-- cgit v1.1 From 177cd316fd2b62facdd9c2f9ba1690c0ee719612 Mon Sep 17 00:00:00 2001 From: des Date: Wed, 26 Aug 2015 09:25:17 +0000 Subject: Vendor import of OpenSSH 7.0p1 --- ChangeLog | 933 +++++++++++++-------- OVERVIEW | 6 +- PROTOCOL | 3 +- PROTOCOL.mux | 8 +- README | 2 +- addrmatch.c | 3 +- auth-options.c | 46 +- auth.c | 6 +- auth2-chall.c | 11 +- authfd.c | 4 +- authfile.c | 8 +- cipher.h | 5 +- clientloop.c | 10 +- compat.c | 8 +- config.h.in | 2 +- configure | 172 +++- configure.ac | 29 +- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- kex.c | 93 +- kex.h | 5 +- key.c | 6 +- key.h | 5 +- krl.c | 10 +- log.c | 3 +- moduli | 513 +++++------ moduli.0 | 2 +- monitor.c | 6 +- monitor_wrap.c | 1 - myproposal.h | 11 +- openbsd-compat/openbsd-compat.h | 10 +- openbsd-compat/port-linux.c | 4 +- openbsd-compat/realpath.c | 7 +- packet.c | 13 +- readconf.c | 54 +- readconf.h | 5 +- regress/cert-hostkey.sh | 169 ++-- regress/cert-userkey.sh | 64 +- regress/hostkey-agent.sh | 7 +- regress/hostkey-rotate.sh | 8 +- regress/keygen-knownhosts.sh | 22 +- regress/keytype.sh | 14 +- regress/principals-command.sh | 222 ++--- regress/unittests/Makefile.inc | 2 +- regress/unittests/kex/test_kex.c | 7 +- regress/unittests/sshkey/mktestdata.sh | 6 +- regress/unittests/sshkey/test_file.c | 20 +- regress/unittests/sshkey/test_sshkey.c | 12 +- regress/unittests/sshkey/testdata/dsa_1 | 20 +- regress/unittests/sshkey/testdata/dsa_1-cert.fp | 2 +- regress/unittests/sshkey/testdata/dsa_1-cert.pub | 2 +- regress/unittests/sshkey/testdata/dsa_1.fp | 2 +- regress/unittests/sshkey/testdata/dsa_1.fp.bb | 2 +- regress/unittests/sshkey/testdata/dsa_1.param.g | 2 +- regress/unittests/sshkey/testdata/dsa_1.param.priv | 2 +- regress/unittests/sshkey/testdata/dsa_1.param.pub | 2 +- regress/unittests/sshkey/testdata/dsa_1.pub | 2 +- regress/unittests/sshkey/testdata/dsa_1_pw | 22 +- regress/unittests/sshkey/testdata/dsa_2 | 20 +- regress/unittests/sshkey/testdata/dsa_2.fp | 2 +- regress/unittests/sshkey/testdata/dsa_2.fp.bb | 2 +- regress/unittests/sshkey/testdata/dsa_2.pub | 2 +- regress/unittests/sshkey/testdata/dsa_n | 20 +- regress/unittests/sshkey/testdata/dsa_n_pw | 39 +- regress/unittests/sshkey/testdata/ecdsa_1 | 6 +- regress/unittests/sshkey/testdata/ecdsa_1-cert.fp | 2 +- regress/unittests/sshkey/testdata/ecdsa_1-cert.pub | 2 +- regress/unittests/sshkey/testdata/ecdsa_1.fp | 2 +- regress/unittests/sshkey/testdata/ecdsa_1.fp.bb | 2 +- .../unittests/sshkey/testdata/ecdsa_1.param.priv | 2 +- .../unittests/sshkey/testdata/ecdsa_1.param.pub | 2 +- regress/unittests/sshkey/testdata/ecdsa_1.pub | 2 +- regress/unittests/sshkey/testdata/ecdsa_1_pw | 8 +- regress/unittests/sshkey/testdata/ecdsa_2 | 10 +- regress/unittests/sshkey/testdata/ecdsa_2.fp | 2 +- regress/unittests/sshkey/testdata/ecdsa_2.fp.bb | 2 +- .../unittests/sshkey/testdata/ecdsa_2.param.priv | 2 +- .../unittests/sshkey/testdata/ecdsa_2.param.pub | 2 +- regress/unittests/sshkey/testdata/ecdsa_2.pub | 2 +- regress/unittests/sshkey/testdata/ecdsa_n | 6 +- regress/unittests/sshkey/testdata/ecdsa_n_pw | 14 +- regress/unittests/sshkey/testdata/ed25519_1 | 8 +- .../unittests/sshkey/testdata/ed25519_1-cert.fp | 2 +- .../unittests/sshkey/testdata/ed25519_1-cert.pub | 2 +- regress/unittests/sshkey/testdata/ed25519_1.fp | 2 +- regress/unittests/sshkey/testdata/ed25519_1.fp.bb | 2 +- regress/unittests/sshkey/testdata/ed25519_1.pub | 2 +- regress/unittests/sshkey/testdata/ed25519_1_pw | 12 +- regress/unittests/sshkey/testdata/ed25519_2 | 8 +- regress/unittests/sshkey/testdata/ed25519_2.fp | 2 +- regress/unittests/sshkey/testdata/ed25519_2.fp.bb | 2 +- regress/unittests/sshkey/testdata/ed25519_2.pub | 2 +- regress/unittests/sshkey/testdata/rsa1_1 | Bin 421 -> 533 bytes regress/unittests/sshkey/testdata/rsa1_1.fp | 2 +- regress/unittests/sshkey/testdata/rsa1_1.fp.bb | 2 +- regress/unittests/sshkey/testdata/rsa1_1.param.n | 2 +- regress/unittests/sshkey/testdata/rsa1_1.pub | 2 +- regress/unittests/sshkey/testdata/rsa1_1_pw | Bin 421 -> 533 bytes regress/unittests/sshkey/testdata/rsa1_2 | Bin 981 -> 981 bytes regress/unittests/sshkey/testdata/rsa1_2.fp | 2 +- regress/unittests/sshkey/testdata/rsa1_2.fp.bb | 2 +- regress/unittests/sshkey/testdata/rsa1_2.param.n | 2 +- regress/unittests/sshkey/testdata/rsa1_2.pub | 2 +- regress/unittests/sshkey/testdata/rsa_1 | 23 +- regress/unittests/sshkey/testdata/rsa_1-cert.fp | 2 +- regress/unittests/sshkey/testdata/rsa_1-cert.pub | 2 +- regress/unittests/sshkey/testdata/rsa_1.fp | 2 +- regress/unittests/sshkey/testdata/rsa_1.fp.bb | 2 +- regress/unittests/sshkey/testdata/rsa_1.param.n | 2 +- regress/unittests/sshkey/testdata/rsa_1.param.p | 2 +- regress/unittests/sshkey/testdata/rsa_1.param.q | 2 +- regress/unittests/sshkey/testdata/rsa_1.pub | 2 +- regress/unittests/sshkey/testdata/rsa_1_pw | 25 +- regress/unittests/sshkey/testdata/rsa_2 | 50 +- regress/unittests/sshkey/testdata/rsa_2.fp | 2 +- regress/unittests/sshkey/testdata/rsa_2.fp.bb | 2 +- regress/unittests/sshkey/testdata/rsa_2.param.n | 2 +- regress/unittests/sshkey/testdata/rsa_2.param.p | 2 +- regress/unittests/sshkey/testdata/rsa_2.param.q | 2 +- regress/unittests/sshkey/testdata/rsa_2.pub | 2 +- regress/unittests/sshkey/testdata/rsa_n | 23 +- regress/unittests/sshkey/testdata/rsa_n_pw | 27 +- sandbox-systrace.c | 5 +- scp.0 | 3 +- scp.1 | 5 +- servconf.c | 39 +- servconf.h | 3 +- sftp-server.0 | 2 +- sftp.0 | 2 +- ssh-add.0 | 2 +- ssh-add.c | 5 +- ssh-agent.0 | 2 +- ssh-agent.c | 5 +- ssh-keygen.0 | 4 +- ssh-keygen.1 | 6 +- ssh-keygen.c | 71 +- ssh-keyscan.0 | 2 +- ssh-keysign.0 | 2 +- ssh-keysign.c | 3 +- ssh-pkcs11-helper.0 | 2 +- ssh-pkcs11.c | 25 +- ssh.0 | 70 +- ssh.1 | 129 ++- ssh.c | 39 +- ssh.h | 2 +- ssh_config.0 | 75 +- ssh_config.5 | 72 +- sshconnect2.c | 70 +- sshd.0 | 15 +- sshd.8 | 17 +- sshd.c | 51 +- sshd_config | 4 +- sshd_config.0 | 113 ++- sshd_config.5 | 106 ++- sshkey.c | 108 +-- sshkey.h | 7 +- sshpty.c | 4 +- version.h | 4 +- 158 files changed, 2436 insertions(+), 1646 deletions(-) diff --git a/ChangeLog b/ChangeLog index c63681f..ed05021 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,575 @@ +commit 1dc8d93ce69d6565747eb44446ed117187621b26 +Author: deraadt@openbsd.org +Date: Thu Aug 6 14:53:21 2015 +0000 + + upstream commit + + add prohibit-password as a synonymn for without-password, + since the without-password is causing too many questions. Harden it to ban + all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from + djm, ok markus + + Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a + +commit 90a95a4745a531b62b81ce3b025e892bdc434de5 +Author: Damien Miller +Date: Tue Aug 11 13:53:41 2015 +1000 + + update version in README + +commit 318c37743534b58124f1bab37a8a0087a3a9bd2f +Author: Damien Miller +Date: Tue Aug 11 13:53:09 2015 +1000 + + update versions in *.spec + +commit 5e75f5198769056089fb06c4d738ab0e5abc66f7 +Author: Damien Miller +Date: Tue Aug 11 13:34:12 2015 +1000 + + set sshpam_ctxt to NULL after free + + Avoids use-after-free in monitor when privsep child is compromised. + Reported by Moritz Jodeit; ok dtucker@ + +commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b +Author: Damien Miller +Date: Tue Aug 11 13:33:24 2015 +1000 + + Don't resend username to PAM; it already has it. + + Pointed out by Moritz Jodeit; ok dtucker@ + +commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca +Author: Darren Tucker +Date: Mon Jul 27 12:14:25 2015 +1000 + + Import updated moduli file from OpenBSD. + +commit 55b263fb7cfeacb81aaf1c2036e0394c881637da +Author: Damien Miller +Date: Mon Aug 10 11:13:44 2015 +1000 + + let principals-command.sh work for noexec /var/run + +commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897 +Author: Damien Miller +Date: Thu Aug 6 11:43:42 2015 +1000 + + work around echo -n / sed behaviour in tests + +commit d85dad81778c1aa8106acd46930b25fdf0d15b2a +Author: djm@openbsd.org +Date: Wed Aug 5 05:27:33 2015 +0000 + + upstream commit + + adjust for RSA minimum modulus switch; ok deraadt@ + + Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae + +commit 57e8e229bad5fe6056b5f1199665f5f7008192c6 +Author: djm@openbsd.org +Date: Tue Aug 4 05:23:06 2015 +0000 + + upstream commit + + backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this + release; problems spotted by sthen@ ok deraadt@ markus@ + + Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822 + +commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a +Author: djm@openbsd.org +Date: Sun Aug 2 09:56:42 2015 +0000 + + upstream commit + + openssh 7.0; ok deraadt@ + + Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f + +commit 3d5728a0f6874ce4efb16913a12963595070f3a9 +Author: chris@openbsd.org +Date: Fri Jul 31 15:38:09 2015 +0000 + + upstream commit + + Allow PermitRootLogin to be overridden by config + + ok markus@ deeradt@ + + Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4 + +commit 6f941396b6835ad18018845f515b0c4fe20be21a +Author: djm@openbsd.org +Date: Thu Jul 30 23:09:15 2015 +0000 + + upstream commit + + fix pty permissions; patch from Nikolay Edigaryev; ok + deraadt + + Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550 + +commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0 +Author: deraadt@openbsd.org +Date: Thu Jul 30 19:23:02 2015 +0000 + + upstream commit + + change default: PermitRootLogin without-password matching + install script changes coming as well ok djm markus + + Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6 + +commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c +Author: Damien Miller +Date: Thu Jul 30 12:31:39 2015 +1000 + + downgrade OOM adjustment logging: verbose -> debug + +commit f9eca249d4961f28ae4b09186d7dc91de74b5895 +Author: djm@openbsd.org +Date: Thu Jul 30 00:01:34 2015 +0000 + + upstream commit + + Allow ssh_config and sshd_config kex parameters options be + prefixed by a '+' to indicate that the specified items be appended to the + default rather than replacing it. + + approach suggested by dtucker@, feedback dlg@, ok markus@ + + Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a + +commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163 +Author: djm@openbsd.org +Date: Wed Jul 29 08:34:54 2015 +0000 + + upstream commit + + fix bug in previous; was printing incorrect string for + failed host key algorithms negotiation + + Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e + +commit f319912b0d0e1675b8bb051ed8213792c788bcb2 +Author: djm@openbsd.org +Date: Wed Jul 29 04:43:06 2015 +0000 + + upstream commit + + include the peer's offer when logging a failure to + negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@ + + Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796 + +commit b6ea0e573042eb85d84defb19227c89eb74cf05a +Author: djm@openbsd.org +Date: Tue Jul 28 23:20:42 2015 +0000 + + upstream commit + + add Cisco to the list of clients that choke on the + hostkeys update extension. Pointed out by Howard Kash + + Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84 + +commit 3f628c7b537291c1019ce86af90756fb4e66d0fd +Author: guenther@openbsd.org +Date: Mon Jul 27 16:29:23 2015 +0000 + + upstream commit + + Permit kbind(2) use in the sandbox now, to ease testing + of ld.so work using it + + reminded by miod@, ok deraadt@ + + Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413 + +commit ebe27ebe520098bbc0fe58945a87ce8490121edb +Author: millert@openbsd.org +Date: Mon Jul 20 18:44:12 2015 +0000 + + upstream commit + + Move .Pp before .Bl, not after to quiet mandoc -Tlint. + Noticed by jmc@ + + Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23 + +commit d5d91d0da819611167782c66ab629159169d94d4 +Author: millert@openbsd.org +Date: Mon Jul 20 18:42:35 2015 +0000 + + upstream commit + + Sync usage with SYNOPSIS + + Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7 + +commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743 +Author: millert@openbsd.org +Date: Mon Jul 20 15:39:52 2015 +0000 + + upstream commit + + Better desciption of Unix domain socket forwarding. + bz#2423; ok jmc@ + + Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d + +commit d56fd1828074a4031b18b8faa0bf949669eb18a0 +Author: Damien Miller +Date: Mon Jul 20 11:19:51 2015 +1000 + + make realpath.c compile -Wsign-compare clean + +commit c63c9a691dca26bb7648827f5a13668832948929 +Author: djm@openbsd.org +Date: Mon Jul 20 00:30:01 2015 +0000 + + upstream commit + + mention that the default of UseDNS=no implies that + hostnames cannot be used for host matching in sshd_config and + authorized_keys; bz#2045, ok dtucker@ + + Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1 + +commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76 +Author: djm@openbsd.org +Date: Sat Jul 18 08:02:17 2015 +0000 + + upstream commit + + don't ignore PKCS#11 hosted keys that return empty + CKA_ID; patch by Jakub Jelen via bz#2429; ok markus + + Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485 + +commit b15fd989c8c62074397160147a8d5bc34b3f3c63 +Author: djm@openbsd.org +Date: Sat Jul 18 08:00:21 2015 +0000 + + upstream commit + + skip uninitialised PKCS#11 slots; patch from Jakub Jelen + in bz#2427 ok markus@ + + Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29 + +commit 5b64f85bb811246c59ebab70aed331f26ba37b18 +Author: djm@openbsd.org +Date: Sat Jul 18 07:57:14 2015 +0000 + + upstream commit + + only query each keyboard-interactive device once per + authentication request regardless of how many times it is listed; ok markus@ + + Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1 + +commit cd7324d0667794eb5c236d8a4e0f236251babc2d +Author: djm@openbsd.org +Date: Fri Jul 17 03:34:27 2015 +0000 + + upstream commit + + remove -u flag to diff (only used for error output) to make + things easier for -portable + + Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548 + +commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a +Author: djm@openbsd.org +Date: Fri Jul 17 03:09:19 2015 +0000 + + upstream commit + + direct-streamlocal@openssh.com Unix domain foward + messages do not contain a "reserved for future use" field and in fact, + serverloop.c checks that there isn't one. Remove erroneous mention from + PROTOCOL description. bz#2421 from Daniel Black + + Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac + +commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52 +Author: djm@openbsd.org +Date: Fri Jul 17 03:04:27 2015 +0000 + + upstream commit + + describe magic for setting up Unix domain socket fowards + via the mux channel; bz#2422 patch from Daniel Black + + Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861 + +commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc +Author: Darren Tucker +Date: Fri Jul 17 12:52:34 2015 +1000 + + Check if realpath works on nonexistent files. + + On some platforms the native realpath doesn't work with non-existent + files (this is actually specified in some versions of POSIX), however + the sftp spec says its realpath with "canonicalize any given path name". + On those platforms, use realpath from the compat library. + + In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines + the realpath symbol to the checked version, so redefine ours to + something else so we pick up the compat version we want. + + bz#2428, ok djm@ + +commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0 +Author: djm@openbsd.org +Date: Fri Jul 17 02:47:45 2015 +0000 + + upstream commit + + fix incorrect test for SSH1 keys when compiled without SSH1 + support + + Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451 + +commit df56a8035d429b2184ee94aaa7e580c1ff67f73a +Author: djm@openbsd.org +Date: Wed Jul 15 08:00:11 2015 +0000 + + upstream commit + + fix NULL-deref when SSH1 reenabled + + Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295 + +commit 41e38c4d49dd60908484e6703316651333f16b93 +Author: djm@openbsd.org +Date: Wed Jul 15 07:19:50 2015 +0000 + + upstream commit + + regen RSA1 test keys; the last batch was missing their + private parts + + Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a + +commit 5bf0933184cb622ca3f96d224bf3299fd2285acc +Author: markus@openbsd.org +Date: Fri Jul 10 06:23:25 2015 +0000 + + upstream commit + + Adapt tests, now that DSA if off by default; use + PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA. + + Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c + +commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc +Author: markus@openbsd.org +Date: Tue Jul 7 14:54:16 2015 +0000 + + upstream commit + + regen test data after mktestdata.sh changes + + Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4 + +commit 7c8c174c69f681d4910fa41c37646763692b28e2 +Author: markus@openbsd.org +Date: Tue Jul 7 14:53:30 2015 +0000 + + upstream commit + + adapt tests to new minimum RSA size and default FP format + + Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e + +commit 6a977a4b68747ade189e43d302f33403fd4a47ac +Author: djm@openbsd.org +Date: Fri Jul 3 04:39:23 2015 +0000 + + upstream commit + + legacy v00 certificates are gone; adapt and don't try to + test them; "sure" markus@ dtucker@ + + Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12 + +commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385 +Author: djm@openbsd.org +Date: Wed Jul 1 23:11:18 2015 +0000 + + upstream commit + + don't expect SSH v.1 in unittests + + Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397 + +commit 3c099845798a817cdde513c39074ec2063781f18 +Author: djm@openbsd.org +Date: Mon Jun 15 06:38:50 2015 +0000 + + upstream commit + + turn SSH1 back on to match src/usr.bin/ssh being tested + + Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333 + +commit b1dc2b33689668c75e95f873a42d5aea1f4af1db +Author: dtucker@openbsd.org +Date: Mon Jul 13 04:57:14 2015 +0000 + + upstream commit + + Add "PuTTY_Local:" to the clients to which we do not + offer DH-GEX. This was the string that was used for development versions + prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately + there are some extant products based on those versions. bx2424 from Jay + Rouman, ok markus@ djm@ + + Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5 + +commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 +Author: markus@openbsd.org +Date: Fri Jul 10 06:21:53 2015 +0000 + + upstream commit + + Turn off DSA by default; add HostKeyAlgorithms to the + server and PubkeyAcceptedKeyTypes to the client side, so it still can be + tested or turned back on; feedback and ok djm@ + + Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21 + +commit 16db0a7ee9a87945cc594d13863cfcb86038db59 +Author: markus@openbsd.org +Date: Thu Jul 9 09:49:46 2015 +0000 + + upstream commit + + re-enable ed25519-certs if compiled w/o openssl; ok djm + + Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49 + +commit c355bf306ac33de6545ce9dac22b84a194601e2f +Author: markus@openbsd.org +Date: Wed Jul 8 20:24:02 2015 +0000 + + upstream commit + + no need to include the old buffer/key API + + Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b + +commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee +Author: markus@openbsd.org +Date: Wed Jul 8 19:09:25 2015 +0000 + + upstream commit + + typedefs for Cipher&CipherContext are unused + + Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7 + +commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0 +Author: markus@openbsd.org +Date: Wed Jul 8 19:04:21 2015 +0000 + + upstream commit + + xmalloc.h is unused + + Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58 + +commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31 +Author: markus@openbsd.org +Date: Wed Jul 8 19:01:15 2015 +0000 + + upstream commit + + compress.c is gone + + Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced + +commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615 +Author: djm@openbsd.org +Date: Fri Jul 3 04:05:54 2015 +0000 + + upstream commit + + another SSH_RSA_MINIMUM_MODULUS_SIZE that needed + cranking + + Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1 + +commit b1f383da5cd3cb921fc7776f17a14f44b8a31757 +Author: djm@openbsd.org +Date: Fri Jul 3 03:56:25 2015 +0000 + + upstream commit + + add an XXX reminder for getting correct key paths from + sshd_config + + Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db + +commit 933935ce8d093996c34d7efa4d59113163080680 +Author: djm@openbsd.org +Date: Fri Jul 3 03:49:45 2015 +0000 + + upstream commit + + refuse to generate or accept RSA keys smaller than 1024 + bits; feedback and ok dtucker@ + + Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba + +commit bdfd29f60b74f3e678297269dc6247a5699583c1 +Author: djm@openbsd.org +Date: Fri Jul 3 03:47:00 2015 +0000 + + upstream commit + + turn off 1024 bit diffie-hellman-group1-sha1 key + exchange method (already off in server, this turns it off in the client by + default too) ok dtucker@ + + Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa + +commit c28fc62d789d860c75e23a9fa9fb250eb2beca57 +Author: djm@openbsd.org +Date: Fri Jul 3 03:43:18 2015 +0000 + + upstream commit + + delete support for legacy v00 certificates; "sure" + markus@ dtucker@ + + Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f + +commit 564d63e1b4a9637a209d42a9d49646781fc9caef +Author: djm@openbsd.org +Date: Wed Jul 1 23:10:47 2015 +0000 + + upstream commit + + Compile-time disable SSH v.1 again + + Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af + +commit 868109b650504dd9bcccdb1f51d0906f967c20ff +Author: djm@openbsd.org +Date: Wed Jul 1 02:39:06 2015 +0000 + + upstream commit + + twiddle PermitRootLogin back + + Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2 + commit 7de4b03a6e4071d454b72927ffaf52949fa34545 Author: djm@openbsd.org Date: Wed Jul 1 02:32:17 2015 +0000 @@ -8572,364 +9144,3 @@ Date: Wed Aug 21 02:38:51 2013 +1000 fix some whitespace at EOL make list of commands an enum rather than a long list of defines add -a to usage() - -commit acd2060f750c16d48b87b92a10b5a833227baf9d -Author: Darren Tucker -Date: Thu Aug 8 17:02:12 2013 +1000 - - - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt - removal. The "make clean" removes modpipe which is built by the top-level - directory before running the tests. Spotted by tim@ - -commit 9542de4547beebf707f3640082d471f1a85534c9 -Author: Darren Tucker -Date: Thu Aug 8 12:50:06 2013 +1000 - - - (dtucker) [misc.c] Remove define added for fallback testing that was - mistakenly included in the previous commit. - -commit 94396b7f06f512a0acb230640d7f703fb802a9ee -Author: Darren Tucker -Date: Thu Aug 8 11:52:37 2013 +1000 - - - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime( - CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the - CLOCK_MONOTONIC define but don't actually support it. Found and tested - by Kevin Brott, ok djm. - -commit a5a3cbfa0fb8ef011d3e7b38910a13f6ebbb8818 -Author: Darren Tucker -Date: Thu Aug 8 10:58:49 2013 +1000 - - - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt - since some platforms (eg really old FreeBSD) don't have it. Instead, - run "make clean" before a complete regress run. ok djm. - -commit f3ab2c5f9cf4aed44971eded3ac9eeb1344b2be5 -Author: Darren Tucker -Date: Sun Aug 4 21:48:41 2013 +1000 - - - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support - for building with older Heimdal versions. ok djm. - -commit ab3575c055adfbce70fa7405345cf0f80b07c827 -Author: Damien Miller -Date: Thu Aug 1 14:34:16 2013 +1000 - - - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 - -commit c192a4c4f6da907dc0e67a3ca61d806f9a92c931 -Author: Damien Miller -Date: Thu Aug 1 14:29:20 2013 +1000 - - - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- - blocking connecting socket will clear any stored errno that might - otherwise have been retrievable via getsockopt(). A hack to limit writes - to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap - it in an #ifdef. Diagnosis and patch from Ivo Raisr. - -commit 81f7cf1ec5bc2fd202eda05abc2e5361c54633c5 -Author: Tim Rice -Date: Thu Jul 25 18:41:40 2013 -0700 - - more correct comment for last commit - -commit 0553ad76ffdff35fb31b9e6df935a71a1cc6daa2 -Author: Tim Rice -Date: Thu Jul 25 16:03:16 2013 -0700 - - - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. - -commit ed899eb597a8901ff7322cba809660515ec0d601 -Author: Tim Rice -Date: Thu Jul 25 15:40:00 2013 -0700 - - - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on - Solaris and UnixWare. Feedback and OK djm@ - -commit e9e936d33b4b1d77ffbaace9438cb2f1469c1dc7 -Author: Damien Miller -Date: Thu Jul 25 12:34:00 2013 +1000 - - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update version numbers - -commit d1e26cf391de31128b4edde118bff5fed98a90ea -Author: Damien Miller -Date: Thu Jul 25 12:11:18 2013 +1000 - - - djm@cvs.openbsd.org 2013/06/21 02:26:26 - [regress/sftp-cmds.sh regress/test-exec.sh] - unbreak sftp-cmds for renamed test data (s/ls/data/) - -commit 78d47b7c5b182e44552913de2b4b7e0363c8e3cc -Author: Damien Miller -Date: Thu Jul 25 12:08:46 2013 +1000 - - - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 - [regress/forwarding.sh] - Add test for forward config parsing - -commit fea440639e04cea9f2605375a41d654390369402 -Author: Damien Miller -Date: Thu Jul 25 12:08:07 2013 +1000 - - - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 - [regress/test-exec.sh] - use ssh and sshd as testdata since it needs to be >256k for the rekey test - -commit 53435b2d8773a5d7c78359e9f7bf9df2d93b9ef5 -Author: Damien Miller -Date: Thu Jul 25 11:57:15 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/25 00:57:37 - [version.h] - openssh-6.3 for release - -commit 0d032419ee6e1968fc1cb187af63bf3b77b506ea -Author: Damien Miller -Date: Thu Jul 25 11:56:52 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/25 00:56:52 - [sftp-client.c sftp-client.h sftp.1 sftp.c] - sftp support for resuming partial downloads; patch mostly by Loganaden - Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ - -commit 98e27dcf581647b5bbe9780e8f59685d942d8ea3 -Author: Damien Miller -Date: Thu Jul 25 11:55:52 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/25 00:29:10 - [ssh.c] - daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure - it is fully detached from its controlling terminal. based on debugging - -commit 94c9cd34d1590ea1d4bf76919a15b5688fa90ed1 -Author: Damien Miller -Date: Thu Jul 25 11:55:39 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/22 12:20:02 - [umac.h] - oops, forgot to commit corresponding header change; - spotted by jsg and jasper - -commit c331dbd22297ab9bf351abee659893d139c9f28a -Author: Damien Miller -Date: Thu Jul 25 11:55:20 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/22 05:00:17 - [umac.c] - make MAC key, data to be hashed and nonce for final hash const; - checked with -Wcast-qual - -commit c8669a8cd24952b3f16a44eac63d2b6ce8a6343a -Author: Damien Miller -Date: Thu Jul 25 11:52:48 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/20 22:20:42 - [krl.c] - fix verification error in (as-yet usused) KRL signature checking path - -commit 63ddc899d28cf60045b560891894b9fbf6f822e9 -Author: Damien Miller -Date: Sat Jul 20 13:35:45 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/20 01:55:13 - [auth-krb5.c gss-serv-krb5.c gss-serv.c] - fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ - -commit 1f0e86f23fcebb026371c0888402a981df2a61c4 -Author: Damien Miller -Date: Sat Jul 20 13:22:49 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/20 01:50:20 - [ssh-agent.c] - call cleanup_handler on SIGINT when in debug mode to ensure sockets - are cleaned up on manual exit; bz#2120 - -commit 3009d3cbb89316b1294fb5cedb54770b5d114d04 -Author: Damien Miller -Date: Sat Jul 20 13:22:31 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/20 01:44:37 - [ssh-keygen.c ssh.c] - More useful error message on missing current user in /etc/passwd - -commit 32ecfa0f7920db31471ca8c1f4adc20ae38ed9d6 -Author: Damien Miller -Date: Sat Jul 20 13:22:13 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/20 01:43:46 - [umac.c] - use a union to ensure correct alignment; ok deraadt - -commit 85b45e09188e7a7fc8f0a900a4c6a0f04a5720a7 -Author: Damien Miller -Date: Sat Jul 20 13:21:52 2013 +1000 - - - markus@cvs.openbsd.org 2013/07/19 07:37:48 - [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] - [servconf.h session.c sshd.c sshd_config.5] - add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, - or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 - ok djm@ - -commit d93340cbb6bc0fc0dbd4427e0cec6d994a494dd9 -Author: Damien Miller -Date: Thu Jul 18 16:14:34 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/18 01:12:26 - [ssh.1] - be more exact wrt perms for ~/.ssh/config; bz#2078 - -commit bf836e535dc3a8050c1756423539bac127ee5098 -Author: Damien Miller -Date: Thu Jul 18 16:14:13 2013 +1000 - - - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 - [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] - use .Mt for email addresses; from Jan Stary ; ok jmc@ - -commit 649fe025a409d0ce88c60a068f3f211193c35873 -Author: Damien Miller -Date: Thu Jul 18 16:13:55 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/12 05:48:55 - [ssh.c] - set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ - -commit 5bb8833e809d827496dffca0dc2c223052c93931 -Author: Damien Miller -Date: Thu Jul 18 16:13:37 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/12 05:42:03 - [ssh-keygen.c] - do_print_resource_record() can never be called with a NULL filename, so - don't attempt (and bungle) asking for one if it has not been specified - bz#2127 ok dtucker@ - -commit 7313fc9222785d0c54a7ffcaf2067f4db02c8d72 -Author: Damien Miller -Date: Thu Jul 18 16:13:19 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/12 00:43:50 - [misc.c] - in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when - errno == 0. Avoids confusing error message in some broken resolver - cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker - -commit 746d1a6c524d2e90ebe98cc29e42573a3e1c3c1b -Author: Damien Miller -Date: Thu Jul 18 16:13:02 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/12 00:20:00 - [sftp.c ssh-keygen.c ssh-pkcs11.c] - fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ - -commit ce98654674648fb7d58f73edf6aa398656a2dba4 -Author: Damien Miller -Date: Thu Jul 18 16:12:44 2013 +1000 - - - djm@cvs.openbsd.org 2013/07/12 00:19:59 - [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] - [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] - fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ - -commit 0d02c3e10e1ed16d6396748375a133d348127a2a -Author: Damien Miller -Date: Thu Jul 18 16:12:06 2013 +1000 - - - markus@cvs.openbsd.org 2013/07/02 12:31:43 - [dh.c] - remove extra whitespace - -commit fecfd118d6c90df4fcd3cec7b14e4d3ce69a41d5 -Author: Damien Miller -Date: Thu Jul 18 16:11:50 2013 +1000 - - - jmc@cvs.openbsd.org 2013/06/27 14:05:37 - [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] - do not use Sx for sections outwith the man page - ingo informs me that - stuff like html will render with broken links; - - issue reported by Eric S. Raymond, via djm - -commit bc35d92e78fd53c3f32cbdbdf89d8b1919788c50 -Author: Damien Miller -Date: Thu Jul 18 16:11:25 2013 +1000 - - - djm@cvs.openbsd.org 2013/06/22 06:31:57 - [scp.c] - improved time_t overflow check suggested by guenther@ - -commit 8158441d01ab84f33a7e70e27f87c02cbf67e709 -Author: Damien Miller -Date: Thu Jul 18 16:11:07 2013 +1000 - - - djm@cvs.openbsd.org 2013/06/21 05:43:10 - [scp.c] - make this -Wsign-compare clean after time_t conversion - -commit bbeb1dac550bad8e6aff9bd27113c6bd5ebb7413 -Author: Damien Miller -Date: Thu Jul 18 16:10:49 2013 +1000 - - - djm@cvs.openbsd.org 2013/06/21 05:42:32 - [dh.c] - sprinkle in some error() to explain moduli(5) parse failures - -commit 7f2b438ca0b7c3b9684a03d7bf3eaf379da16de9 -Author: Damien Miller -Date: Thu Jul 18 16:10:29 2013 +1000 - - - djm@cvs.openbsd.org 2013/06/21 00:37:49 - [ssh_config.5] - explicitly mention that IdentitiesOnly can be used with IdentityFile - to control which keys are offered from an agent. - -commit 20bdcd72365e8b3d51261993928cc47c5f0d7c8a -Author: Damien Miller -Date: Thu Jul 18 16:10:09 2013 +1000 - - - djm@cvs.openbsd.org 2013/06/21 00:34:49 - [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] - for hostbased authentication, print the client host and user on - the auth success/failure line; bz#2064, ok dtucker@ - -commit 3071070b39e6d1722151c754cdc2b26640eaf45e -Author: Damien Miller -Date: Thu Jul 18 16:09:44 2013 +1000 - - - markus@cvs.openbsd.org 2013/06/20 19:15:06 - [krl.c] - don't leak the rdata blob on errors; ok djm@ - -commit 044bd2a7ddb0b6f6b716c87e57261572e2b89028 -Author: Damien Miller -Date: Thu Jul 18 16:09:25 2013 +1000 - - - guenther@cvs.openbsd.org 2013/06/17 04:48:42 - [scp.c] - Handle time_t values as long long's when formatting them and when - parsing them from remote servers. - Improve error checking in parsing of 'T' lines. - - ok dtucker@ deraadt@ - -commit 9a6615542108118582f64b7161ca0e12176e3712 -Author: Damien Miller -Date: Thu Jul 18 16:09:04 2013 +1000 - - - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 - [readconf.c] - revert 1.203 while we investigate crashes reported by okan@ - -commit b7482cff46e7e76bfb3cda86c365a08f58d4fca0 -Author: Darren Tucker -Date: Tue Jul 2 20:06:46 2013 +1000 - - - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config - contrib/cygwin/ssh-user-config] Modernizes and improve readability of - the Cygwin README file (which hasn't been updated for ages), drop - unsupported OSes from the ssh-host-config help text, and drop an - unneeded option from ssh-user-config. Patch from vinschen at redhat com. diff --git a/OVERVIEW b/OVERVIEW index 2e1cc0b..fde72c8 100644 --- a/OVERVIEW +++ b/OVERVIEW @@ -65,8 +65,8 @@ these programs. packets. CRC code comes from crc32.c. - The code in packet.c calls the buffer manipulation routines - (buffer.c, bufaux.c), compression routines (compress.c, zlib), - and the encryption routines. + (buffer.c, bufaux.c), compression routines (zlib), and the + encryption routines. X11, TCP/IP, and Agent forwarding @@ -165,4 +165,4 @@ these programs. uidswap.c uid-swapping xmalloc.c "safe" malloc routines -$OpenBSD: OVERVIEW,v 1.11 2006/08/03 03:34:41 deraadt Exp $ +$OpenBSD: OVERVIEW,v 1.12 2015/07/08 19:01:15 markus Exp $ diff --git a/PROTOCOL b/PROTOCOL index 85641e6..131adfe 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -247,7 +247,6 @@ to request that the server make a connection to a Unix domain socket. uint32 initial window size uint32 maximum packet size string socket path - string reserved for future use Similar to forwarded-tcpip, forwarded-streamlocal is sent by the server when the client has previously send the server a streamlocal-forward @@ -453,4 +452,4 @@ respond with a SSH_FXP_STATUS message. This extension is advertised in the SSH_FXP_VERSION hello with version "1". -$OpenBSD: PROTOCOL,v 1.28 2015/05/08 03:56:51 djm Exp $ +$OpenBSD: PROTOCOL,v 1.29 2015/07/17 03:09:19 djm Exp $ diff --git a/PROTOCOL.mux b/PROTOCOL.mux index b583256..f042961 100644 --- a/PROTOCOL.mux +++ b/PROTOCOL.mux @@ -116,6 +116,12 @@ A client may request the master to establish a port forward: forwarding type may be MUX_FWD_LOCAL, MUX_FWD_REMOTE, MUX_FWD_DYNAMIC. +If listen port is (unsigned int) -2, then the listen host is treated as +a unix socket path name. + +If connect port is (unsigned int) -2, then the connect host is treated +as a unix socket path name. + A server may reply with a MUX_S_OK, a MUX_S_REMOTE_PORT, a MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE. @@ -219,4 +225,4 @@ XXX inject packet (what about replies) XXX server->client error/warning notifications XXX send signals via mux -$OpenBSD: PROTOCOL.mux,v 1.9 2012/06/01 00:49:35 djm Exp $ +$OpenBSD: PROTOCOL.mux,v 1.10 2015/07/17 03:04:27 djm Exp $ diff --git a/README b/README index 0401d85..c566f7b 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.9 for the release notes. +See http://www.openssh.com/txt/release-7.0 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html diff --git a/addrmatch.c b/addrmatch.c index c443146..70b050e 100644 --- a/addrmatch.c +++ b/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.9 2014/01/19 11:21:51 dtucker Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.10 2015/07/08 19:04:21 markus Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller @@ -31,7 +31,6 @@ #include "match.h" #include "log.h" -#include "xmalloc.h" struct xaddr { sa_family_t af; diff --git a/auth-options.c b/auth-options.c index facfc02..e387697 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.67 2015/05/01 03:20:54 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -588,35 +588,21 @@ auth_cert_options(struct sshkey *k, struct passwd *pw) char *cert_forced_command = NULL; int cert_source_address_done = 0; - if (sshkey_cert_is_legacy(k)) { - /* All options are in the one field for v00 certs */ - if (parse_option_list(k->cert->critical, pw, - OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1, - &cert_no_port_forwarding_flag, - &cert_no_agent_forwarding_flag, - &cert_no_x11_forwarding_flag, - &cert_no_pty_flag, - &cert_no_user_rc, - &cert_forced_command, - &cert_source_address_done) == -1) - return -1; - } else { - /* Separate options and extensions for v01 certs */ - if (parse_option_list(k->cert->critical, pw, - OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, - &cert_forced_command, - &cert_source_address_done) == -1) - return -1; - if (parse_option_list(k->cert->extensions, pw, - OPTIONS_EXTENSIONS, 0, - &cert_no_port_forwarding_flag, - &cert_no_agent_forwarding_flag, - &cert_no_x11_forwarding_flag, - &cert_no_pty_flag, - &cert_no_user_rc, - NULL, NULL) == -1) - return -1; - } + /* Separate options and extensions for v01 certs */ + if (parse_option_list(k->cert->critical, pw, + OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, + &cert_forced_command, + &cert_source_address_done) == -1) + return -1; + if (parse_option_list(k->cert->extensions, pw, + OPTIONS_EXTENSIONS, 0, + &cert_no_port_forwarding_flag, + &cert_no_agent_forwarding_flag, + &cert_no_x11_forwarding_flag, + &cert_no_pty_flag, + &cert_no_user_rc, + NULL, NULL) == -1) + return -1; no_port_forwarding_flag |= cert_no_port_forwarding_flag; no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; diff --git a/auth.c b/auth.c index e6c094d..fc32f6c 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -352,7 +352,9 @@ auth_root_allowed(const char *method) case PERMIT_YES: return 1; case PERMIT_NO_PASSWD: - if (strcmp(method, "password") != 0) + if (strcmp(method, "publickey") == 0 || + strcmp(method, "hostbased") == 0 || + strcmp(method, "gssapi-with-mic")) return 1; break; case PERMIT_FORCED_ONLY: diff --git a/auth2-chall.c b/auth2-chall.c index ddabe1a..4aff09d 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -83,6 +83,7 @@ struct KbdintAuthctxt void *ctxt; KbdintDevice *device; u_int nreq; + u_int devices_done; }; #ifdef USE_PAM @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) if (len == 0) break; for (i = 0; devices[i]; i++) { - if (!auth2_method_allowed(authctxt, + if ((kbdintctxt->devices_done & (1 << i)) != 0 || + !auth2_method_allowed(authctxt, "keyboard-interactive", devices[i]->name)) continue; - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) + if (strncmp(kbdintctxt->devices, devices[i]->name, + len) == 0) { kbdintctxt->device = devices[i]; + kbdintctxt->devices_done |= 1 << i; + } } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; diff --git a/authfd.c b/authfd.c index 82915a4..eaa1426 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.97 2015/03/26 19:32:19 markus Exp $ */ +/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -560,10 +560,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment, #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: - case KEY_RSA_CERT_V00: case KEY_DSA: case KEY_DSA_CERT: - case KEY_DSA_CERT_V00: case KEY_ECDSA: case KEY_ECDSA_CERT: #endif diff --git a/authfile.c b/authfile.c index 728b136..58f589a 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.114 2015/04/17 13:32:09 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -39,13 +39,13 @@ #include #include "cipher.h" -#include "key.h" #include "ssh.h" #include "log.h" #include "authfile.h" #include "rsa.h" #include "misc.h" #include "atomicio.h" +#include "sshkey.h" #include "sshbuf.h" #include "ssherr.h" #include "krl.h" @@ -448,8 +448,8 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, case KEY_RSA: case KEY_DSA: case KEY_ECDSA: - case KEY_ED25519: #endif /* WITH_OPENSSL */ + case KEY_ED25519: case KEY_UNSPEC: break; default: @@ -467,7 +467,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, goto out; } - if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 || + if ((r = sshkey_to_certified(key)) != 0 || (r = sshkey_cert_copy(cert, key)) != 0) goto out; r = 0; diff --git a/cipher.h b/cipher.h index 62a88b4..06d4be4 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.47 2015/01/14 10:24:42 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.48 2015/07/08 19:09:25 markus Exp $ */ /* * Author: Tatu Ylonen @@ -72,9 +72,6 @@ struct sshcipher_ctx { const struct sshcipher *cipher; }; -typedef struct sshcipher Cipher; -typedef struct sshcipher_ctx CipherContext; - u_int cipher_mask_ssh1(int); const struct sshcipher *cipher_by_name(const char *); const struct sshcipher *cipher_by_number(int); diff --git a/clientloop.c b/clientloop.c index dc0e557..87ceb3d 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.274 2015/07/01 02:26:31 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -100,6 +100,7 @@ #include "key.h" #include "cipher.h" #include "kex.h" +#include "myproposal.h" #include "log.h" #include "misc.h" #include "readconf.h" @@ -2362,10 +2363,11 @@ client_input_hostkeys(void) debug3("%s: received %s key %s", __func__, sshkey_type(key), fp); free(fp); + /* Check that the key is accepted in HostkeyAlgorithms */ - if (options.hostkeyalgorithms != NULL && - match_pattern_list(sshkey_ssh_name(key), - options.hostkeyalgorithms, 0) != 1) { + if (match_pattern_list(sshkey_ssh_name(key), + options.hostkeyalgorithms ? options.hostkeyalgorithms : + KEX_DEFAULT_PK_ALG, 0) != 1) { debug3("%s: %s key not permitted by HostkeyAlgorithms", __func__, sshkey_ssh_name(key)); continue; diff --git a/compat.c b/compat.c index 0631024..eef5fbba 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.94 2015/05/26 23:23:40 dtucker Exp $ */ +/* $OpenBSD: compat.c,v 1.96 2015/07/28 23:20:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -152,7 +152,8 @@ compat_datafellows(const char *version) "1.2.22*", SSH_BUG_IGNOREMSG }, { "1.3.2*", /* F-Secure */ SSH_BUG_IGNOREMSG }, - { "Cisco-1.*", SSH_BUG_DHGEX_LARGE }, + { "Cisco-1.*", SSH_BUG_DHGEX_LARGE| + SSH_BUG_HOSTKEYS }, { "*SSH Compatible Server*", /* Netscreen */ SSH_BUG_PASSWORDPAD }, { "*OSU_0*," @@ -166,7 +167,8 @@ compat_datafellows(const char *version) "OSU_1.5alpha3*", SSH_BUG_PASSWORDPAD }, { "*SSH_Version_Mapper*", SSH_BUG_SCANNER }, - { "PuTTY-Release-0.5*," /* 0.50-0.57, DH-GEX in >=0.52 */ + { "PuTTY_Local:*," /* dev versions < Sep 2014 */ + "PuTTY-Release-0.5*," /* 0.50-0.57, DH-GEX in >=0.52 */ "PuTTY_Release_0.5*," /* 0.58-0.59 */ "PuTTY_Release_0.60*," "PuTTY_Release_0.61*," diff --git a/config.h.in b/config.h.in index 7e7e38e..7500df5 100644 --- a/config.h.in +++ b/config.h.in @@ -48,7 +48,7 @@ against it */ #undef BROKEN_READ_COMPARISON -/* Define if you have a broken realpath. */ +/* realpath does not work with nonexistent files */ #undef BROKEN_REALPATH /* Needed for NeXT */ diff --git a/configure b/configure index 803c5bc..0d7a5b9 100755 --- a/configure +++ b/configure @@ -5771,7 +5771,7 @@ fi openssl=yes -ssh1=yes +ssh1=no # Check whether --with-openssl was given. if test "${with_openssl+set}" = set; then @@ -16524,7 +16524,6 @@ fi - for ac_func in \ Blowfish_initstate \ Blowfish_expandstate \ @@ -16585,7 +16584,6 @@ for ac_func in \ pstat \ readpassphrase \ reallocarray \ - realpath \ recvmsg \ rresvport_af \ sendmsg \ @@ -18682,6 +18680,174 @@ done +for ac_func in realpath +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + + { echo "$as_me:$LINENO: checking if realpath works with non-existent files" >&5 +echo $ECHO_N "checking if realpath works with non-existent files... $ECHO_C" >&6; } + if test "$cross_compiling" = yes; then + { echo "$as_me:$LINENO: WARNING: cross compiling: assuming working" >&5 +echo "$as_me: WARNING: cross compiling: assuming working" >&2;} + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#include +#include + +int +main () +{ + + char buf[PATH_MAX]; + if (realpath("/opensshnonexistentfilename1234", buf) == NULL) + if (errno == ENOENT) + exit(1); + exit(0); + + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + { echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } +else + echo "$as_me: program exited with status $ac_status" >&5 +echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) + +cat >>confdefs.h <<\_ACEOF +#define BROKEN_REALPATH 1 +_ACEOF + + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + +fi +done + + + for ac_func in gettimeofday time do diff --git a/configure.ac b/configure.ac index bb0095f..9b05c30 100644 --- a/configure.ac +++ b/configure.ac @@ -122,7 +122,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ ]) openssl=yes -ssh1=yes +ssh1=no AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then @@ -1674,7 +1674,6 @@ AC_CHECK_FUNCS([ \ pstat \ readpassphrase \ reallocarray \ - realpath \ recvmsg \ rresvport_af \ sendmsg \ @@ -1891,6 +1890,32 @@ AC_CHECK_FUNCS([setresgid], [ ) ]) +AC_CHECK_FUNCS([realpath], [ + dnl the sftp v3 spec says SSH_FXP_REALPATH will "canonicalize any given + dnl path name", however some implementations of realpath (and some + dnl versions of the POSIX spec) do not work on non-existent files, + dnl so we use the OpenBSD implementation on those platforms. + AC_MSG_CHECKING([if realpath works with non-existent files]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include + ]], [[ + char buf[PATH_MAX]; + if (realpath("/opensshnonexistentfilename1234", buf) == NULL) + if (errno == ENOENT) + exit(1); + exit(0); + ]])], + [AC_MSG_RESULT([yes])], + [AC_DEFINE([BROKEN_REALPATH], [1], + [realpath does not work with nonexistent files]) + AC_MSG_RESULT([no])], + [AC_MSG_WARN([cross compiling: assuming working])] + ) +]) + dnl Checks for time functions AC_CHECK_FUNCS([gettimeofday time]) dnl Checks for utmp functions diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index b9aaca5..5de7875 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.9p1 +%define ver 7.0p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index c29c3f7..dd9692d 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.9p1 +Version: 7.0p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/kex.c b/kex.c index dbc55ef..5100c66 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.106 2015/04/17 13:25:52 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.109 2015/07/30 00:01:34 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -155,6 +155,68 @@ kex_names_valid(const char *names) return 1; } +/* + * Concatenate algorithm names, avoiding duplicates in the process. + * Caller must free returned string. + */ +char * +kex_names_cat(const char *a, const char *b) +{ + char *ret = NULL, *tmp = NULL, *cp, *p; + size_t len; + + if (a == NULL || *a == '\0') + return NULL; + if (b == NULL || *b == '\0') + return strdup(a); + if (strlen(b) > 1024*1024) + return NULL; + len = strlen(a) + strlen(b) + 2; + if ((tmp = cp = strdup(b)) == NULL || + (ret = calloc(1, len)) == NULL) { + free(tmp); + return NULL; + } + strlcpy(ret, a, len); + for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { + if (match_list(ret, p, NULL) != NULL) + continue; /* Algorithm already present */ + if (strlcat(ret, ",", len) >= len || + strlcat(ret, p, len) >= len) { + free(tmp); + free(ret); + return NULL; /* Shouldn't happen */ + } + } + free(tmp); + return ret; +} + +/* + * Assemble a list of algorithms from a default list and a string from a + * configuration file. The user-provided string may begin with '+' to + * indicate that it should be appended to the default. + */ +int +kex_assemble_names(const char *def, char **list) +{ + char *ret; + + if (list == NULL || *list == NULL || **list == '\0') { + *list = strdup(def); + return 0; + } + if (**list != '+') { + return 0; + } + + if ((ret = kex_names_cat(def, *list + 1)) == NULL) + return SSH_ERR_ALLOC_FAIL; + free(*list); + *list = ret; + return 0; +} + /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) @@ -448,6 +510,7 @@ kex_free(struct kex *kex) free(kex->session_id); free(kex->client_version_string); free(kex->server_version_string); + free(kex->failed_choice); free(kex); } @@ -626,17 +689,26 @@ kex_choose_conf(struct ssh *ssh) nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; if ((r = choose_enc(&newkeys->enc, cprop[nenc], - sprop[nenc])) != 0) + sprop[nenc])) != 0) { + kex->failed_choice = peer[nenc]; + peer[nenc] = NULL; goto out; + } authlen = cipher_authlen(newkeys->enc.cipher); /* ignore mac for authenticated encryption */ if (authlen == 0 && (r = choose_mac(ssh, &newkeys->mac, cprop[nmac], - sprop[nmac])) != 0) + sprop[nmac])) != 0) { + kex->failed_choice = peer[nmac]; + peer[nmac] = NULL; goto out; + } if ((r = choose_comp(&newkeys->comp, cprop[ncomp], - sprop[ncomp])) != 0) + sprop[ncomp])) != 0) { + kex->failed_choice = peer[ncomp]; + peer[ncomp] = NULL; goto out; + } debug("kex: %s %s %s %s", ctos ? "client->server" : "server->client", newkeys->enc.name, @@ -644,10 +716,17 @@ kex_choose_conf(struct ssh *ssh) newkeys->comp.name); } if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], - sprop[PROPOSAL_KEX_ALGS])) != 0 || - (r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], - sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) + sprop[PROPOSAL_KEX_ALGS])) != 0) { + kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; + peer[PROPOSAL_KEX_ALGS] = NULL; goto out; + } + if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], + sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { + kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; + peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; + goto out; + } need = dh_need = 0; for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; diff --git a/kex.h b/kex.h index f70b81f..d71b532 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.71 2015/02/16 22:13:32 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.73 2015/07/30 00:01:34 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -141,6 +141,7 @@ struct kex { int ec_nid; char *client_version_string; char *server_version_string; + char *failed_choice; int (*verify_host_key)(struct sshkey *, struct ssh *); struct sshkey *(*load_host_public_key)(int, int, struct ssh *); struct sshkey *(*load_host_private_key)(int, int, struct ssh *); @@ -159,6 +160,8 @@ struct kex { int kex_names_valid(const char *); char *kex_alg_list(char); +char *kex_names_cat(const char *, const char *); +int kex_assemble_names(const char *, char **); int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **); int kex_setup(struct ssh *, char *[PROPOSAL_MAX]); diff --git a/key.c b/key.c index bbe027b..0ba98b6 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */ /* * placed in the public domain */ @@ -184,11 +184,11 @@ key_demote(const Key *k) } int -key_to_certified(Key *k, int legacy) +key_to_certified(Key *k) { int r; - if ((r = sshkey_to_certified(k, legacy)) != 0) { + if ((r = sshkey_to_certified(k)) != 0) { fatal_on_fatal_errors(r, __func__, 0); error("%s: %s", __func__, ssh_err(r)); return -1; diff --git a/key.h b/key.h index 89fd5cf..903bdf6 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -51,7 +51,6 @@ typedef struct sshkey Key; #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid #define key_is_cert sshkey_is_cert #define key_type_plain sshkey_type_plain -#define key_cert_is_legacy sshkey_cert_is_legacy #define key_curve_name_to_nid sshkey_curve_name_to_nid #define key_curve_nid_to_bits sshkey_curve_nid_to_bits #define key_curve_nid_to_name sshkey_curve_nid_to_name @@ -69,7 +68,7 @@ int key_read(Key *, char **); Key *key_generate(int, u_int); Key *key_from_private(const Key *); -int key_to_certified(Key *, int); +int key_to_certified(Key *); int key_drop_cert(Key *); int key_certify(Key *, Key *); void key_cert_copy(const Key *, Key *); diff --git a/krl.c b/krl.c index a98252e..4075df8 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.32 2015/06/24 23:47:23 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */ #include "includes.h" @@ -429,7 +429,7 @@ ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key) if (!sshkey_is_cert(key)) return ssh_krl_revoke_key_sha1(krl, key); - if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) { + if (key->cert->serial == 0) { return ssh_krl_revoke_cert_by_key_id(krl, key->cert->signature_key, key->cert->key_id); @@ -1180,10 +1180,10 @@ is_cert_revoked(const struct sshkey *key, struct revoked_certs *rc) } /* - * Legacy cert formats lack serial numbers. Zero serials numbers - * are ignored (it's the default when the CA doesn't specify one). + * Zero serials numbers are ignored (it's the default when the + * CA doesn't specify one). */ - if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) + if (key->cert->serial == 0) return 0; memset(&rs, 0, sizeof(rs)); diff --git a/log.c b/log.c index 32e1d2e..ad12930 100644 --- a/log.c +++ b/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.46 2015/07/08 19:04:21 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -50,7 +50,6 @@ # include #endif -#include "xmalloc.h" #include "log.h" static LogLevel log_level = SYSLOG_LEVEL_INFO; diff --git a/moduli b/moduli index 6bb25c9..426a58f 100644 --- a/moduli +++ b/moduli @@ -1,247 +1,268 @@ -# $OpenBSD: moduli,v 1.13 2015/05/28 00:03:06 dtucker Exp $ +# $OpenBSD: moduli,v 1.14 2015/07/22 02:34:59 dtucker Exp $ # Time Type Tests Tries Size Generator Modulus -20150520234251 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A740BE2123 -20150520234255 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A740D85877 -20150520234257 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A740E6494B -20150520234301 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A741120F9B -20150520234303 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7411EAC5B -20150520234304 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7412579DB -20150520234311 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74167053B -20150520234312 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74169B303 -20150520234318 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A741A3D69F -20150520234322 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A741C07E23 -20150520234330 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7420B48E3 -20150520234331 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74215059B -20150520234336 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74240BD03 -20150520234338 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7424D70BB -20150520234341 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7425C6CE3 -20150520234342 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74264FA9B -20150520234343 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7426BB34B -20150520234346 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74285D9E3 -20150520234347 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A742878293 -20150520234348 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74288D143 -20150520234356 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A742D55BF3 -20150520234401 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A742FC8227 -20150520234410 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7436032EB -20150520234411 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74361377F -20150520234415 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7437CCCFB -20150520234418 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A743902C1F -20150520234420 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7439EE5DB -20150520234422 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A743AE19BF -20150520234430 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7440152AB -20150520234432 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7440C2F63 -20150520234434 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7441FBDEB -20150520234436 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7442C98DF -20150520234437 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A744319703 -20150520234438 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A74433E927 -20150520234444 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A7446DF46F -20150520234450 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A744A3488B -20150520234455 2 6 100 1535 2 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A744CDAACB -20150520234459 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A744E9D8FF -20150520234504 2 6 100 1535 5 F8F4A446A6C7196643612A6C5CC26A47E491FB737740D68BBEBF0130F7AAADC59075781FB1723B644C0ADCE548C02E726DE5233C484FB4481F3EF3ED0585A0D687B2E0A6987AD2BC910754FC1A1E06B87710CFF0BC2E9868BA15BA20C103D3DCA6B65D8D0182B277F7CAE61D83A785BDD0B3CE471B4B8FAB224438D7A6772130167110AFD1FF584861996117F67B41CF3D2D5FAB020F2EB7F53E299AACF98797AEB6BAC3F0BB892DB4E4F8CDDE28C112C73EB556D0C381C6B9CC78A745196237 -20150520235007 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031E9A9C5F7 -20150520235015 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031E9CBB21F -20150520235039 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EA2E9623 -20150520235043 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EA33E3DF -20150520235057 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EA68038B -20150520235114 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EAAB0717 -20150520235122 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EAC2A7FB -20150520235125 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EAC82DD3 -20150520235154 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EB40583F -20150520235214 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EB94F247 -20150520235218 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EB9DF49F -20150520235239 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EBF7BE27 -20150520235244 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EC0B4F4F -20150520235250 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EC21070F -20150520235256 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EC36541F -20150520235307 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EC5FE22B -20150520235322 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ECA1FB57 -20150520235331 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ECC3C823 -20150520235349 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ED035187 -20150520235400 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ED2F07DB -20150520235407 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ED4620CF -20150520235422 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ED86D39F -20150520235424 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ED86E683 -20150520235427 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031ED8C3073 -20150520235443 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EDCB1F63 -20150520235450 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EDE00B77 -20150520235452 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EDE42247 -20150520235458 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EDF8F493 -20150520235503 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EE04D69F -20150520235508 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EE14B92B -20150520235510 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EE167933 -20150520235517 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EE2DC63B -20150520235527 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EE52259F -20150520235539 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EE829247 -20150520235557 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EED044BF -20150520235608 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EEFD34CF -20150520235614 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EF0F709F -20150520235616 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EF12110B -20150520235622 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EF25FE1F -20150520235637 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EF6BF4D3 -20150520235654 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EFAF28BF -20150520235701 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EFBFB8BB -20150520235704 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EFC7A62F -20150520235710 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031EFD79323 -20150520235725 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F0158F1F -20150520235728 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F01A9E6B -20150520235743 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F055798B -20150520235752 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F0730BC3 -20150520235757 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F08283FF -20150520235825 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F0F451E3 -20150520235830 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F0FDEFB7 -20150520235901 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F1828ECF -20150521000008 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F185D7BF -20150521000011 2 6 100 2047 2 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F18C58FB -20150521000014 2 6 100 2047 5 F7360753237CF1837003CDFE89D99C8149BE6C4B4CCD9D09D834FF137878C452FB4FAB5CA51BE6619BC6FEC4184FA9A96D21FDE83505B67262EEA4870FD709F4DD3A2EC36E5746ED80D762467E794FE524992EAC42D2F0F391A63E027F24411B231D25AEFE60C9329CE8FFB61A8A123C74F6755211C8CFD59915CE0DE28579B66CB426D111F90B19A5BD83AB8C2CAB09FB1F09509B029883BD154B82418B4F3A9EE4564E5F344D5B911C10829C1E975817EB2DFF49F34D95277897A7198C9C4921037B8AA091C380663A6D5260F98FA784565DE2D977C50A1079B485F4BE63B4E3D6A63FD8DD59704116A41CB1C7C2AAA449071BFBAFB0F867FCC031F191F757 -20150521000841 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CC7F06BB -20150521001025 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CD1057AB -20150521001131 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CD717D6F -20150521001248 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CDDA85F7 -20150521001453 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CE8959BF -20150521001510 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CE98227B -20150521001623 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CEF967BF -20150521001651 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CF18156B -20150521001758 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CF717197 -20150521001924 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622CFE1507B -20150521002244 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D0F75427 -20150521002509 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D1BD2823 -20150521002808 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D2B4950F -20150521002846 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D2E6D6D7 -20150521003203 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D3F5D0D3 -20150521003322 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D45851E3 -20150521003430 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D4AEE517 -20150521003629 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D5538E0B -20150521003714 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D58BAFCF -20150521003722 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D5916FC7 -20150521003739 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D5A378F7 -20150521004506 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D82B5113 -20150521004613 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D880CB43 -20150521004753 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D909305B -20150521004802 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D90DBDC3 -20150521005025 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D9CBF44F -20150521005051 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622D9E89DA7 -20150521005252 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622DA8BA403 -20150521005347 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622DAD07F73 -20150521005825 2 6 100 3071 2 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622DC5CE5A3 -20150521005858 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622DC84A597 -20150521010014 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622DCE62957 -20150521010219 2 6 100 3071 5 E0C2D7F7B6E4C69A3B6632FC77BED88CAC663CE39D91DDF017816529795F33B591F80F445BE16F8FB51D11861682154B904AE2282FA0462EB6C508FD7B7AEC551A6C630FE9CC7E17E660377558E4F841CD77AABD81E6A0988823047B3A00C2E50C33035987D6EA42C65FD776051F5D43045848D4385FB37482DC9E5133D1B75E34CC81C2B87C9530F5229FF2154604A286C2E257D3A89CF330AEDBA16288E852277C5D7C6AA947B4510625312DF982A30A4D75679F707EB325CD4DF65C7A58154C6C05E28545DE69673B3EA9CCD41529A7CCEB49A3392D23E9AB083148DD956F8CA9B8CDD76496FF95B5782EE888C40EF1201EB3A52CAE1A635BBF82CD479B38DABD6DEE7A2844F8C614215B04CEBDD41039C2DC2D1CF00AFC78C0363E548FAE1DE8A7B535CC41CED767BE05F300F50C59307061ADE1CAA4614F8FEFAECE8F8C5DB3F425B348A206B0E95703EEA8785768CDB53972422C75B58A7AEA2AD9E2546EA991466E6AFE1FA157D75D3F6616DB715D10CCD6B71C73051FE622DD9517D7 -20150521011229 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F951FEB83 -20150521011834 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F960399B7 -20150521012438 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F96EE7973 -20150521014010 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F99453213 -20150521015607 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F9B549727 -20150521015640 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F9B600A7B -20150521020946 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F9D5299DF -20150521021536 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F9E2793D3 -20150521022706 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877F9FE131CB -20150521023922 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA1BAC073 -20150521025234 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA3BC9483 -20150521025424 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA3FB3513 -20150521032445 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA87E0FAB -20150521032932 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA929F00F -20150521032947 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA92B272B -20150521033245 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FA9953D0B -20150521034828 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FABDD4AEF -20150521035044 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FAC298C7F -20150521035111 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FAC31F17B -20150521035749 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FAD250357 -20150521040009 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FAD788A73 -20150521040220 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FADC5F173 -20150521040316 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FADDFFC03 -20150521041042 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FAEEBDEB3 -20150521041443 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FAF7AD7BB -20150521041831 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB007D653 -20150521041928 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB025C91B -20150521042301 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB0A4C143 -20150521042631 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB12009F7 -20150521042740 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB145360F -20150521043358 2 6 100 4095 2 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB22FAE93 -20150521044013 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB31527AF -20150521044543 2 6 100 4095 5 C8BCE52E2AE7AE1EC20056B2D0764047C92392C9DF75C3A57EB8AF1062A809E6EA975D9910AA5C55833CC47D4DA76E92BF63FEBB289E5FE2ED729429DE9567D0A489FA27B41810066B96602B2E555B34628A37C4CE04984D15C36F1EAD09081D2CB2147D5F0B7E8BCF0774FFCF5F649E0CB797DD23D0801C153B6B8480828CF165C7ED3181F316F371C6EC0B6EF6B8CBE36E5A4E8C070854668AF07FE6C73C3EB817CD0E8C7F264546A1B0402AC0FCEBA5032EBA2323769CC401D262971F4B44FC1151EC4F6E761709FD6ABDC84D9C36046811F54DC86D293D16D235DC712BF7346CDAC005AE5C0DCD96480C9BD0CF7C4BD50026553E27F957B6640BA6A87C6642FF3D97A3E63DA468276E3A22C0C3F2A1CFFB4F190D5E23700BB468EA31FD3EB87B44B51BDABDB0667FCFB618CECFB2BC440A5F2E237E93A6DFF96AB3561AF5EE1BDA21720129FF2123F7038C70B4CADF1BC70B2EF5EBC264E1E3B2A4B3780D4A11507D03A498A556A923B0EFAF90D024341A47818F03D5ADD961086C2573DABF02C4E2F303817D323E1D8D88EFBE3F5E0D6688593C65254907745CA6176C8ED7D6B830875A0BA8FFEEB1882742A4553E4E55A93A7AD4F3224B7BFA03E29C77DB0FCCE0E37E6D3A64C5555ED9555FA1E2C34EC04DA3B6E0AAA7BF64879BC4724859FE806E7DC49A5394AD3D01492F05AE69CF10C67B18BDFF8E877FB3DDFBB7 -20150521004745 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F52665F2B -20150521003352 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F57C7B577 -20150521005557 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F591BBC57 -20150521014228 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F5BDF5CE7 -20150521015455 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F5C9CFD1F -20150521001701 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F5CF6FF9B -20150521002558 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F5D7C4FE3 -20150521003319 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F5DE41DFB -20150521003721 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F5E1B5FAF -20150521010943 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F600B866F -20150521014141 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F61F01EC3 -20150521010312 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F65EAB753 -20150521002914 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F69FD9357 -20150521011058 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F6C6B8513 -20150521013628 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F6DE7D9EF -20150521015040 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F6EB0C897 -20150521001307 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F6F15473B -20150521012712 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F7377044B -20150521005218 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F7767DEA3 -20150521003512 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F7C5546F7 -20150521005420 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F7D68EDC3 -20150521011347 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F7E859CF3 -20150521002429 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F819A93E7 -20150521004826 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F88D91A57 -20150521010541 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F89D29B9F -20150521012418 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F8ADC38F7 -20150521015506 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F8C91980B -20150521004000 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F8E369B97 -20150521005659 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F8F2B1BEB -20150521010328 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F8F7DD1D3 -20150521011152 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F8FF052BB -20150521001457 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F92940463 -20150521011129 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F95C47DCB -20150521013515 2 6 100 6143 2 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F9710A103 -20150521013841 2 6 100 6143 5 D9F2DC4F4AB3E451AB7781730AE26AE5AB1927A8F93D05C7765C4F23947CBAD218690437DDE587137100CA657CB902597743E8B05CB9B821A48E081C451227F5E42404534A28EE1D0A52FA903FBB15B79139D130420B8C7BD2477CDF0C06CF4C9943DF76A74C3B503B2229A5628E13983B0426A10FD164A720488DE3A1639D004B694ADB5216C21F481519865529CE6E3C9C8B89AC00FBF2B4C1F0B0033AC2A5072A157B5D4346950917B055227557FF1EB5F0873D75E648BEE4B6F88D4B228CB89C7602E34F85BF86DDBD09CA39993C73FF59B0310754F0D24740316F7D8D21D67EC65C8715B7130EBC8E19EB712990BBB30D650ACB0B7864B632ABBC2AEE7221393A5C74B043568043480DB41821A0CE1E6D271456C2FDC243D39868FB0D7BDA3FAD5894F7DCBBC5751B77B3DF99F6E8A5BD7A5B82F594E3E0CA2BBF7DA74312227B323652E6856B597326206CAFF2380C23CF94B8CD3EAA56BE60F8C372887CD37A62FC6F5FD467ED96E7CD9C285E75C2C353E520DFB3F39FE7B8E35FFB485B1B043F52321675EDF4848266997D059810F71D21E9DB3E3AB1BCE3713DB67155F41B7C21939B285AB63DBF1770228E4EE36314310D89200F132E8ECF2968CDA0E57DBBCE589E4DDBAD009994A817032EFA52F0659A319FBD813901BF5847EC2D7979CBA5870F3DA25BE09673952628E1EA70C82EC0BE67B402E48DF85C5983516BBEEAB811D1ECAB02928D4087B826139D073501149D47B3339CDA763840E4492661FFEF96C81C816B862EEE820019CD83C93BF9DFF8EC8C59331780D5D86B164EC12BBE59F4C9E62FD7819A941D10AFE32179B2361A17618FA84864F58C09AECB817E67BC352371BB7D7F8209E4EB9002013A585092D4721B1CB464A8480CC76173989144EF51692E373E9CCEAC9807EF190D6BBDD3BB0D16CA87DC6A54890D6F074ABD83E3CF077F2F592C0745BE15D7D6871552BB6139E5CF70D684C6D1D0C4516733E0639BBEC847313BE3D1D923B6A5FAF43A5341DD8C0779881BEB92736BA4F18BD6CDC1FC922B3809ED244748101A6C7E30DDE0C232FA3F9733A497 -20150521041810 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7BE934407F -20150521070624 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7BEEB1E407 -20150521051555 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7BF50EEEC3 -20150521061258 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C00AF225F -20150521034225 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C058D5963 -20150521035956 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C0616723F -20150521054248 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C12F16C3F -20150521060112 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C1379EA23 -20150521023340 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C165F2773 -20150521043505 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C1A3EC717 -20150521024626 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C202ABED3 -20150521064303 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C27790087 -20150521060604 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C2F9DF583 -20150521062143 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C3003EEAB -20150521044311 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C363D0A77 -20150521053731 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C37D6EFCF -20150521065640 2 6 100 7679 5 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C3A20A2DF -20150521044717 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C3F622E8B -20150521065426 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C430ED7CB -20150521023632 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C445E575B -20150521032945 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C45EEE643 -20150521054538 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C49FB77CB -20150521024620 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C4D86D0FB -20150521042108 2 6 100 7679 2 D67DA234F46097F7EE3B230456E7C895BCA86395DF43D60D9D587C64EA4525FBCAD22442143068578CE8ECC8280B2D81F747B484AA668FFCDBEB067EB824B42E5FA1A40BC08EE8CC4A064298CB31C36340951EC7A006878C79C80068196180DA31E1DEF79A72B2D059203DDE461485D1B9783AF79E981CDAEF88589D8343E5B52D96FE90EA13194AFAF7459B17B80971720357ABD09CFE992966FFC1C239821C910F55D69E44277E5DE9841F4E5B2D25D6A265D321059B762F7D6AC5F0E260DEEB628D32940002B219B354486CC5BBF6390F19899EA5E145A28487029DF0517564A81FA10FA60AFA04CE77794775392829DB636E7F5EE00868D5027A6BA75CA922CEF3CA78683D14AB2E58439789033ACF441236F5E3C7849E3662B5123304F82D0061EA9C18EA1676A736FFD628AE982CCEAB8979568C43FB34207E0DEC7D8A6AA391846C910F77771ECF2D0531A234D3798BC1B1433091A895E23A77792F4BE403D526F1D260A3627F2E80E863A204A774F58D7DE2C5C4A7E463A46BC436F0B7AF07179EC334D31073BF035FD94454ECD54146473F786EA15A1CEBB3B9C0D282195AD612D33B31F5528DAB5231CB17A3DE9AB5C8BD7BF8F773C255845BC9B70A1E53A50E5AEA801FFE604A2B2C1FBE86A2A883632E7AE75ADA007FB6AB1AA529DE3151CAA8D1D07FA19EFF5679398340E720CF2CFC4E1AEDD73C44983CC8E610DD419AE2E88206573837D6E44018D9498B62F9C0B8EA7741450FC7DBFF7C546D3CBCBA5B9123577FD5531880A18F1275F9181A922803D8F03512C58B5FBBC41CE8095EDD920A3E36CEB6EDB56900E6CEC2928288909D61B3B426EBC54F0A69C261A848B358C3A8E332567B9FFC1A7A07E9414BB1F75DE0795CF87632F5D6A87A246FD4E98E70489F779FE99C5BC4DB24BFA860C3551888FC721CDBC6AB5783B02BEF893E0984B6FDB5142A1AFD3277FE8F36B87849BC00B3FB3ADAFE4EDAE4839B83894C27FEF93514D7E3FFB7A30E99C6875D96C582E81D45FB463DC37B8791FC28A759301FC2F9879960C82BC7C427382A41B9AEFAC0051A2C653E55A47B48860CDA32812A192C1508A6C012C7E4BBAB1619B7926549FD8CE27928618F035BE31D56CBC9586D88E00DA69341F6F01554E205344E49E8871CCF80F9FF5CB54479AFA66806DD02FAFEE7D43572B3AA22742635FE65BFC8004960DC679FC7F8C0E5B50B3CE1E446B7A5E189BB9AAFA06FEC472D6E67EA4905373A01A2B662F534131405FBAB9BBAE892F0C265439EA1ABC91B186B5AC1E53A0C786607B1069BC026359955CFD614D7F80DF416A08AB18991A0398A83DF3CF2D65D7C505E524B -20150521041835 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CD3703FA7 -20150521051726 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CD4CEF96F -20150521074626 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CD86439C3 -20150521082439 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CD947F7F3 -20150521012012 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CE0694343 -20150521073153 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CE93D436F -20150521094433 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CEC4EE993 -20150521074128 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354CFA190CE3 -20150521014004 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D0235296F -20150521014736 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D025961EB -20150521065737 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D0961218F -20150521043653 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D163706C7 -20150521085322 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D1BC6858F -20150521093922 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D1CC27FE3 -20150521120407 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D1FE2874F -20150521124157 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D20A8A19B -20150521035417 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D24E0665B -20150521062806 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D2828F7AB -20150521074218 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D29B42017 -20150521114937 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D2F027D3F -20150521073847 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D3905A9FF -20150521024512 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D41DB2FFB -20150521024827 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D41E2852F -20150521042402 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D43D9B0E3 -20150521083756 2 6 100 8191 5 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D491D852F -20150521113241 2 6 100 8191 2 D7182545CB6AFDA1CCF5BB87F606DDD1CD25D4BAF110D7CCCC0BC78929189C09DC69308FBF76A16338AB8351B974081AEFE6F68B9DD0B3F661ED84DAF8736BF328122D00A803AD05DDB334CF5C98B2670F0B2ED0E2FA602CE2F6157A2A8E649A546957CE4F723C84B6AC46D64C5B329304181F2B70F48D15181C38777F4E18BB0344F5DAE703CC3A46B670713A7B99E536D30F92D1E5E683F2C5540105F425E01234968D1A63E0220A02721183E30302F029E4D0E0664E30329B730D99D03E53D67793F31BBA6C4274FB2ACA9181655B766246C598E4CD402737B682232B8534BE43A790ED6C04EF8047E1796048099B65EF415375D87BC7A01CB6086C9E23B667D22F52F5F44D6960601C15515D14F7D6A6BF6D7F6B1D834866ADF9FCFA1CDE00EF04C05591B05D4752471F124406D034BC8E6D71E03880BD3E7A77FD22E7D90B90A491E528EDE2E4B6FCF7C638883A4CDE80AF2C839569A4FB641C7B8948200DB0F51CA9B2613966C51F026A007D0696D14A4E4897556C7BB0E60A407B7B8C57643F278A47CC8089E24D38BAC1350A0E6D19FE540A773B8E90A6312D4B038C643B03ADDC741BDD3012F7714863BB63688E6145D47A6F40D15D6485E5AC278E229EA800FE705FEBEB2183CEF7C55DB952B627D4890B45441B3D4CF03BF0D132A7042C24447518B14956C11703131981CD69D7B6BA2A9F8C62057FE3A4319D17739DE0BBDAC9600E4809CD856E5F41C580863D93C251F0A31BA1CBCCAA499FEB79184E165C436A3B2FA9791C4526B47B0D1F6FE3BDE2730421E5DCA10483D91AA873ABD1236674EBE3A0D134C685CCE9D632280AE11C0D9CF7275517C1F14BCB81F2B23860D86F5028B21DF85868972EDF70A0704B3853EB1B16970834C661BC65693D38368DDB0D6E781DD2F52AE279913304601F5709E1C4B1A12B0FFDA93369001186FE8716027667F4B816E927A9977D3030CE211F4BE8B6F48836EABF4D8457FC5CFE39DF5BE96146D3B8C5BA11C3D75D252B0C190DEA5757049DE6BA89249166D60163ADDD38EAE171B53D44E135973AA05293AA7407693AE5478F480A3BE97BACBD8C7DE6EDF39EFB8BDDF8B0A2169228FD98A863C450129C8BA561A1D0F29C4EC75060A27E028E1321BCF7ADCB34B2C2B037E2C6B705F74002E0C844092025A630CFB2105F04D40135794DDF30C7E19187AE2AB8E6296C9EACFF43279F0ABE6E1150ABC2C3C8A6C4B95A7AA18CFBF953BF7662C16A0FE26D9EE7CF62BA16AA87B06373082E7551F42B8BE57BE19A50B059DC652BA46157FB7CC29AC1BF2834E668443637F87B2B12FD338706D69935D2C6348CF72F568B89B66345BF42209AA6D898F4388A54B4CFFD735EAF987CD6B738B401A14FACDAC97F63529118ED56DFB7DAC4967FFA252D185DBC29652E3F62A45D6BF990FB354D4CAD7D8B +20150522025931 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD18DA1F +20150522025936 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD3763B3 +20150522025942 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD702B8B +20150522025943 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD77C283 +20150522025947 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAD96C25B +20150522025953 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADD9B3DB +20150522025956 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADE84F07 +20150522025957 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DADEC1DB3 +20150522030001 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE0E297F +20150522030004 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE2A1E23 +20150522030005 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE2ADE53 +20150522030008 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE47B9F7 +20150522030009 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE4E1343 +20150522030014 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE715CBB +20150522030016 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE7BC9EF +20150522030018 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE84579B +20150522030019 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAE8A564B +20150522030023 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAEAF7AD7 +20150522030025 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAEB9DC53 +20150522030027 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAECD976F +20150522030034 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF07F063 +20150522030034 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF08ACBB +20150522030037 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF192C07 +20150522030039 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF241333 +20150522030040 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF255B3B +20150522030044 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF3DEC37 +20150522030048 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF60F05B +20150522030049 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF6255DF +20150522030055 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAF8EE01F +20150522030059 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFAD237B +20150522030104 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFD13587 +20150522030105 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFD2BE6F +20150522030108 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFECF32F +20150522030112 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DAFFDEED7 +20150522030115 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB01CAA63 +20150522030116 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB01F3647 +20150522030119 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB034B30F +20150522030122 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB04822EF +20150522030124 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0528867 +20150522030131 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB08D3CAB +20150522030136 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0B10C6F +20150522030138 2 6 100 1535 5 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0C688A7 +20150522030140 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0CCDF9B +20150522030141 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0CFD81B +20150522030145 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB0F59763 +20150522030148 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB10339FB +20150522030149 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB10E3ACB +20150522030150 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB11127F3 +20150522030159 2 6 100 1535 2 F4EE15F22E5F49997A027769656DF0240598C9470C7D67A7D7DA2777883C1C243A6F3D04E1CFA6A0350B165ECABE89A684C11ABB7E5B93B54FD6EAC85BBA9F23C6306E485BB9AC5515ABC739CE9B1A79F7DEF6D00B643856DB903E23E7F985EDCAFF867FE15498E7EF6A91057DE337A9AAEDE941C934E65243AC7888A33C78FB2490BBA2BA06F18ECC51DE9AA54BADD061CC5BE1EA060CC3217CA11E26772BD088898D2882CB49A9FF40168E49AE6A90EE1F61132E1B6E4E7F99797DB15B8BDB +20150522030634 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8ADB54257 +20150522030715 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8AE6EF847 +20150522030737 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8AEC5D76B +20150522030739 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8AECB604F +20150522030742 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8AECF538B +20150522030756 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8AF04851B +20150522030828 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8AF867683 +20150522030905 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B01F7E27 +20150522030909 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B02AFB8F +20150522030918 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B048739F +20150522030930 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B07661CB +20150522030938 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B091EC43 +20150522030955 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B0D50D0F +20150522031007 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B1023673 +20150522031015 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B119500F +20150522031036 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B177EE9F +20150522031056 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B1D0030B +20150522031103 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B1ECC193 +20150522031125 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B24C9CF7 +20150522031136 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B2774773 +20150522031208 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B2FC9617 +20150522031220 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B32FE6CF +20150522031228 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B345AC93 +20150522031248 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B392E18F +20150522031256 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B3B32FCF +20150522031300 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B3BF5B2B +20150522031311 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B3E840CB +20150522031316 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B3F5F9D7 +20150522031334 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B439F28B +20150522031337 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B44025D3 +20150522031339 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B442AC0B +20150522031353 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B4788613 +20150522031356 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B47F8FDB +20150522031401 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B48EAEFB +20150522031407 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B4A1CE0B +20150522031420 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B4D73D93 +20150522031425 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B4E9937F +20150522031428 2 6 100 2047 5 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B4EFD4BF +20150522031436 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B507149B +20150522031452 2 6 100 2047 2 DB36277B45EA5615C782C08BF6A290A3D61E6B9690E4A147042113FC1BFC0AEEC5FB0FF82FC1FEA86E273F667EC387FEF3421FFFC617A70C34B1987986C6B35C715713914AB75932A3D1942ECC0F324D81BF00D59916B3BFDC7BA432AF5C5DFCF30BF4A2C80B8CA52A9B80E989D3A852BD81A8BD3ADC97497F43C6F0A90882D9CFA165CF1F735C96428BF9BC32A58B71CF1D4FD48A6D2C616E91BB6E07C5CB0DF0C59DAF79D659C6E53007843497BBEE5B341D27DE2E2543B8DFEB4DDAE6328EAD441C3F36509C1FA689FE494B0426ADCAF9E567A1C5A3301689C5CCC55EC4002FAA5D254C2F3C0F8636BEA7019D1CD212B74EE4F273E0B9997720E8B54A3243 +20150522032348 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF98368C951B +20150522033023 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9838C4B4F7 +20150522033224 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9839729F67 +20150522033330 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9839CF938B +20150522033506 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983A5AA27B +20150522033539 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983A849987 +20150522033610 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983AAC8A5F +20150522033839 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983B7F9067 +20150522033952 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983BE385D7 +20150522034001 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983BEA4367 +20150522034055 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983C305BC3 +20150522034123 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983C516EB3 +20150522034146 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983C6D1017 +20150522034241 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983CB6A553 +20150522034528 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983DA8F54F +20150522034544 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983DB92AEB +20150522034719 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983E32A87B +20150522034748 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983E589F5B +20150522035227 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF983FE4EA2B +20150522035328 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9840340683 +20150522035522 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9840D77183 +20150522035721 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF98417632BF +20150522035808 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9841B795AB +20150522035847 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9841E9F357 +20150522040046 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9842863803 +20150522040057 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF98428F98CF +20150522040128 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9842B68EA3 +20150522040136 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9842BA209B +20150522040232 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF984303E883 +20150522040546 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9844117EF3 +20150522040607 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9844276407 +20150522040733 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF984499981B +20150522040850 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF984502ECCF +20150522041059 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9845BB3AD7 +20150522041141 2 6 100 3071 5 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF9845F34747 +20150522041538 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF98473F522B +20150522041645 2 6 100 3071 2 E409DD3E1471472B9A1A2C64FDDC0EB822C4485590288E209141916DF6C51125FCF17ED5F4226F63928FD7E9C60DEC3B0A82C6DF10C33E0CDA2E200004C3B89C7BD872CF9572374C7590F8960C97E1A995319ECABF60C00DAC39A8A4A4196638FB338F47445310F2424518C4ED9C789D17D591DF7B2CB11FC320AD7C84376EF838077C5C81BBEE2BDF38F8716E94F756919654AD5BC8FDF9CD644F0B1F604DFB7CF28B8AD55576458DB547348E74101FA39ADD0D5675E2BA2FA074C2BEC53DCA68A1F49E3F5EBBE9069C7BB20A0ED4217C8D8FE99DC3DDAC05172EB056C6173306F604B90079CEAD87AA170EA89E38C07128067C48695040F766131E9E8459FB71ED94BE176C9F827BBAB219E1BD7A4C7ED9FE7FF62E844B0915C9ACD5B17FDE866EC34C44C348C23CC303D6E7AFDC55AAAC007BF3C67280C13C9801D2D8E0739680257CE5CEBD5CA0CF24D2CA6A354D5D132A72D2ABB2E50D257B5A6DAA038683C1A433861204570824D0734402498259C171BB58DA074D22B1DF98479B35EB +20150522043157 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379177A90103 +20150522044043 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379178F7604B +20150522044434 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917986809B +20150522044641 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379179D34D9F +20150522045152 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917A93F48B +20150522045648 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917B4FEA03 +20150522051224 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917DA8111B +20150522051844 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917E9226DB +20150522052054 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917EDC16FB +20150522052204 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917F0058A7 +20150522052248 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917F16842F +20150522052650 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917FA2234F +20150522052821 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37917FD2EA1B +20150522054416 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F3791823EE827 +20150522054652 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379182978693 +20150522054912 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379182E6E57B +20150522054941 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379182F0448B +20150522055008 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379182FA0E27 +20150522060835 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379185801F93 +20150522062202 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379187943813 +20150522062512 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F3791880945B7 +20150522063933 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918A32FF83 +20150522064222 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918A910AB3 +20150522064452 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918AE83E73 +20150522065035 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918BBA1623 +20150522065634 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918C920633 +20150522070134 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918D471AAB +20150522070306 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918D7B1063 +20150522070332 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918D838D0B +20150522070807 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918E2B8B67 +20150522071420 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918F0C3653 +20150522071508 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918F1EFFFB +20150522071555 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918F35E697 +20150522071903 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37918FA47DEB +20150522074443 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F37919363872B +20150522075339 2 6 100 4095 2 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379194BA4383 +20150522080128 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F379195DB3C5F +20150522080506 2 6 100 4095 5 DDE41D7021F9DF8240D0BD8E14CE1E374A4FFDD073767E84C8C347B6F832731277F9D333B8BC7CD96ED164DF5C6F26E46E4BAF0AA7C87B26CE3E11042C1BDDF76095E50D7772E5DC0C48EBA0E41EC92EAFA655DA1B6C614E1F0F9AD815BD7505AA9B8A265D13956B5A26141EE812404DE13B821C9B7BCA9982B8CF7D862F8E8A373FEFEE4AE46EC2122519A2AD896ED18CAECEF314D1B98C83358B6E9D2F3BC58C1688F162E3CF1FF58E57E7B9E14BB37C9C9E9692E57C42937141C226E84C35B42DED9055A7F366A61C3CB4899B499278ED4C729CC1DE54827E882290F9FC13F7F1488F897698EA62A99468D6F3ED0561816C39B8279154FC7A8E453CCC4EB1ABC777A397B694E1B9866C2495489F94721A3351B252D05FE6C7857929B34C19A8EB42ABED88FA370DABCA83A245DC35CFB399824D127507AD540054C647F61C6BD11CAFC3FE5277A1014DF6B538BC8BFE009315BCD60E020DAB840B8A4219EBA4E349680BC7CA3A9BC36164A3D36E325C530B178747814F575899126B307EB63F910DDE0F09E5056B2F9F7E230A42C11DDD34A9B23A64090C2FF9C7F3DD696E6828613E74A64CFC4046ECFA997BE84981430D8A7F8AEC63001E50AF9F556567A0065A9A013A66A2737CEEE468D6A15002358AC648D862B0618E6DD6A98BBBE9E68174D9C9FE4568BB2D12083CF6892B6B8D58307944955A987F3791965094C7 +20150522083733 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C514C4F88F +20150522093608 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C517A26827 +20150522094040 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C517D03757 +20150522095314 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C518686A8B +20150522101845 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C519A641F3 +20150522103233 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C51A4A87B7 +20150522111208 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C51C3A7B9B +20150522120305 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C51EB16CF7 +20150522122813 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C51FE5C353 +20150522132032 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5226F04CB +20150522141054 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C524EBC207 +20150522153656 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C529553A9F +20150522154114 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5298632F7 +20150522154826 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C529DCC5D7 +20150522163842 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C52C78C8C3 +20150522165625 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C52D5A1C27 +20150522172408 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C52EBD88E3 +20150522173745 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C52F69630B +20150522184340 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5327AFF1B +20150522190348 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5336CDC63 +20150522200705 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5366C1207 +20150522201200 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5369D0A6B +20150522202855 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5375B287F +20150522204401 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5380EDB4B +20150522205115 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5385D084B +20150522210056 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C538CEBB3B +20150522212110 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C539B27FE3 +20150522215602 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C53B4E825B +20150522222840 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C53CD37713 +20150522224719 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C53DAAAE07 +20150523005800 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C543D2802B +20150523110456 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C549CAF02F +20150523111755 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C54A5BCB0B +20150523135850 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C551C0E2B7 +20150523140345 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C551F4D6B3 +20150523153045 2 6 100 6143 2 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C5561141EB +20150523170349 2 6 100 6143 5 E49C8871D7F1191BFDDF2C21369599F9E9F57F502A68C5AA4B87527B218B90EB8F33F3D6B4E379A17BA18BDDA81F2DE8B15EABBF424BDEF329D792093D88EB5536D5F165F767F08AD2220E0005162BB37BE7F45B2574F2BE5BFE4262623C8895A803F747E3BCB0DD396DED524EE1E9B9EEE82C741A1F8ACA2E6DB05CC1FE8C2A7DC50F1F019FD74FC6FFBF38ADA2D36A7CC8DB2C7961C154A74BF0086C173AC7A22B266BBE9974459A7EFDC2F0CDB2F9E288527FD356017FDE01AE17A954561197E18E4AADAF0643860328FC9A2D8A5073348DAD615ADF1AE4AD5BA1630437AB4F7948FCB3D33CD225AA6661DD2AAFFE774CA01F0BF8A2DB168D8FFF3A223E3A60B039E9ABAE8E4B6A37B7E8F77A3EC2D1714B79DEC2ED2BCFB39A4FAAB8913D421099623BCD1DE50B419173236D91E09CFCF544161EB4CA8A45295D812708E349D2118EFA3EDC0F86D3300A80C36D77CEE41441F84BBE663413378F2CAA58F6915B5B3CD799541AD5CCC74B76A59555EDC3B6ABD77318E0A9E6450277DF93A882C6F3D2E13E3BBE361BBB2813A2A269324D7FD2D9437AD065CF3CE698BE08857E5E22800CDBC0235AEB364301AF3170C24B8A68B7B038499F788040E86376DA7DB517751F4FC6D1D3E1C3FE8DDA27B69D1281A18D6D2DC92C2E471A4B577F789E5D397C68B738DBEA06FF55AC1D1C177E3A51D136055E379CF68C27DBB6D66771D9ADFD846CBFF9EFF5B0BDC9EA16A8817243451A93545D19DCFB3DE1E50936A62CD98379ED37C13BE8D71DE48E4115DD309E67F676B0CE88B60BDCD0CAB98878A17E67E20723DE50DB3599485E25687005AB55407632E12AD919498F562D2871A55FEDB76F113D1E92AD5E4D342B45611D9F844BED39B36E5225147D3F6BFEC6C6CA88C423ED62781E29EA9A9418500E7419922E51210FA767153619573EEB19609C77212D6A9724295FBF0A1915F33074D5225E9BD0C6105DA28F1B0E5F43EECBE67B18D5FE74FE60CF87800C623B13FD6152CA913F91ABC5113FF0CCFE362C30DF8F369E08DE8D57222DDF659AE2458C7B4225AE583E178328C55A59DCDF +20150523191201 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB470CDA3203 +20150523215157 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4711A72AAB +20150523231527 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB47141BE273 +20150523235422 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB47153C4A8F +20150524010823 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB47174C4663 +20150524013736 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB471810100B +20150524040115 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB471BEA9823 +20150524051719 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB471DEF42C3 +20150524055417 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB471EE81B27 +20150524104925 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4726B43323 +20150524105636 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4726DBBBDF +20150524130121 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB472A1294AB +20150524163025 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB472FBAE453 +20150524163715 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB472FE1144B +20150524173410 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB47315B458F +20150524181655 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB473268D4BB +20150524223625 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB473917D17B +20150525001303 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB473B95BAC3 +20150525011252 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB473D16F0B3 +20150525020522 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB473E60DDB7 +20150525061910 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4744D20B9F +20150525092924 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB47499CAF77 +20150525124039 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB474E6A2CEB +20150525132602 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB474F854D7B +20150525170642 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4755495933 +20150525201019 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4759D07FB7 +20150525223942 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB475D6E1C07 +20150525230547 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB475E0B3487 +20150525234905 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB475F115D93 +20150526002510 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB475FE94D13 +20150526014857 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4761E82A83 +20150526045853 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB47667CBC4F +20150605090211 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB476DA5F0B7 +20150605145212 2 6 100 7679 5 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB4776229827 +20150605174343 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB477A770453 +20150605182015 2 6 100 7679 2 F829F98FA9F017F2B534A1ADF10BFE7F46E24D09A1EA89D3BB00CC679F6CDF5107A8AAF6F1AC8581E5D52174BA79E05DC2D61FE0B3F10B52520086FF4BE33841858D569DEFF006D6145E062E37CB2A225BAC5207DBC87BBCBE31A12678F8BD3E64FAFD7DA004CA67EED97A92C511BBDB5CAE7D563758EA45BD2280A91209C417093F079E901E48C80702D0B5420C21A571B133299B590EB3ADD67CB1538D85F03C2EBF2A0E1B64C3CCB55CAE257C3939E2A48DDB50B557BFCFFA891EA55D2CE29ADF58D94887170E2EF8EEA14D83117793B2EBEBAA5DAF26F118C53F3F50EF50ACF4BE634C4714F05F198D0A10C91C789C08F9CE84CE238FDFAA6368A1D971450D3A05B279DC0DB0BE57E7B36ED42FC2DE0989CBF4881F59E1C3EB80C8BFA7A9B4493246AB0977F26E368179D4269DF732C935A7901E34042CEBA93FA7B5F2BE7765D1568F83A82D0A556F973DEE714AE348EC6EE73D06E5746D7CA7A2172053350FF03E2B2483F6F5CC20CE2FD44CF81187EE3A28073C4360432BA958FC71C6B4609208610001B762042C20951BB46D484A4D018134E581BAD41EABE16721DB572B76921A6FDA278B4DBCD6E479D89D8F076A3DF39BBF6A81A1529BBDB06A75792E3CC2AE7047533465FB0C4BB6F0B16A2FB13B5812E5AFA8BC06184CB8620700602A9F3D1194EC7F98FF6858CFB26161FA3903301F7F54E8946C688B91631BF8B2452255F7EA8BC66FA9CB2D12BFE8437330956902B5D04469F45AEBEF0CC2F49791EE958B7FC791ACC0BC6A0DAAA8BFB2A5EB49628051F42A0CF1FA0EA33E9EFC8DED03407EA35D1D6E7F09D278793C9E446F99E3A9D6EB93A07FFFA8A16CA1417D776A3DC2D621F3D49A7DED7FC3274228EA72E2BECFBB071B8F1EEC99F04E62DBE9D6F781B3E4078EE28596222A387E87FC7213BB49AFDB79E549B5533877A8FAAD0A86F34AB36B26A48E544F5175EA498E57E6CC8B72924F2DC0B4C4A6364E667B11E49AEF39CE132086650954863BA4BB734A8A13945901802072BF924A6B38BC81E10E3EB74330411F10E259D58C9C4C5F1B4F40E85F11D12D0A5D4F896E24ABBD91E80EBCF0446B189705C133E113699D589068FD67D1993917B9349D380BAAAC594824051275D3AFA8BD3434AAB6C30CC9B6E687AD41A20DBDB890D36571726BCDA2B7051E1BC227480C83F2352A9DF08EBCDEF39936BC26553279246E536F26FFBB65176F4FE67B21658DF22C344A260B4AA8A09F354ECF50B8505F2F6AE4F99F6549CA139B730DC3618E6B5B70966A4276848266CBF23F0FEE469EAF298932EFBBA50E719BFF2259504A6D23938DAD104016FA91EB477B32F0B3 +20150526114135 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE95C238093 +20150526114600 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE95C32EEF7 +20150526134901 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE95F067BA3 +20150526153127 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE96179B9CB +20150526164245 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE96332D5AF +20150526174513 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9649A719B +20150527035812 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE97262B7F7 +20150527075726 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE977B43343 +20150527112120 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE97C1F6EA7 +20150528010450 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE98E4FBCCB +20150528020450 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE98F884B93 +20150528024708 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE990692277 +20150605205801 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE994DC793F +20150606012116 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE99A681C6B +20150606055158 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9A0264EE7 +20150606071549 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9A1DB0223 +20150606132241 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9A644DC6B +20150606164856 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9AAAAEE73 +20150606183208 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9ACEEACDB +20150607015742 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9B6ADF38F +20150607022317 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9B733A2AB +20150607051100 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9BAB79D47 +20150607064815 2 6 100 8191 5 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9BCBC8A17 +20150607120629 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9C355FA5B +20150607121012 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9C3600A83 +20150607123508 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9C3DCB093 +20150607144400 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9C680E5AB +20150607145646 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9C6BC5BC3 +20150607201140 2 6 100 8191 2 C64DCFC087E26CA2C02394329FAB07FECC446B77A6190D0FFB4326006E0F6D755C35C82228750F80F466E5E6C6FD70A6D4398BBF24C8B4D4B27A38125ADA4D087A7051B2FFCDF675AB1AD9A3A4EE3071B75A8DBEDD879C1B4D396FDF862B2C192B5EB832FA23EAA10DFE795435545882854A0F3BEB476B865E6ED98E43E49950F2FDB00A0E177FAAA3162AE6F513DAFC9A55676C0BC5B87A1C79F98C1A93035F3B39BB24C2C398DA1AADCC16EBB918407579D24ADB3826725E2B4BE73129F28181BD3A1CFCA78712592F8C58E8AF3BA7D7DFFB538AA2476467AC75BFD4C884949C58A0BC8D820E0AE5E0280E083401D239F63649845FEB53444126D137B3A80D4EBF5839263C302FFC3CA5F653B2D93C4AC474D489ADC4E1379BB7FD72950B57EF30FF579917AC9999B4136C030FDCB6121E6F7222227206EBA69DEA5E7DDC7F4718E24E3E4D6D17A81F18E0D376292ED3BB744C66B9ED4BC90F6A04E953B952F794F01372FA88558228C70C97C01D5350EDEE0BEBC99BBD696AE2EFAAB1A0767DCAB15C52821B3243388CE729957668B385A050651F38702C5301A92180A8B84FDF30A74A23E34D9690EEC35A4B644B97DD1558933D7D3DAFF826C942882E223C79EEAE9835F972C273139C396E519D124B6ABBE233548EE1B00B87F7791611DF2E47343368D333C071E231F82914AAE51CEAE790410A6D11D6B82067A9847C945E0BB32310F8370C81636FF68BE65137C3FA912E4C1147F49946C198E1E15E04B8FC7AFFC8465A182E81976C5ED5C2D07F3F6AA25ED27FAC527D6126213BCABC49E102D35AF81E2A694AF0EF83DF6A687E8F3DEEC076BE08A7CD1A3B81C4997136880DB4E7E37B56082F10702F0BB646C7C8A760E297E2A39129BC4A3D0EFB9C3FA2611F5E545F2DC52E013FC49353553F46DEBB59817E18B701689B7A755E609A1B521D72DAE5CBCCE7059E8DA977C97CC87ED8118A2A0011B5ECCCB53785EBDD8986B0A3B36538BBCF4C27DCA06A4B35A9F9920439A35445A0703B34269EB2652999D041912810C06C5742B2AC9B23522D6A2AA3F38A699170B90EAE64509BBD00306C6AFB78AF35EE0D0B504500D5A2AECC0170C2B97620B4796CF538B6D867297F8EC1B08B2F4AFD3534FD9775200BAC298A216AA2553964B7A259D738C84A4035A2BAD35F2AA67CA197D9BB0658ABAB4AF6261C74F18D3D98A5B22C24476FAA8DB9F4FF2621CA01F27C8AB6157F6A1E7F0900CB3F2EEE44D77AAEDC77F24B0E2288340E9A371ACB021407C3E089F61FF0F8469EC9FDFC53892B47CDD0E63748DFE8F814AF7755E6B08491B0CBF8A3A847A922798D28FC72CC9AF8F9299D7B59E1AD1054A98488DB158D471A2D66053FD017238A9B9114393CB4BFD48B8FAABF7E4139E62F533CCCFDD9189E2FFBBB8E488B25B13B17BBEDE9CD3C4A03 diff --git a/moduli.0 b/moduli.0 index 1c580d4..087e596 100644 --- a/moduli.0 +++ b/moduli.0 @@ -71,4 +71,4 @@ STANDARDS the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, 2006. -OpenBSD 5.7 September 26, 2012 OpenBSD 5.7 +OpenBSD 5.8 September 26, 2012 OpenBSD 5.8 diff --git a/monitor.c b/monitor.c index b410965..a914209 100644 --- a/monitor.c +++ b/monitor.c @@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device; int mm_answer_pam_init_ctx(int sock, Buffer *m) { - debug3("%s", __func__); - authctxt->user = buffer_get_string(m, NULL); sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); sshpam_authok = NULL; buffer_clear(m); @@ -1168,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) int mm_answer_pam_free_ctx(int sock, Buffer *m) { + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; debug3("%s", __func__); (sshpam_device.free_ctx)(sshpam_ctxt); + sshpam_ctxt = sshpam_authok = NULL; buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); auth_method = "keyboard-interactive"; auth_submethod = "pam"; - return (sshpam_authok == sshpam_ctxt); + return r; } #endif diff --git a/monitor_wrap.c b/monitor_wrap.c index e6217b3..eac421b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) debug3("%s", __func__); buffer_init(&m); - buffer_put_cstring(&m, authctxt->user); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); diff --git a/myproposal.h b/myproposal.h index 84b63bc..46e5b98 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.44 2015/05/27 23:51:10 dtucker Exp $ */ +/* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -93,20 +93,15 @@ #define KEX_CLIENT_KEX KEX_COMMON_KEX \ "diffie-hellman-group-exchange-sha1," \ - "diffie-hellman-group14-sha1," \ - "diffie-hellman-group1-sha1" + "diffie-hellman-group14-sha1" #define KEX_DEFAULT_PK_ALG \ HOSTKEY_ECDSA_CERT_METHODS \ "ssh-ed25519-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ - "ssh-dss-cert-v01@openssh.com," \ - "ssh-rsa-cert-v00@openssh.com," \ - "ssh-dss-cert-v00@openssh.com," \ HOSTKEY_ECDSA_METHODS \ "ssh-ed25519," \ - "ssh-rsa," \ - "ssh-dss" + "ssh-rsa" \ /* the actual algorithms */ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index cb59ccd..1ff7114 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -70,8 +70,16 @@ void *reallocarray(void *, size_t, size_t); #endif #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) +/* + * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the + * compat version. + */ +# ifdef BROKEN_REALPATH +# define realpath(x, y) _ssh_compat_realpath(x, y) +# endif + char *realpath(const char *path, char *resolved); -#endif +#endif #ifndef HAVE_RRESVPORT_AF int rresvport_af(int *alport, sa_family_t af); diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 4637a7a3..f36999d 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -278,7 +278,7 @@ oom_adjust_setup(void) verbose("error writing %s: %s", oom_adj_path, strerror(errno)); else - verbose("Set %s from %d to %d", + debug("Set %s from %d to %d", oom_adj_path, oom_adj_save, value); } fclose(fp); @@ -302,7 +302,7 @@ oom_adjust_restore(void) if (fprintf(fp, "%d\n", oom_adj_save) <= 0) verbose("error writing %s: %s", oom_adj_path, strerror(errno)); else - verbose("Set %s to %d", oom_adj_path, oom_adj_save); + debug("Set %s to %d", oom_adj_path, oom_adj_save); fclose(fp); return; diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c index b6120d0..ba4cea9 100644 --- a/openbsd-compat/realpath.c +++ b/openbsd-compat/realpath.c @@ -33,11 +33,13 @@ #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) +#include #include #include #include #include +#include #include #include @@ -90,7 +92,7 @@ realpath(const char *path, char resolved[PATH_MAX]) */ p = strchr(left, '/'); s = p ? p : left + left_len; - if (s - left >= sizeof(next_token)) { + if (s - left >= (ptrdiff_t)sizeof(next_token)) { errno = ENAMETOOLONG; return (NULL); } @@ -169,7 +171,8 @@ realpath(const char *path, char resolved[PATH_MAX]) */ if (p != NULL) { if (symlink[slen - 1] != '/') { - if (slen + 1 >= sizeof(symlink)) { + if (slen + 1 >= + (ptrdiff_t)sizeof(symlink)) { errno = ENAMETOOLONG; return (NULL); } diff --git a/packet.c b/packet.c index a7727ef..6008c2d 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.212 2015/05/01 07:10:01 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1933,6 +1933,17 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r) cleanup_exit(255); } /* FALLTHROUGH */ + case SSH_ERR_NO_CIPHER_ALG_MATCH: + case SSH_ERR_NO_MAC_ALG_MATCH: + case SSH_ERR_NO_COMPRESS_ALG_MATCH: + case SSH_ERR_NO_KEX_ALG_MATCH: + case SSH_ERR_NO_HOSTKEY_ALG_MATCH: + if (ssh && ssh->kex && ssh->kex->failed_choice) { + fatal("Unable to negotiate with %.200s: %s. " + "Their offer: %s", ssh_remote_ipaddr(ssh), + ssh_err(r), ssh->kex->failed_choice); + } + /* FALLTHROUGH */ default: fatal("%s%sConnection to %.200s: %s", tag != NULL ? tag : "", tag != NULL ? ": " : "", diff --git a/readconf.c b/readconf.c index db7d0bb..1d03bdf 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.237 2015/06/26 05:13:20 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.239 2015/07/30 00:01:34 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -157,6 +157,7 @@ typedef enum { oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, + oPubkeyAcceptedKeyTypes, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -275,6 +276,7 @@ static struct { { "fingerprinthash", oFingerprintHash }, { "updatehostkeys", oUpdateHostkeys }, { "hostbasedkeytypes", oHostbasedKeyTypes }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } @@ -1084,7 +1086,7 @@ parse_int: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (!ciphers_valid(arg)) + if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->ciphers == NULL) @@ -1095,7 +1097,7 @@ parse_int: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (!mac_valid(arg)) + if (!mac_valid(*arg == '+' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->macs == NULL) @@ -1107,7 +1109,7 @@ parse_int: if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (!kex_names_valid(arg)) + if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->kex_algorithms == NULL) @@ -1115,14 +1117,17 @@ parse_int: break; case oHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; +parse_keytypes: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", filename, linenum); - if (!sshkey_names_valid2(arg, 1)) - fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", - filename, linenum, arg ? arg : ""); - if (*activep && options->hostkeyalgorithms == NULL) - options->hostkeyalgorithms = xstrdup(arg); + fatal("%.200s line %d: Missing argument.", + filename, linenum); + if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) + fatal("%s line %d: Bad key types '%s'.", + filename, linenum, arg ? arg : ""); + if (*activep && *charptr == NULL) + *charptr = xstrdup(arg); break; case oProtocol: @@ -1485,16 +1490,11 @@ parse_int: case oHostbasedKeyTypes: charptr = &options->hostbased_key_types; - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", - filename, linenum); - if (!sshkey_names_valid2(arg, 1)) - fatal("%s line %d: Bad key types '%s'.", - filename, linenum, arg ? arg : ""); - if (*activep && *charptr == NULL) - *charptr = xstrdup(arg); - break; + goto parse_keytypes; + + case oPubkeyAcceptedKeyTypes: + charptr = &options->pubkey_key_types; + goto parse_keytypes; case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", @@ -1676,6 +1676,7 @@ initialize_options(Options * options) options->fingerprint_hash = -1; options->update_hostkeys = -1; options->hostbased_key_types = NULL; + options->pubkey_key_types = NULL; } /* @@ -1761,9 +1762,6 @@ fill_default_options(Options * options) /* Selected in ssh_login(). */ if (options->cipher == -1) options->cipher = SSH_CIPHER_NOT_SET; - /* options->ciphers, default set in myproposals.h */ - /* options->macs, default set in myproposals.h */ - /* options->kex_algorithms, default set in myproposals.h */ /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; @@ -1857,8 +1855,14 @@ fill_default_options(Options * options) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; if (options->update_hostkeys == -1) options->update_hostkeys = 0; - if (options->hostbased_key_types == NULL) - options->hostbased_key_types = xstrdup("*"); + if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || + kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || + kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->hostbased_key_types) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->pubkey_key_types) != 0) + fatal("%s: kex_assemble_names failed", __func__); #define CLEAR_ON_NONE(v) \ do { \ diff --git a/readconf.h b/readconf.h index 576b9e3..bb2d552 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.109 2015/02/16 22:13:32 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.110 2015/07/10 06:21:53 markus Exp $ */ /* * Author: Tatu Ylonen @@ -150,7 +150,8 @@ typedef struct { int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ - char *hostbased_key_types; + char *hostbased_key_types; + char *pubkey_key_types; char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 51685dc..3f53922 100755 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,11 +1,32 @@ -# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="certified host keys" rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_* rm -f $OBJ/cert_host_key* $OBJ/host_krl_* + +# Allow all hostkey/pubkey types, prefer certs for the client +types="" +for i in `$SSH -Q key`; do + if [ -z "$types" ]; then + types="$i" + continue + fi + case "$i" in + *cert*) types="$i,$types";; + *) types="$types,$i";; + esac +done +( + echo "HostKeyAlgorithms ${types}" + echo "PubkeyAcceptedKeyTypes *" +) >> $OBJ/ssh_proxy cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +( + echo "HostKeyAlgorithms *" + echo "PubkeyAcceptedKeyTypes *" +) >> $OBJ/sshd_proxy_bak HOSTS='localhost-with-alias,127.0.0.1,::1' @@ -27,13 +48,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` -type_has_legacy() { - case $1 in - ed25519*|ecdsa*) return 1 ;; - esac - return 0 -} - # Prepare certificate, plain key and CA KRLs ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" @@ -61,18 +75,6 @@ for ktype in $PLAIN_TYPES ; do fatal "KRL update failed" cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert serial=`expr $serial + 1` - type_has_legacy $ktype || continue - cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 - cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub - verbose "$tid: sign host ${ktype}_v00 cert" - ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ - -I "regress host key for $USER" \ - -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || - fatal "couldn't sign cert_host_key_${ktype}_v00" - ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \ - $OBJ/cert_host_key_${ktype}_v00-cert.pub || \ - fatal "KRL update failed" - cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert done attempt_connect() { @@ -98,7 +100,7 @@ attempt_connect() { # Basic connect and revocation tests. for privsep in yes no ; do - for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES ; do verbose "$tid: host ${ktype} cert connect privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -133,14 +135,14 @@ done printf '@cert-authority ' printf "$HOSTS " cat $OBJ/host_ca_key.pub - for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES ; do test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" done ) > $OBJ/known_hosts-cert.orig cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert for privsep in yes no ; do - for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES ; do verbose "$tid: host ${ktype} revoked cert privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -169,7 +171,7 @@ done cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert.orig cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert -for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: host ${ktype} revoked cert" ( cat $OBJ/sshd_proxy_bak @@ -198,17 +200,10 @@ test_one() { result=$2 sign_opts=$3 - for kt in rsa rsa_v00 ; do - case $kt in - *_v00) args="-t v00" ;; - *) args="" ;; - esac - - verbose "$tid: host cert connect $ident $kt expect $result" + for kt in rsa ed25519 ; do ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ -I "regress host key for $USER" \ - $sign_opts $args \ - $OBJ/cert_host_key_${kt} || + $sign_opts $OBJ/cert_host_key_${kt} || fail "couldn't sign cert_host_key_${kt}" ( cat $OBJ/sshd_proxy_bak @@ -242,36 +237,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w" test_one "cert has constraints" failure "-h -Oforce-command=false" # Check downgrade of cert to raw key when no CA found -for v in v01 v00 ; do - for ktype in $PLAIN_TYPES ; do - type_has_legacy $ktype || continue - rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* - verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" - # Generate and sign a host key - ${SSHKEYGEN} -q -N '' -t ${ktype} \ - -f $OBJ/cert_host_key_${ktype} || \ - fail "ssh-keygen of cert_host_key_${ktype} failed" - ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ - -I "regress host key for $USER" \ - -n $HOSTS $OBJ/cert_host_key_${ktype} || - fail "couldn't sign cert_host_key_${ktype}" - ( - printf "$HOSTS " - cat $OBJ/cert_host_key_${ktype}.pub - ) > $OBJ/known_hosts-cert - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_${ktype} - echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub - ) > $OBJ/sshd_proxy - - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ - -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ - -F $OBJ/ssh_proxy somehost true - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - done +for ktype in $PLAIN_TYPES ; do + rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* + verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" + # Generate and sign a host key + ${SSHKEYGEN} -q -N '' -t ${ktype} \ + -f $OBJ/cert_host_key_${ktype} || \ + fail "ssh-keygen of cert_host_key_${ktype} failed" + ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${ktype} || + fail "couldn't sign cert_host_key_${ktype}" + ( + printf "$HOSTS " + cat $OBJ/cert_host_key_${ktype}.pub + ) > $OBJ/known_hosts-cert + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${ktype} + echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub + ) > $OBJ/sshd_proxy + + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi done # Wrong certificate @@ -281,33 +273,30 @@ done cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert.orig cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert -for v in v01 v00 ; do - for kt in $PLAIN_TYPES ; do - type_has_legacy $kt || continue - rm -f $OBJ/cert_host_key* - # Self-sign key - ${SSHKEYGEN} -q -N '' -t ${kt} \ - -f $OBJ/cert_host_key_${kt} || \ - fail "ssh-keygen of cert_host_key_${kt} failed" - ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ - -I "regress host key for $USER" \ - -n $HOSTS $OBJ/cert_host_key_${kt} || - fail "couldn't sign cert_host_key_${kt}" - verbose "$tid: host ${kt} connect wrong cert" - ( - cat $OBJ/sshd_proxy_bak - echo HostKey $OBJ/cert_host_key_${kt} - echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub - ) > $OBJ/sshd_proxy - - cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert - ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ - -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ - -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect $ident succeeded unexpectedly" - fi - done +for kt in $PLAIN_TYPES ; do + rm -f $OBJ/cert_host_key* + # Self-sign key + ${SSHKEYGEN} -q -N '' -t ${kt} \ + -f $OBJ/cert_host_key_${kt} || \ + fail "ssh-keygen of cert_host_key_${kt} failed" + ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ + -I "regress host key for $USER" \ + -n $HOSTS $OBJ/cert_host_key_${kt} || + fail "couldn't sign cert_host_key_${kt}" + verbose "$tid: host ${kt} connect wrong cert" + ( + cat $OBJ/sshd_proxy_bak + echo HostKey $OBJ/cert_host_key_${kt} + echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub + ) > $OBJ/sshd_proxy + + cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert + ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ + -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ + -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect $ident succeeded unexpectedly" + fi done rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key* diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index b093a91..c38c00a 100755 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,18 +1,17 @@ -# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ +# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="certified user keys" rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` -type_has_legacy() { - case $1 in - ed25519*|ecdsa*) return 1 ;; - esac - return 0 +kname() { + n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` + echo "$n*,ssh-rsa*,ssh-ed25519*" } # Create a CA key @@ -28,18 +27,11 @@ for ktype in $PLAIN_TYPES ; do ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - type_has_legacy $ktype || continue - cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 - cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub - verbose "$tid: sign host ${ktype}_v00 cert" - ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ - "regress user key for $USER" \ - -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || - fatal "couldn't sign cert_user_key_${ktype}_v00" done # Test explicitly-specified principals -for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES ; do + t=$(kname $ktype) for privsep in yes no ; do _prefix="${ktype} privsep $privsep" @@ -51,7 +43,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do echo "AuthorizedPrincipalsFile " \ "$OBJ/authorized_principals_%u" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + echo "PubkeyAcceptedKeyTypes ${t}" ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" + ) > $OBJ/ssh_proxy # Missing authorized_principals verbose "$tid: ${_prefix} missing authorized_principals" @@ -124,7 +121,12 @@ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do ( cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" + echo "PubkeyAcceptedKeyTypes ${t}" ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" + ) > $OBJ/ssh_proxy # Wrong principals list verbose "$tid: ${_prefix} wrong principals key option" @@ -165,7 +167,8 @@ basic_tests() { extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" fi - for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do + for ktype in $PLAIN_TYPES ; do + t=$(kname $ktype) for privsep in yes no ; do _prefix="${ktype} privsep $privsep $auth" # Simple connect @@ -173,8 +176,13 @@ basic_tests() { ( cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy + ( + cat $OBJ/ssh_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" + ) > $OBJ/ssh_proxy ${SSH} -2i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true @@ -188,6 +196,7 @@ basic_tests() { cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" echo "RevokedKeys $OBJ/cert_user_key_revoked" + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy cp $OBJ/cert_user_key_${ktype}.pub \ @@ -220,6 +229,7 @@ basic_tests() { ( cat $OBJ/sshd_proxy_bak echo "RevokedKeys $OBJ/user_ca_key.pub" + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ @@ -232,6 +242,7 @@ basic_tests() { verbose "$tid: $auth CA does not authenticate" ( cat $OBJ/sshd_proxy_bak + echo "PubkeyAcceptedKeyTypes ${t}" echo "$extra_sshd" ) > $OBJ/sshd_proxy verbose "$tid: ensure CA key does not authenticate user" @@ -257,12 +268,7 @@ test_one() { fi for auth in $auth_choice ; do - for ktype in rsa rsa_v00 ; do - case $ktype in - *_v00) keyv="-t v00" ;; - *) keyv="" ;; - esac - + for ktype in rsa ed25519 ; do cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys @@ -274,6 +280,8 @@ test_one() { echo > $OBJ/authorized_keys_$USER echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \ >> $OBJ/sshd_proxy + echo "PubkeyAcceptedKeyTypes ${t}*" \ + >> $OBJ/sshd_proxy if test "x$auth_opt" != "x" ; then echo $auth_opt >> $OBJ/sshd_proxy fi @@ -282,8 +290,7 @@ test_one() { verbose "$tid: $ident auth $auth expect $result $ktype" ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ -I "regress user key for $USER" \ - $sign_opts $keyv \ - $OBJ/cert_user_key_${ktype} || + $sign_opts $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" ${SSH} -2i $OBJ/cert_user_key_${ktype} \ @@ -335,13 +342,10 @@ test_one "principals key option no principals" failure "" \ # Wrong certificate cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy -for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do - case $ktype in - *_v00) args="-t v00" ;; - *) args="" ;; - esac +for ktype in $PLAIN_TYPES ; do + t=$(kname $ktype) # Self-sign - ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \ + ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ "regress user key for $USER" \ -n $USER $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index a011ec8..094700d 100755 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.5 2015/02/21 20:51:02 djm Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -31,10 +31,11 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts unset SSH_AUTH_SOCK for ps in no yes; do - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy - echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy for k in `${SSH} -Q key-plain` ; do verbose "key type $k privsep=$ps" + cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy + echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy + echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" cp $OBJ/known_hosts.orig $OBJ/known_hosts SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index cde6008..3aa8c40 100755 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="hostkey rotate" @@ -56,7 +56,7 @@ check_key_present ssh-ed25519 || fail "unstrict didn't learn key" # Connect to sshd as usual verbose "learn additional hostkeys" -dossh -oStrictHostKeyChecking=yes +dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs # Check that other keys learned expect_nkeys $nkeys "learn hostkeys" check_key_present ssh-rsa || fail "didn't learn keys" @@ -74,7 +74,7 @@ verbose "learn changed non-primary hostkey" mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old rm -f $OBJ/hkr.ssh-rsa ${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k" -dossh -oStrictHostKeyChecking=yes +dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs # Check that the key was replaced expect_nkeys $nkeys "learn hostkeys" check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" @@ -109,7 +109,7 @@ dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa expect_nkeys 1 "learn hostkeys" check_key_present ssh-rsa || fail "didn't learn changed key" -# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="hostkey rotate" diff --git a/regress/keygen-knownhosts.sh b/regress/keygen-knownhosts.sh index 085aac6..693cd0e 100755 --- a/regress/keygen-knownhosts.sh +++ b/regress/keygen-knownhosts.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-knownhosts.sh,v 1.2 2015/01/27 12:01:36 djm Exp $ +# $OpenBSD: keygen-knownhosts.sh,v 1.3 2015/07/17 03:34:27 djm Exp $ # Placed in the Public Domain. tid="ssh-keygen known_hosts" @@ -57,7 +57,7 @@ check_find() { _name=$2 _keygenopt=$3 ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result - if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then + if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then fail "didn't find $_name" fi } @@ -95,7 +95,7 @@ check_hashed_find() { test "x$_file" = "x" && _file=$OBJ/kh.invalid ${SSHKEYGEN} -f $_file -HF $_host | grep '|1|' | \ sed "s/^[^ ]*/$_host/" > $OBJ/kh.result - if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then + if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then fail "didn't find $_name" fi } @@ -135,47 +135,47 @@ check_hashed_find host-h "find multiple hosts" # Attempt remove key on invalid file. cp $OBJ/kh.invalid.orig $OBJ/kh.invalid ${SSHKEYGEN} -qf $OBJ/kh.invalid -R host-a 2>/dev/null -diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "remove on invalid succeeded" +diff $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "remove on invalid succeeded" # Remove key cp $OBJ/kh.hosts.orig $OBJ/kh.hosts ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-a 2>/dev/null grep -v "^host-a " $OBJ/kh.hosts.orig > $OBJ/kh.expect -diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove simple" +diff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove simple" # Remove CA key cp $OBJ/kh.hosts.orig $OBJ/kh.hosts ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-c 2>/dev/null # CA key should not be removed. -diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove CA" +diff $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove CA" # Remove revoked key cp $OBJ/kh.hosts.orig $OBJ/kh.hosts ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-d 2>/dev/null # revoked key should not be removed. -diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove revoked" +diff $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove revoked" # Remove wildcard cp $OBJ/kh.hosts.orig $OBJ/kh.hosts ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-e.blahblah 2>/dev/null grep -v "^host-e[*] " $OBJ/kh.hosts.orig > $OBJ/kh.expect -diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard" +diff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard" # Remove multiple cp $OBJ/kh.hosts.orig $OBJ/kh.hosts ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-h 2>/dev/null grep -v "^host-f," $OBJ/kh.hosts.orig > $OBJ/kh.expect -diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard" +diff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard" # Attempt hash on invalid file cp $OBJ/kh.invalid.orig $OBJ/kh.invalid ${SSHKEYGEN} -qf $OBJ/kh.invalid -H 2>/dev/null && fail "hash invalid succeeded" -diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "invalid file modified" +diff $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "invalid file modified" # Hash valid file cp $OBJ/kh.hosts.orig $OBJ/kh.hosts ${SSHKEYGEN} -qf $OBJ/kh.hosts -H 2>/dev/null || fail "hash failed" -diff -u $OBJ/kh.hosts.old $OBJ/kh.hosts.orig || fail "backup differs" +diff $OBJ/kh.hosts.old $OBJ/kh.hosts.orig || fail "backup differs" grep "^host-[abfgh]" $OBJ/kh.hosts && fail "original hostnames persist" cp $OBJ/kh.hosts $OBJ/kh.hashed.orig diff --git a/regress/keytype.sh b/regress/keytype.sh index 9752acb..8f69778 100755 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ +# $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -36,14 +36,26 @@ for ut in $ktypes; do htypes=$ut #htypes=$ktypes for ht in $htypes; do + case $ht in + dsa-1024) t=ssh-dss;; + ecdsa-256) t=ecdsa-sha2-nistp256;; + ecdsa-384) t=ecdsa-sha2-nistp384;; + ecdsa-521) t=ecdsa-sha2-nistp521;; + ed25519-512) t=ssh-ed25519;; + rsa-*) t=ssh-rsa;; + esac trace "ssh connect, userkey $ut, hostkey $ht" ( grep -v HostKey $OBJ/sshd_proxy_bak echo HostKey $OBJ/key.$ht + echo PubkeyAcceptedKeyTypes $t + echo HostKeyAlgorithms $t ) > $OBJ/sshd_proxy ( grep -v IdentityFile $OBJ/ssh_proxy_bak echo IdentityFile $OBJ/key.$ut + echo PubkeyAcceptedKeyTypes $t + echo HostKeyAlgorithms $t ) > $OBJ/ssh_proxy ( printf 'localhost-with-alias,127.0.0.1,::1 ' diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9006437..b90a8cf 100755 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -14,15 +14,15 @@ fi # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. -PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" -cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" +PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" +cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF test $? -eq 0 || fatal "couldn't prepare principals command" -$SUDO chmod 0755 "$PRINCIPALS_COMMAND" +$SUDO chmod 0755 "$PRINCIPALS_CMD" # Create a CA key and a user certificate. ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ @@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ fatal "couldn't sign cert_user_key" -# Test explicitly-specified principals -for privsep in yes no ; do - _prefix="privsep $privsep" - - # Setup for AuthorizedPrincipalsCommand - rm -f $OBJ/authorized_keys_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" - echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" - echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" - ) > $OBJ/sshd_proxy - - # XXX test missing command - # XXX test failing command - - # Empty authorized_principals - verbose "$tid: ${_prefix} empty authorized_principals" - echo > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Wrong authorized_principals - verbose "$tid: ${_prefix} wrong authorized_principals" - echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct authorized_principals - verbose "$tid: ${_prefix} correct authorized_principals" - echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # authorized_principals with bad key option - verbose "$tid: ${_prefix} authorized_principals bad key opt" - echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # authorized_principals with command=false - verbose "$tid: ${_prefix} authorized_principals command=false" - echo 'command="false" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - - # authorized_principals with command=true - verbose "$tid: ${_prefix} authorized_principals command=true" - echo 'command="true" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # Setup for principals= key option - rm -f $OBJ/authorized_principals_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" - ) > $OBJ/sshd_proxy - - # Wrong principals list - verbose "$tid: ${_prefix} wrong principals key option" - ( - printf 'cert-authority,principals="gregorsamsa" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct principals list - verbose "$tid: ${_prefix} correct principals key option" - ( - printf 'cert-authority,principals="mekmitasdigoat" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi -done +if [ -x $PRINCIPALS_CMD ]; then + # Test explicitly-specified principals + for privsep in yes no ; do + _prefix="privsep $privsep" + + # Setup for AuthorizedPrincipalsCommand + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedKeysFile none" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" + echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # XXX test missing command + # XXX test failing command + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # authorized_principals with bad key option + verbose "$tid: ${_prefix} authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=false + verbose "$tid: ${_prefix} authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=true + verbose "$tid: ${_prefix} authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +else + echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \ + "(/var/run mounted noexec?)" +fi diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc index c55d00c..7385e2b 100644 --- a/regress/unittests/Makefile.inc +++ b/regress/unittests/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.3 2015/01/23 21:21:23 miod Exp $ +# $OpenBSD: Makefile.inc,v 1.6 2015/07/01 23:11:18 djm Exp $ .include .include diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c index c61e2bd..6e5999b 100644 --- a/regress/unittests/kex/test_kex.c +++ b/regress/unittests/kex/test_kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_kex.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */ +/* $OpenBSD: test_kex.c,v 1.2 2015/07/10 06:23:25 markus Exp $ */ /* * Regress test KEX * @@ -85,6 +85,7 @@ do_kex_with_key(char *kex, int keytype, int bits) struct sshbuf *state; struct kex_params kex_params; char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *keyname = NULL; TEST_START("sshkey_generate"); ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0); @@ -98,6 +99,9 @@ do_kex_with_key(char *kex, int keytype, int bits) memcpy(kex_params.proposal, myproposal, sizeof(myproposal)); if (kex != NULL) kex_params.proposal[PROPOSAL_KEX_ALGS] = kex; + keyname = strdup(sshkey_ssh_name(private)); + ASSERT_PTR_NE(keyname, NULL); + kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0); ASSERT_PTR_NE(client, NULL); @@ -167,6 +171,7 @@ do_kex_with_key(char *kex, int keytype, int bits) ssh_free(client); ssh_free(server); ssh_free(server2); + free(keyname); TEST_DONE(); } diff --git a/regress/unittests/sshkey/mktestdata.sh b/regress/unittests/sshkey/mktestdata.sh index 09165af..e111001 100755 --- a/regress/unittests/sshkey/mktestdata.sh +++ b/regress/unittests/sshkey/mktestdata.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: mktestdata.sh,v 1.4 2015/01/18 19:54:46 djm Exp $ +# $OpenBSD: mktestdata.sh,v 1.5 2015/07/07 14:53:30 markus Exp $ PW=mekmitasdigoat @@ -94,8 +94,8 @@ rm -f rsa1_1_pw rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb -ssh-keygen -t rsa1 -b 768 -C "RSA1 test key #1" -N "" -f rsa1_1 -ssh-keygen -t rsa -b 768 -C "RSA test key #1" -N "" -f rsa_1 +ssh-keygen -t rsa1 -b 1024 -C "RSA1 test key #1" -N "" -f rsa1_1 +ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1 ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1 ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1 ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1 diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c index fa95212..c8a2369 100644 --- a/regress/unittests/sshkey/test_file.c +++ b/regress/unittests/sshkey/test_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_file.c,v 1.3 2015/03/04 23:22:35 djm Exp $ */ +/* $OpenBSD: test_file.c,v 1.4 2015/07/07 14:53:30 markus Exp $ */ /* * Regress test for sshkey.h key management API * @@ -83,7 +83,7 @@ sshkey_file_tests(void) TEST_START("RSA1 key hex fingerprint"); buf = load_text_file("rsa1_1.fp"); - cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -167,7 +167,7 @@ sshkey_file_tests(void) TEST_START("RSA key hex fingerprint"); buf = load_text_file("rsa_1.fp"); - cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -176,7 +176,7 @@ sshkey_file_tests(void) TEST_START("RSA cert hex fingerprint"); buf = load_text_file("rsa_1-cert.fp"); - cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -260,7 +260,7 @@ sshkey_file_tests(void) TEST_START("DSA key hex fingerprint"); buf = load_text_file("dsa_1.fp"); - cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -269,7 +269,7 @@ sshkey_file_tests(void) TEST_START("DSA cert hex fingerprint"); buf = load_text_file("dsa_1-cert.fp"); - cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -360,7 +360,7 @@ sshkey_file_tests(void) TEST_START("ECDSA key hex fingerprint"); buf = load_text_file("ecdsa_1.fp"); - cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -369,7 +369,7 @@ sshkey_file_tests(void) TEST_START("ECDSA cert hex fingerprint"); buf = load_text_file("ecdsa_1-cert.fp"); - cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -427,7 +427,7 @@ sshkey_file_tests(void) TEST_START("Ed25519 key hex fingerprint"); buf = load_text_file("ed25519_1.fp"); - cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); @@ -436,7 +436,7 @@ sshkey_file_tests(void) TEST_START("Ed25519 cert hex fingerprint"); buf = load_text_file("ed25519_1-cert.fp"); - cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64); ASSERT_PTR_NE(cp, NULL); ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); sshbuf_free(buf); diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 4453a85..9b3ce7e 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */ +/* $OpenBSD: test_sshkey.c,v 1.7 2015/08/05 05:27:33 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -288,13 +288,15 @@ sshkey_tests(void) #endif TEST_START("generate KEY_RSA"); - ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 768, &kr), 0); + ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr), + SSH_ERR_INVALID_ARGUMENT); + ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0); ASSERT_PTR_NE(kr, NULL); ASSERT_PTR_NE(kr->rsa, NULL); ASSERT_PTR_NE(kr->rsa->n, NULL); ASSERT_PTR_NE(kr->rsa->e, NULL); ASSERT_PTR_NE(kr->rsa->p, NULL); - ASSERT_INT_EQ(BN_num_bits(kr->rsa->n), 768); + ASSERT_INT_EQ(BN_num_bits(kr->rsa->n), 1024); TEST_DONE(); TEST_START("generate KEY_DSA"); @@ -397,7 +399,7 @@ sshkey_tests(void) TEST_DONE(); TEST_START("equal different keys"); - ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 768, &k1), 0); + ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0); ASSERT_INT_EQ(sshkey_equal(kr, k1), 0); sshkey_free(k1); ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0); @@ -424,7 +426,7 @@ sshkey_tests(void) ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"), &k1, NULL), 0); k2 = get_private("ed25519_2"); - ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0); + ASSERT_INT_EQ(sshkey_to_certified(k1), 0); ASSERT_PTR_NE(k1->cert, NULL); k1->cert->type = SSH2_CERT_TYPE_USER; k1->cert->serial = 1234; diff --git a/regress/unittests/sshkey/testdata/dsa_1 b/regress/unittests/sshkey/testdata/dsa_1 index 3434686..d3f2482 100644 --- a/regress/unittests/sshkey/testdata/dsa_1 +++ b/regress/unittests/sshkey/testdata/dsa_1 @@ -1,12 +1,12 @@ -----BEGIN DSA PRIVATE KEY----- -MIIBuwIBAAKBgQCxBNwH8TmLXqiZa0b9pxC6W+zS4Voqp8S+QwecYpNPTmhjaUYI -E/aJWAzFVtdbysLM89ukvw/z8qBkbMSefdypKmjUtgv51ZD4nfV4Wxb+G+1QExHr -M+kowOOL3XbcsdbPLUt8vxDJbBlQRch4zyai7CWjQR3JFXpR8sevUFJxSQIVAIdE -oncp2DEY2U/ZZnIyGCwApCzfAoGARW+eewZTv1Eosxv3ANKx372pf5+fQKwnWizI -j5z/GY3w3xobRCP9FiL4K3Nip2FvHLTGpRrlfm19RWYAg77VsNgztC4V9C8QrKWc -WJdkUkoQpZ3VoO25rO13hmIelkal3omKCF4ZE/edeF3d2B8DlzYs0aBcjTCMDrub -/CJILcYCgYEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j -4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1 -/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gCFBl7Lc6V -hmTiTuhLXjoRdCZS/p/m +MIIBvAIBAAKBgQD6kutNFRsHTwEAv6d39Lhsqy1apdHBZ9c2HfyRr7WmypyGIy2m +Ka43vzXI8CNwmRSYs+A6d0vJC7Pl+f9QzJ/04NWOA+MiwfurwrR3CRe61QRYb8Py +mcHOxueHs95IcjrbIPNn86cjnPP5qvv/guUzCjuww4zBdJOXpligrGt2XwIVAKMD +/50qQy7j8JaMk+1+Xtg1pK01AoGBAO7l9QVVbSSoy5lq6cOtvpf8UlwOa6+zBwbl +o4gmFd1RwX1yWkA8kQ7RrhCSg8Hc6mIGnKRgKRli/3LgbSfZ0obFJehkRtEWtN4P +h8fVUeS74iQbIwFQeKlYHIlNTRoGtAbdi3nHdV+BBkEQc1V3rjqYqhjOoz/yNsgz +LND26HrdAoGBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31Ufurv22FWPBU3A9qrkxb +OXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMXGIf95LiLSgaXMjko7joo +t+LK84ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9Ycnyhp2mSFsQtAhRYIbQ5 +KfXsZuBPuWe5FJz3ldaEgw== -----END DSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp index b26145b..75ff0e9 100644 --- a/regress/unittests/sshkey/testdata/dsa_1-cert.fp +++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp @@ -1 +1 @@ -MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 +SHA256:kOLgXSoAT8O5T6r36n5NJUYigbux1d7gdH/rmWiJm6s diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.pub b/regress/unittests/sshkey/testdata/dsa_1-cert.pub index 023edf1..e768db1 100644 --- a/regress/unittests/sshkey/testdata/dsa_1-cert.pub +++ b/regress/unittests/sshkey/testdata/dsa_1-cert.pub @@ -1 +1 @@ -ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgj8zueN51MSQ7jW3fFwqyJWA3DycAAavQ8WgMHqcUG7YAAACBALEE3AfxOYteqJlrRv2nELpb7NLhWiqnxL5DB5xik09OaGNpRggT9olYDMVW11vKwszz26S/D/PyoGRsxJ593KkqaNS2C/nVkPid9XhbFv4b7VATEesz6SjA44vddtyx1s8tS3y/EMlsGVBFyHjPJqLsJaNBHckVelHyx69QUnFJAAAAFQCHRKJ3KdgxGNlP2WZyMhgsAKQs3wAAAIBFb557BlO/USizG/cA0rHfval/n59ArCdaLMiPnP8ZjfDfGhtEI/0WIvgrc2KnYW8ctMalGuV+bX1FZgCDvtWw2DO0LhX0LxCspZxYl2RSShClndWg7bms7XeGYh6WRqXeiYoIXhkT9514Xd3YHwOXNizRoFyNMIwOu5v8IkgtxgAAAIEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gAAAAAAAAABgAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2i4NgAAAAAE0d4eAAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEA6qftqozw0ah9PG9obAg8iOPwQv6AsT9t/1G69eArSd9Am85OKIhAvYguI1Xtr9rw78X/Xk+6HtyAOF3QemaQD dsa_1.pub +ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgdTlbNU9Hn9Qng3FHxwH971bxCIoq1ern/QWFFDWXgmYAAACBAPqS600VGwdPAQC/p3f0uGyrLVql0cFn1zYd/JGvtabKnIYjLaYprje/NcjwI3CZFJiz4Dp3S8kLs+X5/1DMn/Tg1Y4D4yLB+6vCtHcJF7rVBFhvw/KZwc7G54ez3khyOtsg82fzpyOc8/mq+/+C5TMKO7DDjMF0k5emWKCsa3ZfAAAAFQCjA/+dKkMu4/CWjJPtfl7YNaStNQAAAIEA7uX1BVVtJKjLmWrpw62+l/xSXA5rr7MHBuWjiCYV3VHBfXJaQDyRDtGuEJKDwdzqYgacpGApGWL/cuBtJ9nShsUl6GRG0Ra03g+Hx9VR5LviJBsjAVB4qVgciU1NGga0Bt2Lecd1X4EGQRBzVXeuOpiqGM6jP/I2yDMs0Pboet0AAACBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31Ufurv22FWPBU3A9qrkxbOXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMXGIf95LiLSgaXMjko7joot+LK84ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9Ycnyhp2mSFsQtAAAAAAAAAAYAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zdDEAAAAFaG9zdDIAAAAANowB8AAAAABNHmBwAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQAAAFMAAAALc3NoLWVkMjU1MTkAAABAh/z1LIdNL1b66tQ8t9DY9BTB3BQKpTKmc7ezyFKLwl96yaIniZwD9Ticdbe/8i/Li3uCFE3EAt8NAIv9zff8Bg== DSA test key #1 diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp index b26145b..75ff0e9 100644 --- a/regress/unittests/sshkey/testdata/dsa_1.fp +++ b/regress/unittests/sshkey/testdata/dsa_1.fp @@ -1 +1 @@ -MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 +SHA256:kOLgXSoAT8O5T6r36n5NJUYigbux1d7gdH/rmWiJm6s diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp.bb b/regress/unittests/sshkey/testdata/dsa_1.fp.bb index 07dd9b4..ba37776 100644 --- a/regress/unittests/sshkey/testdata/dsa_1.fp.bb +++ b/regress/unittests/sshkey/testdata/dsa_1.fp.bb @@ -1 +1 @@ -xosat-baneh-gocad-relek-kepur-mibip-motog-bykyb-hisug-mysus-tuxix +xetag-todiz-mifah-torec-mynyv-cyvit-gopon-pygag-rupic-cenav-bexax diff --git a/regress/unittests/sshkey/testdata/dsa_1.param.g b/regress/unittests/sshkey/testdata/dsa_1.param.g index 4b09f6d..e51c3f9 100644 --- a/regress/unittests/sshkey/testdata/dsa_1.param.g +++ b/regress/unittests/sshkey/testdata/dsa_1.param.g @@ -1 +1 @@ -456f9e7b0653bf5128b31bf700d2b1dfbda97f9f9f40ac275a2cc88f9cff198df0df1a1b4423fd1622f82b7362a7616f1cb4c6a51ae57e6d7d45660083bed5b0d833b42e15f42f10aca59c589764524a10a59dd5a0edb9aced7786621e9646a5de898a085e1913f79d785dddd81f0397362cd1a05c8d308c0ebb9bfc22482dc6 +00eee5f505556d24a8cb996ae9c3adbe97fc525c0e6bafb30706e5a3882615dd51c17d725a403c910ed1ae109283c1dcea62069ca460291962ff72e06d27d9d286c525e86446d116b4de0f87c7d551e4bbe2241b23015078a9581c894d4d1a06b406dd8b79c7755f81064110735577ae3a98aa18cea33ff236c8332cd0f6e87add diff --git a/regress/unittests/sshkey/testdata/dsa_1.param.priv b/regress/unittests/sshkey/testdata/dsa_1.param.priv index 2dd737c..4f74331 100644 --- a/regress/unittests/sshkey/testdata/dsa_1.param.priv +++ b/regress/unittests/sshkey/testdata/dsa_1.param.priv @@ -1 +1 @@ -197b2dce958664e24ee84b5e3a11742652fe9fe6 +5821b43929f5ec66e04fb967b9149cf795d68483 diff --git a/regress/unittests/sshkey/testdata/dsa_1.param.pub b/regress/unittests/sshkey/testdata/dsa_1.param.pub index b23d720..ba0313b 100644 --- a/regress/unittests/sshkey/testdata/dsa_1.param.pub +++ b/regress/unittests/sshkey/testdata/dsa_1.param.pub @@ -1 +1 @@ -00809b7d8de7c6422e1297917c8778d8a39d8bca013cb0d632bab12530a566ca1152289d487e2f63e21369da3673bbb8e96568589dd5283da1ba81b441edf2f7a79927951a373f60f39ddeaee8d01d86b003596f895fd9f5fc430a52fd21f2b44523fddbf516351d55730501fb577b0d27a89e907f09a8ecb596208c68cca5c388 +00e757a727e6a1b10168ea9902ebe08f53f4ba18c6d8fdf551fbabbf6d8558f054dc0f6aae4c5b397c04d0bc2f8c2bebb1057f96b621273fed8b2b38d1579a86e956644e520073171887fde4b88b4a0697323928ee3a28b7e2caf3896d2f29b067840c9d88e765249c95fd54bb240c714b5bdf8f88d2ef58727ca1a7699216c42d diff --git a/regress/unittests/sshkey/testdata/dsa_1.pub b/regress/unittests/sshkey/testdata/dsa_1.pub index 8968197..41cae2f 100644 --- a/regress/unittests/sshkey/testdata/dsa_1.pub +++ b/regress/unittests/sshkey/testdata/dsa_1.pub @@ -1 +1 @@ -ssh-dss AAAAB3NzaC1kc3MAAACBALEE3AfxOYteqJlrRv2nELpb7NLhWiqnxL5DB5xik09OaGNpRggT9olYDMVW11vKwszz26S/D/PyoGRsxJ593KkqaNS2C/nVkPid9XhbFv4b7VATEesz6SjA44vddtyx1s8tS3y/EMlsGVBFyHjPJqLsJaNBHckVelHyx69QUnFJAAAAFQCHRKJ3KdgxGNlP2WZyMhgsAKQs3wAAAIBFb557BlO/USizG/cA0rHfval/n59ArCdaLMiPnP8ZjfDfGhtEI/0WIvgrc2KnYW8ctMalGuV+bX1FZgCDvtWw2DO0LhX0LxCspZxYl2RSShClndWg7bms7XeGYh6WRqXeiYoIXhkT9514Xd3YHwOXNizRoFyNMIwOu5v8IkgtxgAAAIEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4g= DSA test key #1 +ssh-dss AAAAB3NzaC1kc3MAAACBAPqS600VGwdPAQC/p3f0uGyrLVql0cFn1zYd/JGvtabKnIYjLaYprje/NcjwI3CZFJiz4Dp3S8kLs+X5/1DMn/Tg1Y4D4yLB+6vCtHcJF7rVBFhvw/KZwc7G54ez3khyOtsg82fzpyOc8/mq+/+C5TMKO7DDjMF0k5emWKCsa3ZfAAAAFQCjA/+dKkMu4/CWjJPtfl7YNaStNQAAAIEA7uX1BVVtJKjLmWrpw62+l/xSXA5rr7MHBuWjiCYV3VHBfXJaQDyRDtGuEJKDwdzqYgacpGApGWL/cuBtJ9nShsUl6GRG0Ra03g+Hx9VR5LviJBsjAVB4qVgciU1NGga0Bt2Lecd1X4EGQRBzVXeuOpiqGM6jP/I2yDMs0Pboet0AAACBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31Ufurv22FWPBU3A9qrkxbOXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMXGIf95LiLSgaXMjko7joot+LK84ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9Ycnyhp2mSFsQt DSA test key #1 diff --git a/regress/unittests/sshkey/testdata/dsa_1_pw b/regress/unittests/sshkey/testdata/dsa_1_pw index 1402153..24c7303 100644 --- a/regress/unittests/sshkey/testdata/dsa_1_pw +++ b/regress/unittests/sshkey/testdata/dsa_1_pw @@ -1,15 +1,15 @@ -----BEGIN DSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,9E668E24E7B9D658E3E7D0446B32B376 +DEK-Info: AES-128-CBC,BC8386C373B22EB7F00ADC821D5D8BE9 -hDjDLbfCAQutblxLuyNzSLxISSgXTgyzq8St9GE0lUtEc7i0xGNWwoWpFSbtD9y1 -yTG5UkhATQt56SY1ABfXZ21wieYuEEQeSJi0gwUQNNt2SwwITx4EdzDedWiHjikt -jbzH3v33agp/odw2X9wY6zu75y9CeW9o7SszRl286DliWIHJmhMlbb8r7jRqu62H -s5YYxD0xS1ipWauxklmIXMWNZHcARo8ZiJOuNdLshrSrl8DUW9P6F89FvxclQzKr -44u3OBm7KbgPvPURDFLgNP6uCGBjzHvhHTpzVBxmQzCl3aGgsTKXiwJ1eupNjntB -ji0EnbznvoxR6qhXxw/WQ+MnWlWqTXka/2qaB6m3oJv+Zn7cPCJ5kvHnhr2JmNMl -igTh4Ov4LZLyNgO0Lbec4KyxW9QInRV5CY4Pu5lhqHteiPmOIGMWFtuh8Bb8Kg2q -VvXnPo5I3FjqV7UhDduO1Wn558sBZWQPqRbHVPN6wXJuM3HGkBl+aNjn0qddv9tr -VFJd/xdly2Ne81g3CB8jysE+3WEOrV9kdybocp/EhSOzP4i6pjWlyWdR5+CgbvRm -TUIeIaQbmPIB5251o5YK+Q== ++HDV2DQ09sxrIAeXTz9r3YFuPRa2hk1+NGcr3ETkXbC6KiZ14wpTnGTloKwaQjIW +eXTa9mpCOWAoohgvsVb+hOuOlP7AfeHu1IXV4EAS+GDpkiV5UxlCXXwqlD75Buu4 +wwDd/p4SWzILH3WGjDk5JIXoxWNY13LHwC7Q6gtGJx4AicUG7YBRTXMIBDa/Kh77 +6o2rFETKmp4VHBvHbakmiETfptdM8bbWxKWeY2vakThyESgeofsLoTOQCIwlEfJC +s2D/KYL65C8VbHYgIoSLTQnooO45DDyxIuhCqP+H23mhv9vB1Od3nc2atgHj/XFs +dcOPFkF/msDRYqxY3V0AS6+jpKwFodZ7g/hyGcyPxOkzlJVuKoKuH6P5PyQ69Gx0 +iqri0xEPyABr7kGlXNrjjctojX+B4WwSnjg/2euXXWFXCRalIdA7ErATTiQbGOx7 +Vd6Gn8PZbSy1MkqEDrZRip0pfAFJYI/8GXPC75BpnRsrVlfhtrngbW+kBP35LzaN +l2K+RQ3gSB3iFoqNb1Kuu6T5MZlyVl5H2dVlJSeb1euQ2OycXdDoFTyJ4AiyWS7w +Vlh8zeJnso5QRDjMwx99pZilbbuFGSLsahiGEveFc6o= -----END DSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/dsa_2 b/regress/unittests/sshkey/testdata/dsa_2 index b189dc8..3cc9631 100644 --- a/regress/unittests/sshkey/testdata/dsa_2 +++ b/regress/unittests/sshkey/testdata/dsa_2 @@ -1,12 +1,12 @@ -----BEGIN DSA PRIVATE KEY----- -MIIBuwIBAAKBgQDoMxCTyBnLPSO7CRU3RyfJLANLKBZ3/LdcsyNaARctaRA5gzRb -XdTFFU+rWKfxv+otm0KyCOepLtWy8tjKRYb7Ni46USlGwtM0Adx/3vR4iWNfipDP -K2V4O97JyMe3wsbF7siC01U4b8Ki+J44iFG9nuRnOTHqUWI615mraQRwlQIVAMsX -nsPGH8QrU11F1ScAIfZC165dAoGACCXyOHFkxABpJDtJs6AE7Hl3XjI4dnlim/XH -Y60W6gcO7gHSE2r2ljCubJqoUXmxd5mLKgnu91jIG/4URwDM4V7pb2k99sXpAi8I -L52eQl88C0bRD9+lEJfR4PMT39EccDRPB4+E055RoYQZ/McIyad8sF3Qwt084Eq+ -IkUt2coCgYEAxZRpCY82sM9Mu4B0EcH6O8seRqIRScmelljhUtKxuvf2PChwIWkR -HK9lORHBE3iKyurC5Muf3abuHKwMFjrOjHKOTqXBRrDZ7RgLQA0aUAQD3lWc9OTP -NShjphpq5xr0HZB31eJg3/Mo6KxYlRpzMXbTyenZP0XLICSSAywvTDoCFG5whl2k -Y2FLGfi9V6ylUVH6jKgE +MIIBvQIBAAKBgQCbyPXNdHeLsjpobPVCMkfagBkt15Zsltqf/PGNP1y1cuz7rsTX +ZekQwUkSTNm5coqXe+ZOw2O4tjobJDd60I1/VPgaB0NYlQR9Hn87M284WD4f6VY+ +aunHmP134a8ybG5G4NqVNF3ihvxAR2pVITqb7kE46r2uYZNcNlHI8voRCwIVAMcP +bwqFNsQbH5pJyZW30wj4KVZ3AoGBAIK98BVeKQVf8qDFqx9ovMuNgVSxpd+N0Yta +5ZEy1OI2ziu5RhjueIM2K7Gq2Mnp38ob1AM53BUxqlcBJaHEDa6rj6yvuMgW9oCJ +dImBM8sIFxfBbXNbpJiMaDwa6WyT84OkpDE6uuAepTMnWOUWkUVkAiyokHDUGXkG +GyoQblbXAoGBAIsf7TaZ804sUWwRV0wI8DYx+hxD5QdrfYPYMtL2fHn3lICimGt0 +FTtUZ25jKg0E0DMBPdET6ZEHB3ZZkR8hFoUzZhdnyJMu3UjVtgaV88Ue3PrXxchk +0W2jHPaAgQU3JIWzo8HFIFqvC/HEL+EyW3rBTY2uXM3XGI+YcWSA4ZrZAhUAsY2f +bDFNzgZ4DaZ9wLRzTgOswPU= -----END DSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp index 8226574..51fbeb4 100644 --- a/regress/unittests/sshkey/testdata/dsa_2.fp +++ b/regress/unittests/sshkey/testdata/dsa_2.fp @@ -1 +1 @@ -MD5:72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a +SHA256:ecwhWcXgpdBxZ2e+OjpRRY7dqXHHCD62BGtoVQQBwCk diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp.bb b/regress/unittests/sshkey/testdata/dsa_2.fp.bb index 37a5221..4d908ee 100644 --- a/regress/unittests/sshkey/testdata/dsa_2.fp.bb +++ b/regress/unittests/sshkey/testdata/dsa_2.fp.bb @@ -1 +1 @@ -xesoh-mebaf-feced-lenuz-sicam-pevok-bosak-nogaz-ligen-fekef-fixex +xeser-megad-pocan-rozit-belup-tapoh-fapif-kyvit-vonav-cehab-naxax diff --git a/regress/unittests/sshkey/testdata/dsa_2.pub b/regress/unittests/sshkey/testdata/dsa_2.pub index 6ed2736..77bb555 100644 --- a/regress/unittests/sshkey/testdata/dsa_2.pub +++ b/regress/unittests/sshkey/testdata/dsa_2.pub @@ -1 +1 @@ -ssh-dss AAAAB3NzaC1kc3MAAACBAOgzEJPIGcs9I7sJFTdHJ8ksA0soFnf8t1yzI1oBFy1pEDmDNFtd1MUVT6tYp/G/6i2bQrII56ku1bLy2MpFhvs2LjpRKUbC0zQB3H/e9HiJY1+KkM8rZXg73snIx7fCxsXuyILTVThvwqL4njiIUb2e5Gc5MepRYjrXmatpBHCVAAAAFQDLF57Dxh/EK1NdRdUnACH2QteuXQAAAIAIJfI4cWTEAGkkO0mzoATseXdeMjh2eWKb9cdjrRbqBw7uAdITavaWMK5smqhRebF3mYsqCe73WMgb/hRHAMzhXulvaT32xekCLwgvnZ5CXzwLRtEP36UQl9Hg8xPf0RxwNE8Hj4TTnlGhhBn8xwjJp3ywXdDC3TzgSr4iRS3ZygAAAIEAxZRpCY82sM9Mu4B0EcH6O8seRqIRScmelljhUtKxuvf2PChwIWkRHK9lORHBE3iKyurC5Muf3abuHKwMFjrOjHKOTqXBRrDZ7RgLQA0aUAQD3lWc9OTPNShjphpq5xr0HZB31eJg3/Mo6KxYlRpzMXbTyenZP0XLICSSAywvTDo= DSA test key #2 +ssh-dss AAAAB3NzaC1kc3MAAACBAJvI9c10d4uyOmhs9UIyR9qAGS3XlmyW2p/88Y0/XLVy7PuuxNdl6RDBSRJM2blyipd75k7DY7i2OhskN3rQjX9U+BoHQ1iVBH0efzszbzhYPh/pVj5q6ceY/XfhrzJsbkbg2pU0XeKG/EBHalUhOpvuQTjqva5hk1w2Ucjy+hELAAAAFQDHD28KhTbEGx+aScmVt9MI+ClWdwAAAIEAgr3wFV4pBV/yoMWrH2i8y42BVLGl343Ri1rlkTLU4jbOK7lGGO54gzYrsarYyenfyhvUAzncFTGqVwElocQNrquPrK+4yBb2gIl0iYEzywgXF8Ftc1ukmIxoPBrpbJPzg6SkMTq64B6lMydY5RaRRWQCLKiQcNQZeQYbKhBuVtcAAACBAIsf7TaZ804sUWwRV0wI8DYx+hxD5QdrfYPYMtL2fHn3lICimGt0FTtUZ25jKg0E0DMBPdET6ZEHB3ZZkR8hFoUzZhdnyJMu3UjVtgaV88Ue3PrXxchk0W2jHPaAgQU3JIWzo8HFIFqvC/HEL+EyW3rBTY2uXM3XGI+YcWSA4ZrZ DSA test key #2 diff --git a/regress/unittests/sshkey/testdata/dsa_n b/regress/unittests/sshkey/testdata/dsa_n index 3434686..d3f2482 100644 --- a/regress/unittests/sshkey/testdata/dsa_n +++ b/regress/unittests/sshkey/testdata/dsa_n @@ -1,12 +1,12 @@ -----BEGIN DSA PRIVATE KEY----- -MIIBuwIBAAKBgQCxBNwH8TmLXqiZa0b9pxC6W+zS4Voqp8S+QwecYpNPTmhjaUYI -E/aJWAzFVtdbysLM89ukvw/z8qBkbMSefdypKmjUtgv51ZD4nfV4Wxb+G+1QExHr -M+kowOOL3XbcsdbPLUt8vxDJbBlQRch4zyai7CWjQR3JFXpR8sevUFJxSQIVAIdE -oncp2DEY2U/ZZnIyGCwApCzfAoGARW+eewZTv1Eosxv3ANKx372pf5+fQKwnWizI -j5z/GY3w3xobRCP9FiL4K3Nip2FvHLTGpRrlfm19RWYAg77VsNgztC4V9C8QrKWc -WJdkUkoQpZ3VoO25rO13hmIelkal3omKCF4ZE/edeF3d2B8DlzYs0aBcjTCMDrub -/CJILcYCgYEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j -4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1 -/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gCFBl7Lc6V -hmTiTuhLXjoRdCZS/p/m +MIIBvAIBAAKBgQD6kutNFRsHTwEAv6d39Lhsqy1apdHBZ9c2HfyRr7WmypyGIy2m +Ka43vzXI8CNwmRSYs+A6d0vJC7Pl+f9QzJ/04NWOA+MiwfurwrR3CRe61QRYb8Py +mcHOxueHs95IcjrbIPNn86cjnPP5qvv/guUzCjuww4zBdJOXpligrGt2XwIVAKMD +/50qQy7j8JaMk+1+Xtg1pK01AoGBAO7l9QVVbSSoy5lq6cOtvpf8UlwOa6+zBwbl +o4gmFd1RwX1yWkA8kQ7RrhCSg8Hc6mIGnKRgKRli/3LgbSfZ0obFJehkRtEWtN4P +h8fVUeS74iQbIwFQeKlYHIlNTRoGtAbdi3nHdV+BBkEQc1V3rjqYqhjOoz/yNsgz +LND26HrdAoGBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31Ufurv22FWPBU3A9qrkxb +OXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMXGIf95LiLSgaXMjko7joo +t+LK84ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9Ycnyhp2mSFsQtAhRYIbQ5 +KfXsZuBPuWe5FJz3ldaEgw== -----END DSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/dsa_n_pw b/regress/unittests/sshkey/testdata/dsa_n_pw index 42f70dd..24ac299 100644 --- a/regress/unittests/sshkey/testdata/dsa_n_pw +++ b/regress/unittests/sshkey/testdata/dsa_n_pw @@ -1,22 +1,21 @@ -----BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABD5nB+Nkw -LNoPtAG7C3IdXmAAAAEAAAAAEAAAGyAAAAB3NzaC1kc3MAAACBALEE3AfxOYteqJlrRv2n -ELpb7NLhWiqnxL5DB5xik09OaGNpRggT9olYDMVW11vKwszz26S/D/PyoGRsxJ593KkqaN -S2C/nVkPid9XhbFv4b7VATEesz6SjA44vddtyx1s8tS3y/EMlsGVBFyHjPJqLsJaNBHckV -elHyx69QUnFJAAAAFQCHRKJ3KdgxGNlP2WZyMhgsAKQs3wAAAIBFb557BlO/USizG/cA0r -Hfval/n59ArCdaLMiPnP8ZjfDfGhtEI/0WIvgrc2KnYW8ctMalGuV+bX1FZgCDvtWw2DO0 -LhX0LxCspZxYl2RSShClndWg7bms7XeGYh6WRqXeiYoIXhkT9514Xd3YHwOXNizRoFyNMI -wOu5v8IkgtxgAAAIEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j -4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1/EMKUv -0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gAAAHw8P1DtkBulOGv85qf -P+md2+LL+NKufVzHl9k2UKQFjeqY6uqs4HSDqvhXe7oiXd5mz6I7orxjtKU9hGjNF4ABUD -OawVGe/GCRUQ4WgpAgDnqQLeFcdIwtMSIrRZU6xjs314EI7TM7IIiG26JEuXDfZI1e7C3y -Cc38ZsP3zmg/UjgcCQar5c4n++vhOmeO36+fcUyZ1QlR05SaEtFYJA+otP3RmKTiDwob8Q -zRMr8Y57i2NTTtFjkmnnnQCibP62yz7N22Dve7RTOH8jiaW7p02Vn/6WmCarevN1rxtLLR -lkuWtPoKY8z/Ktcev8YE9f2+9H2TfXDRKYqIEfxgZLCJ4yP2gxDe6zurabS0hAO1CP+ej5 -htdJM3/rTqHAIevXX5uhIDmMvRHnLGldaIX1xux8TIJvSfMkYNIwscIP4kx7BGMk04vXtW -5DLm6IZhzw9T3hjr8R0kBugmT6/h9vD5iN1D+wiHIhHYzQKMU9nOeFNsMBFWgJjU0l8VlF -gEjEMgAEfwynnmIoKB1iA/0em1tdU3naS59DBK+buE0trxUpTAAB5z8yPhAm6DdqrPE8cA -N3HlMoWrbCuak2A0uyOlEJjPg4UJUnv12ve2c9pAMsAu/4CAszCEM0prR+qd/RA4nn4M5u -Xrny2wNtt/DybCkA== +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABCVs+LsMJ +wnB5zM9U9pTXrGAAAAEAAAAAEAAAGzAAAAB3NzaC1kc3MAAACBAPqS600VGwdPAQC/p3f0 +uGyrLVql0cFn1zYd/JGvtabKnIYjLaYprje/NcjwI3CZFJiz4Dp3S8kLs+X5/1DMn/Tg1Y +4D4yLB+6vCtHcJF7rVBFhvw/KZwc7G54ez3khyOtsg82fzpyOc8/mq+/+C5TMKO7DDjMF0 +k5emWKCsa3ZfAAAAFQCjA/+dKkMu4/CWjJPtfl7YNaStNQAAAIEA7uX1BVVtJKjLmWrpw6 +2+l/xSXA5rr7MHBuWjiCYV3VHBfXJaQDyRDtGuEJKDwdzqYgacpGApGWL/cuBtJ9nShsUl +6GRG0Ra03g+Hx9VR5LviJBsjAVB4qVgciU1NGga0Bt2Lecd1X4EGQRBzVXeuOpiqGM6jP/ +I2yDMs0Pboet0AAACBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31Ufurv22FWPBU3A9qrkxb +OXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMXGIf95LiLSgaXMjko7joot+LK84 +ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9Ycnyhp2mSFsQtAAAB4HiOcRW4w+sIqBL0 +TPVbf0glN1hUi0rcE63Pqxmvxb8LkldC4IxAUagPrjhNAEW2AY42+CvPrtGB1z7gDADAIW +xZX6wKwIcXP0Qh+xHE12F4u6mwfasssnAp4t1Ki8uCjMjnimgb3KdWpp0kiUV0oR062TXV +PAdfrWjaq4fw0KOqbHIAG/v36AqzuqjSTfDbqvLZM3y0gp2Q1RxaQVJA5ZIKKyqRyFX7sr +BaEIyCgeE3hM0EB7BycY1oIcS/eNxrACBWVJCENl5N7LtEYXNX7TANFniztfXzwaqGTT6A +fCfbW4gz1UKldLUBzbIrPwMWlirAstbHvOf/2Iay2pNAs/SHhI0aF2jsGfvv5/D6N+r9dG +B2SgDKBg7pywMH1DTvg6YT3P4GjCx0GUHqRCFLvD1rDdk4KSjvaRMpVq1PJ0/Wv6UGtsMS +TR0PaEHDRNZqAX4YxqujnWrGKuRJhuz0eUvp7fZvbWHtiAMKV7368kkeUmkOHanb+TS+zs +KINX8ev8zJZ6WVr8Vl+IQavpv0i2bXwS6QqbEuifpv/+uBb7pqRiU4u8en0eMdX1bZoTPM +R6xHCnGD/Jpb3zS91Ya57T6CiXZ12KCaL6nWGnCkZVpzkfJ2HjFklWSWBQ6uyaosDQ== -----END OPENSSH PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ecdsa_1 b/regress/unittests/sshkey/testdata/ecdsa_1 index aec73dd..80382b6 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1 +++ b/regress/unittests/sshkey/testdata/ecdsa_1 @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIFghsFR1K95tz8qOl3+tX6fv8a/O6AfNbxOSFZX3ihxooAoGCCqGSM49 -AwEHoUQDQgAEalpgP0BOePHtTw0Pus4tdhTb8P9yWUZluvLf1D8vrHImT+G4vr/W -xo5iXGKQVEifuUVyLkAW2kDrq8J/szeRiQ== +MHcCAQEEIPPNyUAnjvFr+eT/7t/IyjuQQd/aLFiTY92LB9gIjyrMoAoGCCqGSM49 +AwEHoUQDQgAEDFlblkOrW9ydKVhtM+9AY3c9saBE7SG3lFx38nBavkADDaI9jh3/ +kvG/Jt9vpm22qwoklTCGDfzCkXkIKaWlBw== -----END EC PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp index c3d747a..e48304f 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp +++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp @@ -1 +1 @@ -MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 +SHA256:8ty77fOpABat1y88aNdclQTfU+lVvWe7jYZGw8VYtfg diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub b/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub index 29b06a4..55e2a25 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub +++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub @@ -1 +1 @@ -ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgjpoHehzmM54xz776HOiTOLPhkOwSWyXOMYeqDhDEcLgAAAAIbmlzdHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYlxikFRIn7lFci5AFtpA66vCf7M3kYkAAAAAAAAABwAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2i4NgAAAAAE0d4eAAAAAAAAAAAAAAAAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYlxikFRIn7lFci5AFtpA66vCf7M3kYkAAABjAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABIAAAAIFZM1PXlXf0a3VuGs7MVdWSealDXprT1nN5hQTg+m+EYAAAAIGN1yNXWEY5V315NhOD3mBuh/xCpfDn5rZjF4YntA7du ecdsa_1.pub +ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgOtFRnMigkGliaYfPmX5IidVWfV3tRH6lqRXv0l8bvKoAAAAIbmlzdHAyNTYAAABBBAxZW5ZDq1vcnSlYbTPvQGN3PbGgRO0ht5Rcd/JwWr5AAw2iPY4d/5Lxvybfb6ZttqsKJJUwhg38wpF5CCmlpQcAAAAAAAAABwAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2jAHwAAAAAE0eYHAAAAAAAAAAAAAAAAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxZW5ZDq1vcnSlYbTPvQGN3PbGgRO0ht5Rcd/JwWr5AAw2iPY4d/5Lxvybfb6ZttqsKJJUwhg38wpF5CCmlpQcAAABkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAIHbxGwTnue7KxhHXGFvRcxBnekhQ3Qx84vV/Vs4oVCrpAAAAIQC7vk2+d14aS7td7kVXLQn392oALjEBzMZoDvT1vT/zOA== ECDSA test key #1 diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp index c3d747a..e48304f 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1.fp +++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp @@ -1 +1 @@ -MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 +SHA256:8ty77fOpABat1y88aNdclQTfU+lVvWe7jYZGw8VYtfg diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb b/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb index f01a5dd..fa23c33 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb +++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb @@ -1 +1 @@ -xotah-hecal-zibyb-nadug-romuc-hator-venum-hobip-ruluh-ripus-naxix +xibah-vocun-sogyn-byhen-rivem-hegyh-luneh-dozyr-vatyf-dufid-myxyx diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.param.priv b/regress/unittests/sshkey/testdata/ecdsa_1.param.priv index 3475f1f..dc908ad 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1.param.priv +++ b/regress/unittests/sshkey/testdata/ecdsa_1.param.priv @@ -1 +1 @@ -5821b054752bde6dcfca8e977fad5fa7eff1afcee807cd6f13921595f78a1c68 +00f3cdc940278ef16bf9e4ffeedfc8ca3b9041dfda2c589363dd8b07d8088f2acc diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.param.pub b/regress/unittests/sshkey/testdata/ecdsa_1.param.pub index 11847a3..71c9584 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1.param.pub +++ b/regress/unittests/sshkey/testdata/ecdsa_1.param.pub @@ -1 +1 @@ -046a5a603f404e78f1ed4f0d0fbace2d7614dbf0ff72594665baf2dfd43f2fac72264fe1b8bebfd6c68e625c629054489fb945722e4016da40ebabc27fb3379189 +040c595b9643ab5bdc9d29586d33ef4063773db1a044ed21b7945c77f2705abe40030da23d8e1dff92f1bf26df6fa66db6ab0a249530860dfcc291790829a5a507 diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.pub b/regress/unittests/sshkey/testdata/ecdsa_1.pub index eca1620..84a71f9 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1.pub +++ b/regress/unittests/sshkey/testdata/ecdsa_1.pub @@ -1 +1 @@ -ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYlxikFRIn7lFci5AFtpA66vCf7M3kYk= ECDSA test key #1 +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxZW5ZDq1vcnSlYbTPvQGN3PbGgRO0ht5Rcd/JwWr5AAw2iPY4d/5Lxvybfb6ZttqsKJJUwhg38wpF5CCmlpQc= ECDSA test key #1 diff --git a/regress/unittests/sshkey/testdata/ecdsa_1_pw b/regress/unittests/sshkey/testdata/ecdsa_1_pw index 071154a..5c83a65 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_1_pw +++ b/regress/unittests/sshkey/testdata/ecdsa_1_pw @@ -1,8 +1,8 @@ -----BEGIN EC PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,74C8AEA5BFAFCC2B1C8B13DE671F5610 +DEK-Info: AES-128-CBC,7BA38DE00F67851E4207216809C3BB15 -vUsgOvCqezxPmcZcFqrSy9Y1MMlVguY0h9cfSPFC7gUrRr+45uCOYX5bOwEXecKn -/9uCXZtlBwwqDS9iK5IPoUrjEHvzI5rVbHWUxDrEOVbsfiDuCxrQM19It6QIqC1v -OSQEdXuBWR5WmhKNc3dqLbWsU8u2s60YwKQmZrj9nM4= +8QkFoZHQkj9a2mt032sp+WKaJ1fwteqWDd4RpAW9OzDgqzMx1QO43qJgBDTfhzjt +M2Q8YfiGjfBEYpg4kCbacfcV68DEV4z6Ll7rIzzzO7OfWUNL++brD64vKx4z6f46 ++sn4nbZTXilpkzi/nmPDVzrNmTSywA8T7Yf0QcBUxks= -----END EC PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ecdsa_2 b/regress/unittests/sshkey/testdata/ecdsa_2 index 76ae07a..0f4e844 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_2 +++ b/regress/unittests/sshkey/testdata/ecdsa_2 @@ -1,7 +1,7 @@ -----BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIBg4kVxUfoo/RE/78/QBRqG6PZuHZ82eLnhmZVzBa7XREUiYI/Jw7r -Qwp4FTBVfXL76Pt5AyBMf+52aVeOUlLRERSgBwYFK4EEACOhgYkDgYYABACNTJ5O -uNo5dNgIQRLHzKU91m7immKFiutJ6BlDbkRkKr+Envj13J6HOgYvOTm0n7SPlKHS -STZ4/T36d/rzQOAbIwEnbbwD9HMj6IzE4WH9lJzH7Zy7Tcyu6dOM8L7nOxCp3DUk -F3aAnPSFJhD7NN0jBWOFsD6uy1OmaTklPfRAnCt1MQ== +MIHcAgEBBEIBqBtN7e6Essd3dlsgISViPCXXC0atlNkGtoMgSQdBTKVUfeJOi4lc +RZaXJdXnqWUqI/KEsH8h8QN4YcB8ugmAcc+gBwYFK4EEACOhgYkDgYYABAHZ2VNy +oDedBwqsdzY+kkNptc9DrtRCVmO6cULLj+691MhItqVqTMJbTFlI4MnAg9PoGTF/ +0KmLJfy8vSffXGKqqwGKcFNtd1XCo+7Qu9tXbxron9g6Dmu7y8jaLkixcwZwnwLs +6GmA9qZGuiAfOGV0Gf9/u98sr+vikOa4Ow5JFDTw5g== -----END EC PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp index fe7526b..581e48a 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_2.fp +++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp @@ -1 +1 @@ -MD5:51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70 +SHA256:ed8YniRHA6qCrErCRnzrWxPHxYuA62a+CAFYUVxJgaI diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb b/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb index 267bc63..e1cc664 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb +++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb @@ -1 +1 @@ -xuzaz-zuzuk-virop-vypah-zumel-gylak-selih-fevad-varag-zynif-haxox +xufag-danul-putub-mokin-pugaz-covid-dofag-nihuz-sysab-genar-zaxyx diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.param.priv b/regress/unittests/sshkey/testdata/ecdsa_2.param.priv index 537cdaa..dd898d9 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_2.param.priv +++ b/regress/unittests/sshkey/testdata/ecdsa_2.param.priv @@ -1 +1 @@ -01838915c547e8a3f444ffbf3f40146a1ba3d9b8767cd9e2e7866655cc16bb5d111489823f270eeb430a781530557d72fbe8fb7903204c7fee7669578e5252d11114 +01a81b4dedee84b2c777765b202125623c25d70b46ad94d906b683204907414ca5547de24e8b895c45969725d5e7a9652a23f284b07f21f1037861c07cba098071cf diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.param.pub b/regress/unittests/sshkey/testdata/ecdsa_2.param.pub index 3352ac7..94301c9 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_2.param.pub +++ b/regress/unittests/sshkey/testdata/ecdsa_2.param.pub @@ -1 +1 @@ -04008d4c9e4eb8da3974d8084112c7cca53dd66ee29a62858aeb49e819436e44642abf849ef8f5dc9e873a062f3939b49fb48f94a1d2493678fd3dfa77faf340e01b2301276dbc03f47323e88cc4e161fd949cc7ed9cbb4dccaee9d38cf0bee73b10a9dc35241776809cf4852610fb34dd23056385b03eaecb53a66939253df4409c2b7531 +0401d9d95372a0379d070aac77363e924369b5cf43aed4425663ba7142cb8feebdd4c848b6a56a4cc25b4c5948e0c9c083d3e819317fd0a98b25fcbcbd27df5c62aaab018a70536d7755c2a3eed0bbdb576f1ae89fd83a0e6bbbcbc8da2e48b17306709f02ece86980f6a646ba201f38657419ff7fbbdf2cafebe290e6b83b0e491434f0e6 diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.pub b/regress/unittests/sshkey/testdata/ecdsa_2.pub index 34e1881..be9d84b 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_2.pub +++ b/regress/unittests/sshkey/testdata/ecdsa_2.pub @@ -1 +1 @@ -ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACNTJ5OuNo5dNgIQRLHzKU91m7immKFiutJ6BlDbkRkKr+Envj13J6HOgYvOTm0n7SPlKHSSTZ4/T36d/rzQOAbIwEnbbwD9HMj6IzE4WH9lJzH7Zy7Tcyu6dOM8L7nOxCp3DUkF3aAnPSFJhD7NN0jBWOFsD6uy1OmaTklPfRAnCt1MQ== ECDSA test key #2 +ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHZ2VNyoDedBwqsdzY+kkNptc9DrtRCVmO6cULLj+691MhItqVqTMJbTFlI4MnAg9PoGTF/0KmLJfy8vSffXGKqqwGKcFNtd1XCo+7Qu9tXbxron9g6Dmu7y8jaLkixcwZwnwLs6GmA9qZGuiAfOGV0Gf9/u98sr+vikOa4Ow5JFDTw5g== ECDSA test key #2 diff --git a/regress/unittests/sshkey/testdata/ecdsa_n b/regress/unittests/sshkey/testdata/ecdsa_n index aec73dd..80382b6 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_n +++ b/regress/unittests/sshkey/testdata/ecdsa_n @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIFghsFR1K95tz8qOl3+tX6fv8a/O6AfNbxOSFZX3ihxooAoGCCqGSM49 -AwEHoUQDQgAEalpgP0BOePHtTw0Pus4tdhTb8P9yWUZluvLf1D8vrHImT+G4vr/W -xo5iXGKQVEifuUVyLkAW2kDrq8J/szeRiQ== +MHcCAQEEIPPNyUAnjvFr+eT/7t/IyjuQQd/aLFiTY92LB9gIjyrMoAoGCCqGSM49 +AwEHoUQDQgAEDFlblkOrW9ydKVhtM+9AY3c9saBE7SG3lFx38nBavkADDaI9jh3/ +kvG/Jt9vpm22qwoklTCGDfzCkXkIKaWlBw== -----END EC PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ecdsa_n_pw b/regress/unittests/sshkey/testdata/ecdsa_n_pw index 75d5859..36b7fa7 100644 --- a/regress/unittests/sshkey/testdata/ecdsa_n_pw +++ b/regress/unittests/sshkey/testdata/ecdsa_n_pw @@ -1,9 +1,9 @@ -----BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABBXqI6Z6o -uRM+jAwdhnDoIMAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz -dHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYl -xikFRIn7lFci5AFtpA66vCf7M3kYkAAACwYMnoCTqvUTG0ktSSMNsOZLCdal5J4avEpM1L -sV9SL/RVcwo3ChprhwsnQsaAtMiJCRcHerKgD9qy1MNNaE5VNfVJ0Ih/7ut04cbFKed8p6 -0V+w8WP7WvFffBPoHn+GGbQd1FDGzHhXUB61pH8Qzd1bI/sld/XEtMk7iYjNGQe9Rt0RaK -Wi8trwaA0Fb2w/EFnrdsFFxrIhQEqYBdEQJo782IqAsMG9OwUaM0vy+8bcI= +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABC4UwEov5 +z0RrCm7AMCxbuiAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz +dHAyNTYAAABBBAxZW5ZDq1vcnSlYbTPvQGN3PbGgRO0ht5Rcd/JwWr5AAw2iPY4d/5Lxvy +bfb6ZttqsKJJUwhg38wpF5CCmlpQcAAACgbCnAklQTHrf5qiHiMxKYwQJ7k/X9mp4fXD4v +xUbgNZiXSxN26mn8mC2rH+WA6Lk3CexR/hrtLI2ndpBsYu1h6HhVkOwwm3Kd/PMKArCupW +l6sYEabrT0EghXR/3aDEZvj79hgKSdu3RpayLvMdbCR8k1cg0/mDmR9hicWfeJ61n/IH05 +tUR268+0BVRW9kDhh/cuv8tVY4L09jCCQ6CpsA== -----END OPENSSH PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ed25519_1 b/regress/unittests/sshkey/testdata/ed25519_1 index a537ae1..6b0ae01 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1 +++ b/regress/unittests/sshkey/testdata/ed25519_1 @@ -1,7 +1,7 @@ -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACC5PeVeSdyylcfG3C0geNO90e3dGgL0fICaz751dA9zEAAAAJglsAcYJbAH -GAAAAAtzc2gtZWQyNTUxOQAAACC5PeVeSdyylcfG3C0geNO90e3dGgL0fICaz751dA9zEA -AAAED6HJ8Bh8tdQvhMd5o8IxtIwBv8/FV48FpBFWAbYdsIsLk95V5J3LKVx8bcLSB4073R -7d0aAvR8gJrPvnV0D3MQAAAAE0VEMjU1MTkgdGVzdCBrZXkgIzEBAg== +QyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQAAAJjnj4Ao54+A +KAAAAAtzc2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQ +AAAED3KgoDbjR54V7bdNpfKlQY5m20UK1QaHytkCR+6rZEDFOG6kY7Rf4UtCFvPwKgo/Bz +tXck2xC4a2WyA34XtIwZAAAAE0VEMjU1MTkgdGVzdCBrZXkgIzEBAg== -----END OPENSSH PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp index fbde87a..a9674e2 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp +++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp @@ -1 +1 @@ -MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f +SHA256:L3k/oJubblSY0lB9Ulsl7emDMnRPKm/8udf2ccwk560 diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.pub b/regress/unittests/sshkey/testdata/ed25519_1-cert.pub index ad0b9a8..649b4e8 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1-cert.pub +++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.pub @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHmdL66MkkOvncpc0W4MdvlJZMfQthHiOUv+XKm7gvzOAAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQAAAAAAAAAAgAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zdDEAAAAFaG9zdDIAAAAANouDYAAAAABNHeHgAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACC5PeVeSdyylcfG3C0geNO90e3dGgL0fICaz751dA9zEAAAAFMAAAALc3NoLWVkMjU1MTkAAABAsUStKm1z3Rtvwy3eXE1DrgVp6kix2iEQXfB66IHX2UpAj5yl0eQGXWTSEDIxHDIb0SJvUH43OWX0PrEeAs0mAA== ed25519_1.pub +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIxzuxl4z3uwAIslne8Huft+1n1IhHAlNbWZkQyyECCGAAAAIFOG6kY7Rf4UtCFvPwKgo/BztXck2xC4a2WyA34XtIwZAAAAAAAAAAgAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zdDEAAAAFaG9zdDIAAAAANowB8AAAAABNHmBwAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACBThupGO0X+FLQhbz8CoKPwc7V3JNsQuGtlsgN+F7SMGQAAAFMAAAALc3NoLWVkMjU1MTkAAABABGTn+Bmz86Ajk+iqKCSdP5NClsYzn4alJd0V5bizhP0Kumc/HbqQfSt684J1WdSzih+EjvnTgBhK9jTBKb90AQ== ED25519 test key #1 diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp index fbde87a..a9674e2 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1.fp +++ b/regress/unittests/sshkey/testdata/ed25519_1.fp @@ -1 +1 @@ -MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f +SHA256:L3k/oJubblSY0lB9Ulsl7emDMnRPKm/8udf2ccwk560 diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp.bb b/regress/unittests/sshkey/testdata/ed25519_1.fp.bb index 591a711..309f2da 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1.fp.bb +++ b/regress/unittests/sshkey/testdata/ed25519_1.fp.bb @@ -1 +1 @@ -xofip-nuhoh-botam-cypeg-panig-tunef-bimav-numeb-nikic-gocyf-paxax +xubop-rekyd-bakal-nubuf-pahaf-gicuh-logeb-gocif-petod-galip-fuxux diff --git a/regress/unittests/sshkey/testdata/ed25519_1.pub b/regress/unittests/sshkey/testdata/ed25519_1.pub index 633e050..e533059 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1.pub +++ b/regress/unittests/sshkey/testdata/ed25519_1.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQ ED25519 test key #1 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOG6kY7Rf4UtCFvPwKgo/BztXck2xC4a2WyA34XtIwZ ED25519 test key #1 diff --git a/regress/unittests/sshkey/testdata/ed25519_1_pw b/regress/unittests/sshkey/testdata/ed25519_1_pw index 9fc6352..c3b7ae7 100644 --- a/regress/unittests/sshkey/testdata/ed25519_1_pw +++ b/regress/unittests/sshkey/testdata/ed25519_1_pw @@ -1,8 +1,8 @@ -----BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAlT1eewp -9gl0gue+sSrBWKAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bc -LSB4073R7d0aAvR8gJrPvnV0D3MQAAAAoMrL9ixIQHoJ86DcKMGt26+bCeaoyGjW5hha2Y -IxAZ+rRvNjUuv3MGvbUxtUpPZkTP/vk2fVSCuCD9St5Lbt/LKdIk2MfWIFbjZ6iEfdzxz0 -DHmsSDMps8dbePqqIPULR8av447jEzQEkUc8GSR6WqFSJOjJ8OvrJat1KcEK7V2tjZnLS1 -GoLMqVAtCVhuXwUkeJiRQE/JRl172hxB+LAVw= +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABCus+kaow +AUjHphacvRp98dAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIFOG6kY7Rf4UtCFv +PwKgo/BztXck2xC4a2WyA34XtIwZAAAAoJaqqgiYQuElraJAmYOm7Tb4nJ3eI4oj9mQ52M +/Yd+ION2Ur1v8BDewpDX+LHEYgKHo3Mlmcn2UyF+QJ+7xUCW7QCtk/4szrJzw74DlEl6mH +T8PT/f/av7PpECBD/YD3NoDlB9OWm/Q4sHcxfBEKfTGD7s2Onn71HgrdEOPqd4Sj/IQigR +drfjtXEMlD32k9n3dd2eS9x7AHWYaGFEMkOcY= -----END OPENSSH PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ed25519_2 b/regress/unittests/sshkey/testdata/ed25519_2 index a6e5f00..e4aed63 100644 --- a/regress/unittests/sshkey/testdata/ed25519_2 +++ b/regress/unittests/sshkey/testdata/ed25519_2 @@ -1,7 +1,7 @@ -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACBXUfO5Kid+jhRnyVt+1r9wj2FN/mZ6RfgGdySeYoq4WAAAAJjGeKsZxnir -GQAAAAtzc2gtZWQyNTUxOQAAACBXUfO5Kid+jhRnyVt+1r9wj2FN/mZ6RfgGdySeYoq4WA -AAAEB+gn4gGClQl2WMeOkikY+w0A0kSw1KH4Oyami7hlypsFdR87kqJ36OFGfJW37Wv3CP -YU3+ZnpF+AZ3JJ5iirhYAAAAE0VEMjU1MTkgdGVzdCBrZXkgIzEBAg== +QyNTUxOQAAACDPVKyLnm3eZE0lm0IfM3Uy9AsdGSBtozcoCt21blYBCwAAAJix1mBGsdZg +RgAAAAtzc2gtZWQyNTUxOQAAACDPVKyLnm3eZE0lm0IfM3Uy9AsdGSBtozcoCt21blYBCw +AAAECZEQHXs18o3DKjhUYaTyt+bUbhqfMeqmsKjYyFvzGVgs9UrIuebd5kTSWbQh8zdTL0 +Cx0ZIG2jNygK3bVuVgELAAAAE0VEMjU1MTkgdGVzdCBrZXkgIzEBAg== -----END OPENSSH PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp index ec1cdbb..0496626 100644 --- a/regress/unittests/sshkey/testdata/ed25519_2.fp +++ b/regress/unittests/sshkey/testdata/ed25519_2.fp @@ -1 +1 @@ -MD5:5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9 +SHA256:vMbaARqVciRgXyZPNHDo+P5p5WK5yWG1Oo6VC35Bomw diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp.bb b/regress/unittests/sshkey/testdata/ed25519_2.fp.bb index ebe782e..abba789 100644 --- a/regress/unittests/sshkey/testdata/ed25519_2.fp.bb +++ b/regress/unittests/sshkey/testdata/ed25519_2.fp.bb @@ -1 +1 @@ -xenoz-tovup-zecyt-hohar-motam-sugid-fecyz-tutyk-gosom-ginar-kixux +xuces-bapyb-vikob-zesyv-budod-nupip-kebon-tacyc-fofed-lezic-soxax diff --git a/regress/unittests/sshkey/testdata/ed25519_2.pub b/regress/unittests/sshkey/testdata/ed25519_2.pub index 37b9335..af34236 100644 --- a/regress/unittests/sshkey/testdata/ed25519_2.pub +++ b/regress/unittests/sshkey/testdata/ed25519_2.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdR87kqJ36OFGfJW37Wv3CPYU3+ZnpF+AZ3JJ5iirhY ED25519 test key #1 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9UrIuebd5kTSWbQh8zdTL0Cx0ZIG2jNygK3bVuVgEL ED25519 test key #1 diff --git a/regress/unittests/sshkey/testdata/rsa1_1 b/regress/unittests/sshkey/testdata/rsa1_1 index d22014e..161cc04 100644 Binary files a/regress/unittests/sshkey/testdata/rsa1_1 and b/regress/unittests/sshkey/testdata/rsa1_1 differ diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp index 2e1068c..21b3d1a 100644 --- a/regress/unittests/sshkey/testdata/rsa1_1.fp +++ b/regress/unittests/sshkey/testdata/rsa1_1.fp @@ -1 +1 @@ -MD5:a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80 +SHA256:/kk7K9S9kwYFiFilnZYFwCsQJweI/SGQVR2nIa8VBhE diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp.bb b/regress/unittests/sshkey/testdata/rsa1_1.fp.bb index caaf951..62991b3 100644 --- a/regress/unittests/sshkey/testdata/rsa1_1.fp.bb +++ b/regress/unittests/sshkey/testdata/rsa1_1.fp.bb @@ -1 +1 @@ -xukib-cymuf-mylib-kecih-rogyb-sorid-belys-kytem-dinin-cicil-kyxex +xilil-nabyf-gynih-duheb-gokyp-bofet-nekac-bosod-lozin-kuvyh-poxix diff --git a/regress/unittests/sshkey/testdata/rsa1_1.param.n b/regress/unittests/sshkey/testdata/rsa1_1.param.n index 4ceb373..9a2549b 100644 --- a/regress/unittests/sshkey/testdata/rsa1_1.param.n +++ b/regress/unittests/sshkey/testdata/rsa1_1.param.n @@ -1 +1 @@ -00cf68059e5c7743318d740d3ebb55eb577891c9c3098817703f4c3157285055c2daa50102509ebdcade324e541c965e2931fd3459052fe65d013722da805d7ec8ef5b97cc006789d0566c5578b23e7aaa5be2b055d85798030cdead2eb2cc4eb3 +00ce8ca77a556eba887f9a866c084a6402785354a81c10854d343181fa09351223a65f99915f8433d11a9c41677d307c03c3a39865b83e7172d2c1d878333c980438d6e4462106a0065cd75cfea7ca7f21538bf2f43f2af49cacee51b22e3bdcc5e87b59cc691f7c6942a77ef13bfdfb24300777b727348d0ba7900ba06b886729 diff --git a/regress/unittests/sshkey/testdata/rsa1_1.pub b/regress/unittests/sshkey/testdata/rsa1_1.pub index 56cf30d..f665b0d 100644 --- a/regress/unittests/sshkey/testdata/rsa1_1.pub +++ b/regress/unittests/sshkey/testdata/rsa1_1.pub @@ -1 +1 @@ -768 65537 1257820658919101781627826212425999371251377782154008557690434337796299274692579921603319269571889066123773172648045269780061837011867522525764583065919572648969392756890567918758763032103894830246827894023662422727333291801518558899 RSA1 test key #1 +1024 65537 145043942670517902781741650890610683756045780348507433188994725700923246927874581962206512480287863636935077725837494808988986557337885675565086448774391442851909709751605441036910145362277967349042489937363543710406342212883803780768870873303921572812138116796733586484633244057911618360651775855949808953129 RSA1 test key #1 diff --git a/regress/unittests/sshkey/testdata/rsa1_1_pw b/regress/unittests/sshkey/testdata/rsa1_1_pw index 3113dbc..e73c679 100644 Binary files a/regress/unittests/sshkey/testdata/rsa1_1_pw and b/regress/unittests/sshkey/testdata/rsa1_1_pw differ diff --git a/regress/unittests/sshkey/testdata/rsa1_2 b/regress/unittests/sshkey/testdata/rsa1_2 index e75e665..1d672dd 100644 Binary files a/regress/unittests/sshkey/testdata/rsa1_2 and b/regress/unittests/sshkey/testdata/rsa1_2 differ diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp index cd00393..00516d5 100644 --- a/regress/unittests/sshkey/testdata/rsa1_2.fp +++ b/regress/unittests/sshkey/testdata/rsa1_2.fp @@ -1 +1 @@ -MD5:c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c +SHA256:JaOeRCnLl/TLe7vn1+aQ4ONyKZCUhK5x3k4VHilmbpE diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp.bb b/regress/unittests/sshkey/testdata/rsa1_2.fp.bb index cd80371..b4989a5 100644 --- a/regress/unittests/sshkey/testdata/rsa1_2.fp.bb +++ b/regress/unittests/sshkey/testdata/rsa1_2.fp.bb @@ -1 +1 @@ -xifad-vevot-sozyl-fapeb-meryf-kylut-cydiv-firik-gavyb-lanad-kaxox +xipag-zohut-zepuk-pisyv-kamog-pupus-netud-tudis-melup-cynov-gaxox diff --git a/regress/unittests/sshkey/testdata/rsa1_2.param.n b/regress/unittests/sshkey/testdata/rsa1_2.param.n index f8143a4..25d438d 100644 --- a/regress/unittests/sshkey/testdata/rsa1_2.param.n +++ b/regress/unittests/sshkey/testdata/rsa1_2.param.n @@ -1 +1 @@ -00b08a9fa386aceaab2ec3e9cdc7e6cb4eac9e98620279eed6762e1f513739a417ac8a86231fad3b8727a9de994973a7aae674a132547341984ade91aa1c22f01d2f0204ea7fa121969c367a5d04bda384066cf94e0b56d1efc47f50ca28e90603547df41c0676550d82d369f699b457d4f0f077999d9e76ab679fbf4206d418dbabed1823f14e4ddf3aac987686e6b006f8a23ea6af13b4c0e5b1fb5b1eb4db2f47b229422c450574cae9c64db5dcfce050836b6bdfa8fb541b4d426444a5ea20ad51a25d3048414ced2e199da2997968273e8beb10f3a351e98a57b00dadfa8f00a39bb55be94dae898fda6021d728f32b2ec93edd16e51073be3ac7511e5085 +00cab091b57a154740c1bb7020f46a21a19dc40f647db2aab1babd30cabe241f0437391e68376ba35e48c624b8eaf6b59424d4c1a848c9fd1ef5cdc7c1b7f5e5df23b7ad513b79021286d38c52fdfae35656659e8649b2bf8bedf7c99664e45534007bd1c5dc3de1dafdf2d34ad087155951aa0f3d500b36d0d804bbccdef15ab31ca3dd40bdf5196065a97f397ef576caffb606be8232f6e0614aea0e979b9584296673fabb1dbd9f3212495c428842a2ab1f1768dd424fb6fdceeeab9126cacdfc834f0a0d09ba73ad8360d183ba85bb1565555cc6a536eb8d06df1a1e841107c021ae28a2d8b3465f9d8b58ef4045aea1c4ad7f8bf639574d6b142af67b4eb3 diff --git a/regress/unittests/sshkey/testdata/rsa1_2.pub b/regress/unittests/sshkey/testdata/rsa1_2.pub index de1afbb..acab6dd 100644 --- a/regress/unittests/sshkey/testdata/rsa1_2.pub +++ b/regress/unittests/sshkey/testdata/rsa1_2.pub @@ -1 +1 @@ -2048 65537 22286299513474010485021611215236051675183880694440075228245854420062562171290421803318459093678819161498086077099067169041536315773126601869537036602014639497662916952995546870691495931205282427606841521014293638607226118353743812583642616889028731910222603216563207637006843580936568089467160095319593442255227365472917576488012409542775346105980501967996562422764758836868135158147777193940857952623773420292946843206784104932927528915610322518810753953608862466374219925252817405397507396462117715293725218947744085154122395590957537510003558169729949140038634486299736757269280065662263306737701939154762092925061 RSA1 test key #2 +2048 65537 25587207108642486834576012232250034427766229965612147538722032399009467293691448851087324679403117563681753304072089087252850866332601294130674473984011813227791089686736237645788471744456489819306046398653719249100878753563464696688916667605969658659855996383142110932332560049231682024775766802333675397528993897914717996946881193454997890776063024953924432026083898531677702536941151535135950834711001926404724453460085864892836473957600610133803037286539329764689125111700732309717375455919436557475211197800228646235077584780367991159670572954337165006813357814232200750568307753718414790655085790471723847208627 RSA1 test key #2 diff --git a/regress/unittests/sshkey/testdata/rsa_1 b/regress/unittests/sshkey/testdata/rsa_1 index 09e79a7..5de3f84 100644 --- a/regress/unittests/sshkey/testdata/rsa_1 +++ b/regress/unittests/sshkey/testdata/rsa_1 @@ -1,12 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBywIBAAJhAM/6MDmVVm/uNQmZpOcthoAAgMDUg7G4H6ZLLyPEhboKaBBHvIdw -ZdDmB+0LDf3D1aWXyUd2/pCkCysiBzqd/523zAzjY7HayqL6A940AxKBBbWLn+X6 -i2yJR7dTOYkk6QIDAQABAmAgKanBjfWzE5yCIo+c7K5rJyjCKVtAZaAHYIMmveKM -VcWoFt/x9hDY0GoTX21HfDxLX8oDxnsmhsOrnvSmgUChFwkm45eSETqeVDWwIVFA -FGL1s38xQsciWZWBFNppAIECMQD7nslReAxwz/Ad++ACXswfJg1l2wUQ1gJA3zh3 -jln6a4s3aV1zxbKlIn8iqBv0BZkCMQDTmO4WqyNnin73XCZs0DWu7GsfcuaH8QnD -wqPjJgrclTZXedxHkeqO2oyZW4mLC9ECMBb/blsZ49kzyDiVWuYcj/+Q1MyodhAR -32bagCi9RBAVYEYSRU5dlXRucLxULSnikQIxAJ5teY5Vcru6kZfJUifUuO0QrKAu -WnbcPVBqMmUHfchsm/RhFFIt6W4uKmlEhTYrkQIxAMAStb7QCU3yU6ZkN7uL22Zs -498i4jY6y+VEXv+L9O09VdlEnXhbUisOhy1bhyS3yg== +MIICXAIBAAKBgQDLV5lUTt7FrADseB/CGhEZzpoojjEW5y8+ePvLppmK3MmMI18u +d6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yMrW6wb84gbq8C31Xoe9EORcIUuGSvDKd +NSM1SjlhDquRblDFB8kToqXyx1lqrXecXylxIUOL0jE+u0rU1967pDJx+wIDAQAB +AoGAXyj5mpjmbD+YlxGIWz/zrM4hGsWgd4VteKEJxT6MMI4uzCRpkMd0ck8oHiwZ +GAI/SwUzIsgtONQuH3AXVsUgghW4Ynn+8ksEv0IZ918WDMDwqvqkyrVzsOsZzqYj +Pf8DUDKCpwFjnlknJ04yvWBZvVhWtY4OiZ8GV0Ttsu3k+GECQQD1YHfvBb5FdJBv +Uhde2Il+jaFia8mwVVNNaiD2ECxXx6CzGz54ZLEB9NPVfDUZK8lJ4UJDqelWNh3i +PF3RefWDAkEA1CVBzAFL4mNwpleVPzrfy69xP3gWOa26MxM/GE6zx9jC7HgQ3KPa +WKdG/FuHs085aTRDaDLmGcZ8IvMuu7NgKQJAcIOKmxR0Gd8IN7NZugjqixggb0Pj +mLKXXwESGiJyYtHL0zTj4Uqyi6Ya2GJ66o7UXscmnmYz828fJtTtZBdbRwJBALfi +C2QvA32Zv/0PEXibKXy996WSC4G3ShwXZKtHHKHvCxY5BDSbehk59VesZrVPyG2e +NYdOBxD0cIlCzJE56/ECQAndVkxvO8hwyEFGGwF3faHIAe/OxVb+MjaU25//Pe1/ +h/e6tlCk4w9CODpyV685gV394eYwMcGDcIkipTNUDZs= -----END RSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp index 1cf780d..79f380a 100644 --- a/regress/unittests/sshkey/testdata/rsa_1-cert.fp +++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp @@ -1 +1 @@ -MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b +SHA256:l6itGumSMcRBBAFteCgmjQBIXqLK/jFGUH3viHX1RmE diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.pub b/regress/unittests/sshkey/testdata/rsa_1-cert.pub index 51b1ce0..3bacf3c 100644 --- a/regress/unittests/sshkey/testdata/rsa_1-cert.pub +++ b/regress/unittests/sshkey/testdata/rsa_1-cert.pub @@ -1 +1 @@ -ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg1i9Ueveqg9sFSGsEYmsQqlI+dpC3nqhucPfwBVo3DtcAAAADAQABAAAAYQDP+jA5lVZv7jUJmaTnLYaAAIDA1IOxuB+mSy8jxIW6CmgQR7yHcGXQ5gftCw39w9Wll8lHdv6QpAsrIgc6nf+dt8wM42Ox2sqi+gPeNAMSgQW1i5/l+otsiUe3UzmJJOkAAAAAAAAABQAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2i4NgAAAAAE0d4eAAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQAAAAUwAAAAtzc2gtZWQyNTUxOQAAAED0TLf2Mv2F9TBt1Skf/1vviUgt7bt9xvL5HqugnVDfKaEg+RNKgfa5Rtpteb39EODkH8v4FJPWlmNG0F9w0cYF rsa_1.pub +ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg98LhS2EHxLOWCLopZPwHdg/RJXusnkOqQXSc9R7aITkAAAADAQABAAAAgQDLV5lUTt7FrADseB/CGhEZzpoojjEW5y8+ePvLppmK3MmMI18ud6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yMrW6wb84gbq8C31Xoe9EORcIUuGSvDKdNSM1SjlhDquRblDFB8kToqXyx1lqrXecXylxIUOL0jE+u0rU1967pDJx+wAAAAAAAAAFAAAAAgAAAAZqdWxpdXMAAAASAAAABWhvc3QxAAAABWhvc3QyAAAAADaMAfAAAAAATR5gcAAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgU4bqRjtF/hS0IW8/AqCj8HO1dyTbELhrZbIDfhe0jBkAAABTAAAAC3NzaC1lZDI1NTE5AAAAQI3QGlUCzC07KorupxpDkkGy6tniaZ8EvBflzvv+itXWNchGvfUeHmVT6aX0sRqehdz/lR+GmXRoZBhofwh0qAM= RSA test key #1 diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp index 1cf780d..79f380a 100644 --- a/regress/unittests/sshkey/testdata/rsa_1.fp +++ b/regress/unittests/sshkey/testdata/rsa_1.fp @@ -1 +1 @@ -MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b +SHA256:l6itGumSMcRBBAFteCgmjQBIXqLK/jFGUH3viHX1RmE diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp.bb b/regress/unittests/sshkey/testdata/rsa_1.fp.bb index 448133b..45bacd5 100644 --- a/regress/unittests/sshkey/testdata/rsa_1.fp.bb +++ b/regress/unittests/sshkey/testdata/rsa_1.fp.bb @@ -1 +1 @@ -xetif-zuvul-nylyc-vykor-lumac-gyhyv-bacih-cimyk-sycen-gikym-pixax +xosis-fodod-votot-dibum-ryvac-rediz-naruf-votun-kevis-halis-gexux diff --git a/regress/unittests/sshkey/testdata/rsa_1.param.n b/regress/unittests/sshkey/testdata/rsa_1.param.n index 2ffc2ba..4933712 100644 --- a/regress/unittests/sshkey/testdata/rsa_1.param.n +++ b/regress/unittests/sshkey/testdata/rsa_1.param.n @@ -1 +1 @@ -00cffa303995566fee350999a4e72d86800080c0d483b1b81fa64b2f23c485ba0a681047bc877065d0e607ed0b0dfdc3d5a597c94776fe90a40b2b22073a9dff9db7cc0ce363b1dacaa2fa03de3403128105b58b9fe5fa8b6c8947b753398924e9 +00cb5799544edec5ac00ec781fc21a1119ce9a288e3116e72f3e78fbcba6998adcc98c235f2e77abf1ce92b76f064b624552c9f2582341e622e1a176eef232b5bac1bf3881babc0b7d57a1ef4439170852e192bc329d3523354a39610eab916e50c507c913a2a5f2c7596aad779c5f297121438bd2313ebb4ad4d7debba43271fb diff --git a/regress/unittests/sshkey/testdata/rsa_1.param.p b/regress/unittests/sshkey/testdata/rsa_1.param.p index 4fcf148..4783d21 100644 --- a/regress/unittests/sshkey/testdata/rsa_1.param.p +++ b/regress/unittests/sshkey/testdata/rsa_1.param.p @@ -1 +1 @@ -00fb9ec951780c70cff01dfbe0025ecc1f260d65db0510d60240df38778e59fa6b8b37695d73c5b2a5227f22a81bf40599 +00f56077ef05be4574906f52175ed8897e8da1626bc9b055534d6a20f6102c57c7a0b31b3e7864b101f4d3d57c35192bc949e14243a9e956361de23c5dd179f583 diff --git a/regress/unittests/sshkey/testdata/rsa_1.param.q b/regress/unittests/sshkey/testdata/rsa_1.param.q index 3473f51..00fc8a2 100644 --- a/regress/unittests/sshkey/testdata/rsa_1.param.q +++ b/regress/unittests/sshkey/testdata/rsa_1.param.q @@ -1 +1 @@ -00d398ee16ab23678a7ef75c266cd035aeec6b1f72e687f109c3c2a3e3260adc95365779dc4791ea8eda8c995b898b0bd1 +00d42541cc014be26370a657953f3adfcbaf713f781639adba33133f184eb3c7d8c2ec7810dca3da58a746fc5b87b34f396934436832e619c67c22f32ebbb36029 diff --git a/regress/unittests/sshkey/testdata/rsa_1.pub b/regress/unittests/sshkey/testdata/rsa_1.pub index 889fdae..23ef872 100644 --- a/regress/unittests/sshkey/testdata/rsa_1.pub +++ b/regress/unittests/sshkey/testdata/rsa_1.pub @@ -1 +1 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQDP+jA5lVZv7jUJmaTnLYaAAIDA1IOxuB+mSy8jxIW6CmgQR7yHcGXQ5gftCw39w9Wll8lHdv6QpAsrIgc6nf+dt8wM42Ox2sqi+gPeNAMSgQW1i5/l+otsiUe3UzmJJOk= RSA test key #1 +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLV5lUTt7FrADseB/CGhEZzpoojjEW5y8+ePvLppmK3MmMI18ud6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yMrW6wb84gbq8C31Xoe9EORcIUuGSvDKdNSM1SjlhDquRblDFB8kToqXyx1lqrXecXylxIUOL0jE+u0rU1967pDJx+w== RSA test key #1 diff --git a/regress/unittests/sshkey/testdata/rsa_1_pw b/regress/unittests/sshkey/testdata/rsa_1_pw index 71637a5..b4c0674 100644 --- a/regress/unittests/sshkey/testdata/rsa_1_pw +++ b/regress/unittests/sshkey/testdata/rsa_1_pw @@ -1,15 +1,18 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,1E851A01F12A49FDC256E7A665C61D4B +DEK-Info: AES-128-CBC,0C3F819F6EEA66A471BAEEDDA8171606 -+sfWU7kg3idmHL6vShby5LXnfF4bZDPhJjv89uldae7qPEgEW8qS8o0Ssokxf7Au -/vTQnbSB+gy/qZaUOykOzqiV1YL7UfkbOkM2QYnzzrVeGzI5RZ0G9iH8HBn2owQ+ -Ejf1UKDUVZEea5X0IwQRfE0zaZqFS4tyEex0iKz8dI4FvyabKLZsCs1DBGO7A3ml -LgP947mh10yKWTP2fbq8LOhDUEWCXrh2NzuH6Rl5nNyC4MNQEkLzK1wL7J/WCNaL -sciYmuqEQRDikDDQQFZw2wjBD638fhK+IhuN3VGegiXFnu5C+p9kzUvqVk4X9g2r -BMmlP0pceFv/fEwtNNaeI2Tt7mIsWsZTmCqdzOUAYqGIiNjzykWw64nMO3TpVpbA -i4854RhblbeiyjENbMVPU6BAk4fx7OJvDElLxwN43CS3U0MldbI7A4uG3B3RTSCj -1rGxRNAHWC3q3zzrn6gLwrUVje4iTedaKItLIHQeo1A091Tr8AqQdZi/Ck2Ju0Hl -4Qdwzjw1Y5n1Akm+EWh31ydxtUQ0YBOz/W6DKwTNA1D8oH9bZBG4f0pnvVhtttAO -WKj+DUqMa+f3OOmQ9UXlitk2pEgjeMngTgfQnhZiCts= +AhQNxgw7Z2un3dpm6KPHF1u5qVvOczm0yiTyPK4U11B3TTRhXOHdzPLAcKMX71Xq +fmLm2/JIZATUbLTaysLKIQlmAgtpmXoKLv9b90R3AXLophgToZzOLpvlQTCt+y9G +0E3QQZG/LFy9BLNyw6uD5cy0RHT3FQb5VQDwfBvR/I+K3qWBFLlb7Rw9bCujYczu +D3bimcDj/k6YkrWVsEa81Ch5RF2RClOYufti6bsvc4xIsB0Kd++vokER+kXFuQqf +Tl0Jz+SG0kr9QtjVvkhBtSxzJ6/olAosoUySQ5hqsB8iECufBgp1KelXqsHFJQXy +gCvVmGiivFUinX0rKOuWCHTplsSKQ9BnPSwDAAs8A7ZLcTXcLs/hMQ5r6fmOYfNN +YthhjZyE2ciJO0lydGJUJMb5aJUak0rl+uINRlYCHTRLVwmCOmpfqz9SfcJb1ieU +4Us8NR+pXJar4U0+C2wVlNJkAdpL6GvYxN6vp7vLa+BiFwIZOQozswacIZk/ScXm +QL9rmWug51RCmDeenX46WTEZeB0o0+xi60sDEDhhe4+iNYcJu5L0BJ5lqRFe3I5n +HRRv1mBEjbF2fDcg/ChYfOXsc4gDivH2nObabeASuMFZyadmXfA8tnXRZf+7Wuy/ +LZGYbM2xLeEyV3ss16WBHuIqexDt04OEZvs0jN90zj6Yv7qKCB975bdOcuKkN2Nn +n9lA11R2pgsCs6COp9rYiWXkXZeDf3sW6kdcEV+/SzkVsv4JlHcsIzgk4WGVF/E/ +ZkU4J9AvSdJPzEQDM+yszp0eeUow4+SAgpuNTqZiUO/2UUVbsr3qvlYMoCixhFAN -----END RSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/rsa_2 b/regress/unittests/sshkey/testdata/rsa_2 index 058cf77..2441d52 100644 --- a/regress/unittests/sshkey/testdata/rsa_2 +++ b/regress/unittests/sshkey/testdata/rsa_2 @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAlDS/ygeFfsR/mhZK/XMHU/gzRogPuMQIYUd17WDjMprA6dQb -ckTDrNm/mrf09I6YAhjgooEL16oWM1z6cesDE0KwaJsy6uTmXFMLO+Ha4mtFHhmu -tiyJcQ9MKKr0vC64384WQZygZk0OlVz7x9WSPiGXzal5MzsX4TYq5B05o2Cb+epA -FxK0c8cdYZD0Sy57gWRpRA3yJq4zh/hks98jzn0XA3HAJA39MKhUG5tf5e6z5BeP -Yi5FvdnDQ9WcasRiEvkmHbg59pbgg/Lbsl6OgZQruS8hKiJ3YBARt2euCCeg7qAF -KbXRR9TMwfphH3Ai4Oi/w6HPRAhdrwooA/gKkQIDAQABAoIBAH22OLB/rMaYmrvz -COzvM1oQgD3lj6Bj98+8M9WEh3MXPWeaGSXWGjx1/0aXn1oJ0fqFa5Wr7IWkqmwr -A+y5McSWntg8PPZt7tCFSFQlAetonhooIsA4CuUx2qHsUOeGoh6EyvAgkRX1atdb -Jd6d1AyLph43EK1aBKltrvgLqiZfs7mcuwyvKtN9ktdKY2FDhn6DHpm9pE9MEHJV -Xv1isNc6a0qNoRlKqxrSZHNEN4fbjLw31wBySzmmnIog5wVEwaHeASwLJT6TmuIZ -eZxnd7/jMwRZWH8ZIGKvkTMp4fYzK9QkehO7A2HFD3FPDBVrkSJjqRdkujF8vu1C -0RwrD1kCgYEAxFXUoE1ero6vp9akvR/mw94kYjXE/YOz1yi0KTkZUs6gURc8Kzsm -MzlEZ31rnngE4jQHYAvuPEfiqcnUgylW3QuevMgo2hCLYO7aG5C0fk8TeOiuvnrF -YPO8rSJWk/BgdrPtzu45P7jmWsjkHn+y+t8cKvq1sZY40sn2YgIhYK8CgYEAwT6j -5tReI6sxpHltPUbvOdpD04eL6ggBAKwzb5aBoa/Dj+sU1zg5uyY8diggQEEznlBW -iWTQmmmfy1ef9i6YAwNuZveKOrVwNMcdubQJ2X26XoFrmA59PjsbLtr1bdUb02gz -6P5x6pcw5qzEq0mddgvHiU3RhL24xdc1LW8nmL8CgYEAmgaT1macPuklmNBlURGz -4jll5b41GoW2EreWDzkCStpbHwLRa0DuCQWGSoI0aY/SlPsoRgtWDOiAQ59ZHsTR -pnw1PfjxQ5HzJkp7xWBSmTzEE/jHDhwWuKa+gD0OGuVbaARkLhDpzLnrzZEIlXyt -Fu7tlDI3VGh7j7Jtnhn5wXUCgYBKmPbGfcaVeFmih2lfFUn2CEbUmmetgUd5zf/R -HMWP9/zDStlxt3e5winm5tiEVWcqvxKY2T0Zzppr8biDXTs7NpDg2MAYp7/X7+GO -tWxz8/AE2WsCeN1qL4Dv1oCV1IV4V6pqUAcDqzeqZJlLEhDh5+wwGcU+u8pfPRN/ -JYCgmwKBgDa+kXPqzcc6vzD9cwEEk4ftn9/Vk2yBx0XOu8RdEkRhXj1QXGJckCqh -FkXzVbuurFhsBt+H0B4arw+51T9fVCZqfcaU34u+Qa/FQvTod4OJUSRxYUaDqygs -VTyuP+zGZlIw7JWktxjVazENsM/ef5wBH0Nf839OZbPVDLfn7K0j +MIIEpAIBAAKCAQEA9NEUXp78SAkmL4+eAj4mBzPOjk+ccCPVzkTR+mZJdyTwkJAB +HUN4cn4a2kTmh7Er+N8CXCsiqxIOV1GfH2fwaCiBlOEXeQJi/cMjxr9kVWO4FhC6 +l1UqbvPUdrUCUZjFTA9/Ah9MKgk7qGYq5SjE3p+sn4GLhRKbqmq9LjiHgMmkBuv/ +a1Slit+rXHzO2F8fH5hkjeHivyYVgw45aNvGCe2RRfbpoeW2mRtgIv7y9wSewt6a +mhEDXSo/F6mkqA7xVinzro5NettEXLo91tA9Hb6f6x/Mc/GJDNXTKhpWCGeJ6xeW +nAefDZORWAY7Y9YbuAxhEJVi9QL5NWoFOA0C6wIDAQABAoIBAQDtRGVVfwhKWHOl +zK76xXjdqhwaWJXpKRHiI1jOMawpyKdNtAMgdW+apxUnTXePMurG/HuxEC09VvaH +MhfhvD6G9BsCS1UQdnuyLRnTWVLIXyjeWcA9QtEpTy8vDSb+Je2xVaNmTybl5qTn +BH22Mtj6Wg5XWJn7kplDhMdssGTDLsSCMw/rcxe9iT2qOKyltQal23RHzR7SijGp +QTtBp2SDGhvMZcyGuyMqJ084W8sdJpbyVzdDim2iaZdHlk7uvW2n0HcJ56I6yhIq +2U8wfgEEwydGVGHgmQNJ/n+SiT/hv6g5ebhDS46X9F9m5CHDwhdr0DrhPBVSsdhl +1HeJ0+FhAoGBAPuC3uNHToiJis688juKlwc3SQ6ger5ffAg3yaNhEcpHkvOtdZlF +/CfX94xazMov/YqFwkvpSSdKsX+PeXuaqnb1hPKNYX5t45U9RjB/ox7BIQj/2rPx +Bfs99UFW9HKP4HsVmLu1xeJg1Pc9iylTK/xrnwfYiZ+H7IGVccizjnqHAoGBAPkv +n1flAdxBzJH/O0rXoig2EtZsDRMPY51MGDdqVOW14ZOfTVlmu0OSnkSKQm2twfro +TPDVb2TY3wTRutz8H9yOFW1c1Nz4YOyTb8FmJhE2FWAQ9t8QpwUlhn15if72dS/Y +22+vP+AYu7wfqGL7QVVEXho5hGjXi053iEvfXBl9AoGAeZISpo1LGphRLgkKlVky +E1zXxWgwrGB/FYHRx1UeQkZCc+K+Wy4G6kNr9r3VC04TIafx+Lt0jrd+AIibUfG6 +v/GBJ7TLEU+QmAycJskrUaxMiYsSbbPtDjoumDytv8pn2VbhEqqUUg44IqHu6DS5 +qDNlFWfHbgNHgIN6EmcoUXUCgYEAi2G57X4pRjx/4wIy9jAbggaNDuctgQXQoIGZ +4hVWG49a+CnZKDKweKGgaZI0igjxQhmCQAwC3RP520Y9EbLtV38aOSv93QQJowrt +Le6nSGVKG4whqrAz3EsbKUA8kiLldbgFNjl+ryjmidnjZEpKRxmQ0XZuu/4k6+Us +ldQAPjkCgYBwjSm5eDUtK2eEPaBtbJykV05CTv5rn6CKC9L7ZBTkCcdU1hxeqe99 +wb22decnNawGRP1a5cGwqKJPOfkgybJVkdr6aqQW8ClzdFSaenjzs+nVW+T9JTXf +9lFpIZg5kN/geld3B9B4C99riTM0jg9hbe2RQvpLRTrZbnWMA1XoRw== -----END RSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp index 8d43676..4659639 100644 --- a/regress/unittests/sshkey/testdata/rsa_2.fp +++ b/regress/unittests/sshkey/testdata/rsa_2.fp @@ -1 +1 @@ -MD5:fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0 +SHA256:NoQh0XBUuYUSWqnzOzOBnfpgJTRWLMj7BlWAb8IbjeE diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp.bb b/regress/unittests/sshkey/testdata/rsa_2.fp.bb index e90a357..e9d1e4a 100644 --- a/regress/unittests/sshkey/testdata/rsa_2.fp.bb +++ b/regress/unittests/sshkey/testdata/rsa_2.fp.bb @@ -1 +1 @@ -xepev-gupub-vuvyg-femiv-gonat-defiv-hirak-betub-pahut-veryd-hexix +xogit-gupof-mydon-hocep-zuval-feson-rarif-cefar-tobar-ryvap-kuxex diff --git a/regress/unittests/sshkey/testdata/rsa_2.param.n b/regress/unittests/sshkey/testdata/rsa_2.param.n index 389de42..a669dbf 100644 --- a/regress/unittests/sshkey/testdata/rsa_2.param.n +++ b/regress/unittests/sshkey/testdata/rsa_2.param.n @@ -1 +1 @@ -009434bfca07857ec47f9a164afd730753f83346880fb8c408614775ed60e3329ac0e9d41b7244c3acd9bf9ab7f4f48e980218e0a2810bd7aa16335cfa71eb031342b0689b32eae4e65c530b3be1dae26b451e19aeb62c89710f4c28aaf4bc2eb8dfce16419ca0664d0e955cfbc7d5923e2197cda979333b17e1362ae41d39a3609bf9ea401712b473c71d6190f44b2e7b816469440df226ae3387f864b3df23ce7d170371c0240dfd30a8541b9b5fe5eeb3e4178f622e45bdd9c343d59c6ac46212f9261db839f696e083f2dbb25e8e81942bb92f212a2277601011b767ae0827a0eea00529b5d147d4ccc1fa611f7022e0e8bfc3a1cf44085daf0a2803f80a91 +00f4d1145e9efc4809262f8f9e023e260733ce8e4f9c7023d5ce44d1fa66497724f09090011d4378727e1ada44e687b12bf8df025c2b22ab120e57519f1f67f068288194e117790262fdc323c6bf645563b81610ba97552a6ef3d476b5025198c54c0f7f021f4c2a093ba8662ae528c4de9fac9f818b85129baa6abd2e388780c9a406ebff6b54a58adfab5c7cced85f1f1f98648de1e2bf2615830e3968dbc609ed9145f6e9a1e5b6991b6022fef2f7049ec2de9a9a11035d2a3f17a9a4a80ef15629f3ae8e4d7adb445cba3dd6d03d1dbe9feb1fcc73f1890cd5d32a1a56086789eb17969c079f0d939158063b63d61bb80c61109562f502f9356a05380d02eb diff --git a/regress/unittests/sshkey/testdata/rsa_2.param.p b/regress/unittests/sshkey/testdata/rsa_2.param.p index c3c9a13..be7c1c3 100644 --- a/regress/unittests/sshkey/testdata/rsa_2.param.p +++ b/regress/unittests/sshkey/testdata/rsa_2.param.p @@ -1 +1 @@ -00c455d4a04d5eae8eafa7d6a4bd1fe6c3de246235c4fd83b3d728b429391952cea051173c2b3b26333944677d6b9e7804e23407600bee3c47e2a9c9d4832956dd0b9ebcc828da108b60eeda1b90b47e4f1378e8aebe7ac560f3bcad225693f06076b3edceee393fb8e65ac8e41e7fb2fadf1c2afab5b19638d2c9f662022160af +00fb82dee3474e88898acebcf23b8a970737490ea07abe5f7c0837c9a36111ca4792f3ad759945fc27d7f78c5accca2ffd8a85c24be949274ab17f8f797b9aaa76f584f28d617e6de3953d46307fa31ec12108ffdab3f105fb3df54156f4728fe07b1598bbb5c5e260d4f73d8b29532bfc6b9f07d8899f87ec819571c8b38e7a87 diff --git a/regress/unittests/sshkey/testdata/rsa_2.param.q b/regress/unittests/sshkey/testdata/rsa_2.param.q index 728c474..6f2c542 100644 --- a/regress/unittests/sshkey/testdata/rsa_2.param.q +++ b/regress/unittests/sshkey/testdata/rsa_2.param.q @@ -1 +1 @@ -00c13ea3e6d45e23ab31a4796d3d46ef39da43d3878bea080100ac336f9681a1afc38feb14d73839bb263c7628204041339e50568964d09a699fcb579ff62e9803036e66f78a3ab57034c71db9b409d97dba5e816b980e7d3e3b1b2edaf56dd51bd36833e8fe71ea9730e6acc4ab499d760bc7894dd184bdb8c5d7352d6f2798bf +00f92f9f57e501dc41cc91ff3b4ad7a2283612d66c0d130f639d4c18376a54e5b5e1939f4d5966bb43929e448a426dadc1fae84cf0d56f64d8df04d1badcfc1fdc8e156d5cd4dcf860ec936fc166261136156010f6df10a70525867d7989fef6752fd8db6faf3fe018bbbc1fa862fb4155445e1a398468d78b4e77884bdf5c197d diff --git a/regress/unittests/sshkey/testdata/rsa_2.pub b/regress/unittests/sshkey/testdata/rsa_2.pub index ed9f78c..3322fbc 100644 --- a/regress/unittests/sshkey/testdata/rsa_2.pub +++ b/regress/unittests/sshkey/testdata/rsa_2.pub @@ -1 +1 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNL/KB4V+xH+aFkr9cwdT+DNGiA+4xAhhR3XtYOMymsDp1BtyRMOs2b+at/T0jpgCGOCigQvXqhYzXPpx6wMTQrBomzLq5OZcUws74dria0UeGa62LIlxD0woqvS8LrjfzhZBnKBmTQ6VXPvH1ZI+IZfNqXkzOxfhNirkHTmjYJv56kAXErRzxx1hkPRLLnuBZGlEDfImrjOH+GSz3yPOfRcDccAkDf0wqFQbm1/l7rPkF49iLkW92cND1ZxqxGIS+SYduDn2luCD8tuyXo6BlCu5LyEqIndgEBG3Z64IJ6DuoAUptdFH1MzB+mEfcCLg6L/Doc9ECF2vCigD+AqR RSA test key #2 +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD00RRenvxICSYvj54CPiYHM86OT5xwI9XORNH6Zkl3JPCQkAEdQ3hyfhraROaHsSv43wJcKyKrEg5XUZ8fZ/BoKIGU4Rd5AmL9wyPGv2RVY7gWELqXVSpu89R2tQJRmMVMD38CH0wqCTuoZirlKMTen6yfgYuFEpuqar0uOIeAyaQG6/9rVKWK36tcfM7YXx8fmGSN4eK/JhWDDjlo28YJ7ZFF9umh5baZG2Ai/vL3BJ7C3pqaEQNdKj8XqaSoDvFWKfOujk1620Rcuj3W0D0dvp/rH8xz8YkM1dMqGlYIZ4nrF5acB58Nk5FYBjtj1hu4DGEQlWL1Avk1agU4DQLr RSA test key #2 diff --git a/regress/unittests/sshkey/testdata/rsa_n b/regress/unittests/sshkey/testdata/rsa_n index 09e79a7..5de3f84 100644 --- a/regress/unittests/sshkey/testdata/rsa_n +++ b/regress/unittests/sshkey/testdata/rsa_n @@ -1,12 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBywIBAAJhAM/6MDmVVm/uNQmZpOcthoAAgMDUg7G4H6ZLLyPEhboKaBBHvIdw -ZdDmB+0LDf3D1aWXyUd2/pCkCysiBzqd/523zAzjY7HayqL6A940AxKBBbWLn+X6 -i2yJR7dTOYkk6QIDAQABAmAgKanBjfWzE5yCIo+c7K5rJyjCKVtAZaAHYIMmveKM -VcWoFt/x9hDY0GoTX21HfDxLX8oDxnsmhsOrnvSmgUChFwkm45eSETqeVDWwIVFA -FGL1s38xQsciWZWBFNppAIECMQD7nslReAxwz/Ad++ACXswfJg1l2wUQ1gJA3zh3 -jln6a4s3aV1zxbKlIn8iqBv0BZkCMQDTmO4WqyNnin73XCZs0DWu7GsfcuaH8QnD -wqPjJgrclTZXedxHkeqO2oyZW4mLC9ECMBb/blsZ49kzyDiVWuYcj/+Q1MyodhAR -32bagCi9RBAVYEYSRU5dlXRucLxULSnikQIxAJ5teY5Vcru6kZfJUifUuO0QrKAu -WnbcPVBqMmUHfchsm/RhFFIt6W4uKmlEhTYrkQIxAMAStb7QCU3yU6ZkN7uL22Zs -498i4jY6y+VEXv+L9O09VdlEnXhbUisOhy1bhyS3yg== +MIICXAIBAAKBgQDLV5lUTt7FrADseB/CGhEZzpoojjEW5y8+ePvLppmK3MmMI18u +d6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yMrW6wb84gbq8C31Xoe9EORcIUuGSvDKd +NSM1SjlhDquRblDFB8kToqXyx1lqrXecXylxIUOL0jE+u0rU1967pDJx+wIDAQAB +AoGAXyj5mpjmbD+YlxGIWz/zrM4hGsWgd4VteKEJxT6MMI4uzCRpkMd0ck8oHiwZ +GAI/SwUzIsgtONQuH3AXVsUgghW4Ynn+8ksEv0IZ918WDMDwqvqkyrVzsOsZzqYj +Pf8DUDKCpwFjnlknJ04yvWBZvVhWtY4OiZ8GV0Ttsu3k+GECQQD1YHfvBb5FdJBv +Uhde2Il+jaFia8mwVVNNaiD2ECxXx6CzGz54ZLEB9NPVfDUZK8lJ4UJDqelWNh3i +PF3RefWDAkEA1CVBzAFL4mNwpleVPzrfy69xP3gWOa26MxM/GE6zx9jC7HgQ3KPa +WKdG/FuHs085aTRDaDLmGcZ8IvMuu7NgKQJAcIOKmxR0Gd8IN7NZugjqixggb0Pj +mLKXXwESGiJyYtHL0zTj4Uqyi6Ya2GJ66o7UXscmnmYz828fJtTtZBdbRwJBALfi +C2QvA32Zv/0PEXibKXy996WSC4G3ShwXZKtHHKHvCxY5BDSbehk59VesZrVPyG2e +NYdOBxD0cIlCzJE56/ECQAndVkxvO8hwyEFGGwF3faHIAe/OxVb+MjaU25//Pe1/ +h/e6tlCk4w9CODpyV685gV394eYwMcGDcIkipTNUDZs= -----END RSA PRIVATE KEY----- diff --git a/regress/unittests/sshkey/testdata/rsa_n_pw b/regress/unittests/sshkey/testdata/rsa_n_pw index 0166fd5..dc18373 100644 --- a/regress/unittests/sshkey/testdata/rsa_n_pw +++ b/regress/unittests/sshkey/testdata/rsa_n_pw @@ -1,14 +1,17 @@ -----BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABClELgtaZ -qAmMwESpqXDN0uAAAAEAAAAAEAAAB3AAAAB3NzaC1yc2EAAAADAQABAAAAYQDP+jA5lVZv -7jUJmaTnLYaAAIDA1IOxuB+mSy8jxIW6CmgQR7yHcGXQ5gftCw39w9Wll8lHdv6QpAsrIg -c6nf+dt8wM42Ox2sqi+gPeNAMSgQW1i5/l+otsiUe3UzmJJOkAAAGgwJpHy/nshQa9+Jbw -yomvgNMYvuuoD7Ll7iCY/RFFGXivTkki27C9q0qx3afauSLQQWFanGhjeJn7JPy98lMcVl -qnn5XOE5+xxZqA8ONOBD8eH0KBcTH17DH1A1z94p5zZ1VJKIWsBZ0krxgHIXcdv9ucAckj -N0vAEBm+0wsfy2TTOtuqXvcj65wFwknpyy/SSvU0QTr99FiYe9PIhIslBHO6wlqxfKj+Tm -E/nCb75dAVu6gTtS2P0pdOqV/V7VHX5C0z3BROqpKDJJcVeoc7vRkEl+MWfvvQrG66IPEW -luohFXPDPDrxu1zDduyRsmNwpBHChi2rFhxtsjxNK0svMwESeCCKAWmPxnzLJfvMbTCv00 -SpaCr7WhtzsGt73axqSkeOdynp5NNrN7MEdwruMZFirF4BcI2z2H9ugpS+qbLPuE2H5vln -h7NSwBUNwmZ+4TC8MXFH9KIpRg8dNhf66OU610LYiN4+ZfOYCmfQfgQuBGhMTYFMY6O4SB -NCdIavvWY6rDSBq7QC1f4rHpwiXxpkiE43Rd8fM32TaPlBPtA= +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAFw/Wg/V +I5SAXWj/HJr9qeAAAAEAAAAAEAAACXAAAAB3NzaC1yc2EAAAADAQABAAAAgQDLV5lUTt7F +rADseB/CGhEZzpoojjEW5y8+ePvLppmK3MmMI18ud6vxzpK3bwZLYkVSyfJYI0HmIuGhdu +7yMrW6wb84gbq8C31Xoe9EORcIUuGSvDKdNSM1SjlhDquRblDFB8kToqXyx1lqrXecXylx +IUOL0jE+u0rU1967pDJx+wAAAgD1iSGiMlMJt2VH4kx5yr0wCJS+4UOmX0bxKO7UH5Jcul +K5eaSe5ZoKE7hTYBaz0K5dRF/0fqLsvVZlE4quDjFLN6Hyavgn2W/QM7SUqBHgRMal9pgH +LnxX6mFNWJ+4yb7f3bcbVIdgmMm3sT9Xjwaf5xgzNlR2mkUWtFwjyQh6FxUo5apNzqNBwO +l2Q4xfmyZTp1s++pStQ/su6obXpxnE2Nx5G/D84ZL5iWl+njUy/MvJTazHRbiTSyihU+UA +mUr5ZNuP3WUYY+h3KVlHpYHJYB7l3AMTKuPMFLhY9V7BJ+DuKPaqBgX4hvRzY0eVQiFr61 +ovjWjvfu1ulx550JqdYCgH2PpP0E89OQne35Cxs9QPThfe8DKojC9YquYh9zmVTvr7kNiE +Soluk/7oKpQIDaC+/SRk7AJ2e3Cbt1lXyGNn37PuqaaC/apaF/DOD6Yig9aClS7jOUrT96 +56trFAYfHEIKbRCUSMCiM1+x6HOLYf5ROrGE9KxT3kUD9XMsMpTva+cPpHUpbGpXcYE10N +MyYDz+V5M2/ZoIdEhscJNQ3UnhaZpeEaqcOyNyo90n3Dnaw/WpMDD/kNMGfm8daTaYInnQ +QnwA2gwlYfpTAqxE71oXgOuGmtA0yqJB4778Xq26Pb+B7/mZZZe6n0FVmiNC+ZG37ZGOw/ +iGL9e2Sxzw== -----END OPENSSH PRIVATE KEY----- diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 03b0d40..3830ed1 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.16 2015/06/29 22:35:12 djm Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.17 2015/07/27 16:29:23 guenther Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -63,6 +63,9 @@ static const struct sandbox_policy preauth_policy[] = { { SYS_getpid, SYSTR_POLICY_PERMIT }, { SYS_getpgid, SYSTR_POLICY_PERMIT }, { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, +#ifdef SYS_kbind + { SYS_kbind, SYSTR_POLICY_PERMIT }, +#endif { SYS_madvise, SYSTR_POLICY_PERMIT }, { SYS_mmap, SYSTR_POLICY_PERMIT }, { SYS_mprotect, SYSTR_POLICY_PERMIT }, diff --git a/scp.0 b/scp.0 index 3f309fe..8f41f61 100644 --- a/scp.0 +++ b/scp.0 @@ -109,6 +109,7 @@ DESCRIPTION PreferredAuthentications Protocol ProxyCommand + PubkeyAcceptedKeyTypes PubkeyAuthentication RekeyLimit RhostsRSAAuthentication @@ -161,4 +162,4 @@ AUTHORS Timo Rinne Tatu Ylonen -OpenBSD 5.7 January 30, 2015 OpenBSD 5.7 +OpenBSD 5.8 July 10, 2015 OpenBSD 5.8 diff --git a/scp.1 b/scp.1 index 0e84780..279b0d7 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.66 2015/01/30 11:43:14 djm Exp $ +.\" $OpenBSD: scp.1,v 1.67 2015/07/10 06:21:53 markus Exp $ .\" -.Dd $Mdocdate: January 30 2015 $ +.Dd $Mdocdate: July 10 2015 $ .Dt SCP 1 .Os .Sh NAME @@ -170,6 +170,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It Protocol .It ProxyCommand +.It PubkeyAcceptedKeyTypes .It PubkeyAuthentication .It RekeyLimit .It RhostsRSAAuthentication diff --git a/servconf.c b/servconf.c index df93fc4..6c7a91e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.274 2015/07/01 02:32:17 djm Exp $ */ + +/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -107,6 +108,7 @@ initialize_server_options(ServerOptions *options) options->hostbased_authentication = -1; options->hostbased_uses_name_from_packet_only = -1; options->hostbased_key_types = NULL; + options->hostkeyalgorithms = NULL; options->rsa_authentication = -1; options->pubkey_authentication = -1; options->pubkey_key_types = NULL; @@ -222,7 +224,7 @@ fill_default_server_options(ServerOptions *options) if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) - options->permit_root_login = PERMIT_YES; + options->permit_root_login = PERMIT_NO_PASSWD; if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) @@ -257,14 +259,12 @@ fill_default_server_options(ServerOptions *options) options->hostbased_authentication = 0; if (options->hostbased_uses_name_from_packet_only == -1) options->hostbased_uses_name_from_packet_only = 0; - if (options->hostbased_key_types == NULL) - options->hostbased_key_types = xstrdup("*"); + if (options->hostkeyalgorithms == NULL) + options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); if (options->rsa_authentication == -1) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; - if (options->pubkey_key_types == NULL) - options->pubkey_key_types = xstrdup("*"); if (options->kerberos_authentication == -1) options->kerberos_authentication = 0; if (options->kerberos_or_local_passwd == -1) @@ -341,6 +341,16 @@ fill_default_server_options(ServerOptions *options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + + if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || + kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || + kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->hostbased_key_types) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->pubkey_key_types) != 0) + fatal("%s: kex_assemble_names failed", __func__); + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_NOSANDBOX; @@ -399,6 +409,7 @@ typedef enum { sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sAcceptEnv, sPermitTunnel, @@ -449,6 +460,7 @@ static struct { { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, + { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, @@ -904,6 +916,7 @@ static const struct multistate multistate_addressfamily[] = { }; static const struct multistate multistate_permitrootlogin[] = { { "without-password", PERMIT_NO_PASSWD }, + { "prohibit-password", PERMIT_NO_PASSWD }, { "forced-commands-only", PERMIT_FORCED_ONLY }, { "yes", PERMIT_YES }, { "no", PERMIT_NO }, @@ -1175,13 +1188,17 @@ process_server_config_line(ServerOptions *options, char *line, if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (!sshkey_names_valid2(arg, 1)) + if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) fatal("%s line %d: Bad key types '%s'.", filename, linenum, arg ? arg : ""); if (*activep && *charptr == NULL) *charptr = xstrdup(arg); break; + case sHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; + goto parse_keytypes; + case sRSAAuthentication: intptr = &options->rsa_authentication; goto parse_flag; @@ -1424,7 +1441,7 @@ process_server_config_line(ServerOptions *options, char *line, arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (!ciphers_valid(arg)) + if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : ""); if (options->ciphers == NULL) @@ -1435,7 +1452,7 @@ process_server_config_line(ServerOptions *options, char *line, arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (!mac_valid(arg)) + if (!mac_valid(*arg == '+' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 mac spec '%s'.", filename, linenum, arg ? arg : ""); if (options->macs == NULL) @@ -1447,7 +1464,7 @@ process_server_config_line(ServerOptions *options, char *line, if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (!kex_names_valid(arg)) + if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : ""); if (options->kex_algorithms == NULL) @@ -2279,6 +2296,8 @@ dump_config(ServerOptions *o) o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? o->hostbased_key_types : KEX_DEFAULT_PK_ALG); + dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? + o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? o->pubkey_key_types : KEX_DEFAULT_PK_ALG); diff --git a/servconf.h b/servconf.h index 606d80c..f4137af 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.120 2015/07/10 06:21:53 markus Exp $ */ /* * Author: Tatu Ylonen @@ -102,6 +102,7 @@ typedef struct { int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ int hostbased_uses_name_from_packet_only; /* experimental */ char *hostbased_key_types; /* Key types allowed for hostbased */ + char *hostkeyalgorithms; /* SSH2 server key types */ int rsa_authentication; /* If true, permit RSA authentication. */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ char *pubkey_key_types; /* Key types allowed for public key */ diff --git a/sftp-server.0 b/sftp-server.0 index 77b6bb5..b971cef 100644 --- a/sftp-server.0 +++ b/sftp-server.0 @@ -93,4 +93,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 5.7 December 11, 2014 OpenBSD 5.7 +OpenBSD 5.8 December 11, 2014 OpenBSD 5.8 diff --git a/sftp.0 b/sftp.0 index 24fd991..550f276 100644 --- a/sftp.0 +++ b/sftp.0 @@ -380,4 +380,4 @@ SEE ALSO T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -OpenBSD 5.7 January 30, 2015 OpenBSD 5.7 +OpenBSD 5.8 January 30, 2015 OpenBSD 5.8 diff --git a/ssh-add.0 b/ssh-add.0 index 66493f1..29db710 100644 --- a/ssh-add.0 +++ b/ssh-add.0 @@ -126,4 +126,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.7 March 30, 2015 OpenBSD 5.7 +OpenBSD 5.8 March 30, 2015 OpenBSD 5.8 diff --git a/ssh-add.c b/ssh-add.c index 9c8da54..d6271d7 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.122 2015/03/26 12:32:38 naddy Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -302,8 +302,7 @@ add_file(int agent_fd, const char *filename, int key_only) } /* Graft with private bits */ - if ((r = sshkey_to_certified(private, - sshkey_cert_is_legacy(cert))) != 0) { + if ((r = sshkey_to_certified(private)) != 0) { error("%s: sshkey_to_certified: %s", __func__, ssh_err(r)); sshkey_free(cert); goto out; diff --git a/ssh-agent.0 b/ssh-agent.0 index eb89281..65bf6e7 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 @@ -109,4 +109,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.7 April 24, 2015 OpenBSD 5.7 +OpenBSD 5.8 April 24, 2015 OpenBSD 5.8 diff --git a/ssh-agent.c b/ssh-agent.c index 34b19b7..a335ea3 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.203 2015/05/15 05:44:21 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.204 2015/07/08 20:24:02 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -72,9 +72,6 @@ # include #endif -#include "key.h" /* XXX for typedef */ -#include "buffer.h" /* XXX for typedef */ - #include "xmalloc.h" #include "ssh.h" #include "rsa.h" diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 784ad03..a471a40 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -101,7 +101,7 @@ DESCRIPTION -b bits Specifies the number of bits in the key to create. For RSA keys, - the minimum size is 768 bits and the default is 2048 bits. + the minimum size is 1024 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of @@ -563,4 +563,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.7 February 24, 2015 OpenBSD 5.7 +OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9b93666..8c3317b 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.125 2015/02/24 15:24:05 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 24 2015 $ +.Dd $Mdocdate: July 3 2015 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -244,7 +244,7 @@ This option specifies the number of primality tests to perform. Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits Specifies the number of bits in the key to create. -For RSA keys, the minimum size is 768 bits and the default is 2048 bits. +For RSA keys, the minimum size is 1024 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the diff --git a/ssh-keygen.c b/ssh-keygen.c index 8259d87..ea5f1e4 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.276 2015/07/03 03:49:45 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -217,8 +217,8 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) fatal("key bits exceeds maximum %d", maxbits); if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) - fatal("Key must at least be 768 bits"); + else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024) + fatal("Key must at least be 1024 bits"); else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1) fatal("Invalid ECDSA key length - valid lengths are " "256, 384 or 521 bits"); @@ -239,7 +239,6 @@ ask_filename(struct passwd *pw, const char *prompt) name = _PATH_SSH_CLIENT_IDENTITY; break; case KEY_DSA_CERT: - case KEY_DSA_CERT_V00: case KEY_DSA: name = _PATH_SSH_CLIENT_ID_DSA; break; @@ -250,7 +249,6 @@ ask_filename(struct passwd *pw, const char *prompt) break; #endif case KEY_RSA_CERT: - case KEY_RSA_CERT_V00: case KEY_RSA: name = _PATH_SSH_CLIENT_ID_RSA; break; @@ -1575,25 +1573,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) struct sshkey *ca, *public; char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; FILE *f; - int v00 = 0; /* legacy keys */ - - if (key_type_name != NULL) { - switch (sshkey_type_from_name(key_type_name)) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: - v00 = 1; - break; - case KEY_UNSPEC: - if (strcasecmp(key_type_name, "v00") == 0) { - v00 = 1; - break; - } else if (strcasecmp(key_type_name, "v01") == 0) - break; - /* FALLTHROUGH */ - default: - fatal("unknown key type %s", key_type_name); - } - } #ifdef ENABLE_PKCS11 pkcs11_init(1); @@ -1630,7 +1609,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) __func__, tmp, sshkey_type(public)); /* Prepare certificate to sign */ - if ((r = sshkey_to_certified(public, v00)) != 0) + if ((r = sshkey_to_certified(public)) != 0) fatal("Could not upgrade key %s to certificate: %s", tmp, ssh_err(r)); public->cert->type = cert_key_type; @@ -1640,15 +1619,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) public->cert->principals = plist; public->cert->valid_after = cert_valid_from; public->cert->valid_before = cert_valid_to; - if (v00) { - prepare_options_buf(public->cert->critical, - OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); - } else { - prepare_options_buf(public->cert->critical, - OPTIONS_CRITICAL); - prepare_options_buf(public->cert->extensions, - OPTIONS_EXTENSIONS); - } + prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL); + prepare_options_buf(public->cert->extensions, + OPTIONS_EXTENSIONS); if ((r = sshkey_from_private(ca, &public->cert->signature_key)) != 0) fatal("key_from_private (ca key): %s", ssh_err(r)); @@ -1833,7 +1806,7 @@ add_cert_option(char *opt) } static void -show_options(struct sshbuf *optbuf, int v00, int in_critical) +show_options(struct sshbuf *optbuf, int in_critical) { char *name, *arg; struct sshbuf *options, *option = NULL; @@ -1848,14 +1821,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical) (r = sshbuf_froms(options, &option)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); printf(" %s", name); - if ((v00 || !in_critical) && + if (!in_critical && (strcmp(name, "permit-X11-forwarding") == 0 || strcmp(name, "permit-agent-forwarding") == 0 || strcmp(name, "permit-port-forwarding") == 0 || strcmp(name, "permit-pty") == 0 || strcmp(name, "permit-user-rc") == 0)) printf("\n"); - else if ((v00 || in_critical) && + else if (in_critical && (strcmp(name, "force-command") == 0 || strcmp(name, "source-address") == 0)) { if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) @@ -1882,7 +1855,7 @@ do_show_cert(struct passwd *pw) struct sshkey *key; struct stat st; char *key_fp, *ca_fp; - u_int i, v00; + u_int i; int r; if (!have_identity) @@ -1894,7 +1867,6 @@ do_show_cert(struct passwd *pw) identity_file, ssh_err(r)); if (!sshkey_is_cert(key)) fatal("%s is not a certificate", identity_file); - v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = sshkey_fingerprint(key->cert->signature_key, @@ -1909,10 +1881,7 @@ do_show_cert(struct passwd *pw) printf(" Signing CA: %s %s\n", sshkey_type(key->cert->signature_key), ca_fp); printf(" Key ID: \"%s\"\n", key->cert->key_id); - if (!v00) { - printf(" Serial: %llu\n", - (unsigned long long)key->cert->serial); - } + printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); printf(" Valid: %s\n", fmt_validity(key->cert->valid_after, key->cert->valid_before)); printf(" Principals: "); @@ -1929,16 +1898,14 @@ do_show_cert(struct passwd *pw) printf("(none)\n"); else { printf("\n"); - show_options(key->cert->critical, v00, 1); + show_options(key->cert->critical, 1); } - if (!v00) { - printf(" Extensions: "); - if (sshbuf_len(key->cert->extensions) == 0) - printf("(none)\n"); - else { - printf("\n"); - show_options(key->cert->extensions, v00, 0); - } + printf(" Extensions: "); + if (sshbuf_len(key->cert->extensions) == 0) + printf("(none)\n"); + else { + printf("\n"); + show_options(key->cert->extensions, 0); } exit(0); } diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index fe7aa85..500c1dd 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 @@ -106,4 +106,4 @@ BUGS This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -OpenBSD 5.7 August 30, 2014 OpenBSD 5.7 +OpenBSD 5.8 August 30, 2014 OpenBSD 5.8 diff --git a/ssh-keysign.0 b/ssh-keysign.0 index b061076..7db72c7 100644 --- a/ssh-keysign.0 +++ b/ssh-keysign.0 @@ -50,4 +50,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 5.7 December 7, 2013 OpenBSD 5.7 +OpenBSD 5.8 December 7, 2013 OpenBSD 5.8 diff --git a/ssh-keysign.c b/ssh-keysign.c index 5688202..1dca3e2 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.48 2015/03/24 20:09:11 markus Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.49 2015/07/03 03:56:25 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -187,6 +187,7 @@ main(int argc, char **argv) close(fd); i = 0; + /* XXX This really needs to read sshd_config for the paths */ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY); diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 index a4d6dd4..7fac805 100644 --- a/ssh-pkcs11-helper.0 +++ b/ssh-pkcs11-helper.0 @@ -22,4 +22,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 5.7 July 16, 2013 OpenBSD 5.7 +OpenBSD 5.8 July 16, 2013 OpenBSD 5.8 diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index e074175..92614a5 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.21 2015/07/18 08:02:17 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -481,15 +481,23 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, error("C_GetAttributeValue failed: %lu", rv); continue; } - /* check that none of the attributes are zero length */ - if (attribs[0].ulValueLen == 0 || - attribs[1].ulValueLen == 0 || + /* + * Allow CKA_ID (always first attribute) to be empty, but + * ensure that none of the others are zero length. + * XXX assumes CKA_ID is always first. + */ + if (attribs[1].ulValueLen == 0 || attribs[2].ulValueLen == 0) { continue; } /* allocate buffers for attributes */ - for (i = 0; i < 3; i++) - attribs[i].pValue = xmalloc(attribs[i].ulValueLen); + for (i = 0; i < 3; i++) { + if (attribs[i].ulValueLen > 0) { + attribs[i].pValue = xmalloc( + attribs[i].ulValueLen); + } + } + /* * retrieve ID, modulus and public exponent of RSA key, * or ID, subject and value for certificates. @@ -631,6 +639,11 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp) error("C_GetTokenInfo failed: %lu", rv); continue; } + if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) { + debug2("%s: ignoring uninitialised token in slot %lu", + __func__, (unsigned long)i); + continue; + } rmspace(token->label, sizeof(token->label)); rmspace(token->manufacturerID, sizeof(token->manufacturerID)); rmspace(token->model, sizeof(token->model)); diff --git a/ssh.0 b/ssh.0 index 5aaeb8d..ad4817a 100644 --- a/ssh.0 +++ b/ssh.0 @@ -6,12 +6,11 @@ NAME SYNOPSIS ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] - [-F configfile] [-I pkcs11] [-i identity_file] - [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] - [-O ctl_cmd] [-o option] [-p port] + [-F configfile] [-I pkcs11] [-i identity_file] [-L address] + [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q cipher | cipher-auth | mac | kex | key | protocol-version] - [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] - [-w local_tun[:remote_tun]] [user@]hostname [command] + [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] + [user@]hostname [command] DESCRIPTION ssh (SSH client) is a program for logging into a remote machine and for @@ -156,22 +155,29 @@ DESCRIPTION server. -L [bind_address:]port:host:hostport - Specifies that the given port on the local (client) host is to be - forwarded to the given host and port on the remote side. This - works by allocating a socket to listen to port on the local side, - optionally bound to the specified bind_address. Whenever a - connection is made to this port, the connection is forwarded over - the secure channel, and a connection is made to host port - hostport from the remote machine. Port forwardings can also be - specified in the configuration file. IPv6 addresses can be - specified by enclosing the address in square brackets. Only the - superuser can forward privileged ports. By default, the local - port is bound in accordance with the GatewayPorts setting. - However, an explicit bind_address may be used to bind the - connection to a specific address. The bind_address of - M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local - use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port - should be available from all interfaces. + -L [bind_address:]port:remote_socket + -L local_socket:host:hostport + -L local_socket:remote_socket + Specifies that connections to the given TCP port or Unix socket + on the local (client) host are to be forwarded to the given host + and port, or Unix socket, on the remote side. This works by + allocating a socket to listen to either a TCP port on the local + side, optionally bound to the specified bind_address, or to a + Unix socket. Whenever a connection is made to the local port or + socket, the connection is forwarded over the secure channel, and + a connection is made to either host port hostport, or the Unix + socket remote_socket, from the remote machine. + + Port forwardings can also be specified in the configuration file. + Only the superuser can forward privileged ports. IPv6 addresses + can be specified by enclosing the address in square brackets. + + By default, the local port is bound in accordance with the + GatewayPorts setting. However, an explicit bind_address may be + used to bind the connection to a specific address. The + bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be + bound for local use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates + that the port should be available from all interfaces. -l login_name Specifies the user to log in as on the remote machine. This also @@ -278,6 +284,7 @@ DESCRIPTION Protocol ProxyCommand ProxyUseFdpass + PubkeyAcceptedKeyTypes PubkeyAuthentication RekeyLimit RemoteForward @@ -317,19 +324,24 @@ DESCRIPTION suppressed. -R [bind_address:]port:host:hostport - Specifies that the given port on the remote (server) host is to - be forwarded to the given host and port on the local side. This - works by allocating a socket to listen to port on the remote - side, and whenever a connection is made to this port, the - connection is forwarded over the secure channel, and a connection - is made to host port hostport from the local machine. + -R [bind_address:]port:local_socket + -R remote_socket:host:hostport + -R remote_socket:local_socket + Specifies that connections to the given TCP port or Unix socket + on the remote (server) host are to be forwarded to the given host + and port, or Unix socket, on the local side. This works by + allocating a socket to listen to either a TCP port or to a Unix + socket on the remote side. Whenever a connection is made to this + port or Unix socket, the connection is forwarded over the secure + channel, and a connection is made to either host port hostport, + or local_socket, from the local machine. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets. - By default, the listening socket on the server will be bound to + By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address M-bM-^@M-^X*M-bM-^@M-^Y, indicates that the remote socket should listen on all @@ -957,4 +969,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.7 May 22, 2015 OpenBSD 5.7 +OpenBSD 5.8 July 20, 2015 OpenBSD 5.8 diff --git a/ssh.1 b/ssh.1 index df7ac86..2ea0a20 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.358 2015/05/22 05:28:45 djm Exp $ -.Dd $Mdocdate: May 22 2015 $ +.\" $OpenBSD: ssh.1,v 1.361 2015/07/20 18:44:12 millert Exp $ +.Dd $Mdocdate: July 20 2015 $ .Dt SSH 1 .Os .Sh NAME @@ -52,14 +52,14 @@ .Op Fl F Ar configfile .Op Fl I Ar pkcs11 .Op Fl i Ar identity_file -.Op Fl L Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport +.Op Fl L Ar address .Op Fl l Ar login_name .Op Fl m Ar mac_spec .Op Fl O Ar ctl_cmd .Op Fl o Ar option .Op Fl p Ar port .Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version -.Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport +.Op Fl R Ar address .Op Fl S Ar ctl_path .Op Fl W Ar host : Ns Ar port .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun @@ -93,23 +93,28 @@ is specified, it is executed on the remote host instead of a login shell. .Pp The options are as follows: -.Bl -tag -width Ds +.Pp +.Bl -tag -width Ds -compact .It Fl 1 Forces .Nm to try protocol version 1 only. +.Pp .It Fl 2 Forces .Nm to try protocol version 2 only. +.Pp .It Fl 4 Forces .Nm to use IPv4 addresses only. +.Pp .It Fl 6 Forces .Nm to use IPv6 addresses only. +.Pp .It Fl A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file. @@ -122,14 +127,17 @@ socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. +.Pp .It Fl a Disables forwarding of the authentication agent connection. +.Pp .It Fl b Ar bind_address Use .Ar bind_address on the local machine as the source address of the connection. Only useful on systems with more than one address. +.Pp .It Fl C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and @@ -148,6 +156,7 @@ The default value can be set on a host-by-host basis in the configuration files; see the .Cm Compression option. +.Pp .It Fl c Ar cipher_spec Selects the cipher specification for encrypting the session. .Pp @@ -166,6 +175,7 @@ See the keyword in .Xr ssh_config 5 for more information. +.Pp .It Fl D Xo .Sm off .Oo Ar bind_address : Oc @@ -205,10 +215,12 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. +.Pp .It Fl E Ar log_file Append debug logs to .Ar log_file instead of standard error. +.Pp .It Fl e Ar escape_char Sets the escape character for sessions with a pty (default: .Ql ~ ) . @@ -221,6 +233,7 @@ and followed by itself sends the escape character once. Setting the character to .Dq none disables any escapes and makes the session fully transparent. +.Pp .It Fl F Ar configfile Specifies an alternative per-user configuration file. If a configuration file is given on the command line, @@ -229,6 +242,7 @@ the system-wide configuration file will be ignored. The default for the per-user configuration file is .Pa ~/.ssh/config . +.Pp .It Fl f Requests .Nm @@ -251,6 +265,7 @@ then a client started with .Fl f will wait for all remote port forwards to be successfully established before placing itself in the background. +.Pp .It Fl G Causes .Nm @@ -259,15 +274,18 @@ to print its configuration after evaluating and .Cm Match blocks and exit. +.Pp .It Fl g Allows remote hosts to connect to local forwarded ports. If used on a multiplexed connection, then this option must be specified on the master process. +.Pp .It Fl I Ar pkcs11 Specify the PKCS#11 shared library .Nm should use to communicate with a PKCS#11 token providing the user's private RSA key. +.Pp .It Fl i Ar identity_file Selects a file from which the identity (private key) for public key authentication is read. @@ -291,33 +309,58 @@ will also try to load certificate information from the filename obtained by appending .Pa -cert.pub to identity filenames. +.Pp .It Fl K Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server. +.Pp .It Fl k Disables forwarding (delegation) of GSSAPI credentials to the server. +.Pp .It Fl L Xo .Sm off .Oo Ar bind_address : Oc .Ar port : host : hostport .Sm on .Xc -Specifies that the given port on the local (client) host is to be -forwarded to the given host and port on the remote side. -This works by allocating a socket to listen to +.It Fl L Xo +.Sm off +.Oo Ar bind_address : Oc +.Ar port : remote_socket +.Sm on +.Xc +.It Fl L Xo +.Sm off +.Ar local_socket : host : hostport +.Sm on +.Xc +.It Fl L Xo +.Sm off +.Ar local_socket : remote_socket +.Sm on +.Xc +Specifies that connections to the given TCP port or Unix socket on the local +(client) host are to be forwarded to the given host and port, or Unix socket, +on the remote side. +This works by allocating a socket to listen to either a TCP .Ar port on the local side, optionally bound to the specified -.Ar bind_address . -Whenever a connection is made to this port, the +.Ar bind_address , +or to a Unix socket. +Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is -made to +made to either .Ar host port -.Ar hostport +.Ar hostport , +or the Unix socket +.Ar remote_socket , from the remote machine. +.Pp Port forwardings can also be specified in the configuration file. -IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. +IPv6 addresses can be specified by enclosing the address in square brackets. +.Pp By default, the local port is bound in accordance with the .Cm GatewayPorts setting. @@ -332,9 +375,11 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. +.Pp .It Fl l Ar login_name Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. +.Pp .It Fl M Places the .Nm @@ -353,6 +398,7 @@ Refer to the description of in .Xr ssh_config 5 for details. +.Pp .It Fl m Ar mac_spec Additionally, for protocol version 2 a comma-separated list of MAC (message authentication code) algorithms can @@ -360,10 +406,12 @@ be specified in order of preference. See the .Cm MACs keyword for more information. +.Pp .It Fl N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only). +.Pp .It Fl n Redirects stdin from .Pa /dev/null @@ -384,6 +432,7 @@ program will be put in the background. needs to ask for a password or passphrase; see also the .Fl f option.) +.Pp .It Fl O Ar ctl_cmd Control an active connection multiplexing master process. When the @@ -402,6 +451,7 @@ Valid commands are: (request the master to exit), and .Dq stop (request the master to stop accepting further multiplexing requests). +.Pp .It Fl o Ar option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate @@ -470,6 +520,7 @@ For full details of the options listed below, and their possible values, see .It Protocol .It ProxyCommand .It ProxyUseFdpass +.It PubkeyAcceptedKeyTypes .It PubkeyAuthentication .It RekeyLimit .It RemoteForward @@ -493,10 +544,12 @@ For full details of the options listed below, and their possible values, see .It VisualHostKey .It XAuthLocation .El +.Pp .It Fl p Ar port Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. +.Pp .It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version Queries .Nm @@ -514,25 +567,47 @@ The available features are: (key types) and .Ar protocol-version (supported SSH protocol versions). +.Pp .It Fl q Quiet mode. Causes most warning and diagnostic messages to be suppressed. +.Pp .It Fl R Xo .Sm off .Oo Ar bind_address : Oc .Ar port : host : hostport .Sm on .Xc -Specifies that the given port on the remote (server) host is to be -forwarded to the given host and port on the local side. -This works by allocating a socket to listen to +.It Fl R Xo +.Sm off +.Oo Ar bind_address : Oc +.Ar port : local_socket +.Sm on +.Xc +.It Fl R Xo +.Sm off +.Ar remote_socket : host : hostport +.Sm on +.Xc +.It Fl R Xo +.Sm off +.Ar remote_socket : local_socket +.Sm on +.Xc +Specifies that connections to the given TCP port or Unix socket on the remote +(server) host are to be forwarded to the given host and port, or Unix socket, +on the local side. +This works by allocating a socket to listen to either a TCP .Ar port -on the remote side, and whenever a connection is made to this port, the -connection is forwarded over the secure channel, and a connection is -made to +or to a Unix socket on the remote side. +Whenever a connection is made to this port or Unix socket, the +connection is forwarded over the secure channel, and a connection +is made to either .Ar host port -.Ar hostport +.Ar hostport , +or +.Ar local_socket , from the local machine. .Pp Port forwardings can also be specified in the configuration file. @@ -540,7 +615,7 @@ Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets. .Pp -By default, the listening socket on the server will be bound to the loopback +By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a .Ar bind_address . @@ -565,6 +640,7 @@ to the client at run time. When used together with .Ic -O forward the allocated port will be printed to the standard output. +.Pp .It Fl S Ar ctl_path Specifies the location of a control socket for connection sharing, or the string @@ -577,14 +653,17 @@ and in .Xr ssh_config 5 for details. +.Pp .It Fl s May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg.\& .Xr sftp 1 ) . The subsystem is specified as the remote command. +.Pp .It Fl T Disable pseudo-terminal allocation. +.Pp .It Fl t Force pseudo-terminal allocation. This can be used to execute arbitrary @@ -595,8 +674,10 @@ Multiple options force tty allocation, even if .Nm has no local tty. +.Pp .It Fl V Display the version number and exit. +.Pp .It Fl v Verbose mode. Causes @@ -608,6 +689,7 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. +.Pp .It Fl W Ar host : Ns Ar port Requests that standard input and output on the client be forwarded to .Ar host @@ -621,6 +703,7 @@ Implies and .Cm ClearAllForwardings . Works with Protocol version 2 only. +.Pp .It Fl w Xo .Ar local_tun Ns Op : Ns Ar remote_tun .Xc @@ -650,6 +733,7 @@ If the .Cm Tunnel directive is unset, it is set to the default tunnel mode, which is .Dq point-to-point . +.Pp .It Fl X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. @@ -670,12 +754,15 @@ option and the directive in .Xr ssh_config 5 for more information. +.Pp .It Fl x Disables X11 forwarding. +.Pp .It Fl Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls. +.Pp .It Fl y Send log information using the .Xr syslog 3 diff --git a/ssh.c b/ssh.c index 3fd5a94..59c1f93 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.418 2015/05/04 06:10:48 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -108,6 +108,7 @@ #include "roaming.h" #include "version.h" #include "ssherr.h" +#include "myproposal.h" #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" @@ -203,10 +204,10 @@ usage(void) "usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" -" [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" +" [-L address] [-l login_name] [-m mac_spec]\n" " [-O ctl_cmd] [-o option] [-p port]\n" " [-Q cipher | cipher-auth | mac | kex | key]\n" -" [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]\n" +" [-R address] [-S ctl_path] [-W host:port]\n" " [-w local_tun[:remote_tun]] [user@]hostname [command]\n" ); exit(255); @@ -794,26 +795,26 @@ main(int ac, char **av) } break; case 'c': - if (ciphers_valid(optarg)) { + if (ciphers_valid(*optarg == '+' ? + optarg + 1 : optarg)) { /* SSH2 only */ options.ciphers = xstrdup(optarg); options.cipher = SSH_CIPHER_INVALID; - } else { - /* SSH1 only */ - options.cipher = cipher_number(optarg); - if (options.cipher == -1) { - fprintf(stderr, - "Unknown cipher type '%s'\n", - optarg); - exit(255); - } - if (options.cipher == SSH_CIPHER_3DES) - options.ciphers = "3des-cbc"; - else if (options.cipher == SSH_CIPHER_BLOWFISH) - options.ciphers = "blowfish-cbc"; - else - options.ciphers = (char *)-1; + break; + } + /* SSH1 only */ + options.cipher = cipher_number(optarg); + if (options.cipher == -1) { + fprintf(stderr, "Unknown cipher type '%s'\n", + optarg); + exit(255); } + if (options.cipher == SSH_CIPHER_3DES) + options.ciphers = xstrdup("3des-cbc"); + else if (options.cipher == SSH_CIPHER_BLOWFISH) + options.ciphers = xstrdup("blowfish-cbc"); + else + options.ciphers = xstrdup(KEX_CLIENT_ENCRYPT); break; case 'm': if (mac_valid(optarg)) diff --git a/ssh.h b/ssh.h index c94633b..39c7e18 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.79 2010/06/25 07:14:46 djm Exp $ */ +/* $OpenBSD: ssh.h,v 1.81 2015/08/04 05:23:06 djm Exp $ */ /* * Author: Tatu Ylonen diff --git a/ssh_config.0 b/ssh_config.0 index b0a614b..6548077 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -180,8 +180,12 @@ DESCRIPTION Ciphers Specifies the ciphers allowed for protocol version 2 in order of - preference. Multiple ciphers must be comma-separated. The - supported ciphers are: + preference. Multiple ciphers must be comma-separated. If the + specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified + ciphers will be appended to the default set instead of replacing + them. + + The supported ciphers are: 3des-cbc aes128-cbc @@ -435,23 +439,35 @@ DESCRIPTION HostbasedKeyTypes Specifies the key types that will be used for hostbased - authentication as a comma-separated pattern list. The default - M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be - used to list supported key types. + authentication as a comma-separated pattern list. Alternately if + the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified key types will be appended to the default set instead + of replacing them. The default for this option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa + + The -Q option of ssh(1) may be used to list supported key types. HostKeyAlgorithms Specifies the protocol version 2 host key algorithms that the - client wants to use in order of preference. The default for this - option is: + client wants to use in order of preference. Alternately if the + specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified + key types will be appended to the default set instead of + replacing them. The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, - ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, - ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, + ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, - ssh-ed25519,ssh-rsa,ssh-dss + ssh-ed25519,ssh-rsa If hostkeys are known for the destination host then this default is modified to prefer their algorithms. @@ -548,14 +564,16 @@ DESCRIPTION KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple - algorithms must be comma-separated. The default is: + algorithms must be comma-separated. Alternately if the specified + value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods + will be appended to the default set instead of replacing them. + The default is: curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, - diffie-hellman-group14-sha1, - diffie-hellman-group1-sha1 + diffie-hellman-group14-sha1 The list of available key exchange algorithms may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. @@ -604,9 +622,15 @@ DESCRIPTION MACs Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms - must be comma-separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] - calculate the MAC after encryption (encrypt-then-mac). These are - considered safer and their use recommended. The default is: + must be comma-separated. If the specified value begins with a + M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be appended to + the default set instead of replacing them. + + The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after + encryption (encrypt-then-mac). These are considered safer and + their use recommended. + + The default is: umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, @@ -696,6 +720,23 @@ DESCRIPTION back to ssh(1) instead of continuing to execute and pass data. The default is M-bM-^@M-^\noM-bM-^@M-^]. + PubkeyAcceptedKeyTypes + Specifies the key types that will be used for public key + authentication as a comma-separated pattern list. Alternately if + the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the key + types after it will be appended to the default instead of + replacing it. The default for this option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa + + The -Q option of ssh(1) may be used to list supported key types. + PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. @@ -982,4 +1023,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.7 June 2, 2015 OpenBSD 5.7 +OpenBSD 5.8 July 30, 2015 OpenBSD 5.8 diff --git a/ssh_config.5 b/ssh_config.5 index 268a627..5b0975f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.211 2015/06/02 09:10:40 djm Exp $ -.Dd $Mdocdate: June 2 2015 $ +.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $ +.Dd $Mdocdate: July 30 2015 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -373,6 +373,11 @@ The default is Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. +If the specified value begins with a +.Sq + +character, then the specified ciphers will be appended to the default set +instead of replacing them. +.Pp The supported ciphers are: .Pp .Bl -item -compact -offset indent @@ -781,9 +786,21 @@ is similar to .It Cm HostbasedKeyTypes Specifies the key types that will be used for hostbased authentication as a comma-separated pattern list. -The default -.Dq * -will allow all key types. +Alternately if the specified value begins with a +.Sq + +character, then the specified key types will be appended to the default set +instead of replacing them. +The default for this option is: +.Bd -literal -offset 3n +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, +ssh-rsa-cert-v01@openssh.com, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa +.Ed +.Pp The .Fl Q option of @@ -792,16 +809,19 @@ may be used to list supported key types. .It Cm HostKeyAlgorithms Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. +Alternately if the specified value begins with a +.Sq + +character, then the specified key types will be appended to the default set +instead of replacing them. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, -ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, +ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ssh-rsa,ssh-dss +ssh-ed25519,ssh-rsa .Ed .Pp If hostkeys are known for the destination host then this default is modified @@ -974,14 +994,17 @@ and .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. +Alternately if the specified value begins with a +.Sq + +character, then the specified methods will be appended to the default set +instead of replacing them. The default is: .Bd -literal -offset indent curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, -diffie-hellman-group14-sha1, -diffie-hellman-group1-sha1 +diffie-hellman-group14-sha1 .Ed .Pp The list of available key exchange algorithms may also be obtained using the @@ -1063,10 +1086,16 @@ in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. +If the specified value begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +.Pp The algorithms that contain .Dq -etm calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. +.Pp The default is: .Bd -literal -offset indent umac-64-etm@openssh.com,umac-128-etm@openssh.com, @@ -1207,6 +1236,29 @@ will pass a connected file descriptor back to instead of continuing to execute and pass data. The default is .Dq no . +.It Cm PubkeyAcceptedKeyTypes +Specifies the key types that will be used for public key authentication +as a comma-separated pattern list. +Alternately if the specified value begins with a +.Sq + +character, then the key types after it will be appended to the default +instead of replacing it. +The default for this option is: +.Bd -literal -offset 3n +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, +ssh-rsa-cert-v01@openssh.com, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa +.Ed +.Pp +The +.Fl Q +option of +.Xr ssh 1 +may be used to list supported key types. .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be diff --git a/sshconnect2.c b/sshconnect2.c index fcaed6b..7751031 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -163,18 +163,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) xxx_host = host; xxx_hostaddr = hostaddr; - if (options.ciphers == (char *)-1) { - logit("No valid ciphers for protocol version 2 given, using defaults."); - options.ciphers = NULL; - } - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; - } + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + options.kex_algorithms); myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); + compat_cipher_proposal(options.ciphers); myproposal[PROPOSAL_ENC_ALGS_STOC] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); + compat_cipher_proposal(options.ciphers); if (options.compression) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; @@ -182,23 +176,22 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; } - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - } - if (options.hostkeyalgorithms != NULL) + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (options.hostkeyalgorithms != NULL) { + if (kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options.hostkeyalgorithms) != 0) + fatal("%s: kex_assemble_namelist", __func__); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(options.hostkeyalgorithms); - else { + } else { + /* Enforce default */ + options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( order_hostkeyalgs(host, hostaddr, port)); } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - myproposal[PROPOSAL_KEX_ALGS]); if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, @@ -1315,6 +1308,26 @@ pubkey_cleanup(Authctxt *authctxt) } } +static int +try_identity(Identity *id) +{ + if (!id->key) + return (0); + if (match_pattern_list(sshkey_ssh_name(id->key), + options.pubkey_key_types, 0) != 1) { + debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes", + sshkey_ssh_name(id->key), id->filename); + return (0); + } + if (key_type_plain(id->key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + debug("Skipped %s key %s for RSA/MD5 server", + key_type(id->key), id->filename); + return (0); + } + return (id->key->type != KEY_RSA1); +} + int userauth_pubkey(Authctxt *authctxt) { @@ -1333,11 +1346,7 @@ userauth_pubkey(Authctxt *authctxt) * private key instead */ if (id->key != NULL) { - if (key_type_plain(id->key->type) == KEY_RSA && - (datafellows & SSH_BUG_RSASIGMD5) != 0) { - debug("Skipped %s key %s for RSA/MD5 server", - key_type(id->key), id->filename); - } else if (id->key->type != KEY_RSA1) { + if (try_identity(id)) { debug("Offering %s public key: %s", key_type(id->key), id->filename); sent = send_pubkey_test(authctxt, id); @@ -1347,13 +1356,8 @@ userauth_pubkey(Authctxt *authctxt) id->key = load_identity_file(id->filename, id->userprovided); if (id->key != NULL) { - id->isprivate = 1; - if (key_type_plain(id->key->type) == KEY_RSA && - (datafellows & SSH_BUG_RSASIGMD5) != 0) { - debug("Skipped %s key %s for RSA/MD5 " - "server", key_type(id->key), - id->filename); - } else { + if (try_identity(id)) { + id->isprivate = 1; sent = sign_and_send_pubkey( authctxt, id); } diff --git a/sshd.0 b/sshd.0 index 33a9392..7980225 100644 --- a/sshd.0 +++ b/sshd.0 @@ -87,12 +87,11 @@ DESCRIPTION files for the different protocol versions and host key algorithms. - -i Specifies that sshd is being run from inetd(8). sshd is normally - not run from inetd because it needs to generate the server key - before it can respond to the client, and this may take tens of - seconds. Clients would have to wait too long if the key was - regenerated every time. However, with small key sizes (e.g. 512) - using sshd from inetd may be feasible. + -i Specifies that sshd is being run from inetd(8). If SSH protocol + 1 is enabled, sshd should not normally be run from inetd because + it needs to generate the server key before it can respond to the + client, and this may take some time. Clients may have to wait + too long if the key was regenerated every time. -k key_gen_time Specifies how often the ephemeral protocol version 1 server key @@ -152,7 +151,7 @@ AUTHENTICATION host-specific key, normally 2048 bits, used to identify the host. Forward security for protocol 1 is provided through an additional server - key, normally 768 bits, generated when the server starts. This key is + key, normally 1024 bits, generated when the server starts. This key is normally regenerated every hour if it has been used, and is never stored on disk. Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its @@ -633,4 +632,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.7 May 1, 2015 OpenBSD 5.7 +OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 diff --git a/sshd.8 b/sshd.8 index dcf20f0..213b5fc 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.279 2015/05/01 07:11:47 djm Exp $ -.Dd $Mdocdate: May 1 2015 $ +.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $ +.Dd $Mdocdate: July 3 2015 $ .Dt SSHD 8 .Os .Sh NAME @@ -184,15 +184,12 @@ Specifies that .Nm is being run from .Xr inetd 8 . +If SSH protocol 1 is enabled, .Nm -is normally not run +should not normally be run from inetd because it needs to generate the server key before it can -respond to the client, and this may take tens of seconds. -Clients would have to wait too long if the key was regenerated every time. -However, with small key sizes (e.g. 512) using -.Nm -from inetd may -be feasible. +respond to the client, and this may take some time. +Clients may have to wait too long if the key was regenerated every time. .It Fl k Ar key_gen_time Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds, or one hour). @@ -287,7 +284,7 @@ used to identify the host. .Pp Forward security for protocol 1 is provided through an additional server key, -normally 768 bits, +normally 1024 bits, generated when the server starts. This key is normally regenerated every hour if it has been used, and is never stored on disk. diff --git a/sshd.c b/sshd.c index 6f8c6f2..c7dd8cb 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -95,6 +95,7 @@ #include "log.h" #include "buffer.h" #include "misc.h" +#include "match.h" #include "servconf.h" #include "uidswap.h" #include "compat.h" @@ -797,8 +798,15 @@ list_hostkey_types(void) key = sensitive_data.host_keys[i]; if (key == NULL) key = sensitive_data.host_pubkeys[i]; - if (key == NULL) + if (key == NULL || key->type == KEY_RSA1) + continue; + /* Check that the key is accepted in HostkeyAlgorithms */ + if (match_pattern_list(sshkey_ssh_name(key), + options.hostkeyalgorithms, 0) != 1) { + debug3("%s: %s key not permitted by HostkeyAlgorithms", + __func__, sshkey_ssh_name(key)); continue; + } switch (key->type) { case KEY_RSA: case KEY_DSA: @@ -815,8 +823,6 @@ list_hostkey_types(void) if (key == NULL) continue; switch (key->type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -843,8 +849,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) for (i = 0; i < options.num_host_key_files; i++) { switch (type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -1878,8 +1882,8 @@ main(int ac, char **av) #ifdef WITH_SSH1 /* Check certain values for sanity. */ if (options.protocol & SSH_PROTO_1) { - if (options.server_key_bits < 512 || - options.server_key_bits > 32768) { + if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE || + options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) { fprintf(stderr, "Bad server key size.\n"); exit(1); } @@ -2527,9 +2531,7 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, return 0; } -/* - * SSH2 key exchange: diffie-hellman-group1-sha1 - */ +/* SSH2 key exchange */ static void do_ssh2_kex(void) { @@ -2537,19 +2539,15 @@ do_ssh2_kex(void) struct kex *kex; int r; - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); - myproposal[PROPOSAL_ENC_ALGS_STOC] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); - - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - } + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + options.kex_algorithms); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( + options.ciphers); + myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal( + options.ciphers); + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; @@ -2557,11 +2555,6 @@ do_ssh2_kex(void) myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - myproposal[PROPOSAL_KEX_ALGS]); if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, diff --git a/sshd_config b/sshd_config index cf7d8e1e..4d77f05 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $ +# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -41,7 +41,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin no +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 diff --git a/sshd_config.0 b/sshd_config.0 index 6410418..1cc7459 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -262,7 +262,11 @@ DESCRIPTION Ciphers Specifies the ciphers allowed for protocol version 2. Multiple - ciphers must be comma-separated. The supported ciphers are: + ciphers must be comma-separated. If the specified value begins + with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended + to the default set instead of replacing them. + + The supported ciphers are: 3des-cbc aes128-cbc @@ -394,9 +398,20 @@ DESCRIPTION HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased - authentication as a comma-separated pattern list. The default - M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be - used to list supported key types. + authentication as a comma-separated pattern list. Alternately if + the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified key types will be appended to the default set instead + of replacing them. The default for this option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa + + The -Q option of ssh(1) may be used to list supported key types. HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication @@ -425,13 +440,17 @@ DESCRIPTION default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for - protocol version 2. Note that sshd(8) will refuse to use a file - if it is group/world-accessible. It is possible to have multiple - host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], - M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH - protocol. It is also possible to specify public host key files - instead. In this case operations on the private key will be - delegated to an ssh-agent(1). + protocol version 2. + + Note that sshd(8) will refuse to use a file if it is group/world- + accessible and that the HostKeyAlgorithms option restricts which + of the keys are actually used by sshd(8). + + It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are + used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are + used for version 2 of the SSH protocol. It is also possible to + specify public host key files instead. In this case operations + on the private key will be delegated to an ssh-agent(1). HostKeyAgent Identifies the UNIX-domain socket used to communicate with an @@ -439,6 +458,21 @@ DESCRIPTION M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable. + HostKeyAlgorithms + Specifies the protocol version 2 host key algorithms that the + server offers. The default for this option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa + + The list of available key types may also be obtained using the -Q + option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. + IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. @@ -493,8 +527,10 @@ DESCRIPTION KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple - algorithms must be comma-separated. The supported algorithms - are: + algorithms must be comma-separated. Alternately if the specified + value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods + will be appended to the default set instead of replacing them. + The supported algorithms are: curve25519-sha256@libssh.org diffie-hellman-group1-sha1 @@ -551,9 +587,13 @@ DESCRIPTION MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma- - separated. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC - after encryption (encrypt-then-mac). These are considered safer - and their use recommended. The supported MACs are: + separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified algorithms will be appended to the default set + instead of replacing them. + + The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after + encryption (encrypt-then-mac). These are considered safer and + their use recommended. The supported MACs are: hmac-md5 hmac-md5-96 @@ -673,11 +713,13 @@ DESCRIPTION PermitRootLogin Specifies whether root can log in using ssh(1). The argument - must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or - M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], + M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is + M-bM-^@M-^\prohibit-passwordM-bM-^@M-^]. - If this option is set to M-bM-^@M-^\without-passwordM-bM-^@M-^], password - authentication is disabled for root. + If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or + M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive + authentication are disabled for root. If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with public key authentication will be allowed, but only if the @@ -740,9 +782,20 @@ DESCRIPTION PubkeyAcceptedKeyTypes Specifies the key types that will be accepted for public key - authentication as a comma-separated pattern list. The default - M-bM-^@M-^\*M-bM-^@M-^] will allow all key types. The -Q option of ssh(1) may be - used to list supported key types. + authentication as a comma-separated pattern list. Alternately if + the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified key types will be appended to the default set instead + of replacing them. The default for this option is: + + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + ssh-ed25519-cert-v01@openssh.com, + ssh-rsa-cert-v01@openssh.com, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + ssh-ed25519,ssh-rsa + + The -Q option of ssh(1) may be used to list supported key types. PubkeyAuthentication Specifies whether public key authentication is allowed. The @@ -786,7 +839,7 @@ DESCRIPTION ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 - server key. The minimum value is 512, and the default is 1024. + server key. The default and minimum value is 1024. StreamLocalBindMask Sets the octal file creation mode mask (umask) used when creating @@ -868,9 +921,13 @@ DESCRIPTION TrustedUserCAKeys. For more details on certificates, see the CERTIFICATES section in ssh-keygen(1). - UseDNS Specifies whether sshd(8) should look up the remote host name and - check that the resolved host name for the remote IP address maps - back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. + UseDNS Specifies whether sshd(8) should look up the remote host name, + and to check that the resolved host name for the remote IP + address maps back to the very same IP address. + + If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses + and not host names may be used in ~/.ssh/known_hosts from and + sshd_config(5) Match Host directives. UseLogin Specifies whether login(1) is used for interactive login @@ -992,4 +1049,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.7 June 5, 2015 OpenBSD 5.7 +OpenBSD 5.8 August 6, 2015 OpenBSD 5.8 diff --git a/sshd_config.5 b/sshd_config.5 index 5ab4318..58e277f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $ -.Dd $Mdocdate: June 5 2015 $ +.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ +.Dd $Mdocdate: August 6 2015 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -434,6 +434,11 @@ The default is not to .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. +If the specified value begins with a +.Sq + +character, then the specified ciphers will be appended to the default set +instead of replacing them. +.Pp The supported ciphers are: .Pp .Bl -item -compact -offset indent @@ -640,9 +645,21 @@ The default is .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. -The default -.Dq * -will allow all key types. +Alternately if the specified value begins with a +.Sq + +character, then the specified key types will be appended to the default set +instead of replacing them. +The default for this option is: +.Bd -literal -offset 3n +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, +ssh-rsa-cert-v01@openssh.com, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa +.Ed +.Pp The .Fl Q option of @@ -694,9 +711,15 @@ for protocol version 1, and and .Pa /etc/ssh/ssh_host_rsa_key for protocol version 2. +.Pp Note that .Xr sshd 8 -will refuse to use a file if it is group/world-accessible. +will refuse to use a file if it is group/world-accessible +and that the +.Cm HostKeyAlgorithms +option restricts which of the keys are actually used by +.Xr sshd 8 . +.Pp It is possible to have multiple host key files. .Dq rsa1 keys are used for version 1 and @@ -718,6 +741,26 @@ If is specified, the location of the socket will be read from the .Ev SSH_AUTH_SOCK environment variable. +.It Cm HostKeyAlgorithms +Specifies the protocol version 2 host key algorithms +that the server offers. +The default for this option is: +.Bd -literal -offset 3n +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, +ssh-rsa-cert-v01@openssh.com, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa +.Ed +.Pp +The list of available key types may also be obtained using the +.Fl Q +option of +.Xr ssh 1 +with an argument of +.Dq key . .It Cm IgnoreRhosts Specifies that .Pa .rhosts @@ -821,6 +864,10 @@ The default is .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. +Alternately if the specified value begins with a +.Sq + +character, then the specified methods will be appended to the default set +instead of replacing them. The supported algorithms are: .Pp .Bl -item -compact -offset indent @@ -919,6 +966,11 @@ Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. +If the specified value begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +.Pp The algorithms that contain .Dq -etm calculate the MAC after encryption (encrypt-then-mac). @@ -1152,16 +1204,19 @@ Specifies whether root can log in using .Xr ssh 1 . The argument must be .Dq yes , +.Dq prohibit-password , .Dq without-password , .Dq forced-commands-only , or .Dq no . The default is -.Dq no . +.Dq prohibit-password . .Pp If this option is set to +.Dq prohibit-password +or .Dq without-password , -password authentication is disabled for root. +password and keyboard-interactive authentication are disabled for root. .Pp If this option is set to .Dq forced-commands-only , @@ -1279,9 +1334,21 @@ is identical to .It Cm PubkeyAcceptedKeyTypes Specifies the key types that will be accepted for public key authentication as a comma-separated pattern list. -The default -.Dq * -will allow all key types. +Alternately if the specified value begins with a +.Sq + +character, then the specified key types will be appended to the default set +instead of replacing them. +The default for this option is: +.Bd -literal -offset 3n +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +ssh-ed25519-cert-v01@openssh.com, +ssh-rsa-cert-v01@openssh.com, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa +.Ed +.Pp The .Fl Q option of @@ -1343,7 +1410,7 @@ The default is This option applies to protocol version 1 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. -The minimum value is 512, and the default is 1024. +The default and minimum value is 1024. .It Cm StreamLocalBindMask Sets the octal file creation mode mask .Pq umask @@ -1451,11 +1518,20 @@ For more details on certificates, see the CERTIFICATES section in .It Cm UseDNS Specifies whether .Xr sshd 8 -should look up the remote host name and check that +should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. -The default is -.Dq no . +.Pp +If this option is set to +.Dq no +(the default) then only addresses and not host names may be used in +.Pa ~/.ssh/known_hosts +.Cm from +and +.Xr sshd_config 5 +.Cm Match +.Cm Host +directives. .It Cm UseLogin Specifies whether .Xr login 1 diff --git a/sshkey.c b/sshkey.c index cfe5980..dbb16e2 100644 --- a/sshkey.c +++ b/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -111,10 +111,6 @@ static const struct keytype keytypes[] = { KEY_ECDSA_CERT, NID_secp521r1, 1 }, # endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_ECC */ - { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", - KEY_RSA_CERT_V00, 0, 1 }, - { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", - KEY_DSA_CERT_V00, 0, 1 }, #endif /* WITH_OPENSSL */ { NULL, NULL, -1, -1, 0 } }; @@ -272,11 +268,9 @@ sshkey_size(const struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: return BN_num_bits(k->rsa->n); case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: return BN_num_bits(k->dsa->p); case KEY_ECDSA: @@ -290,18 +284,6 @@ sshkey_size(const struct sshkey *k) return 0; } -int -sshkey_cert_is_legacy(const struct sshkey *k) -{ - switch (k->type) { - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT_V00: - return 1; - default: - return 0; - } -} - static int sshkey_type_is_valid_ca(int type) { @@ -329,10 +311,8 @@ int sshkey_type_plain(int type) { switch (type) { - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: return KEY_RSA; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: return KEY_DSA; case KEY_ECDSA_CERT: @@ -497,7 +477,6 @@ sshkey_new(int type) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((rsa = RSA_new()) == NULL || (rsa->n = BN_new()) == NULL || @@ -510,7 +489,6 @@ sshkey_new(int type) k->rsa = rsa; break; case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((dsa = DSA_new()) == NULL || (dsa->p = BN_new()) == NULL || @@ -558,7 +536,6 @@ sshkey_add_private(struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) if (bn_maybe_alloc_failed(k->rsa->d) || @@ -570,7 +547,6 @@ sshkey_add_private(struct sshkey *k) return SSH_ERR_ALLOC_FAIL; break; case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if (bn_maybe_alloc_failed(k->dsa->priv_key)) return SSH_ERR_ALLOC_FAIL; @@ -616,14 +592,12 @@ sshkey_free(struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if (k->rsa != NULL) RSA_free(k->rsa); k->rsa = NULL; break; case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if (k->dsa != NULL) DSA_free(k->dsa); @@ -695,13 +669,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) switch (a->type) { #ifdef WITH_OPENSSL case KEY_RSA1: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: return a->rsa != NULL && b->rsa != NULL && BN_cmp(a->rsa->e, b->rsa->e) == 0 && BN_cmp(a->rsa->n, b->rsa->n) == 0; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: case KEY_DSA: return a->dsa != NULL && b->dsa != NULL && @@ -772,8 +744,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) switch (type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT_V00: case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: @@ -1297,8 +1267,6 @@ sshkey_read(struct sshkey *ret, char **cpp) case KEY_DSA: case KEY_ECDSA: case KEY_ED25519: - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT_V00: case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: @@ -1797,7 +1765,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) switch (k->type) { #ifdef WITH_OPENSSL case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1829,7 +1796,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) # endif /* OPENSSL_HAS_ECC */ case KEY_RSA: case KEY_RSA1: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1873,21 +1839,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) u_char *sig = NULL; size_t signed_len = 0, slen = 0, kidlen = 0; int ret = SSH_ERR_INTERNAL_ERROR; - int v00 = sshkey_cert_is_legacy(key); /* Copy the entire key blob for verification and later serialisation */ if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) return ret; - if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || + /* Parse body of certificate up to signature */ + if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || (ret = sshbuf_froms(b, &principals)) != 0 || (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || (ret = sshbuf_froms(b, &crit)) != 0 || - (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || - (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || + (ret = sshbuf_froms(b, &exts)) != 0 || (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || (ret = sshbuf_froms(b, &ca)) != 0) { /* XXX debug print error for ret */ @@ -1924,9 +1889,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) goto out; } oprincipals = key->cert->principals; - key->cert->principals = realloc(key->cert->principals, - (key->cert->nprincipals + 1) * - sizeof(*key->cert->principals)); + key->cert->principals = reallocarray(key->cert->principals, + key->cert->nprincipals + 1, sizeof(*key->cert->principals)); if (key->cert->principals == NULL) { free(principal); key->cert->principals = oprincipals; @@ -1947,7 +1911,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) /* * Validate critical options and extensions sections format. - * NB. extensions are not present in v00 certs. */ while (sshbuf_len(crit) != 0) { if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || @@ -2032,7 +1995,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, } /* FALLTHROUGH */ case KEY_RSA: - case KEY_RSA_CERT_V00: if ((key = sshkey_new(type)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -2054,7 +2016,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, } /* FALLTHROUGH */ case KEY_DSA: - case KEY_DSA_CERT_V00: if ((key = sshkey_new(type)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -2224,7 +2185,6 @@ sshkey_sign(const struct sshkey *key, return SSH_ERR_INVALID_ARGUMENT; switch (key->type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: case KEY_DSA: return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); @@ -2233,7 +2193,6 @@ sshkey_sign(const struct sshkey *key, case KEY_ECDSA: return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); # endif /* OPENSSL_HAS_ECC */ - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); @@ -2258,7 +2217,6 @@ sshkey_verify(const struct sshkey *key, return SSH_ERR_INVALID_ARGUMENT; switch (key->type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: case KEY_DSA: return ssh_dss_verify(key, sig, siglen, data, dlen, compat); @@ -2267,7 +2225,6 @@ sshkey_verify(const struct sshkey *key, case KEY_ECDSA: return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); # endif /* OPENSSL_HAS_ECC */ - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); @@ -2303,7 +2260,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) switch (k->type) { #ifdef WITH_OPENSSL - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((ret = sshkey_cert_copy(k, pk)) != 0) goto fail; @@ -2317,7 +2273,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) goto fail; } break; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((ret = sshkey_cert_copy(k, pk)) != 0) goto fail; @@ -2376,27 +2331,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) /* Convert a plain key to their _CERT equivalent */ int -sshkey_to_certified(struct sshkey *k, int legacy) +sshkey_to_certified(struct sshkey *k) { int newtype; switch (k->type) { #ifdef WITH_OPENSSL case KEY_RSA: - newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; + newtype = KEY_RSA_CERT; break; case KEY_DSA: - newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; + newtype = KEY_DSA_CERT; break; case KEY_ECDSA: - if (legacy) - return SSH_ERR_INVALID_ARGUMENT; newtype = KEY_ECDSA_CERT; break; #endif /* WITH_OPENSSL */ case KEY_ED25519: - if (legacy) - return SSH_ERR_INVALID_ARGUMENT; newtype = KEY_ED25519_CERT; break; default: @@ -2448,15 +2399,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) /* -v01 certs put nonce first */ arc4random_buf(&nonce, sizeof(nonce)); - if (!sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) - goto out; - } + if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) + goto out; /* XXX this substantially duplicates to_blob(); refactor */ switch (k->type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || @@ -2474,7 +2422,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) goto out; break; # endif /* OPENSSL_HAS_ECC */ - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) @@ -2491,13 +2438,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) goto out; } - /* -v01 certs have a serial number next */ - if (!sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) - goto out; - } - - if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || + if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || + (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) goto out; @@ -2513,22 +2455,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || - (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) - goto out; - - /* -v01 certs have non-critical options here */ - if (!sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) - goto out; - } - - /* -v00 certs put the nonce at the end */ - if (sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) - goto out; - } - - if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ + (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || + (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || + (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) goto out; @@ -2628,7 +2557,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) goto out; break; - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { r = SSH_ERR_INVALID_ARGUMENT; @@ -2649,7 +2577,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) goto out; break; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { r = SSH_ERR_INVALID_ARGUMENT; @@ -2740,7 +2667,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) goto out; break; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((r = sshkey_froms(buf, &k)) != 0 || (r = sshkey_add_private(k)) != 0 || @@ -2813,7 +2739,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) (r = rsa_generate_additional_parameters(k->rsa)) != 0) goto out; break; - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((r = sshkey_froms(buf, &k)) != 0 || (r = sshkey_add_private(k)) != 0 || @@ -2863,7 +2788,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) /* enable blinding */ switch (k->type) { case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA1: if (RSA_blinding_on(k->rsa, NULL) != 1) { diff --git a/sshkey.h b/sshkey.h index cdac0e2..c8d3cdd 100644 --- a/sshkey.h +++ b/sshkey.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.6 2015/05/21 04:55:51 djm Exp $ */ +/* $OpenBSD: sshkey.h,v 1.9 2015/08/04 05:23:06 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -62,8 +62,6 @@ enum sshkey_types { KEY_DSA_CERT, KEY_ECDSA_CERT, KEY_ED25519_CERT, - KEY_RSA_CERT_V00, - KEY_DSA_CERT_V00, KEY_UNSPEC }; @@ -137,13 +135,12 @@ int sshkey_type_from_name(const char *); int sshkey_is_cert(const struct sshkey *); int sshkey_type_is_cert(int); int sshkey_type_plain(int); -int sshkey_to_certified(struct sshkey *, int); +int sshkey_to_certified(struct sshkey *); int sshkey_drop_cert(struct sshkey *); int sshkey_certify(struct sshkey *, struct sshkey *); int sshkey_cert_copy(const struct sshkey *, struct sshkey *); int sshkey_cert_check_authority(const struct sshkey *, int, int, const char *, const char **); -int sshkey_cert_is_legacy(const struct sshkey *); int sshkey_ecdsa_nid_from_name(const char *); int sshkey_curve_name_to_nid(const char *); diff --git a/sshpty.c b/sshpty.c index 7bb7641..15da8c6 100644 --- a/sshpty.c +++ b/sshpty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */ +/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty) /* Determine the group to make the owner of the tty. */ grp = getgrnam("tty"); gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; - mode = (grp != NULL) ? 0622 : 0600; + mode = (grp != NULL) ? 0620 : 0600; /* * Change owner and mode of the tty as required. diff --git a/version.h b/version.h index b58fbe1..7a5dbc8 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.73 2015/07/01 01:55:13 djm Exp $ */ +/* $OpenBSD: version.h,v 1.74 2015/08/02 09:56:42 djm Exp $ */ -#define SSH_VERSION "OpenSSH_6.9" +#define SSH_VERSION "OpenSSH_7.0" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.1 From b1d8fa4383e208e9d18a28ad786f6b08fa152c46 Mon Sep 17 00:00:00 2001 From: des Date: Wed, 26 Aug 2015 09:27:05 +0000 Subject: Vendor import of OpenSSH 7.1p1. --- ChangeLog | 249 +++++++++++++++++++++----------------------- README | 6 +- auth.c | 4 +- compat.c | 15 ++- contrib/README | 2 +- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- dns.c | 4 +- mux.c | 6 +- packet.c | 6 +- sftp-server.c | 6 +- sftp.c | 6 +- ssh-keygen.0 | 6 +- ssh-keygen.1 | 8 +- ssh-keygen.c | 5 +- ssh-pkcs11-helper.c | 6 +- ssh_config.0 | 4 +- ssh_config.5 | 6 +- sshconnect.c | 4 +- sshd.c | 4 +- sshd_config.0 | 8 +- sshd_config.5 | 10 +- sshkey.c | 3 +- version.h | 4 +- 24 files changed, 191 insertions(+), 185 deletions(-) diff --git a/ChangeLog b/ChangeLog index ed05021..0e0dd87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,121 @@ +commit e91346dc2bbf460246df2ab591b7613908c1b0ad +Author: Damien Miller +Date: Fri Aug 21 14:49:03 2015 +1000 + + we don't use Github for issues/pull-requests + +commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23 +Author: Damien Miller +Date: Fri Aug 21 14:43:55 2015 +1000 + + fix URL for connect.c + +commit d026a8d3da0f8186598442997c7d0a28e7275414 +Author: Damien Miller +Date: Fri Aug 21 13:47:10 2015 +1000 + + update version numbers for 7.1 + +commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed +Author: djm@openbsd.org +Date: Fri Aug 21 03:45:26 2015 +0000 + + upstream commit + + openssh-7.1 + + Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f + +commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf +Author: djm@openbsd.org +Date: Fri Aug 21 03:42:19 2015 +0000 + + upstream commit + + fix inverted logic that broke PermitRootLogin; reported + by Mantas Mikulenas; ok markus@ + + Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5 + +commit ce445b0ed927e45bd5bdce8f836eb353998dd65c +Author: deraadt@openbsd.org +Date: Thu Aug 20 22:32:42 2015 +0000 + + upstream commit + + Do not cast result of malloc/calloc/realloc* if stdlib.h + is in scope ok krw millert + + Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667 + +commit 05291e5288704d1a98bacda269eb5a0153599146 +Author: naddy@openbsd.org +Date: Thu Aug 20 19:20:06 2015 +0000 + + upstream commit + + In the certificates section, be consistent about using + "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@ + + Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb + +commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4 +Author: djm@openbsd.org +Date: Wed Aug 19 23:21:42 2015 +0000 + + upstream commit + + Better compat matching for WinSCP, add compat matching + for FuTTY (fork of PuTTY); ok markus@ deraadt@ + + Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389 + +commit ec6eda16ebab771aa3dfc90629b41953b999cb1e +Author: djm@openbsd.org +Date: Wed Aug 19 23:19:01 2015 +0000 + + upstream commit + + fix double-free() in error path of DSA key generation + reported by Mateusz Kocielski; ok markus@ + + Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c + +commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b +Author: djm@openbsd.org +Date: Wed Aug 19 23:18:26 2015 +0000 + + upstream commit + + fix free() of uninitialised pointer reported by Mateusz + Kocielski; ok markus@ + + Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663 + +commit c837643b93509a3ef538cb6624b678c5fe32ff79 +Author: djm@openbsd.org +Date: Wed Aug 19 23:17:51 2015 +0000 + + upstream commit + + fixed unlink([uninitialised memory]) reported by Mateusz + Kocielski; ok markus@ + + Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109 + +commit 1f8d3d629cd553031021068eb9c646a5f1e50994 +Author: jmc@openbsd.org +Date: Fri Aug 14 15:32:41 2015 +0000 + + upstream commit + + match myproposal.h order; from brian conway (i snuck in a + tweak while here) + + ok dtucker + + Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67 + commit 1dc8d93ce69d6565747eb44446ed117187621b26 Author: deraadt@openbsd.org Date: Thu Aug 6 14:53:21 2015 +0000 @@ -9013,134 +9131,3 @@ Date: Wed Aug 28 12:49:43 2013 +1000 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. - -commit f2f6c315a920a256937e1b6a3702757f3195a592 -Author: Damien Miller -Date: Wed Aug 21 02:44:58 2013 +1000 - - - jmc@cvs.openbsd.org 2013/08/20 06:56:07 - [ssh.1 ssh_config.5] - some proxyusefdpass tweaks; - -commit 1262b6638f7d01ab110fd373dd90d915c882fe1a -Author: Damien Miller -Date: Wed Aug 21 02:44:24 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/20 00:11:38 - [readconf.c readconf.h ssh_config.5 sshconnect.c] - Add a ssh_config ProxyUseFDPass option that supports the use of - ProxyCommands that establish a connection and then pass a connected - file descriptor back to ssh(1). This allows the ProxyCommand to exit - rather than have to shuffle data back and forth and enables ssh to use - getpeername, etc. to obtain address information just like it does with - regular directly-connected sockets. ok markus@ - -commit b7727df37efde4dbe4f5a33b19cbf42022aabf66 -Author: Damien Miller -Date: Wed Aug 21 02:43:49 2013 +1000 - - - jmc@cvs.openbsd.org 2013/08/14 08:39:27 - [scp.1 ssh.1] - some Bx/Ox conversion; - From: Jan Stary - -commit d5d9d7b1fdacf0551de4c747728bd159be40590a -Author: Damien Miller -Date: Wed Aug 21 02:43:27 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/13 18:33:08 - [ssh-keygen.c] - another of the same typo - -commit d234afb0b3a8de1be78cbeafed5fc86912594c3c -Author: Damien Miller -Date: Wed Aug 21 02:42:58 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/13 18:32:08 - [ssh-keygen.c] - typo in error message; from Stephan Rickauer - -commit e0ee727b8281a7c2ae20630ce83f6b200b404059 -Author: Damien Miller -Date: Wed Aug 21 02:42:35 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/09 03:56:42 - [sftp.c] - enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; - matching ksh's relatively recent change. - -commit fec029f1dc2c338f3fae3fa82aabc988dc07868c -Author: Damien Miller -Date: Wed Aug 21 02:42:12 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/09 03:39:13 - [sftp-client.c] - two problems found by a to-be-committed regress test: 1) msg_id was not - being initialised so was starting at a random value from the heap - (harmless, but confusing). 2) some error conditions were not being - propagated back to the caller - -commit 036d30743fc914089f9849ca52d615891d47e616 -Author: Damien Miller -Date: Wed Aug 21 02:41:46 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/09 03:37:25 - [sftp.c] - do getopt parsing for all sftp commands (with an empty optstring for - commands without arguments) to ensure consistent behaviour - -commit c7dba12bf95eb1d69711881a153cc286c1987663 -Author: Damien Miller -Date: Wed Aug 21 02:41:15 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/08 05:04:03 - [sftp-client.c sftp-client.h sftp.c] - add a "-l" flag for the rename command to force it to use the silly - standard SSH_FXP_RENAME command instead of the POSIX-rename- like - posix-rename@openssh.com extension. - - intended for use in regress tests, so no documentation. - -commit 034f27a0c09e69fe3589045b41f03f6e345b63f5 -Author: Damien Miller -Date: Wed Aug 21 02:40:44 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/08 04:52:04 - [sftp.c] - fix two year old regression: symlinking a file would incorrectly - canonicalise the target path. bz#2129 report from delphij AT freebsd.org - -commit c6895c5c67492144dd28589e5788f783be9152ed -Author: Damien Miller -Date: Wed Aug 21 02:40:21 2013 +1000 - - - jmc@cvs.openbsd.org 2013/08/07 06:24:51 - [sftp.1 sftp.c] - sort -a; - -commit a6d6c1f38ac9b4a5e1bd4df889e1020a8370ed55 -Author: Damien Miller -Date: Wed Aug 21 02:40:01 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/06 23:06:01 - [servconf.c] - add cast to avoid format warning; from portable - -commit eec840673bce3f69ad269672fba7ed8ff05f154f -Author: Damien Miller -Date: Wed Aug 21 02:39:39 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/06 23:05:01 - [sftp.1] - document top-level -a option (the -a option to 'get' was already - documented) - -commit 02e878070d0eddad4e11f2c82644b275418eb112 -Author: Damien Miller -Date: Wed Aug 21 02:38:51 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/06 23:03:49 - [sftp.c] - fix some whitespace at EOL - make list of commands an enum rather than a long list of defines - add -a to usage() diff --git a/README b/README index c566f7b..9bbd3ba 100644 --- a/README +++ b/README @@ -1,4 +1,8 @@ -See http://www.openssh.com/txt/release-7.0 for the release notes. +See http://www.openssh.com/txt/release-7.1 for the release notes. + +Please read http://www.openssh.com/report.html for bug reporting +instructions and note that we do not use Github for bug reporting or +patch/pull-request management. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html diff --git a/auth.c b/auth.c index fc32f6c..214c2c7 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */ +/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -354,7 +354,7 @@ auth_root_allowed(const char *method) case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || strcmp(method, "hostbased") == 0 || - strcmp(method, "gssapi-with-mic")) + strcmp(method, "gssapi-with-mic") == 0) return 1; break; case PERMIT_FORCED_ONLY: diff --git a/compat.c b/compat.c index eef5fbba..5583804 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.96 2015/07/28 23:20:42 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.97 2015/08/19 23:21:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -176,6 +176,7 @@ compat_datafellows(const char *version) "PuTTY_Release_0.63*," "PuTTY_Release_0.64*", SSH_OLD_DHGEX }, + { "FuTTY*", SSH_OLD_DHGEX }, /* Putty Fork */ { "Probe-*", SSH_BUG_PROBE }, { "TeraTerm SSH*," @@ -189,7 +190,17 @@ compat_datafellows(const char *version) "TTSSH/2.70*," "TTSSH/2.71*," "TTSSH/2.72*", SSH_BUG_HOSTKEYS }, - { "WinSCP*", SSH_OLD_DHGEX }, + { "WinSCP_release_4*," + "WinSCP_release_5.0*," + "WinSCP_release_5.1*," + "WinSCP_release_5.5*," + "WinSCP_release_5.6*," + "WinSCP_release_5.7," + "WinSCP_release_5.7.1," + "WinSCP_release_5.7.2," + "WinSCP_release_5.7.3," + "WinSCP_release_5.7.4", + SSH_OLD_DHGEX }, { NULL, 0 } }; diff --git a/contrib/README b/contrib/README index c002238..60e19ba 100644 --- a/contrib/README +++ b/contrib/README @@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or https CONNECT style proxy server. His page for connect.c has extensive documentation on its use as well as compiled versions for Win32. -http://www.taiyo.co.jp/~gotoh/ssh/connect.html +https://bitbucket.org/gotoh/connect/wiki/Home X11 SSH Askpass: diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 5de7875..5b27106 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 7.0p1 +%define ver 7.1p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index dd9692d..5968958 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 7.0p1 +Version: 7.1p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/dns.c b/dns.c index f201b60..e813afe 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.34 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -154,7 +154,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type, *digest_len = rdata_len - 2; if (*digest_len > 0) { - *digest = (u_char *) xmalloc(*digest_len); + *digest = xmalloc(*digest_len); memcpy(*digest, rdata + 2, *digest_len); } else { *digest = (u_char *)xstrdup(""); diff --git a/mux.c b/mux.c index cdc01bd..e6136fd 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.53 2015/05/01 04:03:20 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -665,6 +665,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) u_int lport, cport; int i, ret = 0, freefwd = 1; + memset(&fwd, 0, sizeof(fwd)); + /* XXX - lport/cport check redundant */ if (buffer_get_int_ret(&ftype, m) != 0 || (listen_addr = buffer_get_string_ret(m, NULL)) == NULL || @@ -832,6 +834,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) int i, ret = 0; u_int lport, cport; + memset(&fwd, 0, sizeof(fwd)); + if (buffer_get_int_ret(&ftype, m) != 0 || (listen_addr = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&lport, m) != 0 || diff --git a/packet.c b/packet.c index 6008c2d..01d3e29 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.214 2015/08/20 22:32:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1272,7 +1272,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) DBG(debug("packet_read()")); - setp = (fd_set *)calloc(howmany(state->connection_in + 1, + setp = calloc(howmany(state->connection_in + 1, NFDBITS), sizeof(fd_mask)); if (setp == NULL) return SSH_ERR_ALLOC_FAIL; @@ -2036,7 +2036,7 @@ ssh_packet_write_wait(struct ssh *ssh) struct timeval start, timeout, *timeoutp = NULL; struct session_state *state = ssh->state; - setp = (fd_set *)calloc(howmany(state->connection_out + 1, + setp = calloc(howmany(state->connection_out + 1, NFDBITS), sizeof(fd_mask)); if (setp == NULL) return SSH_ERR_ALLOC_FAIL; diff --git a/sftp-server.c b/sftp-server.c index d1831bf..eac11d7 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.106 2015/04/24 01:36:01 deraadt Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.107 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1632,8 +1632,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) fatal("%s: sshbuf_new failed", __func__); set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); - rset = (fd_set *)xmalloc(set_size); - wset = (fd_set *)xmalloc(set_size); + rset = xmalloc(set_size); + wset = xmalloc(set_size); if (homedir != NULL) { if (chdir(homedir) != 0) { diff --git a/sftp.c b/sftp.c index cb9b967..788601a 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.170 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: sftp.c,v 1.171 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1958,7 +1958,7 @@ complete(EditLine *el, int ch) /* Figure out which argument the cursor points to */ cursor = lf->cursor - lf->buffer; - line = (char *)xmalloc(cursor + 1); + line = xmalloc(cursor + 1); memcpy(line, lf->buffer, cursor); line[cursor] = '\0'; argv = makeargv(line, &carg, 1, "e, &terminated); @@ -1966,7 +1966,7 @@ complete(EditLine *el, int ch) /* Get all the arguments on the line */ len = lf->lastchar - lf->buffer; - line = (char *)xmalloc(len + 1); + line = xmalloc(len + 1); memcpy(line, lf->buffer, len); line[len] = '\0'; argv = makeargv(line, &argc, 1, NULL, NULL); diff --git a/ssh-keygen.0 b/ssh-keygen.0 index a471a40..07a45b3 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -426,7 +426,7 @@ CERTIFICATES providing the token library using -D and identifying the CA key by providing its public half as an argument to -s: - $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub + $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication. @@ -437,7 +437,7 @@ CERTIFICATES principals: $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub - $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub + $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may @@ -563,4 +563,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 +OpenBSD 5.8 August 20, 2015 OpenBSD 5.8 diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 8c3317b..ed17a08 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 3 2015 $ +.Dd $Mdocdate: August 20 2015 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -680,7 +680,7 @@ and identifying the CA key by providing its public half as an argument to .Fl s : .Pp -.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub +.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub .Pp In all cases, .Ar key_id @@ -693,7 +693,7 @@ By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals: .Pp .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub -.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" +.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub" .Pp Additional limitations on the validity and use of user certificates may be specified through certificate options. diff --git a/ssh-keygen.c b/ssh-keygen.c index ea5f1e4..4e0a855 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.276 2015/07/03 03:49:45 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1201,7 +1201,8 @@ do_known_hosts(struct passwd *pw, const char *name) exit(1); } else if (delete_host && !ctx.found_key) { logit("Host %s not found in %s", name, identity_file); - unlink(tmp); + if (inplace) + unlink(tmp); } else if (inplace) { /* Backup existing file */ if (unlink(old) == -1 && errno != ENOENT) diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index ceabc8b..f2d5863 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.10 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.11 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -301,8 +301,8 @@ main(int argc, char **argv) buffer_init(&oqueue); set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); - rset = (fd_set *)xmalloc(set_size); - wset = (fd_set *)xmalloc(set_size); + rset = xmalloc(set_size); + wset = xmalloc(set_size); for (;;) { memset(rset, 0, set_size); diff --git a/ssh_config.0 b/ssh_config.0 index 6548077..67133cd 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -205,9 +205,9 @@ DESCRIPTION The default is: + chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, - chacha20-poly1305@openssh.com, arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, aes192-cbc,aes256-cbc,arcfour @@ -1023,4 +1023,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 July 30, 2015 OpenBSD 5.8 +OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 diff --git a/ssh_config.5 b/ssh_config.5 index 5b0975f..a47f3ca 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $ -.Dd $Mdocdate: July 30 2015 $ +.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $ +.Dd $Mdocdate: August 14 2015 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -415,9 +415,9 @@ chacha20-poly1305@openssh.com .Pp The default is: .Bd -literal -offset indent +chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, -chacha20-poly1305@openssh.com, arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, aes192-cbc,aes256-cbc,arcfour diff --git a/sshconnect.c b/sshconnect.c index f41960c..17fbe39 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.262 2015/05/28 05:41:29 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -356,7 +356,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, goto done; } - fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS), + fdset = xcalloc(howmany(sockfd + 1, NFDBITS), sizeof(fd_mask)); FD_SET(sockfd, fdset); ms_to_timeval(&tv, *timeoutp); diff --git a/sshd.c b/sshd.c index c7dd8cb..65ef7e8 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1253,7 +1253,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) sighup_restart(); if (fdset != NULL) free(fdset); - fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), + fdset = xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); for (i = 0; i < num_listen_socks; i++) diff --git a/sshd_config.0 b/sshd_config.0 index 1cc7459..aae7fb6 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -286,9 +286,9 @@ DESCRIPTION The default is: + chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, - aes128-gcm@openssh.com,aes256-gcm@openssh.com, - chacha20-poly1305@openssh.com + aes128-gcm@openssh.com,aes256-gcm@openssh.com The list of available ciphers may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. @@ -927,7 +927,7 @@ DESCRIPTION If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses and not host names may be used in ~/.ssh/known_hosts from and - sshd_config(5) Match Host directives. + sshd_config Match Host directives. UseLogin Specifies whether login(1) is used for interactive login @@ -1049,4 +1049,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.8 August 6, 2015 OpenBSD 5.8 +OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 diff --git a/sshd_config.5 b/sshd_config.5 index 58e277f..b18d340 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ -.Dd $Mdocdate: August 6 2015 $ +.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $ +.Dd $Mdocdate: August 14 2015 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -476,9 +476,9 @@ chacha20-poly1305@openssh.com .Pp The default is: .Bd -literal -offset indent +chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com, -chacha20-poly1305@openssh.com +aes128-gcm@openssh.com,aes256-gcm@openssh.com .Ed .Pp The list of available ciphers may also be obtained using the @@ -1528,7 +1528,7 @@ If this option is set to .Pa ~/.ssh/known_hosts .Cm from and -.Xr sshd_config 5 +.Nm .Cm Match .Cm Host directives. diff --git a/sshkey.c b/sshkey.c index dbb16e2..32dd8f2 100644 --- a/sshkey.c +++ b/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -1556,7 +1556,6 @@ dsa_generate_private_key(u_int bits, DSA **dsap) *dsap = NULL; if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, NULL, NULL) || !DSA_generate_key(private)) { - DSA_free(private); ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } diff --git a/version.h b/version.h index 7a5dbc8..d917ca1 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.74 2015/08/02 09:56:42 djm Exp $ */ +/* $OpenBSD: version.h,v 1.75 2015/08/21 03:45:26 djm Exp $ */ -#define SSH_VERSION "OpenSSH_7.0" +#define SSH_VERSION "OpenSSH_7.1" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.1 From 726d99a65fa7814f56e18b7cff59646660a231f5 Mon Sep 17 00:00:00 2001 From: des Date: Tue, 19 Jan 2016 10:10:58 +0000 Subject: Vendor import of OpenSSH 7.1p2. --- ChangeLog | 1684 +++---------------------------------------- README | 2 +- bitmap.c | 2 +- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- kex.c | 10 +- packet.c | 1 + readconf.c | 5 +- ssh.c | 3 - sshbuf-getput-crypto.c | 12 +- sshbuf-misc.c | 10 +- sshbuf.c | 12 +- sshd.c | 6 + version.h | 2 +- 14 files changed, 119 insertions(+), 1634 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0e0dd87..35a1a76 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,86 @@ +commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443 +Author: Damien Miller +Date: Thu Jan 14 11:08:19 2016 +1100 + + bump version numbers + +commit 302bc21e6fadacb04b665868cd69b625ef69df90 +Author: Damien Miller +Date: Thu Jan 14 11:04:04 2016 +1100 + + openssh-7.1p2 + +commit 6b33763242c063e4e0593877e835eeb1fd1b60aa +Author: Damien Miller +Date: Thu Jan 14 11:02:58 2016 +1100 + + forcibly disable roaming support in the client + +commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13 +Author: djm@openbsd.org +Date: Mon Oct 5 17:11:21 2015 +0000 + + upstream commit + + some more bzero->explicit_bzero, from Michael McConville + + Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0 + +commit 8f5b93026797b9f7fba90d0c717570421ccebbd3 +Author: guenther@openbsd.org +Date: Fri Sep 11 08:50:04 2015 +0000 + + upstream commit + + Use explicit_bzero() when zeroing before free() + + from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu) + ok millert@ djm@ + + Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50 + +commit d77148e3a3ef6c29b26ec74331455394581aa257 +Author: djm@openbsd.org +Date: Sun Nov 8 21:59:11 2015 +0000 + + upstream commit + + fix OOB read in packet code caused by missing return + statement found by Ben Hawkes; ok markus@ deraadt@ + + Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 + +commit 076d849e17ab12603627f87b301e2dca71bae518 +Author: Damien Miller +Date: Sat Nov 14 18:44:49 2015 +1100 + + read back from libcrypto RAND when privdropping + + makes certain libcrypto implementations cache a /dev/urandom fd + in preparation of sandboxing. Based on patch by Greg Hartman. + +commit f72adc0150011a28f177617a8456e1f83733099d +Author: djm@openbsd.org +Date: Sun Dec 13 22:42:23 2015 +0000 + + upstream commit + + unbreak connections with peers that set + first_kex_follows; fix from Matt Johnston va bz#2515 + + Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b + +commit 04bd8d019ccd906cac1a2b362517b8505f3759e6 +Author: djm@openbsd.org +Date: Tue Jan 12 23:42:54 2016 +0000 + + upstream commit + + use explicit_bzero() more liberally in the buffer code; ok + deraadt + + Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf + commit e91346dc2bbf460246df2ab591b7613908c1b0ad Author: Damien Miller Date: Fri Aug 21 14:49:03 2015 +1000 @@ -7530,1604 +7613,3 @@ Date: Thu Jan 16 18:42:10 2014 +1100 [sftp-client.c] needless and incorrect cast to size_t can break resumption of large download; patch from tobias@ - -commit 91b580e4bec55118bf96ab3cdbe5a50839e75d0a -Author: Damien Miller -Date: Sun Jan 12 19:21:22 2014 +1100 - - - djm@cvs.openbsd.org 2014/01/12 08:13:13 - [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] - [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] - avoid use of OpenSSL BIGNUM type and functions for KEX with - Curve25519 by adding a buffer_put_bignum2_from_string() that stores - a string using the bignum encoding rules. Will make it easier to - build a reduced-feature OpenSSH without OpenSSL in the future; - ok markus@ - -commit af5d4481f4c7c8c3c746e68b961bb85ef907800e -Author: Damien Miller -Date: Sun Jan 12 19:20:47 2014 +1100 - - - djm@cvs.openbsd.org 2014/01/10 05:59:19 - [sshd_config] - the /etc/ssh/ssh_host_ed25519_key is loaded by default too - -commit 58cd63bc63038acddfb4051ed14e11179d8f4941 -Author: Damien Miller -Date: Fri Jan 10 10:59:24 2014 +1100 - - - djm@cvs.openbsd.org 2014/01/09 23:26:48 - [sshconnect.c sshd.c] - ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, - deranged and might make some attacks on KEX easier; ok markus@ - -commit b3051d01e505c9c2dc00faab472a0d06fa6b0e65 -Author: Damien Miller -Date: Fri Jan 10 10:58:53 2014 +1100 - - - djm@cvs.openbsd.org 2014/01/09 23:20:00 - [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] - [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] - [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] - [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] - Introduce digest API and use it to perform all hashing operations - rather than calling OpenSSL EVP_Digest* directly. Will make it easier - to build a reduced-feature OpenSSH without OpenSSL in future; - feedback, ok markus@ - -commit e00e413dd16eb747fb2c15a099971d91c13cf70f -Author: Damien Miller -Date: Fri Jan 10 10:40:45 2014 +1100 - - - guenther@cvs.openbsd.org 2014/01/09 03:26:00 - [sftp-common.c] - When formating the time for "ls -l"-style output, show dates in the future - with the year, and rearrange a comparison to avoid a potentional signed - arithmetic overflow that would give the wrong result. - - ok djm@ - -commit 3e49853650448883685cfa32fa382d0ba6d51d48 -Author: Damien Miller -Date: Fri Jan 10 10:37:05 2014 +1100 - - - tedu@cvs.openbsd.org 2014/01/04 17:50:55 - [mac.c monitor_mm.c monitor_mm.h xmalloc.c] - use standard types and formats for size_t like variables. ok dtucker - -commit a9c1e500ef609795cbc662848edb1a1dca279c81 -Author: Damien Miller -Date: Wed Jan 8 16:13:12 2014 +1100 - - - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ - -commit 324541e5264e1489ca0babfaf2b39612eb80dfb3 -Author: Damien Miller -Date: Tue Dec 31 12:25:40 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/30 23:52:28 - [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] - [sshconnect.c sshconnect2.c sshd.c] - refuse RSA keys from old proprietary clients/servers that use the - obsolete RSA+MD5 signature scheme. it will still be possible to connect - with these clients/servers but only DSA keys will be accepted, and we'll - deprecate them entirely in a future release. ok markus@ - -commit 9f4c8e797ea002a883307ca906f1f1f815010e78 -Author: Damien Miller -Date: Sun Dec 29 17:57:46 2013 +1100 - - - (djm) [regress/Makefile] Add some generated files for cleaning - -commit 106bf1ca3c7a5fdc34f9fd7a1fe651ca53085bc5 -Author: Damien Miller -Date: Sun Dec 29 17:54:03 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 05:57:02 - [sshconnect.c] - when showing other hostkeys, don't forget Ed25519 keys - -commit 0fa47cfb32c239117632cab41e4db7d3e6de5e91 -Author: Damien Miller -Date: Sun Dec 29 17:53:39 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 05:42:16 - [ssh.c] - don't forget to load Ed25519 certs too - -commit b9a95490daa04cc307589897f95bfaff324ad2c9 -Author: Damien Miller -Date: Sun Dec 29 17:50:15 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 04:35:50 - [authfile.c] - don't refuse to load Ed25519 certificates - -commit f72cdde6e6fabc51d2a62f4e75b8b926d9d7ee89 -Author: Damien Miller -Date: Sun Dec 29 17:49:55 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 04:29:25 - [authfd.c] - allow deletion of ed25519 keys from the agent - -commit 29ace1cb68cc378a464c72c0fd67aa5f9acd6b5b -Author: Damien Miller -Date: Sun Dec 29 17:49:31 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 04:20:04 - [key.c] - to make sure we don't omit any key types as valid CA keys again, - factor the valid key type check into a key_type_is_valid_ca() - function - -commit 9de4fcdc5a9cff48d49a3e2f6194d3fb2d7ae34d -Author: Damien Miller -Date: Sun Dec 29 17:49:13 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 02:49:52 - [key.c] - correct comment for key_drop_cert() - -commit 5baeacf8a80f054af40731c6f92435f9164b8e02 -Author: Damien Miller -Date: Sun Dec 29 17:48:55 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 02:37:04 - [key.c] - correct comment for key_to_certified() - -commit 83f2fe26cb19330712c952eddbd3c0b621674adc -Author: Damien Miller -Date: Sun Dec 29 17:48:38 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/29 02:28:10 - [key.c] - allow ed25519 keys to appear as certificate authorities - -commit 06122e9a74bb488b0fe0a8f64e1135de870f9cc0 -Author: Damien Miller -Date: Sun Dec 29 17:48:15 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/27 22:37:18 - [ssh-rsa.c] - correct comment - -commit 3e19295c3a253c8dc8660cf45baad7f45fccb969 -Author: Damien Miller -Date: Sun Dec 29 17:47:50 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/27 22:30:17 - [ssh-dss.c ssh-ecdsa.c ssh-rsa.c] - make the original RSA and DSA signing/verification code look more like - the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type - rather than tediously listing all variants, use __func__ for debug/ - error messages - -commit 137977180be6254639e2c90245763e6965f8d815 -Author: Damien Miller -Date: Sun Dec 29 17:47:14 2013 +1100 - - - tedu@cvs.openbsd.org 2013/12/21 07:10:47 - [ssh-keygen.1] - small typo - -commit 339a48fe7ffb3186d22bbaa9efbbc3a053e602fd -Author: Damien Miller -Date: Sun Dec 29 17:46:49 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/19 22:57:13 - [poly1305.c poly1305.h] - use full name for author, with his permission - -commit 0b36c83148976c7c8268f4f41497359e2fb26251 -Author: Damien Miller -Date: Sun Dec 29 17:45:51 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/19 01:19:41 - [ssh-agent.c] - bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent - that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; - ok dtucker - -commit 4def184e9b6c36be6d965a9705632fc4c0c2a8af -Author: Damien Miller -Date: Sun Dec 29 17:45:26 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/19 01:04:36 - [channels.c] - bz#2147: fix multiple remote forwardings with dynamically assigned - listen ports. In the s->c message to open the channel we were sending - zero (the magic number to request a dynamic port) instead of the actual - listen port. The client therefore had no way of discriminating between - them. - - Diagnosis and fix by ronf AT timeheart.net - -commit bf25d114e23a803f8feca8926281b1aaedb6191b -Author: Damien Miller -Date: Sun Dec 29 17:44:56 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/19 00:27:57 - [auth-options.c] - simplify freeing of source-address certificate restriction - -commit bb3dafe7024a5b4e851252e65ee35d45b965e4a8 -Author: Damien Miller -Date: Sun Dec 29 17:44:29 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/12/19 00:19:12 - [serverloop.c] - Cast client_alive_interval to u_int64_t before assinging to - max_time_milliseconds to avoid potential integer overflow in the timeout. - bz#2170, patch from Loganaden Velvindron, ok djm@ - -commit ef275ead3dcadde4db1efe7a0aa02b5e618ed40c -Author: Damien Miller -Date: Sun Dec 29 17:44:07 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/19 00:10:30 - [ssh-add.c] - skip requesting smartcard PIN when removing keys from agent; bz#2187 - patch from jay AT slushpupie.com; ok dtucker - -commit 7d97fd9a1cae778c3eacf16e09f5da3689d616c6 -Author: Damien Miller -Date: Sun Dec 29 17:40:18 2013 +1100 - - - (djm) [loginrec.c] Check for username truncation when looking up lastlog - entries - -commit 77244afe3b6d013b485e0952eaab89b9db83380f -Author: Darren Tucker -Date: Sat Dec 21 17:02:39 2013 +1100 - - 20131221 - - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. - -commit 53f8e784dc431a82d31c9b0e95b144507f9330e9 -Author: Darren Tucker -Date: Thu Dec 19 11:31:44 2013 +1100 - - - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). - Patch from Loganaden Velvindron. - -commit 1fcec9d4f265e38af248c4c845986ca8c174bd68 -Author: Darren Tucker -Date: Thu Dec 19 11:00:12 2013 +1100 - - - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions - greater than 11 either rather than just 11. Patch from Tomas Kuthan. - -commit 6674eb9683afd1ea4eb35670b5e66815543a759e -Author: Damien Miller -Date: Wed Dec 18 17:50:39 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/17 10:36:38 - [crypto_api.h] - I've assempled the header file by cut&pasting from generated headers - and the source files. - -commit d58a5964426ee014384d67d775d16712e93057f3 -Author: Damien Miller -Date: Wed Dec 18 17:50:13 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/15 21:42:35 - [cipher-chachapoly.c] - add some comments and constify a constant - -commit 059321d19af24d87420de3193f79dfab23556078 -Author: Damien Miller -Date: Wed Dec 18 17:49:48 2013 +1100 - - - pascal@cvs.openbsd.org 2013/12/15 18:17:26 - [ssh-add.c] - Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. - ok markus@ - -commit 155b5a5bf158767f989215479ded2a57f331e1c6 -Author: Damien Miller -Date: Wed Dec 18 17:48:32 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/09 11:08:17 - [crypto_api.h] - remove unused defines - -commit 8a56dc2b6b48b05590810e7f4c3567508410000c -Author: Damien Miller -Date: Wed Dec 18 17:48:11 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/09 11:03:45 - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] - [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] - Add Authors for the public domain ed25519/nacl code. - see also http://nacl.cr.yp.to/features.html - All of the NaCl software is in the public domain. - and http://ed25519.cr.yp.to/software.html - The Ed25519 software is in the public domain. - -commit 6575c3acf31fca117352f31f37b16ae46e664837 -Author: Damien Miller -Date: Wed Dec 18 17:47:02 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 - [sshd_config.5] - Use a literal for the default value of KEXAlgorithms. ok deraadt jmc - -commit 8ba0ead6985ea14999265136b14ffd5aeec516f9 -Author: Damien Miller -Date: Wed Dec 18 17:46:27 2013 +1100 - - - naddy@cvs.openbsd.org 2013/12/07 11:58:46 - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] - [ssh_config.5 sshd.8 sshd_config.5] - add missing mentions of ed25519; ok djm@ - -commit 4f752cf71cf44bf4bc777541156c2bf56daf9ce9 -Author: Damien Miller -Date: Wed Dec 18 17:45:35 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/07 08:08:26 - [ssh-keygen.1] - document -a and -o wrt new key format - -commit 6d6fcd14e23a9053198342bb379815b15e504084 -Author: Damien Miller -Date: Sun Dec 8 15:53:28 2013 +1100 - - - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] - [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid - filesystem before running agent-ptrace.sh; ok dtucker - -commit 7e6e42fb532c7dafd7078ef5e9e2d3e47fcf6752 -Author: Damien Miller -Date: Sun Dec 8 08:23:08 2013 +1100 - - - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna - Vinschen - -commit da3ca351b49d52ae85db2e3998265dc3c6617068 -Author: Damien Miller -Date: Sat Dec 7 21:43:46 2013 +1100 - - - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from - Loganaden Velvindron @ AfriNIC in bz#2179 - -commit eb401585bb8336cbf81fe4fc58eb9f7cac3ab874 -Author: Damien Miller -Date: Sat Dec 7 17:07:15 2013 +1100 - - - (djm) [regress/cert-hostkey.sh] Fix merge botch - -commit f54542af3ad07532188b10136ae302314ec69ed6 -Author: Damien Miller -Date: Sat Dec 7 16:32:44 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/06 13:52:46 - [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] - [regress/cert-userkey.sh regress/keytype.sh] - test ed25519 support; from djm@ - -commit f104da263de995f66b6861b4f3368264ee483d7f -Author: Damien Miller -Date: Sat Dec 7 12:37:53 2013 +1100 - - - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] - [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on - Linux - -commit 1ff130dac9b7aea0628f4ad30683431fe35e0020 -Author: Damien Miller -Date: Sat Dec 7 11:51:51 2013 +1100 - - - [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] - [openbsd-compat/blf.h openbsd-compat/blowfish.c] - [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in - portable. - -commit 4260828a2958ebe8c96f66d8301dac53f4cde556 -Author: Damien Miller -Date: Sat Dec 7 11:38:03 2013 +1100 - - - [authfile.c] Conditionalise inclusion of util.h - -commit a913442bac8a26fd296a3add51293f8f6f9b3b4c -Author: Damien Miller -Date: Sat Dec 7 11:35:36 2013 +1100 - - - [Makefile.in] Add ed25519 sources - -commit ca570a519cb846da61d002c7f46fa92e39c83e45 -Author: Damien Miller -Date: Sat Dec 7 11:29:09 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/07 00:19:15 - [key.c] - set k->cert = NULL after freeing it - -commit 3cccc0e155229a2f2d86b6df40bd4559b4f960ff -Author: Damien Miller -Date: Sat Dec 7 11:27:47 2013 +1100 - - - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] - [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents - -commit a7827c11b3f0380b7e593664bd62013ff9c131db -Author: Damien Miller -Date: Sat Dec 7 11:24:30 2013 +1100 - - - jmc@cvs.openbsd.org 2013/12/06 15:29:07 - [sshd.8] - missing comma; - -commit 5be9d9e3cbd9c66f24745d25bf2e809c1d158ee0 -Author: Damien Miller -Date: Sat Dec 7 11:24:01 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/06 13:39:49 - [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] - [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] - [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] - [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] - [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] - support ed25519 keys (hostkeys and user identities) using the public - domain ed25519 reference code from SUPERCOP, see - http://ed25519.cr.yp.to/software.html - feedback, help & ok djm@ - -commit bcd00abd8451f36142ae2ee10cc657202149201e -Author: Damien Miller -Date: Sat Dec 7 10:41:55 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/06 13:34:54 - [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] - [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by - default; details in PROTOCOL.key; feedback and lots help from djm; - ok djm@ - -commit f0e9060d236c0e38bec2fa1c6579fb0a2ea6458d -Author: Damien Miller -Date: Sat Dec 7 10:40:26 2013 +1100 - - - markus@cvs.openbsd.org 2013/12/06 13:30:08 - [authfd.c key.c key.h ssh-agent.c] - move private key (de)serialization to key.c; ok djm - -commit 0f8536da23a6ef26e6495177c0d8a4242b710289 -Author: Damien Miller -Date: Sat Dec 7 10:31:37 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/06 03:40:51 - [ssh-keygen.c] - remove duplicated character ('g') in getopt() string; - document the (few) remaining option characters so we don't have to - rummage next time. - -commit 393920745fd328d3fe07f739a3cf7e1e6db45b60 -Author: Damien Miller -Date: Sat Dec 7 10:31:08 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/05 22:59:45 - [sftp-client.c] - fix memory leak in error path in do_readdir(); pointed out by - Loganaden Velvindron @ AfriNIC in bz#2163 - -commit 534b2ccadea5e5e9a8b27226e6faac3ed5552e97 -Author: Damien Miller -Date: Thu Dec 5 14:07:27 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/05 01:16:41 - [servconf.c servconf.h] - bz#2161 - fix AuthorizedKeysCommand inside a Match block and - rearrange things so the same error is harder to make next time; - with and ok dtucker@ - -commit 8369c8e61a3408ec6bb75755fad4ffce29b5fdbe -Author: Darren Tucker -Date: Thu Dec 5 11:00:16 2013 +1100 - - - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct - -L location for libedit. Patch from Serge van den Boom. - -commit 9275df3e0a2a3bc3897f7d664ea86a425c8a092d -Author: Damien Miller -Date: Thu Dec 5 10:26:32 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/04 04:20:01 - [sftp-client.c] - bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ - AfriNIC - -commit 960f6a2b5254e4da082d8aa3700302ed12dc769a -Author: Damien Miller -Date: Thu Dec 5 10:26:14 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/02 03:13:14 - [cipher.c] - correct bzero of chacha20+poly1305 key context. bz#2177 from - Loganaden Velvindron @ AfriNIC - - Also make it a memset for consistency with the rest of cipher.c - -commit f7e8a8796d661c9d6692ab837e1effd4f5ada1c2 -Author: Damien Miller -Date: Thu Dec 5 10:25:51 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/02 03:09:22 - [key.c] - make key_to_blob() return a NULL blob on failure; part of - bz#2175 from Loganaden Velvindron @ AfriNIC - -commit f1e44ea9d9a6d4c1a95a0024132e603bd1778c9c -Author: Damien Miller -Date: Thu Dec 5 10:23:21 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/02 02:56:17 - [ssh-pkcs11-helper.c] - use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC - -commit 114e540b15d57618f9ebf624264298f80bbd8c77 -Author: Damien Miller -Date: Thu Dec 5 10:22:57 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/02 02:50:27 - [PROTOCOL.chacha20poly1305] - typo; from Jon Cave - -commit e4870c090629e32f2cb649dc16d575eeb693f4a8 -Author: Damien Miller -Date: Thu Dec 5 10:22:39 2013 +1100 - - - djm@cvs.openbsd.org 2013/12/01 23:19:05 - [PROTOCOL] - mention curve25519-sha256@libssh.org key exchange algorithm - -commit 1d2f8804a6d33a4e908b876b2e1266b8260ec76b -Author: Damien Miller -Date: Thu Dec 5 10:22:03 2013 +1100 - - - deraadt@cvs.openbsd.org 2013/11/26 19:15:09 - [pkcs11.h] - cleanup 1 << 31 idioms. Resurrection of this issue pointed out by - Eitan Adler ok markus for ssh, implies same change in kerberosV - -commit bdb352a54f82df94a548e3874b22f2d6ae90328d -Author: Damien Miller -Date: Thu Dec 5 10:20:52 2013 +1100 - - - jmc@cvs.openbsd.org 2013/11/26 12:14:54 - [ssh.1 ssh.c] - - put -Q in the right place - - Ar was a poor choice for the arguments to -Q. i've chosen an - admittedly equally poor Cm, at least consistent with the rest - of the docs. also no need for multiple instances - - zap a now redundant Nm - - usage() sync - -commit d937dc084a087090f1cf5395822c3ac958d33759 -Author: Damien Miller -Date: Thu Dec 5 10:19:54 2013 +1100 - - - deraadt@cvs.openbsd.org 2013/11/25 18:04:21 - [ssh.1 ssh.c] - improve -Q usage and such. One usage change is that the option is now - case-sensitive - ok dtucker markus djm - -commit dec0393f7ee8aabc7d9d0fc2c5fddb4bc649112e -Author: Damien Miller -Date: Thu Dec 5 10:18:43 2013 +1100 - - - jmc@cvs.openbsd.org 2013/11/21 08:05:09 - [ssh_config.5 sshd_config.5] - no need for .Pp before displays; - -commit 8a073cf57940aabf85e49799f89f5d5e9b072c1b -Author: Damien Miller -Date: Thu Nov 21 14:26:18 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/21 03:18:51 - [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] - [regress/try-ciphers.sh] - use new "ssh -Q cipher-auth" query to obtain lists of authenticated - encryption ciphers instead of specifying them manually; ensures that - the new chacha20poly1305@openssh.com mode is tested; - - ok markus@ and naddy@ as part of the diff to add - chacha20poly1305@openssh.com - -commit ea61b2179f63d48968dd2c9617621002bb658bfe -Author: Damien Miller -Date: Thu Nov 21 14:25:15 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/21 03:16:47 - [regress/modpipe.c] - use unsigned long long instead of u_int64_t here to avoid warnings - on some systems portable OpenSSH is built on. - -commit 36aba25b0409d2db6afc84d54bc47a2532d38424 -Author: Damien Miller -Date: Thu Nov 21 14:24:42 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/21 03:15:46 - [regress/krl.sh] - add some reminders for additional tests that I'd like to implement - -commit fa7a20bc289f09b334808d988746bc260a2f60c9 -Author: Damien Miller -Date: Thu Nov 21 14:24:08 2013 +1100 - - - naddy@cvs.openbsd.org 2013/11/18 05:09:32 - [regress/forward-control.sh] - bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) - to successfully run this; ok djm@ - (ID sync only; our timeouts are already longer) - -commit 0fde8acdad78a4d20cadae974376cc0165f645ee -Author: Damien Miller -Date: Thu Nov 21 14:12:23 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/21 00:45:44 - [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] - [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] - [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] - [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport - cipher "chacha20-poly1305@openssh.com" that combines Daniel - Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an - authenticated encryption mode. - - Inspired by and similar to Adam Langley's proposal for TLS: - http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 - but differs in layout used for the MAC calculation and the use of a - second ChaCha20 instance to separately encrypt packet lengths. - Details are in the PROTOCOL.chacha20poly1305 file. - - Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC - ok markus@ naddy@ - -commit fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a -Author: Damien Miller -Date: Thu Nov 21 13:57:15 2013 +1100 - - - deraadt@cvs.openbsd.org 2013/11/20 20:54:10 - [canohost.c clientloop.c match.c readconf.c sftp.c] - unsigned casts for ctype macros where neccessary - ok guenther millert markus - -commit e00167307e4d3692695441e9bd712f25950cb894 -Author: Damien Miller -Date: Thu Nov 21 13:56:49 2013 +1100 - - - deraadt@cvs.openbsd.org 2013/11/20 20:53:10 - [scp.c] - unsigned casts for ctype macros where neccessary - ok guenther millert markus - -commit 23e00aa6ba9eee0e0c218f2026bf405ad4625832 -Author: Damien Miller -Date: Thu Nov 21 13:56:28 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/20 02:19:01 - [sshd.c] - delay closure of in/out fds until after "Bad protocol version - identification..." message, as get_remote_ipaddr/get_remote_port - require them open. - -commit 867e6934be6521f87f04a5ab86702e2d1b314245 -Author: Damien Miller -Date: Thu Nov 21 13:56:06 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/13 13:48:20 - [ssh-pkcs11.c] - add missing braces found by pedro - -commit 0600c7020f4fe68a780bd7cf21ff541a8d4b568a -Author: Damien Miller -Date: Thu Nov 21 13:55:43 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 - [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] - [uidswap.c] Include stdlib.h for free() as per the man page. - -commit b6a75b0b93b8faa6f79c3a395ab6c71f3f880b80 -Author: Darren Tucker -Date: Sun Nov 10 20:25:22 2013 +1100 - - - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by - querying the ones that are compiled in. - -commit 2c89430119367eb1bc96ea5ee55de83357e4c926 -Author: Darren Tucker -Date: Sun Nov 10 12:38:42 2013 +1100 - - - (dtucker) [key.c] Check for the correct defines for NID_secp521r1. - -commit dd5264db5f641dbd03186f9e5e83e4b14b3d0003 -Author: Darren Tucker -Date: Sat Nov 9 22:32:51 2013 +1100 - - - (dtucker) [configure.ac] Add missing "test". - -commit 95cb2d4eb08117be061f3ff076adef3e9a5372c3 -Author: Darren Tucker -Date: Sat Nov 9 22:02:31 2013 +1100 - - - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. - -commit 37bcef51b3d9d496caecea6394814d2f49a1357f -Author: Darren Tucker -Date: Sat Nov 9 18:39:25 2013 +1100 - - - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of - NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the - latter actually works before using it. Fedora (at least) has NID_secp521r1 - that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). - -commit 6e2fe81f926d995bae4be4a6b5b3c88c1c525187 -Author: Darren Tucker -Date: Sat Nov 9 16:55:03 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 - [regress/test-exec.sh regress/rekey.sh] - Use smaller test data files to speed up tests. Grow test datafiles - where necessary for a specific test. - -commit aff7ef1bb8b7c1eeb1f4812129091c5adbf51848 -Author: Darren Tucker -Date: Sat Nov 9 00:19:22 2013 +1100 - - - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: - rather than testing and generating each key, call ssh-keygen -A. - Patch from vinschen at redhat.com. - -commit 882abfd3fb3c98cfe70b4fc79224770468b570a5 -Author: Darren Tucker -Date: Sat Nov 9 00:17:41 2013 +1100 - - - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform - and pass in TEST_ENV. Unknown options cause stderr to get polluted - and the stderr-data test to fail. - -commit 8c333ec23bdf7da917aa20ac6803a2cdd79182c5 -Author: Darren Tucker -Date: Fri Nov 8 21:12:58 2013 +1100 - - - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile - warnings. - -commit d94240b2f6b376b6e9de187e4a0cd4b89dfc48cb -Author: Darren Tucker -Date: Fri Nov 8 21:10:04 2013 +1100 - - - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. - -commit 1c8ce34909886288a3932dce770deec5449f7bb5 -Author: Darren Tucker -Date: Fri Nov 8 19:50:32 2013 +1100 - - - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have - EVP_sha256. - -commit ccdb9bec46bcc88549b26a94aa0bae2b9f51031c -Author: Darren Tucker -Date: Fri Nov 8 18:54:38 2013 +1100 - - - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of - arc4random_stir for platforms that have arc4random but don't have - arc4random_stir (right now this is only OpenBSD -current). - -commit 3420a50169b52cc8d2775d51316f9f866c73398f -Author: Damien Miller -Date: Fri Nov 8 16:48:13 2013 +1100 - - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update version numbers following release. - -commit 3ac4a234df842fd8c94d9cb0ad198e1fe84b895b -Author: Damien Miller -Date: Fri Nov 8 12:39:49 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/08 01:38:11 - [version.h] - openssh-6.4 - -commit 6c81fee693038de7d4a5559043350391db2a2761 -Author: Damien Miller -Date: Fri Nov 8 12:19:55 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/08 00:39:15 - [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c] - [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c] - [sftp-client.c sftp-glob.c] - use calloc for all structure allocations; from markus@ - -commit 690d989008e18af3603a5e03f1276c9bad090370 -Author: Damien Miller -Date: Fri Nov 8 12:16:49 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/07 11:58:27 - [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] - Output the effective values of Ciphers, MACs and KexAlgorithms when - the default has not been overridden. ok markus@ - -commit 08998c5fb9c7c1d248caa73b76e02ca0482e6d85 -Author: Darren Tucker -Date: Fri Nov 8 12:11:46 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 - [regress/rekey.sh] - Rekey less frequently during tests to speed them up - -commit 4bf7e50e533aa956366df7402c132f202e841a48 -Author: Darren Tucker -Date: Thu Nov 7 22:33:48 2013 +1100 - - - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment - variable. It's no longer used now that we get the supported MACs from - ssh -Q. - -commit 6e9d6f411288374d1dee4b7debbfa90bc7e73035 -Author: Darren Tucker -Date: Thu Nov 7 15:32:37 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 - [regress/kextype.sh] - trailing space - -commit 74cbc22529f3e5de756e1b7677b7624efb28f62c -Author: Darren Tucker -Date: Thu Nov 7 15:26:12 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 - [regress/kextype.sh] - Use ssh -Q to get kex types instead of a static list. - -commit a955041c930e63405159ff7d25ef14272f36eab3 -Author: Darren Tucker -Date: Thu Nov 7 15:21:19 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 - [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] - Use ssh -Q instead of hardcoding lists of ciphers or MACs. - -commit 06595d639577577bc15d359e037a31eb83563269 -Author: Darren Tucker -Date: Thu Nov 7 15:08:02 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 - [regress/rekey.sh] - Factor out the data transfer rekey tests - -commit 651dc8b2592202dac6b16ee3b82ce5b331be7da3 -Author: Darren Tucker -Date: Thu Nov 7 15:04:44 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 - [regress/rekey.sh] - Test rekeying for every Cipher, MAC and KEX, plus test every KEX with - the GCM ciphers. - -commit 234557762ba1096a867ca6ebdec07efebddb5153 -Author: Darren Tucker -Date: Thu Nov 7 15:00:51 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 - [regress/rekey.sh] - Test rekeying with all KexAlgorithms. - -commit bbfb9b0f386aab0c3e19d11f136199ef1b9ad0ef -Author: Darren Tucker -Date: Thu Nov 7 14:56:43 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 22:39:53 - [regress/kextype.sh] - add curve25519-sha256@libssh.org - -commit aa19548a98c0f89283ebd7354abd746ca6bc4fdf -Author: Darren Tucker -Date: Thu Nov 7 14:50:09 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/09 23:44:14 - [regress/Makefile] (ID sync only) - regression test for sftp request white/blacklisting and readonly mode. - -commit c8908aabff252f5da772d4e679479c2b7d18cac1 -Author: Damien Miller -Date: Thu Nov 7 13:38:35 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/06 23:05:59 - [ssh-pkcs11.c] - from portable: s/true/true_val/ to avoid name collisions on dump platforms - RCSID sync only - -commit 49c145c5e89b9d7d48e84328d6347d5ad640b567 -Author: Damien Miller -Date: Thu Nov 7 13:35:39 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/06 16:52:11 - [monitor_wrap.c] - fix rekeying for AES-GCM modes; ok deraadt - -commit 67a8800f290b39fd60e379988c700656ae3f2539 -Author: Damien Miller -Date: Thu Nov 7 13:32:51 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/04 11:51:16 - [monitor.c] - fix rekeying for KEX_C25519_SHA256; noted by dtucker@ - RCSID sync only; I thought this was a merge botch and fixed it already - -commit df8b030b15fcec7baf38ec7944f309f9ca8cc9a7 -Author: Damien Miller -Date: Thu Nov 7 13:28:16 2013 +1100 - - - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms - that lack it but have arc4random_uniform() - -commit a6fd1d3c38a562709374a70fa76423859160aa90 -Author: Damien Miller -Date: Thu Nov 7 12:03:26 2013 +1100 - - - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these - -commit c98319750b0bbdd0d1794420ec97d65dd9244613 -Author: Damien Miller -Date: Thu Nov 7 12:00:23 2013 +1100 - - - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff - -commit 61c5c2319e84a58210810d39b062c8b8e3321160 -Author: Damien Miller -Date: Thu Nov 7 11:34:14 2013 +1100 - - - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) - that got lost in recent merge. - -commit 094003f5454a9f5a607674b2739824a7e91835f4 -Author: Damien Miller -Date: Mon Nov 4 22:59:27 2013 +1100 - - - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from - KEX/curve25519 change - -commit ca67a7eaf8766499ba67801d0be8cdaa550b9a50 -Author: Damien Miller -Date: Mon Nov 4 09:05:17 2013 +1100 - - - djm@cvs.openbsd.org 2013/11/03 10:37:19 - [roaming_common.c] - fix a couple of function definitions foo() -> foo(void) - (-Wold-style-definition) - -commit 0bd8f1519d51af8d4229be81e8f2f4903a1d440b -Author: Damien Miller -Date: Mon Nov 4 08:55:43 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 22:39:19 - [ssh_config.5 sshd_config.5] - the default kex is now curve25519-sha256@libssh.org - -commit 4c3ba0767fbe4a8a2a748df4035aaf86651f6b30 -Author: Damien Miller -Date: Mon Nov 4 08:40:13 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 22:34:01 - [auth-options.c] - no need to include monitor_wrap.h and ssh-gss.h - -commit 660621b2106b987b874c2f120218bec249d0f6ba -Author: Damien Miller -Date: Mon Nov 4 08:37:51 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 22:24:24 - [kexdhs.c kexecdhs.c] - no need to include ssh-gss.h - -commit abdca986decfbbc008c895195b85e879ed460ada -Author: Damien Miller -Date: Mon Nov 4 08:30:05 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 22:10:15 - [kexdhs.c kexecdhs.c] - no need to include monitor_wrap.h - -commit 1e1242604eb0fd510fe93f81245c529237ffc513 -Author: Damien Miller -Date: Mon Nov 4 08:26:52 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 21:59:15 - [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] - use curve25519 for default key exchange (curve25519-sha256@libssh.org); - initial patch from Aris Adamantiadis; ok djm@ - -commit d2252c79191d069372ed6effce7c7a2de93448cd -Author: Damien Miller -Date: Mon Nov 4 07:41:48 2013 +1100 - - - markus@cvs.openbsd.org 2013/11/02 20:03:54 - [ssh-pkcs11.c] - support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys; - fixes bz#1908; based on patch from Laurent Barbe; ok djm - -commit 007e3b357e880caa974d5adf9669298ba0751c78 -Author: Darren Tucker -Date: Sun Nov 3 18:43:55 2013 +1100 - - - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t - for platforms that don't have them. - -commit 710f3747352fb93a63e5b69b12379da37f5b3fa9 -Author: Darren Tucker -Date: Sun Nov 3 17:20:34 2013 +1100 - - - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd - vsnprintf. From eric at openbsd via chl@. - -commit d52770452308e5c2e99f4da6edaaa77ef078b610 -Author: Darren Tucker -Date: Sun Nov 3 16:30:46 2013 +1100 - - - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep. - From OpenSMTPD where it prevents "implicit declaration" warnings (it's - a no-op in OpenSSH). From chl at openbsd. - -commit 63857c9340d3482746a5622ffdacc756751f6448 -Author: Damien Miller -Date: Wed Oct 30 22:31:06 2013 +1100 - - - jmc@cvs.openbsd.org 2013/10/29 18:49:32 - [sshd_config.5] - pty(4), not pty(7); - -commit 5ff30c6b68adeee767dd29bf2369763c6a13c0b3 -Author: Damien Miller -Date: Wed Oct 30 22:21:50 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/29 09:48:02 - [servconf.c servconf.h session.c sshd_config sshd_config.5] - shd_config PermitTTY to disallow TTY allocation, mirroring the - longstanding no-pty authorized_keys option; - bz#2070, patch from Teran McKinney; ok markus@ - -commit 4a3a9d4bbf8048473f5cc202cd8db7164d5e6b8d -Author: Damien Miller -Date: Wed Oct 30 22:19:47 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/29 09:42:11 - [key.c key.h] - fix potential stack exhaustion caused by nested certificates; - report by Mateusz Kocielski; ok dtucker@ markus@ - -commit 28631ceaa7acd9bc500f924614431542893c6a21 -Author: Damien Miller -Date: Sat Oct 26 10:07:56 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/25 23:04:51 - [ssh.c] - fix crash when using ProxyCommand caused by previous commit - was calling - freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@ - -commit 26506ad29350c5681815745cc90b3952a84cf118 -Author: Damien Miller -Date: Sat Oct 26 10:05:46 2013 +1100 - - - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove - unnecessary arc4random_stir() calls. The only ones left are to ensure - that the PRNG gets a different state after fork() for platforms that - have broken the API. - -commit bd43e8872325e9bbb3319c89da593614709f317c -Author: Tim Rice -Date: Thu Oct 24 12:22:49 2013 -0700 - - - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" - -commit a90c0338083ee0e4064c4bdf61f497293a699be0 -Author: Damien Miller -Date: Thu Oct 24 21:03:17 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/24 08:19:36 - [ssh.c] - fix bug introduced in hostname canonicalisation commit: don't try to - resolve hostnames when a ProxyCommand is set unless the user has forced - canonicalisation; spotted by Iain Morgan - -commit cf31f3863425453ffcda540fbefa9df80088c8d1 -Author: Damien Miller -Date: Thu Oct 24 21:02:56 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 - [readconf.c servconf.c ssh_config.5 sshd_config.5] - Disallow empty Match statements and add "Match all" which matches - everything. ok djm, man page help jmc@ - -commit 4bedd4032a09ce87322ae5ea80f193f109e5c607 -Author: Damien Miller -Date: Thu Oct 24 21:02:26 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/10/24 00:49:49 - [moduli.c] - Periodically print progress and, if possible, expected time to completion - when screening moduli for DH groups. ok deraadt djm - -commit 5ecb41629860687b145be63b8877fabb6bae5eda -Author: Damien Miller -Date: Thu Oct 24 21:02:02 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/23 23:35:32 - [sshd.c] - include local address and port in "Connection from ..." message (only - shown at loglevel>=verbose) - -commit 03bf2e61ad6ac59a362a1f11b105586cb755c147 -Author: Damien Miller -Date: Thu Oct 24 21:01:26 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/10/23 05:40:58 - [servconf.c] - fix comment - -commit 8f1873191478847773906af961c8984d02a49dd6 -Author: Damien Miller -Date: Thu Oct 24 10:53:02 2013 +1100 - - - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check - rather than full client name which may be of form user@REALM; - patch from Miguel Sanders; ok dtucker@ - -commit 5b01b0dcb417eb615df77e7ce1b59319bf04342c -Author: Damien Miller -Date: Wed Oct 23 16:31:31 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/23 04:16:22 - [ssh-keygen.c] - Make code match documentation: relative-specified certificate expiry time - should be relative to current time and not the validity start time. - Reported by Petr Lautrbach; ok deraadt@ - -commit eff5cada589f25793dbe63a76aba9da39837a148 -Author: Damien Miller -Date: Wed Oct 23 16:31:10 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/23 03:05:19 - [readconf.c ssh.c] - comment - -commit 084bcd24e9fe874020e4df4e073e7408e1b17fb7 -Author: Damien Miller -Date: Wed Oct 23 16:30:51 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/23 03:03:07 - [readconf.c] - Hostname may have %h sequences that should be expanded prior to Match - evaluation; spotted by Iain Morgan - -commit 8e5a67f46916def40b2758bb7755350dd2eee843 -Author: Damien Miller -Date: Wed Oct 23 16:30:25 2013 +1100 - - - jmc@cvs.openbsd.org 2013/10/20 18:00:13 - [ssh_config.5] - tweak the "exec" description, as worded by djm; - -commit c0049bd0bca02890cd792babc594771c563f91f2 -Author: Damien Miller -Date: Wed Oct 23 16:29:59 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/20 09:51:26 - [scp.1 sftp.1] - add canonicalisation options to -o lists - -commit 8a04be795fc28514a09e55a54b2e67968f2e1b3a -Author: Damien Miller -Date: Wed Oct 23 16:29:40 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/20 06:19:28 - [readconf.c ssh_config.5] - rename "command" subclause of the recently-added "Match" keyword to - "exec"; it's shorter, clearer in intent and we might want to add the - ability to match against the command being executed at the remote end in - the future. - -commit 5c86ebdf83b636b6741db4b03569ef4a53b89a58 -Author: Damien Miller -Date: Wed Oct 23 16:29:12 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/20 04:39:28 - [ssh_config.5] - document % expansions performed by "Match command ..." - -commit 4502f88774edc56194707167443f94026d3c7cfa -Author: Damien Miller -Date: Fri Oct 18 10:17:36 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/17 22:08:04 - [sshd.c] - include remote port in bad banner message; bz#2162 - -commit 1edcbf65ebd2febeaf10a836468f35e519eed7ca -Author: Damien Miller -Date: Fri Oct 18 10:17:17 2013 +1100 - - - jmc@cvs.openbsd.org 2013/10/17 07:35:48 - [sftp.1 sftp.c] - tweak previous; - -commit a176e1823013dd8533a20235b3a5131f0626f46b -Author: Damien Miller -Date: Fri Oct 18 09:05:41 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/09 23:44:14 - [regress/Makefile regress/sftp-perm.sh] - regression test for sftp request white/blacklisting and readonly mode. - -commit e3ea09494dcfe7ba76536e95765c8328ecfc18fb -Author: Damien Miller -Date: Thu Oct 17 11:57:23 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/17 00:46:49 - [ssh.c] - rearrange check to reduce diff against -portable - (Id sync only) - -commit f29238e67471a7f1088a99c3c3dbafce76b790cf -Author: Damien Miller -Date: Thu Oct 17 11:48:52 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/17 00:30:13 - [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c] - fsync@openssh.com protocol extension for sftp-server - client support to allow calling fsync() faster successful transfer - patch mostly by imorgan AT nas.nasa.gov; bz#1798 - "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@ - -commit 51682faa599550a69d8120e5e2bdbdc0625ef4be -Author: Damien Miller -Date: Thu Oct 17 11:48:31 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/16 22:58:01 - [ssh.c ssh_config.5] - one I missed in previous: s/isation/ization/ - -commit 3850559be93f1a442ae9ed370e8c389889dd5f72 -Author: Damien Miller -Date: Thu Oct 17 11:48:13 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/16 22:49:39 - [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] - s/canonicalise/canonicalize/ for consistency with existing spelling, - e.g. authorized_keys; pointed out by naddy@ - -commit 607af3434b75acc7199a5d99d5a9c11068c01f27 -Author: Damien Miller -Date: Thu Oct 17 11:47:51 2013 +1100 - - - jmc@cvs.openbsd.org 2013/10/16 06:42:25 - [ssh_config.5] - tweak previous; - -commit 0faf747e2f77f0f7083bcd59cbed30c4b5448444 -Author: Damien Miller -Date: Thu Oct 17 11:47:23 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/16 02:31:47 - [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] - [sshconnect.c sshconnect.h] - Implement client-side hostname canonicalisation to allow an explicit - search path of domain suffixes to use to convert unqualified host names - to fully-qualified ones for host key matching. - This is particularly useful for host certificates, which would otherwise - need to list unqualified names alongside fully-qualified ones (and this - causes a number of problems). - "looks fine" markus@ - -commit d77b81f856e078714ec6b0f86f61c20249b7ead4 -Author: Damien Miller -Date: Thu Oct 17 11:39:00 2013 +1100 - - - jmc@cvs.openbsd.org 2013/10/15 14:10:25 - [ssh.1 ssh_config.5] - tweak previous; - -commit dcd39f29ce3308dc74a0ff27a9056205a932ce05 -Author: Damien Miller -Date: Thu Oct 17 11:31:40 2013 +1100 - - - [ssh.c] g/c unused variable. - -commit 5359a628ce3763408da25d83271a8eddec597a0c -Author: Damien Miller -Date: Tue Oct 15 12:20:37 2013 +1100 - - - [ssh.c] g/c unused variable. - -commit 386feab0c4736b054585ee8ee372865d5cde8d69 -Author: Damien Miller -Date: Tue Oct 15 12:14:49 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/14 23:31:01 - [ssh.c] - whitespace at EOL; pointed out by markus@ - -commit e9fc72edd6c313b670558cd5219601c38a949b67 -Author: Damien Miller -Date: Tue Oct 15 12:14:12 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/14 23:28:23 - [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] - refactor client config code a little: - add multistate option partsing to readconf.c, similar to servconf.c's - existing code. - move checking of options that accept "none" as an argument to readconf.c - add a lowercase() function and use it instead of explicit tolower() in - loops - part of a larger diff that was ok markus@ - -commit 194fd904d8597a274b93e075b2047afdf5a175d4 -Author: Damien Miller -Date: Tue Oct 15 12:13:05 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/14 22:22:05 - [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] - add a "Match" keyword to ssh_config that allows matching on hostname, - user and result of arbitrary commands. "nice work" markus@ - -commit 71df752de2a04f423b1cd18d961a79f4fbccbcee -Author: Damien Miller -Date: Tue Oct 15 12:12:02 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/14 21:20:52 - [session.c session.h] - Add logging of session starts in a useful format; ok markus@ feedback and - ok dtucker@ - -commit 6efab27109b82820e8d32a5d811adb7bfc354f65 -Author: Damien Miller -Date: Tue Oct 15 12:07:05 2013 +1100 - - - jmc@cvs.openbsd.org 2013/10/14 14:18:56 - [sftp-server.8 sftp-server.c] - tweak previous; - ok djm - -commit 61c7de8a94156f6d7e9718ded9be8c65bb902b66 -Author: Damien Miller -Date: Tue Oct 15 12:06:45 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/11 02:53:45 - [sftp-client.h] - obsolete comment - -commit 2f93d0556e4892208c9b072624caa8cc5ddd839d -Author: Damien Miller -Date: Tue Oct 15 12:06:27 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/11 02:52:23 - [sftp-client.c] - missed one arg reorder - -commit bda5c8445713ae592d969a5105ed1a65da22bc96 -Author: Damien Miller -Date: Tue Oct 15 12:05:58 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/11 02:45:36 - [sftp-client.c] - rename flag arguments to be more clear and consistent. - reorder some internal function arguments to make adding additional flags - easier. - no functional change - -commit 61ee4d68ca0fcc793a826fc7ec70f3b8ffd12ab6 -Author: Damien Miller -Date: Tue Oct 15 11:56:47 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/10 01:43:03 - [sshd.c] - bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly - updated; ok dtucker@ - -commit 73600e51af9ee734a19767e0c084bbbc5eb5b8da -Author: Damien Miller -Date: Tue Oct 15 11:56:25 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/10 00:53:25 - [sftp-server.c] - add -Q, -P and -p to usage() before jmc@ catches me - -commit 6eaeebf27d92f39a38c772aa3f20c2250af2dd29 -Author: Damien Miller -Date: Tue Oct 15 11:55:57 2013 +1100 - - - djm@cvs.openbsd.org 2013/10/09 23:42:17 - [sftp-server.8 sftp-server.c] - Add ability to whitelist and/or blacklist sftp protocol requests by name. - Refactor dispatch loop and consolidate read-only mode checks. - Make global variables static, since sftp-server is linked into sshd(8). - ok dtucker@ - -commit df62d71e64d29d1054e7a53d1a801075ef70335f -Author: Darren Tucker -Date: Thu Oct 10 10:32:39 2013 +1100 - - - dtucker@cvs.openbsd.org 2013/10/08 11:42:13 - [dh.c dh.h] - Increase the size of the Diffie-Hellman groups requested for a each - symmetric key size. New values from NIST Special Publication 800-57 with - the upper limit specified by RFC4419. Pointed out by Peter Backes, ok - djm@. - -commit e6e52f8c5dc89a6767702e65bb595aaf7bc8991c -Author: Darren Tucker -Date: Thu Oct 10 10:28:07 2013 +1100 - - - djm@cvs.openbsd.org 2013/09/19 01:26:29 - [sshconnect.c] - bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from - swp AT swp.pp.ru; ok dtucker@ - -commit 71152bc9911bc34a98810b2398dac20df3fe8de3 -Author: Darren Tucker -Date: Thu Oct 10 10:27:21 2013 +1100 - - - djm@cvs.openbsd.org 2013/09/19 01:24:46 - [channels.c] - bz#1297 - tell the client (via packet_send_debug) when their preferred - listen address has been overridden by the server's GatewayPorts; - ok dtucker@ - -commit b59aaf3c4f3f449a4b86d8528668bd979be9aa5f -Author: Darren Tucker -Date: Thu Oct 10 10:26:21 2013 +1100 - - - djm@cvs.openbsd.org 2013/09/19 00:49:12 - [sftp-client.c] - fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan - -commit 5d80e4522d6238bdefe9d0c634f0e6d35a241e41 -Author: Darren Tucker -Date: Thu Oct 10 10:25:09 2013 +1100 - - - djm@cvs.openbsd.org 2013/09/19 00:24:52 - [progressmeter.c] - store the initial file offset so the progress meter doesn't freak out - when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@ - -commit ad92df7e5ed26fea85adfb3f95352d6cd8e86344 -Author: Darren Tucker -Date: Thu Oct 10 10:24:11 2013 +1100 - - - sthen@cvs.openbsd.org 2013/09/16 11:35:43 - [ssh_config] - Remove gssapi config parts from ssh_config, as was already done for - sshd_config. Req by/ok ajacoutot@ - ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular - -commit 720711960b130d36dfdd3d50eb25ef482bdd000e -Author: Damien Miller -Date: Wed Oct 9 10:44:47 2013 +1100 - - - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c] - [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random - implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@, - tested tim@ - -commit 9159310087a218e28940a592896808b8eb76a039 -Author: Damien Miller -Date: Wed Oct 9 10:42:32 2013 +1100 - - - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull - in OpenBSD implementation of arc4random, shortly to replace the existing - bsd-arc4random.c - -commit 67f1d557a68d6fa8966a327d7b6dee3408cf0e72 -Author: Damien Miller -Date: Wed Oct 9 09:33:08 2013 +1100 - - correct incorrect years in datestamps; from des - -commit f2bf36c3eb4d969f85ec8aa342e9aecb61cc8bb1 -Author: Darren Tucker -Date: Sun Sep 22 19:02:40 2013 +1000 - - - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj - setting when handling SIGHUP to maintain behaviour over retart. Patch - from Matthew Ife. - -commit e90a06ae570fd259a2f5ced873c7f17390f535a5 -Author: Darren Tucker -Date: Wed Sep 18 15:09:38 2013 +1000 - - - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. - -commit 13840e0103946982cee2a05c40697be7e57dca41 -Author: Damien Miller -Date: Sat Sep 14 09:49:43 2013 +1000 - - - djm@cvs.openbsd.org 2013/09/13 06:54:34 - [channels.c] - avoid unaligned access in code that reused a buffer to send a - struct in_addr in a reply; simpler just use use buffer_put_int(); - from portable; spotted by and ok dtucker@ - -commit 70182522a47d283513a010338cd028cb80dac2ab -Author: Damien Miller -Date: Sat Sep 14 09:49:19 2013 +1000 - - - djm@cvs.openbsd.org 2013/09/12 01:41:12 - [clientloop.c] - fix connection crash when sending break (~B) on ControlPersist'd session; - ok dtucker@ - -commit ff9d6c2a4171ee32e8fe28fc3b86eb33bd5c845b -Author: Damien Miller -Date: Sat Sep 14 09:48:55 2013 +1000 - - - sthen@cvs.openbsd.org 2013/09/07 13:53:11 - [sshd_config] - Remove commented-out kerberos/gssapi config options from sample config, - kerberos support is currently not enabled in ssh in OpenBSD. Discussed with - various people; ok deraadt@ - ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular - -commit 8bab5e7b5ff6721d926b5ebf05a3a24489889c58 -Author: Damien Miller -Date: Sat Sep 14 09:47:00 2013 +1000 - - - deraadt@cvs.openbsd.org 2013/09/02 22:00:34 - [ssh-keygen.c sshconnect1.c sshd.c] - All the instances of arc4random_stir() are bogus, since arc4random() - does this itself, inside itself, and has for a very long time.. Actually, - this was probably reducing the entropy available. - ok djm - ID SYNC ONLY for portable; we don't trust other arc4random implementations - to do this right. - -commit 61353b3208d548fab863e0e0ac5d2400ee5bb340 -Author: Damien Miller -Date: Sat Sep 14 09:45:32 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/31 00:13:54 - [sftp.c] - make ^w match ksh behaviour (delete previous word instead of entire line) - -commit 660854859cad31d234edb9353fb7ca2780df8128 -Author: Damien Miller -Date: Sat Sep 14 09:45:03 2013 +1000 - - - mikeb@cvs.openbsd.org 2013/08/28 12:34:27 - [ssh-keygen.c] - improve batch processing a bit by making use of the quite flag a bit - more often and exit with a non zero code if asked to find a hostname - in a known_hosts file and it wasn't there; - originally from reyk@, ok djm - -commit 045bda5cb8acf0eb9d71c275ee1247e3154fc9e5 -Author: Damien Miller -Date: Sat Sep 14 09:44:37 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/22 19:02:21 - [sshd.c] - Stir PRNG after post-accept fork. The child gets a different PRNG state - anyway via rexec and explicit privsep reseeds, but it's good to be sure. - ok markus@ - -commit ed4af412da60a084891b20412433a27966613fb8 -Author: Damien Miller -Date: Sat Sep 14 09:40:51 2013 +1000 - - add marker for 6.3p1 release at the point of the last included change - -commit 43968a8e66a0aa1afefb11665bf96f86b113f5d9 -Author: Damien Miller -Date: Wed Aug 28 14:00:54 2013 +1000 - - - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits - until we have configure support. - -commit 04be8b9e53f8388c94b531ebc5d1bd6e10e930d1 -Author: Damien Miller -Date: Wed Aug 28 12:49:43 2013 +1000 - - - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the - 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we - start to use them in the future. diff --git a/README b/README index 9bbd3ba..ea6e228 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-7.1 for the release notes. +See http://www.openssh.com/txt/release-7.1p2 for the release notes. Please read http://www.openssh.com/report.html for bug reporting instructions and note that we do not use Github for bug reporting or diff --git a/bitmap.c b/bitmap.c index 19cd2e8..f950322 100644 --- a/bitmap.c +++ b/bitmap.c @@ -53,7 +53,7 @@ void bitmap_free(struct bitmap *b) { if (b != NULL && b->d != NULL) { - memset(b->d, 0, b->len); + explicit_bzero(b->d, b->len); free(b->d); } free(b); diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 5b27106..4c55227 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 7.1p1 +%define ver 7.1p2 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 5968958..3ee5268 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 7.1p1 +Version: 7.1p2 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/kex.c b/kex.c index 5100c66..b777b7d 100644 --- a/kex.c +++ b/kex.c @@ -270,13 +270,13 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) debug2("kex_parse_kexinit: %s", proposal[i]); } /* first kex follows / reserved */ - if ((r = sshbuf_get_u8(b, &v)) != 0 || - (r = sshbuf_get_u32(b, &i)) != 0) + if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ + (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ goto out; if (first_kex_follows != NULL) - *first_kex_follows = i; - debug2("kex_parse_kexinit: first_kex_follows %d ", v); - debug2("kex_parse_kexinit: reserved %u ", i); + *first_kex_follows = v; + debug2("first_kex_follows %d ", v); + debug2("reserved %u ", i); r = 0; *propp = proposal; out: diff --git a/packet.c b/packet.c index 01d3e29..7b5c419 100644 --- a/packet.c +++ b/packet.c @@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) logit("Bad packet length %u.", state->packlen); if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) return r; + return SSH_ERR_CONN_CORRUPT; } sshbuf_reset(state->incoming_packet); } else if (state->packlen == 0) { diff --git a/readconf.c b/readconf.c index 1d03bdf..cd01482 100644 --- a/readconf.c +++ b/readconf.c @@ -1660,7 +1660,7 @@ initialize_options(Options * options) options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; - options->use_roaming = -1; + options->use_roaming = 0; options->visual_host_key = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; @@ -1833,8 +1833,7 @@ fill_default_options(Options * options) options->tun_remote = SSH_TUNID_ANY; if (options->permit_local_command == -1) options->permit_local_command = 0; - if (options->use_roaming == -1) - options->use_roaming = 1; + options->use_roaming = 0; if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) diff --git a/ssh.c b/ssh.c index 59c1f93..67c1ebf 100644 --- a/ssh.c +++ b/ssh.c @@ -1932,9 +1932,6 @@ ssh_session2(void) fork_postauth(); } - if (options.use_roaming) - request_roaming(); - return client_loop(tty_flag, tty_flag ? options.escape_char : SSH_ESCAPECHAR_NONE, id); } diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c index e2e093c..d0d791b 100644 --- a/sshbuf-getput-crypto.c +++ b/sshbuf-getput-crypto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf-getput-crypto.c,v 1.4 2015/01/14 15:02:39 djm Exp $ */ +/* $OpenBSD: sshbuf-getput-crypto.c,v 1.5 2016/01/12 23:42:54 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -158,10 +158,10 @@ sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v) if (len > 0 && (d[1] & 0x80) != 0) prepend = 1; if ((r = sshbuf_put_string(buf, d + 1 - prepend, len + prepend)) < 0) { - bzero(d, sizeof(d)); + explicit_bzero(d, sizeof(d)); return r; } - bzero(d, sizeof(d)); + explicit_bzero(d, sizeof(d)); return 0; } @@ -177,13 +177,13 @@ sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v) if (BN_bn2bin(v, d) != (int)len_bytes) return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */ if ((r = sshbuf_reserve(buf, len_bytes + 2, &dp)) < 0) { - bzero(d, sizeof(d)); + explicit_bzero(d, sizeof(d)); return r; } POKE_U16(dp, len_bits); if (len_bytes != 0) memcpy(dp + 2, d, len_bytes); - bzero(d, sizeof(d)); + explicit_bzero(d, sizeof(d)); return 0; } @@ -210,7 +210,7 @@ sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g) } BN_CTX_free(bn_ctx); ret = sshbuf_put_string(buf, d, len); - bzero(d, len); + explicit_bzero(d, len); return ret; } diff --git a/sshbuf-misc.c b/sshbuf-misc.c index d022065..3da4b80 100644 --- a/sshbuf-misc.c +++ b/sshbuf-misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf-misc.c,v 1.4 2015/03/24 20:03:44 markus Exp $ */ +/* $OpenBSD: sshbuf-misc.c,v 1.5 2015/10/05 17:11:21 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -103,7 +103,7 @@ sshbuf_dtob64(struct sshbuf *buf) if (SIZE_MAX / 2 <= len || (ret = malloc(plen)) == NULL) return NULL; if ((r = b64_ntop(p, len, ret, plen)) == -1) { - bzero(ret, plen); + explicit_bzero(ret, plen); free(ret); return NULL; } @@ -122,16 +122,16 @@ sshbuf_b64tod(struct sshbuf *buf, const char *b64) if ((p = malloc(plen)) == NULL) return SSH_ERR_ALLOC_FAIL; if ((nlen = b64_pton(b64, p, plen)) < 0) { - bzero(p, plen); + explicit_bzero(p, plen); free(p); return SSH_ERR_INVALID_FORMAT; } if ((r = sshbuf_put(buf, p, nlen)) < 0) { - bzero(p, plen); + explicit_bzero(p, plen); free(p); return r; } - bzero(p, plen); + explicit_bzero(p, plen); free(p); return 0; } diff --git a/sshbuf.c b/sshbuf.c index dbe0c91..19e162c 100644 --- a/sshbuf.c +++ b/sshbuf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf.c,v 1.3 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -134,7 +134,7 @@ sshbuf_fromb(struct sshbuf *buf) void sshbuf_init(struct sshbuf *ret) { - bzero(ret, sizeof(*ret)); + explicit_bzero(ret, sizeof(*ret)); ret->alloc = SSHBUF_SIZE_INIT; ret->max_size = SSHBUF_SIZE_MAX; ret->readonly = 0; @@ -177,10 +177,10 @@ sshbuf_free(struct sshbuf *buf) return; dont_free = buf->dont_free; if (!buf->readonly) { - bzero(buf->d, buf->alloc); + explicit_bzero(buf->d, buf->alloc); free(buf->d); } - bzero(buf, sizeof(*buf)); + explicit_bzero(buf, sizeof(*buf)); if (!dont_free) free(buf); } @@ -196,7 +196,7 @@ sshbuf_reset(struct sshbuf *buf) return; } if (sshbuf_check_sanity(buf) == 0) - bzero(buf->d, buf->alloc); + explicit_bzero(buf->d, buf->alloc); buf->off = buf->size = 0; if (buf->alloc != SSHBUF_SIZE_INIT) { if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) { @@ -255,7 +255,7 @@ sshbuf_set_max_size(struct sshbuf *buf, size_t max_size) rlen = roundup(buf->size, SSHBUF_SIZE_INC); if (rlen > max_size) rlen = max_size; - bzero(buf->d + buf->size, buf->alloc - buf->size); + explicit_bzero(buf->d + buf->size, buf->alloc - buf->size); SSHBUF_DBG(("new alloc = %zu", rlen)); if ((dp = realloc(buf->d, rlen)) == NULL) return SSH_ERR_ALLOC_FAIL; diff --git a/sshd.c b/sshd.c index 65ef7e8..43d4650 100644 --- a/sshd.c +++ b/sshd.c @@ -624,6 +624,8 @@ privsep_preauth_child(void) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); @@ -767,6 +769,8 @@ privsep_postauth(Authctxt *authctxt) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); @@ -1436,6 +1440,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) arc4random_buf(rnd, sizeof(rnd)); #ifdef WITH_OPENSSL RAND_seed(rnd, sizeof(rnd)); + if ((RAND_bytes((u_char *)rnd, 1)) != 1) + fatal("%s: RAND_bytes failed", __func__); #endif explicit_bzero(rnd, sizeof(rnd)); } diff --git a/version.h b/version.h index d917ca1..41e1ea9 100644 --- a/version.h +++ b/version.h @@ -2,5 +2,5 @@ #define SSH_VERSION "OpenSSH_7.1" -#define SSH_PORTABLE "p1" +#define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.1 From 9169dee5c46ff1d9dfce5c97590347e20a54c84e Mon Sep 17 00:00:00 2001 From: des Date: Thu, 10 Mar 2016 20:10:25 +0000 Subject: Vendor import of OpenSSH 7.2p1. --- ChangeLog | 11176 +++++++++++++++++-------------- Makefile.in | 72 +- README | 2 +- README.platform | 3 + auth-bsdauth.c | 4 +- auth-krb5.c | 4 +- auth-options.c | 111 +- auth-pam.c | 3 +- auth.h | 4 +- auth2-pubkey.c | 36 +- authfd.c | 20 +- authfd.h | 6 +- authfile.c | 27 +- channels.c | 16 +- cipher.c | 5 +- clientloop.c | 195 +- clientloop.h | 4 +- config.h.in | 27 +- configure | 1631 +++-- configure.ac | 75 +- contrib/redhat/openssh.spec | 7 +- contrib/ssh-copy-id | 53 +- contrib/ssh-copy-id.1 | 5 + contrib/suse/openssh.spec | 2 +- defines.h | 7 + dh.h | 9 +- includes.h | 6 - kex.c | 168 +- kex.h | 13 +- kexc25519s.c | 6 +- kexdhs.c | 6 +- kexecdhs.c | 6 +- kexgexs.c | 6 +- key.c | 6 +- key.h | 5 +- krl.c | 23 +- krl.h | 3 +- loginrec.c | 3 + misc.c | 58 +- moduli.0 | 2 +- monitor.c | 39 +- monitor_wrap.c | 6 +- monitor_wrap.h | 4 +- mux.c | 34 +- myproposal.h | 23 +- opacket.c | 12 - opacket.h | 4 - openbsd-compat/bsd-misc.c | 8 + openbsd-compat/bsd-misc.h | 4 + openbsd-compat/bsd-poll.h | 4 +- openbsd-compat/glob.c | 1 + openbsd-compat/glob.h | 8 +- openbsd-compat/openbsd-compat.h | 1 - openbsd-compat/port-solaris.c | 136 + openbsd-compat/port-solaris.h | 6 + openbsd-compat/realpath.c | 61 +- packet.c | 366 +- packet.h | 11 +- platform-pledge.c | 71 + platform.h | 5 + readconf.c | 110 +- readconf.h | 12 +- readpass.c | 4 +- regress/Makefile | 5 +- regress/agent-ptrace.sh | 5 + regress/cert-file.sh | 138 + regress/check-perm.c | 205 + regress/dhgex.sh | 6 +- regress/hostkey-rotate.sh | 20 +- regress/keys-command.sh | 6 + regress/keyscan.sh | 4 +- regress/limit-keytype.sh | 37 +- regress/principals-command.sh | 7 + regress/proxy-connect.sh | 5 +- regress/rekey.sh | 6 +- regress/setuid-allowed.c | 2 +- regress/sftp-chroot.sh | 5 + regress/unittests/sshkey/test_file.c | 42 +- regress/unittests/sshkey/test_fuzz.c | 102 +- regress/unittests/sshkey/test_sshkey.c | 46 +- roaming.h | 45 - roaming_client.c | 271 - roaming_common.c | 241 - roaming_dummy.c | 72 - roaming_serv.c | 31 - sandbox-pledge.c | 77 + sandbox-seccomp-filter.c | 3 + sandbox-solaris.c | 108 + sandbox-systrace.c | 36 +- scp.0 | 3 +- scp.1 | 5 +- scp.c | 14 +- servconf.c | 59 +- serverloop.c | 31 +- session.c | 52 +- sftp-client.c | 22 +- sftp-client.h | 6 + sftp-server-main.c | 4 +- sftp-server.0 | 2 +- sftp-server.c | 12 +- sftp.0 | 3 +- sftp.1 | 5 +- sftp.c | 3 +- ssh-add.0 | 2 +- ssh-add.c | 35 +- ssh-agent.0 | 14 +- ssh-agent.1 | 15 +- ssh-agent.c | 26 +- ssh-dss.c | 11 +- ssh-ecdsa.c | 14 +- ssh-keygen.0 | 23 +- ssh-keygen.1 | 18 +- ssh-keygen.c | 366 +- ssh-keyscan.0 | 6 +- ssh-keyscan.1 | 8 +- ssh-keyscan.c | 71 +- ssh-keysign.0 | 5 +- ssh-keysign.8 | 6 +- ssh-keysign.c | 27 +- ssh-pkcs11-client.c | 4 +- ssh-pkcs11-helper.0 | 2 +- ssh-pkcs11-helper.c | 3 +- ssh-pkcs11.c | 8 +- ssh-rsa.c | 149 +- ssh.0 | 114 +- ssh.1 | 97 +- ssh.c | 148 +- ssh.h | 10 +- ssh2.h | 10 +- ssh_api.c | 16 +- ssh_config | 6 +- ssh_config.0 | 140 +- ssh_config.5 | 143 +- sshbuf-getput-basic.c | 8 +- sshbuf.c | 8 +- sshbuf.h | 65 +- sshconnect.c | 75 +- sshconnect.h | 4 +- sshconnect1.c | 15 +- sshconnect2.c | 265 +- sshd.0 | 44 +- sshd.8 | 55 +- sshd.c | 76 +- sshd_config | 4 +- sshd_config.0 | 128 +- sshd_config.5 | 64 +- ssherr.c | 4 +- sshkey.c | 210 +- sshkey.h | 17 +- sshlogin.c | 2 +- uidswap.c | 18 +- version.h | 6 +- xmalloc.c | 12 +- xmalloc.h | 3 +- 154 files changed, 10981 insertions(+), 8090 deletions(-) create mode 100644 platform-pledge.c create mode 100755 regress/cert-file.sh create mode 100644 regress/check-perm.c delete mode 100644 roaming_client.c delete mode 100644 roaming_common.c delete mode 100644 roaming_dummy.c delete mode 100644 roaming_serv.c create mode 100644 sandbox-pledge.c create mode 100644 sandbox-solaris.c diff --git a/ChangeLog b/ChangeLog index 35a1a76..b01bb56 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7615 +1,8907 @@ -commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443 -Author: Damien Miller -Date: Thu Jan 14 11:08:19 2016 +1100 +commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 +Author: Darren Tucker +Date: Fri Feb 26 14:40:04 2016 +1100 - bump version numbers + Add a note about using xlc on AIX. + +commit fd4e4f2416baa2e6565ea49d52aade296bad3e28 +Author: Darren Tucker +Date: Wed Feb 24 10:44:25 2016 +1100 + + Skip PrintLastLog in config dump mode. + + When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the + config dump since it'll be reported as UNKNOWN. -commit 302bc21e6fadacb04b665868cd69b625ef69df90 +commit 99135c764fa250801da5ec3b8d06cbd0111caae8 Author: Damien Miller -Date: Thu Jan 14 11:04:04 2016 +1100 +Date: Tue Feb 23 20:17:23 2016 +1100 - openssh-7.1p2 + update spec/README versions ahead of release -commit 6b33763242c063e4e0593877e835eeb1fd1b60aa +commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5 Author: Damien Miller -Date: Thu Jan 14 11:02:58 2016 +1100 +Date: Tue Feb 23 20:16:53 2016 +1100 - forcibly disable roaming support in the client + put back portable patchlevel to p1 -commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13 +commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f Author: djm@openbsd.org -Date: Mon Oct 5 17:11:21 2015 +0000 +Date: Tue Feb 23 09:14:34 2016 +0000 upstream commit - some more bzero->explicit_bzero, from Michael McConville + openssh-7.2 - Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0 + Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78 -commit 8f5b93026797b9f7fba90d0c717570421ccebbd3 -Author: guenther@openbsd.org -Date: Fri Sep 11 08:50:04 2015 +0000 +commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf +Author: Damien Miller +Date: Tue Feb 23 16:12:13 2016 +1100 - upstream commit - - Use explicit_bzero() when zeroing before free() + Disable tests where fs perms are incorrect - from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu) - ok millert@ djm@ + Some tests have strict requirements on the filesystem permissions + for certain files and directories. This adds a regress/check-perm + tool that copies the relevant logic from sshd to exactly test + the paths in question. This lets us skip tests when the local + filesystem doesn't conform to our expectations rather than + continuing and failing the test run. - Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50 + ok dtucker@ -commit d77148e3a3ef6c29b26ec74331455394581aa257 -Author: djm@openbsd.org -Date: Sun Nov 8 21:59:11 2015 +0000 +commit 39f303b1f36d934d8410b05625f25c7bcb75db4d +Author: Damien Miller +Date: Tue Feb 23 12:56:59 2016 +1100 - upstream commit + fix sandbox on OSX Lion - fix OOB read in packet code caused by missing return - statement found by Ben Hawkes; ok markus@ deraadt@ + sshd was failing with: - Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 - -commit 076d849e17ab12603627f87b301e2dca71bae518 -Author: Damien Miller -Date: Sat Nov 14 18:44:49 2015 +1100 - - read back from libcrypto RAND when privdropping + ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw + image not found [preauth] - makes certain libcrypto implementations cache a /dev/urandom fd - in preparation of sandboxing. Based on patch by Greg Hartman. + caused by chroot before sandboxing. Avoid by explicitly linking libsandbox + to sshd. Spotted by Darren. -commit f72adc0150011a28f177617a8456e1f83733099d +commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4 Author: djm@openbsd.org -Date: Sun Dec 13 22:42:23 2015 +0000 +Date: Tue Feb 23 01:34:14 2016 +0000 upstream commit - unbreak connections with peers that set - first_kex_follows; fix from Matt Johnston va bz#2515 + fix spurious error message when incorrect passphrase + entered for keys; reported by espie@ ok deraadt@ - Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b + Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899 -commit 04bd8d019ccd906cac1a2b362517b8505f3759e6 -Author: djm@openbsd.org -Date: Tue Jan 12 23:42:54 2016 +0000 +commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc +Author: sobrado@openbsd.org +Date: Sat Feb 20 23:06:23 2016 +0000 upstream commit - use explicit_bzero() more liberally in the buffer code; ok - deraadt + set ssh(1) protocol version to 2 only. - Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf + ok djm@ + + Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10 -commit e91346dc2bbf460246df2ab591b7613908c1b0ad -Author: Damien Miller -Date: Fri Aug 21 14:49:03 2015 +1000 +commit 9262e07826ba5eebf8423f7ac9e47ec488c47869 +Author: sobrado@openbsd.org +Date: Sat Feb 20 23:02:39 2016 +0000 - we don't use Github for issues/pull-requests + upstream commit + + add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to + IdentityFile. + + ok djm@ + + Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf -commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23 -Author: Damien Miller -Date: Fri Aug 21 14:43:55 2015 +1000 +commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5 +Author: sobrado@openbsd.org +Date: Sat Feb 20 23:01:46 2016 +0000 - fix URL for connect.c + upstream commit + + AddressFamily defaults to any. + + ok djm@ + + Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c -commit d026a8d3da0f8186598442997c7d0a28e7275414 -Author: Damien Miller -Date: Fri Aug 21 13:47:10 2015 +1000 +commit 907091acb188b1057d50c2158f74c3ecf1c2302b +Author: Darren Tucker +Date: Fri Feb 19 09:05:39 2016 +1100 - update version numbers for 7.1 + Make Solaris privs code build on older systems. + + Not all systems with Solaris privs have priv_basicset so factor that + out and provide backward compatibility code. Similarly, not all have + PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from + alex at cooperi.net and djm@ with help from carson at taltos.org and + wieland at purdue.edu. -commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed +commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59 Author: djm@openbsd.org -Date: Fri Aug 21 03:45:26 2015 +0000 +Date: Wed Feb 17 22:20:14 2016 +0000 upstream commit - openssh-7.1 + rekey refactor broke SSH1; spotted by Tom G. Christensen - Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f + Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243 -commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf +commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca Author: djm@openbsd.org -Date: Fri Aug 21 03:42:19 2015 +0000 +Date: Wed Feb 17 08:57:34 2016 +0000 upstream commit - fix inverted logic that broke PermitRootLogin; reported - by Mantas Mikulenas; ok markus@ + rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly + in *KeyTypes options yet. Remove them from the lists of algorithms for now. + committing on behalf of markus@ ok djm@ - Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5 + Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7 -commit ce445b0ed927e45bd5bdce8f836eb353998dd65c -Author: deraadt@openbsd.org -Date: Thu Aug 20 22:32:42 2015 +0000 +commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b +Author: jmc@openbsd.org +Date: Wed Feb 17 07:38:19 2016 +0000 upstream commit - Do not cast result of malloc/calloc/realloc* if stdlib.h - is in scope ok krw millert - - Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667 - -commit 05291e5288704d1a98bacda269eb5a0153599146 -Author: naddy@openbsd.org -Date: Thu Aug 20 19:20:06 2015 +0000 - - upstream commit + since these pages now clearly tell folks to avoid v1, + normalise the docs from a v2 perspective (i.e. stop pointing out which bits + are v2 only); - In the certificates section, be consistent about using - "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@ + ok/tweaks djm ok markus - Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb + Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129 -commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4 +commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d Author: djm@openbsd.org -Date: Wed Aug 19 23:21:42 2015 +0000 +Date: Wed Feb 17 05:29:04 2016 +0000 upstream commit - Better compat matching for WinSCP, add compat matching - for FuTTY (fork of PuTTY); ok markus@ deraadt@ + make sandboxed privilege separation the default, not just + for new installs; "absolutely" deraadt@ - Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389 + Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b -commit ec6eda16ebab771aa3dfc90629b41953b999cb1e -Author: djm@openbsd.org -Date: Wed Aug 19 23:19:01 2015 +0000 +commit eb3f7337a651aa01d5dec019025e6cdc124ed081 +Author: jmc@openbsd.org +Date: Tue Feb 16 07:47:54 2016 +0000 upstream commit - fix double-free() in error path of DSA key generation - reported by Mateusz Kocielski; ok markus@ + no need to state that protocol 2 is the default twice; - Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c + Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb -commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b +commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005 Author: djm@openbsd.org -Date: Wed Aug 19 23:18:26 2015 +0000 +Date: Tue Feb 16 05:11:04 2016 +0000 upstream commit - fix free() of uninitialised pointer reported by Mateusz - Kocielski; ok markus@ + Replace list of ciphers and MACs adjacent to -1/-2 flag + descriptions in ssh(1) with a strong recommendation not to use protocol 1. + Add a similar warning to the Protocol option descriptions in ssh_config(5) + and sshd_config(5); - Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663 + prompted by and ok mmcc@ + + Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e -commit c837643b93509a3ef538cb6624b678c5fe32ff79 +commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2 Author: djm@openbsd.org -Date: Wed Aug 19 23:17:51 2015 +0000 +Date: Tue Feb 16 03:37:48 2016 +0000 upstream commit - fixed unlink([uninitialised memory]) reported by Mateusz - Kocielski; ok markus@ + add a "Close session" log entry (at loglevel=verbose) to + correspond to the existing "Starting session" one. Also include the session + id number to make multiplexed sessions more apparent. - Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109 + feedback and ok dtucker@ + + Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c -commit 1f8d3d629cd553031021068eb9c646a5f1e50994 -Author: jmc@openbsd.org -Date: Fri Aug 14 15:32:41 2015 +0000 +commit 624fd395b559820705171f460dd33d67743d13d6 +Author: djm@openbsd.org +Date: Wed Feb 17 02:24:17 2016 +0000 upstream commit - match myproposal.h order; from brian conway (i snuck in a - tweak while here) - - ok dtucker + include bad $SSH_CONNECTION in failure output - Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67 + Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529 -commit 1dc8d93ce69d6565747eb44446ed117187621b26 -Author: deraadt@openbsd.org -Date: Thu Aug 6 14:53:21 2015 +0000 +commit 60d860e54b4f199e5e89963b1c086981309753cb +Author: Darren Tucker +Date: Wed Feb 17 13:37:09 2016 +1100 - upstream commit - - add prohibit-password as a synonymn for without-password, - since the without-password is causing too many questions. Harden it to ban - all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from - djm, ok markus + Rollback addition of va_start. - Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a + va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however + it has the wrong number of args and it's not usable in non-variadic + functions anyway so it breaks things (for example Solaris 2.6 as + reported by Tom G. Christensen).i ok djm@ -commit 90a95a4745a531b62b81ce3b025e892bdc434de5 -Author: Damien Miller -Date: Tue Aug 11 13:53:41 2015 +1000 +commit 2fee909c3cee2472a98b26eb82696297b81e0d38 +Author: Darren Tucker +Date: Wed Feb 17 09:48:15 2016 +1100 - update version in README + Look for gethostbyname in libresolv and libnsl. + + Should fix build problem on Solaris 2.6 reported by Tom G. Christensen. -commit 318c37743534b58124f1bab37a8a0087a3a9bd2f +commit 5ac712d81a84396aab441a272ec429af5b738302 Author: Damien Miller -Date: Tue Aug 11 13:53:09 2015 +1000 +Date: Tue Feb 16 10:45:02 2016 +1100 - update versions in *.spec + make existing ssh_malloc_init only for __OpenBSD__ -commit 5e75f5198769056089fb06c4d738ab0e5abc66f7 -Author: Damien Miller -Date: Tue Aug 11 13:34:12 2015 +1000 +commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec +Author: djm@openbsd.org +Date: Mon Feb 15 23:32:37 2016 +0000 - set sshpam_ctxt to NULL after free + upstream commit - Avoids use-after-free in monitor when privsep child is compromised. - Reported by Moritz Jodeit; ok dtucker@ - -commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b -Author: Damien Miller -Date: Tue Aug 11 13:33:24 2015 +1000 - - Don't resend username to PAM; it already has it. + memleak of algorithm name in mm_answer_sign; reported by + Jakub Jelen - Pointed out by Moritz Jodeit; ok dtucker@ - -commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca -Author: Darren Tucker -Date: Mon Jul 27 12:14:25 2015 +1000 - - Import updated moduli file from OpenBSD. + Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08 -commit 55b263fb7cfeacb81aaf1c2036e0394c881637da -Author: Damien Miller -Date: Mon Aug 10 11:13:44 2015 +1000 +commit ffb1e7e896139a42ceb78676f637658f44612411 +Author: dtucker@openbsd.org +Date: Mon Feb 15 09:47:49 2016 +0000 - let principals-command.sh work for noexec /var/run + upstream commit + + Add a function to enable security-related malloc_options. + With and ok deraadt@, something similar has been in the snaps for a while. + + Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed -commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897 +commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c Author: Damien Miller -Date: Thu Aug 6 11:43:42 2015 +1000 +Date: Tue Feb 16 10:34:39 2016 +1100 - work around echo -n / sed behaviour in tests + sync ssh-copy-id with upstream 783ef08b0a75 -commit d85dad81778c1aa8106acd46930b25fdf0d15b2a +commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd Author: djm@openbsd.org -Date: Wed Aug 5 05:27:33 2015 +0000 +Date: Fri Feb 12 00:20:30 2016 +0000 upstream commit - adjust for RSA minimum modulus switch; ok deraadt@ + avoid fatal() for PKCS11 tokens that present empty key IDs + bz#1773, ok markus@ - Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae + Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54 -commit 57e8e229bad5fe6056b5f1199665f5f7008192c6 +commit e4c918a6c721410792b287c9fd21356a1bed5805 Author: djm@openbsd.org -Date: Tue Aug 4 05:23:06 2015 +0000 +Date: Thu Feb 11 02:56:32 2016 +0000 upstream commit - backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this - release; problems spotted by sthen@ ok deraadt@ markus@ + sync crypto algorithm lists in ssh_config(5) and + sshd_config(5) with current reality. bz#2527 - Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822 + Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6 -commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a +commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517 Author: djm@openbsd.org -Date: Sun Aug 2 09:56:42 2015 +0000 +Date: Thu Feb 11 02:21:34 2016 +0000 upstream commit - openssh 7.0; ok deraadt@ + fix regression in openssh-6.8 sftp client: existing + destination directories would incorrectly terminate recursive uploads; + bz#2528 - Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f + Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18 -commit 3d5728a0f6874ce4efb16913a12963595070f3a9 -Author: chris@openbsd.org -Date: Fri Jul 31 15:38:09 2015 +0000 +commit 714e367226ded4dc3897078be48b961637350b05 +Author: djm@openbsd.org +Date: Tue Feb 9 05:30:04 2016 +0000 upstream commit - Allow PermitRootLogin to be overridden by config - - ok markus@ deeradt@ + turn off more old crypto in the client: hmac-md5, ripemd, + truncated HMACs, RC4, blowfish. ok markus@ dtucker@ - Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4 + Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e -commit 6f941396b6835ad18018845f515b0c4fe20be21a +commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3 Author: djm@openbsd.org -Date: Thu Jul 30 23:09:15 2015 +0000 +Date: Mon Feb 8 23:40:12 2016 +0000 upstream commit - fix pty permissions; patch from Nikolay Edigaryev; ok - deraadt + don't attempt to percent_expand() already-canonicalised + addresses, avoiding unnecessary failures when attempting to connect to scoped + IPv6 addresses (that naturally contain '%' characters) - Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550 + Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a -commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0 -Author: deraadt@openbsd.org -Date: Thu Jul 30 19:23:02 2015 +0000 +commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a +Author: djm@openbsd.org +Date: Mon Feb 8 10:57:07 2016 +0000 upstream commit - change default: PermitRootLogin without-password matching - install script changes coming as well ok djm markus + refactor activation of rekeying - Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6 + This makes automatic rekeying internal to the packet code (previously + the server and client loops needed to assist). In doing to it makes + application of rekey limits more accurate by accounting for packets + about to be sent as well as packets queued during rekeying events + themselves. + + Based on a patch from dtucker@ which was in turn based on a patch + Aleksander Adamowski in bz#2521; ok markus@ + + Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8 -commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c -Author: Damien Miller -Date: Thu Jul 30 12:31:39 2015 +1000 +commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d +Author: naddy@openbsd.org +Date: Fri Feb 5 13:28:19 2016 +0000 - downgrade OOM adjustment logging: verbose -> debug + upstream commit + + Only check errno if read() has returned an error. EOF is + not an error. This fixes a problem where the mux master would sporadically + fail to notice that the client had exited. ok mikeb@ djm@ + + Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53 -commit f9eca249d4961f28ae4b09186d7dc91de74b5895 -Author: djm@openbsd.org -Date: Thu Jul 30 00:01:34 2015 +0000 +commit 56d7dac790693ce420d225119283bc355cff9185 +Author: jsg@openbsd.org +Date: Fri Feb 5 04:31:21 2016 +0000 upstream commit - Allow ssh_config and sshd_config kex parameters options be - prefixed by a '+' to indicate that the specified items be appended to the - default rather than replacing it. - - approach suggested by dtucker@, feedback dlg@, ok markus@ + avoid an uninitialised value when NumberOfPasswordPrompts + is 0 ok markus@ djm@ - Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a + Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b -commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163 +commit deae7d52d59c5019c528f977360d87fdda15d20b Author: djm@openbsd.org -Date: Wed Jul 29 08:34:54 2015 +0000 +Date: Fri Feb 5 03:07:06 2016 +0000 upstream commit - fix bug in previous; was printing incorrect string for - failed host key algorithms negotiation + mention internal DH-GEX fallback groups; bz#2302 - Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e + Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e -commit f319912b0d0e1675b8bb051ed8213792c788bcb2 +commit cac3b6665f884d46192c0dc98a64112e8b11a766 Author: djm@openbsd.org -Date: Wed Jul 29 04:43:06 2015 +0000 +Date: Fri Feb 5 02:37:56 2016 +0000 upstream commit - include the peer's offer when logging a failure to - negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@ + better description for MaxSessions; bz#2531 - Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796 + Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da -commit b6ea0e573042eb85d84defb19227c89eb74cf05a +commit 5ef4b0fdcc7a239577a754829b50022b91ab4712 +Author: Damien Miller +Date: Wed Jan 27 17:45:56 2016 +1100 + + avoid FreeBSD RCS Id in comment + + Change old $FreeBSD version string in comment so it doesn't + become an RCS ident downstream; requested by des AT des.no + +commit 696d12683c90d20a0a9c5f4275fc916b7011fb04 Author: djm@openbsd.org -Date: Tue Jul 28 23:20:42 2015 +0000 +Date: Thu Feb 4 23:43:48 2016 +0000 upstream commit - add Cisco to the list of clients that choke on the - hostkeys update extension. Pointed out by Howard Kash + printf argument casts to avoid warnings on strict + compilers - Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84 + Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c -commit 3f628c7b537291c1019ce86af90756fb4e66d0fd -Author: guenther@openbsd.org -Date: Mon Jul 27 16:29:23 2015 +0000 +commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a +Author: millert@openbsd.org +Date: Mon Feb 1 21:18:17 2016 +0000 upstream commit - Permit kbind(2) use in the sandbox now, to ease testing - of ld.so work using it - - reminded by miod@, ok deraadt@ + Avoid ugly "DISPLAY "(null)" invalid; disabling X11 + forwarding" message when DISPLAY is not set. This could also result in a + crash on systems with a printf that doesn't handle NULL. OK djm@ - Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413 + Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412 -commit ebe27ebe520098bbc0fe58945a87ce8490121edb -Author: millert@openbsd.org -Date: Mon Jul 20 18:44:12 2015 +0000 +commit 537f88ec7bcf40bd444ac5584c707c5588c55c43 +Author: dtucker@openbsd.org +Date: Fri Jan 29 05:18:15 2016 +0000 upstream commit - Move .Pp before .Bl, not after to quiet mandoc -Tlint. - Noticed by jmc@ + Add regression test for RekeyLimit parsing of >32bit values + (4G and 8G). - Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23 + Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328 -commit d5d91d0da819611167782c66ab629159169d94d4 -Author: millert@openbsd.org -Date: Mon Jul 20 18:42:35 2015 +0000 +commit 4c6cb8330460f94e6c7ae28a364236d4188156a3 +Author: dtucker@openbsd.org +Date: Fri Jan 29 23:04:46 2016 +0000 upstream commit - Sync usage with SYNOPSIS + Remove leftover roaming dead code. ok djm markus. - Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7 + Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be -commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743 -Author: millert@openbsd.org -Date: Mon Jul 20 15:39:52 2015 +0000 +commit 28136471809806d6246ef41e4341467a39fe2f91 +Author: djm@openbsd.org +Date: Fri Jan 29 05:46:01 2016 +0000 upstream commit - Better desciption of Unix domain socket forwarding. - bz#2423; ok jmc@ + include packet type of non-data packets in debug3 output; + ok markus dtucker - Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d + Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41 -commit d56fd1828074a4031b18b8faa0bf949669eb18a0 -Author: Damien Miller -Date: Mon Jul 20 11:19:51 2015 +1000 - - make realpath.c compile -Wsign-compare clean - -commit c63c9a691dca26bb7648827f5a13668832948929 -Author: djm@openbsd.org -Date: Mon Jul 20 00:30:01 2015 +0000 +commit 6fd6e28daccafaa35f02741036abe64534c361a1 +Author: dtucker@openbsd.org +Date: Fri Jan 29 03:31:03 2016 +0000 upstream commit - mention that the default of UseDNS=no implies that - hostnames cannot be used for host matching in sshd_config and - authorized_keys; bz#2045, ok dtucker@ + Revert "account for packets buffered but not yet + processed" change as it breaks for very small RekeyLimit values due to + continuous rekeying. ok djm@ - Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1 + Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19 -commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76 -Author: djm@openbsd.org -Date: Sat Jul 18 08:02:17 2015 +0000 +commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb +Author: dtucker@openbsd.org +Date: Fri Jan 29 02:54:45 2016 +0000 upstream commit - don't ignore PKCS#11 hosted keys that return empty - CKA_ID; patch by Jakub Jelen via bz#2429; ok markus + Allow RekeyLimits in excess of 4G up to 2**63 bits + (limited by the return type of scan_scaled). Part of bz#2521, ok djm. - Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485 + Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979 -commit b15fd989c8c62074397160147a8d5bc34b3f3c63 -Author: djm@openbsd.org -Date: Sat Jul 18 08:00:21 2015 +0000 +commit c0060a65296f01d4634f274eee184c0e93ba0f23 +Author: dtucker@openbsd.org +Date: Fri Jan 29 02:42:46 2016 +0000 upstream commit - skip uninitialised PKCS#11 slots; patch from Jakub Jelen - in bz#2427 ok markus@ + Account for packets buffered but not yet processed when + computing whether or not it is time to perform rekeying. bz#2521, based + loosely on a patch from olo at fb.com, ok djm@ - Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29 + Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c -commit 5b64f85bb811246c59ebab70aed331f26ba37b18 +commit 44cf930e670488c85c9efeb373fa5f4b455692ac Author: djm@openbsd.org -Date: Sat Jul 18 07:57:14 2015 +0000 +Date: Wed Jan 27 06:44:58 2016 +0000 upstream commit - only query each keyboard-interactive device once per - authentication request regardless of how many times it is listed; ok markus@ + change old $FreeBSD version string in comment so it doesn't + become an RCS ident downstream; requested by des AT des.no - Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1 + Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722 -commit cd7324d0667794eb5c236d8a4e0f236251babc2d +commit ebacd377769ac07d1bf3c75169644336056b7060 Author: djm@openbsd.org -Date: Fri Jul 17 03:34:27 2015 +0000 +Date: Wed Jan 27 00:53:12 2016 +0000 upstream commit - remove -u flag to diff (only used for error output) to make - things easier for -portable + make the debug messages a bit more useful here - Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548 + Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64 -commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a -Author: djm@openbsd.org -Date: Fri Jul 17 03:09:19 2015 +0000 +commit 458abc2934e82034c5c281336d8dc0f910aecad3 +Author: jsg@openbsd.org +Date: Sat Jan 23 05:31:35 2016 +0000 upstream commit - direct-streamlocal@openssh.com Unix domain foward - messages do not contain a "reserved for future use" field and in fact, - serverloop.c checks that there isn't one. Remove erroneous mention from - PROTOCOL description. bz#2421 from Daniel Black + Zero a stack buffer with explicit_bzero() instead of + memset() when returning from client_loop() for consistency with + buffer_free()/sshbuf_free(). - Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac + ok dtucker@ deraadt@ djm@ + + Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66 -commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52 -Author: djm@openbsd.org -Date: Fri Jul 17 03:04:27 2015 +0000 +commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0 +Author: dtucker@openbsd.org +Date: Wed Jan 20 09:22:39 2016 +0000 upstream commit - describe magic for setting up Unix domain socket fowards - via the mux channel; bz#2422 patch from Daniel Black + Include sys/time.h for gettimeofday. From sortie at + maxsi.org. - Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861 + Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b -commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc -Author: Darren Tucker -Date: Fri Jul 17 12:52:34 2015 +1000 +commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a +Author: markus@openbsd.org +Date: Thu Jan 14 22:56:56 2016 +0000 - Check if realpath works on nonexistent files. - - On some platforms the native realpath doesn't work with non-existent - files (this is actually specified in some versions of POSIX), however - the sftp spec says its realpath with "canonicalize any given path name". - On those platforms, use realpath from the compat library. + upstream commit - In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines - the realpath symbol to the checked version, so redefine ours to - something else so we pick up the compat version we want. + fd leaks; report Qualys Security Advisory team; ok + deraadt@ - bz#2428, ok djm@ + Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d -commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0 -Author: djm@openbsd.org -Date: Fri Jul 17 02:47:45 2015 +0000 +commit a306863831c57ec5fad918687cc5d289ee8e2635 +Author: markus@openbsd.org +Date: Thu Jan 14 16:17:39 2016 +0000 upstream commit - fix incorrect test for SSH1 keys when compiled without SSH1 - support + remove roaming support; ok djm@ - Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451 + Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56 -commit df56a8035d429b2184ee94aaa7e580c1ff67f73a -Author: djm@openbsd.org -Date: Wed Jul 15 08:00:11 2015 +0000 +commit 6ef49e83e30688504552ac10875feabd5521565f +Author: deraadt@openbsd.org +Date: Thu Jan 14 14:34:34 2016 +0000 upstream commit - fix NULL-deref when SSH1 reenabled + Disable experimental client-side roaming support. Server + side was disabled/gutted for years already, but this aspect was surprisingly + forgotten. Thanks for report from Qualys - Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295 + Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df -commit 41e38c4d49dd60908484e6703316651333f16b93 +commit 8d7b523b96d3be180572d9d338cedaafc0570f60 +Author: Damien Miller +Date: Thu Jan 14 11:08:19 2016 +1100 + + bump version numbers + +commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca +Author: Damien Miller +Date: Thu Jan 14 11:04:04 2016 +1100 + + openssh-7.1p2 + +commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5 +Author: Damien Miller +Date: Fri Jan 15 01:30:36 2016 +1100 + + forcibly disable roaming support in the client + +commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Author: djm@openbsd.org -Date: Wed Jul 15 07:19:50 2015 +0000 +Date: Wed Jan 13 23:04:47 2016 +0000 upstream commit - regen RSA1 test keys; the last batch was missing their - private parts + eliminate fallback from untrusted X11 forwarding to trusted + forwarding when the X server disables the SECURITY extension; Reported by + Thomas Hoger; ok deraadt@ - Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a + Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938 -commit 5bf0933184cb622ca3f96d224bf3299fd2285acc -Author: markus@openbsd.org -Date: Fri Jul 10 06:23:25 2015 +0000 +commit 9a728cc918fad67c8a9a71201088b1e150340ba4 +Author: djm@openbsd.org +Date: Tue Jan 12 23:42:54 2016 +0000 upstream commit - Adapt tests, now that DSA if off by default; use - PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA. + use explicit_bzero() more liberally in the buffer code; ok + deraadt - Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c + Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf -commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc -Author: markus@openbsd.org -Date: Tue Jul 7 14:54:16 2015 +0000 +commit 4626cbaf78767fc8e9c86dd04785386c59ae0839 +Author: Damien Miller +Date: Fri Jan 8 14:24:56 2016 +1100 - upstream commit + Support Illumos/Solaris fine-grained privileges - regen test data after mktestdata.sh changes + Includes a pre-auth privsep sandbox and several pledge() + emulations. bz#2511, patch by Alex Wilson. - Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4 + ok dtucker@ -commit 7c8c174c69f681d4910fa41c37646763692b28e2 -Author: markus@openbsd.org -Date: Tue Jul 7 14:53:30 2015 +0000 +commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d +Author: djm@openbsd.org +Date: Thu Dec 31 00:33:52 2015 +0000 upstream commit - adapt tests to new minimum RSA size and default FP format + fix three bugs in KRL code related to (unused) signature + support: verification length was being incorrectly calculated, multiple + signatures were being incorrectly processed and a NULL dereference that + occurred when signatures were verified. Reported by Carl Jackson - Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e + Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b -commit 6a977a4b68747ade189e43d302f33403fd4a47ac +commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a Author: djm@openbsd.org -Date: Fri Jul 3 04:39:23 2015 +0000 +Date: Wed Dec 30 23:46:14 2015 +0000 upstream commit - legacy v00 certificates are gone; adapt and don't try to - test them; "sure" markus@ dtucker@ + unused prototype - Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12 + Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97 -commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385 -Author: djm@openbsd.org -Date: Wed Jul 1 23:11:18 2015 +0000 +commit 6213f0e180e54122bb1ba928e11c784e2b4e5380 +Author: guenther@openbsd.org +Date: Sat Dec 26 20:51:35 2015 +0000 upstream commit - don't expect SSH v.1 in unittests + Use pread/pwrite instead separate lseek+read/write for + lastlog. Cast to off_t before multiplication to avoid truncation on ILP32 - Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397 + ok kettenis@ mmcc@ + + Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf -commit 3c099845798a817cdde513c39074ec2063781f18 -Author: djm@openbsd.org -Date: Mon Jun 15 06:38:50 2015 +0000 +commit d7d2bc95045a43dd56ea696cc1d030ac9d77e81f +Author: semarie@openbsd.org +Date: Sat Dec 26 07:46:03 2015 +0000 upstream commit - turn SSH1 back on to match src/usr.bin/ssh being tested + adjust pledge promises for ControlMaster: when using + "ask" or "autoask", the process will use ssh-askpass for asking confirmation. - Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333 + problem found by halex@ + + ok halex@ + + Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80 -commit b1dc2b33689668c75e95f873a42d5aea1f4af1db -Author: dtucker@openbsd.org -Date: Mon Jul 13 04:57:14 2015 +0000 +commit 271df8185d9689b3fb0523f58514481b858f6843 +Author: djm@openbsd.org +Date: Sun Dec 13 22:42:23 2015 +0000 upstream commit - Add "PuTTY_Local:" to the clients to which we do not - offer DH-GEX. This was the string that was used for development versions - prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately - there are some extant products based on those versions. bx2424 from Jay - Rouman, ok markus@ djm@ + unbreak connections with peers that set + first_kex_follows; fix from Matt Johnston va bz#2515 - Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5 + Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b -commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 -Author: markus@openbsd.org -Date: Fri Jul 10 06:21:53 2015 +0000 +commit 43849a47c5f8687699eafbcb5604f6b9c395179f +Author: doug@openbsd.org +Date: Fri Dec 11 17:41:37 2015 +0000 upstream commit - Turn off DSA by default; add HostKeyAlgorithms to the - server and PubkeyAcceptedKeyTypes to the client side, so it still can be - tested or turned back on; feedback and ok djm@ + Add "id" to ssh-agent pledge for subprocess support. - Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21 + Found the hard way by Jan Johansson when using ssh-agent with X. Also, + rearranged proc/exec and retval to match other pledge calls in the tree. + + ok djm@ + + Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db -commit 16db0a7ee9a87945cc594d13863cfcb86038db59 -Author: markus@openbsd.org -Date: Thu Jul 9 09:49:46 2015 +0000 +commit 52d7078421844b2f88329f5be3de370b0a938636 +Author: mmcc@openbsd.org +Date: Fri Dec 11 04:21:11 2015 +0000 upstream commit - re-enable ed25519-certs if compiled w/o openssl; ok djm + Remove NULL-checks before sshbuf_free(). - Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49 + ok djm@ + + Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917 -commit c355bf306ac33de6545ce9dac22b84a194601e2f -Author: markus@openbsd.org -Date: Wed Jul 8 20:24:02 2015 +0000 +commit a4b9e0f4e4a6980a0eb8072f76ea611cab5b77e7 +Author: djm@openbsd.org +Date: Fri Dec 11 03:24:25 2015 +0000 upstream commit - no need to include the old buffer/key API + include remote port number in a few more messages; makes + tying log messages together into a session a bit easier; bz#2503 ok dtucker@ - Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b + Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e -commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee -Author: markus@openbsd.org -Date: Wed Jul 8 19:09:25 2015 +0000 +commit 6091c362e89079397e68744ae30df121b0a72c07 +Author: djm@openbsd.org +Date: Fri Dec 11 03:20:09 2015 +0000 upstream commit - typedefs for Cipher&CipherContext are unused + don't try to load SSHv1 private key when compiled without + SSHv1 support. From Iain Morgan bz#2505 - Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7 + Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7 -commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0 -Author: markus@openbsd.org -Date: Wed Jul 8 19:04:21 2015 +0000 +commit cce6a36bb95e81fa8bfb46daf22eabcf13afc352 +Author: djm@openbsd.org +Date: Fri Dec 11 03:19:09 2015 +0000 upstream commit - xmalloc.h is unused + use SSH_MAX_PUBKEY_BYTES consistently as buffer size when + reading key files. Increase it to match the size of the buffers already being + used. - Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58 + Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae -commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31 -Author: markus@openbsd.org -Date: Wed Jul 8 19:01:15 2015 +0000 +commit 89540b6de025b80404a0cb8418c06377f3f98848 +Author: mmcc@openbsd.org +Date: Fri Dec 11 02:31:47 2015 +0000 upstream commit - compress.c is gone + Remove NULL-checks before sshkey_free(). - Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced + ok djm@ + + Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52 -commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615 -Author: djm@openbsd.org -Date: Fri Jul 3 04:05:54 2015 +0000 +commit 79394ed6d74572c2d2643d73937dad33727fc240 +Author: dtucker@openbsd.org +Date: Fri Dec 11 02:29:03 2015 +0000 upstream commit - another SSH_RSA_MINIMUM_MODULUS_SIZE that needed - cranking + fflush stdout so that output is seen even when running in + debug mode when output may otherwise not be flushed. Patch from dustin at + null-ptr.net. - Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1 + Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc -commit b1f383da5cd3cb921fc7776f17a14f44b8a31757 -Author: djm@openbsd.org -Date: Fri Jul 3 03:56:25 2015 +0000 +commit ee607cccb6636eb543282ba90e0677b0604d8b7a +Author: Darren Tucker +Date: Tue Dec 15 15:23:49 2015 +1100 - upstream commit + Increase robustness of redhat/openssh.spec - add an XXX reminder for getting correct key paths from - sshd_config + - remove configure --with-rsh, because this option isn't supported anymore + - replace last occurrence of BuildPreReq by BuildRequires + - update grep statement to query the krb5 include directory - Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db + Patch from CarstenGrohmann via github, ok djm. -commit 933935ce8d093996c34d7efa4d59113163080680 -Author: djm@openbsd.org -Date: Fri Jul 3 03:49:45 2015 +0000 +commit b5fa0cd73555b991a543145603658d7088ec6b60 +Author: Darren Tucker +Date: Tue Dec 15 15:10:32 2015 +1100 - upstream commit + Allow --without-ssl-engine with --without-openssl - refuse to generate or accept RSA keys smaller than 1024 - bits; feedback and ok dtucker@ - - Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba + Patch from Mike Frysinger via github. -commit bdfd29f60b74f3e678297269dc6247a5699583c1 -Author: djm@openbsd.org -Date: Fri Jul 3 03:47:00 2015 +0000 +commit c1d7e546f6029024f3257cc25c92f2bddf163125 +Author: Darren Tucker +Date: Tue Dec 15 14:27:09 2015 +1100 - upstream commit + Include openssl crypto.h for SSLeay. - turn off 1024 bit diffie-hellman-group1-sha1 key - exchange method (already off in server, this turns it off in the client by - default too) ok dtucker@ + Patch from doughdemon via github. + +commit c6f5f01651526e88c00d988ce59d71f481ebac62 +Author: Darren Tucker +Date: Tue Dec 15 13:59:12 2015 +1100 + + Add sys/time.h for gettimeofday. - Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa + Should allow it it compile with MUSL libc. Based on patch from + doughdemon via github. -commit c28fc62d789d860c75e23a9fa9fb250eb2beca57 +commit 39736be06c7498ef57d6970f2d85cf066ae57c82 Author: djm@openbsd.org -Date: Fri Jul 3 03:43:18 2015 +0000 +Date: Fri Dec 11 02:20:28 2015 +0000 upstream commit - delete support for legacy v00 certificates; "sure" - markus@ dtucker@ + correct error messages; from Tomas Kuthan bz#2507 - Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f + Upstream-ID: 7454a0affeab772398052954c79300aa82077093 -commit 564d63e1b4a9637a209d42a9d49646781fc9caef -Author: djm@openbsd.org -Date: Wed Jul 1 23:10:47 2015 +0000 +commit 94141b7ade24afceeb6762a3f99e09e47a6c42b6 +Author: mmcc@openbsd.org +Date: Fri Dec 11 00:20:04 2015 +0000 upstream commit - Compile-time disable SSH v.1 again + Pass (char *)NULL rather than (char *)0 to execl and + execlp. - Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af + ok dtucker@ + + Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492 -commit 868109b650504dd9bcccdb1f51d0906f967c20ff -Author: djm@openbsd.org -Date: Wed Jul 1 02:39:06 2015 +0000 +commit d59ce08811bf94111c2f442184cf7d1257ffae24 +Author: mmcc@openbsd.org +Date: Thu Dec 10 17:08:40 2015 +0000 upstream commit - twiddle PermitRootLogin back + Remove NULL-checks before free(). - Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2 + ok dtucker@ + + Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8 -commit 7de4b03a6e4071d454b72927ffaf52949fa34545 -Author: djm@openbsd.org -Date: Wed Jul 1 02:32:17 2015 +0000 +commit 8e56dd46cb37879c73bce2d6032cf5e7f82d5a71 +Author: mmcc@openbsd.org +Date: Thu Dec 10 07:01:35 2015 +0000 upstream commit - twiddle; (this commit marks the openssh-6.9 release) + Fix a couple "the the" typos. ok dtucker@ - Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234 + Upstream-ID: ec364c5af32031f013001fd28d1bd3dfacfe9a72 -commit 1bf477d3cdf1a864646d59820878783d42357a1d -Author: djm@openbsd.org -Date: Wed Jul 1 02:26:31 2015 +0000 +commit 6262a0522ddc2c0f2e9358dcb68d59b46e9c533e +Author: markus@openbsd.org +Date: Mon Dec 7 20:04:09 2015 +0000 upstream commit - better refuse ForwardX11Trusted=no connections attempted - after ForwardX11Timeout expires; reported by Jann Horn + stricter encoding type checks for ssh-rsa; ok djm@ - Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21 + Upstream-ID: 8cca7c787599a5e8391e184d0b4f36fdc3665650 -commit 47aa7a0f8551b471fcae0447c1d78464f6dba869 -Author: djm@openbsd.org -Date: Wed Jul 1 01:56:13 2015 +0000 +commit d86a3ba7af160c13496102aed861ae48a4297072 +Author: Damien Miller +Date: Wed Dec 9 09:18:45 2015 +1100 - upstream commit + Don't set IPV6_V6ONLY on OpenBSD - put back default PermitRootLogin=no - - Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728 + It isn't necessary and runs afoul of pledge(2) restrictions. -commit 984b064fe2a23733733262f88d2e1b2a1a501662 +commit da98c11d03d819a15429d8fff9688acd7505439f Author: djm@openbsd.org -Date: Wed Jul 1 01:55:13 2015 +0000 +Date: Mon Dec 7 02:20:46 2015 +0000 upstream commit - openssh-6.9 + basic unit tests for rsa-sha2-* signature types - Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45 + Upstream-Regress-ID: 7dc4b9db809d578ff104d591b4d86560c3598d3c -commit d921082ed670f516652eeba50705e1e9f6325346 -Author: djm@openbsd.org -Date: Wed Jul 1 01:55:00 2015 +0000 +commit 3da893fdec9936dd2c23739cdb3c0c9d4c59fca0 +Author: markus@openbsd.org +Date: Sat Dec 5 20:53:21 2015 +0000 upstream commit - reset default PermitRootLogin to 'yes' (momentarily, for - release) + prefer rsa-sha2-512 over -256 for hostkeys, too; noticed + by naddy@ - Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24 + Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe -commit 66295e0e1ba860e527f191b6325d2d77dec4dbce -Author: Damien Miller -Date: Wed Jul 1 11:49:12 2015 +1000 +commit 8b56e59714d87181505e4678f0d6d39955caf10e +Author: tobias@openbsd.org +Date: Fri Dec 4 21:51:06 2015 +0000 - crank version numbers for release + upstream commit + + Properly handle invalid %-format by calling fatal. + + ok deraadt, djm + + Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac -commit 37035c07d4f26bb1fbe000d2acf78efdb008681d -Author: Damien Miller -Date: Wed Jul 1 10:49:37 2015 +1000 +commit 76c9fbbe35aabc1db977fb78e827644345e9442e +Author: markus@openbsd.org +Date: Fri Dec 4 16:41:28 2015 +0000 - s/--with-ssh1/--without-ssh1/ + upstream commit + + implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures + (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and + draft-ssh-ext-info-04.txt; with & ok djm@ + + Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309 -commit 629df770dbadc2accfbe1c81b3f31f876d0acd84 +commit 6064a8b8295cb5a17b5ebcfade53053377714f40 Author: djm@openbsd.org -Date: Tue Jun 30 05:25:07 2015 +0000 +Date: Fri Dec 4 00:24:55 2015 +0000 upstream commit - fatal() when a remote window update causes the window - value to overflow. Reported by Georg Wicherski, ok markus@ + clean up agent_fd handling; properly initialise it to -1 + and make tests consistent - Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351 + ok markus@ + + Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707 -commit f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2 -Author: djm@openbsd.org -Date: Tue Jun 30 05:23:25 2015 +0000 +commit b91926a97620f3e51761c271ba57aa5db790f48d +Author: semarie@openbsd.org +Date: Thu Dec 3 17:00:18 2015 +0000 upstream commit - Fix math error in remote window calculations that causes - eventual stalls for datagram channels. Reported by Georg Wicherski, ok - markus@ + pledges ssh client: - mux client: which is used when + ControlMaster is in use. will end with "stdio proc tty" (proc is to + permit sending SIGWINCH to mux master on window resize) - Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab + - client loop: several levels of pledging depending of your used options + + ok deraadt@ + + Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b -commit 52fb6b9b034fcfd24bf88cc7be313e9c31de9889 -Author: Damien Miller -Date: Tue Jun 30 16:05:40 2015 +1000 +commit bcce47466bbc974636f588b5e4a9a18ae386f64a +Author: doug@openbsd.org +Date: Wed Dec 2 08:30:50 2015 +0000 - skip IPv6-related portions on hosts without IPv6 + upstream commit - with Tim Rice + Add "cpath" to the ssh-agent pledge so the cleanup + handler can unlink(). + + ok djm@ + + Upstream-ID: 9e632991d48241d56db645602d381253a3d8c29d -commit 512caddf590857af6aa12218461b5c0441028cf5 +commit a90d001543f46716b6590c6dcc681d5f5322f8cf Author: djm@openbsd.org -Date: Mon Jun 29 22:35:12 2015 +0000 +Date: Wed Dec 2 08:00:58 2015 +0000 upstream commit - add getpid to sandbox, reachable by grace_alarm_handler - - reported by Jakub Jelen; bz#2419 + ssh-agent pledge needs proc for askpass; spotted by todd@ - Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8 + Upstream-ID: 349aa261b29cc0e7de47ef56167769c432630b2a -commit 78c2a4f883ea9aba866358e2acd9793a7f42ca93 +commit d952162b3c158a8f23220587bb6c8fcda75da551 Author: djm@openbsd.org -Date: Fri Jun 26 05:13:20 2015 +0000 +Date: Tue Dec 1 23:29:24 2015 +0000 upstream commit - Fix \-escaping bug that caused forward path parsing to skip - two characters and skip past the end of the string. + basic pledge() for ssh-agent, more refinement needed - Based on patch by Salvador Fandino; ok dtucker@ + Upstream-ID: 5b5b03c88162fce549e45e1b6dd833f20bbb5e13 + +commit f0191d7c8e76e30551084b79341886d9bb38e453 +Author: Damien Miller +Date: Mon Nov 30 10:53:25 2015 +1100 + + Revert "stub for pledge(2) for systems that lack it" - Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd + This reverts commit 14c887c8393adde2d9fd437d498be30f8c98535c. + + dtucker beat me to it :/ -commit bc20205c91c9920361d12b15d253d4997dba494a +commit 6283cc72eb0e49a3470d30e07ca99a1ba9e89676 Author: Damien Miller -Date: Thu Jun 25 09:51:39 2015 +1000 +Date: Mon Nov 30 10:37:03 2015 +1100 - add missing pselect6 + revert 7d4c7513: bring back S/Key prototypes - patch from Jakub Jelen + (but leave RCSID changes) -commit 9d27fb73b4a4e5e99cb880af790d5b1ce44f720a +commit 14c887c8393adde2d9fd437d498be30f8c98535c +Author: Damien Miller +Date: Mon Nov 30 09:45:29 2015 +1100 + + stub for pledge(2) for systems that lack it + +commit 452c0b6af5d14c37553e30059bf74456012493f3 Author: djm@openbsd.org -Date: Wed Jun 24 23:47:23 2015 +0000 +Date: Sun Nov 29 22:18:37 2015 +0000 upstream commit - correct test to sshkey_sign(); spotted by Albert S. + pledge, better fatal() messages; feedback deraadt@ - Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933 + Upstream-ID: 3e00f6ccfe2b9a7a2d1dbba5409586180801488f -commit 7ed01a96a1911d8b4a9ef4f3d064e1923bfad7e3 -Author: dtucker@openbsd.org -Date: Wed Jun 24 01:49:19 2015 +0000 +commit 6da413c085dba37127687b2617a415602505729b +Author: deraadt@openbsd.org +Date: Sat Nov 28 06:50:52 2015 +0000 upstream commit - Revert previous commit. We still want to call setgroups - in the case where there are zero groups to remove any that we might otherwise - inherit (as pointed out by grawity at gmail.com) and since the 2nd argument - to setgroups is always a static global it's always valid to dereference in - this case. ok deraadt@ djm@ + do not leak temp file if there is no known_hosts file + from craig leres, ok djm - Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01 + Upstream-ID: c820497fd5574844c782e79405c55860f170e426 -commit 882f8bf94f79528caa65b0ba71c185d705bb7195 -Author: dtucker@openbsd.org -Date: Wed Jun 24 01:49:19 2015 +0000 +commit 3ddd15e1b63a4d4f06c8ab16fbdd8a5a61764f16 +Author: Darren Tucker +Date: Mon Nov 30 07:23:53 2015 +1100 - upstream commit + Add a null implementation of pledge. - Revert previous commit. We still want to call setgroups in - the case where there are zero groups to remove any that we might otherwise - inherit (as pointed out by grawity at gmail.com) and since the 2nd argument - to setgroups is always a static global it's always valid to dereference in - this case. ok deraadt@ djm@ - - Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01 + Fixes builds on almost everything. -commit 9488538a726951e82b3a4374f3c558d72c80a89b +commit b1d6b3971ef256a08692efc409fc9ada719111cc Author: djm@openbsd.org -Date: Mon Jun 22 23:42:16 2015 +0000 +Date: Sat Nov 28 06:41:03 2015 +0000 upstream commit - Don't count successful partial authentication as failures - in monitor; this may have caused the monitor to refuse multiple - authentications that would otherwise have successfully completed; ok markus@ + don't include port number in tcpip-forward replies for + requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok + markus - Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3 + Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a -commit 63b78d003bd8ca111a736e6cea6333da50f5f09b -Author: dtucker@openbsd.org -Date: Mon Jun 22 12:29:57 2015 +0000 +commit 9080bd0b9cf10d0f13b1f642f20cb84285cb8d65 +Author: deraadt@openbsd.org +Date: Fri Nov 27 00:49:31 2015 +0000 upstream commit - Don't call setgroups if we have zero groups; there's no - guarantee that it won't try to deref the pointer. Based on a patch from mail - at quitesimple.org, ok djm deraadt + pledge "stdio rpath wpath cpath fattr tty proc exec" + except for the -p option (which sadly has insane semantics...) ok semarie + dtucker - Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1 - -commit 5c15e22c691c79a47747bcf5490126656f97cecd -Author: Damien Miller -Date: Thu Jun 18 15:07:56 2015 +1000 - - fix syntax error + Upstream-ID: 8854bbd58279abe00f6c33f8094bdc02c8c65059 -commit 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403 -Author: jsing@openbsd.org -Date: Mon Jun 15 18:44:22 2015 +0000 +commit 4d90625b229cf6b3551d81550a9861897509a65f +Author: halex@openbsd.org +Date: Fri Nov 20 23:04:01 2015 +0000 upstream commit - If AuthorizedPrincipalsCommand is specified, however - AuthorizedPrincipalsFile is not (or is set to "none"), authentication will - potentially fail due to key_cert_check_authority() failing to locate a - principal that matches the username, even though an authorized principal has - already been matched in the output of the subprocess. Fix this by using the - same logic to determine if pw->pw_name should be passed, as is used to - determine if a authorized principal must be matched earlier on. + allow comment change for all supported formats ok djm@ - Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d + Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b -commit aff3e94c0d75d0d0fa84ea392b50ab04f8c57905 -Author: jsing@openbsd.org -Date: Mon Jun 15 18:42:19 2015 +0000 +commit 8ca915fc761519dd1f7766a550ec597a81db5646 +Author: djm@openbsd.org +Date: Fri Nov 20 01:45:29 2015 +0000 upstream commit - Make the arguments to match_principals_command() similar - to match_principals_file(), by changing the last argument a struct - sshkey_cert * and dereferencing key->cert in the caller. - - No functional change. - - ok djm@ + add cast to make -Werror clean - Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c + Upstream-ID: 288db4f8f810bd475be01320c198250a04ff064d -commit 97e2e1596c202a4693468378b16b2353fd2d6c5e +commit ac9473580dcd401f8281305af98635cdaae9bf96 Author: Damien Miller -Date: Wed Jun 17 14:36:54 2015 +1000 +Date: Fri Nov 20 12:35:41 2015 +1100 - trivial optimisation for seccomp-bpf + fix multiple authentication using S/Key w/ privsep - When doing arg inspection and the syscall doesn't match, skip - past the instruction that reloads the syscall into the accumulator, - since the accumulator hasn't been modified at this point. + bz#2502, patch from Kevin Korb and feandil_ -commit 99f33d7304893bd9fa04d227cb6e870171cded19 -Author: Damien Miller -Date: Wed Jun 17 10:50:51 2015 +1000 +commit 88b6fcdeb87a2fb76767854d9eb15006662dca57 +Author: djm@openbsd.org +Date: Thu Nov 19 08:23:27 2015 +0000 - aarch64 support for seccomp-bpf sandbox + upstream commit - Also resort and tidy syscall list. Based on patches by Jakub Jelen - bz#2361; ok dtucker@ + ban ConnectionAttempts=0, it makes no sense and would cause + ssh_connect_direct() to print an uninitialised stack variable; bz#2500 + reported by dvw AT phas.ubc.ca + + Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5 -commit 4ef702e1244633c1025ec7cfe044b9ab267097bf +commit 964ab3ee7a8f96bdbc963d5b5a91933d6045ebe7 Author: djm@openbsd.org -Date: Mon Jun 15 01:32:50 2015 +0000 +Date: Thu Nov 19 01:12:32 2015 +0000 upstream commit - return failure on RSA signature error; reported by Albert S + trailing whitespace - Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa + Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051 -commit a170f22baf18af0b1acf2788b8b715605f41a1f9 -Author: Tim Rice -Date: Tue Jun 9 22:41:13 2015 -0700 +commit f96516d052dbe38561f6b92b0e4365d8e24bb686 +Author: djm@openbsd.org +Date: Thu Nov 19 01:09:38 2015 +0000 - Fix t12 rules for out of tree builds. + upstream commit + + print host certificate contents at debug level + + Upstream-ID: 39354cdd8a2b32b308fd03f98645f877f540f00d -commit ec04dc4a5515c913121bc04ed261857e68fa5c18 -Author: millert@openbsd.org -Date: Fri Jun 5 15:13:13 2015 +0000 +commit 499cf36fecd6040e30e2912dd25655bc574739a7 +Author: djm@openbsd.org +Date: Thu Nov 19 01:08:55 2015 +0000 upstream commit - For "ssh -L 12345:/tmp/sock" don't fail with "No forward host - name." (we have a path, not a host name). Based on a diff from Jared - Yanovich. OK djm@ + move the certificate validity formatting code to + sshkey.[ch] - Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f + Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523 -commit 732d61f417a6aea0aa5308b59cb0f563bcd6edd6 +commit bcb7bc77bbb1535d1008c7714085556f3065d99d Author: djm@openbsd.org -Date: Fri Jun 5 03:44:14 2015 +0000 +Date: Wed Nov 18 08:37:28 2015 +0000 upstream commit - typo: accidental repetition; bz#2386 + fix "ssh-keygen -l" of private key, broken in support for + multiple plain keys on stdin - Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b + Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d -commit adfb24c69d1b6f5e758db200866c711e25a2ba73 -Author: Darren Tucker -Date: Fri Jun 5 14:51:40 2015 +1000 +commit 259adb6179e23195c8f6913635ea71040d1ccd63 +Author: millert@openbsd.org +Date: Mon Nov 16 23:47:52 2015 +0000 - Add Linux powerpc64le and powerpcle entries. + upstream commit - Stopgap to resolve bz#2409 because we are so close to release and will - update config.guess and friends shortly after the release. ok djm@ + Replace remaining calls to index(3) with strchr(3). OK + jca@ krw@ + + Upstream-ID: 33837d767a0cf1db1489b96055f9e330bc0bab6d -commit a1195a0fdc9eddddb04d3e9e44c4775431cb77da -Merge: 6397eed d2480bc -Author: Tim Rice -Date: Wed Jun 3 21:43:13 2015 -0700 - - Merge branch 'master' of git.mindrot.org:/var/git/openssh - -commit 6397eedf953b2b973d2d7cbb504ab501a07f8ddc -Author: Tim Rice -Date: Wed Jun 3 21:41:11 2015 -0700 - - Remove unneeded backslashes. Patch from Ángel González - -commit d2480bcac1caf31b03068de877a47d6e1027bf6d -Author: Darren Tucker -Date: Thu Jun 4 14:10:55 2015 +1000 - - Remove redundant include of stdarg.h. bz#2410 - -commit 5e67859a623826ccdf2df284cbb37e2d8e2787eb +commit c56a255162c2166884539c0a1f7511575325b477 Author: djm@openbsd.org -Date: Tue Jun 2 09:10:40 2015 +0000 +Date: Mon Nov 16 22:53:07 2015 +0000 upstream commit - mention CheckHostIP adding addresses to known_hosts; - bz#1993; ok dtucker@ + Allow fingerprinting from standard input "ssh-keygen -lf + -" - Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7 - -commit d7a58bbac6583e33fd5eca8e2c2cc70c57617818 -Author: Darren Tucker -Date: Tue Jun 2 20:15:26 2015 +1000 - - Replace strcpy with strlcpy. + Support fingerprinting multiple plain keys in a file and authorized_keys + files too (bz#1319) - ok djm, sanity check by Corinna Vinschen. + ok markus@ + + Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77 -commit 51a1c2115265c6e80ede8a5c9dccada9aeed7143 -Author: Damien Miller -Date: Fri May 29 18:27:21 2015 +1000 +commit 5b4010d9b923cf1b46c9c7b1887c013c2967e204 +Author: djm@openbsd.org +Date: Mon Nov 16 22:51:05 2015 +0000 - skip, rather than fatal when run without SUDO set + upstream commit + + always call privsep_preauth_child() regardless of whether + sshd was started by root; it does important priming before sandboxing and + failing to call it could result in sandbox violations later; ok markus@ + + Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383 -commit 599f01142a376645b15cbc9349d7e8975e1cf245 -Author: Damien Miller -Date: Fri May 29 18:03:15 2015 +1000 +commit 3a9f84b58b0534bbb485f1eeab75665e2d03371f +Author: djm@openbsd.org +Date: Mon Nov 16 22:50:01 2015 +0000 - fix merge botch that left ",," in KEX algs + upstream commit + + improve sshkey_read() semantics; only update *cpp when a + key is successfully read; ok markus@ + + Upstream-ID: f371e78e8f4fab366cf69a42bdecedaed5d1b089 -commit 0c2a81dfc21822f2423edd30751e5ec53467b347 -Author: Damien Miller -Date: Fri May 29 17:08:28 2015 +1000 +commit db6f8dc5dd5655b59368efd074994d4568bc3556 +Author: logan@openbsd.org +Date: Mon Nov 16 06:13:04 2015 +0000 - re-enable SSH protocol 1 at compile time + upstream commit + + 1) Use xcalloc() instead of xmalloc() to check for + potential overflow. (Feedback from both mmcc@ and djm@) 2) move set_size + just before the for loop. (suggested by djm@) + + OK djm@ + + Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213 -commit db438f9285d64282d3ac9e8c0944f59f037c0151 +commit 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0 Author: djm@openbsd.org -Date: Fri May 29 03:05:13 2015 +0000 +Date: Mon Nov 16 00:30:02 2015 +0000 upstream commit - make this work without SUDO set; ok dtucker@ + Add a new authorized_keys option "restrict" that + includes all current and future key restrictions (no-*-forwarding, etc). Also + add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". + This simplifies the task of setting up restricted keys and ensures they are + maximally-restricted, regardless of any permissions we might implement in the + future. - Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715 + Example: + + restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1... + + Idea from Jann Horn; ok markus@ + + Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0 -commit 1d9a2e2849c9864fe75daabf433436341c968e14 -Author: djm@openbsd.org -Date: Thu May 28 07:37:31 2015 +0000 +commit e41a071f7bda6af1fb3f081bed0151235fa61f15 +Author: jmc@openbsd.org +Date: Sun Nov 15 23:58:04 2015 +0000 upstream commit - wrap all moduli-related code in #ifdef WITH_OPENSSL. - based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@ + correct section number for ssh-agent; - Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf + Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6 -commit 496aeb25bc2d6c434171292e4714771b594bd00e -Author: dtucker@openbsd.org -Date: Thu May 28 05:41:29 2015 +0000 +commit 1a11670286acddcc19f5eff0966c380831fc4638 +Author: jmc@openbsd.org +Date: Sun Nov 15 23:54:15 2015 +0000 upstream commit - Increase the allowed length of the known host file name - in the log message to be consistent with other cases. Part of bz#1993, ok - deraadt. + do not confuse mandoc by presenting "Dd"; - Upstream-ID: a9e97567be49f25daf286721450968251ff78397 + Upstream-ID: 1470fce171c47b60bbc7ecd0fc717a442c2cfe65 -commit dd2cfeb586c646ff8d70eb93567b2e559ace5b14 -Author: dtucker@openbsd.org -Date: Thu May 28 05:09:45 2015 +0000 +commit f361df474c49a097bfcf16d1b7b5c36fcd844b4b +Author: jcs@openbsd.org +Date: Sun Nov 15 22:26:49 2015 +0000 upstream commit - Fix typo (keywork->keyword) + Add an AddKeysToAgent client option which can be set to + 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a + private key that is used during authentication will be added to ssh-agent if + it is running (with confirmation enabled if set to 'confirm'). - Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534 + Initial version from Joachim Schipper many years ago. + + ok markus@ + + Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4 -commit 9cc6842493fbf23025ccc1edab064869640d3bec +commit d87063d9baf5479b6e813d47dfb694a97df6f6f5 Author: djm@openbsd.org -Date: Thu May 28 04:50:53 2015 +0000 +Date: Fri Nov 13 04:39:35 2015 +0000 upstream commit - add error message on ftruncate failure; bz#2176 + send SSH2_MSG_UNIMPLEMENTED replies to unexpected + messages during KEX; bz#2949, ok dtucker@ - Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf + Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786 -commit d1958793a0072c22be26d136dbda5ae263e717a0 +commit 9fd04681a1e9b0af21e08ff82eb674cf0a499bfc Author: djm@openbsd.org -Date: Thu May 28 04:40:13 2015 +0000 +Date: Fri Nov 13 04:38:06 2015 +0000 upstream commit - make ssh-keygen default to ed25519 keys when compiled - without OpenSSL; bz#2388, ok dtucker@ + Support "none" as an argument for sshd_config + ForceCommand and ChrootDirectory. Useful inside Match blocks to override a + global default. bz#2486 ok dtucker@ - Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71 + Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5 -commit 3ecde664c9fc5fb3667aedf9e6671462600f6496 -Author: dtucker@openbsd.org -Date: Wed May 27 23:51:10 2015 +0000 +commit 94bc0b72c29e511cbbc5772190d43282e5acfdfe +Author: djm@openbsd.org +Date: Fri Nov 13 04:34:15 2015 +0000 upstream commit - Reorder client proposal to prefer - diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@ + support multiple certificates (one per line) and + reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@ - Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058 + Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db -commit 40f64292b907afd0a674fdbf3e4c2356d17a7d68 -Author: dtucker@openbsd.org -Date: Wed May 27 23:39:18 2015 +0000 +commit b6b9108f5b561c83612cb97ece4134eb59fde071 +Author: djm@openbsd.org +Date: Fri Nov 13 02:57:46 2015 +0000 upstream commit - Add a stronger (4k bit) fallback group that sshd can use - when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok - markus@ (earlier version), djm@ + list a couple more options usable in Match blocks; + bz#2489 - Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4 + Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879 -commit 5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a -Author: Darren Tucker -Date: Thu May 28 10:03:40 2015 +1000 +commit a7994b3f5a5a5a33b52b0a6065d08e888f0a99fb +Author: djm@openbsd.org +Date: Wed Nov 11 04:56:39 2015 +0000 - New moduli file from OpenBSD, removing 1k groups. + upstream commit - Remove 1k bit groups. ok deraadt@, markus@ + improve PEEK/POKE macros: better casts, don't multiply + evaluate arguments; ok deraadt@ + + Upstream-ID: 9a1889e19647615ededbbabab89064843ba92d3e -commit a71ba58adf34e599f30cdda6e9b93ae6e3937eea +commit 7d4c7513a7f209cb303a608ac6e46b3f1dfc11ec Author: djm@openbsd.org -Date: Wed May 27 05:15:02 2015 +0000 +Date: Wed Nov 11 01:48:01 2015 +0000 upstream commit - support PKCS#11 devices with external PIN entry devices - bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@ + remove prototypes for long-gone s/key support; ok + dtucker@ - Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d + Upstream-ID: db5bed3c57118af986490ab23d399df807359a79 -commit b282fec1aa05246ed3482270eb70fc3ec5f39a00 -Author: dtucker@openbsd.org -Date: Tue May 26 23:23:40 2015 +0000 +commit 07889c75926c040b8e095949c724e66af26441cb +Author: Damien Miller +Date: Sat Nov 14 18:44:49 2015 +1100 - upstream commit + read back from libcrypto RAND when privdropping - Cap DH-GEX group size at 4kbits for Cisco implementations. - Some of them will choke when asked for preferred sizes >4k instead of - returning the 4k group that they do have. bz#2209, ok djm@ + makes certain libcrypto implementations cache a /dev/urandom fd + in preparation of sandboxing. Based on patch by Greg Hartman. + +commit 1560596f44c01bb0cef977816410950ed17b8ecd +Author: Darren Tucker +Date: Tue Nov 10 11:14:47 2015 +1100 + + Fix compiler warnings in the openssl header check. - Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d + Noted by Austin English. -commit 3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e -Author: djm@openbsd.org -Date: Sun May 24 23:39:16 2015 +0000 +commit e72a8575ffe1d8adff42c9abe9ca36938acc036b +Author: jmc@openbsd.org +Date: Sun Nov 8 23:24:03 2015 +0000 upstream commit - add missing 'c' option to getopt(), case statement was - already there; from Felix Bolte + -c before -H, in SYNOPSIS and usage(); - Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081 + Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404 -commit 64a89ec07660abba4d0da7c0095b7371c98bab62 -Author: jsg@openbsd.org -Date: Sat May 23 14:28:37 2015 +0000 +commit 3a424cdd21db08c7b0ded902f97b8f02af5aa485 +Author: djm@openbsd.org +Date: Sun Nov 8 22:30:20 2015 +0000 upstream commit - fix a memory leak in an error path ok markus@ dtucker@ + Add "ssh-keyscan -c ..." flag to allow fetching + certificates instead of plain keys; ok markus@ - Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598 + Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82 -commit f948737449257d2cb83ffcfe7275eb79b677fd4a -Author: djm@openbsd.org -Date: Fri May 22 05:28:45 2015 +0000 +commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346 +Author: jmc@openbsd.org +Date: Sun Nov 8 22:08:38 2015 +0000 upstream commit - mention ssh-keygen -E for comparing legacy MD5 - fingerprints; bz#2332 + remove slogin links; ok deraadt markus djm - Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859 + Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730 -commit 0882332616e4f0272c31cc47bf2018f9cb258a4e +commit 2fecfd486bdba9f51b3a789277bb0733ca36e1c0 Author: djm@openbsd.org -Date: Fri May 22 04:45:52 2015 +0000 +Date: Sun Nov 8 21:59:11 2015 +0000 upstream commit - Reorder EscapeChar option parsing to avoid a single-byte - out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@ + fix OOB read in packet code caused by missing return + statement found by Ben Hawkes; ok markus@ deraadt@ - Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060 + Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 -commit d7c31da4d42c115843edee2074d7d501f8804420 -Author: djm@openbsd.org -Date: Fri May 22 03:50:02 2015 +0000 +commit 5e288923a303ca672b686908320bc5368ebec6e6 +Author: mmcc@openbsd.org +Date: Fri Nov 6 00:31:41 2015 +0000 upstream commit - add knob to relax GSSAPI host credential check for - multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker - (kerberos/GSSAPI is not compiled by default on OpenBSD) + 1. rlogin and rsh are long gone 2. protocol version isn't + of core relevance here, and v1 is going away - Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d + ok markus@, deraadt@ + + Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8 -commit aa72196a00be6e0b666215edcffbc10af234cb0e -Author: Darren Tucker -Date: Fri May 22 17:49:46 2015 +1000 +commit 8b29008bbe97f33381d9b4b93fcfa304168d0286 +Author: jmc@openbsd.org +Date: Thu Nov 5 09:48:05 2015 +0000 - Include signal.h for sig_atomic_t, used by kex.h. + upstream commit - bz#2402, from tomas.kuthan at oracle com. + "commandline" -> "command line", since there are so few + examples of the former in the pages, so many of the latter, and in some of + these pages we had multiple spellings; + + prompted by tj + + Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659 -commit 8b02481143d75e91c49d1bfae0876ac1fbf9511a +commit 996b24cebf20077fbe5db07b3a2c20c2d9db736e Author: Darren Tucker -Date: Fri May 22 12:47:24 2015 +1000 +Date: Thu Oct 29 20:57:34 2015 +1100 - Import updated moduli file from OpenBSD. + (re)wrap SYS_sendsyslog in ifdef. + + Replace ifdef that went missing in commit + c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older + OpenBSDs. -commit 4739e8d5e1c0be49624082bd9f6b077e9e758db9 +commit b67e2e76fcf1ae7c802eb27ca927e16c91a513ff Author: djm@openbsd.org -Date: Thu May 21 12:01:19 2015 +0000 +Date: Thu Oct 29 08:05:17 2015 +0000 upstream commit - Support "ssh-keygen -lF hostname" to find search known_hosts - and print key hashes. Already advertised by ssh-keygen(1), but not delivered - by code; ok dtucker@ + regress test for "PubkeyAcceptedKeyTypes +..." inside a + Match block - Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387 - -commit e97201feca10b5196da35819ae516d0b87cf3a50 -Author: Damien Miller -Date: Thu May 21 17:55:15 2015 +1000 - - conditionalise util.h inclusion + Upstream-Regress-ID: 246c37ed64a2e5704d4c158ccdca1ff700e10647 -commit 13640798c7dd011ece0a7d02841fe48e94cfa0e0 -Author: djm@openbsd.org -Date: Thu May 21 06:44:25 2015 +0000 +commit abd9dbc3c0d8c8c7561347cfa22166156e78c077 +Author: dtucker@openbsd.org +Date: Mon Oct 26 02:50:58 2015 +0000 upstream commit - regress test for AuthorizedPrincipalsCommand + Fix typo certopt->certopts in shell variable. This would + cause the test to hang at a host key prompt if you have an A or CNAME for + "proxy" in your local domain. - Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 + Upstream-Regress-ID: 6ea03bcd39443a83c89e2c5606392ceb9585836a -commit 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1 +commit ed08510d38aef930a061ae30d10f2a9cf233bafa Author: djm@openbsd.org -Date: Thu May 21 06:40:02 2015 +0000 +Date: Thu Oct 29 08:05:01 2015 +0000 upstream commit - regress test for AuthorizedKeysCommand arguments + Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; + ok dtucker@ - Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12 + Upstream-ID: 853662c4036730b966aab77684390c47b9738c69 -commit bcc50d816187fa9a03907ac1f3a52f04a52e10d1 +commit a4aef3ed29071719b2af82fdf1ac3c2514f82bc5 Author: djm@openbsd.org -Date: Thu May 21 06:43:30 2015 +0000 +Date: Tue Oct 27 08:54:52 2015 +0000 upstream commit - add AuthorizedPrincipalsCommand that allows getting - authorized_principals from a subprocess rather than a file, which is quite - useful in deployments with large userbases - - feedback and ok markus@ + fix execv arguments in a way less likely to cause grief + for -portable; ok dtucker@ - Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6 + Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5 -commit 24232a3e5ab467678a86aa67968bbb915caffed4 +commit 63d188175accea83305e89fafa011136ff3d96ad Author: djm@openbsd.org -Date: Thu May 21 06:38:35 2015 +0000 +Date: Tue Oct 27 01:44:45 2015 +0000 upstream commit - support arguments to AuthorizedKeysCommand - - bz#2081 loosely based on patch by Sami Hartikainen - feedback and ok markus@ + log certificate serial in verbose() messages to match the + main auth success/fail message; ok dtucker@ - Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7 + Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288 -commit d80fbe41a57c72420c87a628444da16d09d66ca7 +commit 2aaba0cfd560ecfe92aa50c00750e6143842cf1f Author: djm@openbsd.org -Date: Thu May 21 04:55:51 2015 +0000 +Date: Tue Oct 27 00:49:53 2015 +0000 upstream commit - refactor: split base64 encoding of pubkey into its own - sshkey_to_base64() function and out of sshkey_write(); ok markus@ + avoid de-const warning & shrink; ok dtucker@ - Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a + Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db -commit 7cc44ef74133a473734bbcbd3484f24d6a7328c5 -Author: deraadt@openbsd.org -Date: Mon May 18 15:06:05 2015 +0000 +commit 03239c18312b9bab7d1c3b03062c61e8bbc1ca6e +Author: dtucker@openbsd.org +Date: Sun Oct 25 23:42:00 2015 +0000 upstream commit - getentropy() and sendsyslog() have been around long - enough. openssh-portable may want the #ifdef's but not base. discussed with - djm few weeks back + Expand tildes in filenames passed to -i before checking + whether or not the identity file exists. This means that if the shell + doesn't do the expansion (eg because the option and filename were given as a + single argument) then we'll still add the key. bz#2481, ok markus@ - Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926 + Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6 -commit 9173d0fbe44de7ebcad8a15618e13a8b8d78902e +commit 97e184e508dd33c37860c732c0eca3fc57698b40 Author: dtucker@openbsd.org -Date: Fri May 15 05:44:21 2015 +0000 +Date: Sun Oct 25 23:14:03 2015 +0000 upstream commit - Use a salted hash of the lock passphrase instead of plain - text and do constant-time comparisons of it. Should prevent leaking any - information about it via timing, pointed out by Ryan Castellucci. Add a 0.1s - incrementing delay for each failed unlock attempt up to 10s. ok markus@ - (earlier version), djm@ + Do not prepend "exec" to the shell command run by "Match + exec" in a config file. It's an unnecessary optimization from repurposed + ProxyCommand code and prevents some things working with some shells. + bz#2471, pointed out by res at qoxp.net. ok markus@ - Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f + Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3 -commit d028d5d3a697c71b21e4066d8672cacab3caa0a8 -Author: Damien Miller -Date: Tue May 5 19:10:58 2015 +1000 +commit 8db134e7f457bcb069ec72bc4ee722e2af557c69 +Author: Darren Tucker +Date: Thu Oct 29 10:48:23 2015 +1100 - upstream commit + Prevent name collisions with system glob (bz#2463) - - tedu@cvs.openbsd.org 2015/01/12 03:20:04 - [bcrypt_pbkdf.c] - rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks, - nor are they the same size. + Move glob.h from includes.h to the only caller (sftp) and override the + names for the symbols. This prevents name collisions with the system glob + in the case where something other than ssh uses it (eg kerberos). With + jjelen at redhat.com, ok djm@ -commit f6391d4e59b058984163ab28f4e317e7a72478f1 -Author: Damien Miller -Date: Tue May 5 19:10:23 2015 +1000 +commit 86c10dbbef6a5800d2431a66cf7f41a954bb62b5 +Author: dtucker@openbsd.org +Date: Fri Oct 23 02:22:01 2015 +0000 upstream commit - - deraadt@cvs.openbsd.org 2015/01/08 00:30:07 - [bcrypt_pbkdf.c] - declare a local version of MIN(), call it MINIMUM() + Update expected group sizes to match recent code changes. + + Upstream-Regress-ID: 0004f0ea93428969fe75bcfff0d521c553977794 -commit 8ac6b13cc9113eb47cd9e86c97d7b26b4b71b77f -Author: Damien Miller -Date: Tue May 5 19:09:46 2015 +1000 +commit 9ada37d36003a77902e90a3214981e417457cf13 +Author: djm@openbsd.org +Date: Sat Oct 24 22:56:19 2015 +0000 upstream commit - - djm@cvs.openbsd.org 2014/12/30 01:41:43 - [bcrypt_pbkdf.c] - typo in comment: ouput => output + fix keyscan output for multiple hosts/addrs on one line + when host hashing or a non standard port is in use; bz#2479 ok dtucker@ + + Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b -commit 1f792489d5cf86a4f4e3003e6e9177654033f0f2 +commit 44fc7cd7dcef6c52c6b7e9ff830dfa32879bd319 Author: djm@openbsd.org -Date: Mon May 4 06:10:48 2015 +0000 +Date: Sat Oct 24 22:52:22 2015 +0000 upstream commit - Remove pattern length argument from match_pattern_list(), we - only ever use it for strlen(pattern). + skip "Could not chdir to home directory" message when + chrooted - Prompted by hanno AT hboeck.de pointing an out-of-bound read - error caused by an incorrect pattern length found using AFL - and his own tools. + patch from Christian Hesse in bz#2485 ok dtucker@ - ok markus@ + Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431 -commit 639d6bc57b1942393ed12fb48f00bc05d4e093e4 -Author: djm@openbsd.org -Date: Fri May 1 07:10:01 2015 +0000 +commit a820a8618ec44735dabc688fab96fba38ad66bb2 +Author: sthen@openbsd.org +Date: Sat Oct 24 08:34:09 2015 +0000 upstream commit - refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() - to better report error conditions. Teach sshpkt_fatal() about ECONNRESET. + Handle the split of tun(4) "link0" into tap(4) in ssh + tun-forwarding. Adapted from portable (using separate devices for this is the + normal case in most OS). ok djm@ - Improves error messages on TCP connection resets. bz#2257 + Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39 + +commit 66d2e229baa9fe57b868c373b05f7ff3bb20055b +Author: gsoares@openbsd.org +Date: Wed Oct 21 11:33:03 2015 +0000 + + upstream commit - ok dtucker@ + fix memory leak in error path ok djm@ + + Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35 -commit 9559d7de34c572d4d3fd990ca211f8ec99f62c4d -Author: djm@openbsd.org -Date: Fri May 1 07:08:08 2015 +0000 +commit 7d6c0362039ceacdc1366b5df29ad5d2693c13e5 +Author: mmcc@openbsd.org +Date: Tue Oct 20 23:24:25 2015 +0000 upstream commit - a couple of parse targets were missing activep checks, - causing them to be misapplied in match context; bz#2272 diagnosis and - original patch from Sami Hartikainen ok dtucker@ + Compare pointers to NULL rather than 0. + + ok djm@ + + Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8 -commit 7e8528cad04b2775c3b7db08abf8fb42e47e6b2a -Author: djm@openbsd.org -Date: Fri May 1 04:17:51 2015 +0000 +commit f98a09cacff7baad8748c9aa217afd155a4d493f +Author: mmcc@openbsd.org +Date: Tue Oct 20 03:36:35 2015 +0000 upstream commit - make handling of AuthorizedPrincipalsFile=none more - consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@ + Replace a function-local allocation with stack memory. + + ok djm@ + + Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e -commit ca430d4d9cc0f62eca3b1fb1e2928395b7ce80f7 +commit ac908c1eeacccfa85659594d92428659320fd57e +Author: Damien Miller +Date: Thu Oct 22 09:35:24 2015 +1100 + + turn off PrintLastLog when --disable-lastlog + + bz#2278 from Brent Paulson + +commit b56deb847f4a0115a8bf488bf6ee8524658162fd Author: djm@openbsd.org -Date: Fri May 1 04:03:20 2015 +0000 +Date: Fri Oct 16 22:32:22 2015 +0000 upstream commit - remove failed remote forwards established by muliplexing - from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok - dtucker@ + increase the minimum modulus that we will send or accept in + diffie-hellman-group-exchange to 2048 bits; ok markus@ + + Upstream-ID: 06dce7a24c17b999a0f5fadfe95de1ed6a1a9b6a -commit 8312cfb8ad88657517b3e23ac8c56c8e38eb9792 +commit 5ee0063f024bf5b3f3ffb275b8cd20055d62b4b9 Author: djm@openbsd.org -Date: Fri May 1 04:01:58 2015 +0000 +Date: Fri Oct 16 18:40:49 2015 +0000 upstream commit - reduce stderr spam when using ssh -S /path/mux -O forward - -R 0:... ok dtucker@ + better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in + hostname canonicalisation - treat them as already canonical and remove the + trailing '.' before matching ssh_config; ok markus@ + + Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a -commit 179be0f5e62f1f492462571944e45a3da660d82b -Author: djm@openbsd.org -Date: Fri May 1 03:23:51 2015 +0000 +commit e92c499a75477ecfe94dd7b4aed89f20b1fac5a7 +Author: mmcc@openbsd.org +Date: Fri Oct 16 17:07:24 2015 +0000 upstream commit - prevent authorized_keys options picked up on public key - tests without a corresponding private key authentication being applied to - other authentication methods. Reported by halex@, ok markus@ + 0 -> NULL when comparing with a char*. + + ok dtucker@, djm@. + + Upstream-ID: a928e9c21c0a9020727d99738ff64027c1272300 -commit a42d67be65b719a430b7fcaba2a4e4118382723a +commit b1d38a3cc6fe349feb8d16a5f520ef12d1de7cb2 Author: djm@openbsd.org -Date: Fri May 1 03:20:54 2015 +0000 +Date: Thu Oct 15 23:51:40 2015 +0000 upstream commit - Don't make parsing of authorized_keys' environment= - option conditional on PermitUserEnv - always parse it, but only use the - result if the option is enabled. This prevents the syntax of authorized_keys - changing depending on which sshd_config options were enabled. + fix some signed/unsigned integer type mismatches in + format strings; reported by Nicholas Lemonias - bz#2329; based on patch from coladict AT gmail.com, ok dtucker@ + Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c -commit e661a86353e11592c7ed6a847e19a83609f49e77 +commit 1a2663a15d356bb188196b6414b4c50dc12fd42b Author: djm@openbsd.org -Date: Mon May 4 06:10:48 2015 +0000 +Date: Thu Oct 15 23:08:23 2015 +0000 upstream commit - Remove pattern length argument from match_pattern_list(), we - only ever use it for strlen(pattern). + argument to sshkey_from_private() and sshkey_demote() + can't be NULL - Prompted by hanno AT hboeck.de pointing an out-of-bound read - error caused by an incorrect pattern length found using AFL - and his own tools. + Upstream-ID: 0111245b1641d387977a9b38da15916820a5fd1f + +commit 0f754e29dd3760fc0b172c1220f18b753fb0957e +Author: Damien Miller +Date: Fri Oct 16 10:53:14 2015 +1100 + + need va_copy before va_start - ok markus@ + reported by Nicholas Lemonias -commit 0ef1de742be2ee4b10381193fe90730925b7f027 -Author: dtucker@openbsd.org -Date: Thu Apr 23 05:01:19 2015 +0000 +commit eb6c50d82aa1f0d3fc95f5630ea69761e918bfcd +Author: Damien Miller +Date: Thu Oct 15 15:48:28 2015 -0700 + + fix compilation on systems without SYMLOOP_MAX + +commit fafe1d84a210fb3dae7744f268059cc583db8c12 +Author: Damien Miller +Date: Wed Oct 14 09:22:15 2015 -0700 + + s/SANDBOX_TAME/SANDBOX_PLEDGE/g + +commit 8f22911027ff6c17d7226d232ccd20727f389310 +Author: Damien Miller +Date: Wed Oct 14 08:28:19 2015 +1100 upstream commit - Add a simple regression test for sshd's configuration - parser. Right now, all it does is run the output of sshd -T back through - itself and ensure the output is valid and invariant. + revision 1.20 + date: 2015/10/13 20:55:37; author: millert; state: Exp; lines: +2 -2; commitid: X39sl5ay1czgFIgp; + In rev 1.15 the sizeof argument was fixed in a strlcat() call but + the truncation check immediately following it was not updated to + match. Not an issue in practice since the buffers are the same + size. OK deraadt@ -commit 368f83c793275faa2c52f60eaa9bdac155c4254b -Author: djm@openbsd.org -Date: Wed Apr 22 01:38:36 2015 +0000 +commit 23fa695bb735f54f04d46123662609edb6c76767 +Author: Damien Miller +Date: Wed Oct 14 08:27:51 2015 +1100 upstream commit - use correct key for nested certificate test + revision 1.19 + date: 2015/01/16 16:48:51; author: deraadt; state: Exp; lines: +3 -3; commitid: 0DYulI8hhujBHMcR; + Move to the universe. + review by millert, binary checking process with doug, concept with guenther -commit 8d4d1bfddbbd7d21f545dc6997081d1ea1fbc99a -Author: djm@openbsd.org -Date: Fri May 1 07:11:47 2015 +0000 +commit c71be375a69af00c2d0a0c24d8752bec12d8fd1b +Author: Damien Miller +Date: Wed Oct 14 08:27:08 2015 +1100 upstream commit - mention that the user's shell from /etc/passwd is used - for commands too; bz#1459 ok dtucker@ + revision 1.18 + date: 2014/10/19 03:56:28; author: doug; state: Exp; lines: +9 -9; commitid: U6QxmtbXrGoc02S5; + Revert last commit due to changed semantics found by make release. -commit 5ab283d0016bbc9d4d71e8e5284d011bc5a930cf -Author: djm@openbsd.org -Date: Fri May 8 07:29:00 2015 +0000 +commit c39ad23b06e9aecc3ff788e92f787a08472905b1 +Author: Damien Miller +Date: Wed Oct 14 08:26:24 2015 +1100 upstream commit - whitespace + revision 1.17 + date: 2014/10/18 20:43:52; author: doug; state: Exp; lines: +10 -10; commitid: I74hI1tVZtsspKEt; + Better POSIX compliance in realpath(3). - Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519 + millert@ made changes to realpath.c based on FreeBSD's version. I merged + Todd's changes into dl_realpath.c. + + ok millert@, guenther@ -commit 8377d5008ad260048192e1e56ad7d15a56d103dd -Author: djm@openbsd.org -Date: Fri May 8 07:26:13 2015 +0000 +commit e929a43f957dbd1254aca2aaf85c8c00cbfc25f4 +Author: Damien Miller +Date: Wed Oct 14 08:25:55 2015 +1100 upstream commit - whitespace at EOL - - Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554 + revision 1.16 + date: 2013/04/05 12:59:54; author: kurt; state: Exp; lines: +3 -1; + - Add comments regarding copies of these files also in libexec/ld.so + okay guenther@ -commit c28a3436fa8737709ea88e4437f8f23a6ab50359 -Author: djm@openbsd.org -Date: Fri May 8 06:45:13 2015 +0000 +commit 5225db68e58a1048cb17f0e36e0d33bc4a8fc410 +Author: Damien Miller +Date: Wed Oct 14 08:25:32 2015 +1100 upstream commit - moar whitespace at eol + revision 1.15 + date: 2012/09/13 15:39:05; author: deraadt; state: Exp; lines: +2 -2; + specify the bounds of the dst to strlcat (both values were static and + equal, but it is more correct) + from Michal Mazurek + +commit 7365fe5b4859de2305e40ea132da3823830fa710 +Author: Damien Miller +Date: Wed Oct 14 08:25:09 2015 +1100 + + upstream commit - Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515 + revision 1.14 + date: 2011/07/24 21:03:00; author: miod; state: Exp; lines: +35 -13; + Recent Single Unix will malloc memory if the second argument of realpath() + is NULL, and third-party software is starting to rely upon this. + Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor + tweaks from nicm@ and yours truly. -commit 2b64c490468fd4ca35ac8d5cc31c0520dc1508bb +commit e679c09cd1951f963793aa3d9748d1c3fdcf808f Author: djm@openbsd.org -Date: Fri May 8 06:41:56 2015 +0000 +Date: Tue Oct 13 16:15:21 2015 +0000 upstream commit - whitespace at EOL + apply PubkeyAcceptedKeyTypes filtering earlier, so all + skipped keys are noted before pubkey authentication starts. ok dtucker@ - Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c + Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8 -commit 4e636cf201ce6e7e3b9088568218f9d4e2c51712 +commit 179c353f564ec7ada64b87730b25fb41107babd7 Author: djm@openbsd.org -Date: Fri May 8 03:56:51 2015 +0000 +Date: Tue Oct 13 00:21:27 2015 +0000 upstream commit - whitespace at EOL + free the correct IV length, don't assume it's always the + cipher blocksize; ok dtucker@ + + Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298 -commit 38b8272f823dc1dd4e29dbcee83943ed48bb12fa -Author: dtucker@openbsd.org -Date: Mon May 4 01:47:53 2015 +0000 +commit 2539dce2a049a8f6bb0d44cac51f07ad48e691d3 +Author: deraadt@openbsd.org +Date: Fri Oct 9 01:37:08 2015 +0000 upstream commit - Use diff w/out -u for better portability + Change all tame callers to namechange to pledge(2). + + Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2 -commit 297060f42d5189a4065ea1b6f0afdf6371fb0507 -Author: dtucker@openbsd.org -Date: Fri May 8 03:25:07 2015 +0000 +commit 9846a2f4067383bb76b4e31a9d2303e0a9c13a73 +Author: Damien Miller +Date: Thu Oct 8 04:30:48 2015 +1100 - upstream commit + hook tame(2) sandbox up to build - Use xcalloc for permitted_adm_opens instead of xmalloc to - ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok - djm@ + OpenBSD only for now -commit 63ebf019be863b2d90492a85e248cf55a6e87403 +commit 0c46bbe68b70bdf0d6d20588e5847e71f3739fe6 Author: djm@openbsd.org -Date: Fri May 8 03:17:49 2015 +0000 +Date: Wed Oct 7 15:59:12 2015 +0000 upstream commit - don't choke on new-format private keys encrypted with an - AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@ + include PubkeyAcceptedKeyTypes in ssh -G config dump + + Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb -commit f8484dac678ab3098ae522a5f03bb2530f822987 -Author: dtucker@openbsd.org -Date: Wed May 6 05:45:17 2015 +0000 +commit bdcb73fb7641b1cf73c0065d1a0dd57b1e8b778e +Author: sobrado@openbsd.org +Date: Wed Oct 7 14:45:30 2015 +0000 upstream commit - Clarify pseudo-terminal request behaviour and use - "pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@. + UsePrivilegeSeparation defaults to sandbox now. + + ok djm@ + + Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f -commit ea139507bef8bad26e86ed99a42c7233ad115c38 -Author: dtucker@openbsd.org -Date: Wed May 6 04:07:18 2015 +0000 +commit 2905d6f99c837bb699b6ebc61711b19acd030709 +Author: djm@openbsd.org +Date: Wed Oct 7 00:54:06 2015 +0000 upstream commit - Blacklist DH-GEX for specific PuTTY versions known to - send non-RFC4419 DH-GEX messages rather than all versions of PuTTY. - According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX - messages. ok djm@ + don't try to change tun device flags if they are already + what we need; makes it possible to use tun/tap networking as non- root user + if device permissions and interface flags are pre-established; based on patch + by Ossi Herrala + + Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21 -commit b58234f00ee3872eb84f6e9e572a9a34e902e36e -Author: dtucker@openbsd.org -Date: Tue May 5 10:17:49 2015 +0000 +commit 0dc74512bdb105b048883f07de538b37e5e024d4 +Author: Damien Miller +Date: Mon Oct 5 18:33:05 2015 -0700 + + unbreak merge botch + +commit fdd020e86439afa7f537e2429d29d4b744c94331 +Author: djm@openbsd.org +Date: Tue Oct 6 01:20:59 2015 +0000 upstream commit - WinSCP doesn't implement RFC4419 DH-GEX so flag it so we - don't offer that KEX method. ok markus@ + adapt to recent sshkey_parse_private_fileblob() API + change + + Upstream-Regress-ID: 5c0d818da511e33e0abf6a92a31bd7163b7ad988 -commit d5b1507a207253b39e810e91e68f9598691b7a29 -Author: jsg@openbsd.org -Date: Tue May 5 02:48:17 2015 +0000 +commit 21ae8ee3b630b0925f973db647a1b9aa5fcdd4c5 +Author: djm@openbsd.org +Date: Thu Sep 24 07:15:39 2015 +0000 upstream commit - use the sizeof the struct not the sizeof a pointer to the - struct in ssh_digest_start() - - This file is only used if ssh is built with OPENSSL=no + fix command-line option to match what was actually + committed - ok markus@ + Upstream-Regress-ID: 3e8c24a2044e8afd37e7ce17b69002ca817ac699 -commit a647b9b8e616c231594b2710c925d31b1b8afea3 -Author: Darren Tucker -Date: Fri May 8 11:07:27 2015 +1000 +commit e14ac43b75e68f1ffbd3e1a5e44143c8ae578dcd +Author: djm@openbsd.org +Date: Thu Sep 24 06:16:53 2015 +0000 - Put brackets around mblen() compat constant. + upstream commit - This might help with the reported problem cross compiling for Android - ("error: expected identifier or '(' before numeric constant") but - shouldn't hurt in any case. + regress test for CertificateFile; patch from Meghana Bhat + via bz#2436 + + Upstream-Regress-ID: e7a6e980cbe0f8081ba2e83de40d06c17be8bd25 -commit d1680d36e17244d9af3843aeb5025cb8e40d6c07 -Author: Darren Tucker -Date: Thu Apr 30 09:18:11 2015 +1000 +commit 905b054ed24e0d5b4ef226ebf2c8bfc02ae6d4ad +Author: djm@openbsd.org +Date: Mon Oct 5 17:11:21 2015 +0000 - xrealloc -> xreallocarray in portable code too. + upstream commit + + some more bzero->explicit_bzero, from Michael McConville + + Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0 -commit 531a57a3893f9fcd4aaaba8c312b612bbbcc021e -Author: dtucker@openbsd.org -Date: Wed Apr 29 03:48:56 2015 +0000 +commit b007159a0acdbcf65814b3ee05dbe2cf4ea46011 +Author: deraadt@openbsd.org +Date: Fri Oct 2 15:52:55 2015 +0000 upstream commit - Allow ListenAddress, Port and AddressFamily in any - order. bz#68, ok djm@, jmc@ (for the man page bit). + fix email + + Upstream-ID: 72150f2d54b94de14ebef1ea054ef974281bf834 -commit c1d5bcf1aaf1209af02f79e48ba1cbc76a87b56f -Author: jmc@openbsd.org -Date: Tue Apr 28 13:47:38 2015 +0000 +commit b19e1b4ab11884c4f62aee9f8ab53127a4732658 +Author: deraadt@openbsd.org +Date: Fri Oct 2 01:39:52 2015 +0000 upstream commit - enviroment -> environment: apologies to darren for not - spotting that first time round... + a sandbox using tame ok djm + + Upstream-ID: 4ca24e47895e72f5daaa02f3e3d3e5ca2d820fa3 -commit 43beea053db191cac47c2cd8d3dc1930158aff1a -Author: dtucker@openbsd.org -Date: Tue Apr 28 10:25:15 2015 +0000 +commit c61b42f2678f21f05653ac2d3d241b48ab5d59ac +Author: deraadt@openbsd.org +Date: Fri Oct 2 01:39:26 2015 +0000 upstream commit - Fix typo in previous + re-order system calls in order of risk, ok i'll be + honest, ordered this way they look like tame... ok djm + + Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813 -commit 85b96ef41374f3ddc9139581f87da09b2cd9199e -Author: dtucker@openbsd.org -Date: Tue Apr 28 10:17:58 2015 +0000 +commit c5f7c0843cb6e6074a93c8ac34e49ce33a6f5546 +Author: jmc@openbsd.org +Date: Fri Sep 25 18:19:54 2015 +0000 upstream commit - Document that the TERM environment variable is not - subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from - jjelen at redhat, help and ok jmc@ + some certificatefile tweaks; ok djm + + Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0 -commit 88a7c598a94ff53f76df228eeaae238d2d467565 +commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8 Author: djm@openbsd.org -Date: Mon Apr 27 21:42:48 2015 +0000 +Date: Thu Sep 24 06:15:11 2015 +0000 upstream commit - Make sshd default to PermitRootLogin=no; ok deraadt@ - rpe@ - -commit 734226b4480a6c736096c729fcf6f391400599c7 -Author: djm@openbsd.org -Date: Mon Apr 27 01:52:30 2015 +0000 - - upstream commit + add ssh_config CertificateFile option to explicitly list + a certificate; patch from Meghana Bhat on bz#2436; ok markus@ - fix compilation with OPENSSL=no; ok dtucker@ + Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8 -commit a4b9d2ce1eb7703eaf0809b0c8a82ded8aa4f1c6 -Author: dtucker@openbsd.org -Date: Mon Apr 27 00:37:53 2015 +0000 +commit e3cbb06ade83c72b640a53728d362bbefa0008e2 +Author: sobrado@openbsd.org +Date: Tue Sep 22 08:33:23 2015 +0000 upstream commit - Include stdio.h for FILE (used in sshkey.h) so it - compiles with OPENSSL=no. + fix two typos. + + Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709 -commit dbcc652f4ca11fe04e5930c7ef18a219318c6cda +commit 8408218c1ca88cb17d15278174a24a94a6f65fe1 Author: djm@openbsd.org -Date: Mon Apr 27 00:21:21 2015 +0000 +Date: Mon Sep 21 04:31:00 2015 +0000 upstream commit - allow "sshd -f none" to skip reading the config file, - much like "ssh -F none" does. ok dtucker + fix possible hang on closed output; bz#2469 reported by Tomas + Kuthan ok markus@ + + Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3 -commit b7ca276fca316c952f0b90f5adb1448c8481eedc -Author: jmc@openbsd.org -Date: Fri Apr 24 06:26:49 2015 +0000 +commit 0097248f90a00865082e8c146b905a6555cc146f +Author: djm@openbsd.org +Date: Fri Sep 11 04:55:01 2015 +0000 upstream commit - combine -Dd onto one line and update usage(); + skip if running as root; many systems (inc OpenBSD) allow + root to ptrace arbitrary processes + + Upstream-Regress-ID: be2b925df89360dff36f972951fa0fa793769038 -commit 2ea974630d7017e4c7666d14d9dc939707613e96 +commit 9c06c814aff925e11a5cc592c06929c258a014f6 Author: djm@openbsd.org -Date: Fri Apr 24 05:26:44 2015 +0000 +Date: Fri Sep 11 03:44:21 2015 +0000 upstream commit - add ssh-agent -D to leave ssh-agent in foreground - without enabling debug mode; bz#2381 ok dtucker@ + try all supported key types here; bz#2455 reported by + Jakub Jelen + + Upstream-Regress-ID: 188cb7d9031cdbac3a0fa58b428b8fa2b2482bba -commit 8ac2ffd7aa06042f6b924c87139f2fea5c5682f7 -Author: deraadt@openbsd.org -Date: Fri Apr 24 01:36:24 2015 +0000 +commit 3c019a936b43f3e2773f3edbde7c114d73caaa4c +Author: tim@openbsd.org +Date: Sun Sep 13 14:39:16 2015 +0000 upstream commit - 2*len -> use xreallocarray() ok djm + - Fix error message: passphrase needs to be at least 5 + characters, not 4. - Remove unused function argument. - Remove two + unnecessary variables. + + OK djm@ + + Upstream-ID: 13010c05bfa8b523da1c0dc19e81dd180662bc30 -commit 657a5fbc0d0aff309079ff8fb386f17e964963c2 -Author: deraadt@openbsd.org -Date: Fri Apr 24 01:36:00 2015 +0000 +commit 2681cdb6e0de7c1af549dac37a9531af202b4434 +Author: tim@openbsd.org +Date: Sun Sep 13 13:48:19 2015 +0000 upstream commit - rename xrealloc() to xreallocarray() since it follows - that form. ok djm + When adding keys to the agent, don't ignore the comment + of keys for which the user is prompted for a passphrase. + + Tweak and OK djm@ + + Upstream-ID: dc737c620a5a8d282cc4f66e3b9b624e9abefbec -commit 1108ae242fdd2c304307b68ddf46aebe43ebffaa -Author: dtucker@openbsd.org -Date: Thu Apr 23 04:59:10 2015 +0000 +commit 14692f7b8251cdda847e648a82735eef8a4d2a33 +Author: guenther@openbsd.org +Date: Fri Sep 11 08:50:04 2015 +0000 upstream commit - Two small fixes for sshd -T: ListenAddress'es are added - to a list head so reverse the order when printing them to ensure the - behaviour remains the same, and print StreamLocalBindMask as octal with - leading zero. ok deraadt@ + Use explicit_bzero() when zeroing before free() + + from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu) + ok millert@ djm@ + + Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50 -commit bd902b8473e1168f19378d5d0ae68d0c203525df -Author: dtucker@openbsd.org -Date: Thu Apr 23 04:53:53 2015 +0000 +commit 846f6fa4cfa8483a9195971dbdd162220f199d85 +Author: jmc@openbsd.org +Date: Fri Sep 11 06:55:46 2015 +0000 upstream commit - Check for and reject missing arguments for - VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com, - ok djm@ + sync -Q in usage() to SYNOPSIS; since it's drastically + shorter, i've reformatted the block to sync with the man (80 cols) and saved + a line; + + Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd -commit ca42c1758575e592239de1d5755140e054b91a0d -Author: djm@openbsd.org -Date: Wed Apr 22 01:24:01 2015 +0000 +commit 95923e0520a8647417ee6dcdff44694703dfeef0 +Author: jmc@openbsd.org +Date: Fri Sep 11 06:51:39 2015 +0000 upstream commit - unknown certificate extensions are non-fatal, so don't - fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok - dtucker@ + tweak previous; + + Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6 -commit 39bfbf7caad231cc4bda6909fb1af0705bca04d8 -Author: jsg@openbsd.org -Date: Tue Apr 21 07:01:00 2015 +0000 +commit 86ac462f833b05d8ed9de9c50ccb295d7faa79ff +Author: dtucker@openbsd.org +Date: Fri Sep 11 05:27:02 2015 +0000 upstream commit - Add back a backslash removed in rev 1.42 so - KEX_SERVER_ENCRYPT will include aes again. + Update usage to match man page. - ok deraadt@ + Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675 -commit 6b0d576bb87eca3efd2b309fcfe4edfefc289f9c +commit 674b3b68c1d36b2562324927cd03857b565e05e8 Author: djm@openbsd.org -Date: Fri Apr 17 13:32:09 2015 +0000 +Date: Fri Sep 11 03:47:28 2015 +0000 upstream commit - s/recommended/required/ that private keys be og-r this - wording change was made a while ago but got accidentally reverted + expand %i in ControlPath to UID; bz#2449 + + patch from Christian Hesse w/ feedback from dtucker@ + + Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925 -commit 44a8e7ce6f3ab4c2eb1ae49115c210b98e53c4df +commit c0f55db7ee00c8202b05cb4b9ad4ce72cc45df41 Author: djm@openbsd.org -Date: Fri Apr 17 13:25:52 2015 +0000 +Date: Fri Sep 11 03:42:32 2015 +0000 upstream commit - don't try to cleanup NULL KEX proposals in - kex_prop_free(); found by Jukka Taimisto and Markus Hietava + mention -Q key-plain and -Q key-cert; bz#2455 pointed out + by Jakub Jelen + + Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896 -commit 3038a191872d2882052306098c1810d14835e704 -Author: djm@openbsd.org -Date: Fri Apr 17 13:19:22 2015 +0000 +commit cfffbdb10fdf0f02d3f4232232eef7ec3876c383 +Author: Darren Tucker +Date: Mon Sep 14 16:24:21 2015 +1000 - upstream commit + Use ssh-keygen -A when generating host keys. - use error/logit/fatal instead of fprintf(stderr, ...) - and exit(0), fix a few errors that were being printed to stdout instead of - stderr and a few non-errors that were going to stderr instead of stdout - bz#2325; ok dtucker + Use ssh-keygen -A instead of per-keytype invocations when generating host + keys. Add tests when doing host-key-force since we can't use ssh-keygen -A + since it can't specify alternate locations. bz#2459, ok djm@ -commit a58be33cb6cd24441fa7e634db0e5babdd56f07f -Author: djm@openbsd.org -Date: Fri Apr 17 13:16:48 2015 +0000 +commit 366bada1e9e124654aac55b72b6ccf878755b0dc +Author: Darren Tucker +Date: Fri Sep 11 13:29:22 2015 +1000 - upstream commit + Correct default value for --with-ssh1. - debug log missing DISPLAY environment when X11 - forwarding requested; bz#1682 ok dtucker@ + bz#2457, from konto-mindrot.org at walimnieto.com. -commit 17d4d9d9fbc8fb80e322f94d95eecc604588a474 +commit 2bca8a43e7dd9b04d7070824ffebb823c72587b2 Author: djm@openbsd.org -Date: Fri Apr 17 04:32:31 2015 +0000 +Date: Fri Sep 11 03:13:36 2015 +0000 upstream commit - don't call record_login() in monitor when UseLogin is - enabled; bz#278 reported by drk AT sgi.com; ok dtucker - -commit 40132ff87b6cbc3dc05fb5df2e9d8e3afa06aafd -Author: dtucker@openbsd.org -Date: Fri Apr 17 04:12:35 2015 +0000 - - upstream commit + more clarity on what AuthorizedKeysFile=none does; based + on diff by Thiebaud Weksteen - Add some missing options to sshd -T and fix the output - of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat - com, ok djm. + Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704 -commit 6cc7cfa936afde2d829e56ee6528c7ea47a42441 -Author: dtucker@openbsd.org -Date: Thu Apr 16 23:25:50 2015 +0000 +commit 61942ea4a01e6db4fdf37ad61de81312ffe310e9 +Author: djm@openbsd.org +Date: Wed Sep 9 00:52:44 2015 +0000 upstream commit - Document "none" for PidFile XAuthLocation - TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@ - -commit 15fdfc9b1c6808b26bc54d4d61a38b54541763ed -Author: dtucker@openbsd.org -Date: Wed Apr 15 23:23:25 2015 +0000 - - upstream commit + openssh_RSA_verify return type is int, so don't make it + size_t within the function itself with only negative numbers or zero assigned + to it. bz#2460 - Plug leak of address passed to logging. bz#2373, patch - from jjelen at redhat, ok markus@ + Upstream-ID: b6e794b0c7fc4f9f329509263c8668d35f83ea55 -commit bb2289e2a47d465eaaaeff3dee2a6b7777b4c291 +commit 4f7cc2f8cc861a21e6dbd7f6c25652afb38b9b96 Author: dtucker@openbsd.org -Date: Tue Apr 14 04:17:03 2015 +0000 +Date: Fri Sep 4 08:21:47 2015 +0000 upstream commit - Output remote username in debug output since with Host - and Match it's not always obvious what it will be. bz#2368, ok djm@ + Plug minor memory leaks when options are used more than + once. bz#2182, patch from Tiago Cunha, ok deraadt djm + + Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e -commit 70860b6d07461906730632f9758ff1b7c98c695a +commit 7ad8b287c8453a3e61dbc0d34d467632b8b06fc8 Author: Darren Tucker -Date: Fri Apr 17 10:56:13 2015 +1000 +Date: Fri Sep 11 13:11:02 2015 +1000 - Format UsePAM setting when using sshd -T. + Force resolution of _res for correct detection. - Part of bz#2346, patch from jjelen at redhat com. + bz#2259, from sconeu at yahoo.com. -commit ee15d9c9f0720f5a8b0b34e4b10ecf21f9824814 -Author: Darren Tucker -Date: Fri Apr 17 10:40:23 2015 +1000 +commit 26ad18247213ff72b4438abe7fc660c958810fa2 +Author: Damien Miller +Date: Thu Sep 10 10:57:41 2015 +1000 - Wrap endian.h include inside ifdef (bz#2370). + allow getrandom syscall; from Felix von Leitner -commit 408f4c2ad4a4c41baa7b9b2b7423d875abbfa70b -Author: Darren Tucker -Date: Fri Apr 17 09:39:58 2015 +1000 +commit 5245bc1e6b129a10a928f73f11c3aa32656c44b4 +Author: jmc@openbsd.org +Date: Fri Sep 4 06:40:45 2015 +0000 - Look for '${host}-ar' before 'ar'. + upstream commit - This changes configure.ac to look for '${host}-ar' as set by - AC_CANONICAL_HOST before looking for the unprefixed 'ar'. - Useful when cross-compiling when all your binutils are prefixed. + full stop belongs outside the brackets, not inside; - Patch from moben at exherbo org via astrand at lysator liu se and - bz#2352. - -commit 673a1c16ad078d41558247ce739fe812c960acc8 -Author: Damien Miller -Date: Thu Apr 16 11:40:20 2015 +1000 - - remove dependency on arpa/telnet.h - -commit 202d443eeda1829d336595a3cfc07827e49f45ed -Author: Darren Tucker -Date: Wed Apr 15 15:59:49 2015 +1000 - - Remove duplicate include of pwd.h. bz#2337, patch from Mordy Ovits. + Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a -commit 597986493412c499f2bc2209420cb195f97b3668 -Author: Damien Miller -Date: Thu Apr 9 10:14:48 2015 +1000 +commit a85768a9321d74b41219eeb3c9be9f1702cbf6a5 +Author: djm@openbsd.org +Date: Fri Sep 4 04:56:09 2015 +0000 - platform's with openpty don't need pty_release + upstream commit + + add a debug2() right before DNS resolution; it's a place + where ssh could previously silently hang for a while. bz#2433 + + Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0 -commit 318be28cda1fd9108f2e6f2f86b0b7589ba2aed0 +commit 46152af8d27aa34d5d26ed1c371dc8aa142d4730 Author: djm@openbsd.org -Date: Mon Apr 13 02:04:08 2015 +0000 +Date: Fri Sep 4 04:55:24 2015 +0000 upstream commit - deprecate ancient, pre-RFC4419 and undocumented - SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems - reasonable" dtucker@ + correct function name in error messages + + Upstream-ID: 92fb2798617ad9561370897f4ab60adef2ff4c0e -commit d8f391caef62378463a0e6b36f940170dadfe605 -Author: dtucker@openbsd.org -Date: Fri Apr 10 05:16:50 2015 +0000 +commit a954cdb799a4d83c2d40fbf3e7b9f187fbfd72fc +Author: djm@openbsd.org +Date: Fri Sep 4 04:47:50 2015 +0000 upstream commit - Don't send hostkey advertisments - (hostkeys-00@openssh.com) to current versions of Tera Term as they can't - handle them. Newer versions should be OK. Patch from Bryan Drewery and - IWAMOTO Kouichi, ok djm@ + better document ExitOnForwardFailure; bz#2444, ok + dtucker@ + + Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2 -commit 2c2cfe1a1c97eb9a08cc9817fd0678209680c636 +commit f54d8ac2474b6fc3afa081cf759b48a6c89d3319 Author: djm@openbsd.org -Date: Fri Apr 10 00:08:55 2015 +0000 +Date: Fri Sep 4 04:44:08 2015 +0000 upstream commit - include port number if a non-default one has been - specified; based on patch from Michael Handler + don't record hostbased authentication hostkeys as user + keys in test for multiple authentication with the same key + + Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc -commit 4492a4f222da4cf1e8eab12689196322e27b08c4 +commit ac3451dd65f27ecf85dc045c46d49e2bbcb8dddd Author: djm@openbsd.org -Date: Tue Apr 7 23:00:42 2015 +0000 +Date: Fri Sep 4 03:57:38 2015 +0000 upstream commit - treat Protocol=1,2|2,1 as Protocol=2 when compiled - without SSH1 support; ok dtucker@ millert@ + remove extra newline in nethack-mode hostkey; from + Christian Hesse bz#2686 + + Upstream-ID: 4f56368b1cc47baeea0531912186f66007fd5b92 -commit c265e2e6e932efc6d86f6cc885dea33637a67564 -Author: miod@openbsd.org -Date: Sun Apr 5 15:43:43 2015 +0000 +commit 9e3ed9ebb1a7e47c155c28399ddf09b306ea05df +Author: djm@openbsd.org +Date: Fri Sep 4 04:23:10 2015 +0000 upstream commit - Do not use int for sig_atomic_t; spotted by - christos@netbsd; ok markus@ + trim junk from end of file; bz#2455 from Jakub Jelen + + Upstream-Regress-ID: a4e64e8931e40d23874b047074444eff919cdfe6 -commit e7bf3a5eda6a1b02bef6096fed78527ee11e54cc -Author: Darren Tucker -Date: Tue Apr 7 10:48:04 2015 +1000 +commit f3a3ea180afff080bab82087ee0b60db9fd84f6c +Author: jsg@openbsd.org +Date: Wed Sep 2 07:51:12 2015 +0000 - Use do{}while(0) for no-op functions. + upstream commit - From FreeBSD. + Fix occurrences of "r = func() != 0" which result in the + wrong error codes being returned due to != having higher precedence than =. + + ok deraadt@ markus@ + + Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840 -commit bb99844abae2b6447272f79e7fa84134802eb4df -Author: Darren Tucker -Date: Tue Apr 7 10:47:15 2015 +1000 +commit f498a98cf83feeb7ea01c15cd1c98b3111361f3a +Author: Damien Miller +Date: Thu Sep 3 09:11:22 2015 +1000 - Wrap blf.h include in ifdef. From FreeBSD. + don't check for yp_match; ok tim@ -commit d9b9b43656091cf0ad55c122f08fadb07dad0abd -Author: Darren Tucker -Date: Tue Apr 7 09:10:00 2015 +1000 +commit 9690b78b7848b0b376980a61d51b1613e187ddb5 +Author: djm@openbsd.org +Date: Fri Aug 21 23:57:48 2015 +0000 - Fix misspellings of regress CONFOPTS env variables. + upstream commit - Patch from Bryan Drewery. + Improve printing of KEX offers and decisions + + The debug output now labels the client and server offers and the + negotiated options. ok markus@ + + Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb -commit 3f4ea3c9ab1d32d43c9222c4351f58ca11144156 +commit 60a92470e21340e1a3fc10f9c7140d8e1519dc55 Author: djm@openbsd.org -Date: Fri Apr 3 22:17:27 2015 +0000 +Date: Fri Aug 21 23:53:08 2015 +0000 upstream commit - correct return value in pubkey parsing, spotted by Ben Hawkes - ok markus@ + Fix printing (ssh -G ...) of HostKeyAlgorithms=+... + Reported by Bryan Drewery + + Upstream-ID: 19ad20c41bd5971e006289b6f9af829dd46c1293 -commit 7da2be0cb9601ed25460c83aa4d44052b967ba0f +commit 6310f60fffca2d1e464168e7d1f7e3b6b0268897 Author: djm@openbsd.org -Date: Tue Mar 31 22:59:01 2015 +0000 +Date: Fri Aug 21 23:52:30 2015 +0000 upstream commit - adapt to recent hostfile.c change: when parsing - known_hosts without fully parsing the keys therein, hostkeys_foreach() will - now correctly identify KEY_RSA1 keys; ok markus@ miod@ + Fix expansion of HostkeyAlgorithms=+... + + Reported by Bryan Drewery + + Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d -commit 9e1777a0d1c706714b055811c12ab8cc21033e4a -Author: markus@openbsd.org -Date: Tue Mar 24 20:19:15 2015 +0000 +commit e774e5ea56237fd626a8161f9005023dff3e76c9 +Author: deraadt@openbsd.org +Date: Fri Aug 21 23:29:31 2015 +0000 upstream commit - use ${SSH} for -Q instead of installed ssh + Improve size == 0, count == 0 checking in mm_zalloc, + which is "array" like. Discussed with tedu, millert, otto.... and ok djm + + Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29 -commit ce1b358ea414a2cc88e4430cd5a2ea7fecd9de57 -Author: djm@openbsd.org -Date: Mon Mar 16 22:46:14 2015 +0000 +commit 189de02d9ad6f3645417c0ddf359b923aae5f926 +Author: Damien Miller +Date: Fri Aug 21 15:45:02 2015 +1000 - upstream commit - - make CLEANFILES clean up more of the tests' droppings + expose POLLHUP and POLLNVAL for netcat.c -commit 398f9ef192d820b67beba01ec234d66faca65775 -Author: djm@openbsd.org -Date: Tue Mar 31 22:57:06 2015 +0000 +commit e91346dc2bbf460246df2ab591b7613908c1b0ad +Author: Damien Miller +Date: Fri Aug 21 14:49:03 2015 +1000 - upstream commit - - downgrade error() for known_hosts parse errors to debug() - to quiet warnings from ssh1 keys present when compiled !ssh1. - - also identify ssh1 keys when scanning, even when compiled !ssh1 - - ok markus@ miod@ + we don't use Github for issues/pull-requests -commit 9a47ab80030a31f2d122b8fd95bd48c408b9fcd9 +commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23 +Author: Damien Miller +Date: Fri Aug 21 14:43:55 2015 +1000 + + fix URL for connect.c + +commit d026a8d3da0f8186598442997c7d0a28e7275414 +Author: Damien Miller +Date: Fri Aug 21 13:47:10 2015 +1000 + + update version numbers for 7.1 + +commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed Author: djm@openbsd.org -Date: Tue Mar 31 22:55:50 2015 +0000 +Date: Fri Aug 21 03:45:26 2015 +0000 upstream commit - fd leak for !ssh1 case; found by unittests; ok markus@ + openssh-7.1 + + Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f -commit c9a0805a6280681901c270755a7cd630d7c5280e +commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf Author: djm@openbsd.org -Date: Tue Mar 31 22:55:24 2015 +0000 +Date: Fri Aug 21 03:42:19 2015 +0000 upstream commit - don't fatal when a !ssh1 sshd is reexeced from a w/ssh1 - listener; reported by miod@; ok miod@ markus@ + fix inverted logic that broke PermitRootLogin; reported + by Mantas Mikulenas; ok markus@ + + Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5 -commit 704d8c88988cae38fb755a6243b119731d223222 -Author: tobias@openbsd.org -Date: Tue Mar 31 11:06:49 2015 +0000 +commit ce445b0ed927e45bd5bdce8f836eb353998dd65c +Author: deraadt@openbsd.org +Date: Thu Aug 20 22:32:42 2015 +0000 upstream commit - Comments are only supported for RSA1 keys. If a user - tried to add one and entered his passphrase, explicitly clear it before exit. - This is done in all other error paths, too. + Do not cast result of malloc/calloc/realloc* if stdlib.h + is in scope ok krw millert - ok djm + Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667 -commit 78de1673c05ea2c33e0d4a4b64ecb5186b6ea2e9 -Author: jmc@openbsd.org -Date: Mon Mar 30 18:28:37 2015 +0000 +commit 05291e5288704d1a98bacda269eb5a0153599146 +Author: naddy@openbsd.org +Date: Thu Aug 20 19:20:06 2015 +0000 upstream commit - ssh-askpass(1) is the default, overridden by SSH_ASKPASS; - diff originally from jiri b; + In the certificates section, be consistent about using + "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@ + + Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb -commit 26e0bcf766fadb4a44fb6199386fb1dcab65ad00 +commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4 Author: djm@openbsd.org -Date: Mon Mar 30 00:00:29 2015 +0000 +Date: Wed Aug 19 23:21:42 2015 +0000 upstream commit - fix uninitialised memory read when parsing a config file - consisting of a single nul byte. Found by hanno AT hboeck.de using AFL; ok - dtucker - -commit fecede00a76fbb33a349f5121c0b2f9fbc04a777 -Author: markus@openbsd.org -Date: Thu Mar 26 19:32:19 2015 +0000 - - upstream commit + Better compat matching for WinSCP, add compat matching + for FuTTY (fork of PuTTY); ok markus@ deraadt@ - sigp and lenp are not optional in ssh_agent_sign(); ok - djm@ + Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389 -commit 1b0ef3813244c78669e6d4d54c624f600945327d -Author: naddy@openbsd.org -Date: Thu Mar 26 12:32:38 2015 +0000 +commit ec6eda16ebab771aa3dfc90629b41953b999cb1e +Author: djm@openbsd.org +Date: Wed Aug 19 23:19:01 2015 +0000 upstream commit - don't try to load .ssh/identity by default if SSH1 is - disabled; ok markus@ + fix double-free() in error path of DSA key generation + reported by Mateusz Kocielski; ok markus@ + + Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c -commit f9b78852379b74a2d14e6fc94fe52af30b7e9c31 +commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b Author: djm@openbsd.org -Date: Thu Mar 26 07:00:04 2015 +0000 +Date: Wed Aug 19 23:18:26 2015 +0000 upstream commit - ban all-zero curve25519 keys as recommended by latest - CFRG curves draft; ok markus + fix free() of uninitialised pointer reported by Mateusz + Kocielski; ok markus@ + + Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663 -commit b8afbe2c1aaf573565e4da775261dfafc8b1ba9c +commit c837643b93509a3ef538cb6624b678c5fe32ff79 Author: djm@openbsd.org -Date: Thu Mar 26 06:59:28 2015 +0000 +Date: Wed Aug 19 23:17:51 2015 +0000 upstream commit - relax bits needed check to allow - diffie-hellman-group1-sha1 key exchange to complete for chacha20-poly1305 was - selected as symmetric cipher; ok markus + fixed unlink([uninitialised memory]) reported by Mateusz + Kocielski; ok markus@ + + Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109 -commit 47842f71e31da130555353c1d57a1e5a8937f1c0 -Author: markus@openbsd.org -Date: Wed Mar 25 19:29:58 2015 +0000 +commit 1f8d3d629cd553031021068eb9c646a5f1e50994 +Author: jmc@openbsd.org +Date: Fri Aug 14 15:32:41 2015 +0000 upstream commit - ignore v1 errors on ssh-add -D; only try v2 keys on - -l/-L (unless WITH_SSH1) ok djm@ + match myproposal.h order; from brian conway (i snuck in a + tweak while here) + + ok dtucker + + Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67 -commit 5f57e77f91bf2230c09eca96eb5ecec39e5f2da6 -Author: markus@openbsd.org -Date: Wed Mar 25 19:21:48 2015 +0000 +commit 1dc8d93ce69d6565747eb44446ed117187621b26 +Author: deraadt@openbsd.org +Date: Thu Aug 6 14:53:21 2015 +0000 upstream commit - unbreak ssh_agent_sign (lenp vs *lenp) + add prohibit-password as a synonymn for without-password, + since the without-password is causing too many questions. Harden it to ban + all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from + djm, ok markus + + Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a -commit 4daeb67181054f2a377677fac919ee8f9ed3490e -Author: markus@openbsd.org -Date: Tue Mar 24 20:10:08 2015 +0000 +commit 90a95a4745a531b62b81ce3b025e892bdc434de5 +Author: Damien Miller +Date: Tue Aug 11 13:53:41 2015 +1000 - upstream commit - - don't leak 'setp' on error; noted by Nicholas Lemonias; - ok djm@ + update version in README -commit 7d4f96f9de2a18af0d9fa75ea89a4990de0344f5 -Author: markus@openbsd.org -Date: Tue Mar 24 20:09:11 2015 +0000 +commit 318c37743534b58124f1bab37a8a0087a3a9bd2f +Author: Damien Miller +Date: Tue Aug 11 13:53:09 2015 +1000 - upstream commit - - consistent check for NULL as noted by Nicholas - Lemonias; ok djm@ + update versions in *.spec -commit df100be51354e447d9345cf1ec22e6013c0eed50 -Author: markus@openbsd.org -Date: Tue Mar 24 20:03:44 2015 +0000 +commit 5e75f5198769056089fb06c4d738ab0e5abc66f7 +Author: Damien Miller +Date: Tue Aug 11 13:34:12 2015 +1000 - upstream commit + set sshpam_ctxt to NULL after free - correct fmt-string for size_t as noted by Nicholas - Lemonias; ok djm@ + Avoids use-after-free in monitor when privsep child is compromised. + Reported by Moritz Jodeit; ok dtucker@ -commit a22b9ef21285e81775732436f7c84a27bd3f71e0 -Author: djm@openbsd.org -Date: Tue Mar 24 09:17:21 2015 +0000 +commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b +Author: Damien Miller +Date: Tue Aug 11 13:33:24 2015 +1000 - upstream commit + Don't resend username to PAM; it already has it. - promote chacha20-poly1305@openssh.com to be the default - cipher; ok markus + Pointed out by Moritz Jodeit; ok dtucker@ -commit 2aa9da1a3b360cf7b13e96fe1521534b91501fb5 -Author: djm@openbsd.org -Date: Tue Mar 24 01:29:19 2015 +0000 +commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca +Author: Darren Tucker +Date: Mon Jul 27 12:14:25 2015 +1000 - upstream commit - - Compile-time disable SSH protocol 1. You can turn it - back on using the Makefile.inc knob if you need it to talk to ancient - devices. + Import updated moduli file from OpenBSD. -commit 53097b2022154edf96b4e8526af5666f979503f7 -Author: djm@openbsd.org -Date: Tue Mar 24 01:11:12 2015 +0000 +commit 55b263fb7cfeacb81aaf1c2036e0394c881637da +Author: Damien Miller +Date: Mon Aug 10 11:13:44 2015 +1000 - upstream commit - - fix double-negative error message "ssh1 is not - unsupported" + let principals-command.sh work for noexec /var/run -commit 5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9 +commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897 +Author: Damien Miller +Date: Thu Aug 6 11:43:42 2015 +1000 + + work around echo -n / sed behaviour in tests + +commit d85dad81778c1aa8106acd46930b25fdf0d15b2a Author: djm@openbsd.org -Date: Mon Mar 23 06:06:38 2015 +0000 +Date: Wed Aug 5 05:27:33 2015 +0000 upstream commit - for ssh-keygen -A, don't try (and fail) to generate ssh - v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled - without OpenSSL based on patch by Mike Frysinger; bz#2369 + adjust for RSA minimum modulus switch; ok deraadt@ + + Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae -commit 725fd22a8c41db7de73a638539a5157b7e4424ae +commit 57e8e229bad5fe6056b5f1199665f5f7008192c6 Author: djm@openbsd.org -Date: Wed Mar 18 01:44:21 2015 +0000 +Date: Tue Aug 4 05:23:06 2015 +0000 upstream commit - KRL support doesn't need OpenSSL anymore, remove #ifdefs - from around call + backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this + release; problems spotted by sthen@ ok deraadt@ markus@ + + Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822 -commit b07011c18e0b2e172c5fd09d21fb159a0bf5fcc7 +commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a Author: djm@openbsd.org -Date: Mon Mar 16 11:09:52 2015 +0000 +Date: Sun Aug 2 09:56:42 2015 +0000 upstream commit - #if 0 some more arrays used only for decrypting (we don't - use since we only need encrypt for AES-CTR) + openssh 7.0; ok deraadt@ + + Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f -commit 1cb3016635898d287e9d58b50c430995652d5358 -Author: jsg@openbsd.org -Date: Wed Mar 11 00:48:39 2015 +0000 +commit 3d5728a0f6874ce4efb16913a12963595070f3a9 +Author: chris@openbsd.org +Date: Fri Jul 31 15:38:09 2015 +0000 upstream commit - add back the changes from rev 1.206, djm reverted this by - mistake in rev 1.207 - -commit 4d24b3b6a4a6383e05e7da26d183b79fa8663697 -Author: Damien Miller -Date: Fri Mar 20 09:11:59 2015 +1100 - - remove error() accidentally inserted for debugging + Allow PermitRootLogin to be overridden by config - pointed out by Christian Hesse - -commit 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb -Author: Tim Rice -Date: Mon Mar 16 22:49:20 2015 -0700 - - portability fix: Solaris systems may not have a grep that understands -q - -commit 8ef691f7d9ef500257a549d0906d78187490668f -Author: Damien Miller -Date: Wed Mar 11 10:35:26 2015 +1100 - - fix compile with clang + ok markus@ deeradt@ + + Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4 -commit 4df590cf8dc799e8986268d62019b487a8ed63ad -Author: Damien Miller -Date: Wed Mar 11 10:02:39 2015 +1100 +commit 6f941396b6835ad18018845f515b0c4fe20be21a +Author: djm@openbsd.org +Date: Thu Jul 30 23:09:15 2015 +0000 - make unit tests work for !OPENSSH_HAS_ECC + upstream commit + + fix pty permissions; patch from Nikolay Edigaryev; ok + deraadt + + Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550 -commit 307bb40277ca2c32e97e61d70d1ed74b571fd6ba -Author: djm@openbsd.org -Date: Sat Mar 7 04:41:48 2015 +0000 +commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0 +Author: deraadt@openbsd.org +Date: Thu Jul 30 19:23:02 2015 +0000 upstream commit - unbreak for w/SSH1 (default) case; ok markus@ deraadt@ + change default: PermitRootLogin without-password matching + install script changes coming as well ok djm markus + + Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6 -commit b44ee0c998fb4c5f3c3281f2398af5ce42840b6f +commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c Author: Damien Miller -Date: Thu Mar 5 18:39:20 2015 -0800 +Date: Thu Jul 30 12:31:39 2015 +1000 - unbreak hostkeys test for w/ SSH1 case + downgrade OOM adjustment logging: verbose -> debug -commit 55e5bdeb519cb60cc18b7ba0545be581fb8598b4 +commit f9eca249d4961f28ae4b09186d7dc91de74b5895 Author: djm@openbsd.org -Date: Fri Mar 6 01:40:56 2015 +0000 +Date: Thu Jul 30 00:01:34 2015 +0000 upstream commit - fix sshkey_certify() return value for unsupported key types; - ok markus@ deraadt@ + Allow ssh_config and sshd_config kex parameters options be + prefixed by a '+' to indicate that the specified items be appended to the + default rather than replacing it. + + approach suggested by dtucker@, feedback dlg@, ok markus@ + + Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a -commit be8f658e550a434eac04256bfbc4289457a24e99 -Author: Damien Miller -Date: Wed Mar 4 15:38:03 2015 -0800 +commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163 +Author: djm@openbsd.org +Date: Wed Jul 29 08:34:54 2015 +0000 - update version numbers to match version.h + upstream commit + + fix bug in previous; was printing incorrect string for + failed host key algorithms negotiation + + Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e -commit ac5e8acefa253eb5e5ba186e34236c0e8007afdc +commit f319912b0d0e1675b8bb051ed8213792c788bcb2 Author: djm@openbsd.org -Date: Wed Mar 4 23:22:35 2015 +0000 +Date: Wed Jul 29 04:43:06 2015 +0000 upstream commit - make these work with !SSH1; ok markus@ deraadt@ + include the peer's offer when logging a failure to + negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@ + + Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796 -commit 2f04af92f036b0c87a23efb259c37da98cd81fe6 +commit b6ea0e573042eb85d84defb19227c89eb74cf05a Author: djm@openbsd.org -Date: Wed Mar 4 21:12:59 2015 +0000 +Date: Tue Jul 28 23:20:42 2015 +0000 upstream commit - make ssh-add -D work with !SSH1 agent + add Cisco to the list of clients that choke on the + hostkeys update extension. Pointed out by Howard Kash + + Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84 -commit a05adf95d2af6abb2b7826ddaa7a0ec0cdc1726b -Author: Damien Miller -Date: Wed Mar 4 00:55:48 2015 -0800 +commit 3f628c7b537291c1019ce86af90756fb4e66d0fd +Author: guenther@openbsd.org +Date: Mon Jul 27 16:29:23 2015 +0000 - netcat needs poll.h portability goop + upstream commit + + Permit kbind(2) use in the sandbox now, to ease testing + of ld.so work using it + + reminded by miod@, ok deraadt@ + + Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413 -commit dad2b1892b4c1b7e58df483a8c5b983c4454e099 -Author: markus@openbsd.org -Date: Tue Mar 3 22:35:19 2015 +0000 +commit ebe27ebe520098bbc0fe58945a87ce8490121edb +Author: millert@openbsd.org +Date: Mon Jul 20 18:44:12 2015 +0000 upstream commit - make it possible to run tests w/o ssh1 support; ok djm@ + Move .Pp before .Bl, not after to quiet mandoc -Tlint. + Noticed by jmc@ + + Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23 -commit d48a22601bdd3eec054794c535f4ae8d8ae4c6e2 -Author: djm@openbsd.org -Date: Wed Mar 4 18:53:53 2015 +0000 +commit d5d91d0da819611167782c66ab629159169d94d4 +Author: millert@openbsd.org +Date: Mon Jul 20 18:42:35 2015 +0000 upstream commit - crank; ok markus, deraadt + Sync usage with SYNOPSIS + + Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7 -commit bbffb23daa0b002dd9f296e396a9ab8a5866b339 -Author: Damien Miller -Date: Tue Mar 3 13:50:27 2015 -0800 +commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743 +Author: millert@openbsd.org +Date: Mon Jul 20 15:39:52 2015 +0000 - more --without-ssh1 fixes + upstream commit + + Better desciption of Unix domain socket forwarding. + bz#2423; ok jmc@ + + Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d -commit 6c2039286f503e2012a58a1d109e389016e7a99b +commit d56fd1828074a4031b18b8faa0bf949669eb18a0 Author: Damien Miller -Date: Tue Mar 3 13:48:48 2015 -0800 +Date: Mon Jul 20 11:19:51 2015 +1000 - fix merge both that broke --without-ssh1 compile + make realpath.c compile -Wsign-compare clean -commit 111dfb225478a76f89ecbcd31e96eaf1311b59d3 +commit c63c9a691dca26bb7648827f5a13668832948929 Author: djm@openbsd.org -Date: Tue Mar 3 21:21:13 2015 +0000 +Date: Mon Jul 20 00:30:01 2015 +0000 upstream commit - add SSH1 Makefile knob to make it easier to build without - SSH1 support; ok markus@ + mention that the default of UseDNS=no implies that + hostnames cannot be used for host matching in sshd_config and + authorized_keys; bz#2045, ok dtucker@ + + Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1 -commit 3f7f5e6c5d2aa3f6710289c1a30119e534e56c5c +commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76 Author: djm@openbsd.org -Date: Tue Mar 3 20:42:49 2015 +0000 +Date: Sat Jul 18 08:02:17 2015 +0000 upstream commit - expand __unused to full __attribute__ for better portability - -commit 2fab9b0f8720baf990c931e3f68babb0bf9949c6 -Author: Damien Miller -Date: Wed Mar 4 07:41:27 2015 +1100 - - avoid warning + don't ignore PKCS#11 hosted keys that return empty + CKA_ID; patch by Jakub Jelen via bz#2429; ok markus + + Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485 -commit d1bc844322461f882b4fd2277ba9a8d4966573d2 -Author: Damien Miller -Date: Wed Mar 4 06:31:45 2015 +1100 +commit b15fd989c8c62074397160147a8d5bc34b3f3c63 +Author: djm@openbsd.org +Date: Sat Jul 18 08:00:21 2015 +0000 - Revert "define __unused to nothing if not already defined" + upstream commit - This reverts commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908. + skip uninitialised PKCS#11 slots; patch from Jakub Jelen + in bz#2427 ok markus@ - Some system headers have objects named __unused + Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29 -commit 00797e86b2d98334d1bb808f65fa1fd47f328ff1 -Author: Damien Miller -Date: Wed Mar 4 05:02:45 2015 +1100 +commit 5b64f85bb811246c59ebab70aed331f26ba37b18 +Author: djm@openbsd.org +Date: Sat Jul 18 07:57:14 2015 +0000 - check for crypt and DES_crypt in openssl block + upstream commit - fixes builds on systems that use DES_crypt; based on patch - from Roumen Petrov - -commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908 -Author: Damien Miller -Date: Wed Mar 4 04:59:13 2015 +1100 - - define __unused to nothing if not already defined + only query each keyboard-interactive device once per + authentication request regardless of how many times it is listed; ok markus@ - fixes builds on BSD/OS + Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1 -commit d608a51daad4f14ad6ab43d7cf74ef4801cc3fe9 +commit cd7324d0667794eb5c236d8a4e0f236251babc2d Author: djm@openbsd.org -Date: Tue Mar 3 17:53:40 2015 +0000 +Date: Fri Jul 17 03:34:27 2015 +0000 upstream commit - reorder logic for better portability; patch from Roumen - Petrov + remove -u flag to diff (only used for error output) to make + things easier for -portable + + Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548 -commit 68d2dfc464fbcdf8d6387884260f9801f4352393 +commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a Author: djm@openbsd.org -Date: Tue Mar 3 06:48:58 2015 +0000 +Date: Fri Jul 17 03:09:19 2015 +0000 upstream commit - Allow "ssh -Q protocol-version" to list supported SSH - protocol versions. Useful for detecting builds without SSH v.1 support; idea - and ok markus@ + direct-streamlocal@openssh.com Unix domain foward + messages do not contain a "reserved for future use" field and in fact, + serverloop.c checks that there isn't one. Remove erroneous mention from + PROTOCOL description. bz#2421 from Daniel Black + + Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac -commit 39e2f1229562e1195169905607bc12290d21f021 -Author: millert@openbsd.org -Date: Sun Mar 1 15:44:40 2015 +0000 +commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52 +Author: djm@openbsd.org +Date: Fri Jul 17 03:04:27 2015 +0000 upstream commit - Make sure we only call getnameinfo() for AF_INET or AF_INET6 - sockets. getpeername() of a Unix domain socket may return without error on - some systems without actually setting ss_family so getnameinfo() was getting - called with ss_family set to AF_UNSPEC. OK djm@ - -commit e47536ba9692d271b8ad89078abdecf0a1c11707 -Author: Damien Miller -Date: Sat Feb 28 08:20:11 2015 -0800 - - portability fixes for regress/netcat.c + describe magic for setting up Unix domain socket fowards + via the mux channel; bz#2422 patch from Daniel Black - Mostly avoiding "err(1, NULL)" + Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861 -commit 02973ad5f6f49d8420e50a392331432b0396c100 -Author: Damien Miller -Date: Sat Feb 28 08:05:27 2015 -0800 +commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc +Author: Darren Tucker +Date: Fri Jul 17 12:52:34 2015 +1000 - twiddle another test for portability + Check if realpath works on nonexistent files. - from Tom G. Christensen + On some platforms the native realpath doesn't work with non-existent + files (this is actually specified in some versions of POSIX), however + the sftp spec says its realpath with "canonicalize any given path name". + On those platforms, use realpath from the compat library. + + In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines + the realpath symbol to the checked version, so redefine ours to + something else so we pick up the compat version we want. + + bz#2428, ok djm@ -commit f7f3116abf2a6e2f309ab096b08c58d19613e5d0 -Author: Damien Miller -Date: Fri Feb 27 15:52:49 2015 -0800 +commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0 +Author: djm@openbsd.org +Date: Fri Jul 17 02:47:45 2015 +0000 - twiddle test for portability + upstream commit + + fix incorrect test for SSH1 keys when compiled without SSH1 + support + + Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451 -commit 1ad3a77cc9d5568f5437ff99d377aa7a41859b83 -Author: Damien Miller -Date: Thu Feb 26 20:33:22 2015 -0800 +commit df56a8035d429b2184ee94aaa7e580c1ff67f73a +Author: djm@openbsd.org +Date: Wed Jul 15 08:00:11 2015 +0000 - make regress/netcat.c fd passing (more) portable + upstream commit + + fix NULL-deref when SSH1 reenabled + + Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295 -commit 9e1cfca7e1fe9cf8edb634fc894e43993e4da1ea -Author: Damien Miller -Date: Thu Feb 26 20:32:58 2015 -0800 +commit 41e38c4d49dd60908484e6703316651333f16b93 +Author: djm@openbsd.org +Date: Wed Jul 15 07:19:50 2015 +0000 - create OBJ/valgrind-out before running unittests + upstream commit + + regen RSA1 test keys; the last batch was missing their + private parts + + Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a -commit bd58853102cee739f0e115e6d4b5334332ab1442 -Author: Damien Miller -Date: Wed Feb 25 16:58:22 2015 -0800 +commit 5bf0933184cb622ca3f96d224bf3299fd2285acc +Author: markus@openbsd.org +Date: Fri Jul 10 06:23:25 2015 +0000 - valgrind support + upstream commit + + Adapt tests, now that DSA if off by default; use + PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA. + + Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c -commit f43d17269194761eded9e89f17456332f4c83824 -Author: djm@openbsd.org -Date: Thu Feb 26 20:45:47 2015 +0000 +commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc +Author: markus@openbsd.org +Date: Tue Jul 7 14:54:16 2015 +0000 upstream commit - don't printf NULL key comments; reported by Tom Christensen + regen test data after mktestdata.sh changes + + Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4 -commit 6e6458b476ec854db33e3e68ebf4f489d0ab3df8 -Author: djm@openbsd.org -Date: Wed Feb 25 23:05:47 2015 +0000 +commit 7c8c174c69f681d4910fa41c37646763692b28e2 +Author: markus@openbsd.org +Date: Tue Jul 7 14:53:30 2015 +0000 upstream commit - zero cmsgbuf before use; we initialise the bits we use - but valgrind still spams warning on it + adapt tests to new minimum RSA size and default FP format + + Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e -commit a63cfa26864b93ab6afefad0b630e5358ed8edfa +commit 6a977a4b68747ade189e43d302f33403fd4a47ac Author: djm@openbsd.org -Date: Wed Feb 25 19:54:02 2015 +0000 +Date: Fri Jul 3 04:39:23 2015 +0000 upstream commit - fix small memory leak when UpdateHostkeys=no + legacy v00 certificates are gone; adapt and don't try to + test them; "sure" markus@ dtucker@ + + Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12 -commit e6b950341dd75baa8526f1862bca39e52f5b879b -Author: Tim Rice -Date: Wed Feb 25 09:56:48 2015 -0800 +commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385 +Author: djm@openbsd.org +Date: Wed Jul 1 23:11:18 2015 +0000 - Revert "Work around finicky USL linker so netcat will build." + upstream commit - This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b. + don't expect SSH v.1 in unittests - No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3 + Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397 -commit 6f621603f9cff2a5d6016a404c96cb2f8ac2dec0 +commit 3c099845798a817cdde513c39074ec2063781f18 Author: djm@openbsd.org -Date: Wed Feb 25 17:29:38 2015 +0000 +Date: Mon Jun 15 06:38:50 2015 +0000 upstream commit - don't leak validity of user in "too many authentication - failures" disconnect message; reported by Sebastian Reitenbach + turn SSH1 back on to match src/usr.bin/ssh being tested + + Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333 -commit 6288e3a935494df12519164f52ca5c8c65fc3ca5 -Author: naddy@openbsd.org -Date: Tue Feb 24 15:24:05 2015 +0000 +commit b1dc2b33689668c75e95f873a42d5aea1f4af1db +Author: dtucker@openbsd.org +Date: Mon Jul 13 04:57:14 2015 +0000 upstream commit - add -v (show ASCII art) to -l's synopsis; ok djm@ + Add "PuTTY_Local:" to the clients to which we do not + offer DH-GEX. This was the string that was used for development versions + prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately + there are some extant products based on those versions. bx2424 from Jay + Rouman, ok markus@ djm@ + + Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5 -commit 678e473e2af2e4802f24dd913985864d9ead7fb3 -Author: Darren Tucker -Date: Thu Feb 26 04:12:58 2015 +1100 +commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 +Author: markus@openbsd.org +Date: Fri Jul 10 06:21:53 2015 +0000 - Remove dependency on xmalloc. + upstream commit - Remove ssh_get_progname's dependency on xmalloc, which should reduce - link order problems. ok djm@ + Turn off DSA by default; add HostKeyAlgorithms to the + server and PubkeyAcceptedKeyTypes to the client side, so it still can be + tested or turned back on; feedback and ok djm@ + + Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21 -commit 5d5ec165c5b614b03678afdad881f10e25832e46 -Author: Darren Tucker -Date: Wed Feb 25 15:32:49 2015 +1100 +commit 16db0a7ee9a87945cc594d13863cfcb86038db59 +Author: markus@openbsd.org +Date: Thu Jul 9 09:49:46 2015 +0000 - Restrict ECDSA and ECDH tests. + upstream commit - ifdef out some more ECDSA and ECDH tests when built against an OpenSSL - that does not have eliptic curve functionality. + re-enable ed25519-certs if compiled w/o openssl; ok djm + + Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49 -commit 1734e276d99b17e92d4233fac7aef3a3180aaca7 -Author: Darren Tucker -Date: Wed Feb 25 13:40:45 2015 +1100 +commit c355bf306ac33de6545ce9dac22b84a194601e2f +Author: markus@openbsd.org +Date: Wed Jul 8 20:24:02 2015 +0000 - Move definition of _NSIG. + upstream commit - _NSIG is only unsed in one file, so move it there prevent redefinition - warnings reported by Kevin Brott. + no need to include the old buffer/key API + + Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b -commit a47ead7c95cfbeb72721066c4da2312e5b1b9f3d -Author: Darren Tucker -Date: Wed Feb 25 13:17:40 2015 +1100 +commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee +Author: markus@openbsd.org +Date: Wed Jul 8 19:09:25 2015 +0000 - Add includes.h for compatibility stuff. + upstream commit + + typedefs for Cipher&CipherContext are unused + + Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7 -commit 38806bda6d2e48ad32812b461eebe17672ada771 -Author: Damien Miller -Date: Tue Feb 24 16:50:06 2015 -0800 +commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0 +Author: markus@openbsd.org +Date: Wed Jul 8 19:04:21 2015 +0000 - include netdb.h to look for MAXHOSTNAMELEN; ok tim + upstream commit + + xmalloc.h is unused + + Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58 -commit d1db656021d0cd8c001a6692f772f1de29b67c8b -Author: Tim Rice -Date: Tue Feb 24 10:42:08 2015 -0800 +commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31 +Author: markus@openbsd.org +Date: Wed Jul 8 19:01:15 2015 +0000 - Work around finicky USL linker so netcat will build. + upstream commit + + compress.c is gone + + Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced -commit cb030ce25f555737e8ba97bdd7883ac43f3ff2a3 -Author: Damien Miller -Date: Tue Feb 24 09:23:04 2015 -0800 +commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615 +Author: djm@openbsd.org +Date: Fri Jul 3 04:05:54 2015 +0000 - include includes.h to avoid build failure on AIX + upstream commit + + another SSH_RSA_MINIMUM_MODULUS_SIZE that needed + cranking + + Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1 -commit 13af342458f5064144abbb07e5ac9bbd4eb42567 -Author: Tim Rice -Date: Tue Feb 24 07:56:47 2015 -0800 +commit b1f383da5cd3cb921fc7776f17a14f44b8a31757 +Author: djm@openbsd.org +Date: Fri Jul 3 03:56:25 2015 +0000 - Original portability patch from djm@ for platforms missing err.h. - Fix name space clash on Solaris 10. Still more to do for Solaris 10 - to deal with msghdr structure differences. ok djm@ + upstream commit + + add an XXX reminder for getting correct key paths from + sshd_config + + Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db -commit 910209203d0cd60c5083901cbcc0b7b44d9f48d2 -Author: Tim Rice -Date: Mon Feb 23 22:06:56 2015 -0800 +commit 933935ce8d093996c34d7efa4d59113163080680 +Author: djm@openbsd.org +Date: Fri Jul 3 03:49:45 2015 +0000 - cleaner way fix dispatch.h portion of commit - a88dd1da119052870bb2654c1a32c51971eade16 - (some systems have sig_atomic_t in signal.h, some in sys/signal.h) - Sounds good to me djm@ - -commit 676c38d7cbe65b76bbfff796861bb6615cc6a596 -Author: Tim Rice -Date: Mon Feb 23 21:51:33 2015 -0800 - - portability fix: if we can't dind a better define for HOST_NAME_MAX, use 255 - -commit 1221b22023dce38cbc90ba77eae4c5d78c77a5e6 -Author: Tim Rice -Date: Mon Feb 23 21:50:34 2015 -0800 - - portablity fix: s/__inline__/inline/ - -commit 4c356308a88d309c796325bb75dce90ca16591d5 -Author: Darren Tucker -Date: Tue Feb 24 13:49:31 2015 +1100 - - Wrap stdint.h includes in HAVE_STDINT_H. - -commit c9c88355c6a27a908e7d1e5003a2b35ea99c1614 -Author: Darren Tucker -Date: Tue Feb 24 13:43:57 2015 +1100 - - Add AI_NUMERICSERV to fake-rfc2553. + upstream commit - Our getaddrinfo implementation always returns numeric values already. - -commit ef342ab1ce6fb9a4b30186c89c309d0ae9d0eeb4 -Author: Darren Tucker -Date: Tue Feb 24 13:39:57 2015 +1100 - - Include OpenSSL's objects.h before bn.h. + refuse to generate or accept RSA keys smaller than 1024 + bits; feedback and ok dtucker@ - Prevents compile errors on some platforms (at least old GCCs and AIX's - XLC compilers). + Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba -commit dcc8997d116f615195aa7c9ec019fb36c28c6228 -Author: Darren Tucker -Date: Tue Feb 24 12:30:59 2015 +1100 +commit bdfd29f60b74f3e678297269dc6247a5699583c1 +Author: djm@openbsd.org +Date: Fri Jul 3 03:47:00 2015 +0000 - Convert two macros into functions. + upstream commit - Convert packet_send_debug and packet_disconnect from macros to - functions. Some older GCCs (2.7.x, 2.95.x) see to have problems with - variadic macros with only one argument so we convert these two into - functions. ok djm@ + turn off 1024 bit diffie-hellman-group1-sha1 key + exchange method (already off in server, this turns it off in the client by + default too) ok dtucker@ + + Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa -commit 2285c30d51b7e2052c6526445abe7e7cc7e170a1 +commit c28fc62d789d860c75e23a9fa9fb250eb2beca57 Author: djm@openbsd.org -Date: Mon Feb 23 22:21:21 2015 +0000 +Date: Fri Jul 3 03:43:18 2015 +0000 upstream commit - further silence spurious error message even when -v is - specified (e.g. to get visual host keys); reported by naddy@ - -commit 9af21979c00652029e160295e988dea40758ece2 -Author: Damien Miller -Date: Tue Feb 24 09:04:32 2015 +1100 - - don't include stdint.h unless HAVE_STDINT_H set + delete support for legacy v00 certificates; "sure" + markus@ dtucker@ + + Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f -commit 62f678dd51660d6f8aee1da33d3222c5de10a89e -Author: Damien Miller -Date: Tue Feb 24 09:02:54 2015 +1100 +commit 564d63e1b4a9637a209d42a9d49646781fc9caef +Author: djm@openbsd.org +Date: Wed Jul 1 23:10:47 2015 +0000 - nother sys/queue.h -> sys-queue.h fix + upstream commit - spotted by Tom Christensen + Compile-time disable SSH v.1 again + + Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af -commit b3c19151cba2c0ed01b27f55de0d723ad07ca98f +commit 868109b650504dd9bcccdb1f51d0906f967c20ff Author: djm@openbsd.org -Date: Mon Feb 23 20:32:15 2015 +0000 +Date: Wed Jul 1 02:39:06 2015 +0000 upstream commit - fix a race condition by using a mux socket rather than an - ineffectual wait statement + twiddle PermitRootLogin back + + Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2 -commit a88dd1da119052870bb2654c1a32c51971eade16 -Author: Damien Miller -Date: Tue Feb 24 06:30:29 2015 +1100 +commit 7de4b03a6e4071d454b72927ffaf52949fa34545 +Author: djm@openbsd.org +Date: Wed Jul 1 02:32:17 2015 +0000 - various include fixes for portable + upstream commit + + twiddle; (this commit marks the openssh-6.9 release) + + Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234 -commit 5248429b5ec524d0a65507cff0cdd6e0cb99effd +commit 1bf477d3cdf1a864646d59820878783d42357a1d Author: djm@openbsd.org -Date: Mon Feb 23 16:55:51 2015 +0000 +Date: Wed Jul 1 02:26:31 2015 +0000 upstream commit - add an XXX to remind me to improve sshkey_load_public + better refuse ForwardX11Trusted=no connections attempted + after ForwardX11Timeout expires; reported by Jann Horn + + Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21 -commit e94e4b07ef2eaead38b085a60535df9981cdbcdb +commit 47aa7a0f8551b471fcae0447c1d78464f6dba869 Author: djm@openbsd.org -Date: Mon Feb 23 16:55:31 2015 +0000 +Date: Wed Jul 1 01:56:13 2015 +0000 upstream commit - silence a spurious error message when listing - fingerprints for known_hosts; bz#2342 + put back default PermitRootLogin=no + + Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728 -commit f2293a65392b54ac721f66bc0b44462e8d1d81f8 +commit 984b064fe2a23733733262f88d2e1b2a1a501662 Author: djm@openbsd.org -Date: Mon Feb 23 16:33:25 2015 +0000 +Date: Wed Jul 1 01:55:13 2015 +0000 upstream commit - fix setting/clearing of TTY raw mode around - UpdateHostKeys=ask confirmation question; reported by Herb Goldman + openssh-6.9 + + Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45 -commit f2004cd1adf34492eae0a44b1ef84e0e31b06088 -Author: Darren Tucker -Date: Mon Feb 23 05:04:21 2015 +1100 +commit d921082ed670f516652eeba50705e1e9f6325346 +Author: djm@openbsd.org +Date: Wed Jul 1 01:55:00 2015 +0000 - Repair for non-ECC OpenSSL. + upstream commit - Ifdef out the ECC parts when building with an OpenSSL that doesn't have - it. + reset default PermitRootLogin to 'yes' (momentarily, for + release) + + Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24 -commit 37f9220db8d1a52c75894c3de1e5f2ae5bd71b6f -Author: Darren Tucker -Date: Mon Feb 23 03:07:24 2015 +1100 +commit 66295e0e1ba860e527f191b6325d2d77dec4dbce +Author: Damien Miller +Date: Wed Jul 1 11:49:12 2015 +1000 - Wrap stdint.h includes in ifdefs. + crank version numbers for release -commit f81f1bbc5b892c8614ea740b1f92735652eb43f0 -Author: Tim Rice -Date: Sat Feb 21 18:12:10 2015 -0800 +commit 37035c07d4f26bb1fbe000d2acf78efdb008681d +Author: Damien Miller +Date: Wed Jul 1 10:49:37 2015 +1000 - out of tree build fix + s/--with-ssh1/--without-ssh1/ -commit 2e13a1e4d22f3b503c3bfc878562cc7386a1d1ae -Author: Tim Rice -Date: Sat Feb 21 18:08:51 2015 -0800 +commit 629df770dbadc2accfbe1c81b3f31f876d0acd84 +Author: djm@openbsd.org +Date: Tue Jun 30 05:25:07 2015 +0000 - mkdir kex unit test directory so testing out of tree builds works + upstream commit + + fatal() when a remote window update causes the window + value to overflow. Reported by Georg Wicherski, ok markus@ + + Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351 -commit 1797f49b1ba31e8700231cd6b1d512d80bb50d2c -Author: halex@openbsd.org -Date: Sat Feb 21 21:46:57 2015 +0000 +commit f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2 +Author: djm@openbsd.org +Date: Tue Jun 30 05:23:25 2015 +0000 upstream commit - make "ssh-add -d" properly remove a corresponding - certificate, and also not whine and fail if there is none + Fix math error in remote window calculations that causes + eventual stalls for datagram channels. Reported by Georg Wicherski, ok + markus@ - ok djm@ + Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab -commit 7faaa32da83a609059d95dbfcb0649fdb04caaf6 +commit 52fb6b9b034fcfd24bf88cc7be313e9c31de9889 Author: Damien Miller -Date: Sun Feb 22 07:57:27 2015 +1100 +Date: Tue Jun 30 16:05:40 2015 +1000 - mkdir hostkey and bitmap unit test directories + skip IPv6-related portions on hosts without IPv6 + + with Tim Rice -commit bd49da2ef197efac5e38f5399263a8b47990c538 +commit 512caddf590857af6aa12218461b5c0441028cf5 Author: djm@openbsd.org -Date: Fri Feb 20 23:46:01 2015 +0000 +Date: Mon Jun 29 22:35:12 2015 +0000 upstream commit - sort options useable under Match case-insensitively; prodded - jmc@ + add getpid to sandbox, reachable by grace_alarm_handler + + reported by Jakub Jelen; bz#2419 + + Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8 -commit 1a779a0dd6cd8b4a1a40ea33b5415ab8408128ac +commit 78c2a4f883ea9aba866358e2acd9793a7f42ca93 Author: djm@openbsd.org -Date: Sat Feb 21 20:51:02 2015 +0000 +Date: Fri Jun 26 05:13:20 2015 +0000 upstream commit - correct paths to configuration files being written/updated; - they live in $OBJ not cwd; some by Roumen Petrov - -commit 28ba006c1acddff992ae946d0bc0b500b531ba6b -Author: Darren Tucker -Date: Sat Feb 21 15:41:07 2015 +1100 - - More correct checking of HAVE_DECL_AI_NUMERICSERV. + Fix \-escaping bug that caused forward path parsing to skip + two characters and skip past the end of the string. + + Based on patch by Salvador Fandino; ok dtucker@ + + Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd -commit e50e8c97a9cecae1f28febccaa6ca5ab3bc10f54 -Author: Darren Tucker -Date: Sat Feb 21 15:10:33 2015 +1100 +commit bc20205c91c9920361d12b15d253d4997dba494a +Author: Damien Miller +Date: Thu Jun 25 09:51:39 2015 +1000 - Add null declaration of AI_NUMERICINFO. + add missing pselect6 - Some platforms (older FreeBSD and DragonFly versions) do have - getaddrinfo() but do not have AI_NUMERICINFO. so define it to zero - in those cases. + patch from Jakub Jelen -commit 18a208d6a460d707a45916db63a571e805f5db46 +commit 9d27fb73b4a4e5e99cb880af790d5b1ce44f720a Author: djm@openbsd.org -Date: Fri Feb 20 22:40:32 2015 +0000 +Date: Wed Jun 24 23:47:23 2015 +0000 upstream commit - more options that are available under Match; bz#2353 reported - by calestyo AT scientia.net + correct test to sshkey_sign(); spotted by Albert S. + + Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933 -commit 44732de06884238049f285f1455b2181baa7dc82 -Author: djm@openbsd.org -Date: Fri Feb 20 22:17:21 2015 +0000 +commit 7ed01a96a1911d8b4a9ef4f3d064e1923bfad7e3 +Author: dtucker@openbsd.org +Date: Wed Jun 24 01:49:19 2015 +0000 upstream commit - UpdateHostKeys fixes: - - I accidentally changed the format of the hostkeys@openssh.com messages - last week without changing the extension name, and this has been causing - connection failures for people who are running -current. First reported - by sthen@ - - s/hostkeys@openssh.com/hostkeys-00@openssh.com/ - Change the name of the proof message too, and reorder it a little. + Revert previous commit. We still want to call setgroups + in the case where there are zero groups to remove any that we might otherwise + inherit (as pointed out by grawity at gmail.com) and since the 2nd argument + to setgroups is always a static global it's always valid to dereference in + this case. ok deraadt@ djm@ - Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY - available to read the response) so disable UpdateHostKeys if it is in - ask mode and ControlPersist is active (and document this) + Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01 -commit 13a39414d25646f93e6d355521d832a03aaaffe2 -Author: djm@openbsd.org -Date: Tue Feb 17 00:14:05 2015 +0000 +commit 882f8bf94f79528caa65b0ba71c185d705bb7195 +Author: dtucker@openbsd.org +Date: Wed Jun 24 01:49:19 2015 +0000 upstream commit - Regression: I broke logging of public key fingerprints in - 1.46. Pointed out by Pontus Lundkvist - -commit 773dda25e828c4c9a52f7bdce6e1e5924157beab -Author: Damien Miller -Date: Fri Jan 30 23:10:17 2015 +1100 - - repair --without-openssl; broken in refactor - -commit e89c780886b23600de1e1c8d74aabd1ff61f43f0 -Author: Damien Miller -Date: Tue Feb 17 10:04:55 2015 +1100 - - hook up hostkeys unittest to portable Makefiles - -commit 0abf41f99aa16ff09b263bead242d6cb2dbbcf99 -Author: djm@openbsd.org -Date: Mon Feb 16 22:21:03 2015 +0000 - - upstream commit + Revert previous commit. We still want to call setgroups in + the case where there are zero groups to remove any that we might otherwise + inherit (as pointed out by grawity at gmail.com) and since the 2nd argument + to setgroups is always a static global it's always valid to dereference in + this case. ok deraadt@ djm@ - enable hostkeys unit tests + Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01 -commit 68a5d647ccf0fb6782b2f749433a1eee5bc9044b +commit 9488538a726951e82b3a4374f3c558d72c80a89b Author: djm@openbsd.org -Date: Mon Feb 16 22:20:50 2015 +0000 +Date: Mon Jun 22 23:42:16 2015 +0000 upstream commit - check string/memory compare arguments aren't NULL + Don't count successful partial authentication as failures + in monitor; this may have caused the monitor to refuse multiple + authentications that would otherwise have successfully completed; ok markus@ + + Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3 -commit ef575ef20d09f20722e26b45dab80b3620469687 -Author: djm@openbsd.org -Date: Mon Feb 16 22:18:34 2015 +0000 +commit 63b78d003bd8ca111a736e6cea6333da50f5f09b +Author: dtucker@openbsd.org +Date: Mon Jun 22 12:29:57 2015 +0000 upstream commit - unit tests for hostfile.c code, just hostkeys_foreach so - far + Don't call setgroups if we have zero groups; there's no + guarantee that it won't try to deref the pointer. Based on a patch from mail + at quitesimple.org, ok djm deraadt + + Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1 -commit 8ea3365e6aa2759ccf5c76eaea62cbc8a280b0e7 -Author: markus@openbsd.org -Date: Sat Feb 14 12:43:16 2015 +0000 +commit 5c15e22c691c79a47747bcf5490126656f97cecd +Author: Damien Miller +Date: Thu Jun 18 15:07:56 2015 +1000 - upstream commit - - test server rekey limit + fix syntax error -commit ce63c4b063c39b2b22d4ada449c9e3fbde788cb3 -Author: djm@openbsd.org -Date: Mon Feb 16 22:30:03 2015 +0000 +commit 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403 +Author: jsing@openbsd.org +Date: Mon Jun 15 18:44:22 2015 +0000 upstream commit - partial backout of: + If AuthorizedPrincipalsCommand is specified, however + AuthorizedPrincipalsFile is not (or is set to "none"), authentication will + potentially fail due to key_cert_check_authority() failing to locate a + principal that matches the username, even though an authorized principal has + already been matched in the output of the subprocess. Fix this by using the + same logic to determine if pw->pw_name should be passed, as is used to + determine if a authorized principal must be matched earlier on. - revision 1.441 - date: 2015/01/31 20:30:05; author: djm; state: Exp; lines: +17 -10; commitid - : x8klYPZMJSrVlt3O; - Let sshd load public host keys even when private keys are missing. - Allows sshd to advertise additional keys for future key rotation. - Also log fingerprint of hostkeys loaded; ok markus@ + ok djm@ - hostkey updates now require access to the private key, so we can't - load public keys only. The improved log messages (fingerprints of keys - loaded) are kept. + Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d -commit 523463a3a2a9bfc6cfc5afa01bae9147f76a37cc -Author: djm@openbsd.org -Date: Mon Feb 16 22:13:32 2015 +0000 +commit aff3e94c0d75d0d0fa84ea392b50ab04f8c57905 +Author: jsing@openbsd.org +Date: Mon Jun 15 18:42:19 2015 +0000 upstream commit - Revise hostkeys@openssh.com hostkey learning extension. + Make the arguments to match_principals_command() similar + to match_principals_file(), by changing the last argument a struct + sshkey_cert * and dereferencing key->cert in the caller. - The client will not ask the server to prove ownership of the private - halves of any hitherto-unseen hostkeys it offers to the client. + No functional change. - Allow UpdateHostKeys option to take an 'ask' argument to let the - user manually review keys offered. + ok djm@ - ok markus@ + Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c -commit 6c5c949782d86a6e7d58006599c7685bfcd01685 -Author: djm@openbsd.org -Date: Mon Feb 16 22:08:57 2015 +0000 +commit 97e2e1596c202a4693468378b16b2353fd2d6c5e +Author: Damien Miller +Date: Wed Jun 17 14:36:54 2015 +1000 - upstream commit + trivial optimisation for seccomp-bpf - Refactor hostkeys_foreach() and dependent code Deal with - IP addresses (i.e. CheckHostIP) Don't clobber known_hosts when nothing - changed ok markus@ as part of larger commit + When doing arg inspection and the syscall doesn't match, skip + past the instruction that reloads the syscall into the accumulator, + since the accumulator hasn't been modified at this point. -commit 51b082ccbe633dc970df1d1f4c9c0497115fe721 -Author: miod@openbsd.org -Date: Mon Feb 16 18:26:26 2015 +0000 +commit 99f33d7304893bd9fa04d227cb6e870171cded19 +Author: Damien Miller +Date: Wed Jun 17 10:50:51 2015 +1000 - upstream commit + aarch64 support for seccomp-bpf sandbox - Declare ge25519_base as extern, to prevent it from - becoming a common. Gets us rid of ``lignment 4 of symbol - `crypto_sign_ed25519_ref_ge25519_base' in mod_ge25519.o is smaller than 16 in - mod_ed25519.o'' warnings at link time. + Also resort and tidy syscall list. Based on patches by Jakub Jelen + bz#2361; ok dtucker@ -commit 02db468bf7e3281a8e3c058ced571b38b6407c34 -Author: markus@openbsd.org -Date: Fri Feb 13 18:57:00 2015 +0000 +commit 4ef702e1244633c1025ec7cfe044b9ab267097bf +Author: djm@openbsd.org +Date: Mon Jun 15 01:32:50 2015 +0000 upstream commit - make rekey_limit for sshd w/privsep work; ok djm@ - dtucker@ + return failure on RSA signature error; reported by Albert S + + Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa -commit 8ec67d505bd23c8bf9e17b7a364b563a07a58ec8 -Author: dtucker@openbsd.org -Date: Thu Feb 12 20:34:19 2015 +0000 +commit a170f22baf18af0b1acf2788b8b715605f41a1f9 +Author: Tim Rice +Date: Tue Jun 9 22:41:13 2015 -0700 - upstream commit - - Prevent sshd spamming syslog with - "ssh_dispatch_run_fatal: disconnected". ok markus@ + Fix t12 rules for out of tree builds. -commit d4c0295d1afc342057ba358237acad6be8af480b -Author: djm@openbsd.org -Date: Wed Feb 11 01:20:38 2015 +0000 +commit ec04dc4a5515c913121bc04ed261857e68fa5c18 +Author: millert@openbsd.org +Date: Fri Jun 5 15:13:13 2015 +0000 upstream commit - Some packet error messages show the address of the peer, - but might be generated after the socket to the peer has suffered a TCP reset. - In these cases, getpeername() won't work so cache the address earlier. + For "ssh -L 12345:/tmp/sock" don't fail with "No forward host + name." (we have a path, not a host name). Based on a diff from Jared + Yanovich. OK djm@ - spotted in the wild via deraadt@ and tedu@ + Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f -commit 4af1709cf774475ce5d1bc3ddcc165f6c222897d -Author: jsg@openbsd.org -Date: Mon Feb 9 23:22:37 2015 +0000 +commit 732d61f417a6aea0aa5308b59cb0f563bcd6edd6 +Author: djm@openbsd.org +Date: Fri Jun 5 03:44:14 2015 +0000 upstream commit - fix some leaks in error paths ok markus@ + typo: accidental repetition; bz#2386 + + Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b -commit fd36834871d06a03e1ff8d69e41992efa1bbf85f -Author: millert@openbsd.org -Date: Fri Feb 6 23:21:59 2015 +0000 +commit adfb24c69d1b6f5e758db200866c711e25a2ba73 +Author: Darren Tucker +Date: Fri Jun 5 14:51:40 2015 +1000 - upstream commit + Add Linux powerpc64le and powerpcle entries. - SIZE_MAX is standard, we should be using it in preference to - the obsolete SIZE_T_MAX. OK miod@ beck@ + Stopgap to resolve bz#2409 because we are so close to release and will + update config.guess and friends shortly after the release. ok djm@ -commit 1910a286d7771eab84c0b047f31c0a17505236fa -Author: millert@openbsd.org -Date: Thu Feb 5 12:59:57 2015 +0000 +commit a1195a0fdc9eddddb04d3e9e44c4775431cb77da +Merge: 6397eed d2480bc +Author: Tim Rice +Date: Wed Jun 3 21:43:13 2015 -0700 - upstream commit - - Include stdint.h, not limits.h to get SIZE_MAX. OK guenther@ + Merge branch 'master' of git.mindrot.org:/var/git/openssh -commit ce4f59b2405845584f45e0b3214760eb0008c06c -Author: deraadt@openbsd.org -Date: Tue Feb 3 08:07:20 2015 +0000 +commit 6397eedf953b2b973d2d7cbb504ab501a07f8ddc +Author: Tim Rice +Date: Wed Jun 3 21:41:11 2015 -0700 - upstream commit - - missing ; djm and mlarkin really having great - interactions recently + Remove unneeded backslashes. Patch from Ángel González -commit 5d34aa94938abb12b877a25be51862757f25d54b -Author: halex@openbsd.org -Date: Tue Feb 3 00:34:14 2015 +0000 +commit d2480bcac1caf31b03068de877a47d6e1027bf6d +Author: Darren Tucker +Date: Thu Jun 4 14:10:55 2015 +1000 - upstream commit - - slightly extend the passphrase prompt if running with -c - in order to give the user a chance to notice if unintentionally running - without it - - wording tweak and ok djm@ + Remove redundant include of stdarg.h. bz#2410 -commit cb3bde373e80902c7d5d0db429f85068d19b2918 +commit 5e67859a623826ccdf2df284cbb37e2d8e2787eb Author: djm@openbsd.org -Date: Mon Feb 2 22:48:53 2015 +0000 +Date: Tue Jun 2 09:10:40 2015 +0000 upstream commit - handle PKCS#11 C_Login returning - CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@ + mention CheckHostIP adding addresses to known_hosts; + bz#1993; ok dtucker@ + + Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7 -commit 15ad750e5ec3cc69765b7eba1ce90060e7083399 -Author: djm@openbsd.org -Date: Mon Feb 2 07:41:40 2015 +0000 +commit d7a58bbac6583e33fd5eca8e2c2cc70c57617818 +Author: Darren Tucker +Date: Tue Jun 2 20:15:26 2015 +1000 - upstream commit + Replace strcpy with strlcpy. - turn UpdateHostkeys off by default until I figure out - mlarkin@'s warning message; requested by deraadt@ + ok djm, sanity check by Corinna Vinschen. -commit 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9 -Author: deraadt@openbsd.org -Date: Mon Feb 2 01:57:44 2015 +0000 +commit 51a1c2115265c6e80ede8a5c9dccada9aeed7143 +Author: Damien Miller +Date: Fri May 29 18:27:21 2015 +1000 - upstream commit - - increasing encounters with difficult DNS setups in - darknets has convinced me UseDNS off by default is better ok djm + skip, rather than fatal when run without SUDO set -commit 6049a548a8a68ff0bbe581ab1748ea6a59ecdc38 -Author: djm@openbsd.org -Date: Sat Jan 31 20:30:05 2015 +0000 +commit 599f01142a376645b15cbc9349d7e8975e1cf245 +Author: Damien Miller +Date: Fri May 29 18:03:15 2015 +1000 - upstream commit - - Let sshd load public host keys even when private keys are - missing. Allows sshd to advertise additional keys for future key rotation. - Also log fingerprint of hostkeys loaded; ok markus@ + fix merge botch that left ",," in KEX algs -commit 46347ed5968f582661e8a70a45f448e0179ca0ab -Author: djm@openbsd.org -Date: Fri Jan 30 11:43:14 2015 +0000 +commit 0c2a81dfc21822f2423edd30751e5ec53467b347 +Author: Damien Miller +Date: Fri May 29 17:08:28 2015 +1000 - upstream commit - - Add a ssh_config HostbasedKeyType option to control which - host public key types are tried during hostbased authentication. - - This may be used to prevent too many keys being sent to the server, - and blowing past its MaxAuthTries limit. - - bz#2211 based on patch by Iain Morgan; ok markus@ + re-enable SSH protocol 1 at compile time -commit 802660cb70453fa4d230cb0233bc1bbdf8328de1 +commit db438f9285d64282d3ac9e8c0944f59f037c0151 Author: djm@openbsd.org -Date: Fri Jan 30 10:44:49 2015 +0000 +Date: Fri May 29 03:05:13 2015 +0000 upstream commit - set a timeout to prevent hangs when talking to busted - servers; ok markus@ + make this work without SUDO set; ok dtucker@ + + Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715 -commit 86936ec245a15c7abe71a0722610998b0a28b194 +commit 1d9a2e2849c9864fe75daabf433436341c968e14 Author: djm@openbsd.org -Date: Fri Jan 30 01:11:39 2015 +0000 +Date: Thu May 28 07:37:31 2015 +0000 upstream commit - regression test for 'wildcard CA' serial/key ID revocations + wrap all moduli-related code in #ifdef WITH_OPENSSL. + based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@ + + Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf -commit 4509b5d4a4fa645a022635bfa7e86d09b285001f -Author: djm@openbsd.org -Date: Fri Jan 30 01:13:33 2015 +0000 +commit 496aeb25bc2d6c434171292e4714771b594bd00e +Author: dtucker@openbsd.org +Date: Thu May 28 05:41:29 2015 +0000 upstream commit - avoid more fatal/exit in the packet.c paths that - ssh-keyscan uses; feedback and "looks good" markus@ + Increase the allowed length of the known host file name + in the log message to be consistent with other cases. Part of bz#1993, ok + deraadt. + + Upstream-ID: a9e97567be49f25daf286721450968251ff78397 -commit 669aee994348468af8b4b2ebd29b602cf2860b22 -Author: djm@openbsd.org -Date: Fri Jan 30 01:10:33 2015 +0000 +commit dd2cfeb586c646ff8d70eb93567b2e559ace5b14 +Author: dtucker@openbsd.org +Date: Thu May 28 05:09:45 2015 +0000 upstream commit - permit KRLs that revoke certificates by serial number or - key ID without scoping to a particular CA; ok markus@ + Fix typo (keywork->keyword) + + Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534 -commit 7a2c368477e26575d0866247d3313da4256cb2b5 +commit 9cc6842493fbf23025ccc1edab064869640d3bec Author: djm@openbsd.org -Date: Fri Jan 30 00:59:19 2015 +0000 +Date: Thu May 28 04:50:53 2015 +0000 upstream commit - missing parentheses after if in do_convert_from() broke - private key conversion from other formats some time in 2010; bz#2345 reported - by jjelen AT redhat.com + add error message on ftruncate failure; bz#2176 + + Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf -commit 25f5f78d8bf5c22d9cea8b49de24ebeee648a355 +commit d1958793a0072c22be26d136dbda5ae263e717a0 Author: djm@openbsd.org -Date: Fri Jan 30 00:22:25 2015 +0000 +Date: Thu May 28 04:40:13 2015 +0000 upstream commit - fix ssh protocol 1, spotted by miod@ + make ssh-keygen default to ed25519 keys when compiled + without OpenSSL; bz#2388, ok dtucker@ + + Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71 -commit 9ce86c926dfa6e0635161b035e3944e611cbccf0 -Author: djm@openbsd.org -Date: Wed Jan 28 22:36:00 2015 +0000 +commit 3ecde664c9fc5fb3667aedf9e6671462600f6496 +Author: dtucker@openbsd.org +Date: Wed May 27 23:51:10 2015 +0000 upstream commit - update to new API (key_fingerprint => sshkey_fingerprint) - check sshkey_fingerprint return values; ok markus + Reorder client proposal to prefer + diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@ + + Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058 -commit 9125525c37bf73ad3ee4025520889d2ce9d10f29 -Author: djm@openbsd.org -Date: Wed Jan 28 22:05:31 2015 +0000 +commit 40f64292b907afd0a674fdbf3e4c2356d17a7d68 +Author: dtucker@openbsd.org +Date: Wed May 27 23:39:18 2015 +0000 upstream commit - avoid fatal() calls in packet code makes ssh-keyscan more - reliable against server failures ok dtucker@ markus@ + Add a stronger (4k bit) fallback group that sshd can use + when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok + markus@ (earlier version), djm@ + + Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4 -commit fae7bbe544cba7a9e5e4ab47ff6faa3d978646eb -Author: djm@openbsd.org -Date: Wed Jan 28 21:15:47 2015 +0000 +commit 5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a +Author: Darren Tucker +Date: Thu May 28 10:03:40 2015 +1000 - upstream commit + New moduli file from OpenBSD, removing 1k groups. - avoid fatal() calls in packet code makes ssh-keyscan more - reliable against server failures ok dtucker@ markus@ + Remove 1k bit groups. ok deraadt@, markus@ -commit 1a3d14f6b44a494037c7deab485abe6496bf2c60 +commit a71ba58adf34e599f30cdda6e9b93ae6e3937eea Author: djm@openbsd.org -Date: Wed Jan 28 11:07:25 2015 +0000 +Date: Wed May 27 05:15:02 2015 +0000 upstream commit - remove obsolete comment + support PKCS#11 devices with external PIN entry devices + bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@ + + Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d -commit 80c25b7bc0a71d75c43a4575d9a1336f589eb639 -Author: okan@openbsd.org -Date: Tue Jan 27 12:54:06 2015 +0000 +commit b282fec1aa05246ed3482270eb70fc3ec5f39a00 +Author: dtucker@openbsd.org +Date: Tue May 26 23:23:40 2015 +0000 upstream commit - Since r1.2 removed the use of PRI* macros, inttypes.h is - no longer required. - - ok djm@ - -commit 69ff64f69615c2a21c97cb5878a0996c21423257 -Author: Damien Miller -Date: Tue Jan 27 23:07:43 2015 +1100 - - compile on systems without TCP_MD5SIG (e.g. OSX) - -commit 358964f3082fb90b2ae15bcab07b6105cfad5a43 -Author: Damien Miller -Date: Tue Jan 27 23:07:25 2015 +1100 - - use ssh-keygen under test rather than system's - -commit a2c95c1bf33ea53038324d1fdd774bc953f98236 -Author: Damien Miller -Date: Tue Jan 27 23:06:59 2015 +1100 - - OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX - -commit ade31d7b6f608a19b85bee29a7a00b1e636a2919 -Author: Damien Miller -Date: Tue Jan 27 23:06:23 2015 +1100 - - these need active_state defined to link on OSX + Cap DH-GEX group size at 4kbits for Cisco implementations. + Some of them will choke when asked for preferred sizes >4k instead of + returning the 4k group that they do have. bz#2209, ok djm@ - temporary measure until active_state goes away entirely + Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d -commit e56aa87502f22c5844918c10190e8b4f785f067b +commit 3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e Author: djm@openbsd.org -Date: Tue Jan 27 12:01:36 2015 +0000 +Date: Sun May 24 23:39:16 2015 +0000 upstream commit - use printf instead of echo -n to reduce diff against - -portable + add missing 'c' option to getopt(), case statement was + already there; from Felix Bolte + + Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081 -commit 9f7637f56eddfaf62ce3c0af89c25480f2cf1068 -Author: jmc@openbsd.org -Date: Mon Jan 26 13:55:29 2015 +0000 +commit 64a89ec07660abba4d0da7c0095b7371c98bab62 +Author: jsg@openbsd.org +Date: Sat May 23 14:28:37 2015 +0000 upstream commit - sort previous; + fix a memory leak in an error path ok markus@ dtucker@ + + Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598 -commit 3076ee7d530d5b16842fac7a6229706c7e5acd26 +commit f948737449257d2cb83ffcfe7275eb79b677fd4a Author: djm@openbsd.org -Date: Mon Jan 26 13:36:53 2015 +0000 +Date: Fri May 22 05:28:45 2015 +0000 upstream commit - properly restore umask + mention ssh-keygen -E for comparing legacy MD5 + fingerprints; bz#2332 + + Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859 -commit d411d395556b73ba1b9e451516a0bd6697c4b03d +commit 0882332616e4f0272c31cc47bf2018f9cb258a4e Author: djm@openbsd.org -Date: Mon Jan 26 06:12:18 2015 +0000 +Date: Fri May 22 04:45:52 2015 +0000 upstream commit - regression test for host key rotation + Reorder EscapeChar option parsing to avoid a single-byte + out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@ + + Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060 -commit fe8a3a51699afbc6407a8fae59b73349d01e49f8 +commit d7c31da4d42c115843edee2074d7d501f8804420 Author: djm@openbsd.org -Date: Mon Jan 26 06:11:28 2015 +0000 +Date: Fri May 22 03:50:02 2015 +0000 upstream commit - adapt to sshkey API tweaks + add knob to relax GSSAPI host credential check for + multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker + (kerberos/GSSAPI is not compiled by default on OpenBSD) + + Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d -commit 7dd355fb1f0038a3d5cdca57ebab4356c7a5b434 -Author: miod@openbsd.org -Date: Sat Jan 24 10:39:21 2015 +0000 +commit aa72196a00be6e0b666215edcffbc10af234cb0e +Author: Darren Tucker +Date: Fri May 22 17:49:46 2015 +1000 - upstream commit + Include signal.h for sig_atomic_t, used by kex.h. - Move -lz late in the linker commandline for things to - build on static arches. + bz#2402, from tomas.kuthan at oracle com. -commit 0dad3b806fddb93c475b30853b9be1a25d673a33 -Author: miod@openbsd.org -Date: Fri Jan 23 21:21:23 2015 +0000 +commit 8b02481143d75e91c49d1bfae0876ac1fbf9511a +Author: Darren Tucker +Date: Fri May 22 12:47:24 2015 +1000 - upstream commit - - -Wpointer-sign is supported by gcc 4 only. + Import updated moduli file from OpenBSD. -commit 2b3b1c1e4bd9577b6e780c255c278542ea66c098 +commit 4739e8d5e1c0be49624082bd9f6b077e9e758db9 Author: djm@openbsd.org -Date: Tue Jan 20 22:58:57 2015 +0000 +Date: Thu May 21 12:01:19 2015 +0000 upstream commit - use SUBDIR to recuse into unit tests; makes "make obj" - actually work + Support "ssh-keygen -lF hostname" to find search known_hosts + and print key hashes. Already advertised by ssh-keygen(1), but not delivered + by code; ok dtucker@ + + Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387 -commit 1d1092bff8db27080155541212b420703f8b9c92 +commit e97201feca10b5196da35819ae516d0b87cf3a50 +Author: Damien Miller +Date: Thu May 21 17:55:15 2015 +1000 + + conditionalise util.h inclusion + +commit 13640798c7dd011ece0a7d02841fe48e94cfa0e0 Author: djm@openbsd.org -Date: Mon Jan 26 12:16:36 2015 +0000 +Date: Thu May 21 06:44:25 2015 +0000 upstream commit - correct description of UpdateHostKeys in ssh_config.5 and - add it to -o lists for ssh, scp and sftp; pointed out by jmc@ + regress test for AuthorizedPrincipalsCommand + + Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219 -commit 5104db7cbd6cdd9c5971f4358e74414862fc1022 +commit 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1 Author: djm@openbsd.org -Date: Mon Jan 26 06:10:03 2015 +0000 +Date: Thu May 21 06:40:02 2015 +0000 upstream commit - correctly match ECDSA subtype (== curve) for - offered/recevied host keys. Fixes connection-killing host key mismatches when - a server offers multiple ECDSA keys with different curve type (an extremely - unlikely configuration). + regress test for AuthorizedKeysCommand arguments - ok markus, "looks mechanical" deraadt@ + Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12 -commit 8d4f87258f31cb6def9b3b55b6a7321d84728ff2 +commit bcc50d816187fa9a03907ac1f3a52f04a52e10d1 Author: djm@openbsd.org -Date: Mon Jan 26 03:04:45 2015 +0000 +Date: Thu May 21 06:43:30 2015 +0000 upstream commit - Host key rotation support. - - Add a hostkeys@openssh.com protocol extension (global request) for - a server to inform a client of all its available host key after - authentication has completed. The client may record the keys in - known_hosts, allowing it to upgrade to better host key algorithms - and a server to gracefully rotate its keys. + add AuthorizedPrincipalsCommand that allows getting + authorized_principals from a subprocess rather than a file, which is quite + useful in deployments with large userbases - The client side of this is controlled by a UpdateHostkeys config - option (default on). + feedback and ok markus@ - ok markus@ + Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6 -commit 60b1825262b1f1e24fc72050b907189c92daf18e +commit 24232a3e5ab467678a86aa67968bbb915caffed4 Author: djm@openbsd.org -Date: Mon Jan 26 02:59:11 2015 +0000 +Date: Thu May 21 06:38:35 2015 +0000 upstream commit - small refactor and add some convenience functions; ok - markus + support arguments to AuthorizedKeysCommand + + bz#2081 loosely based on patch by Sami Hartikainen + feedback and ok markus@ + + Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7 -commit a5a3e3328ddce91e76f71ff479022d53e35c60c9 -Author: jmc@openbsd.org -Date: Thu Jan 22 21:00:42 2015 +0000 +commit d80fbe41a57c72420c87a628444da16d09d66ca7 +Author: djm@openbsd.org +Date: Thu May 21 04:55:51 2015 +0000 upstream commit - heirarchy -> hierarchy; + refactor: split base64 encoding of pubkey into its own + sshkey_to_base64() function and out of sshkey_write(); ok markus@ + + Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a -commit dcff5810a11195c57e1b3343c0d6b6f2b9974c11 +commit 7cc44ef74133a473734bbcbd3484f24d6a7328c5 Author: deraadt@openbsd.org -Date: Thu Jan 22 20:24:41 2015 +0000 +Date: Mon May 18 15:06:05 2015 +0000 upstream commit - Provide a warning about chroot misuses (which sadly, seem - to have become quite popular because shiny). sshd cannot detect/manage/do - anything about these cases, best we can do is warn in the right spot in the - man page. ok markus + getentropy() and sendsyslog() have been around long + enough. openssh-portable may want the #ifdef's but not base. discussed with + djm few weeks back + + Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926 -commit 087266ec33c76fc8d54ac5a19efacf2f4a4ca076 -Author: deraadt@openbsd.org -Date: Tue Jan 20 23:14:00 2015 +0000 +commit 9173d0fbe44de7ebcad8a15618e13a8b8d78902e +Author: dtucker@openbsd.org +Date: Fri May 15 05:44:21 2015 +0000 upstream commit - Reduce use of and transition to - throughout. ok djm markus + Use a salted hash of the lock passphrase instead of plain + text and do constant-time comparisons of it. Should prevent leaking any + information about it via timing, pointed out by Ryan Castellucci. Add a 0.1s + incrementing delay for each failed unlock attempt up to 10s. ok markus@ + (earlier version), djm@ + + Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f -commit 57e783c8ba2c0797f93977e83b2a8644a03065d8 -Author: markus@openbsd.org -Date: Tue Jan 20 20:16:21 2015 +0000 +commit d028d5d3a697c71b21e4066d8672cacab3caa0a8 +Author: Damien Miller +Date: Tue May 5 19:10:58 2015 +1000 upstream commit - kex_setup errors are fatal() + - tedu@cvs.openbsd.org 2015/01/12 03:20:04 + [bcrypt_pbkdf.c] + rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks, + nor are they the same size. -commit 1d6424a6ff94633c221297ae8f42d54e12a20912 -Author: djm@openbsd.org -Date: Tue Jan 20 08:02:33 2015 +0000 +commit f6391d4e59b058984163ab28f4e317e7a72478f1 +Author: Damien Miller +Date: Tue May 5 19:10:23 2015 +1000 upstream commit - this test would accidentally delete agent.sh if run without - obj/ + - deraadt@cvs.openbsd.org 2015/01/08 00:30:07 + [bcrypt_pbkdf.c] + declare a local version of MIN(), call it MINIMUM() -commit 12b5f50777203e12575f1b08568281e447249ed3 -Author: djm@openbsd.org -Date: Tue Jan 20 07:56:44 2015 +0000 +commit 8ac6b13cc9113eb47cd9e86c97d7b26b4b71b77f +Author: Damien Miller +Date: Tue May 5 19:09:46 2015 +1000 upstream commit - make this compile with KERBEROS5 enabled + - djm@cvs.openbsd.org 2014/12/30 01:41:43 + [bcrypt_pbkdf.c] + typo in comment: ouput => output -commit e2cc6bef08941256817d44d146115b3478586ad4 +commit 1f792489d5cf86a4f4e3003e6e9177654033f0f2 Author: djm@openbsd.org -Date: Tue Jan 20 07:55:33 2015 +0000 +Date: Mon May 4 06:10:48 2015 +0000 upstream commit - fix hostkeys in agent; ok markus@ - -commit 1ca3e2155aa5d3801a7ae050f85c71f41fcb95b1 -Author: Damien Miller -Date: Tue Jan 20 10:11:31 2015 +1100 - - fix kex test - -commit c78a578107c7e6dcf5d30a2f34cb6581bef14029 -Author: markus@openbsd.org -Date: Mon Jan 19 20:45:25 2015 +0000 - - upstream commit + Remove pattern length argument from match_pattern_list(), we + only ever use it for strlen(pattern). - finally enable the KEX tests I wrote some years ago... + Prompted by hanno AT hboeck.de pointing an out-of-bound read + error caused by an incorrect pattern length found using AFL + and his own tools. + + ok markus@ -commit 31821d7217e686667d04935aeec99e1fc4a46e7e -Author: markus@openbsd.org -Date: Mon Jan 19 20:42:31 2015 +0000 +commit 639d6bc57b1942393ed12fb48f00bc05d4e093e4 +Author: djm@openbsd.org +Date: Fri May 1 07:10:01 2015 +0000 upstream commit - adapt to new error message (SSH_ERR_MAC_INVALID) + refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() + to better report error conditions. Teach sshpkt_fatal() about ECONNRESET. + + Improves error messages on TCP connection resets. bz#2257 + + ok dtucker@ -commit d3716ca19e510e95d956ae14d5b367e364bff7f1 +commit 9559d7de34c572d4d3fd990ca211f8ec99f62c4d Author: djm@openbsd.org -Date: Mon Jan 19 17:31:13 2015 +0000 +Date: Fri May 1 07:08:08 2015 +0000 upstream commit - this test was broken in at least two ways, such that it - wasn't checking that a KRL was not excluding valid keys + a couple of parse targets were missing activep checks, + causing them to be misapplied in match context; bz#2272 diagnosis and + original patch from Sami Hartikainen ok dtucker@ -commit 3f797653748e7c2b037dacb57574c01d9ef3b4d3 -Author: markus@openbsd.org -Date: Mon Jan 19 20:32:39 2015 +0000 +commit 7e8528cad04b2775c3b7db08abf8fb42e47e6b2a +Author: djm@openbsd.org +Date: Fri May 1 04:17:51 2015 +0000 upstream commit - switch ssh-keyscan from setjmp to multiple ssh transport - layer instances ok djm@ + make handling of AuthorizedPrincipalsFile=none more + consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@ -commit f582f0e917bb0017b00944783cd5f408bf4b0b5e -Author: markus@openbsd.org -Date: Mon Jan 19 20:30:23 2015 +0000 +commit ca430d4d9cc0f62eca3b1fb1e2928395b7ce80f7 +Author: djm@openbsd.org +Date: Fri May 1 04:03:20 2015 +0000 upstream commit - add experimental api for packet layer; ok djm@ + remove failed remote forwards established by muliplexing + from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok + dtucker@ -commit 48b3b2ba75181f11fca7f327058a591f4426cade -Author: markus@openbsd.org -Date: Mon Jan 19 20:20:20 2015 +0000 +commit 8312cfb8ad88657517b3e23ac8c56c8e38eb9792 +Author: djm@openbsd.org +Date: Fri May 1 04:01:58 2015 +0000 upstream commit - store compat flags in struct ssh; ok djm@ + reduce stderr spam when using ssh -S /path/mux -O forward + -R 0:... ok dtucker@ -commit 57d10cbe861a235dd269c74fb2fe248469ecee9d -Author: markus@openbsd.org -Date: Mon Jan 19 20:16:15 2015 +0000 +commit 179be0f5e62f1f492462571944e45a3da660d82b +Author: djm@openbsd.org +Date: Fri May 1 03:23:51 2015 +0000 upstream commit - adapt kex to sshbuf and struct ssh; ok djm@ + prevent authorized_keys options picked up on public key + tests without a corresponding private key authentication being applied to + other authentication methods. Reported by halex@, ok markus@ -commit 3fdc88a0def4f86aa88a5846ac079dc964c0546a -Author: markus@openbsd.org -Date: Mon Jan 19 20:07:45 2015 +0000 +commit a42d67be65b719a430b7fcaba2a4e4118382723a +Author: djm@openbsd.org +Date: Fri May 1 03:20:54 2015 +0000 upstream commit - move dispatch to struct ssh; ok djm@ + Don't make parsing of authorized_keys' environment= + option conditional on PermitUserEnv - always parse it, but only use the + result if the option is enabled. This prevents the syntax of authorized_keys + changing depending on which sshd_config options were enabled. + + bz#2329; based on patch from coladict AT gmail.com, ok dtucker@ -commit 091c302829210c41e7f57c3f094c7b9c054306f0 -Author: markus@openbsd.org -Date: Mon Jan 19 19:52:16 2015 +0000 +commit e661a86353e11592c7ed6a847e19a83609f49e77 +Author: djm@openbsd.org +Date: Mon May 4 06:10:48 2015 +0000 upstream commit - update packet.c & isolate, introduce struct ssh a) switch - packet.c to buffer api and isolate per-connection info into struct ssh b) - (de)serialization of the state is moved from monitor to packet.c c) the old - packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and - integrated into packet.c with and ok djm@ + Remove pattern length argument from match_pattern_list(), we + only ever use it for strlen(pattern). + + Prompted by hanno AT hboeck.de pointing an out-of-bound read + error caused by an incorrect pattern length found using AFL + and his own tools. + + ok markus@ -commit 4e62cc68ce4ba20245d208b252e74e91d3785b74 -Author: djm@openbsd.org -Date: Mon Jan 19 17:35:48 2015 +0000 +commit 0ef1de742be2ee4b10381193fe90730925b7f027 +Author: dtucker@openbsd.org +Date: Thu Apr 23 05:01:19 2015 +0000 upstream commit - fix format strings in (disabled) debugging + Add a simple regression test for sshd's configuration + parser. Right now, all it does is run the output of sshd -T back through + itself and ensure the output is valid and invariant. -commit d85e06245907d49a2cd0cfa0abf59150ad616f42 +commit 368f83c793275faa2c52f60eaa9bdac155c4254b Author: djm@openbsd.org -Date: Mon Jan 19 06:01:32 2015 +0000 +Date: Wed Apr 22 01:38:36 2015 +0000 upstream commit - be a bit more careful in these tests to ensure that - known_hosts is clean + use correct key for nested certificate test -commit 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf +commit 8d4d1bfddbbd7d21f545dc6997081d1ea1fbc99a Author: djm@openbsd.org -Date: Sun Jan 18 22:00:18 2015 +0000 +Date: Fri May 1 07:11:47 2015 +0000 upstream commit - regression test for known_host file editing using - ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok - markus@ + mention that the user's shell from /etc/passwd is used + for commands too; bz#1459 ok dtucker@ -commit 3a2b09d147a565d8a47edf37491e149a02c0d3a3 +commit 5ab283d0016bbc9d4d71e8e5284d011bc5a930cf Author: djm@openbsd.org -Date: Sun Jan 18 19:54:46 2015 +0000 +Date: Fri May 8 07:29:00 2015 +0000 upstream commit - more and better key tests - - test signatures and verification - test certificate generation - flesh out nested cert test + whitespace - removes most of the XXX todo markers + Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519 -commit 589e69fd82724cfc9738f128e4771da2e6405d0d +commit 8377d5008ad260048192e1e56ad7d15a56d103dd Author: djm@openbsd.org -Date: Sun Jan 18 19:53:58 2015 +0000 +Date: Fri May 8 07:26:13 2015 +0000 upstream commit - make the signature fuzzing test much more rigorous: - ensure that the fuzzed input cases do not match the original (using new - fuzz_matches_original() function) and check that the verification fails in - each case + whitespace at EOL + + Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554 -commit 80603c0daa2538c349c1c152405580b164d5475f +commit c28a3436fa8737709ea88e4437f8f23a6ab50359 Author: djm@openbsd.org -Date: Sun Jan 18 19:52:44 2015 +0000 +Date: Fri May 8 06:45:13 2015 +0000 upstream commit - add a fuzz_matches_original() function to the fuzzer to - detect fuzz cases that are identical to the original data. Hacky - implementation, but very useful when you need the fuzz to be different, e.g. - when verifying signature + moar whitespace at eol + + Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515 -commit 87d5495bd337e358ad69c524fcb9495208c0750b +commit 2b64c490468fd4ca35ac8d5cc31c0520dc1508bb Author: djm@openbsd.org -Date: Sun Jan 18 19:50:55 2015 +0000 +Date: Fri May 8 06:41:56 2015 +0000 upstream commit - better dumps from the fuzzer (shown on errors) - - include the original data as well as the fuzzed copy. + whitespace at EOL + + Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c -commit d59ec478c453a3fff05badbbfd96aa856364f2c2 +commit 4e636cf201ce6e7e3b9088568218f9d4e2c51712 Author: djm@openbsd.org -Date: Sun Jan 18 19:47:55 2015 +0000 +Date: Fri May 8 03:56:51 2015 +0000 upstream commit - enable hostkey-agent.sh test + whitespace at EOL -commit 26b3425170bf840e4b095e1c10bf25a0a3e3a105 -Author: djm@openbsd.org -Date: Sat Jan 17 18:54:30 2015 +0000 +commit 38b8272f823dc1dd4e29dbcee83943ed48bb12fa +Author: dtucker@openbsd.org +Date: Mon May 4 01:47:53 2015 +0000 upstream commit - unit test for hostkeys in ssh-agent + Use diff w/out -u for better portability -commit 9e06a0fb23ec55d9223b26a45bb63c7649e2f2f2 -Author: markus@openbsd.org -Date: Thu Jan 15 23:41:29 2015 +0000 +commit 297060f42d5189a4065ea1b6f0afdf6371fb0507 +Author: dtucker@openbsd.org +Date: Fri May 8 03:25:07 2015 +0000 upstream commit - add kex unit tests + Use xcalloc for permitted_adm_opens instead of xmalloc to + ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok + djm@ -commit d2099dec6da21ae627f6289aedae6bc1d41a22ce -Author: deraadt@openbsd.org -Date: Mon Jan 19 00:32:54 2015 +0000 +commit 63ebf019be863b2d90492a85e248cf55a6e87403 +Author: djm@openbsd.org +Date: Fri May 8 03:17:49 2015 +0000 upstream commit - djm, your /usr/include tree is old + don't choke on new-format private keys encrypted with an + AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@ -commit 2b3c3c76c30dc5076fe09d590f5b26880f148a54 -Author: djm@openbsd.org -Date: Sun Jan 18 21:51:19 2015 +0000 +commit f8484dac678ab3098ae522a5f03bb2530f822987 +Author: dtucker@openbsd.org +Date: Wed May 6 05:45:17 2015 +0000 upstream commit - some feedback from markus@: comment hostkeys_foreach() - context and avoid a member in it. + Clarify pseudo-terminal request behaviour and use + "pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@. -commit cecb30bc2ba6d594366e657d664d5c494b6c8a7f -Author: djm@openbsd.org -Date: Sun Jan 18 21:49:42 2015 +0000 +commit ea139507bef8bad26e86ed99a42c7233ad115c38 +Author: dtucker@openbsd.org +Date: Wed May 6 04:07:18 2015 +0000 upstream commit - make ssh-keygen use hostkeys_foreach(). Removes some - horrendous code; ok markus@ + Blacklist DH-GEX for specific PuTTY versions known to + send non-RFC4419 DH-GEX messages rather than all versions of PuTTY. + According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX + messages. ok djm@ -commit ec3d065df3a9557ea96b02d061fd821a18c1a0b9 -Author: djm@openbsd.org -Date: Sun Jan 18 21:48:09 2015 +0000 +commit b58234f00ee3872eb84f6e9e572a9a34e902e36e +Author: dtucker@openbsd.org +Date: Tue May 5 10:17:49 2015 +0000 upstream commit - convert load_hostkeys() (hostkey ordering and - known_host matching) to use the new hostkey_foreach() iterator; ok markus + WinSCP doesn't implement RFC4419 DH-GEX so flag it so we + don't offer that KEX method. ok markus@ -commit c29811cc480a260e42fd88849fc86a80c1e91038 -Author: djm@openbsd.org -Date: Sun Jan 18 21:40:23 2015 +0000 +commit d5b1507a207253b39e810e91e68f9598691b7a29 +Author: jsg@openbsd.org +Date: Tue May 5 02:48:17 2015 +0000 upstream commit - introduce hostkeys_foreach() to allow iteration over a - known_hosts file or controlled subset thereof. This will allow us to pull out - some ugly and duplicated code, and will be used to implement hostkey rotation - later. + use the sizeof the struct not the sizeof a pointer to the + struct in ssh_digest_start() - feedback and ok markus + This file is only used if ssh is built with OPENSSL=no + + ok markus@ -commit f101d8291da01bbbfd6fb8c569cfd0cc61c0d346 -Author: deraadt@openbsd.org -Date: Sun Jan 18 14:01:00 2015 +0000 +commit a647b9b8e616c231594b2710c925d31b1b8afea3 +Author: Darren Tucker +Date: Fri May 8 11:07:27 2015 +1000 - upstream commit + Put brackets around mblen() compat constant. - string truncation due to sizeof(size) ok djm markus + This might help with the reported problem cross compiling for Android + ("error: expected identifier or '(' before numeric constant") but + shouldn't hurt in any case. -commit 35d6022b55b7969fc10c261cb6aa78cc4a5fcc41 -Author: djm@openbsd.org -Date: Sun Jan 18 13:33:34 2015 +0000 +commit d1680d36e17244d9af3843aeb5025cb8e40d6c07 +Author: Darren Tucker +Date: Thu Apr 30 09:18:11 2015 +1000 + + xrealloc -> xreallocarray in portable code too. + +commit 531a57a3893f9fcd4aaaba8c312b612bbbcc021e +Author: dtucker@openbsd.org +Date: Wed Apr 29 03:48:56 2015 +0000 upstream commit - avoid trailing ',' in host key algorithms + Allow ListenAddress, Port and AddressFamily in any + order. bz#68, ok djm@, jmc@ (for the man page bit). -commit 7efb455789a0cb76bdcdee91c6060a3dc8f5c007 -Author: djm@openbsd.org -Date: Sun Jan 18 13:22:28 2015 +0000 +commit c1d5bcf1aaf1209af02f79e48ba1cbc76a87b56f +Author: jmc@openbsd.org +Date: Tue Apr 28 13:47:38 2015 +0000 upstream commit - infer key length correctly when user specified a fully- - qualified key name instead of using the -b bits option; ok markus@ + enviroment -> environment: apologies to darren for not + spotting that first time round... -commit 83f8ffa6a55ccd0ce9d8a205e3e7439ec18fedf5 -Author: djm@openbsd.org -Date: Sat Jan 17 18:53:34 2015 +0000 +commit 43beea053db191cac47c2cd8d3dc1930158aff1a +Author: dtucker@openbsd.org +Date: Tue Apr 28 10:25:15 2015 +0000 upstream commit - fix hostkeys on ssh agent; found by unit test I'm about - to commit + Fix typo in previous -commit 369d61f17657b814124268f99c033e4dc6e436c1 -Author: schwarze@openbsd.org -Date: Fri Jan 16 16:20:23 2015 +0000 +commit 85b96ef41374f3ddc9139581f87da09b2cd9199e +Author: dtucker@openbsd.org +Date: Tue Apr 28 10:17:58 2015 +0000 upstream commit - garbage collect empty .No macros mandoc warns about + Document that the TERM environment variable is not + subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from + jjelen at redhat, help and ok jmc@ -commit bb8b442d32dbdb8521d610e10d8b248d938bd747 +commit 88a7c598a94ff53f76df228eeaae238d2d467565 Author: djm@openbsd.org -Date: Fri Jan 16 15:55:07 2015 +0000 +Date: Mon Apr 27 21:42:48 2015 +0000 upstream commit - regression: incorrect error message on - otherwise-successful ssh-keygen -A. Reported by Dmitry Orlov, via deraadt@ + Make sshd default to PermitRootLogin=no; ok deraadt@ + rpe@ -commit 9010902954a40b59d0bf3df3ccbc3140a653e2bc +commit 734226b4480a6c736096c729fcf6f391400599c7 Author: djm@openbsd.org -Date: Fri Jan 16 07:19:48 2015 +0000 +Date: Mon Apr 27 01:52:30 2015 +0000 upstream commit - when hostname canonicalisation is enabled, try to parse - hostnames as addresses before looking them up for canonicalisation. fixes - bz#2074 and avoids needless DNS lookups in some cases; ok markus + fix compilation with OPENSSL=no; ok dtucker@ -commit 2ae4f337b2a5fb2841b6b0053b49496fef844d1c -Author: deraadt@openbsd.org -Date: Fri Jan 16 06:40:12 2015 +0000 +commit a4b9d2ce1eb7703eaf0809b0c8a82ded8aa4f1c6 +Author: dtucker@openbsd.org +Date: Mon Apr 27 00:37:53 2015 +0000 upstream commit - Replace with and other less - dirty headers where possible. Annotate lines with their - current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, - LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of - MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. - These are the files confirmed through binary verification. ok guenther, - millert, doug (helped with the verification protocol) + Include stdio.h for FILE (used in sshkey.h) so it + compiles with OPENSSL=no. -commit 3c4726f4c24118e8f1bb80bf75f1456c76df072c -Author: markus@openbsd.org -Date: Thu Jan 15 21:38:50 2015 +0000 +commit dbcc652f4ca11fe04e5930c7ef18a219318c6cda +Author: djm@openbsd.org +Date: Mon Apr 27 00:21:21 2015 +0000 upstream commit - remove xmalloc, switch to sshbuf + allow "sshd -f none" to skip reading the config file, + much like "ssh -F none" does. ok dtucker -commit e17ac01f8b763e4b83976b9e521e90a280acc097 -Author: markus@openbsd.org -Date: Thu Jan 15 21:37:14 2015 +0000 +commit b7ca276fca316c952f0b90f5adb1448c8481eedc +Author: jmc@openbsd.org +Date: Fri Apr 24 06:26:49 2015 +0000 upstream commit - switch to sshbuf + combine -Dd onto one line and update usage(); -commit ddef9995a1fa6c7a8ff3b38bfe6cf724bebf13d0 -Author: naddy@openbsd.org -Date: Thu Jan 15 18:32:54 2015 +0000 +commit 2ea974630d7017e4c7666d14d9dc939707613e96 +Author: djm@openbsd.org +Date: Fri Apr 24 05:26:44 2015 +0000 upstream commit - handle UMAC128 initialization like UMAC; ok djm@ markus@ + add ssh-agent -D to leave ssh-agent in foreground + without enabling debug mode; bz#2381 ok dtucker@ -commit f14564c1f7792446bca143580aef0e7ac25dcdae -Author: djm@openbsd.org -Date: Thu Jan 15 11:04:36 2015 +0000 +commit 8ac2ffd7aa06042f6b924c87139f2fea5c5682f7 +Author: deraadt@openbsd.org +Date: Fri Apr 24 01:36:24 2015 +0000 upstream commit - fix regression reported by brad@ for passworded keys without - agent present - -commit 45c0fd70bb2a88061319dfff20cb12ef7b1bc47e -Author: Damien Miller -Date: Thu Jan 15 22:08:23 2015 +1100 - - make bitmap test compile + 2*len -> use xreallocarray() ok djm -commit d333f89abf7179021e5c3f28673f469abe032062 -Author: djm@openbsd.org -Date: Thu Jan 15 07:36:28 2015 +0000 +commit 657a5fbc0d0aff309079ff8fb386f17e964963c2 +Author: deraadt@openbsd.org +Date: Fri Apr 24 01:36:00 2015 +0000 upstream commit - unit tests for KRL bitmap + rename xrealloc() to xreallocarray() since it follows + that form. ok djm -commit 7613f828f49c55ff356007ae9645038ab6682556 -Author: markus@openbsd.org -Date: Wed Jan 14 09:58:21 2015 +0000 +commit 1108ae242fdd2c304307b68ddf46aebe43ebffaa +Author: dtucker@openbsd.org +Date: Thu Apr 23 04:59:10 2015 +0000 upstream commit - re-add comment about full path + Two small fixes for sshd -T: ListenAddress'es are added + to a list head so reverse the order when printing them to ensure the + behaviour remains the same, and print StreamLocalBindMask as octal with + leading zero. ok deraadt@ -commit 6c43b48b307c41cd656b415621a644074579a578 -Author: markus@openbsd.org -Date: Wed Jan 14 09:54:38 2015 +0000 +commit bd902b8473e1168f19378d5d0ae68d0c203525df +Author: dtucker@openbsd.org +Date: Thu Apr 23 04:53:53 2015 +0000 upstream commit - don't reset to the installed sshd; connect before - reconfigure, too + Check for and reject missing arguments for + VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com, + ok djm@ -commit 771bb47a1df8b69061f09462e78aa0b66cd594bf +commit ca42c1758575e592239de1d5755140e054b91a0d Author: djm@openbsd.org -Date: Tue Jan 13 14:51:51 2015 +0000 +Date: Wed Apr 22 01:24:01 2015 +0000 upstream commit - implement a SIGINFO handler so we can discern a stuck - fuzz test from a merely glacial one; prompted by and ok markus + unknown certificate extensions are non-fatal, so don't + fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok + dtucker@ -commit cfaa57962f8536f3cf0fd7daf4d6a55d6f6de45f -Author: djm@openbsd.org -Date: Tue Jan 13 08:23:26 2015 +0000 +commit 39bfbf7caad231cc4bda6909fb1af0705bca04d8 +Author: jsg@openbsd.org +Date: Tue Apr 21 07:01:00 2015 +0000 upstream commit - use $SSH instead of installed ssh to allow override; - spotted by markus@ + Add back a backslash removed in rev 1.42 so + KEX_SERVER_ENCRYPT will include aes again. + + ok deraadt@ -commit 0920553d0aee117a596b03ed5b49b280d34a32c5 +commit 6b0d576bb87eca3efd2b309fcfe4edfefc289f9c Author: djm@openbsd.org -Date: Tue Jan 13 07:49:49 2015 +0000 +Date: Fri Apr 17 13:32:09 2015 +0000 upstream commit - regress test for PubkeyAcceptedKeyTypes; ok markus@ + s/recommended/required/ that private keys be og-r this + wording change was made a while ago but got accidentally reverted -commit 27ca1a5c0095eda151934bca39a77e391f875d17 -Author: markus@openbsd.org -Date: Mon Jan 12 20:13:27 2015 +0000 +commit 44a8e7ce6f3ab4c2eb1ae49115c210b98e53c4df +Author: djm@openbsd.org +Date: Fri Apr 17 13:25:52 2015 +0000 upstream commit - unbreak parsing of pubkey comments; with gerhard; ok - djm/deraadt + don't try to cleanup NULL KEX proposals in + kex_prop_free(); found by Jukka Taimisto and Markus Hietava -commit 55358f0b4e0b83bc0df81c5f854c91b11e0bb4dc +commit 3038a191872d2882052306098c1810d14835e704 Author: djm@openbsd.org -Date: Mon Jan 12 11:46:32 2015 +0000 +Date: Fri Apr 17 13:19:22 2015 +0000 upstream commit - fatal if soft-PKCS11 library is missing rather (rather - than continue and fail with a more cryptic error) + use error/logit/fatal instead of fprintf(stderr, ...) + and exit(0), fix a few errors that were being printed to stdout instead of + stderr and a few non-errors that were going to stderr instead of stdout + bz#2325; ok dtucker -commit c3554cdd2a1a62434b8161017aa76fa09718a003 +commit a58be33cb6cd24441fa7e634db0e5babdd56f07f Author: djm@openbsd.org -Date: Mon Jan 12 11:12:38 2015 +0000 +Date: Fri Apr 17 13:16:48 2015 +0000 upstream commit - let this test all supporte key types; pointed out/ok - markus@ + debug log missing DISPLAY environment when X11 + forwarding requested; bz#1682 ok dtucker@ -commit 1129dcfc5a3e508635004bcc05a3574cb7687167 +commit 17d4d9d9fbc8fb80e322f94d95eecc604588a474 Author: djm@openbsd.org -Date: Thu Jan 15 09:40:00 2015 +0000 +Date: Fri Apr 17 04:32:31 2015 +0000 upstream commit - sync ssh-keysign, ssh-keygen and some dependencies to the - new buffer/key API; mostly mechanical, ok markus@ + don't call record_login() in monitor when UseLogin is + enabled; bz#278 reported by drk AT sgi.com; ok dtucker -commit e4ebf5586452bf512da662ac277aaf6ecf0efe7c -Author: djm@openbsd.org -Date: Thu Jan 15 07:57:08 2015 +0000 +commit 40132ff87b6cbc3dc05fb5df2e9d8e3afa06aafd +Author: dtucker@openbsd.org +Date: Fri Apr 17 04:12:35 2015 +0000 upstream commit - remove commented-out test code now that it has moved to a - proper unit test + Add some missing options to sshd -T and fix the output + of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat + com, ok djm. -commit e81cba066c1e9eb70aba0f6e7c0ff220611b370f -Author: djm@openbsd.org -Date: Wed Jan 14 20:54:29 2015 +0000 +commit 6cc7cfa936afde2d829e56ee6528c7ea47a42441 +Author: dtucker@openbsd.org +Date: Thu Apr 16 23:25:50 2015 +0000 upstream commit - whitespace + Document "none" for PidFile XAuthLocation + TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@ -commit 141efe49542f7156cdbc2e4cd0a041d8b1aab622 -Author: djm@openbsd.org -Date: Wed Jan 14 20:05:27 2015 +0000 +commit 15fdfc9b1c6808b26bc54d4d61a38b54541763ed +Author: dtucker@openbsd.org +Date: Wed Apr 15 23:23:25 2015 +0000 upstream commit - move authfd.c and its tentacles to the new buffer/key - API; ok markus@ + Plug leak of address passed to logging. bz#2373, patch + from jjelen at redhat, ok markus@ -commit 0088c57af302cda278bd26d8c3ae81d5b6f7c289 -Author: djm@openbsd.org -Date: Wed Jan 14 19:33:41 2015 +0000 +commit bb2289e2a47d465eaaaeff3dee2a6b7777b4c291 +Author: dtucker@openbsd.org +Date: Tue Apr 14 04:17:03 2015 +0000 upstream commit - fix small regression: ssh-agent would return a success - message but an empty signature if asked to sign using an unknown key; ok - markus@ + Output remote username in debug output since with Host + and Match it's not always obvious what it will be. bz#2368, ok djm@ -commit b03ebe2c22b8166e4f64c37737f4278676e3488d -Author: Damien Miller -Date: Thu Jan 15 03:08:58 2015 +1100 +commit 70860b6d07461906730632f9758ff1b7c98c695a +Author: Darren Tucker +Date: Fri Apr 17 10:56:13 2015 +1000 - more --without-openssl - - fix some regressions caused by upstream merges + Format UsePAM setting when using sshd -T. - enable KRLs now that they no longer require BIGNUMs + Part of bz#2346, patch from jjelen at redhat com. -commit bc42cc6fe784f36df225c44c93b74830027cb5a2 -Author: Damien Miller -Date: Thu Jan 15 03:08:29 2015 +1100 +commit ee15d9c9f0720f5a8b0b34e4b10ecf21f9824814 +Author: Darren Tucker +Date: Fri Apr 17 10:40:23 2015 +1000 - kludge around tun API mismatch betterer + Wrap endian.h include inside ifdef (bz#2370). -commit c332110291089b624fa0951fbf2d1ee6de525b9f -Author: Damien Miller -Date: Thu Jan 15 02:59:51 2015 +1100 +commit 408f4c2ad4a4c41baa7b9b2b7423d875abbfa70b +Author: Darren Tucker +Date: Fri Apr 17 09:39:58 2015 +1000 - some systems lack SO_REUSEPORT + Look for '${host}-ar' before 'ar'. + + This changes configure.ac to look for '${host}-ar' as set by + AC_CANONICAL_HOST before looking for the unprefixed 'ar'. + Useful when cross-compiling when all your binutils are prefixed. + + Patch from moben at exherbo org via astrand at lysator liu se and + bz#2352. -commit 83b9678a62cbdc74eb2031cf1e1e4ffd58e233ae -Author: Damien Miller -Date: Thu Jan 15 02:35:50 2015 +1100 +commit 673a1c16ad078d41558247ce739fe812c960acc8 +Author: Damien Miller +Date: Thu Apr 16 11:40:20 2015 +1000 - fix merge botch + remove dependency on arpa/telnet.h -commit 0cdc5a3eb6fb383569a4da2a30705d9b90428d6b -Author: Damien Miller -Date: Thu Jan 15 02:35:33 2015 +1100 +commit 202d443eeda1829d336595a3cfc07827e49f45ed +Author: Darren Tucker +Date: Wed Apr 15 15:59:49 2015 +1000 - unbreak across API change + Remove duplicate include of pwd.h. bz#2337, patch from Mordy Ovits. -commit 6e2549ac2b5e7f96cbc2d83a6e0784b120444b47 -Author: Damien Miller -Date: Thu Jan 15 02:30:18 2015 +1100 +commit 597986493412c499f2bc2209420cb195f97b3668 +Author: Damien Miller +Date: Thu Apr 9 10:14:48 2015 +1000 - need includes.h for portable OpenSSH + platform's with openpty don't need pty_release -commit 72ef7c148c42db7d5632a29f137f8b87b579f2d9 -Author: Damien Miller -Date: Thu Jan 15 02:21:31 2015 +1100 +commit 318be28cda1fd9108f2e6f2f86b0b7589ba2aed0 +Author: djm@openbsd.org +Date: Mon Apr 13 02:04:08 2015 +0000 - support --without-openssl at configure time - - Disables and removes dependency on OpenSSL. Many features don't - work and the set of crypto options is greatly restricted. This - will only work on system with native arc4random or /dev/urandom. + upstream commit - Considered highly experimental for now. - -commit 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 -Author: Damien Miller -Date: Thu Jan 15 02:28:00 2015 +1100 - - add files missed in last commit + deprecate ancient, pre-RFC4419 and undocumented + SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems + reasonable" dtucker@ -commit a165bab605f7be55940bb8fae977398e8c96a46d -Author: djm@openbsd.org -Date: Wed Jan 14 15:02:39 2015 +0000 +commit d8f391caef62378463a0e6b36f940170dadfe605 +Author: dtucker@openbsd.org +Date: Fri Apr 10 05:16:50 2015 +0000 upstream commit - avoid BIGNUM in KRL code by using a simple bitmap; - feedback and ok markus + Don't send hostkey advertisments + (hostkeys-00@openssh.com) to current versions of Tera Term as they can't + handle them. Newer versions should be OK. Patch from Bryan Drewery and + IWAMOTO Kouichi, ok djm@ -commit 7d845f4a0b7ec97887be204c3760e44de8bf1f32 +commit 2c2cfe1a1c97eb9a08cc9817fd0678209680c636 Author: djm@openbsd.org -Date: Wed Jan 14 13:54:13 2015 +0000 +Date: Fri Apr 10 00:08:55 2015 +0000 upstream commit - update sftp client and server to new buffer API. pretty - much just mechanical changes; with & ok markus + include port number if a non-default one has been + specified; based on patch from Michael Handler -commit 139ca81866ec1b219c717d17061e5e7ad1059e2a -Author: markus@openbsd.org -Date: Wed Jan 14 13:09:09 2015 +0000 +commit 4492a4f222da4cf1e8eab12689196322e27b08c4 +Author: djm@openbsd.org +Date: Tue Apr 7 23:00:42 2015 +0000 upstream commit - switch to sshbuf/sshkey; with & ok djm@ + treat Protocol=1,2|2,1 as Protocol=2 when compiled + without SSH1 support; ok dtucker@ millert@ -commit 81bfbd0bd35683de5d7f2238b985e5f8150a9180 -Author: Damien Miller -Date: Wed Jan 14 21:48:18 2015 +1100 +commit c265e2e6e932efc6d86f6cc885dea33637a67564 +Author: miod@openbsd.org +Date: Sun Apr 5 15:43:43 2015 +0000 - support --without-openssl at configure time + upstream commit - Disables and removes dependency on OpenSSL. Many features don't - work and the set of crypto options is greatly restricted. This - will only work on system with native arc4random or /dev/urandom. + Do not use int for sig_atomic_t; spotted by + christos@netbsd; ok markus@ + +commit e7bf3a5eda6a1b02bef6096fed78527ee11e54cc +Author: Darren Tucker +Date: Tue Apr 7 10:48:04 2015 +1000 + + Use do{}while(0) for no-op functions. - Considered highly experimental for now. + From FreeBSD. -commit 54924b53af15ccdcbb9f89984512b5efef641a31 -Author: djm@openbsd.org -Date: Wed Jan 14 10:46:28 2015 +0000 +commit bb99844abae2b6447272f79e7fa84134802eb4df +Author: Darren Tucker +Date: Tue Apr 7 10:47:15 2015 +1000 - upstream commit + Wrap blf.h include in ifdef. From FreeBSD. + +commit d9b9b43656091cf0ad55c122f08fadb07dad0abd +Author: Darren Tucker +Date: Tue Apr 7 09:10:00 2015 +1000 + + Fix misspellings of regress CONFOPTS env variables. - avoid an warning for the !OPENSSL case + Patch from Bryan Drewery. -commit ae8b463217f7c9b66655bfc3945c050ffdaeb861 -Author: markus@openbsd.org -Date: Wed Jan 14 10:30:34 2015 +0000 +commit 3f4ea3c9ab1d32d43c9222c4351f58ca11144156 +Author: djm@openbsd.org +Date: Fri Apr 3 22:17:27 2015 +0000 upstream commit - swith auth-options to new sshbuf/sshkey; ok djm@ + correct return value in pubkey parsing, spotted by Ben Hawkes + ok markus@ -commit 540e891191b98b89ee90aacf5b14a4a68635e763 +commit 7da2be0cb9601ed25460c83aa4d44052b967ba0f Author: djm@openbsd.org -Date: Wed Jan 14 10:29:45 2015 +0000 +Date: Tue Mar 31 22:59:01 2015 +0000 upstream commit - make non-OpenSSL aes-ctr work on sshd w/ privsep; ok - markus@ + adapt to recent hostfile.c change: when parsing + known_hosts without fully parsing the keys therein, hostkeys_foreach() will + now correctly identify KEY_RSA1 keys; ok markus@ miod@ -commit 60c2c4ea5e1ad0ddfe8b2877b78ed5143be79c53 +commit 9e1777a0d1c706714b055811c12ab8cc21033e4a Author: markus@openbsd.org -Date: Wed Jan 14 10:24:42 2015 +0000 +Date: Tue Mar 24 20:19:15 2015 +0000 upstream commit - remove unneeded includes, sync my copyright across files - & whitespace; ok djm@ + use ${SSH} for -Q instead of installed ssh -commit 128343bcdb0b60fc826f2733df8cf979ec1627b4 -Author: markus@openbsd.org -Date: Tue Jan 13 19:31:40 2015 +0000 +commit ce1b358ea414a2cc88e4430cd5a2ea7fecd9de57 +Author: djm@openbsd.org +Date: Mon Mar 16 22:46:14 2015 +0000 upstream commit - adapt mac.c to ssherr.h return codes (de-fatal) and - simplify dependencies ok djm@ + make CLEANFILES clean up more of the tests' droppings -commit e7fd952f4ea01f09ceb068721a5431ac2fd416ed +commit 398f9ef192d820b67beba01ec234d66faca65775 Author: djm@openbsd.org -Date: Tue Jan 13 19:04:35 2015 +0000 +Date: Tue Mar 31 22:57:06 2015 +0000 upstream commit - sync changes from libopenssh; prepared by markus@ mostly - debug output tweaks, a couple of error return value changes and some other - minor stuff + downgrade error() for known_hosts parse errors to debug() + to quiet warnings from ssh1 keys present when compiled !ssh1. + + also identify ssh1 keys when scanning, even when compiled !ssh1 + + ok markus@ miod@ -commit 76c0480a85675f03a1376167cb686abed01a3583 -Author: Damien Miller -Date: Tue Jan 13 19:38:18 2015 +1100 +commit 9a47ab80030a31f2d122b8fd95bd48c408b9fcd9 +Author: djm@openbsd.org +Date: Tue Mar 31 22:55:50 2015 +0000 - add --without-ssh1 option to configure + upstream commit - Allows disabling support for SSH protocol 1. + fd leak for !ssh1 case; found by unittests; ok markus@ -commit 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03 +commit c9a0805a6280681901c270755a7cd630d7c5280e Author: djm@openbsd.org -Date: Tue Jan 13 07:39:19 2015 +0000 +Date: Tue Mar 31 22:55:24 2015 +0000 upstream commit - add sshd_config HostbasedAcceptedKeyTypes and - PubkeyAcceptedKeyTypes options to allow sshd to control what public key types - will be accepted. Currently defaults to all. Feedback & ok markus@ + don't fatal when a !ssh1 sshd is reexeced from a w/ssh1 + listener; reported by miod@; ok miod@ markus@ -commit 816d1538c24209a93ba0560b27c4fda57c3fff65 -Author: markus@openbsd.org -Date: Mon Jan 12 20:13:27 2015 +0000 +commit 704d8c88988cae38fb755a6243b119731d223222 +Author: tobias@openbsd.org +Date: Tue Mar 31 11:06:49 2015 +0000 upstream commit - unbreak parsing of pubkey comments; with gerhard; ok - djm/deraadt + Comments are only supported for RSA1 keys. If a user + tried to add one and entered his passphrase, explicitly clear it before exit. + This is done in all other error paths, too. + + ok djm -commit 0097565f849851812df610b7b6b3c4bd414f6c62 -Author: markus@openbsd.org -Date: Mon Jan 12 19:22:46 2015 +0000 +commit 78de1673c05ea2c33e0d4a4b64ecb5186b6ea2e9 +Author: jmc@openbsd.org +Date: Mon Mar 30 18:28:37 2015 +0000 upstream commit - missing error assigment on sshbuf_put_string() + ssh-askpass(1) is the default, overridden by SSH_ASKPASS; + diff originally from jiri b; -commit a7f49dcb527dd17877fcb8d5c3a9a6f550e0bba5 +commit 26e0bcf766fadb4a44fb6199386fb1dcab65ad00 Author: djm@openbsd.org -Date: Mon Jan 12 15:18:07 2015 +0000 +Date: Mon Mar 30 00:00:29 2015 +0000 upstream commit - apparently memcpy(x, NULL, 0) is undefined behaviour - according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls - when length==0; ok markus@ + fix uninitialised memory read when parsing a config file + consisting of a single nul byte. Found by hanno AT hboeck.de using AFL; ok + dtucker -commit 905fe30fca82f38213763616d0d26eb6790bde33 +commit fecede00a76fbb33a349f5121c0b2f9fbc04a777 Author: markus@openbsd.org -Date: Mon Jan 12 14:05:19 2015 +0000 +Date: Thu Mar 26 19:32:19 2015 +0000 upstream commit - free->sshkey_free; ok djm@ + sigp and lenp are not optional in ssh_agent_sign(); ok + djm@ -commit f067cca2bc20c86b110174c3fef04086a7f57b13 -Author: markus@openbsd.org -Date: Mon Jan 12 13:29:27 2015 +0000 +commit 1b0ef3813244c78669e6d4d54c624f600945327d +Author: naddy@openbsd.org +Date: Thu Mar 26 12:32:38 2015 +0000 upstream commit - allow WITH_OPENSSL w/o WITH_SSH1; ok djm@ + don't try to load .ssh/identity by default if SSH1 is + disabled; ok markus@ -commit c4bfafcc2a9300d9cfb3c15e75572d3a7d74670d +commit f9b78852379b74a2d14e6fc94fe52af30b7e9c31 Author: djm@openbsd.org -Date: Thu Jan 8 13:10:58 2015 +0000 +Date: Thu Mar 26 07:00:04 2015 +0000 upstream commit - adjust for sshkey_load_file() API change + ban all-zero curve25519 keys as recommended by latest + CFRG curves draft; ok markus -commit e752c6d547036c602b89e9e704851463bd160e32 +commit b8afbe2c1aaf573565e4da775261dfafc8b1ba9c Author: djm@openbsd.org -Date: Thu Jan 8 13:44:36 2015 +0000 +Date: Thu Mar 26 06:59:28 2015 +0000 upstream commit - fix ssh_config FingerprintHash evaluation order; from Petr - Lautrbach + relax bits needed check to allow + diffie-hellman-group1-sha1 key exchange to complete for chacha20-poly1305 was + selected as symmetric cipher; ok markus -commit ab24ab847b0fc94c8d5e419feecff0bcb6d6d1bf -Author: djm@openbsd.org -Date: Thu Jan 8 10:15:45 2015 +0000 +commit 47842f71e31da130555353c1d57a1e5a8937f1c0 +Author: markus@openbsd.org +Date: Wed Mar 25 19:29:58 2015 +0000 upstream commit - reorder hostbased key attempts to better match the - default hostkey algorithms order in myproposal.h; ok markus@ + ignore v1 errors on ssh-add -D; only try v2 keys on + -l/-L (unless WITH_SSH1) ok djm@ -commit 1195f4cb07ef4b0405c839293c38600b3e9bdb46 -Author: djm@openbsd.org -Date: Thu Jan 8 10:14:08 2015 +0000 +commit 5f57e77f91bf2230c09eca96eb5ecec39e5f2da6 +Author: markus@openbsd.org +Date: Wed Mar 25 19:21:48 2015 +0000 upstream commit - deprecate key_load_private_pem() and - sshkey_load_private_pem() interfaces. Refactor the generic key loading API to - not require pathnames to be specified (they weren't really used). - - Fixes a few other things en passant: - - Makes ed25519 keys work for hostbased authentication (ssh-keysign - previously used the PEM-only routines). - - Fixes key comment regression bz#2306: key pathnames were being lost as - comment fields. - - ok markus@ + unbreak ssh_agent_sign (lenp vs *lenp) -commit febbe09e4e9aff579b0c5cc1623f756862e4757d -Author: tedu@openbsd.org -Date: Wed Jan 7 18:15:07 2015 +0000 +commit 4daeb67181054f2a377677fac919ee8f9ed3490e +Author: markus@openbsd.org +Date: Tue Mar 24 20:10:08 2015 +0000 upstream commit - workaround for the Meyer, et al, Bleichenbacher Side - Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm - markus + don't leak 'setp' on error; noted by Nicholas Lemonias; + ok djm@ -commit 5191df927db282d3123ca2f34a04d8d96153911a -Author: djm@openbsd.org -Date: Tue Dec 23 22:42:48 2014 +0000 +commit 7d4f96f9de2a18af0d9fa75ea89a4990de0344f5 +Author: markus@openbsd.org +Date: Tue Mar 24 20:09:11 2015 +0000 upstream commit - KNF and add a little more debug() + consistent check for NULL as noted by Nicholas + Lemonias; ok djm@ -commit 8abd80315d3419b20e6938f74d37e2e2b547f0b7 -Author: jmc@openbsd.org -Date: Mon Dec 22 09:26:31 2014 +0000 +commit df100be51354e447d9345cf1ec22e6013c0eed50 +Author: markus@openbsd.org +Date: Tue Mar 24 20:03:44 2015 +0000 upstream commit - add fingerprinthash to the options list; + correct fmt-string for size_t as noted by Nicholas + Lemonias; ok djm@ -commit 296ef0560f60980da01d83b9f0e1a5257826536f -Author: jmc@openbsd.org -Date: Mon Dec 22 09:24:59 2014 +0000 +commit a22b9ef21285e81775732436f7c84a27bd3f71e0 +Author: djm@openbsd.org +Date: Tue Mar 24 09:17:21 2015 +0000 upstream commit - tweak previous; + promote chacha20-poly1305@openssh.com to be the default + cipher; ok markus -commit 462082eacbd37778a173afb6b84c6f4d898a18b5 -Author: Damien Miller -Date: Tue Dec 30 08:16:11 2014 +1100 - - avoid uninitialised free of ldns_res - - If an invalid rdclass was passed to getrrsetbyname() then - this would execute a free on an uninitialised pointer. - OpenSSH only ever calls this with a fixed and valid rdclass. - - Reported by Joshua Rogers - -commit 01b63498801053f131a0740eb9d13faf35d636c8 -Author: Damien Miller -Date: Mon Dec 29 18:10:18 2014 +1100 - - pull updated OpenBSD BCrypt PBKDF implementation - - Includes fix for 1 byte output overflow for large key length - requests (not reachable in OpenSSH). - - Pointed out by Joshua Rogers - -commit c528c1b4af2f06712177b3de9b30705752f7cbcb -Author: Damien Miller -Date: Tue Dec 23 15:26:13 2014 +1100 - - fix variable name for IPv6 case in construct_utmpx - - patch from writeonce AT midipix.org via bz#2296 - -commit 293cac52dcda123244b2e594d15592e5e481c55e -Author: Damien Miller -Date: Mon Dec 22 16:30:42 2014 +1100 - - include and use OpenBSD netcat in regress/ - -commit 8f6784f0cb56dc4fd00af3e81a10050a5785228d +commit 2aa9da1a3b360cf7b13e96fe1521534b91501fb5 Author: djm@openbsd.org -Date: Mon Dec 22 09:05:17 2014 +0000 +Date: Tue Mar 24 01:29:19 2015 +0000 upstream commit - mention ssh -Q feature to list supported { MAC, cipher, - KEX, key } algorithms in more places and include the query string used to - list the relevant information; bz#2288 + Compile-time disable SSH protocol 1. You can turn it + back on using the Makefile.inc knob if you need it to talk to ancient + devices. -commit 449e11b4d7847079bd0a2daa6e3e7ea03d8ef700 -Author: jmc@openbsd.org -Date: Mon Dec 22 08:24:17 2014 +0000 +commit 53097b2022154edf96b4e8526af5666f979503f7 +Author: djm@openbsd.org +Date: Tue Mar 24 01:11:12 2015 +0000 upstream commit - tweak previous; + fix double-negative error message "ssh1 is not + unsupported" -commit 4bea0ab3290c0b9dd2aa199e932de8e7e18062d6 +commit 5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9 Author: djm@openbsd.org -Date: Mon Dec 22 08:06:03 2014 +0000 +Date: Mon Mar 23 06:06:38 2015 +0000 upstream commit - regression test for multiple required pubkey authentication; - ok markus@ + for ssh-keygen -A, don't try (and fail) to generate ssh + v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled + without OpenSSL based on patch by Mike Frysinger; bz#2369 -commit f1c4d8ec52158b6f57834b8cd839605b0a33e7f2 +commit 725fd22a8c41db7de73a638539a5157b7e4424ae Author: djm@openbsd.org -Date: Mon Dec 22 08:04:23 2014 +0000 +Date: Wed Mar 18 01:44:21 2015 +0000 upstream commit - correct description of what will happen when a - AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd - will refuse to start) + KRL support doesn't need OpenSSL anymore, remove #ifdefs + from around call -commit 161cf419f412446635013ac49e8c660cadc36080 +commit b07011c18e0b2e172c5fd09d21fb159a0bf5fcc7 Author: djm@openbsd.org -Date: Mon Dec 22 07:55:51 2014 +0000 +Date: Mon Mar 16 11:09:52 2015 +0000 upstream commit - make internal handling of filename arguments of "none" - more consistent with ssh. "none" arguments are now replaced with NULL when - the configuration is finalised. - - Simplifies checking later on (just need to test not-NULL rather than - that + strcmp) and cleans up some inconsistencies. ok markus@ + #if 0 some more arrays used only for decrypting (we don't + use since we only need encrypt for AES-CTR) -commit f69b69b8625be447b8826b21d87713874dac25a6 -Author: djm@openbsd.org -Date: Mon Dec 22 07:51:30 2014 +0000 +commit 1cb3016635898d287e9d58b50c430995652d5358 +Author: jsg@openbsd.org +Date: Wed Mar 11 00:48:39 2015 +0000 upstream commit - remember which public keys have been used for - authentication and refuse to accept previously-used keys. - - This allows AuthenticationMethods=publickey,publickey to require - that users authenticate using two _different_ pubkeys. + add back the changes from rev 1.206, djm reverted this by + mistake in rev 1.207 + +commit 4d24b3b6a4a6383e05e7da26d183b79fa8663697 +Author: Damien Miller +Date: Fri Mar 20 09:11:59 2015 +1100 + + remove error() accidentally inserted for debugging - ok markus@ + pointed out by Christian Hesse -commit 46ac2ed4677968224c4ca825bc98fc68dae183f0 +commit 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb +Author: Tim Rice +Date: Mon Mar 16 22:49:20 2015 -0700 + + portability fix: Solaris systems may not have a grep that understands -q + +commit 8ef691f7d9ef500257a549d0906d78187490668f +Author: Damien Miller +Date: Wed Mar 11 10:35:26 2015 +1100 + + fix compile with clang + +commit 4df590cf8dc799e8986268d62019b487a8ed63ad +Author: Damien Miller +Date: Wed Mar 11 10:02:39 2015 +1100 + + make unit tests work for !OPENSSH_HAS_ECC + +commit 307bb40277ca2c32e97e61d70d1ed74b571fd6ba Author: djm@openbsd.org -Date: Mon Dec 22 07:24:11 2014 +0000 +Date: Sat Mar 7 04:41:48 2015 +0000 upstream commit - fix passing of wildcard forward bind addresses when - connection multiplexing is in use; patch from Sami Hartikainen via bz#2324; - ok dtucker@ + unbreak for w/SSH1 (default) case; ok markus@ deraadt@ -commit 0d1b241a262e4d0a6bbfdd595489ab1b853c43a1 +commit b44ee0c998fb4c5f3c3281f2398af5ce42840b6f +Author: Damien Miller +Date: Thu Mar 5 18:39:20 2015 -0800 + + unbreak hostkeys test for w/ SSH1 case + +commit 55e5bdeb519cb60cc18b7ba0545be581fb8598b4 Author: djm@openbsd.org -Date: Mon Dec 22 06:14:29 2014 +0000 +Date: Fri Mar 6 01:40:56 2015 +0000 upstream commit - make this slightly easier to diff against portable + fix sshkey_certify() return value for unsupported key types; + ok markus@ deraadt@ -commit 0715bcdddbf68953964058f17255bf54734b8737 +commit be8f658e550a434eac04256bfbc4289457a24e99 Author: Damien Miller -Date: Mon Dec 22 13:47:07 2014 +1100 +Date: Wed Mar 4 15:38:03 2015 -0800 - add missing regress output file + update version numbers to match version.h -commit 1e30483c8ad2c2f39445d4a4b6ab20c241e40593 +commit ac5e8acefa253eb5e5ba186e34236c0e8007afdc Author: djm@openbsd.org -Date: Mon Dec 22 02:15:52 2014 +0000 +Date: Wed Mar 4 23:22:35 2015 +0000 upstream commit - adjust for new SHA256 key fingerprints and - slightly-different MD5 hex fingerprint format + make these work with !SSH1; ok markus@ deraadt@ -commit 6b40567ed722df98593ad8e6a2d2448fc2b4b151 +commit 2f04af92f036b0c87a23efb259c37da98cd81fe6 Author: djm@openbsd.org -Date: Mon Dec 22 01:14:49 2014 +0000 +Date: Wed Mar 4 21:12:59 2015 +0000 upstream commit - poll changes to netcat (usr.bin/netcat.c r1.125) broke - this test; fix it by ensuring more stdio fds are sent to devnull + make ssh-add -D work with !SSH1 agent -commit a5375ccb970f49dddf7d0ef63c9b713ede9e7260 -Author: jmc@openbsd.org -Date: Sun Dec 21 23:35:14 2014 +0000 +commit a05adf95d2af6abb2b7826ddaa7a0ec0cdc1726b +Author: Damien Miller +Date: Wed Mar 4 00:55:48 2015 -0800 + + netcat needs poll.h portability goop + +commit dad2b1892b4c1b7e58df483a8c5b983c4454e099 +Author: markus@openbsd.org +Date: Tue Mar 3 22:35:19 2015 +0000 upstream commit - tweak previous; + make it possible to run tests w/o ssh1 support; ok djm@ -commit b79efde5c3badf5ce4312fe608d8307eade533c5 +commit d48a22601bdd3eec054794c535f4ae8d8ae4c6e2 Author: djm@openbsd.org -Date: Sun Dec 21 23:12:42 2014 +0000 +Date: Wed Mar 4 18:53:53 2015 +0000 upstream commit - document FingerprintHash here too + crank; ok markus, deraadt -commit d16bdd8027dd116afa01324bb071a4016cdc1a75 +commit bbffb23daa0b002dd9f296e396a9ab8a5866b339 Author: Damien Miller -Date: Mon Dec 22 10:18:09 2014 +1100 +Date: Tue Mar 3 13:50:27 2015 -0800 - missing include for base64 encoding + more --without-ssh1 fixes -commit 56d1c83cdd1ac76f1c6bd41e01e80dad834f3994 -Author: djm@openbsd.org -Date: Sun Dec 21 22:27:55 2014 +0000 +commit 6c2039286f503e2012a58a1d109e389016e7a99b +Author: Damien Miller +Date: Tue Mar 3 13:48:48 2015 -0800 - upstream commit - - Add FingerprintHash option to control algorithm used for - key fingerprints. Default changes from MD5 to SHA256 and format from hex to - base64. - - Feedback and ok naddy@ markus@ + fix merge both that broke --without-ssh1 compile -commit 058f839fe15c51be8b3a844a76ab9a8db550be4f +commit 111dfb225478a76f89ecbcd31e96eaf1311b59d3 Author: djm@openbsd.org -Date: Thu Dec 18 23:58:04 2014 +0000 +Date: Tue Mar 3 21:21:13 2015 +0000 upstream commit - don't count partial authentication success as a failure - against MaxAuthTries; ok deraadt@ + add SSH1 Makefile knob to make it easier to build without + SSH1 support; ok markus@ -commit c7219f4f54d64d6dde66dbcf7a2699daa782d2a1 +commit 3f7f5e6c5d2aa3f6710289c1a30119e534e56c5c Author: djm@openbsd.org -Date: Fri Dec 12 00:02:17 2014 +0000 +Date: Tue Mar 3 20:42:49 2015 +0000 upstream commit - revert chunk I didn't mean to commit yet; via jmc@ + expand __unused to full __attribute__ for better portability -commit 7de5991aa3997e2981440f39c1ea01273a0a2c7b +commit 2fab9b0f8720baf990c931e3f68babb0bf9949c6 Author: Damien Miller -Date: Thu Dec 18 11:44:06 2014 +1100 +Date: Wed Mar 4 07:41:27 2015 +1100 - upstream libc change - - revision 1.2 - date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV; - avoid left shift overflow in reallocarray. - - Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting - 1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with - (size_t)1 so that we get the correct constant size for the platform. - - discussed with tedu@ & deraadt@ + avoid warning -commit 2048f85a5e6da8bc6e0532efe02ecfd4e63c978c +commit d1bc844322461f882b4fd2277ba9a8d4966573d2 Author: Damien Miller -Date: Thu Dec 18 10:15:49 2014 +1100 +Date: Wed Mar 4 06:31:45 2015 +1100 - include CFLAGS in gnome askpass targets + Revert "define __unused to nothing if not already defined" - from Fedora + This reverts commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908. + + Some system headers have objects named __unused -commit 48b68ce19ca42fa488960028048dec023f7899bb -Author: djm@openbsd.org -Date: Thu Dec 11 08:20:09 2014 +0000 +commit 00797e86b2d98334d1bb808f65fa1fd47f328ff1 +Author: Damien Miller +Date: Wed Mar 4 05:02:45 2015 +1100 - upstream commit + check for crypt and DES_crypt in openssl block - explicitly include sys/param.h in files that use the - howmany() macro; from portable + fixes builds on systems that use DES_crypt; based on patch + from Roumen Petrov -commit d663bea30a294d440fef4398e5cd816317bd4518 +commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908 +Author: Damien Miller +Date: Wed Mar 4 04:59:13 2015 +1100 + + define __unused to nothing if not already defined + + fixes builds on BSD/OS + +commit d608a51daad4f14ad6ab43d7cf74ef4801cc3fe9 Author: djm@openbsd.org -Date: Thu Dec 11 05:25:06 2014 +0000 +Date: Tue Mar 3 17:53:40 2015 +0000 upstream commit - mention AuthorizedKeysCommandUser must be set for - AuthorizedKeysCommand to be run; bz#2287 + reorder logic for better portability; patch from Roumen + Petrov -commit 17bf3d81e00f2abb414a4fd271118cf4913f049f +commit 68d2dfc464fbcdf8d6387884260f9801f4352393 Author: djm@openbsd.org -Date: Thu Dec 11 05:13:28 2014 +0000 +Date: Tue Mar 3 06:48:58 2015 +0000 upstream commit - show in debug output which hostkeys are being tried when - attempting hostbased auth; patch from Iain Morgan + Allow "ssh -Q protocol-version" to list supported SSH + protocol versions. Useful for detecting builds without SSH v.1 support; idea + and ok markus@ -commit da0277e3717eadf5b15e03379fc29db133487e94 -Author: djm@openbsd.org -Date: Thu Dec 11 04:16:14 2014 +0000 +commit 39e2f1229562e1195169905607bc12290d21f021 +Author: millert@openbsd.org +Date: Sun Mar 1 15:44:40 2015 +0000 upstream commit - Make manual reflect reality: sftp-server's -d option - accepts a "%d" option, not a "%h" one. + Make sure we only call getnameinfo() for AF_INET or AF_INET6 + sockets. getpeername() of a Unix domain socket may return without error on + some systems without actually setting ss_family so getnameinfo() was getting + called with ss_family set to AF_UNSPEC. OK djm@ + +commit e47536ba9692d271b8ad89078abdecf0a1c11707 +Author: Damien Miller +Date: Sat Feb 28 08:20:11 2015 -0800 + + portability fixes for regress/netcat.c - bz#2316; reported by Kirk Wolf + Mostly avoiding "err(1, NULL)" -commit 4cf87f4b81fa9380bce5fcff7b0f8382ae3ad996 -Author: djm@openbsd.org -Date: Wed Dec 10 01:24:09 2014 +0000 +commit 02973ad5f6f49d8420e50a392331432b0396c100 +Author: Damien Miller +Date: Sat Feb 28 08:05:27 2015 -0800 - upstream commit + twiddle another test for portability - better error value for invalid signature length + from Tom G. Christensen -commit 4bfad14ca56f8ae04f418997816b4ba84e2cfc3c -Author: Darren Tucker -Date: Wed Dec 10 02:12:51 2014 +1100 +commit f7f3116abf2a6e2f309ab096b08c58d19613e5d0 +Author: Damien Miller +Date: Fri Feb 27 15:52:49 2015 -0800 - Resync more with OpenBSD's rijndael.c, in particular "#if 0"-ing out some - unused code. Should fix compile error reported by plautrba at redhat. + twiddle test for portability -commit 642652d280499691c8212ec6b79724b50008ce09 -Author: Darren Tucker -Date: Wed Dec 10 01:32:23 2014 +1100 +commit 1ad3a77cc9d5568f5437ff99d377aa7a41859b83 +Author: Damien Miller +Date: Thu Feb 26 20:33:22 2015 -0800 - Add reallocarray to compat library + make regress/netcat.c fd passing (more) portable -commit 3dfd8d93dfcc69261f5af99df56f3ff598581979 +commit 9e1cfca7e1fe9cf8edb634fc894e43993e4da1ea +Author: Damien Miller +Date: Thu Feb 26 20:32:58 2015 -0800 + + create OBJ/valgrind-out before running unittests + +commit bd58853102cee739f0e115e6d4b5334332ab1442 +Author: Damien Miller +Date: Wed Feb 25 16:58:22 2015 -0800 + + valgrind support + +commit f43d17269194761eded9e89f17456332f4c83824 Author: djm@openbsd.org -Date: Thu Dec 4 22:31:50 2014 +0000 +Date: Thu Feb 26 20:45:47 2015 +0000 upstream commit - add tests for new client RevokedHostKeys option; refactor - to make it a bit more readable + don't printf NULL key comments; reported by Tom Christensen -commit a31046cad1aed16a0b55171192faa6d02665ccec -Author: krw@openbsd.org -Date: Wed Nov 19 13:35:37 2014 +0000 +commit 6e6458b476ec854db33e3e68ebf4f489d0ab3df8 +Author: djm@openbsd.org +Date: Wed Feb 25 23:05:47 2015 +0000 upstream commit - Nuke yet more obvious #include duplications. - - ok deraadt@ + zero cmsgbuf before use; we initialise the bits we use + but valgrind still spams warning on it -commit a7c762e5b2c1093542c0bc1df25ccec0b4cf479f +commit a63cfa26864b93ab6afefad0b630e5358ed8edfa Author: djm@openbsd.org -Date: Thu Dec 4 20:47:36 2014 +0000 +Date: Wed Feb 25 19:54:02 2015 +0000 upstream commit - key_in_file() wrapper is no longer used + fix small memory leak when UpdateHostkeys=no -commit 5e39a49930d885aac9c76af3129332b6e772cd75 -Author: djm@openbsd.org -Date: Thu Dec 4 02:24:32 2014 +0000 +commit e6b950341dd75baa8526f1862bca39e52f5b879b +Author: Tim Rice +Date: Wed Feb 25 09:56:48 2015 -0800 - upstream commit + Revert "Work around finicky USL linker so netcat will build." - add RevokedHostKeys option for the client + This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b. - Allow textfile or KRL-based revocation of hostkeys. + No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3 -commit 74de254bb92c684cf53461da97f52d5ba34ded80 +commit 6f621603f9cff2a5d6016a404c96cb2f8ac2dec0 Author: djm@openbsd.org -Date: Thu Dec 4 01:49:59 2014 +0000 +Date: Wed Feb 25 17:29:38 2015 +0000 upstream commit - convert KRL code to new buffer API - - ok markus@ + don't leak validity of user in "too many authentication + failures" disconnect message; reported by Sebastian Reitenbach -commit db995f2eed5fc432598626fa3e30654503bf7151 -Author: millert@openbsd.org -Date: Wed Nov 26 18:34:51 2014 +0000 +commit 6288e3a935494df12519164f52ca5c8c65fc3ca5 +Author: naddy@openbsd.org +Date: Tue Feb 24 15:24:05 2015 +0000 upstream commit - Prefer setvbuf() to setlinebuf() for portability; ok - deraadt@ + add -v (show ASCII art) to -l's synopsis; ok djm@ -commit 72bba3d179ced8b425272efe6956a309202a91f3 -Author: jsg@openbsd.org -Date: Mon Nov 24 03:39:22 2014 +0000 +commit 678e473e2af2e4802f24dd913985864d9ead7fb3 +Author: Darren Tucker +Date: Thu Feb 26 04:12:58 2015 +1100 - upstream commit - - Fix crashes in the handling of the sshd config file found - with the afl fuzzer. + Remove dependency on xmalloc. - ok deraadt@ djm@ + Remove ssh_get_progname's dependency on xmalloc, which should reduce + link order problems. ok djm@ -commit 867f49c666adcfe92bf539d9c37c1accdea08bf6 -Author: Damien Miller -Date: Wed Nov 26 13:22:41 2014 +1100 +commit 5d5ec165c5b614b03678afdad881f10e25832e46 +Author: Darren Tucker +Date: Wed Feb 25 15:32:49 2015 +1100 - Avoid Cygwin ssh-host-config reading /etc/group + Restrict ECDSA and ECDH tests. - Patch from Corinna Vinschen + ifdef out some more ECDSA and ECDH tests when built against an OpenSSL + that does not have eliptic curve functionality. -commit 8b66f36291a721b1ba7c44f24a07fdf39235593e -Author: Damien Miller -Date: Wed Nov 26 13:20:35 2014 +1100 +commit 1734e276d99b17e92d4233fac7aef3a3180aaca7 +Author: Darren Tucker +Date: Wed Feb 25 13:40:45 2015 +1100 - allow custom service name for sshd on Cygwin - - Permits the use of multiple sshd running with different service names. + Move definition of _NSIG. - Patch by Florian Friesdorf via Corinna Vinschen + _NSIG is only unsed in one file, so move it there prevent redefinition + warnings reported by Kevin Brott. -commit 08c0eebf55d70a9ae1964399e609288ae3186a0c -Author: jmc@openbsd.org -Date: Sat Nov 22 19:21:03 2014 +0000 +commit a47ead7c95cfbeb72721066c4da2312e5b1b9f3d +Author: Darren Tucker +Date: Wed Feb 25 13:17:40 2015 +1100 - upstream commit - - restore word zapped in previous, and remove some useless - "No" macros; + Add includes.h for compatibility stuff. -commit a1418a0033fba43f061513e992e1cbcc3343e563 -Author: deraadt@openbsd.org -Date: Sat Nov 22 18:15:41 2014 +0000 +commit 38806bda6d2e48ad32812b461eebe17672ada771 +Author: Damien Miller +Date: Tue Feb 24 16:50:06 2015 -0800 - upstream commit - - /dev/random has created the same effect as /dev/arandom - (and /dev/urandom) for quite some time. Mop up the last few, by using - /dev/random where we actually want it, or not even mentioning arandom where - it is irrelevant. + include netdb.h to look for MAXHOSTNAMELEN; ok tim -commit b6de5ac9ed421362f479d1ad4fa433d2e25dad5b -Author: djm@openbsd.org -Date: Fri Nov 21 01:00:38 2014 +0000 +commit d1db656021d0cd8c001a6692f772f1de29b67c8b +Author: Tim Rice +Date: Tue Feb 24 10:42:08 2015 -0800 - upstream commit - - fix NULL pointer dereference crash on invalid timestamp - - found using Michal Zalewski's afl fuzzer + Work around finicky USL linker so netcat will build. -commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e -Author: mikeb@openbsd.org -Date: Tue Nov 18 22:38:48 2014 +0000 +commit cb030ce25f555737e8ba97bdd7883ac43f3ff2a3 +Author: Damien Miller +Date: Tue Feb 24 09:23:04 2015 -0800 - upstream commit - - Sync AES code to the one shipped in OpenSSL/LibreSSL. - - This includes a commit made by Andy Polyakov - to the OpenSSL source tree on Wed, 28 Jun 2006 with the following - message: "Mitigate cache-collision timing attack on last round." - - OK naddy, miod, djm + include includes.h to avoid build failure on AIX -commit 335c83d5f35d8620e16b8aa26592d4f836e09ad2 -Author: krw@openbsd.org -Date: Tue Nov 18 20:54:28 2014 +0000 +commit 13af342458f5064144abbb07e5ac9bbd4eb42567 +Author: Tim Rice +Date: Tue Feb 24 07:56:47 2015 -0800 - upstream commit - - Nuke more obvious #include duplications. - - ok deraadt@ millert@ tedu@ + Original portability patch from djm@ for platforms missing err.h. + Fix name space clash on Solaris 10. Still more to do for Solaris 10 + to deal with msghdr structure differences. ok djm@ -commit 51b64e44121194ae4bf153dee391228dada2abcb -Author: djm@openbsd.org -Date: Mon Nov 17 00:21:40 2014 +0000 +commit 910209203d0cd60c5083901cbcc0b7b44d9f48d2 +Author: Tim Rice +Date: Mon Feb 23 22:06:56 2015 -0800 - upstream commit - - fix KRL generation when multiple CAs are in use - - We would generate an invalid KRL when revoking certs by serial - number for multiple CA keys due to a section being written out - twice. - - Also extend the regress test to catch this case by having it - produce a multi-CA KRL. - - Reported by peter AT pean.org + cleaner way fix dispatch.h portion of commit + a88dd1da119052870bb2654c1a32c51971eade16 + (some systems have sig_atomic_t in signal.h, some in sys/signal.h) + Sounds good to me djm@ -commit d2d51003a623e21fb2b25567c4878d915e90aa2a -Author: djm@openbsd.org -Date: Tue Nov 18 01:02:25 2014 +0000 +commit 676c38d7cbe65b76bbfff796861bb6615cc6a596 +Author: Tim Rice +Date: Mon Feb 23 21:51:33 2015 -0800 - upstream commit - - fix NULL pointer dereference crash in key loading - - found by Michal Zalewski's AFL fuzzer + portability fix: if we can't dind a better define for HOST_NAME_MAX, use 255 -commit 9f9fad0191028edc43d100d0ded39419b6895fdf -Author: djm@openbsd.org -Date: Mon Nov 17 00:21:40 2014 +0000 +commit 1221b22023dce38cbc90ba77eae4c5d78c77a5e6 +Author: Tim Rice +Date: Mon Feb 23 21:50:34 2015 -0800 - upstream commit - - fix KRL generation when multiple CAs are in use - - We would generate an invalid KRL when revoking certs by serial - number for multiple CA keys due to a section being written out - twice. - - Also extend the regress test to catch this case by having it - produce a multi-CA KRL. - - Reported by peter AT pean.org + portablity fix: s/__inline__/inline/ -commit da8af83d3f7ec00099963e455010e0ed1d7d0140 -Author: bentley@openbsd.org -Date: Sat Nov 15 14:41:03 2014 +0000 +commit 4c356308a88d309c796325bb75dce90ca16591d5 +Author: Darren Tucker +Date: Tue Feb 24 13:49:31 2015 +1100 - upstream commit - - Reduce instances of `` '' in manuals. - - troff displays these as typographic quotes, but nroff implementations - almost always print them literally, which rarely has the intended effect - with modern fonts, even in stock xterm. - - These uses of `` '' can be replaced either with more semantic alternatives - or with Dq, which prints typographic quotes in a UTF-8 locale (but will - automatically fall back to `` '' in an ASCII locale). - - improvements and ok schwarze@ + Wrap stdint.h includes in HAVE_STDINT_H. -commit fc302561369483bb755b17f671f70fb894aec01d -Author: djm@openbsd.org -Date: Mon Nov 10 22:25:49 2014 +0000 +commit c9c88355c6a27a908e7d1e5003a2b35ea99c1614 +Author: Darren Tucker +Date: Tue Feb 24 13:43:57 2015 +1100 - upstream commit - - mux-related manual tweaks - - mention ControlPersist=0 is the same as ControlPersist=yes + Add AI_NUMERICSERV to fake-rfc2553. - recommend that ControlPath sockets be placed in a og-w directory + Our getaddrinfo implementation always returns numeric values already. -commit 0e4cff5f35ed11102fe3783779960ef07e0cd381 -Author: Damien Miller -Date: Wed Nov 5 11:01:31 2014 +1100 +commit ef342ab1ce6fb9a4b30186c89c309d0ae9d0eeb4 +Author: Darren Tucker +Date: Tue Feb 24 13:39:57 2015 +1100 - Prepare scripts for next Cygwin release - - Makes the Cygwin-specific ssh-user-config script independent of the - existence of /etc/passwd. The next Cygwin release will allow to - generate passwd and group entries from the Windows account DBs, so the - scripts have to adapt. + Include OpenSSL's objects.h before bn.h. - from Corinna Vinschen - -commit 7d0ba5336651731949762eb8877ce9e3b52df436 -Author: Damien Miller -Date: Thu Oct 30 10:45:41 2014 +1100 - - include version number in OpenSSL-too-old error + Prevents compile errors on some platforms (at least old GCCs and AIX's + XLC compilers). -commit 3bcb92e04d9207e9f78d82f7918c6d3422054ce9 -Author: lteo@openbsd.org -Date: Fri Oct 24 02:01:20 2014 +0000 +commit dcc8997d116f615195aa7c9ec019fb36c28c6228 +Author: Darren Tucker +Date: Tue Feb 24 12:30:59 2015 +1100 - upstream commit - - Remove unnecessary include: netinet/in_systm.h is not needed - by these programs. - - NB. skipped for portable + Convert two macros into functions. - ok deraadt@ millert@ + Convert packet_send_debug and packet_disconnect from macros to + functions. Some older GCCs (2.7.x, 2.95.x) see to have problems with + variadic macros with only one argument so we convert these two into + functions. ok djm@ -commit 6fdcaeb99532e28a69f1a1599fbd540bb15b70a0 +commit 2285c30d51b7e2052c6526445abe7e7cc7e170a1 Author: djm@openbsd.org -Date: Mon Oct 20 03:43:01 2014 +0000 +Date: Mon Feb 23 22:21:21 2015 +0000 upstream commit - whitespace + further silence spurious error message even when -v is + specified (e.g. to get visual host keys); reported by naddy@ -commit 165bc8786299e261706ed60342985f9de93a7461 -Author: daniel@openbsd.org -Date: Tue Oct 14 03:09:59 2014 +0000 +commit 9af21979c00652029e160295e988dea40758ece2 +Author: Damien Miller +Date: Tue Feb 24 09:04:32 2015 +1100 - upstream commit - - plug a memory leak; from Maxime Villard. - - ok djm@ + don't include stdint.h unless HAVE_STDINT_H set -commit b1ba15f3885947c245c2dbfaad0a04ba050abea0 -Author: jmc@openbsd.org -Date: Thu Oct 9 06:21:31 2014 +0000 +commit 62f678dd51660d6f8aee1da33d3222c5de10a89e +Author: Damien Miller +Date: Tue Feb 24 09:02:54 2015 +1100 - upstream commit + nother sys/queue.h -> sys-queue.h fix - tweak previous; + spotted by Tom Christensen -commit 259a02ebdf74ad90b41d116ecf70aa823fa4c6e7 +commit b3c19151cba2c0ed01b27f55de0d723ad07ca98f Author: djm@openbsd.org -Date: Mon Oct 13 00:38:35 2014 +0000 +Date: Mon Feb 23 20:32:15 2015 +0000 upstream commit - whitespace + fix a race condition by using a mux socket rather than an + ineffectual wait statement -commit 957fbceb0f3166e41b76fdb54075ab3b9cc84cba -Author: djm@openbsd.org -Date: Wed Oct 8 22:20:25 2014 +0000 +commit a88dd1da119052870bb2654c1a32c51971eade16 +Author: Damien Miller +Date: Tue Feb 24 06:30:29 2015 +1100 - upstream commit - - Tweak config reparsing with host canonicalisation - - Make the second pass through the config files always run when - hostname canonicalisation is enabled. - - Add a "Match canonical" criteria that allows ssh_config Match - blocks to trigger only in the second config pass. - - Add a -G option to ssh that causes it to parse its configuration - and dump the result to stdout, similar to "sshd -T" - - Allow ssh_config Port options set in the second config parse - phase to be applied (they were being ignored). - - bz#2267 bz#2286; ok markus + various include fixes for portable -commit 5c0dafd38bf66feeeb45fa0741a5baf5ad8039ba +commit 5248429b5ec524d0a65507cff0cdd6e0cb99effd Author: djm@openbsd.org -Date: Wed Oct 8 22:15:27 2014 +0000 +Date: Mon Feb 23 16:55:51 2015 +0000 upstream commit - another -Wpointer-sign from clang + add an XXX to remind me to improve sshkey_load_public -commit bb005dc815ebda9af3ae4b39ca101c4da918f835 +commit e94e4b07ef2eaead38b085a60535df9981cdbcdb Author: djm@openbsd.org -Date: Wed Oct 8 22:15:06 2014 +0000 +Date: Mon Feb 23 16:55:31 2015 +0000 upstream commit - fix a few -Wpointer-sign warnings from clang + silence a spurious error message when listing + fingerprints for known_hosts; bz#2342 -commit 3cc1fbb4fb0e804bfb873fd363cea91b27fc8188 +commit f2293a65392b54ac721f66bc0b44462e8d1d81f8 Author: djm@openbsd.org -Date: Wed Oct 8 21:45:48 2014 +0000 +Date: Mon Feb 23 16:33:25 2015 +0000 upstream commit - parse cert sections using nested buffers to reduce - copies; ok markus + fix setting/clearing of TTY raw mode around + UpdateHostKeys=ask confirmation question; reported by Herb Goldman -commit 4a45922aebf99164e2fc83d34fe55b11ae1866ef -Author: djm@openbsd.org -Date: Mon Oct 6 00:47:15 2014 +0000 +commit f2004cd1adf34492eae0a44b1ef84e0e31b06088 +Author: Darren Tucker +Date: Mon Feb 23 05:04:21 2015 +1100 - upstream commit + Repair for non-ECC OpenSSL. - correct options in usage(); from mancha1 AT zoho.com + Ifdef out the ECC parts when building with an OpenSSL that doesn't have + it. -commit 48dffd5bebae6fed0556dc5c36cece0370690618 -Author: djm@openbsd.org -Date: Tue Sep 9 09:45:36 2014 +0000 +commit 37f9220db8d1a52c75894c3de1e5f2ae5bd71b6f +Author: Darren Tucker +Date: Mon Feb 23 03:07:24 2015 +1100 - upstream commit - - mention permissions on tun(4) devices in PermitTunnel - documentation; bz#2273 + Wrap stdint.h includes in ifdefs. -commit a5883d4eccb94b16c355987f58f86a7dee17a0c2 -Author: djm@openbsd.org -Date: Wed Sep 3 18:55:07 2014 +0000 +commit f81f1bbc5b892c8614ea740b1f92735652eb43f0 +Author: Tim Rice +Date: Sat Feb 21 18:12:10 2015 -0800 - upstream commit - - tighten permissions on pty when the "tty" group does - not exist; pointed out by Corinna Vinschen; ok markus + out of tree build fix -commit 180bcb406b58bf30723c01a6b010e48ee626dda8 -Author: sobrado@openbsd.org -Date: Sat Aug 30 16:32:25 2014 +0000 +commit 2e13a1e4d22f3b503c3bfc878562cc7386a1d1ae +Author: Tim Rice +Date: Sat Feb 21 18:08:51 2015 -0800 - upstream commit - - typo. + mkdir kex unit test directory so testing out of tree builds works -commit f70b22bcdd52f6bf127047b3584371e6e5d45627 -Author: sobrado@openbsd.org -Date: Sat Aug 30 15:33:50 2014 +0000 +commit 1797f49b1ba31e8700231cd6b1d512d80bb50d2c +Author: halex@openbsd.org +Date: Sat Feb 21 21:46:57 2015 +0000 upstream commit - improve capitalization for the Ed25519 public-key - signature system. + make "ssh-add -d" properly remove a corresponding + certificate, and also not whine and fail if there is none ok djm@ -commit 7df8818409c752cf3f0c3f8044fe9aebed8647bd -Author: doug@openbsd.org -Date: Thu Aug 21 01:08:52 2014 +0000 +commit 7faaa32da83a609059d95dbfcb0649fdb04caaf6 +Author: Damien Miller +Date: Sun Feb 22 07:57:27 2015 +1100 - upstream commit - - Free resources on error in mkstemp and fdopen - - ok djm@ + mkdir hostkey and bitmap unit test directories -commit 40ba4c9733aaed08304714faeb61529f18da144b -Author: deraadt@openbsd.org -Date: Wed Aug 20 01:28:55 2014 +0000 +commit bd49da2ef197efac5e38f5399263a8b47990c538 +Author: djm@openbsd.org +Date: Fri Feb 20 23:46:01 2015 +0000 upstream commit - djm how did you make a typo like that... + sort options useable under Match case-insensitively; prodded + jmc@ -commit 57d378ec9278ba417a726f615daad67d157de666 +commit 1a779a0dd6cd8b4a1a40ea33b5415ab8408128ac Author: djm@openbsd.org -Date: Tue Aug 19 23:58:28 2014 +0000 +Date: Sat Feb 21 20:51:02 2015 +0000 upstream commit - When dumping the server configuration (sshd -T), print - correct KEX, MAC and cipher defaults. Spotted by Iain Morgan + correct paths to configuration files being written/updated; + they live in $OBJ not cwd; some by Roumen Petrov -commit 7ff880ede5195d0b17e7f1e3b6cfbc4cb6f85240 +commit 28ba006c1acddff992ae946d0bc0b500b531ba6b +Author: Darren Tucker +Date: Sat Feb 21 15:41:07 2015 +1100 + + More correct checking of HAVE_DECL_AI_NUMERICSERV. + +commit e50e8c97a9cecae1f28febccaa6ca5ab3bc10f54 +Author: Darren Tucker +Date: Sat Feb 21 15:10:33 2015 +1100 + + Add null declaration of AI_NUMERICINFO. + + Some platforms (older FreeBSD and DragonFly versions) do have + getaddrinfo() but do not have AI_NUMERICINFO. so define it to zero + in those cases. + +commit 18a208d6a460d707a45916db63a571e805f5db46 Author: djm@openbsd.org -Date: Tue Aug 19 23:57:18 2014 +0000 +Date: Fri Feb 20 22:40:32 2015 +0000 upstream commit - ~-expand lcd paths + more options that are available under Match; bz#2353 reported + by calestyo AT scientia.net -commit 4460a7ad0c78d4cd67c467f6e9f4254d0404ed59 -Author: Damien Miller -Date: Sun Oct 12 12:35:48 2014 +1100 +commit 44732de06884238049f285f1455b2181baa7dc82 +Author: djm@openbsd.org +Date: Fri Feb 20 22:17:21 2015 +0000 - remove duplicated KEX_DH1 entry + upstream commit + + UpdateHostKeys fixes: + + I accidentally changed the format of the hostkeys@openssh.com messages + last week without changing the extension name, and this has been causing + connection failures for people who are running -current. First reported + by sthen@ + + s/hostkeys@openssh.com/hostkeys-00@openssh.com/ + Change the name of the proof message too, and reorder it a little. + + Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY + available to read the response) so disable UpdateHostKeys if it is in + ask mode and ControlPersist is active (and document this) -commit c9b8426a616138d0d762176c94f51aff3faad5ff -Author: Damien Miller -Date: Thu Oct 9 10:34:06 2014 +1100 +commit 13a39414d25646f93e6d355521d832a03aaaffe2 +Author: djm@openbsd.org +Date: Tue Feb 17 00:14:05 2015 +0000 - remove ChangeLog file + upstream commit - Commit logs will be generated from git at release time. + Regression: I broke logging of public key fingerprints in + 1.46. Pointed out by Pontus Lundkvist -commit 81d18ff7c93a04affbf3903e0963859763219aed -Author: Damien Miller -Date: Tue Oct 7 21:24:25 2014 +1100 +commit 773dda25e828c4c9a52f7bdce6e1e5924157beab +Author: Damien Miller +Date: Fri Jan 30 23:10:17 2015 +1100 - delete contrib/caldera directory + repair --without-openssl; broken in refactor -commit 0ec9e87d3638206456968202f05bb5123670607a +commit e89c780886b23600de1e1c8d74aabd1ff61f43f0 Author: Damien Miller -Date: Tue Oct 7 19:57:27 2014 +1100 - - test commit +Date: Tue Feb 17 10:04:55 2015 +1100 -commit 8fb65a44568701b779f3d77326bceae63412d28d -Author: Damien Miller -Date: Tue Oct 7 09:21:49 2014 +1100 + hook up hostkeys unittest to portable Makefiles - - (djm) Release OpenSSH-6.7 +commit 0abf41f99aa16ff09b263bead242d6cb2dbbcf99 +Author: djm@openbsd.org +Date: Mon Feb 16 22:21:03 2015 +0000 -commit e8c9f2602c46f6781df5e52e6cd8413dab4602a3 -Author: Damien Miller -Date: Fri Oct 3 09:24:56 2014 +1000 + upstream commit + + enable hostkeys unit tests - - (djm) [sshd_config.5] typo; from Iain Morgan +commit 68a5d647ccf0fb6782b2f749433a1eee5bc9044b +Author: djm@openbsd.org +Date: Mon Feb 16 22:20:50 2015 +0000 -commit 703b98a26706f5083801d11059486d77491342ae -Author: Damien Miller -Date: Wed Oct 1 09:43:07 2014 +1000 + upstream commit + + check string/memory compare arguments aren't NULL - - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c] - [openbsd-compat/openbsd-compat.h] Kludge around bad glibc - _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets; - ok dtucker@ +commit ef575ef20d09f20722e26b45dab80b3620469687 +Author: djm@openbsd.org +Date: Mon Feb 16 22:18:34 2015 +0000 -commit 0fa0ed061bbfedb0daa705e220748154a84c3413 -Author: Damien Miller -Date: Wed Sep 10 08:15:34 2014 +1000 + upstream commit + + unit tests for hostfile.c code, just hostkeys_foreach so + far - - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc; - patch from Felix von Leitner; ok dtucker +commit 8ea3365e6aa2759ccf5c76eaea62cbc8a280b0e7 +Author: markus@openbsd.org +Date: Sat Feb 14 12:43:16 2015 +0000 -commit ad7d23d461c3b7e1dcb15db13aee5f4b94dc1a95 -Author: Darren Tucker -Date: Tue Sep 9 12:23:10 2014 +1000 + upstream commit + + test server rekey limit - 20140908 - - (dtucker) [INSTALL] Update info about egd. ok djm@ +commit ce63c4b063c39b2b22d4ada449c9e3fbde788cb3 +Author: djm@openbsd.org +Date: Mon Feb 16 22:30:03 2015 +0000 -commit 2a8699f37cc2515e3bc60e0c677ba060f4d48191 -Author: Damien Miller -Date: Thu Sep 4 03:46:05 2014 +1000 + upstream commit + + partial backout of: + + revision 1.441 + date: 2015/01/31 20:30:05; author: djm; state: Exp; lines: +17 -10; commitid + : x8klYPZMJSrVlt3O; + Let sshd load public host keys even when private keys are missing. + Allows sshd to advertise additional keys for future key rotation. + Also log fingerprint of hostkeys loaded; ok markus@ + + hostkey updates now require access to the private key, so we can't + load public keys only. The improved log messages (fingerprints of keys + loaded) are kept. - - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG +commit 523463a3a2a9bfc6cfc5afa01bae9147f76a37cc +Author: djm@openbsd.org +Date: Mon Feb 16 22:13:32 2015 +0000 -commit 44988defb1f5e3afe576d86000365e1f07a1b494 -Author: Damien Miller -Date: Wed Sep 3 05:35:32 2014 +1000 + upstream commit + + Revise hostkeys@openssh.com hostkey learning extension. + + The client will not ask the server to prove ownership of the private + halves of any hitherto-unseen hostkeys it offers to the client. + + Allow UpdateHostKeys option to take an 'ask' argument to let the + user manually review keys offered. + + ok markus@ - - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to - permissions/ACLs; from Corinna Vinschen +commit 6c5c949782d86a6e7d58006599c7685bfcd01685 +Author: djm@openbsd.org +Date: Mon Feb 16 22:08:57 2015 +0000 -commit 23f269562b7537b2f6f5014e50a25e5dcc55a837 -Author: Damien Miller -Date: Wed Sep 3 05:33:25 2014 +1000 + upstream commit + + Refactor hostkeys_foreach() and dependent code Deal with + IP addresses (i.e. CheckHostIP) Don't clobber known_hosts when nothing + changed ok markus@ as part of larger commit - - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and - conditionalise to avoid duplicate definition. +commit 51b082ccbe633dc970df1d1f4c9c0497115fe721 +Author: miod@openbsd.org +Date: Mon Feb 16 18:26:26 2015 +0000 -commit 41c8de2c0031cf59e7cf0c06b5bcfbf4852c1fda -Author: Damien Miller -Date: Sat Aug 30 16:23:06 2014 +1000 + upstream commit + + Declare ge25519_base as extern, to prevent it from + becoming a common. Gets us rid of ``lignment 4 of symbol + `crypto_sign_ed25519_ref_ge25519_base' in mod_ge25519.o is smaller than 16 in + mod_ed25519.o'' warnings at link time. - - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@ +commit 02db468bf7e3281a8e3c058ced571b38b6407c34 +Author: markus@openbsd.org +Date: Fri Feb 13 18:57:00 2015 +0000 -commit d7c81e216a7bd9eed6e239c970d9261bb1651947 -Author: Damien Miller -Date: Sat Aug 30 04:18:28 2014 +1000 + upstream commit + + make rekey_limit for sshd w/privsep work; ok djm@ + dtucker@ - - (djm) [openbsd-compat/openssl-compat.h] add include guard +commit 8ec67d505bd23c8bf9e17b7a364b563a07a58ec8 +Author: dtucker@openbsd.org +Date: Thu Feb 12 20:34:19 2015 +0000 -commit 4687802dda57365b984b897fc3c8e2867ea09b22 -Author: Damien Miller -Date: Sat Aug 30 03:29:19 2014 +1000 + upstream commit + + Prevent sshd spamming syslog with + "ssh_dispatch_run_fatal: disconnected". ok markus@ - - (djm) [misc.c] Missing newline between functions +commit d4c0295d1afc342057ba358237acad6be8af480b +Author: djm@openbsd.org +Date: Wed Feb 11 01:20:38 2015 +0000 -commit 51c77e29220dee87c53be2dc47092934acab26fe -Author: Damien Miller -Date: Sat Aug 30 02:30:30 2014 +1000 + upstream commit + + Some packet error messages show the address of the peer, + but might be generated after the socket to the peer has suffered a TCP reset. + In these cases, getpeername() won't work so cache the address earlier. + + spotted in the wild via deraadt@ and tedu@ - - (djm) [openbsd-compat/openssl-compat.h] add - OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them +commit 4af1709cf774475ce5d1bc3ddcc165f6c222897d +Author: jsg@openbsd.org +Date: Mon Feb 9 23:22:37 2015 +0000 -commit 3d673d103bad35afaec6e7ef73e5277216ce33a3 -Author: Damien Miller -Date: Wed Aug 27 06:32:01 2014 +1000 + upstream commit + + fix some leaks in error paths ok markus@ - - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero() - using memset_s() where possible; improve fallback to indirect bzero - via a volatile pointer to give it more of a chance to avoid being - optimised away. +commit fd36834871d06a03e1ff8d69e41992efa1bbf85f +Author: millert@openbsd.org +Date: Fri Feb 6 23:21:59 2015 +0000 -commit 146218ac11a1eb0dcade6f793d7acdef163b5ddc -Author: Damien Miller -Date: Wed Aug 27 04:11:55 2014 +1000 + upstream commit + + SIZE_MAX is standard, we should be using it in preference to + the obsolete SIZE_T_MAX. OK miod@ beck@ - - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth - monitor, not preauth; bz#2263 +commit 1910a286d7771eab84c0b047f31c0a17505236fa +Author: millert@openbsd.org +Date: Thu Feb 5 12:59:57 2015 +0000 -commit 1b215c098b3b37e38aa4e4c91bb908eee41183b1 -Author: Damien Miller -Date: Wed Aug 27 04:04:40 2014 +1000 + upstream commit + + Include stdint.h, not limits.h to get SIZE_MAX. OK guenther@ - - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] - [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] - [regress/unittests/sshkey/common.c] - [regress/unittests/sshkey/test_file.c] - [regress/unittests/sshkey/test_fuzz.c] - [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h - on !ECC OpenSSL systems +commit ce4f59b2405845584f45e0b3214760eb0008c06c +Author: deraadt@openbsd.org +Date: Tue Feb 3 08:07:20 2015 +0000 -commit ad013944af0a19e3f612089d0099bb397cf6502d -Author: Damien Miller -Date: Tue Aug 26 09:27:28 2014 +1000 + upstream commit + + missing ; djm and mlarkin really having great + interactions recently - - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL, - update OpenSSL version requirement. +commit 5d34aa94938abb12b877a25be51862757f25d54b +Author: halex@openbsd.org +Date: Tue Feb 3 00:34:14 2015 +0000 -commit ed126de8ee04c66640a0ea2697c4aaf36801f100 -Author: Damien Miller -Date: Tue Aug 26 08:37:47 2014 +1000 + upstream commit + + slightly extend the passphrase prompt if running with -c + in order to give the user a chance to notice if unintentionally running + without it + + wording tweak and ok djm@ - - (djm) [bufec.c] Skip this file on !ECC OpenSSL +commit cb3bde373e80902c7d5d0db429f85068d19b2918 +Author: djm@openbsd.org +Date: Mon Feb 2 22:48:53 2015 +0000 -commit 9c1dede005746864a4fdb36a7cdf6c51296ca909 -Author: Damien Miller -Date: Sun Aug 24 03:01:06 2014 +1000 + upstream commit + + handle PKCS#11 C_Login returning + CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@ - - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not - PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen +commit 15ad750e5ec3cc69765b7eba1ce90060e7083399 +Author: djm@openbsd.org +Date: Mon Feb 2 07:41:40 2015 +0000 -commit d244a5816fd1312a33404b436e4dd83594f1119e -Author: Damien Miller -Date: Sat Aug 23 17:06:49 2014 +1000 + upstream commit + + turn UpdateHostkeys off by default until I figure out + mlarkin@'s warning message; requested by deraadt@ - - (djm) [configure.ac] We now require a working vsnprintf everywhere (not - just for systems that lack asprintf); check for it always and extend - test to catch more brokenness. Fixes builds on Solaris <= 9 +commit 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9 +Author: deraadt@openbsd.org +Date: Mon Feb 2 01:57:44 2015 +0000 -commit 4cec036362a358e398e6a2e6d19d8e5780558634 -Author: Damien Miller -Date: Sat Aug 23 03:11:09 2014 +1000 + upstream commit + + increasing encounters with difficult DNS setups in + darknets has convinced me UseDNS off by default is better ok djm - - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on - lastlog writing on platforms with high UIDs; bz#2263 +commit 6049a548a8a68ff0bbe581ab1748ea6a59ecdc38 +Author: djm@openbsd.org +Date: Sat Jan 31 20:30:05 2015 +0000 -commit 394a60f2598d28b670d934b93942a3370b779b39 -Author: Damien Miller -Date: Fri Aug 22 18:06:20 2014 +1000 + upstream commit + + Let sshd load public host keys even when private keys are + missing. Allows sshd to advertise additional keys for future key rotation. + Also log fingerprint of hostkeys loaded; ok markus@ - - (djm) [configure.ac] double braces to appease autoconf +commit 46347ed5968f582661e8a70a45f448e0179ca0ab +Author: djm@openbsd.org +Date: Fri Jan 30 11:43:14 2015 +0000 -commit 4d69aeabd6e60afcdc7cca177ca751708ab79a9d -Author: Damien Miller -Date: Fri Aug 22 17:48:27 2014 +1000 + upstream commit + + Add a ssh_config HostbasedKeyType option to control which + host public key types are tried during hostbased authentication. + + This may be used to prevent too many keys being sent to the server, + and blowing past its MaxAuthTries limit. + + bz#2211 based on patch by Iain Morgan; ok markus@ - - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/ - definition mismatch) and warning for broken/missing snprintf case. +commit 802660cb70453fa4d230cb0233bc1bbdf8328de1 +Author: djm@openbsd.org +Date: Fri Jan 30 10:44:49 2015 +0000 -commit 0c11f1ac369d2c0aeb0ab0458a7cd04c72fe5e9e -Author: Damien Miller -Date: Fri Aug 22 17:36:56 2014 +1000 + upstream commit + + set a timeout to prevent hangs when talking to busted + servers; ok markus@ - - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC +commit 86936ec245a15c7abe71a0722610998b0a28b194 +Author: djm@openbsd.org +Date: Fri Jan 30 01:11:39 2015 +0000 -commit 6d62784b8973340b251fea6b04890f471adf28db -Author: Damien Miller -Date: Fri Aug 22 17:36:19 2014 +1000 + upstream commit + + regression test for 'wildcard CA' serial/key ID revocations - - (djm) [configure.ac] include leading zero characters in OpenSSL version - number; fixes test for unsupported versions +commit 4509b5d4a4fa645a022635bfa7e86d09b285001f +Author: djm@openbsd.org +Date: Fri Jan 30 01:13:33 2015 +0000 -commit 4f1ff1ed782117f5d5204d4e91156ed5da07cbb7 -Author: Damien Miller -Date: Thu Aug 21 15:54:50 2014 +1000 + upstream commit + + avoid more fatal/exit in the packet.c paths that + ssh-keyscan uses; feedback and "looks good" markus@ - - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that - don't set __progname. Diagnosed by Tom Christensen. +commit 669aee994348468af8b4b2ebd29b602cf2860b22 +Author: djm@openbsd.org +Date: Fri Jan 30 01:10:33 2015 +0000 -commit 005a64da0f457410045ef0bfa93c863c2450447d -Author: Damien Miller -Date: Thu Aug 21 10:48:41 2014 +1000 + upstream commit + + permit KRLs that revoke certificates by serial number or + key ID without scoping to a particular CA; ok markus@ - - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL +commit 7a2c368477e26575d0866247d3313da4256cb2b5 +Author: djm@openbsd.org +Date: Fri Jan 30 00:59:19 2015 +0000 -commit aa6598ebb3343c7380e918388e10e8ca5852b613 -Author: Damien Miller -Date: Thu Aug 21 10:47:54 2014 +1000 + upstream commit + + missing parentheses after if in do_convert_from() broke + private key conversion from other formats some time in 2010; bz#2345 reported + by jjelen AT redhat.com - - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too. +commit 25f5f78d8bf5c22d9cea8b49de24ebeee648a355 +Author: djm@openbsd.org +Date: Fri Jan 30 00:22:25 2015 +0000 -commit 54703e3cf63f0c80d4157e5ad7dbc2b363ee2c56 -Author: Damien Miller -Date: Wed Aug 20 11:10:51 2014 +1000 + upstream commit + + fix ssh protocol 1, spotted by miod@ - - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna +commit 9ce86c926dfa6e0635161b035e3944e611cbccf0 +Author: djm@openbsd.org +Date: Wed Jan 28 22:36:00 2015 +0000 -commit f0935698f0461f24d8d1f1107b476ee5fd4db1cb -Author: Damien Miller -Date: Wed Aug 20 11:06:50 2014 +1000 + upstream commit + + update to new API (key_fingerprint => sshkey_fingerprint) + check sshkey_fingerprint return values; ok markus - - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC +commit 9125525c37bf73ad3ee4025520889d2ce9d10f29 +Author: djm@openbsd.org +Date: Wed Jan 28 22:05:31 2015 +0000 -commit c5089ecaec3b2c02f014f4e67518390702a4ba14 -Author: Damien Miller -Date: Wed Aug 20 11:06:20 2014 +1000 + upstream commit + + avoid fatal() calls in packet code makes ssh-keyscan more + reliable against server failures ok dtucker@ markus@ - - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than - -L/-l; fixes linking problems on some platforms +commit fae7bbe544cba7a9e5e4ab47ff6faa3d978646eb +Author: djm@openbsd.org +Date: Wed Jan 28 21:15:47 2015 +0000 -commit 2195847e503a382f83ee969b0a8bd3dfe0e55c18 -Author: Damien Miller -Date: Wed Aug 20 11:05:03 2014 +1000 + upstream commit + + avoid fatal() calls in packet code makes ssh-keyscan more + reliable against server failures ok dtucker@ markus@ - - (djm) [configure.ac] Check OpenSSL version is supported at configure time; - suggested by Kevin Brott +commit 1a3d14f6b44a494037c7deab485abe6496bf2c60 +Author: djm@openbsd.org +Date: Wed Jan 28 11:07:25 2015 +0000 -commit a75aca1bbc989aa9f8b1b08489d37855f3d24d1a -Author: Damien Miller -Date: Tue Aug 19 11:36:07 2014 +1000 + upstream commit + + remove obsolete comment - - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README] - [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions - of TCP wrappers. +commit 80c25b7bc0a71d75c43a4575d9a1336f589eb639 +Author: okan@openbsd.org +Date: Tue Jan 27 12:54:06 2015 +0000 -commit 3f022b5a9477abceeb1bbeab04b055f3cc7ca8f6 + upstream commit + + Since r1.2 removed the use of PRI* macros, inttypes.h is + no longer required. + + ok djm@ + +commit 69ff64f69615c2a21c97cb5878a0996c21423257 Author: Damien Miller -Date: Tue Aug 19 11:32:34 2014 +1000 +Date: Tue Jan 27 23:07:43 2015 +1100 - - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG + compile on systems without TCP_MD5SIG (e.g. OSX) -commit 88137902632aceb923990e98cf5dc923bb3ef2f5 +commit 358964f3082fb90b2ae15bcab07b6105cfad5a43 Author: Damien Miller -Date: Tue Aug 19 11:28:11 2014 +1000 +Date: Tue Jan 27 23:07:25 2015 +1100 - - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC. + use ssh-keygen under test rather than system's -commit 2f3d1e7fb2eabd3cfbfd8d0f7bdd2f9a1888690b +commit a2c95c1bf33ea53038324d1fdd774bc953f98236 Author: Damien Miller -Date: Tue Aug 19 11:14:36 2014 +1000 +Date: Tue Jan 27 23:06:59 2015 +1100 - - (djm) [myproposal.h] Make curve25519 KEX dependent on - HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC. + OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX -commit d4e7d59d01a6c7f59e8c1f94a83c086e9a33d8aa +commit ade31d7b6f608a19b85bee29a7a00b1e636a2919 Author: Damien Miller -Date: Tue Aug 19 11:14:17 2014 +1000 +Date: Tue Jan 27 23:06:23 2015 +1100 - - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen + these need active_state defined to link on OSX + + temporary measure until active_state goes away entirely -commit 9eaeea2cf2b6af5f166cfa9ad3c7a90711a147a9 -Author: Damien Miller -Date: Sun Aug 10 11:35:05 2014 +1000 +commit e56aa87502f22c5844918c10190e8b4f785f067b +Author: djm@openbsd.org +Date: Tue Jan 27 12:01:36 2015 +0000 - - (djm) [README contrib/caldera/openssh.spec] - [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions + upstream commit + + use printf instead of echo -n to reduce diff against + -portable -commit f8988fbef0c9801d19fa2f8f4f041690412bec37 -Author: Damien Miller -Date: Fri Aug 1 13:31:52 2014 +1000 +commit 9f7637f56eddfaf62ce3c0af89c25480f2cf1068 +Author: jmc@openbsd.org +Date: Mon Jan 26 13:55:29 2015 +0000 - - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate - nc from stdin, it's more portable + upstream commit + + sort previous; -commit 5b3879fd4b7a4e3d43bab8f40addda39bc1169d0 -Author: Damien Miller -Date: Fri Aug 1 12:28:31 2014 +1000 +commit 3076ee7d530d5b16842fac7a6229706c7e5acd26 +Author: djm@openbsd.org +Date: Mon Jan 26 13:36:53 2015 +0000 - - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin - is closed; avoid regress failures when stdin is /dev/null + upstream commit + + properly restore umask -commit a9c46746d266f8a1b092a72b2150682d1af8ebfc -Author: Damien Miller -Date: Fri Aug 1 12:26:49 2014 +1000 +commit d411d395556b73ba1b9e451516a0bd6697c4b03d +Author: djm@openbsd.org +Date: Mon Jan 26 06:12:18 2015 +0000 - - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need - a better solution, but this will have to do for now. + upstream commit + + regression test for host key rotation -commit 426117b2e965e43f47015942b5be8dd88fe74b88 -Author: Damien Miller -Date: Wed Jul 30 12:33:20 2014 +1000 +commit fe8a3a51699afbc6407a8fae59b73349d01e49f8 +Author: djm@openbsd.org +Date: Mon Jan 26 06:11:28 2015 +0000 - - schwarze@cvs.openbsd.org 2014/07/28 15:40:08 - [sftp-server.8 sshd_config.5] - some systems no longer need /dev/log; - issue noticed by jirib; - ok deraadt + upstream commit + + adapt to sshkey API tweaks -commit f497794b6962eaf802ab4ac2a7b22ae591cca1d5 -Author: Damien Miller -Date: Wed Jul 30 12:32:46 2014 +1000 +commit 7dd355fb1f0038a3d5cdca57ebab4356c7a5b434 +Author: miod@openbsd.org +Date: Sat Jan 24 10:39:21 2015 +0000 - - dtucker@cvs.openbsd.org 2014/07/25 21:22:03 - [ssh-agent.c] - Clear buffer used for handling messages. This prevents keys being - left in memory after they have been expired or deleted in some cases - (but note that ssh-agent is setgid so you would still need root to - access them). Pointed out by Kevin Burns, ok deraadt + upstream commit + + Move -lz late in the linker commandline for things to + build on static arches. -commit a8a0f65c57c8ecba94d65948e9090da54014dfef -Author: Damien Miller -Date: Wed Jul 30 12:32:28 2014 +1000 +commit 0dad3b806fddb93c475b30853b9be1a25d673a33 +Author: miod@openbsd.org +Date: Fri Jan 23 21:21:23 2015 +0000 - - OpenBSD CVS Sync - - millert@cvs.openbsd.org 2014/07/24 22:57:10 - [ssh.1] - Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@ + upstream commit + + -Wpointer-sign is supported by gcc 4 only. -commit 56b840f2b81e14a2f95c203403633a72566736f8 -Author: Damien Miller -Date: Fri Jul 25 08:11:30 2014 +1000 +commit 2b3b1c1e4bd9577b6e780c255c278542ea66c098 +Author: djm@openbsd.org +Date: Tue Jan 20 22:58:57 2015 +0000 - - (djm) [regress/multiplex.sh] restore incorrectly deleted line; - pointed out by Christian Hesse + upstream commit + + use SUBDIR to recuse into unit tests; makes "make obj" + actually work -commit dd417b60d5ca220565d1014e92b7f8f43dc081eb -Author: Darren Tucker -Date: Wed Jul 23 10:41:21 2014 +1000 +commit 1d1092bff8db27080155541212b420703f8b9c92 +Author: djm@openbsd.org +Date: Mon Jan 26 12:16:36 2015 +0000 - - dtucker@cvs.openbsd.org 2014/07/22 23:35:38 - [regress/unittests/sshkey/testdata/*] - Regenerate test keys with certs signed with ed25519 instead of ecdsa. - These can be used in -portable on platforms that don't support ECDSA. + upstream commit + + correct description of UpdateHostKeys in ssh_config.5 and + add it to -o lists for ssh, scp and sftp; pointed out by jmc@ -commit 40e50211896369dba8f64f3b5e5fd58b76f5ac3f -Author: Darren Tucker -Date: Wed Jul 23 10:35:45 2014 +1000 +commit 5104db7cbd6cdd9c5971f4358e74414862fc1022 +Author: djm@openbsd.org +Date: Mon Jan 26 06:10:03 2015 +0000 - - dtucker@cvs.openbsd.org 2014/07/22 23:57:40 - [regress/unittests/sshkey/mktestdata.sh] - Add $OpenBSD tag to make syncs easier + upstream commit + + correctly match ECDSA subtype (== curve) for + offered/recevied host keys. Fixes connection-killing host key mismatches when + a server offers multiple ECDSA keys with different curve type (an extremely + unlikely configuration). + + ok markus, "looks mechanical" deraadt@ -commit 07e644251e809b1d4c062cf85bd1146a7e3f5a8a -Author: Darren Tucker -Date: Wed Jul 23 10:34:26 2014 +1000 +commit 8d4f87258f31cb6def9b3b55b6a7321d84728ff2 +Author: djm@openbsd.org +Date: Mon Jan 26 03:04:45 2015 +0000 - - dtucker@cvs.openbsd.org 2014/07/22 23:23:22 - [regress/unittests/sshkey/mktestdata.sh] - Sign test certs with ed25519 instead of ecdsa so that they'll work in - -portable on platforms that don't have ECDSA in their OpenSSL. ok djm + upstream commit + + Host key rotation support. + + Add a hostkeys@openssh.com protocol extension (global request) for + a server to inform a client of all its available host key after + authentication has completed. The client may record the keys in + known_hosts, allowing it to upgrade to better host key algorithms + and a server to gracefully rotate its keys. + + The client side of this is controlled by a UpdateHostkeys config + option (default on). + + ok markus@ -commit cea099a7c4eaecb01b001e5453bb4e5c25006c22 -Author: Darren Tucker -Date: Wed Jul 23 10:04:02 2014 +1000 +commit 60b1825262b1f1e24fc72050b907189c92daf18e +Author: djm@openbsd.org +Date: Mon Jan 26 02:59:11 2015 +0000 - - djm@cvs.openbsd.org 2014/07/22 01:32:12 - [regress/multiplex.sh] - change the test for still-open Unix domain sockets to be robust against - nc implementations that produce error messages. from -portable - (Id sync only) + upstream commit + + small refactor and add some convenience functions; ok + markus -commit 31eb78078d349b32ea41952ecc944b3ad6cb0d45 -Author: Darren Tucker -Date: Wed Jul 23 09:43:42 2014 +1000 +commit a5a3e3328ddce91e76f71ff479022d53e35c60c9 +Author: jmc@openbsd.org +Date: Thu Jan 22 21:00:42 2015 +0000 - - guenther@cvs.openbsd.org 2014/07/22 07:13:42 - [umac.c] - Convert from to the shiney new - ok dtucker@, who also confirmed that -portable handles this already - (ID sync only, includes.h pulls in endian.h if available.) + upstream commit + + heirarchy -> hierarchy; -commit 820763efef2d19d965602533036c2b4badc9d465 -Author: Darren Tucker -Date: Wed Jul 23 09:40:46 2014 +1000 +commit dcff5810a11195c57e1b3343c0d6b6f2b9974c11 +Author: deraadt@openbsd.org +Date: Thu Jan 22 20:24:41 2015 +0000 - - dtucker@cvs.openbsd.org 2014/07/22 01:18:50 - [key.c] - Prevent spam from key_load_private_pem during hostbased auth. ok djm@ + upstream commit + + Provide a warning about chroot misuses (which sadly, seem + to have become quite popular because shiny). sshd cannot detect/manage/do + anything about these cases, best we can do is warn in the right spot in the + man page. ok markus -commit c4ee219a66f3190fa96cbd45b4d11015685c6306 -Author: Darren Tucker -Date: Wed Jul 23 04:27:50 2014 +1000 +commit 087266ec33c76fc8d54ac5a19efacf2f4a4ca076 +Author: deraadt@openbsd.org +Date: Tue Jan 20 23:14:00 2015 +0000 - - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa- - specific tests inside OPENSSL_HAS_ECC. + upstream commit + + Reduce use of and transition to + throughout. ok djm markus -commit 04f4824940ea3edd60835416ececbae16438968a -Author: Damien Miller -Date: Tue Jul 22 11:31:47 2014 +1000 +commit 57e783c8ba2c0797f93977e83b2a8644a03065d8 +Author: markus@openbsd.org +Date: Tue Jan 20 20:16:21 2015 +0000 - - (djm) [regress/multiplex.sh] change the test for still-open Unix - domain sockets to be robust against nc implementations that produce - error messages. + upstream commit + + kex_setup errors are fatal() -commit 5ea4fe00d55453aaa44007330bb4c3181bd9b796 -Author: Damien Miller -Date: Tue Jul 22 09:39:19 2014 +1000 +commit 1d6424a6ff94633c221297ae8f42d54e12a20912 +Author: djm@openbsd.org +Date: Tue Jan 20 08:02:33 2015 +0000 - - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow; - put it back + upstream commit + + this test would accidentally delete agent.sh if run without + obj/ -commit 948a1774a79a85f9deba6d74db95f402dee32c69 -Author: Darren Tucker -Date: Tue Jul 22 01:07:11 2014 +1000 +commit 12b5f50777203e12575f1b08568281e447249ed3 +Author: djm@openbsd.org +Date: Tue Jan 20 07:56:44 2015 +0000 - - (dtucker) [sshkey.c] ifdef out unused variable when compiling without - OPENSSL_HAS_ECC. + upstream commit + + make this compile with KERBEROS5 enabled -commit c8f610f6cc57ae129758052439d9baf13699097b -Author: Damien Miller -Date: Mon Jul 21 10:23:27 2014 +1000 +commit e2cc6bef08941256817d44d146115b3478586ad4 +Author: djm@openbsd.org +Date: Tue Jan 20 07:55:33 2015 +0000 - - (djm) [regress/multiplex.sh] Not all netcat accept the -N option. + upstream commit + + fix hostkeys in agent; ok markus@ -commit 0e4e95566cd95c887f69272499b8f3880b3ec0f5 +commit 1ca3e2155aa5d3801a7ae050f85c71f41fcb95b1 Author: Damien Miller -Date: Mon Jul 21 09:52:54 2014 +1000 +Date: Tue Jan 20 10:11:31 2015 +1100 - - millert@cvs.openbsd.org 2014/07/15 15:54:15 - [forwarding.sh multiplex.sh] - Add support for Unix domain socket forwarding. A remote TCP port - may be forwarded to a local Unix domain socket and vice versa or - both ends may be a Unix domain socket. This is a reimplementation - of the streamlocal patches by William Ahern from: - http://www.25thandclement.com/~william/projects/streamlocal.html - OK djm@ markus@ + fix kex test -commit 93a87ab27ecdc709169fb24411133998f81e2761 -Author: Darren Tucker -Date: Mon Jul 21 06:30:25 2014 +1000 +commit c78a578107c7e6dcf5d30a2f34cb6581bef14029 +Author: markus@openbsd.org +Date: Mon Jan 19 20:45:25 2015 +0000 - - (dtucker) [regress/unittests/sshkey/ - {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in - ifdefs. + upstream commit + + finally enable the KEX tests I wrote some years ago... -commit 5573171352ea23df2dc6d2fe0324d023b7ba697c -Author: Darren Tucker -Date: Mon Jul 21 02:24:59 2014 +1000 +commit 31821d7217e686667d04935aeec99e1fc4a46e7e +Author: markus@openbsd.org +Date: Mon Jan 19 20:42:31 2015 +0000 - - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits - needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm + upstream commit + + adapt to new error message (SSH_ERR_MAC_INVALID) -commit 74e28682711d005026c7c8f15f96aea9d3c8b5a3 -Author: Tim Rice -Date: Fri Jul 18 20:00:11 2014 -0700 +commit d3716ca19e510e95d956ae14d5b367e364bff7f1 +Author: djm@openbsd.org +Date: Mon Jan 19 17:31:13 2015 +0000 - - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used - in servconf.h. + upstream commit + + this test was broken in at least two ways, such that it + wasn't checking that a KRL was not excluding valid keys -commit d1a0421f8e5e933fee6fb58ee6b9a22c63c8a613 -Author: Darren Tucker -Date: Sat Jul 19 07:23:55 2014 +1000 +commit 3f797653748e7c2b037dacb57574c01d9ef3b4d3 +Author: markus@openbsd.org +Date: Mon Jan 19 20:32:39 2015 +0000 - - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC. + upstream commit + + switch ssh-keyscan from setjmp to multiple ssh transport + layer instances ok djm@ -commit f0fe9ea1be62227c130b317769de3d1e736b6dc1 -Author: Darren Tucker -Date: Sat Jul 19 06:33:12 2014 +1000 +commit f582f0e917bb0017b00944783cd5f408bf4b0b5e +Author: markus@openbsd.org +Date: Mon Jan 19 20:30:23 2015 +0000 - - (dtucker) [Makefile.in] Add a t-exec target to run just the executable - tests. + upstream commit + + add experimental api for packet layer; ok djm@ -commit 450bc1180d4b061434a4b733c5c8814fa30b022b -Author: Darren Tucker -Date: Sat Jul 19 06:23:18 2014 +1000 +commit 48b3b2ba75181f11fca7f327058a591f4426cade +Author: markus@openbsd.org +Date: Mon Jan 19 20:20:20 2015 +0000 - - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used - in servconf.h. + upstream commit + + store compat flags in struct ssh; ok djm@ -commit ab2ec586baad122ed169285c31927ccf58bc7b28 -Author: Damien Miller -Date: Fri Jul 18 15:04:47 2014 +1000 +commit 57d10cbe861a235dd269c74fb2fe248469ecee9d +Author: markus@openbsd.org +Date: Mon Jan 19 20:16:15 2015 +0000 - - djm@cvs.openbsd.org 2014/07/18 02:46:01 - [ssh-agent.c] - restore umask around listener socket creation (dropped in streamlocal patch - merge) + upstream commit + + adapt kex to sshbuf and struct ssh; ok djm@ -commit 357610d15946381ae90c271837dcdd0cdce7145f -Author: Damien Miller -Date: Fri Jul 18 15:04:10 2014 +1000 +commit 3fdc88a0def4f86aa88a5846ac079dc964c0546a +Author: markus@openbsd.org +Date: Mon Jan 19 20:07:45 2015 +0000 - - djm@cvs.openbsd.org 2014/07/17 07:22:19 - [mux.c ssh.c] - reflect stdio-forward ("ssh -W host:port ...") failures in exit status. - previously we were always returning 0. bz#2255 reported by Brendan - Germain; ok dtucker + upstream commit + + move dispatch to struct ssh; ok djm@ -commit dad9a4a0b7c2b5d78605f8df28718f116524134e -Author: Damien Miller -Date: Fri Jul 18 15:03:49 2014 +1000 +commit 091c302829210c41e7f57c3f094c7b9c054306f0 +Author: markus@openbsd.org +Date: Mon Jan 19 19:52:16 2015 +0000 - - djm@cvs.openbsd.org 2014/07/17 00:12:03 - [key.c] - silence "incorrect passphrase" error spam; reported and ok dtucker@ + upstream commit + + update packet.c & isolate, introduce struct ssh a) switch + packet.c to buffer api and isolate per-connection info into struct ssh b) + (de)serialization of the state is moved from monitor to packet.c c) the old + packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and + integrated into packet.c with and ok djm@ -commit f42f7684ecbeec6ce50e0310f80b3d6da2aaf533 -Author: Damien Miller -Date: Fri Jul 18 15:03:27 2014 +1000 +commit 4e62cc68ce4ba20245d208b252e74e91d3785b74 +Author: djm@openbsd.org +Date: Mon Jan 19 17:35:48 2015 +0000 - - djm@cvs.openbsd.org 2014/07/17 00:10:18 - [mux.c] - preserve errno across syscall + upstream commit + + fix format strings in (disabled) debugging -commit 1b83320628cb0733e3688b85bfe4d388a7c51909 -Author: Damien Miller -Date: Fri Jul 18 15:03:02 2014 +1000 +commit d85e06245907d49a2cd0cfa0abf59150ad616f42 +Author: djm@openbsd.org +Date: Mon Jan 19 06:01:32 2015 +0000 - - djm@cvs.openbsd.org 2014/07/17 00:10:56 - [sandbox-systrace.c] - ifdef SYS_sendsyslog so this will compile without patching on -stable + upstream commit + + be a bit more careful in these tests to ensure that + known_hosts is clean -commit 6d57656331bcd754d912950e4a18ad259d596e61 -Author: Damien Miller -Date: Fri Jul 18 15:02:06 2014 +1000 +commit 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf +Author: djm@openbsd.org +Date: Sun Jan 18 22:00:18 2015 +0000 - - jmc@cvs.openbsd.org 2014/07/16 14:48:57 - [ssh.1] - add the streamlocal* options to ssh's -o list; millert says they're - irrelevant for scp/sftp; + upstream commit - ok markus millert + regression test for known_host file editing using + ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok + markus@ -commit 7acefbbcbeab725420ea07397ae35992f505f702 -Author: Damien Miller -Date: Fri Jul 18 14:11:24 2014 +1000 +commit 3a2b09d147a565d8a47edf37491e149a02c0d3a3 +Author: djm@openbsd.org +Date: Sun Jan 18 19:54:46 2015 +0000 - - millert@cvs.openbsd.org 2014/07/15 15:54:14 - [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] - [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] - [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] - [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] - [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] - [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] - [sshd_config.5 sshlogin.c] - Add support for Unix domain socket forwarding. A remote TCP port - may be forwarded to a local Unix domain socket and vice versa or - both ends may be a Unix domain socket. This is a reimplementation - of the streamlocal patches by William Ahern from: - http://www.25thandclement.com/~william/projects/streamlocal.html - OK djm@ markus@ + upstream commit + + more and better key tests + + test signatures and verification + test certificate generation + flesh out nested cert test + + removes most of the XXX todo markers -commit 6262d760e00714523633bd989d62e273a3dca99a -Author: Damien Miller -Date: Thu Jul 17 09:52:07 2014 +1000 +commit 589e69fd82724cfc9738f128e4771da2e6405d0d +Author: djm@openbsd.org +Date: Sun Jan 18 19:53:58 2015 +0000 - - tedu@cvs.openbsd.org 2014/07/11 13:54:34 - [myproposal.h] - by popular demand, add back hamc-sha1 to server proposal for better compat - with many clients still in use. ok deraadt + upstream commit + + make the signature fuzzing test much more rigorous: + ensure that the fuzzed input cases do not match the original (using new + fuzz_matches_original() function) and check that the verification fails in + each case -commit 9d69d937b46ecba17f16d923e538ceda7b705c7a -Author: Damien Miller -Date: Thu Jul 17 09:49:37 2014 +1000 +commit 80603c0daa2538c349c1c152405580b164d5475f +Author: djm@openbsd.org +Date: Sun Jan 18 19:52:44 2015 +0000 - - deraadt@cvs.openbsd.org 2014/07/11 08:09:54 - [sandbox-systrace.c] - Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking, - update your kernels and sshd soon.. libc will start using sendsyslog() - in about 4 days. + upstream commit + + add a fuzz_matches_original() function to the fuzzer to + detect fuzz cases that are identical to the original data. Hacky + implementation, but very useful when you need the fuzz to be different, e.g. + when verifying signature -commit f6293a0b4129826fc2e37e4062f96825df43c326 -Author: Damien Miller -Date: Thu Jul 17 09:01:25 2014 +1000 +commit 87d5495bd337e358ad69c524fcb9495208c0750b +Author: djm@openbsd.org +Date: Sun Jan 18 19:50:55 2015 +0000 - - (djm) [digest-openssl.c] Preserve array order when disabling digests. - Reported by Petr Lautrbach. + upstream commit + + better dumps from the fuzzer (shown on errors) - + include the original data as well as the fuzzed copy. -commit 00f9cd230709c04399ef5ff80492d70a55230694 -Author: Damien Miller -Date: Tue Jul 15 10:41:38 2014 +1000 +commit d59ec478c453a3fff05badbbfd96aa856364f2c2 +Author: djm@openbsd.org +Date: Sun Jan 18 19:47:55 2015 +0000 - - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto - has been located; fixes builds agains libressl-portable + upstream commit + + enable hostkey-agent.sh test -commit 1d0df3249c87019556b83306c28d4769375c2edc -Author: Damien Miller -Date: Fri Jul 11 09:19:04 2014 +1000 +commit 26b3425170bf840e4b095e1c10bf25a0a3e3a105 +Author: djm@openbsd.org +Date: Sat Jan 17 18:54:30 2015 +0000 - - OpenBSD CVS Sync - - benno@cvs.openbsd.org 2014/07/09 14:15:56 - [ssh-add.c] - fix ssh-add crash while loading more than one key - ok markus@ + upstream commit + + unit test for hostkeys in ssh-agent -commit 7a57eb3d105aa4ced15fb47001092c58811e6d9d -Author: Damien Miller -Date: Wed Jul 9 13:22:31 2014 +1000 +commit 9e06a0fb23ec55d9223b26a45bb63c7649e2f2f2 +Author: markus@openbsd.org +Date: Thu Jan 15 23:41:29 2015 +0000 - - djm@cvs.openbsd.org 2014/07/07 08:15:26 - [multiplex.sh] - remove forced-fatal that I stuck in there to test the new cleanup - logic and forgot to remove... + upstream commit + + add kex unit tests -commit 612f965239a30fe536b11ece1834d9f470aeb029 -Author: Damien Miller -Date: Wed Jul 9 13:22:03 2014 +1000 +commit d2099dec6da21ae627f6289aedae6bc1d41a22ce +Author: deraadt@openbsd.org +Date: Mon Jan 19 00:32:54 2015 +0000 - - djm@cvs.openbsd.org 2014/07/06 07:42:03 - [multiplex.sh test-exec.sh] - add a hook to the cleanup() function to kill $SSH_PID if it is set + upstream commit - use it to kill the mux master started in multiplex.sh (it was being left - around on fatal failures) + djm, your /usr/include tree is old -commit d0bb950485ba121e43a77caf434115ed6417b46f -Author: Damien Miller -Date: Wed Jul 9 13:07:28 2014 +1000 +commit 2b3c3c76c30dc5076fe09d590f5b26880f148a54 +Author: djm@openbsd.org +Date: Sun Jan 18 21:51:19 2015 +0000 - - djm@cvs.openbsd.org 2014/07/09 03:02:15 - [key.c] - downgrade more error() to debug() to better match what old authfile.c - did; suppresses spurious errors with hostbased authentication enabled + upstream commit + + some feedback from markus@: comment hostkeys_foreach() + context and avoid a member in it. -commit 0070776a038655c57f57e70cd05e4c38a5de9d84 -Author: Damien Miller -Date: Wed Jul 9 13:07:06 2014 +1000 +commit cecb30bc2ba6d594366e657d664d5c494b6c8a7f +Author: djm@openbsd.org +Date: Sun Jan 18 21:49:42 2015 +0000 - - djm@cvs.openbsd.org 2014/07/09 01:45:10 - [sftp.c] - more useful error message when GLOB_NOSPACE occurs; - bz#2254, patch from Orion Poplawski + upstream commit + + make ssh-keygen use hostkeys_foreach(). Removes some + horrendous code; ok markus@ -commit 079bac2a43c74ef7cf56850afbab3b1932534c50 -Author: Damien Miller -Date: Wed Jul 9 13:06:25 2014 +1000 +commit ec3d065df3a9557ea96b02d061fd821a18c1a0b9 +Author: djm@openbsd.org +Date: Sun Jan 18 21:48:09 2015 +0000 - - djm@cvs.openbsd.org 2014/07/07 08:19:12 - [ssh_config.5] - mention that ProxyCommand is executed using shell "exec" to avoid - a lingering process; bz#1977 + upstream commit + + convert load_hostkeys() (hostkey ordering and + known_host matching) to use the new hostkey_foreach() iterator; ok markus -commit 3a48cc090096cf99b9de592deb5f90e444edebfb -Author: Damien Miller -Date: Sun Jul 6 09:32:49 2014 +1000 +commit c29811cc480a260e42fd88849fc86a80c1e91038 +Author: djm@openbsd.org +Date: Sun Jan 18 21:40:23 2015 +0000 - - djm@cvs.openbsd.org 2014/07/05 23:11:48 - [channels.c] - fix remote-forward cancel regression; ok markus@ + upstream commit + + introduce hostkeys_foreach() to allow iteration over a + known_hosts file or controlled subset thereof. This will allow us to pull out + some ugly and duplicated code, and will be used to implement hostkey rotation + later. + + feedback and ok markus -commit 48bae3a38cb578713e676708164f6e7151cc64fa -Author: Damien Miller -Date: Sun Jul 6 09:27:06 2014 +1000 +commit f101d8291da01bbbfd6fb8c569cfd0cc61c0d346 +Author: deraadt@openbsd.org +Date: Sun Jan 18 14:01:00 2015 +0000 - - djm@cvs.openbsd.org 2014/07/03 23:18:35 - [authfile.h] - remove leakmalloc droppings + upstream commit + + string truncation due to sizeof(size) ok djm markus -commit 72e6b5c9ed5e72ca3a6ccc3177941b7c487a0826 -Author: Damien Miller -Date: Fri Jul 4 09:00:04 2014 +1000 +commit 35d6022b55b7969fc10c261cb6aa78cc4a5fcc41 +Author: djm@openbsd.org +Date: Sun Jan 18 13:33:34 2015 +0000 - - djm@cvs.openbsd.org 2014/07/03 22:40:43 - [servconf.c servconf.h session.c sshd.8 sshd_config.5] - Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is - executed, mirroring the no-user-rc authorized_keys option; - bz#2160; ok markus@ + upstream commit + + avoid trailing ',' in host key algorithms -commit 602943d1179a08dfa70af94f62296ea5e3d6ebb8 -Author: Damien Miller -Date: Fri Jul 4 08:59:41 2014 +1000 +commit 7efb455789a0cb76bdcdee91c6060a3dc8f5c007 +Author: djm@openbsd.org +Date: Sun Jan 18 13:22:28 2015 +0000 - - djm@cvs.openbsd.org 2014/07/03 22:33:41 - [channels.c] - allow explicit ::1 and 127.0.0.1 forwarding bind addresses when - GatewayPorts=no; allows client to choose address family; - bz#2222 ok markus@ + upstream commit + + infer key length correctly when user specified a fully- + qualified key name instead of using the -b bits option; ok markus@ -commit 6b37fbb7921d156b31e2c8f39d9e1b6746c34983 -Author: Damien Miller -Date: Fri Jul 4 08:59:24 2014 +1000 +commit 83f8ffa6a55ccd0ce9d8a205e3e7439ec18fedf5 +Author: djm@openbsd.org +Date: Sat Jan 17 18:53:34 2015 +0000 - - djm@cvs.openbsd.org 2014/07/03 22:23:46 - [sshconnect.c] - when rekeying, skip file/DNS lookup if it is the same as the key sent - during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@ + upstream commit + + fix hostkeys on ssh agent; found by unit test I'm about + to commit -commit d2c3cd5f2e47ee24cf7093ce8e948c2e79dfc3fd -Author: Damien Miller -Date: Fri Jul 4 08:59:01 2014 +1000 +commit 369d61f17657b814124268f99c033e4dc6e436c1 +Author: schwarze@openbsd.org +Date: Fri Jan 16 16:20:23 2015 +0000 - - jsing@cvs.openbsd.org 2014/07/03 12:42:16 - [cipher-chachapoly.c] - Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this - makes it easier to verify that chacha_encrypt_bytes() is only called once - per chacha_ivsetup() call. - ok djm@ + upstream commit + + garbage collect empty .No macros mandoc warns about -commit 686feb560ec43a06ba04da82b50f3c183c947309 -Author: Damien Miller -Date: Thu Jul 3 21:29:38 2014 +1000 +commit bb8b442d32dbdb8521d610e10d8b248d938bd747 +Author: djm@openbsd.org +Date: Fri Jan 16 15:55:07 2015 +0000 - - djm@cvs.openbsd.org 2014/07/03 11:16:55 - [auth.c auth.h auth1.c auth2.c] - make the "Too many authentication failures" message include the - user, source address, port and protocol in a format similar to the - authentication success / failure messages; bz#2199, ok dtucker + upstream commit + + regression: incorrect error message on + otherwise-successful ssh-keygen -A. Reported by Dmitry Orlov, via deraadt@ -commit 0f12341402e18fd9996ec23189b9418d2722453f -Author: Damien Miller -Date: Thu Jul 3 21:28:09 2014 +1000 +commit 9010902954a40b59d0bf3df3ccbc3140a653e2bc +Author: djm@openbsd.org +Date: Fri Jan 16 07:19:48 2015 +0000 - - jmc@cvs.openbsd.org 2014/07/03 07:45:27 - [ssh_config.5] - escape %C since groff thinks it part of an Rs/Re block; + upstream commit + + when hostname canonicalisation is enabled, try to parse + hostnames as addresses before looking them up for canonicalisation. fixes + bz#2074 and avoids needless DNS lookups in some cases; ok markus -commit 9c38643c5cd47a19db2cc28279dcc28abadc22b3 -Author: Damien Miller -Date: Thu Jul 3 21:27:46 2014 +1000 +commit 2ae4f337b2a5fb2841b6b0053b49496fef844d1c +Author: deraadt@openbsd.org +Date: Fri Jan 16 06:40:12 2015 +0000 - - djm@cvs.openbsd.org 2014/07/03 06:39:19 - [ssh.c ssh_config.5] - Add a %C escape sequence for LocalCommand and ControlPath that expands - to a unique identifer based on a has of the tuple of (local host, - remote user, hostname, port). - - Helps avoid exceeding sockaddr_un's miserly pathname limits for mux - control paths. + upstream commit - bz#2220, based on patch from mancha1 AT zoho.com; ok markus@ - -commit 49d9bfe2b2f3e90cc158a215dffa7675e57e7830 -Author: Damien Miller -Date: Thu Jul 3 21:26:42 2014 +1000 + Replace with and other less + dirty headers where possible. Annotate lines with their + current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, + LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of + MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. + These are the files confirmed through binary verification. ok guenther, + millert, doug (helped with the verification protocol) - - djm@cvs.openbsd.org 2014/07/03 05:38:17 - [ssh.1] - document that -g will only work in the multiplexed case if applied to - the mux master +commit 3c4726f4c24118e8f1bb80bf75f1456c76df072c +Author: markus@openbsd.org +Date: Thu Jan 15 21:38:50 2015 +0000 -commit ef9f13ba4c58057b2166d1f2e790535da402fbe5 -Author: Damien Miller -Date: Thu Jul 3 21:26:21 2014 +1000 + upstream commit + + remove xmalloc, switch to sshbuf - - djm@cvs.openbsd.org 2014/07/03 05:32:36 - [ssh_config.5] - mention '%%' escape sequence in HostName directives and how it may - be used to specify IPv6 link-local addresses +commit e17ac01f8b763e4b83976b9e521e90a280acc097 +Author: markus@openbsd.org +Date: Thu Jan 15 21:37:14 2015 +0000 -commit e6a407789e5432dd2e53336fb73476cc69048c54 + upstream commit + + switch to sshbuf + +commit ddef9995a1fa6c7a8ff3b38bfe6cf724bebf13d0 +Author: naddy@openbsd.org +Date: Thu Jan 15 18:32:54 2015 +0000 + + upstream commit + + handle UMAC128 initialization like UMAC; ok djm@ markus@ + +commit f14564c1f7792446bca143580aef0e7ac25dcdae +Author: djm@openbsd.org +Date: Thu Jan 15 11:04:36 2015 +0000 + + upstream commit + + fix regression reported by brad@ for passworded keys without + agent present + +commit 45c0fd70bb2a88061319dfff20cb12ef7b1bc47e +Author: Damien Miller +Date: Thu Jan 15 22:08:23 2015 +1100 + + make bitmap test compile + +commit d333f89abf7179021e5c3f28673f469abe032062 +Author: djm@openbsd.org +Date: Thu Jan 15 07:36:28 2015 +0000 + + upstream commit + + unit tests for KRL bitmap + +commit 7613f828f49c55ff356007ae9645038ab6682556 +Author: markus@openbsd.org +Date: Wed Jan 14 09:58:21 2015 +0000 + + upstream commit + + re-add comment about full path + +commit 6c43b48b307c41cd656b415621a644074579a578 +Author: markus@openbsd.org +Date: Wed Jan 14 09:54:38 2015 +0000 + + upstream commit + + don't reset to the installed sshd; connect before + reconfigure, too + +commit 771bb47a1df8b69061f09462e78aa0b66cd594bf +Author: djm@openbsd.org +Date: Tue Jan 13 14:51:51 2015 +0000 + + upstream commit + + implement a SIGINFO handler so we can discern a stuck + fuzz test from a merely glacial one; prompted by and ok markus + +commit cfaa57962f8536f3cf0fd7daf4d6a55d6f6de45f +Author: djm@openbsd.org +Date: Tue Jan 13 08:23:26 2015 +0000 + + upstream commit + + use $SSH instead of installed ssh to allow override; + spotted by markus@ + +commit 0920553d0aee117a596b03ed5b49b280d34a32c5 +Author: djm@openbsd.org +Date: Tue Jan 13 07:49:49 2015 +0000 + + upstream commit + + regress test for PubkeyAcceptedKeyTypes; ok markus@ + +commit 27ca1a5c0095eda151934bca39a77e391f875d17 +Author: markus@openbsd.org +Date: Mon Jan 12 20:13:27 2015 +0000 + + upstream commit + + unbreak parsing of pubkey comments; with gerhard; ok + djm/deraadt + +commit 55358f0b4e0b83bc0df81c5f854c91b11e0bb4dc +Author: djm@openbsd.org +Date: Mon Jan 12 11:46:32 2015 +0000 + + upstream commit + + fatal if soft-PKCS11 library is missing rather (rather + than continue and fail with a more cryptic error) + +commit c3554cdd2a1a62434b8161017aa76fa09718a003 +Author: djm@openbsd.org +Date: Mon Jan 12 11:12:38 2015 +0000 + + upstream commit + + let this test all supporte key types; pointed out/ok + markus@ + +commit 1129dcfc5a3e508635004bcc05a3574cb7687167 +Author: djm@openbsd.org +Date: Thu Jan 15 09:40:00 2015 +0000 + + upstream commit + + sync ssh-keysign, ssh-keygen and some dependencies to the + new buffer/key API; mostly mechanical, ok markus@ + +commit e4ebf5586452bf512da662ac277aaf6ecf0efe7c +Author: djm@openbsd.org +Date: Thu Jan 15 07:57:08 2015 +0000 + + upstream commit + + remove commented-out test code now that it has moved to a + proper unit test + +commit e81cba066c1e9eb70aba0f6e7c0ff220611b370f +Author: djm@openbsd.org +Date: Wed Jan 14 20:54:29 2015 +0000 + + upstream commit + + whitespace + +commit 141efe49542f7156cdbc2e4cd0a041d8b1aab622 +Author: djm@openbsd.org +Date: Wed Jan 14 20:05:27 2015 +0000 + + upstream commit + + move authfd.c and its tentacles to the new buffer/key + API; ok markus@ + +commit 0088c57af302cda278bd26d8c3ae81d5b6f7c289 +Author: djm@openbsd.org +Date: Wed Jan 14 19:33:41 2015 +0000 + + upstream commit + + fix small regression: ssh-agent would return a success + message but an empty signature if asked to sign using an unknown key; ok + markus@ + +commit b03ebe2c22b8166e4f64c37737f4278676e3488d +Author: Damien Miller +Date: Thu Jan 15 03:08:58 2015 +1100 + + more --without-openssl + + fix some regressions caused by upstream merges + + enable KRLs now that they no longer require BIGNUMs + +commit bc42cc6fe784f36df225c44c93b74830027cb5a2 +Author: Damien Miller +Date: Thu Jan 15 03:08:29 2015 +1100 + + kludge around tun API mismatch betterer + +commit c332110291089b624fa0951fbf2d1ee6de525b9f +Author: Damien Miller +Date: Thu Jan 15 02:59:51 2015 +1100 + + some systems lack SO_REUSEPORT + +commit 83b9678a62cbdc74eb2031cf1e1e4ffd58e233ae +Author: Damien Miller +Date: Thu Jan 15 02:35:50 2015 +1100 + + fix merge botch + +commit 0cdc5a3eb6fb383569a4da2a30705d9b90428d6b +Author: Damien Miller +Date: Thu Jan 15 02:35:33 2015 +1100 + + unbreak across API change + +commit 6e2549ac2b5e7f96cbc2d83a6e0784b120444b47 +Author: Damien Miller +Date: Thu Jan 15 02:30:18 2015 +1100 + + need includes.h for portable OpenSSH + +commit 72ef7c148c42db7d5632a29f137f8b87b579f2d9 +Author: Damien Miller +Date: Thu Jan 15 02:21:31 2015 +1100 + + support --without-openssl at configure time + + Disables and removes dependency on OpenSSL. Many features don't + work and the set of crypto options is greatly restricted. This + will only work on system with native arc4random or /dev/urandom. + + Considered highly experimental for now. + +commit 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 +Author: Damien Miller +Date: Thu Jan 15 02:28:00 2015 +1100 + + add files missed in last commit + +commit a165bab605f7be55940bb8fae977398e8c96a46d +Author: djm@openbsd.org +Date: Wed Jan 14 15:02:39 2015 +0000 + + upstream commit + + avoid BIGNUM in KRL code by using a simple bitmap; + feedback and ok markus + +commit 7d845f4a0b7ec97887be204c3760e44de8bf1f32 +Author: djm@openbsd.org +Date: Wed Jan 14 13:54:13 2015 +0000 + + upstream commit + + update sftp client and server to new buffer API. pretty + much just mechanical changes; with & ok markus + +commit 139ca81866ec1b219c717d17061e5e7ad1059e2a +Author: markus@openbsd.org +Date: Wed Jan 14 13:09:09 2015 +0000 + + upstream commit + + switch to sshbuf/sshkey; with & ok djm@ + +commit 81bfbd0bd35683de5d7f2238b985e5f8150a9180 +Author: Damien Miller +Date: Wed Jan 14 21:48:18 2015 +1100 + + support --without-openssl at configure time + + Disables and removes dependency on OpenSSL. Many features don't + work and the set of crypto options is greatly restricted. This + will only work on system with native arc4random or /dev/urandom. + + Considered highly experimental for now. + +commit 54924b53af15ccdcbb9f89984512b5efef641a31 +Author: djm@openbsd.org +Date: Wed Jan 14 10:46:28 2015 +0000 + + upstream commit + + avoid an warning for the !OPENSSL case + +commit ae8b463217f7c9b66655bfc3945c050ffdaeb861 +Author: markus@openbsd.org +Date: Wed Jan 14 10:30:34 2015 +0000 + + upstream commit + + swith auth-options to new sshbuf/sshkey; ok djm@ + +commit 540e891191b98b89ee90aacf5b14a4a68635e763 +Author: djm@openbsd.org +Date: Wed Jan 14 10:29:45 2015 +0000 + + upstream commit + + make non-OpenSSL aes-ctr work on sshd w/ privsep; ok + markus@ + +commit 60c2c4ea5e1ad0ddfe8b2877b78ed5143be79c53 +Author: markus@openbsd.org +Date: Wed Jan 14 10:24:42 2015 +0000 + + upstream commit + + remove unneeded includes, sync my copyright across files + & whitespace; ok djm@ + +commit 128343bcdb0b60fc826f2733df8cf979ec1627b4 +Author: markus@openbsd.org +Date: Tue Jan 13 19:31:40 2015 +0000 + + upstream commit + + adapt mac.c to ssherr.h return codes (de-fatal) and + simplify dependencies ok djm@ + +commit e7fd952f4ea01f09ceb068721a5431ac2fd416ed +Author: djm@openbsd.org +Date: Tue Jan 13 19:04:35 2015 +0000 + + upstream commit + + sync changes from libopenssh; prepared by markus@ mostly + debug output tweaks, a couple of error return value changes and some other + minor stuff + +commit 76c0480a85675f03a1376167cb686abed01a3583 +Author: Damien Miller +Date: Tue Jan 13 19:38:18 2015 +1100 + + add --without-ssh1 option to configure + + Allows disabling support for SSH protocol 1. + +commit 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03 +Author: djm@openbsd.org +Date: Tue Jan 13 07:39:19 2015 +0000 + + upstream commit + + add sshd_config HostbasedAcceptedKeyTypes and + PubkeyAcceptedKeyTypes options to allow sshd to control what public key types + will be accepted. Currently defaults to all. Feedback & ok markus@ + +commit 816d1538c24209a93ba0560b27c4fda57c3fff65 +Author: markus@openbsd.org +Date: Mon Jan 12 20:13:27 2015 +0000 + + upstream commit + + unbreak parsing of pubkey comments; with gerhard; ok + djm/deraadt + +commit 0097565f849851812df610b7b6b3c4bd414f6c62 +Author: markus@openbsd.org +Date: Mon Jan 12 19:22:46 2015 +0000 + + upstream commit + + missing error assigment on sshbuf_put_string() + +commit a7f49dcb527dd17877fcb8d5c3a9a6f550e0bba5 +Author: djm@openbsd.org +Date: Mon Jan 12 15:18:07 2015 +0000 + + upstream commit + + apparently memcpy(x, NULL, 0) is undefined behaviour + according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls + when length==0; ok markus@ + +commit 905fe30fca82f38213763616d0d26eb6790bde33 +Author: markus@openbsd.org +Date: Mon Jan 12 14:05:19 2015 +0000 + + upstream commit + + free->sshkey_free; ok djm@ + +commit f067cca2bc20c86b110174c3fef04086a7f57b13 +Author: markus@openbsd.org +Date: Mon Jan 12 13:29:27 2015 +0000 + + upstream commit + + allow WITH_OPENSSL w/o WITH_SSH1; ok djm@ + +commit c4bfafcc2a9300d9cfb3c15e75572d3a7d74670d +Author: djm@openbsd.org +Date: Thu Jan 8 13:10:58 2015 +0000 + + upstream commit + + adjust for sshkey_load_file() API change + +commit e752c6d547036c602b89e9e704851463bd160e32 +Author: djm@openbsd.org +Date: Thu Jan 8 13:44:36 2015 +0000 + + upstream commit + + fix ssh_config FingerprintHash evaluation order; from Petr + Lautrbach + +commit ab24ab847b0fc94c8d5e419feecff0bcb6d6d1bf +Author: djm@openbsd.org +Date: Thu Jan 8 10:15:45 2015 +0000 + + upstream commit + + reorder hostbased key attempts to better match the + default hostkey algorithms order in myproposal.h; ok markus@ + +commit 1195f4cb07ef4b0405c839293c38600b3e9bdb46 +Author: djm@openbsd.org +Date: Thu Jan 8 10:14:08 2015 +0000 + + upstream commit + + deprecate key_load_private_pem() and + sshkey_load_private_pem() interfaces. Refactor the generic key loading API to + not require pathnames to be specified (they weren't really used). + + Fixes a few other things en passant: + + Makes ed25519 keys work for hostbased authentication (ssh-keysign + previously used the PEM-only routines). + + Fixes key comment regression bz#2306: key pathnames were being lost as + comment fields. + + ok markus@ + +commit febbe09e4e9aff579b0c5cc1623f756862e4757d +Author: tedu@openbsd.org +Date: Wed Jan 7 18:15:07 2015 +0000 + + upstream commit + + workaround for the Meyer, et al, Bleichenbacher Side + Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm + markus + +commit 5191df927db282d3123ca2f34a04d8d96153911a +Author: djm@openbsd.org +Date: Tue Dec 23 22:42:48 2014 +0000 + + upstream commit + + KNF and add a little more debug() + +commit 8abd80315d3419b20e6938f74d37e2e2b547f0b7 +Author: jmc@openbsd.org +Date: Mon Dec 22 09:26:31 2014 +0000 + + upstream commit + + add fingerprinthash to the options list; + +commit 296ef0560f60980da01d83b9f0e1a5257826536f +Author: jmc@openbsd.org +Date: Mon Dec 22 09:24:59 2014 +0000 + + upstream commit + + tweak previous; + +commit 462082eacbd37778a173afb6b84c6f4d898a18b5 +Author: Damien Miller +Date: Tue Dec 30 08:16:11 2014 +1100 + + avoid uninitialised free of ldns_res + + If an invalid rdclass was passed to getrrsetbyname() then + this would execute a free on an uninitialised pointer. + OpenSSH only ever calls this with a fixed and valid rdclass. + + Reported by Joshua Rogers + +commit 01b63498801053f131a0740eb9d13faf35d636c8 +Author: Damien Miller +Date: Mon Dec 29 18:10:18 2014 +1100 + + pull updated OpenBSD BCrypt PBKDF implementation + + Includes fix for 1 byte output overflow for large key length + requests (not reachable in OpenSSH). + + Pointed out by Joshua Rogers + +commit c528c1b4af2f06712177b3de9b30705752f7cbcb +Author: Damien Miller +Date: Tue Dec 23 15:26:13 2014 +1100 + + fix variable name for IPv6 case in construct_utmpx + + patch from writeonce AT midipix.org via bz#2296 + +commit 293cac52dcda123244b2e594d15592e5e481c55e +Author: Damien Miller +Date: Mon Dec 22 16:30:42 2014 +1100 + + include and use OpenBSD netcat in regress/ + +commit 8f6784f0cb56dc4fd00af3e81a10050a5785228d +Author: djm@openbsd.org +Date: Mon Dec 22 09:05:17 2014 +0000 + + upstream commit + + mention ssh -Q feature to list supported { MAC, cipher, + KEX, key } algorithms in more places and include the query string used to + list the relevant information; bz#2288 + +commit 449e11b4d7847079bd0a2daa6e3e7ea03d8ef700 +Author: jmc@openbsd.org +Date: Mon Dec 22 08:24:17 2014 +0000 + + upstream commit + + tweak previous; + +commit 4bea0ab3290c0b9dd2aa199e932de8e7e18062d6 +Author: djm@openbsd.org +Date: Mon Dec 22 08:06:03 2014 +0000 + + upstream commit + + regression test for multiple required pubkey authentication; + ok markus@ + +commit f1c4d8ec52158b6f57834b8cd839605b0a33e7f2 +Author: djm@openbsd.org +Date: Mon Dec 22 08:04:23 2014 +0000 + + upstream commit + + correct description of what will happen when a + AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd + will refuse to start) + +commit 161cf419f412446635013ac49e8c660cadc36080 +Author: djm@openbsd.org +Date: Mon Dec 22 07:55:51 2014 +0000 + + upstream commit + + make internal handling of filename arguments of "none" + more consistent with ssh. "none" arguments are now replaced with NULL when + the configuration is finalised. + + Simplifies checking later on (just need to test not-NULL rather than + that + strcmp) and cleans up some inconsistencies. ok markus@ + +commit f69b69b8625be447b8826b21d87713874dac25a6 +Author: djm@openbsd.org +Date: Mon Dec 22 07:51:30 2014 +0000 + + upstream commit + + remember which public keys have been used for + authentication and refuse to accept previously-used keys. + + This allows AuthenticationMethods=publickey,publickey to require + that users authenticate using two _different_ pubkeys. + + ok markus@ + +commit 46ac2ed4677968224c4ca825bc98fc68dae183f0 +Author: djm@openbsd.org +Date: Mon Dec 22 07:24:11 2014 +0000 + + upstream commit + + fix passing of wildcard forward bind addresses when + connection multiplexing is in use; patch from Sami Hartikainen via bz#2324; + ok dtucker@ + +commit 0d1b241a262e4d0a6bbfdd595489ab1b853c43a1 +Author: djm@openbsd.org +Date: Mon Dec 22 06:14:29 2014 +0000 + + upstream commit + + make this slightly easier to diff against portable + +commit 0715bcdddbf68953964058f17255bf54734b8737 +Author: Damien Miller +Date: Mon Dec 22 13:47:07 2014 +1100 + + add missing regress output file + +commit 1e30483c8ad2c2f39445d4a4b6ab20c241e40593 +Author: djm@openbsd.org +Date: Mon Dec 22 02:15:52 2014 +0000 + + upstream commit + + adjust for new SHA256 key fingerprints and + slightly-different MD5 hex fingerprint format + +commit 6b40567ed722df98593ad8e6a2d2448fc2b4b151 +Author: djm@openbsd.org +Date: Mon Dec 22 01:14:49 2014 +0000 + + upstream commit + + poll changes to netcat (usr.bin/netcat.c r1.125) broke + this test; fix it by ensuring more stdio fds are sent to devnull + +commit a5375ccb970f49dddf7d0ef63c9b713ede9e7260 +Author: jmc@openbsd.org +Date: Sun Dec 21 23:35:14 2014 +0000 + + upstream commit + + tweak previous; + +commit b79efde5c3badf5ce4312fe608d8307eade533c5 +Author: djm@openbsd.org +Date: Sun Dec 21 23:12:42 2014 +0000 + + upstream commit + + document FingerprintHash here too + +commit d16bdd8027dd116afa01324bb071a4016cdc1a75 +Author: Damien Miller +Date: Mon Dec 22 10:18:09 2014 +1100 + + missing include for base64 encoding + +commit 56d1c83cdd1ac76f1c6bd41e01e80dad834f3994 +Author: djm@openbsd.org +Date: Sun Dec 21 22:27:55 2014 +0000 + + upstream commit + + Add FingerprintHash option to control algorithm used for + key fingerprints. Default changes from MD5 to SHA256 and format from hex to + base64. + + Feedback and ok naddy@ markus@ + +commit 058f839fe15c51be8b3a844a76ab9a8db550be4f +Author: djm@openbsd.org +Date: Thu Dec 18 23:58:04 2014 +0000 + + upstream commit + + don't count partial authentication success as a failure + against MaxAuthTries; ok deraadt@ + +commit c7219f4f54d64d6dde66dbcf7a2699daa782d2a1 +Author: djm@openbsd.org +Date: Fri Dec 12 00:02:17 2014 +0000 + + upstream commit + + revert chunk I didn't mean to commit yet; via jmc@ + +commit 7de5991aa3997e2981440f39c1ea01273a0a2c7b +Author: Damien Miller +Date: Thu Dec 18 11:44:06 2014 +1100 + + upstream libc change + + revision 1.2 + date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV; + avoid left shift overflow in reallocarray. + + Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting + 1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with + (size_t)1 so that we get the correct constant size for the platform. + + discussed with tedu@ & deraadt@ + +commit 2048f85a5e6da8bc6e0532efe02ecfd4e63c978c +Author: Damien Miller +Date: Thu Dec 18 10:15:49 2014 +1100 + + include CFLAGS in gnome askpass targets + + from Fedora + +commit 48b68ce19ca42fa488960028048dec023f7899bb +Author: djm@openbsd.org +Date: Thu Dec 11 08:20:09 2014 +0000 + + upstream commit + + explicitly include sys/param.h in files that use the + howmany() macro; from portable + +commit d663bea30a294d440fef4398e5cd816317bd4518 +Author: djm@openbsd.org +Date: Thu Dec 11 05:25:06 2014 +0000 + + upstream commit + + mention AuthorizedKeysCommandUser must be set for + AuthorizedKeysCommand to be run; bz#2287 + +commit 17bf3d81e00f2abb414a4fd271118cf4913f049f +Author: djm@openbsd.org +Date: Thu Dec 11 05:13:28 2014 +0000 + + upstream commit + + show in debug output which hostkeys are being tried when + attempting hostbased auth; patch from Iain Morgan + +commit da0277e3717eadf5b15e03379fc29db133487e94 +Author: djm@openbsd.org +Date: Thu Dec 11 04:16:14 2014 +0000 + + upstream commit + + Make manual reflect reality: sftp-server's -d option + accepts a "%d" option, not a "%h" one. + + bz#2316; reported by Kirk Wolf + +commit 4cf87f4b81fa9380bce5fcff7b0f8382ae3ad996 +Author: djm@openbsd.org +Date: Wed Dec 10 01:24:09 2014 +0000 + + upstream commit + + better error value for invalid signature length + +commit 4bfad14ca56f8ae04f418997816b4ba84e2cfc3c +Author: Darren Tucker +Date: Wed Dec 10 02:12:51 2014 +1100 + + Resync more with OpenBSD's rijndael.c, in particular "#if 0"-ing out some + unused code. Should fix compile error reported by plautrba at redhat. + +commit 642652d280499691c8212ec6b79724b50008ce09 +Author: Darren Tucker +Date: Wed Dec 10 01:32:23 2014 +1100 + + Add reallocarray to compat library + +commit 3dfd8d93dfcc69261f5af99df56f3ff598581979 +Author: djm@openbsd.org +Date: Thu Dec 4 22:31:50 2014 +0000 + + upstream commit + + add tests for new client RevokedHostKeys option; refactor + to make it a bit more readable + +commit a31046cad1aed16a0b55171192faa6d02665ccec +Author: krw@openbsd.org +Date: Wed Nov 19 13:35:37 2014 +0000 + + upstream commit + + Nuke yet more obvious #include duplications. + + ok deraadt@ + +commit a7c762e5b2c1093542c0bc1df25ccec0b4cf479f +Author: djm@openbsd.org +Date: Thu Dec 4 20:47:36 2014 +0000 + + upstream commit + + key_in_file() wrapper is no longer used + +commit 5e39a49930d885aac9c76af3129332b6e772cd75 +Author: djm@openbsd.org +Date: Thu Dec 4 02:24:32 2014 +0000 + + upstream commit + + add RevokedHostKeys option for the client + + Allow textfile or KRL-based revocation of hostkeys. + +commit 74de254bb92c684cf53461da97f52d5ba34ded80 +Author: djm@openbsd.org +Date: Thu Dec 4 01:49:59 2014 +0000 + + upstream commit + + convert KRL code to new buffer API + + ok markus@ + +commit db995f2eed5fc432598626fa3e30654503bf7151 +Author: millert@openbsd.org +Date: Wed Nov 26 18:34:51 2014 +0000 + + upstream commit + + Prefer setvbuf() to setlinebuf() for portability; ok + deraadt@ + +commit 72bba3d179ced8b425272efe6956a309202a91f3 +Author: jsg@openbsd.org +Date: Mon Nov 24 03:39:22 2014 +0000 + + upstream commit + + Fix crashes in the handling of the sshd config file found + with the afl fuzzer. + + ok deraadt@ djm@ + +commit 867f49c666adcfe92bf539d9c37c1accdea08bf6 +Author: Damien Miller +Date: Wed Nov 26 13:22:41 2014 +1100 + + Avoid Cygwin ssh-host-config reading /etc/group + + Patch from Corinna Vinschen + +commit 8b66f36291a721b1ba7c44f24a07fdf39235593e +Author: Damien Miller +Date: Wed Nov 26 13:20:35 2014 +1100 + + allow custom service name for sshd on Cygwin + + Permits the use of multiple sshd running with different service names. + + Patch by Florian Friesdorf via Corinna Vinschen + +commit 08c0eebf55d70a9ae1964399e609288ae3186a0c +Author: jmc@openbsd.org +Date: Sat Nov 22 19:21:03 2014 +0000 + + upstream commit + + restore word zapped in previous, and remove some useless + "No" macros; + +commit a1418a0033fba43f061513e992e1cbcc3343e563 +Author: deraadt@openbsd.org +Date: Sat Nov 22 18:15:41 2014 +0000 + + upstream commit + + /dev/random has created the same effect as /dev/arandom + (and /dev/urandom) for quite some time. Mop up the last few, by using + /dev/random where we actually want it, or not even mentioning arandom where + it is irrelevant. + +commit b6de5ac9ed421362f479d1ad4fa433d2e25dad5b +Author: djm@openbsd.org +Date: Fri Nov 21 01:00:38 2014 +0000 + + upstream commit + + fix NULL pointer dereference crash on invalid timestamp + + found using Michal Zalewski's afl fuzzer + +commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e +Author: mikeb@openbsd.org +Date: Tue Nov 18 22:38:48 2014 +0000 + + upstream commit + + Sync AES code to the one shipped in OpenSSL/LibreSSL. + + This includes a commit made by Andy Polyakov + to the OpenSSL source tree on Wed, 28 Jun 2006 with the following + message: "Mitigate cache-collision timing attack on last round." + + OK naddy, miod, djm + +commit 335c83d5f35d8620e16b8aa26592d4f836e09ad2 +Author: krw@openbsd.org +Date: Tue Nov 18 20:54:28 2014 +0000 + + upstream commit + + Nuke more obvious #include duplications. + + ok deraadt@ millert@ tedu@ + +commit 51b64e44121194ae4bf153dee391228dada2abcb +Author: djm@openbsd.org +Date: Mon Nov 17 00:21:40 2014 +0000 + + upstream commit + + fix KRL generation when multiple CAs are in use + + We would generate an invalid KRL when revoking certs by serial + number for multiple CA keys due to a section being written out + twice. + + Also extend the regress test to catch this case by having it + produce a multi-CA KRL. + + Reported by peter AT pean.org + +commit d2d51003a623e21fb2b25567c4878d915e90aa2a +Author: djm@openbsd.org +Date: Tue Nov 18 01:02:25 2014 +0000 + + upstream commit + + fix NULL pointer dereference crash in key loading + + found by Michal Zalewski's AFL fuzzer + +commit 9f9fad0191028edc43d100d0ded39419b6895fdf +Author: djm@openbsd.org +Date: Mon Nov 17 00:21:40 2014 +0000 + + upstream commit + + fix KRL generation when multiple CAs are in use + + We would generate an invalid KRL when revoking certs by serial + number for multiple CA keys due to a section being written out + twice. + + Also extend the regress test to catch this case by having it + produce a multi-CA KRL. + + Reported by peter AT pean.org + +commit da8af83d3f7ec00099963e455010e0ed1d7d0140 +Author: bentley@openbsd.org +Date: Sat Nov 15 14:41:03 2014 +0000 + + upstream commit + + Reduce instances of `` '' in manuals. + + troff displays these as typographic quotes, but nroff implementations + almost always print them literally, which rarely has the intended effect + with modern fonts, even in stock xterm. + + These uses of `` '' can be replaced either with more semantic alternatives + or with Dq, which prints typographic quotes in a UTF-8 locale (but will + automatically fall back to `` '' in an ASCII locale). + + improvements and ok schwarze@ + +commit fc302561369483bb755b17f671f70fb894aec01d +Author: djm@openbsd.org +Date: Mon Nov 10 22:25:49 2014 +0000 + + upstream commit + + mux-related manual tweaks + + mention ControlPersist=0 is the same as ControlPersist=yes + + recommend that ControlPath sockets be placed in a og-w directory + +commit 0e4cff5f35ed11102fe3783779960ef07e0cd381 +Author: Damien Miller +Date: Wed Nov 5 11:01:31 2014 +1100 + + Prepare scripts for next Cygwin release + + Makes the Cygwin-specific ssh-user-config script independent of the + existence of /etc/passwd. The next Cygwin release will allow to + generate passwd and group entries from the Windows account DBs, so the + scripts have to adapt. + + from Corinna Vinschen + +commit 7d0ba5336651731949762eb8877ce9e3b52df436 +Author: Damien Miller +Date: Thu Oct 30 10:45:41 2014 +1100 + + include version number in OpenSSL-too-old error + +commit 3bcb92e04d9207e9f78d82f7918c6d3422054ce9 +Author: lteo@openbsd.org +Date: Fri Oct 24 02:01:20 2014 +0000 + + upstream commit + + Remove unnecessary include: netinet/in_systm.h is not needed + by these programs. + + NB. skipped for portable + + ok deraadt@ millert@ + +commit 6fdcaeb99532e28a69f1a1599fbd540bb15b70a0 +Author: djm@openbsd.org +Date: Mon Oct 20 03:43:01 2014 +0000 + + upstream commit + + whitespace + +commit 165bc8786299e261706ed60342985f9de93a7461 +Author: daniel@openbsd.org +Date: Tue Oct 14 03:09:59 2014 +0000 + + upstream commit + + plug a memory leak; from Maxime Villard. + + ok djm@ + +commit b1ba15f3885947c245c2dbfaad0a04ba050abea0 +Author: jmc@openbsd.org +Date: Thu Oct 9 06:21:31 2014 +0000 + + upstream commit + + tweak previous; + +commit 259a02ebdf74ad90b41d116ecf70aa823fa4c6e7 +Author: djm@openbsd.org +Date: Mon Oct 13 00:38:35 2014 +0000 + + upstream commit + + whitespace + +commit 957fbceb0f3166e41b76fdb54075ab3b9cc84cba +Author: djm@openbsd.org +Date: Wed Oct 8 22:20:25 2014 +0000 + + upstream commit + + Tweak config reparsing with host canonicalisation + + Make the second pass through the config files always run when + hostname canonicalisation is enabled. + + Add a "Match canonical" criteria that allows ssh_config Match + blocks to trigger only in the second config pass. + + Add a -G option to ssh that causes it to parse its configuration + and dump the result to stdout, similar to "sshd -T" + + Allow ssh_config Port options set in the second config parse + phase to be applied (they were being ignored). + + bz#2267 bz#2286; ok markus + +commit 5c0dafd38bf66feeeb45fa0741a5baf5ad8039ba +Author: djm@openbsd.org +Date: Wed Oct 8 22:15:27 2014 +0000 + + upstream commit + + another -Wpointer-sign from clang + +commit bb005dc815ebda9af3ae4b39ca101c4da918f835 +Author: djm@openbsd.org +Date: Wed Oct 8 22:15:06 2014 +0000 + + upstream commit + + fix a few -Wpointer-sign warnings from clang + +commit 3cc1fbb4fb0e804bfb873fd363cea91b27fc8188 +Author: djm@openbsd.org +Date: Wed Oct 8 21:45:48 2014 +0000 + + upstream commit + + parse cert sections using nested buffers to reduce + copies; ok markus + +commit 4a45922aebf99164e2fc83d34fe55b11ae1866ef +Author: djm@openbsd.org +Date: Mon Oct 6 00:47:15 2014 +0000 + + upstream commit + + correct options in usage(); from mancha1 AT zoho.com + +commit 48dffd5bebae6fed0556dc5c36cece0370690618 +Author: djm@openbsd.org +Date: Tue Sep 9 09:45:36 2014 +0000 + + upstream commit + + mention permissions on tun(4) devices in PermitTunnel + documentation; bz#2273 + +commit a5883d4eccb94b16c355987f58f86a7dee17a0c2 +Author: djm@openbsd.org +Date: Wed Sep 3 18:55:07 2014 +0000 + + upstream commit + + tighten permissions on pty when the "tty" group does + not exist; pointed out by Corinna Vinschen; ok markus + +commit 180bcb406b58bf30723c01a6b010e48ee626dda8 +Author: sobrado@openbsd.org +Date: Sat Aug 30 16:32:25 2014 +0000 + + upstream commit + + typo. + +commit f70b22bcdd52f6bf127047b3584371e6e5d45627 +Author: sobrado@openbsd.org +Date: Sat Aug 30 15:33:50 2014 +0000 + + upstream commit + + improve capitalization for the Ed25519 public-key + signature system. + + ok djm@ + +commit 7df8818409c752cf3f0c3f8044fe9aebed8647bd +Author: doug@openbsd.org +Date: Thu Aug 21 01:08:52 2014 +0000 + + upstream commit + + Free resources on error in mkstemp and fdopen + + ok djm@ + +commit 40ba4c9733aaed08304714faeb61529f18da144b +Author: deraadt@openbsd.org +Date: Wed Aug 20 01:28:55 2014 +0000 + + upstream commit + + djm how did you make a typo like that... + +commit 57d378ec9278ba417a726f615daad67d157de666 +Author: djm@openbsd.org +Date: Tue Aug 19 23:58:28 2014 +0000 + + upstream commit + + When dumping the server configuration (sshd -T), print + correct KEX, MAC and cipher defaults. Spotted by Iain Morgan + +commit 7ff880ede5195d0b17e7f1e3b6cfbc4cb6f85240 +Author: djm@openbsd.org +Date: Tue Aug 19 23:57:18 2014 +0000 + + upstream commit + + ~-expand lcd paths + +commit 4460a7ad0c78d4cd67c467f6e9f4254d0404ed59 Author: Damien Miller -Date: Thu Jul 3 21:25:03 2014 +1000 +Date: Sun Oct 12 12:35:48 2014 +1100 - - djm@cvs.openbsd.org 2014/07/03 04:36:45 - [digest.h] - forward-declare struct sshbuf so consumers don't need to include sshbuf.h + remove duplicated KEX_DH1 entry -commit 4a1d3d50f02d0a8a4ef95ea4749293cbfb89f919 +commit c9b8426a616138d0d762176c94f51aff3faad5ff Author: Damien Miller -Date: Thu Jul 3 21:24:40 2014 +1000 +Date: Thu Oct 9 10:34:06 2014 +1100 - - djm@cvs.openbsd.org 2014/07/03 03:47:27 - [ssh-keygen.c] - When hashing or removing hosts using ssh-keygen, don't choke on - @revoked markers and don't remove @cert-authority markers; - bz#2241, reported by mlindgren AT runelind.net + remove ChangeLog file + + Commit logs will be generated from git at release time. -commit e5c0d52ceb575c3db8c313e0b1aa3845943d7ba8 +commit 81d18ff7c93a04affbf3903e0963859763219aed +Author: Damien Miller +Date: Tue Oct 7 21:24:25 2014 +1100 + + delete contrib/caldera directory + +commit 0ec9e87d3638206456968202f05bb5123670607a +Author: Damien Miller +Date: Tue Oct 7 19:57:27 2014 +1100 + + test commit + +commit 8fb65a44568701b779f3d77326bceae63412d28d Author: Damien Miller -Date: Thu Jul 3 21:24:19 2014 +1000 +Date: Tue Oct 7 09:21:49 2014 +1100 - - djm@cvs.openbsd.org 2014/07/03 03:34:09 - [gss-serv.c session.c ssh-keygen.c] - standardise on NI_MAXHOST for gethostname() string lengths; about - 1/2 the cases were using it already. Fixes bz#2239 en passant + - (djm) Release OpenSSH-6.7 -commit c174a3b7c14e0d178c61219de2aa1110e209950c +commit e8c9f2602c46f6781df5e52e6cd8413dab4602a3 Author: Damien Miller -Date: Thu Jul 3 21:23:24 2014 +1000 +Date: Fri Oct 3 09:24:56 2014 +1000 - - djm@cvs.openbsd.org 2014/07/03 03:26:43 - [digest-openssl.c] - use EVP_Digest() for one-shot hash instead of creating, updating, - finalising and destroying a context. - bz#2231, based on patch from Timo Teras + - (djm) [sshd_config.5] typo; from Iain Morgan -commit d7ca2cd31ecc4d63a055e2dcc4bf35c13f2db4c5 +commit 703b98a26706f5083801d11059486d77491342ae Author: Damien Miller -Date: Thu Jul 3 21:23:01 2014 +1000 +Date: Wed Oct 1 09:43:07 2014 +1000 - - djm@cvs.openbsd.org 2014/07/03 03:15:01 - [ssh-add.c] - make stdout line-buffered; saves partial output getting lost when - ssh-add fatal()s part-way through (e.g. when listing keys from an - agent that supports key types that ssh-add doesn't); - bz#2234, reported by Phil Pennock + - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c] + [openbsd-compat/openbsd-compat.h] Kludge around bad glibc + _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets; + ok dtucker@ -commit b1e967c8d7c7578dd0c172d85b3046cf54ea42ba +commit 0fa0ed061bbfedb0daa705e220748154a84c3413 Author: Damien Miller -Date: Thu Jul 3 21:22:40 2014 +1000 +Date: Wed Sep 10 08:15:34 2014 +1000 - - djm@cvs.openbsd.org 2014/07/03 03:11:03 - [ssh-agent.c] - Only cleanup agent socket in the main agent process and not in any - subprocesses it may have started (e.g. forked askpass). Fixes - agent sockets being zapped when askpass processes fatal(); - bz#2236 patch from Dmitry V. Levin + - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc; + patch from Felix von Leitner; ok dtucker -commit 61e28e55c3438d796b02ef878bcd28620d452670 +commit ad7d23d461c3b7e1dcb15db13aee5f4b94dc1a95 +Author: Darren Tucker +Date: Tue Sep 9 12:23:10 2014 +1000 + + 20140908 + - (dtucker) [INSTALL] Update info about egd. ok djm@ + +commit 2a8699f37cc2515e3bc60e0c677ba060f4d48191 Author: Damien Miller -Date: Thu Jul 3 21:22:22 2014 +1000 +Date: Thu Sep 4 03:46:05 2014 +1000 - - djm@cvs.openbsd.org 2014/07/03 01:45:38 - [sshkey.c] - make Ed25519 keys' title fit properly in the randomart border; bz#2247 - based on patch from Christian Hesse + - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG -commit 9eb4cd9a32c32d40d36450b68ed93badc6a94c68 +commit 44988defb1f5e3afe576d86000365e1f07a1b494 Author: Damien Miller -Date: Thu Jul 3 13:29:50 2014 +1000 +Date: Wed Sep 3 05:35:32 2014 +1000 - - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist; - bz#2237 + - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to + permissions/ACLs; from Corinna Vinschen -commit 8da0fa24934501909408327298097b1629b89eaa +commit 23f269562b7537b2f6f5014e50a25e5dcc55a837 +Author: Damien Miller +Date: Wed Sep 3 05:33:25 2014 +1000 + + - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and + conditionalise to avoid duplicate definition. + +commit 41c8de2c0031cf59e7cf0c06b5bcfbf4852c1fda +Author: Damien Miller +Date: Sat Aug 30 16:23:06 2014 +1000 + + - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@ + +commit d7c81e216a7bd9eed6e239c970d9261bb1651947 +Author: Damien Miller +Date: Sat Aug 30 04:18:28 2014 +1000 + + - (djm) [openbsd-compat/openssl-compat.h] add include guard + +commit 4687802dda57365b984b897fc3c8e2867ea09b22 +Author: Damien Miller +Date: Sat Aug 30 03:29:19 2014 +1000 + + - (djm) [misc.c] Missing newline between functions + +commit 51c77e29220dee87c53be2dc47092934acab26fe +Author: Damien Miller +Date: Sat Aug 30 02:30:30 2014 +1000 + + - (djm) [openbsd-compat/openssl-compat.h] add + OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them + +commit 3d673d103bad35afaec6e7ef73e5277216ce33a3 +Author: Damien Miller +Date: Wed Aug 27 06:32:01 2014 +1000 + + - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero() + using memset_s() where possible; improve fallback to indirect bzero + via a volatile pointer to give it more of a chance to avoid being + optimised away. + +commit 146218ac11a1eb0dcade6f793d7acdef163b5ddc +Author: Damien Miller +Date: Wed Aug 27 04:11:55 2014 +1000 + + - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth + monitor, not preauth; bz#2263 + +commit 1b215c098b3b37e38aa4e4c91bb908eee41183b1 +Author: Damien Miller +Date: Wed Aug 27 04:04:40 2014 +1000 + + - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] + [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] + [regress/unittests/sshkey/common.c] + [regress/unittests/sshkey/test_file.c] + [regress/unittests/sshkey/test_fuzz.c] + [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h + on !ECC OpenSSL systems + +commit ad013944af0a19e3f612089d0099bb397cf6502d +Author: Damien Miller +Date: Tue Aug 26 09:27:28 2014 +1000 + + - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL, + update OpenSSL version requirement. + +commit ed126de8ee04c66640a0ea2697c4aaf36801f100 +Author: Damien Miller +Date: Tue Aug 26 08:37:47 2014 +1000 + + - (djm) [bufec.c] Skip this file on !ECC OpenSSL + +commit 9c1dede005746864a4fdb36a7cdf6c51296ca909 +Author: Damien Miller +Date: Sun Aug 24 03:01:06 2014 +1000 + + - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not + PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen + +commit d244a5816fd1312a33404b436e4dd83594f1119e +Author: Damien Miller +Date: Sat Aug 23 17:06:49 2014 +1000 + + - (djm) [configure.ac] We now require a working vsnprintf everywhere (not + just for systems that lack asprintf); check for it always and extend + test to catch more brokenness. Fixes builds on Solaris <= 9 + +commit 4cec036362a358e398e6a2e6d19d8e5780558634 +Author: Damien Miller +Date: Sat Aug 23 03:11:09 2014 +1000 + + - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on + lastlog writing on platforms with high UIDs; bz#2263 + +commit 394a60f2598d28b670d934b93942a3370b779b39 +Author: Damien Miller +Date: Fri Aug 22 18:06:20 2014 +1000 + + - (djm) [configure.ac] double braces to appease autoconf + +commit 4d69aeabd6e60afcdc7cca177ca751708ab79a9d +Author: Damien Miller +Date: Fri Aug 22 17:48:27 2014 +1000 + + - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/ + definition mismatch) and warning for broken/missing snprintf case. + +commit 0c11f1ac369d2c0aeb0ab0458a7cd04c72fe5e9e +Author: Damien Miller +Date: Fri Aug 22 17:36:56 2014 +1000 + + - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC + +commit 6d62784b8973340b251fea6b04890f471adf28db +Author: Damien Miller +Date: Fri Aug 22 17:36:19 2014 +1000 + + - (djm) [configure.ac] include leading zero characters in OpenSSL version + number; fixes test for unsupported versions + +commit 4f1ff1ed782117f5d5204d4e91156ed5da07cbb7 +Author: Damien Miller +Date: Thu Aug 21 15:54:50 2014 +1000 + + - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that + don't set __progname. Diagnosed by Tom Christensen. + +commit 005a64da0f457410045ef0bfa93c863c2450447d Author: Damien Miller -Date: Thu Jul 3 11:54:19 2014 +1000 +Date: Thu Aug 21 10:48:41 2014 +1000 - - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto - doesn't support it. + - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL -commit 81309c857dd0dbc0a1245a16d621c490ad48cfbb +commit aa6598ebb3343c7380e918388e10e8ca5852b613 Author: Damien Miller -Date: Wed Jul 2 17:45:55 2014 +1000 +Date: Thu Aug 21 10:47:54 2014 +1000 - - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test + - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too. -commit 82b2482ce68654815ee049b9bf021bb362a35ff2 +commit 54703e3cf63f0c80d4157e5ad7dbc2b363ee2c56 Author: Damien Miller -Date: Wed Jul 2 17:43:41 2014 +1000 +Date: Wed Aug 20 11:10:51 2014 +1000 - - (djm) [sshkey.c] Conditionalise inclusion of util.h + - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna -commit dd8b1dd7933eb6f5652641b0cdced34a387f2e80 +commit f0935698f0461f24d8d1f1107b476ee5fd4db1cb Author: Damien Miller -Date: Wed Jul 2 17:38:31 2014 +1000 +Date: Wed Aug 20 11:06:50 2014 +1000 - - djm@cvs.openbsd.org 2014/06/24 01:14:17 - [Makefile.in regress/Makefile regress/unittests/Makefile] - [regress/unittests/sshkey/Makefile] - [regress/unittests/sshkey/common.c] - [regress/unittests/sshkey/common.h] - [regress/unittests/sshkey/mktestdata.sh] - [regress/unittests/sshkey/test_file.c] - [regress/unittests/sshkey/test_fuzz.c] - [regress/unittests/sshkey/test_sshkey.c] - [regress/unittests/sshkey/tests.c] - [regress/unittests/sshkey/testdata/dsa_1] - [regress/unittests/sshkey/testdata/dsa_1-cert.fp] - [regress/unittests/sshkey/testdata/dsa_1-cert.pub] - [regress/unittests/sshkey/testdata/dsa_1.fp] - [regress/unittests/sshkey/testdata/dsa_1.fp.bb] - [regress/unittests/sshkey/testdata/dsa_1.param.g] - [regress/unittests/sshkey/testdata/dsa_1.param.priv] - [regress/unittests/sshkey/testdata/dsa_1.param.pub] - [regress/unittests/sshkey/testdata/dsa_1.pub] - [regress/unittests/sshkey/testdata/dsa_1_pw] - [regress/unittests/sshkey/testdata/dsa_2] - [regress/unittests/sshkey/testdata/dsa_2.fp] - [regress/unittests/sshkey/testdata/dsa_2.fp.bb] - [regress/unittests/sshkey/testdata/dsa_2.pub] - [regress/unittests/sshkey/testdata/dsa_n] - [regress/unittests/sshkey/testdata/dsa_n_pw] - [regress/unittests/sshkey/testdata/ecdsa_1] - [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp] - [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub] - [regress/unittests/sshkey/testdata/ecdsa_1.fp] - [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb] - [regress/unittests/sshkey/testdata/ecdsa_1.param.curve] - [regress/unittests/sshkey/testdata/ecdsa_1.param.priv] - [regress/unittests/sshkey/testdata/ecdsa_1.param.pub] - [regress/unittests/sshkey/testdata/ecdsa_1.pub] - [regress/unittests/sshkey/testdata/ecdsa_1_pw] - [regress/unittests/sshkey/testdata/ecdsa_2] - [regress/unittests/sshkey/testdata/ecdsa_2.fp] - [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb] - [regress/unittests/sshkey/testdata/ecdsa_2.param.curve] - [regress/unittests/sshkey/testdata/ecdsa_2.param.priv] - [regress/unittests/sshkey/testdata/ecdsa_2.param.pub] - [regress/unittests/sshkey/testdata/ecdsa_2.pub] - [regress/unittests/sshkey/testdata/ecdsa_n] - [regress/unittests/sshkey/testdata/ecdsa_n_pw] - [regress/unittests/sshkey/testdata/ed25519_1] - [regress/unittests/sshkey/testdata/ed25519_1-cert.fp] - [regress/unittests/sshkey/testdata/ed25519_1-cert.pub] - [regress/unittests/sshkey/testdata/ed25519_1.fp] - [regress/unittests/sshkey/testdata/ed25519_1.fp.bb] - [regress/unittests/sshkey/testdata/ed25519_1.pub] - [regress/unittests/sshkey/testdata/ed25519_1_pw] - [regress/unittests/sshkey/testdata/ed25519_2] - [regress/unittests/sshkey/testdata/ed25519_2.fp] - [regress/unittests/sshkey/testdata/ed25519_2.fp.bb] - [regress/unittests/sshkey/testdata/ed25519_2.pub] - [regress/unittests/sshkey/testdata/pw] - [regress/unittests/sshkey/testdata/rsa1_1] - [regress/unittests/sshkey/testdata/rsa1_1.fp] - [regress/unittests/sshkey/testdata/rsa1_1.fp.bb] - [regress/unittests/sshkey/testdata/rsa1_1.param.n] - [regress/unittests/sshkey/testdata/rsa1_1.pub] - [regress/unittests/sshkey/testdata/rsa1_1_pw] - [regress/unittests/sshkey/testdata/rsa1_2] - [regress/unittests/sshkey/testdata/rsa1_2.fp] - [regress/unittests/sshkey/testdata/rsa1_2.fp.bb] - [regress/unittests/sshkey/testdata/rsa1_2.param.n] - [regress/unittests/sshkey/testdata/rsa1_2.pub] - [regress/unittests/sshkey/testdata/rsa_1] - [regress/unittests/sshkey/testdata/rsa_1-cert.fp] - [regress/unittests/sshkey/testdata/rsa_1-cert.pub] - [regress/unittests/sshkey/testdata/rsa_1.fp] - [regress/unittests/sshkey/testdata/rsa_1.fp.bb] - [regress/unittests/sshkey/testdata/rsa_1.param.n] - [regress/unittests/sshkey/testdata/rsa_1.param.p] - [regress/unittests/sshkey/testdata/rsa_1.param.q] - [regress/unittests/sshkey/testdata/rsa_1.pub] - [regress/unittests/sshkey/testdata/rsa_1_pw] - [regress/unittests/sshkey/testdata/rsa_2] - [regress/unittests/sshkey/testdata/rsa_2.fp] - [regress/unittests/sshkey/testdata/rsa_2.fp.bb] - [regress/unittests/sshkey/testdata/rsa_2.param.n] - [regress/unittests/sshkey/testdata/rsa_2.param.p] - [regress/unittests/sshkey/testdata/rsa_2.param.q] - [regress/unittests/sshkey/testdata/rsa_2.pub] - [regress/unittests/sshkey/testdata/rsa_n] - [regress/unittests/sshkey/testdata/rsa_n_pw] - unit and fuzz tests for new key API + - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC -commit c1dc24b71f087f385b92652b9673f52af64e0428 +commit c5089ecaec3b2c02f014f4e67518390702a4ba14 Author: Damien Miller -Date: Wed Jul 2 17:02:03 2014 +1000 +Date: Wed Aug 20 11:06:20 2014 +1000 - - djm@cvs.openbsd.org 2014/06/24 01:04:43 - [regress/krl.sh] - regress test for broken consecutive revoked serial number ranges + - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than + -L/-l; fixes linking problems on some platforms -commit 43d3ed2dd3feca6d0326c7dc82588d2faa115e92 +commit 2195847e503a382f83ee969b0a8bd3dfe0e55c18 Author: Damien Miller -Date: Wed Jul 2 17:01:08 2014 +1000 +Date: Wed Aug 20 11:05:03 2014 +1000 - - djm@cvs.openbsd.org 2014/05/21 07:04:21 - [regress/integrity.sh] - when failing because of unexpected output, show the offending output + - (djm) [configure.ac] Check OpenSSL version is supported at configure time; + suggested by Kevin Brott -commit 5a96707ffc8d227c2e7d94fa6b0317f8a152cf4e +commit a75aca1bbc989aa9f8b1b08489d37855f3d24d1a Author: Damien Miller -Date: Wed Jul 2 15:38:05 2014 +1000 +Date: Tue Aug 19 11:36:07 2014 +1000 - - djm@cvs.openbsd.org 2014/04/30 05:32:00 - [regress/Makefile] - unit tests for new buffer API; including basic fuzz testing - NB. Id sync only. + - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README] + [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions + of TCP wrappers. -commit 3ff92ba756aee48e4ae3e0aeff7293517b3dd185 +commit 3f022b5a9477abceeb1bbeab04b055f3cc7ca8f6 Author: Damien Miller -Date: Wed Jul 2 15:33:09 2014 +1000 +Date: Tue Aug 19 11:32:34 2014 +1000 - - djm@cvs.openbsd.org 2014/06/30 12:54:39 - [key.c] - suppress spurious error message when loading key with a passphrase; - reported by kettenis@ ok markus@ - - djm@cvs.openbsd.org 2014/07/02 04:59:06 - [cipher-3des1.c] - fix ssh protocol 1 on the server that regressed with the sshkey change - (sometimes fatal() after auth completed), make file return useful status - codes. - NB. Id sync only for these two. They were bundled into the sshkey merge - above, since it was easier to sync the entire file and then apply - portable-specific changed atop it. + - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG -commit ec3d0e24a1e46873d80507f5cd8ee6d0d03ac5dc +commit 88137902632aceb923990e98cf5dc923bb3ef2f5 Author: Damien Miller -Date: Wed Jul 2 15:30:00 2014 +1000 +Date: Tue Aug 19 11:28:11 2014 +1000 - - markus@cvs.openbsd.org 2014/06/27 18:50:39 - [ssh-add.c] - fix loading of private keys + - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC. -commit 4b3ed647d5b328cf68e6a8ffbee490d8e0683e82 +commit 2f3d1e7fb2eabd3cfbfd8d0f7bdd2f9a1888690b Author: Damien Miller -Date: Wed Jul 2 15:29:40 2014 +1000 +Date: Tue Aug 19 11:14:36 2014 +1000 - - markus@cvs.openbsd.org 2014/06/27 16:41:56 - [channels.c channels.h clientloop.c ssh.c] - fix remote fwding with same listen port but different listen address - with gerhard@, ok djm@ + - (djm) [myproposal.h] Make curve25519 KEX dependent on + HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC. -commit 9e01ff28664921ce9b6500681333e42fb133b4d0 +commit d4e7d59d01a6c7f59e8c1f94a83c086e9a33d8aa Author: Damien Miller -Date: Wed Jul 2 15:29:21 2014 +1000 +Date: Tue Aug 19 11:14:17 2014 +1000 - - deraadt@cvs.openbsd.org 2014/06/25 14:16:09 - [sshbuf.c] - unblock SIGSEGV before raising it - ok djm + - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen -commit 1845fe6bda0729e52f4c645137f4fc3070b5438a +commit 9eaeea2cf2b6af5f166cfa9ad3c7a90711a147a9 Author: Damien Miller -Date: Wed Jul 2 15:29:01 2014 +1000 +Date: Sun Aug 10 11:35:05 2014 +1000 - - djm@cvs.openbsd.org 2014/06/24 02:21:01 - [scp.c] - when copying local->remote fails during read, don't send uninitialised - heap to the remote end. Reported by Jann Horn + - (djm) [README contrib/caldera/openssh.spec] + [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions -commit 19439e9a2a0ac0b4b3b1210e89695418beb1c883 +commit f8988fbef0c9801d19fa2f8f4f041690412bec37 Author: Damien Miller -Date: Wed Jul 2 15:28:40 2014 +1000 +Date: Fri Aug 1 13:31:52 2014 +1000 - - djm@cvs.openbsd.org 2014/06/24 02:19:48 - [ssh.c] - don't fatal() when hostname canonicalisation fails with a - ProxyCommand in use; continue and allow the ProxyCommand to - connect anyway (e.g. to a host with a name outside the DNS - behind a bastion) + - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate + nc from stdin, it's more portable -commit 8668706d0f52654fe64c0ca41a96113aeab8d2b8 +commit 5b3879fd4b7a4e3d43bab8f40addda39bc1169d0 Author: Damien Miller -Date: Wed Jul 2 15:28:02 2014 +1000 +Date: Fri Aug 1 12:28:31 2014 +1000 - - djm@cvs.openbsd.org 2014/06/24 01:13:21 - [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c - [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c - [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h - [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h - [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h - [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c - [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c - [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c - [sshconnect2.c sshd.c sshkey.c sshkey.h - [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] - New key API: refactor key-related functions to be more library-like, - existing API is offered as a set of wrappers. - - with and ok markus@ - - Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew - Dempsky and Ron Bowes for a detailed review a few months ago. - - NB. This commit also removes portable OpenSSH support for OpenSSL - <0.9.8e. + - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin + is closed; avoid regress failures when stdin is /dev/null -commit 2cd7929250cf9e9f658d70dcd452f529ba08c942 +commit a9c46746d266f8a1b092a72b2150682d1af8ebfc Author: Damien Miller -Date: Wed Jul 2 12:48:30 2014 +1000 +Date: Fri Aug 1 12:26:49 2014 +1000 - - djm@cvs.openbsd.org 2014/06/24 00:52:02 - [krl.c] - fix bug in KRL generation: multiple consecutive revoked certificate - serial number ranges could be serialised to an invalid format. - - Readers of a broken KRL caused by this bug will fail closed, so no - should-have-been-revoked key will be accepted. + - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need + a better solution, but this will have to do for now. -commit 99db840ee8dbbd2b3fbc6c45d0ee2f6a65e96898 +commit 426117b2e965e43f47015942b5be8dd88fe74b88 Author: Damien Miller -Date: Wed Jul 2 12:48:04 2014 +1000 +Date: Wed Jul 30 12:33:20 2014 +1000 - - naddy@cvs.openbsd.org 2014/06/18 15:42:09 - [sshbuf-getput-crypto.c] - The ssh_get_bignum functions must accept the same range of bignums - the corresponding ssh_put_bignum functions create. This fixes the - use of 16384-bit RSA keys (bug reported by Eivind Evensen). - ok djm@ + - schwarze@cvs.openbsd.org 2014/07/28 15:40:08 + [sftp-server.8 sshd_config.5] + some systems no longer need /dev/log; + issue noticed by jirib; + ok deraadt -commit 84a89161a9629239b64171ef3e22ef6a3e462d51 +commit f497794b6962eaf802ab4ac2a7b22ae591cca1d5 Author: Damien Miller -Date: Wed Jul 2 12:47:48 2014 +1000 +Date: Wed Jul 30 12:32:46 2014 +1000 - - matthew@cvs.openbsd.org 2014/06/18 02:59:13 - [sandbox-systrace.c] - Now that we have a dedicated getentropy(2) system call for - arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace - sandbox. - - ok djm + - dtucker@cvs.openbsd.org 2014/07/25 21:22:03 + [ssh-agent.c] + Clear buffer used for handling messages. This prevents keys being + left in memory after they have been expired or deleted in some cases + (but note that ssh-agent is setgid so you would still need root to + access them). Pointed out by Kevin Burns, ok deraadt -commit 51504ceec627c0ad57b9f75585c7b3d277f326be +commit a8a0f65c57c8ecba94d65948e9090da54014dfef Author: Damien Miller -Date: Wed Jul 2 12:47:25 2014 +1000 +Date: Wed Jul 30 12:32:28 2014 +1000 - - deraadt@cvs.openbsd.org 2014/06/13 08:26:29 - [sandbox-systrace.c] - permit SYS_getentropy - from matthew + - OpenBSD CVS Sync + - millert@cvs.openbsd.org 2014/07/24 22:57:10 + [ssh.1] + Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@ -commit a261b8df59117f7dc52abb3a34b35a40c2c9fa88 -Author: Tim Rice -Date: Wed Jun 18 16:17:28 2014 -0700 +commit 56b840f2b81e14a2f95c203403633a72566736f8 +Author: Damien Miller +Date: Fri Jul 25 08:11:30 2014 +1000 - - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare + - (djm) [regress/multiplex.sh] restore incorrectly deleted line; + pointed out by Christian Hesse -commit 316fac6f18f87262a315c79bcf68b9f92c9337e4 +commit dd417b60d5ca220565d1014e92b7f8f43dc081eb Author: Darren Tucker -Date: Tue Jun 17 23:06:07 2014 +1000 +Date: Wed Jul 23 10:41:21 2014 +1000 - - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h} - openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] - Move the OpenSSL header/library version test into its own function and add - tests for it. Fix it to allow fix version upgrades (but not downgrades). - Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). - ok djm@ chl@ + - dtucker@cvs.openbsd.org 2014/07/22 23:35:38 + [regress/unittests/sshkey/testdata/*] + Regenerate test keys with certs signed with ed25519 instead of ecdsa. + These can be used in -portable on platforms that don't support ECDSA. -commit af665bb7b092a59104db1e65577851cf35b86e32 +commit 40e50211896369dba8f64f3b5e5fd58b76f5ac3f Author: Darren Tucker -Date: Mon Jun 16 22:50:55 2014 +1000 +Date: Wed Jul 23 10:35:45 2014 +1000 - - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via - OpenSMTPD and chl@ + - dtucker@cvs.openbsd.org 2014/07/22 23:57:40 + [regress/unittests/sshkey/mktestdata.sh] + Add $OpenBSD tag to make syncs easier -commit f9696566fb41320820f3b257ab564fa321bb3751 +commit 07e644251e809b1d4c062cf85bd1146a7e3f5a8a Author: Darren Tucker -Date: Fri Jun 13 11:06:04 2014 +1000 +Date: Wed Jul 23 10:34:26 2014 +1000 - - (dtucker) [configure.ac] Remove tcpwrappers support, support has already - been removed from sshd.c. + - dtucker@cvs.openbsd.org 2014/07/22 23:23:22 + [regress/unittests/sshkey/mktestdata.sh] + Sign test certs with ed25519 instead of ecdsa so that they'll work in + -portable on platforms that don't have ECDSA in their OpenSSL. ok djm -commit 5e2b8894b0b24af4ad0a2f7aa33ebf255df7a8bc -Author: Tim Rice -Date: Wed Jun 11 18:31:10 2014 -0700 +commit cea099a7c4eaecb01b001e5453bb4e5c25006c22 +Author: Darren Tucker +Date: Wed Jul 23 10:04:02 2014 +1000 - - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for - u_intXX_t types. + - djm@cvs.openbsd.org 2014/07/22 01:32:12 + [regress/multiplex.sh] + change the test for still-open Unix domain sockets to be robust against + nc implementations that produce error messages. from -portable + (Id sync only) -commit 985ee2cbc3e43bc65827c3c0d4df3faa99160c37 +commit 31eb78078d349b32ea41952ecc944b3ad6cb0d45 Author: Darren Tucker -Date: Thu Jun 12 05:32:29 2014 +1000 +Date: Wed Jul 23 09:43:42 2014 +1000 - - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*] - Wrap stdlib.h include an ifdef for platforms that don't have it. + - guenther@cvs.openbsd.org 2014/07/22 07:13:42 + [umac.c] + Convert from to the shiney new + ok dtucker@, who also confirmed that -portable handles this already + (ID sync only, includes.h pulls in endian.h if available.) -commit cf5392c2db2bb1dbef9818511d34056404436109 +commit 820763efef2d19d965602533036c2b4badc9d465 Author: Darren Tucker -Date: Thu Jun 12 05:22:49 2014 +1000 +Date: Wed Jul 23 09:40:46 2014 +1000 - - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from - openbsd-compat/bsd-asprintf.c. + - dtucker@cvs.openbsd.org 2014/07/22 01:18:50 + [key.c] + Prevent spam from key_load_private_pem during hostbased auth. ok djm@ -commit 58538d795e0b662f2f4e5a7193f1204bbe992ddd +commit c4ee219a66f3190fa96cbd45b4d11015685c6306 Author: Darren Tucker -Date: Wed Jun 11 13:39:24 2014 +1000 +Date: Wed Jul 23 04:27:50 2014 +1000 - - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for - compat stuff, specifically whether or not OpenSSL has ECC. + - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa- + specific tests inside OPENSSL_HAS_ECC. -commit eb012ac581fd0abc16ee86ee3a68cf07c8ce4d08 -Author: Darren Tucker -Date: Wed Jun 11 13:10:00 2014 +1000 +commit 04f4824940ea3edd60835416ececbae16438968a +Author: Damien Miller +Date: Tue Jul 22 11:31:47 2014 +1000 - - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an - assigment that might get optimized out. ok djm@ + - (djm) [regress/multiplex.sh] change the test for still-open Unix + domain sockets to be robust against nc implementations that produce + error messages. -commit b9609fd86c623d6d440e630f5f9a63295f7aea20 -Author: Darren Tucker -Date: Wed Jun 11 08:04:02 2014 +1000 +commit 5ea4fe00d55453aaa44007330bb4c3181bd9b796 +Author: Damien Miller +Date: Tue Jul 22 09:39:19 2014 +1000 - - (dtucker) [sshbuf.h] Only declare ECC functions if building without - OpenSSL or if OpenSSL has ECC. + - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow; + put it back -commit a54a040f66944c6e8913df8635a01a2327219be9 +commit 948a1774a79a85f9deba6d74db95f402dee32c69 Author: Darren Tucker -Date: Wed Jun 11 07:58:35 2014 +1000 +Date: Tue Jul 22 01:07:11 2014 +1000 - - dtucker@cvs.openbsd.org 2014/06/10 21:46:11 - [sshbuf.h] - Group ECC functions together to make things a little easier in -portable. - "doesn't bother me" deraadt@ + - (dtucker) [sshkey.c] ifdef out unused variable when compiling without + OPENSSL_HAS_ECC. -commit 9f92c53bad04a89067756be8198d4ec2d8a08875 +commit c8f610f6cc57ae129758052439d9baf13699097b +Author: Damien Miller +Date: Mon Jul 21 10:23:27 2014 +1000 + + - (djm) [regress/multiplex.sh] Not all netcat accept the -N option. + +commit 0e4e95566cd95c887f69272499b8f3880b3ec0f5 +Author: Damien Miller +Date: Mon Jul 21 09:52:54 2014 +1000 + + - millert@cvs.openbsd.org 2014/07/15 15:54:15 + [forwarding.sh multiplex.sh] + Add support for Unix domain socket forwarding. A remote TCP port + may be forwarded to a local Unix domain socket and vice versa or + both ends may be a Unix domain socket. This is a reimplementation + of the streamlocal patches by William Ahern from: + http://www.25thandclement.com/~william/projects/streamlocal.html + OK djm@ markus@ + +commit 93a87ab27ecdc709169fb24411133998f81e2761 Author: Darren Tucker -Date: Wed Jun 11 07:57:58 2014 +1000 +Date: Mon Jul 21 06:30:25 2014 +1000 - - djm@cvs.openbsd.org 2014/06/05 22:17:50 - [sshconnect2.c] - fix inverted test that caused PKCS#11 keys that were explicitly listed - not to be preferred. Reported by Dirk-Willem van Gulik + - (dtucker) [regress/unittests/sshkey/ + {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in + ifdefs. -commit 15c254a25394f96643da2ad0f674acdc51e89856 +commit 5573171352ea23df2dc6d2fe0324d023b7ba697c Author: Darren Tucker -Date: Wed Jun 11 07:38:49 2014 +1000 +Date: Mon Jul 21 02:24:59 2014 +1000 - - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef - ECC variable too. + - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits + needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm -commit d7af0cc5bf273eeed0897a99420bc26841d07d8f +commit 74e28682711d005026c7c8f15f96aea9d3c8b5a3 +Author: Tim Rice +Date: Fri Jul 18 20:00:11 2014 -0700 + + - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used + in servconf.h. + +commit d1a0421f8e5e933fee6fb58ee6b9a22c63c8a613 Author: Darren Tucker -Date: Wed Jun 11 07:37:25 2014 +1000 +Date: Sat Jul 19 07:23:55 2014 +1000 - - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in - the proposal if the version of OpenSSL we're using doesn't support ECC. + - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC. -commit 67508ac2563c33d582be181a3e777c65f549d22f +commit f0fe9ea1be62227c130b317769de3d1e736b6dc1 Author: Darren Tucker -Date: Wed Jun 11 06:27:16 2014 +1000 +Date: Sat Jul 19 06:33:12 2014 +1000 - - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c - regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256 - curve tests if OpenSSL has them. + - (dtucker) [Makefile.in] Add a t-exec target to run just the executable + tests. -commit 6482d90a65459a88c18c925368525855832272b3 -Author: Damien Miller -Date: Tue May 27 14:34:42 2014 +1000 +commit 450bc1180d4b061434a4b733c5c8814fa30b022b +Author: Darren Tucker +Date: Sat Jul 19 06:23:18 2014 +1000 - - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c] - [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege - separation user at runtime, since it may need to be a domain account. - Patch from Corinna Vinschen. + - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used + in servconf.h. -commit f9eb5e0734f7a7f6e975809eb54684d2a06a7ffc +commit ab2ec586baad122ed169285c31927ccf58bc7b28 Author: Damien Miller -Date: Tue May 27 14:31:58 2014 +1000 +Date: Fri Jul 18 15:04:47 2014 +1000 - - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config - from Corinna Vinschen, fixing a number of bugs and preparing for - Cygwin 1.7.30. + - djm@cvs.openbsd.org 2014/07/18 02:46:01 + [ssh-agent.c] + restore umask around listener socket creation (dropped in streamlocal patch + merge) -commit eae88744662e6b149f43ef071657727f1a157d95 +commit 357610d15946381ae90c271837dcdd0cdce7145f Author: Damien Miller -Date: Tue May 27 14:27:02 2014 +1000 +Date: Fri Jul 18 15:04:10 2014 +1000 - - (djm) [cipher.c] Fix merge botch. + - djm@cvs.openbsd.org 2014/07/17 07:22:19 + [mux.c ssh.c] + reflect stdio-forward ("ssh -W host:port ...") failures in exit status. + previously we were always returning 0. bz#2255 reported by Brendan + Germain; ok dtucker -commit 564b5e253c1d95c26a00e8288f0089a2571661c3 +commit dad9a4a0b7c2b5d78605f8df28718f116524134e Author: Damien Miller -Date: Thu May 22 08:23:59 2014 +1000 +Date: Fri Jul 18 15:03:49 2014 +1000 - - (djm) [Makefile.in] typo in path + - djm@cvs.openbsd.org 2014/07/17 00:12:03 + [key.c] + silence "incorrect passphrase" error spam; reported and ok dtucker@ -commit e84d10302aeaf7a1acb05c451f8718143656856a +commit f42f7684ecbeec6ce50e0310f80b3d6da2aaf533 Author: Damien Miller -Date: Wed May 21 17:13:36 2014 +1000 +Date: Fri Jul 18 15:03:27 2014 +1000 - revert a diff I didn't mean to commit + - djm@cvs.openbsd.org 2014/07/17 00:10:18 + [mux.c] + preserve errno across syscall -commit 795b86313f1f1aab9691666c4f2d5dae6e4acd50 +commit 1b83320628cb0733e3688b85bfe4d388a7c51909 Author: Damien Miller -Date: Wed May 21 17:12:53 2014 +1000 +Date: Fri Jul 18 15:03:02 2014 +1000 - - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC - when it is available. It takes into account time spent suspended, - thereby ensuring timeouts (e.g. for expiring agent keys) fire - correctly. bz#2228 reported by John Haxby + - djm@cvs.openbsd.org 2014/07/17 00:10:56 + [sandbox-systrace.c] + ifdef SYS_sendsyslog so this will compile without patching on -stable -commit 18912775cb97c0b1e75e838d3c7d4b56648137b5 +commit 6d57656331bcd754d912950e4a18ad259d596e61 Author: Damien Miller -Date: Wed May 21 17:06:46 2014 +1000 +Date: Fri Jul 18 15:02:06 2014 +1000 - - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use - vhangup on Linux. It doens't work for non-root users, and for them - it just messes up the tty settings. + - jmc@cvs.openbsd.org 2014/07/16 14:48:57 + [ssh.1] + add the streamlocal* options to ssh's -o list; millert says they're + irrelevant for scp/sftp; + + ok markus millert -commit 7f1c264d3049cd95234e91970ccb5406e1d15b27 +commit 7acefbbcbeab725420ea07397ae35992f505f702 Author: Damien Miller -Date: Thu May 15 18:01:52 2014 +1000 +Date: Fri Jul 18 14:11:24 2014 +1000 - - (djm) [sshbuf.c] need __predict_false + - millert@cvs.openbsd.org 2014/07/15 15:54:14 + [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] + [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] + [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] + [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] + [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] + [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] + [sshd_config.5 sshlogin.c] + Add support for Unix domain socket forwarding. A remote TCP port + may be forwarded to a local Unix domain socket and vice versa or + both ends may be a Unix domain socket. This is a reimplementation + of the streamlocal patches by William Ahern from: + http://www.25thandclement.com/~william/projects/streamlocal.html + OK djm@ markus@ -commit e7429f2be8643e1100380a8a7389d85cc286c8fe +commit 6262d760e00714523633bd989d62e273a3dca99a Author: Damien Miller -Date: Thu May 15 18:01:01 2014 +1000 +Date: Thu Jul 17 09:52:07 2014 +1000 - - (djm) [regress/Makefile Makefile.in] - [regress/unittests/sshbuf/test_sshbuf.c - [regress/unittests/sshbuf/test_sshbuf_fixed.c] - [regress/unittests/sshbuf/test_sshbuf_fuzz.c] - [regress/unittests/sshbuf/test_sshbuf_getput_basic.c] - [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] - [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] - [regress/unittests/sshbuf/test_sshbuf_misc.c] - [regress/unittests/sshbuf/tests.c] - [regress/unittests/test_helper/fuzz.c] - [regress/unittests/test_helper/test_helper.c] - Hook new unit tests into the build and "make tests" + - tedu@cvs.openbsd.org 2014/07/11 13:54:34 + [myproposal.h] + by popular demand, add back hamc-sha1 to server proposal for better compat + with many clients still in use. ok deraadt -commit def1de086707b0e6b046fe7e115c60aca0227a99 +commit 9d69d937b46ecba17f16d923e538ceda7b705c7a Author: Damien Miller -Date: Thu May 15 15:17:15 2014 +1000 +Date: Thu Jul 17 09:49:37 2014 +1000 - - (djm) [regress/unittests/Makefile] - [regress/unittests/Makefile.inc] - [regress/unittests/sshbuf/Makefile] - [regress/unittests/sshbuf/test_sshbuf.c] - [regress/unittests/sshbuf/test_sshbuf_fixed.c] - [regress/unittests/sshbuf/test_sshbuf_fuzz.c] - [regress/unittests/sshbuf/test_sshbuf_getput_basic.c] - [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] - [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] - [regress/unittests/sshbuf/test_sshbuf_misc.c] - [regress/unittests/sshbuf/tests.c] - [regress/unittests/test_helper/Makefile] - [regress/unittests/test_helper/fuzz.c] - [regress/unittests/test_helper/test_helper.c] - [regress/unittests/test_helper/test_helper.h] - Import new unit tests from OpenBSD; not yet hooked up to build. + - deraadt@cvs.openbsd.org 2014/07/11 08:09:54 + [sandbox-systrace.c] + Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking, + update your kernels and sshd soon.. libc will start using sendsyslog() + in about 4 days. -commit 167685756fde8bc213a8df2c8e1848e312db0f46 +commit f6293a0b4129826fc2e37e4062f96825df43c326 Author: Damien Miller -Date: Thu May 15 15:08:40 2014 +1000 +Date: Thu Jul 17 09:01:25 2014 +1000 - - logan@cvs.openbsd.org 2014/05/04 10:40:59 - [connect-privsep.sh] - Remove the Z flag from the list of malloc options as it - was removed from malloc.c 10 days ago. - - OK from miod@ + - (djm) [digest-openssl.c] Preserve array order when disabling digests. + Reported by Petr Lautrbach. -commit d0b69fe90466920d69c96069312e24b581771bd7 +commit 00f9cd230709c04399ef5ff80492d70a55230694 Author: Damien Miller -Date: Thu May 15 15:08:19 2014 +1000 +Date: Tue Jul 15 10:41:38 2014 +1000 - - dtucker@cvs.openbsd.org 2014/05/03 18:46:14 - [proxy-connect.sh] - Add tests for with and without compression, with and without privsep. + - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto + has been located; fixes builds agains libressl-portable -commit edb1af50441d19fb2dd9ccb4d75bf14473fca584 +commit 1d0df3249c87019556b83306c28d4769375c2edc Author: Damien Miller -Date: Thu May 15 15:07:53 2014 +1000 +Date: Fri Jul 11 09:19:04 2014 +1000 - - djm@cvs.openbsd.org 2014/04/21 22:15:37 - [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh] - repair regress tests broken by server-side default cipher/kex/mac changes - by ensuring that the option under test is included in the server's - algorithm list + - OpenBSD CVS Sync + - benno@cvs.openbsd.org 2014/07/09 14:15:56 + [ssh-add.c] + fix ssh-add crash while loading more than one key + ok markus@ -commit 54343e95c70994695f8842fb22836321350198d3 +commit 7a57eb3d105aa4ced15fb47001092c58811e6d9d Author: Damien Miller -Date: Thu May 15 15:07:33 2014 +1000 +Date: Wed Jul 9 13:22:31 2014 +1000 - - djm@cvs.openbsd.org 2014/03/13 20:44:49 - [login-timeout.sh] - this test is a sorry mess of race conditions; add another sleep - to avoid a failure on slow machines (at least until I find a - better way) + - djm@cvs.openbsd.org 2014/07/07 08:15:26 + [multiplex.sh] + remove forced-fatal that I stuck in there to test the new cleanup + logic and forgot to remove... -commit e5b9f0f2ee6e133894307e44e862b66426990733 +commit 612f965239a30fe536b11ece1834d9f470aeb029 Author: Damien Miller -Date: Thu May 15 14:58:07 2014 +1000 +Date: Wed Jul 9 13:22:03 2014 +1000 - - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c] - [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes + - djm@cvs.openbsd.org 2014/07/06 07:42:03 + [multiplex.sh test-exec.sh] + add a hook to the cleanup() function to kill $SSH_PID if it is set + + use it to kill the mux master started in multiplex.sh (it was being left + around on fatal failures) -commit b9c566788a9ebd6a9d466f47a532124f111f0542 +commit d0bb950485ba121e43a77caf434115ed6417b46f Author: Damien Miller -Date: Thu May 15 14:43:37 2014 +1000 +Date: Wed Jul 9 13:07:28 2014 +1000 - - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write - portability glue to support building without libcrypto + - djm@cvs.openbsd.org 2014/07/09 03:02:15 + [key.c] + downgrade more error() to debug() to better match what old authfile.c + did; suppresses spurious errors with hostbased authentication enabled -commit 3dc27178b42234b653a32f7a87292d7994045ee3 +commit 0070776a038655c57f57e70cd05e4c38a5de9d84 Author: Damien Miller -Date: Thu May 15 14:37:59 2014 +1000 +Date: Wed Jul 9 13:07:06 2014 +1000 - - logan@cvs.openbsd.org 2014/05/05 07:02:30 + - djm@cvs.openbsd.org 2014/07/09 01:45:10 [sftp.c] - Zap extra whitespace. - - OK from djm@ and dtucker@ + more useful error message when GLOB_NOSPACE occurs; + bz#2254, patch from Orion Poplawski -commit c31a0cd5b31961f01c5b731f62a6cb9d4f767472 +commit 079bac2a43c74ef7cf56850afbab3b1932534c50 Author: Damien Miller -Date: Thu May 15 14:37:39 2014 +1000 +Date: Wed Jul 9 13:06:25 2014 +1000 - - markus@cvs.openbsd.org 2014/05/03 17:20:34 - [monitor.c packet.c packet.h] - unbreak compression, by re-init-ing the compression code in the - post-auth child. the new buffer code is more strict, and requires - buffer_init() while the old code was happy after a bzero(); - originally from djm@ + - djm@cvs.openbsd.org 2014/07/07 08:19:12 + [ssh_config.5] + mention that ProxyCommand is executed using shell "exec" to avoid + a lingering process; bz#1977 -commit 686c7d9ee6f44b2be4128d7860b6b37adaeba733 +commit 3a48cc090096cf99b9de592deb5f90e444edebfb Author: Damien Miller -Date: Thu May 15 14:37:03 2014 +1000 +Date: Sun Jul 6 09:32:49 2014 +1000 - - djm@cvs.openbsd.org 2014/05/02 03:27:54 - [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c] - [misc.h poly1305.h ssh-pkcs11.c defines.h] - revert __bounded change; it causes way more problems for portable than - it solves; pointed out by dtucker@ + - djm@cvs.openbsd.org 2014/07/05 23:11:48 + [channels.c] + fix remote-forward cancel regression; ok markus@ -commit 294c58a007cfb2f3bddc4fc3217e255857ffb9bf +commit 48bae3a38cb578713e676708164f6e7151cc64fa Author: Damien Miller -Date: Thu May 15 14:35:03 2014 +1000 +Date: Sun Jul 6 09:27:06 2014 +1000 - - naddy@cvs.openbsd.org 2014/04/30 19:07:48 - [mac.c myproposal.h umac.c] - UMAC can use our local fallback implementation of AES when OpenSSL isn't - available. Glue code straight from Ted Krovetz's original umac.c. - ok markus@ + - djm@cvs.openbsd.org 2014/07/03 23:18:35 + [authfile.h] + remove leakmalloc droppings -commit 05e82c3b963c33048128baf72a6f6b3a1c10b4c1 +commit 72e6b5c9ed5e72ca3a6ccc3177941b7c487a0826 Author: Damien Miller -Date: Thu May 15 14:33:43 2014 +1000 +Date: Fri Jul 4 09:00:04 2014 +1000 - - djm@cvs.openbsd.org 2014/04/30 05:29:56 - [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c] - [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c] - [ssherr.h] - New buffer API; the first installment of the conversion/replacement - of OpenSSH's internals to make them usable as a standalone library. - - This includes a set of wrappers to make it compatible with the - existing buffer API so replacement can occur incrementally. - - With and ok markus@ - - Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew - Dempsky and Ron Bowes for a detailed review. + - djm@cvs.openbsd.org 2014/07/03 22:40:43 + [servconf.c servconf.h session.c sshd.8 sshd_config.5] + Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is + executed, mirroring the no-user-rc authorized_keys option; + bz#2160; ok markus@ -commit 380948180f847a26f2d0c85b4dad3dca2ed2fd8b +commit 602943d1179a08dfa70af94f62296ea5e3d6ebb8 Author: Damien Miller -Date: Thu May 15 14:25:18 2014 +1000 +Date: Fri Jul 4 08:59:41 2014 +1000 - - dtucker@cvs.openbsd.org 2014/04/29 20:36:51 - [sftp.c] - Don't attempt to append a nul quote char to the filename. Should prevent - fatal'ing with "el_insertstr failed" when there's a single quote char - somewhere in the string. bz#2238, ok markus@ + - djm@cvs.openbsd.org 2014/07/03 22:33:41 + [channels.c] + allow explicit ::1 and 127.0.0.1 forwarding bind addresses when + GatewayPorts=no; allows client to choose address family; + bz#2222 ok markus@ -commit d7fd8bedd4619a2ec7fd02aae4c4e1db4431ad9f +commit 6b37fbb7921d156b31e2c8f39d9e1b6746c34983 Author: Damien Miller -Date: Thu May 15 14:24:59 2014 +1000 +Date: Fri Jul 4 08:59:24 2014 +1000 - - dtucker@cvs.openbsd.org 2014/04/29 19:58:50 - [sftp.c] - Move nulling of variable next to where it's freed. ok markus@ + - djm@cvs.openbsd.org 2014/07/03 22:23:46 + [sshconnect.c] + when rekeying, skip file/DNS lookup if it is the same as the key sent + during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@ -commit 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14 +commit d2c3cd5f2e47ee24cf7093ce8e948c2e79dfc3fd Author: Damien Miller -Date: Thu May 15 14:24:09 2014 +1000 +Date: Fri Jul 4 08:59:01 2014 +1000 - - markus@cvs.openbsd.org 2014/04/29 18:01:49 - [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] - [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] - [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] - [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] - make compiling against OpenSSL optional (make OPENSSL=no); - reduces algorithms to curve25519, aes-ctr, chacha, ed25519; - allows us to explore further options; with and ok djm + - jsing@cvs.openbsd.org 2014/07/03 12:42:16 + [cipher-chachapoly.c] + Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this + makes it easier to verify that chacha_encrypt_bytes() is only called once + per chacha_ivsetup() call. + ok djm@ -commit c5893785564498cea73cb60d2cf199490483e080 +commit 686feb560ec43a06ba04da82b50f3c183c947309 Author: Damien Miller -Date: Thu May 15 13:48:49 2014 +1000 +Date: Thu Jul 3 21:29:38 2014 +1000 - - djm@cvs.openbsd.org 2014/04/29 13:10:30 - [clientloop.c serverloop.c] - bz#1818 - don't send channel success/failre replies on channels that - have sent a close already; analysis and patch from Simon Tatham; - ok markus@ + - djm@cvs.openbsd.org 2014/07/03 11:16:55 + [auth.c auth.h auth1.c auth2.c] + make the "Too many authentication failures" message include the + user, source address, port and protocol in a format similar to the + authentication success / failure messages; bz#2199, ok dtucker -commit 633de33b192d808d87537834c316dc8b75fe1880 +commit 0f12341402e18fd9996ec23189b9418d2722453f Author: Damien Miller -Date: Thu May 15 13:48:26 2014 +1000 +Date: Thu Jul 3 21:28:09 2014 +1000 - - djm@cvs.openbsd.org 2014/04/28 03:09:18 - [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h] - [ssh-keygen.c] - buffer_get_string_ptr's return should be const to remind - callers that futzing with it will futz with the actual buffer - contents + - jmc@cvs.openbsd.org 2014/07/03 07:45:27 + [ssh_config.5] + escape %C since groff thinks it part of an Rs/Re block; -commit 15271907843e4ae50dcfc83b3594014cf5e9607b +commit 9c38643c5cd47a19db2cc28279dcc28abadc22b3 Author: Damien Miller -Date: Thu May 15 13:47:56 2014 +1000 +Date: Thu Jul 3 21:27:46 2014 +1000 - - djm@cvs.openbsd.org 2014/04/23 12:42:34 - [readconf.c] - don't record duplicate IdentityFiles + - djm@cvs.openbsd.org 2014/07/03 06:39:19 + [ssh.c ssh_config.5] + Add a %C escape sequence for LocalCommand and ControlPath that expands + to a unique identifer based on a has of the tuple of (local host, + remote user, hostname, port). + + Helps avoid exceeding sockaddr_un's miserly pathname limits for mux + control paths. + + bz#2220, based on patch from mancha1 AT zoho.com; ok markus@ -commit 798a02568b13a2e46efebd81f08c8f4bb33a6dc7 +commit 49d9bfe2b2f3e90cc158a215dffa7675e57e7830 Author: Damien Miller -Date: Thu May 15 13:47:37 2014 +1000 +Date: Thu Jul 3 21:26:42 2014 +1000 - - jmc@cvs.openbsd.org 2014/04/22 14:16:30 - [sftp.1] - zap eol whitespace; + - djm@cvs.openbsd.org 2014/07/03 05:38:17 + [ssh.1] + document that -g will only work in the multiplexed case if applied to + the mux master -commit d875ff78d2b8436807381051de112f0ebf9b9ae1 +commit ef9f13ba4c58057b2166d1f2e790535da402fbe5 Author: Damien Miller -Date: Thu May 15 13:47:15 2014 +1000 +Date: Thu Jul 3 21:26:21 2014 +1000 - - logan@cvs.openbsd.org 2014/04/22 12:42:04 - [sftp.1] - Document sftp upload resume. - OK from djm@, with feedback from okan@. + - djm@cvs.openbsd.org 2014/07/03 05:32:36 + [ssh_config.5] + mention '%%' escape sequence in HostName directives and how it may + be used to specify IPv6 link-local addresses -commit b15cd7bb097fd80dc99520f45290ef775da1ef19 +commit e6a407789e5432dd2e53336fb73476cc69048c54 Author: Damien Miller -Date: Thu May 15 13:46:52 2014 +1000 +Date: Thu Jul 3 21:25:03 2014 +1000 - - logan@cvs.openbsd.org 2014/04/22 10:07:12 - [sftp.c] - Sort the sftp command list. - OK from djm@ + - djm@cvs.openbsd.org 2014/07/03 04:36:45 + [digest.h] + forward-declare struct sshbuf so consumers don't need to include sshbuf.h -commit d8accc0aa72656ba63d50937165c5ae49db1dcd6 +commit 4a1d3d50f02d0a8a4ef95ea4749293cbfb89f919 Author: Damien Miller -Date: Thu May 15 13:46:25 2014 +1000 +Date: Thu Jul 3 21:24:40 2014 +1000 - - logan@cvs.openbsd.org 2014/04/21 14:36:16 - [sftp-client.c sftp-client.h sftp.c] - Implement sftp upload resume support. - OK from djm@, with input from guenther@, mlarkin@ and - okan@ + - djm@cvs.openbsd.org 2014/07/03 03:47:27 + [ssh-keygen.c] + When hashing or removing hosts using ssh-keygen, don't choke on + @revoked markers and don't remove @cert-authority markers; + bz#2241, reported by mlindgren AT runelind.net -commit 16cd3928a87d20c77b13592a74b60b08621d3ce6 +commit e5c0d52ceb575c3db8c313e0b1aa3845943d7ba8 Author: Damien Miller -Date: Thu May 15 13:45:58 2014 +1000 +Date: Thu Jul 3 21:24:19 2014 +1000 - - logan@cvs.openbsd.org 2014/04/20 09:24:26 - [dns.c dns.h ssh-keygen.c] - Add support for SSHFP DNS records for ED25519 key types. - OK from djm@ + - djm@cvs.openbsd.org 2014/07/03 03:34:09 + [gss-serv.c session.c ssh-keygen.c] + standardise on NI_MAXHOST for gethostname() string lengths; about + 1/2 the cases were using it already. Fixes bz#2239 en passant -commit ec0b67eb3b4e12f296ced1fafa01860c374f7eea +commit c174a3b7c14e0d178c61219de2aa1110e209950c Author: Damien Miller -Date: Thu May 15 13:45:26 2014 +1000 - - - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine - OpenBSD - -commit f028460d0b2e5a584355321015cde69bf6fd933e -Author: Darren Tucker -Date: Thu May 1 02:24:35 2014 +1000 +Date: Thu Jul 3 21:23:24 2014 +1000 - - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already - have it. Only attempt to use __attribute__(__bounded__) for gcc. + - djm@cvs.openbsd.org 2014/07/03 03:26:43 + [digest-openssl.c] + use EVP_Digest() for one-shot hash instead of creating, updating, + finalising and destroying a context. + bz#2231, based on patch from Timo Teras -commit b628cc4c3e4a842bab5e4584d18c2bc5fa4d0edf +commit d7ca2cd31ecc4d63a055e2dcc4bf35c13f2db4c5 Author: Damien Miller -Date: Sun Apr 20 13:33:58 2014 +1000 +Date: Thu Jul 3 21:23:01 2014 +1000 - - djm@cvs.openbsd.org 2014/04/20 02:49:32 - [compat.c] - add a canonical 6.6 + curve25519 bignum fix fake version that I can - recommend people use ahead of the openssh-6.7 release + - djm@cvs.openbsd.org 2014/07/03 03:15:01 + [ssh-add.c] + make stdout line-buffered; saves partial output getting lost when + ssh-add fatal()s part-way through (e.g. when listing keys from an + agent that supports key types that ssh-add doesn't); + bz#2234, reported by Phil Pennock -commit 888566913933a802f3a329ace123ebcb7154cf78 +commit b1e967c8d7c7578dd0c172d85b3046cf54ea42ba Author: Damien Miller -Date: Sun Apr 20 13:33:19 2014 +1000 +Date: Thu Jul 3 21:22:40 2014 +1000 - - djm@cvs.openbsd.org 2014/04/20 02:30:25 - [misc.c misc.h umac.c] - use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on - strict-alignment architectures; reported by and ok stsp@ + - djm@cvs.openbsd.org 2014/07/03 03:11:03 + [ssh-agent.c] + Only cleanup agent socket in the main agent process and not in any + subprocesses it may have started (e.g. forked askpass). Fixes + agent sockets being zapped when askpass processes fatal(); + bz#2236 patch from Dmitry V. Levin -commit 16f85cbc7e5139950e6a38317e7c8b368beafa5d +commit 61e28e55c3438d796b02ef878bcd28620d452670 Author: Damien Miller -Date: Sun Apr 20 13:29:28 2014 +1000 +Date: Thu Jul 3 21:22:22 2014 +1000 - - tedu@cvs.openbsd.org 2014/04/19 18:42:19 - [ssh.1] - delete .xr to hosts.equiv. there's still an unfortunate amount of - documentation referring to rhosts equivalency in here. + - djm@cvs.openbsd.org 2014/07/03 01:45:38 + [sshkey.c] + make Ed25519 keys' title fit properly in the randomart border; bz#2247 + based on patch from Christian Hesse -commit 69cb24b7356ec3f0fc5ff04a68f98f2c55c766f4 +commit 9eb4cd9a32c32d40d36450b68ed93badc6a94c68 Author: Damien Miller -Date: Sun Apr 20 13:29:06 2014 +1000 +Date: Thu Jul 3 13:29:50 2014 +1000 - - tedu@cvs.openbsd.org 2014/04/19 18:15:16 - [sshd.8] - remove some really old rsh references + - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist; + bz#2237 -commit 84c1e7bca8c4ceaccf4d5557e39a833585a3c77e +commit 8da0fa24934501909408327298097b1629b89eaa Author: Damien Miller -Date: Sun Apr 20 13:27:53 2014 +1000 +Date: Thu Jul 3 11:54:19 2014 +1000 - - tedu@cvs.openbsd.org 2014/04/19 14:53:48 - [ssh-keysign.c sshd.c] - Delete futile calls to RAND_seed. ok djm - NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon + - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto + doesn't support it. -commit 0e6b67423b8662f9ca4c92750309e144fd637ef1 +commit 81309c857dd0dbc0a1245a16d621c490ad48cfbb Author: Damien Miller -Date: Sun Apr 20 13:27:01 2014 +1000 +Date: Wed Jul 2 17:45:55 2014 +1000 - - djm@cvs.openbsd.org 2014/04/19 05:54:59 - [compat.c] - missing wildcard; pointed out by naddy@ + - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test -commit 9395b28223334826837c15e8c1bb4dfb3b0d2ca5 +commit 82b2482ce68654815ee049b9bf021bb362a35ff2 Author: Damien Miller -Date: Sun Apr 20 13:25:30 2014 +1000 +Date: Wed Jul 2 17:43:41 2014 +1000 - - djm@cvs.openbsd.org 2014/04/18 23:52:25 - [compat.c compat.h sshconnect2.c sshd.c version.h] - OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections - using the curve25519-sha256@libssh.org KEX exchange method to fail - when connecting with something that implements the spec properly. - - Disable this KEX method when speaking to one of the affected - versions. - - reported by Aris Adamantiadis; ok markus@ + - (djm) [sshkey.c] Conditionalise inclusion of util.h -commit 8c492da58f8ceb85cf5f7066f23e26fb813a963d +commit dd8b1dd7933eb6f5652641b0cdced34a387f2e80 Author: Damien Miller -Date: Sun Apr 20 13:25:09 2014 +1000 +Date: Wed Jul 2 17:38:31 2014 +1000 - - djm@cvs.openbsd.org 2014/04/16 23:28:12 - [ssh-agent.1] - remove the identity files from this manpage - ssh-agent doesn't deal - with them at all and the same information is duplicated in ssh-add.1 - (which does deal with them); prodded by deraadt@ + - djm@cvs.openbsd.org 2014/06/24 01:14:17 + [Makefile.in regress/Makefile regress/unittests/Makefile] + [regress/unittests/sshkey/Makefile] + [regress/unittests/sshkey/common.c] + [regress/unittests/sshkey/common.h] + [regress/unittests/sshkey/mktestdata.sh] + [regress/unittests/sshkey/test_file.c] + [regress/unittests/sshkey/test_fuzz.c] + [regress/unittests/sshkey/test_sshkey.c] + [regress/unittests/sshkey/tests.c] + [regress/unittests/sshkey/testdata/dsa_1] + [regress/unittests/sshkey/testdata/dsa_1-cert.fp] + [regress/unittests/sshkey/testdata/dsa_1-cert.pub] + [regress/unittests/sshkey/testdata/dsa_1.fp] + [regress/unittests/sshkey/testdata/dsa_1.fp.bb] + [regress/unittests/sshkey/testdata/dsa_1.param.g] + [regress/unittests/sshkey/testdata/dsa_1.param.priv] + [regress/unittests/sshkey/testdata/dsa_1.param.pub] + [regress/unittests/sshkey/testdata/dsa_1.pub] + [regress/unittests/sshkey/testdata/dsa_1_pw] + [regress/unittests/sshkey/testdata/dsa_2] + [regress/unittests/sshkey/testdata/dsa_2.fp] + [regress/unittests/sshkey/testdata/dsa_2.fp.bb] + [regress/unittests/sshkey/testdata/dsa_2.pub] + [regress/unittests/sshkey/testdata/dsa_n] + [regress/unittests/sshkey/testdata/dsa_n_pw] + [regress/unittests/sshkey/testdata/ecdsa_1] + [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp] + [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub] + [regress/unittests/sshkey/testdata/ecdsa_1.fp] + [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb] + [regress/unittests/sshkey/testdata/ecdsa_1.param.curve] + [regress/unittests/sshkey/testdata/ecdsa_1.param.priv] + [regress/unittests/sshkey/testdata/ecdsa_1.param.pub] + [regress/unittests/sshkey/testdata/ecdsa_1.pub] + [regress/unittests/sshkey/testdata/ecdsa_1_pw] + [regress/unittests/sshkey/testdata/ecdsa_2] + [regress/unittests/sshkey/testdata/ecdsa_2.fp] + [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb] + [regress/unittests/sshkey/testdata/ecdsa_2.param.curve] + [regress/unittests/sshkey/testdata/ecdsa_2.param.priv] + [regress/unittests/sshkey/testdata/ecdsa_2.param.pub] + [regress/unittests/sshkey/testdata/ecdsa_2.pub] + [regress/unittests/sshkey/testdata/ecdsa_n] + [regress/unittests/sshkey/testdata/ecdsa_n_pw] + [regress/unittests/sshkey/testdata/ed25519_1] + [regress/unittests/sshkey/testdata/ed25519_1-cert.fp] + [regress/unittests/sshkey/testdata/ed25519_1-cert.pub] + [regress/unittests/sshkey/testdata/ed25519_1.fp] + [regress/unittests/sshkey/testdata/ed25519_1.fp.bb] + [regress/unittests/sshkey/testdata/ed25519_1.pub] + [regress/unittests/sshkey/testdata/ed25519_1_pw] + [regress/unittests/sshkey/testdata/ed25519_2] + [regress/unittests/sshkey/testdata/ed25519_2.fp] + [regress/unittests/sshkey/testdata/ed25519_2.fp.bb] + [regress/unittests/sshkey/testdata/ed25519_2.pub] + [regress/unittests/sshkey/testdata/pw] + [regress/unittests/sshkey/testdata/rsa1_1] + [regress/unittests/sshkey/testdata/rsa1_1.fp] + [regress/unittests/sshkey/testdata/rsa1_1.fp.bb] + [regress/unittests/sshkey/testdata/rsa1_1.param.n] + [regress/unittests/sshkey/testdata/rsa1_1.pub] + [regress/unittests/sshkey/testdata/rsa1_1_pw] + [regress/unittests/sshkey/testdata/rsa1_2] + [regress/unittests/sshkey/testdata/rsa1_2.fp] + [regress/unittests/sshkey/testdata/rsa1_2.fp.bb] + [regress/unittests/sshkey/testdata/rsa1_2.param.n] + [regress/unittests/sshkey/testdata/rsa1_2.pub] + [regress/unittests/sshkey/testdata/rsa_1] + [regress/unittests/sshkey/testdata/rsa_1-cert.fp] + [regress/unittests/sshkey/testdata/rsa_1-cert.pub] + [regress/unittests/sshkey/testdata/rsa_1.fp] + [regress/unittests/sshkey/testdata/rsa_1.fp.bb] + [regress/unittests/sshkey/testdata/rsa_1.param.n] + [regress/unittests/sshkey/testdata/rsa_1.param.p] + [regress/unittests/sshkey/testdata/rsa_1.param.q] + [regress/unittests/sshkey/testdata/rsa_1.pub] + [regress/unittests/sshkey/testdata/rsa_1_pw] + [regress/unittests/sshkey/testdata/rsa_2] + [regress/unittests/sshkey/testdata/rsa_2.fp] + [regress/unittests/sshkey/testdata/rsa_2.fp.bb] + [regress/unittests/sshkey/testdata/rsa_2.param.n] + [regress/unittests/sshkey/testdata/rsa_2.param.p] + [regress/unittests/sshkey/testdata/rsa_2.param.q] + [regress/unittests/sshkey/testdata/rsa_2.pub] + [regress/unittests/sshkey/testdata/rsa_n] + [regress/unittests/sshkey/testdata/rsa_n_pw] + unit and fuzz tests for new key API -commit adbfdbbdccc70c9bd70d81ae096db115445c6e26 +commit c1dc24b71f087f385b92652b9673f52af64e0428 Author: Damien Miller -Date: Sun Apr 20 13:24:49 2014 +1000 +Date: Wed Jul 2 17:02:03 2014 +1000 - - djm@cvs.openbsd.org 2014/04/16 23:22:45 - [bufaux.c] - skip leading zero bytes in buffer_put_bignum2_from_string(); - reported by jan AT mojzis.com; ok markus@ + - djm@cvs.openbsd.org 2014/06/24 01:04:43 + [regress/krl.sh] + regress test for broken consecutive revoked serial number ranges -commit 75c62728dc87af6805696eeb520b9748faa136c8 +commit 43d3ed2dd3feca6d0326c7dc82588d2faa115e92 Author: Damien Miller -Date: Sun Apr 20 13:24:31 2014 +1000 +Date: Wed Jul 2 17:01:08 2014 +1000 - - djm@cvs.openbsd.org 2014/04/12 04:55:53 - [sshd.c] - avoid crash at exit: check that pmonitor!=NULL before dereferencing; - bz#2225, patch from kavi AT juniper.net + - djm@cvs.openbsd.org 2014/05/21 07:04:21 + [regress/integrity.sh] + when failing because of unexpected output, show the offending output -commit 2a328437fb1b0976f2f4522d8645803d5a5d0967 +commit 5a96707ffc8d227c2e7d94fa6b0317f8a152cf4e Author: Damien Miller -Date: Sun Apr 20 13:24:01 2014 +1000 +Date: Wed Jul 2 15:38:05 2014 +1000 - - djm@cvs.openbsd.org 2014/04/01 05:32:57 - [packet.c] - demote a debug3 to PACKET_DEBUG; ok markus@ + - djm@cvs.openbsd.org 2014/04/30 05:32:00 + [regress/Makefile] + unit tests for new buffer API; including basic fuzz testing + NB. Id sync only. -commit 7d6a9fb660c808882d064e152d6070ffc3844c3f +commit 3ff92ba756aee48e4ae3e0aeff7293517b3dd185 Author: Damien Miller -Date: Sun Apr 20 13:23:43 2014 +1000 +Date: Wed Jul 2 15:33:09 2014 +1000 - - djm@cvs.openbsd.org 2014/04/01 03:34:10 - [sshconnect.c] - When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any - certificate keys to plain keys and attempt SSHFP resolution. - - Prevents a server from skipping SSHFP lookup and forcing a new-hostkey - dialog by offering only certificate keys. - - Reported by mcv21 AT cam.ac.uk + - djm@cvs.openbsd.org 2014/06/30 12:54:39 + [key.c] + suppress spurious error message when loading key with a passphrase; + reported by kettenis@ ok markus@ + - djm@cvs.openbsd.org 2014/07/02 04:59:06 + [cipher-3des1.c] + fix ssh protocol 1 on the server that regressed with the sshkey change + (sometimes fatal() after auth completed), make file return useful status + codes. + NB. Id sync only for these two. They were bundled into the sshkey merge + above, since it was easier to sync the entire file and then apply + portable-specific changed atop it. -commit fcd62c0b66b8415405ed0af29c236329eb88cc0f +commit ec3d0e24a1e46873d80507f5cd8ee6d0d03ac5dc Author: Damien Miller -Date: Sun Apr 20 13:23:21 2014 +1000 +Date: Wed Jul 2 15:30:00 2014 +1000 - - djm@cvs.openbsd.org 2014/04/01 02:05:27 - [ssh-keysign.c] - include fingerprint of key not found - use arc4random_buf() instead of loop+arc4random() + - markus@cvs.openbsd.org 2014/06/27 18:50:39 + [ssh-add.c] + fix loading of private keys -commit 43b156cf72f900f88065b0a1c1ebd09ab733ca46 +commit 4b3ed647d5b328cf68e6a8ffbee490d8e0683e82 Author: Damien Miller -Date: Sun Apr 20 13:23:03 2014 +1000 +Date: Wed Jul 2 15:29:40 2014 +1000 - - jmc@cvs.openbsd.org 2014/03/31 13:39:34 - [ssh-keygen.1] - the text for the -K option was inserted in the wrong place in -r1.108; - fix From: Matthew Clarke + - markus@cvs.openbsd.org 2014/06/27 16:41:56 + [channels.c channels.h clientloop.c ssh.c] + fix remote fwding with same listen port but different listen address + with gerhard@, ok djm@ -commit c1621c84f2dc1279065ab9fde2aa9327af418900 +commit 9e01ff28664921ce9b6500681333e42fb133b4d0 Author: Damien Miller -Date: Sun Apr 20 13:22:46 2014 +1000 +Date: Wed Jul 2 15:29:21 2014 +1000 - - naddy@cvs.openbsd.org 2014/03/28 05:17:11 - [ssh_config.5 sshd_config.5] - sync available and default algorithms, improve algorithm list formatting - help from jmc@ and schwarze@, ok deraadt@ + - deraadt@cvs.openbsd.org 2014/06/25 14:16:09 + [sshbuf.c] + unblock SIGSEGV before raising it + ok djm -commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 +commit 1845fe6bda0729e52f4c645137f4fc3070b5438a Author: Damien Miller -Date: Sun Apr 20 13:22:18 2014 +1000 +Date: Wed Jul 2 15:29:01 2014 +1000 - - tedu@cvs.openbsd.org 2014/03/26 19:58:37 - [sshd.8 sshd.c] - remove libwrap support. ok deraadt djm mfriedl + - djm@cvs.openbsd.org 2014/06/24 02:21:01 + [scp.c] + when copying local->remote fails during read, don't send uninitialised + heap to the remote end. Reported by Jann Horn -commit 4f40209aa4060b9c066a2f0d9332ace7b8dfb391 +commit 19439e9a2a0ac0b4b3b1210e89695418beb1c883 Author: Damien Miller -Date: Sun Apr 20 13:21:22 2014 +1000 +Date: Wed Jul 2 15:28:40 2014 +1000 - - djm@cvs.openbsd.org 2014/03/26 04:55:35 - [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c - [misc.h poly1305.h ssh-pkcs11.c] - use __bounded(...) attribute recently added to sys/cdefs.h instead of - longform __attribute__(__bounded(...)); - - for brevity and a warning free compilation with llvm/clang + - djm@cvs.openbsd.org 2014/06/24 02:19:48 + [ssh.c] + don't fatal() when hostname canonicalisation fails with a + ProxyCommand in use; continue and allow the ProxyCommand to + connect anyway (e.g. to a host with a name outside the DNS + behind a bastion) -commit 9235a030ad1b16903fb495d81544e0f7c7449523 +commit 8668706d0f52654fe64c0ca41a96113aeab8d2b8 Author: Damien Miller -Date: Sun Apr 20 13:17:20 2014 +1000 +Date: Wed Jul 2 15:28:02 2014 +1000 - Three commits in one (since they touch the same heavily-diverged file - repeatedly): + - djm@cvs.openbsd.org 2014/06/24 01:13:21 + [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c + [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c + [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h + [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h + [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h + [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c + [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c + [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c + [sshconnect2.c sshd.c sshkey.c sshkey.h + [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] + New key API: refactor key-related functions to be more library-like, + existing API is offered as a set of wrappers. - - markus@cvs.openbsd.org 2014/03/25 09:40:03 - [myproposal.h] - trimm default proposals. + with and ok markus@ - This commit removes the weaker pre-SHA2 hashes, the broken ciphers - (arcfour), and the broken modes (CBC) from the default configuration - (the patch only changes the default, all the modes are still available - for the config files). + Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew + Dempsky and Ron Bowes for a detailed review a few months ago. - ok djm@, reminded by tedu@ & naddy@ and discussed with many - - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 - [myproposal.h] - The current sharing of myproposal[] between both client and server code - makes the previous diff highly unpallatable. We want to go in that - direction for the server, but not for the client. Sigh. - Brought up by naddy. - - markus@cvs.openbsd.org 2014/03/27 23:01:27 - [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] - disable weak proposals in sshd, but keep them in ssh; ok djm@ - -commit 6e1777f592f15f4559728c78204617537b1ac076 -Author: Damien Miller -Date: Sun Apr 20 13:02:58 2014 +1000 - - - tedu@cvs.openbsd.org 2014/03/19 14:42:44 - [scp.1] - there is no need for rcp anymore - ok deraadt millert - -commit eb1b7c514d2a7b1802ccee8cd50e565a4d419887 -Author: Damien Miller -Date: Sun Apr 20 13:02:26 2014 +1000 - - - tedu@cvs.openbsd.org 2014/03/17 19:44:10 - [ssh.1] - old descriptions of des and blowfish are old. maybe ok deraadt - -commit f0858de6e1324ec730752387074b111b8551081e -Author: Damien Miller -Date: Sun Apr 20 13:01:30 2014 +1000 - - - deraadt@cvs.openbsd.org 2014/03/15 17:28:26 - [ssh-agent.c ssh-keygen.1 ssh-keygen.c] - Improve usage() and documentation towards the standard form. - In particular, this line saves a lot of man page reading time. - usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] - [-N new_passphrase] [-C comment] [-f output_keyfile] - ok schwarze jmc + NB. This commit also removes portable OpenSSH support for OpenSSL + <0.9.8e. -commit 94bfe0fbd6e91a56b5b0ab94ac955d2a67d101aa +commit 2cd7929250cf9e9f658d70dcd452f529ba08c942 Author: Damien Miller -Date: Sun Apr 20 13:00:51 2014 +1000 +Date: Wed Jul 2 12:48:30 2014 +1000 - - naddy@cvs.openbsd.org 2014/03/12 13:06:59 - [ssh-keyscan.1] - scan for Ed25519 keys by default too + - djm@cvs.openbsd.org 2014/06/24 00:52:02 + [krl.c] + fix bug in KRL generation: multiple consecutive revoked certificate + serial number ranges could be serialised to an invalid format. + + Readers of a broken KRL caused by this bug will fail closed, so no + should-have-been-revoked key will be accepted. -commit 3819519288b2b3928c6882f5883b0f55148f4fc0 +commit 99db840ee8dbbd2b3fbc6c45d0ee2f6a65e96898 Author: Damien Miller -Date: Sun Apr 20 13:00:28 2014 +1000 +Date: Wed Jul 2 12:48:04 2014 +1000 - - djm@cvs.openbsd.org 2014/03/12 04:51:12 - [authfile.c] - correct test that kdf name is not "none" or "bcrypt" + - naddy@cvs.openbsd.org 2014/06/18 15:42:09 + [sshbuf-getput-crypto.c] + The ssh_get_bignum functions must accept the same range of bignums + the corresponding ssh_put_bignum functions create. This fixes the + use of 16384-bit RSA keys (bug reported by Eivind Evensen). + ok djm@ -commit 8f9cd709c7cf0655d414306a0ed28306b33802be +commit 84a89161a9629239b64171ef3e22ef6a3e462d51 Author: Damien Miller -Date: Sun Apr 20 13:00:11 2014 +1000 +Date: Wed Jul 2 12:47:48 2014 +1000 - - djm@cvs.openbsd.org 2014/03/12 04:50:32 - [auth-bsdauth.c ssh-keygen.c] - don't count on things that accept arguments by reference to clear - things for us on error; most things do, but it's unsafe form. + - matthew@cvs.openbsd.org 2014/06/18 02:59:13 + [sandbox-systrace.c] + Now that we have a dedicated getentropy(2) system call for + arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace + sandbox. + + ok djm -commit 1c7ef4be83f6dec84509a312518b9df00ab491d9 +commit 51504ceec627c0ad57b9f75585c7b3d277f326be Author: Damien Miller -Date: Sun Apr 20 12:59:46 2014 +1000 +Date: Wed Jul 2 12:47:25 2014 +1000 - - djm@cvs.openbsd.org 2014/03/12 04:44:58 - [ssh-keyscan.c] - scan for Ed25519 keys by default too + - deraadt@cvs.openbsd.org 2014/06/13 08:26:29 + [sandbox-systrace.c] + permit SYS_getentropy + from matthew -commit c10bf4d051c97939b30a1616c0499310057d07da -Author: Damien Miller -Date: Sun Apr 20 12:58:04 2014 +1000 +commit a261b8df59117f7dc52abb3a34b35a40c2c9fa88 +Author: Tim Rice +Date: Wed Jun 18 16:17:28 2014 -0700 - - djm@cvs.openbsd.org 2014/03/03 22:22:30 - [session.c] - ignore enviornment variables with embedded '=' or '\0' characters; - spotted by Jann Horn; ok deraadt@ - Id sync only - portable already has this. + - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare -commit c2e49062faccbcd7135c40d1c78c5c329c58fc2e -Author: Damien Miller -Date: Tue Apr 1 14:42:46 2014 +1100 +commit 316fac6f18f87262a315c79bcf68b9f92c9337e4 +Author: Darren Tucker +Date: Tue Jun 17 23:06:07 2014 +1000 - - (djm) Use full release (e.g. 6.5p1) in debug output rather than just - version. From des@des.no + - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h} + openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] + Move the OpenSSL header/library version test into its own function and add + tests for it. Fix it to allow fix version upgrades (but not downgrades). + Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). + ok djm@ chl@ -commit 14928b7492abec82afa4c2b778fc03f78cd419b6 -Author: Damien Miller -Date: Tue Apr 1 14:38:07 2014 +1100 +commit af665bb7b092a59104db1e65577851cf35b86e32 +Author: Darren Tucker +Date: Mon Jun 16 22:50:55 2014 +1000 - - (djm) On platforms that support it, use prctl() to prevent sftp-server - from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net + - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via + OpenSMTPD and chl@ -commit 48abc47e60048461fe9117e108a7e99ea1ac2bb8 -Author: Damien Miller -Date: Mon Mar 17 14:45:56 2014 +1100 +commit f9696566fb41320820f3b257ab564fa321bb3751 +Author: Darren Tucker +Date: Fri Jun 13 11:06:04 2014 +1000 - - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to - remind myself to add sandbox violation logging via the log socket. + - (dtucker) [configure.ac] Remove tcpwrappers support, support has already + been removed from sshd.c. -commit 9c36698ca2f554ec221dc7ef29c7a89e97c88705 +commit 5e2b8894b0b24af4ad0a2f7aa33ebf255df7a8bc Author: Tim Rice -Date: Fri Mar 14 12:45:01 2014 -0700 +Date: Wed Jun 11 18:31:10 2014 -0700 - 20140314 - - (tim) [opensshd.init.in] Add support for ed25519 + - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for + u_intXX_t types. -commit 19158b2447e35838d69b2b735fb640d1e86061ea -Author: Damien Miller -Date: Thu Mar 13 13:14:21 2014 +1100 +commit 985ee2cbc3e43bc65827c3c0d4df3faa99160c37 +Author: Darren Tucker +Date: Thu Jun 12 05:32:29 2014 +1000 - - (djm) Release OpenSSH 6.6 + - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*] + Wrap stdlib.h include an ifdef for platforms that don't have it. -commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece -Author: Damien Miller -Date: Tue Mar 4 09:35:17 2014 +1100 +commit cf5392c2db2bb1dbef9818511d34056404436109 +Author: Darren Tucker +Date: Thu Jun 12 05:22:49 2014 +1000 - - djm@cvs.openbsd.org 2014/03/03 22:22:30 - [session.c] - ignore enviornment variables with embedded '=' or '\0' characters; - spotted by Jann Horn; ok deraadt@ + - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from + openbsd-compat/bsd-asprintf.c. -commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 -Author: Damien Miller -Date: Sun Mar 2 04:01:00 2014 +1100 +commit 58538d795e0b662f2f4e5a7193f1204bbe992ddd +Author: Darren Tucker +Date: Wed Jun 11 13:39:24 2014 +1000 - - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when - no moduli file exists at the expected location. + - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for + compat stuff, specifically whether or not OpenSSL has ECC. -commit c83fdf30e9db865575b2521b1fe46315cf4c70ae -Author: Damien Miller -Date: Fri Feb 28 10:34:03 2014 +1100 +commit eb012ac581fd0abc16ee86ee3a68cf07c8ce4d08 +Author: Darren Tucker +Date: Wed Jun 11 13:10:00 2014 +1000 - - (djm) [regress/host-expand.sh] Add RCS Id + - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an + assigment that might get optimized out. ok djm@ -commit 834aeac3555e53f7d29a6fcf3db010dfb99681c7 -Author: Damien Miller -Date: Fri Feb 28 10:25:16 2014 +1100 +commit b9609fd86c623d6d440e630f5f9a63295f7aea20 +Author: Darren Tucker +Date: Wed Jun 11 08:04:02 2014 +1000 - - djm@cvs.openbsd.org 2014/02/27 21:21:25 - [agent-ptrace.sh agent.sh] - keep return values that are printed in error messages; - from portable - (Id sync only) + - (dtucker) [sshbuf.h] Only declare ECC functions if building without + OpenSSL or if OpenSSL has ECC. -commit 4f7f1a9a0de24410c30952c7e16d433240422182 -Author: Damien Miller -Date: Fri Feb 28 10:24:11 2014 +1100 +commit a54a040f66944c6e8913df8635a01a2327219be9 +Author: Darren Tucker +Date: Wed Jun 11 07:58:35 2014 +1000 - - djm@cvs.openbsd.org 2014/02/27 20:04:16 - [login-timeout.sh] - remove any existing LoginGraceTime from sshd_config before adding - a specific one for the test back in + - dtucker@cvs.openbsd.org 2014/06/10 21:46:11 + [sshbuf.h] + Group ECC functions together to make things a little easier in -portable. + "doesn't bother me" deraadt@ -commit d705d987c27f68080c8798eeb5262adbdd6b4ffd -Author: Damien Miller -Date: Fri Feb 28 10:23:26 2014 +1100 +commit 9f92c53bad04a89067756be8198d4ec2d8a08875 +Author: Darren Tucker +Date: Wed Jun 11 07:57:58 2014 +1000 - - djm@cvs.openbsd.org 2014/01/26 10:49:17 - [scp-ssh-wrapper.sh scp.sh] - make sure $SCP is tested on the remote end rather than whichever one - happens to be in $PATH; from portable - (Id sync only) + - djm@cvs.openbsd.org 2014/06/05 22:17:50 + [sshconnect2.c] + fix inverted test that caused PKCS#11 keys that were explicitly listed + not to be preferred. Reported by Dirk-Willem van Gulik -commit 624a3ca376e3955a4b9d936c9e899e241b65d357 -Author: Damien Miller -Date: Fri Feb 28 10:22:37 2014 +1100 +commit 15c254a25394f96643da2ad0f674acdc51e89856 +Author: Darren Tucker +Date: Wed Jun 11 07:38:49 2014 +1000 - - djm@cvs.openbsd.org 2014/01/26 10:22:10 - [regress/cert-hostkey.sh] - automatically generate revoked keys from listed keys rather than - manually specifying each type; from portable - (Id sync only) + - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef + ECC variable too. -commit b84392328425e4b9a71f8bde5fe6a4a4c48d3ec4 -Author: Damien Miller -Date: Fri Feb 28 10:21:26 2014 +1100 +commit d7af0cc5bf273eeed0897a99420bc26841d07d8f +Author: Darren Tucker +Date: Wed Jun 11 07:37:25 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/25 04:35:32 - [regress/Makefile regress/dhgex.sh] - Add a test for DH GEX sizes + - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in + the proposal if the version of OpenSSL we're using doesn't support ECC. -commit 1e2aa3d90472293ea19008f02336d6d68aa05793 -Author: Damien Miller -Date: Fri Feb 28 10:19:51 2014 +1100 +commit 67508ac2563c33d582be181a3e777c65f549d22f +Author: Darren Tucker +Date: Wed Jun 11 06:27:16 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/20 00:00:30 - [sftp-chroot.sh] - append to rather than truncating the log file + - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c + regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256 + curve tests if OpenSSL has them. -commit f483cc16fe7314e24a37aa3a4422b03c013c3213 +commit 6482d90a65459a88c18c925368525855832272b3 Author: Damien Miller -Date: Fri Feb 28 10:19:11 2014 +1100 +Date: Tue May 27 14:34:42 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/19 23:43:02 - [regress/sftp-chroot.sh] - Don't use -q on sftp as it suppresses logging, instead redirect the - output to the regress logfile. + - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c] + [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege + separation user at runtime, since it may need to be a domain account. + Patch from Corinna Vinschen. -commit 6486f16f1c0ebd6f39286f6ab5e08286d90a994a +commit f9eb5e0734f7a7f6e975809eb54684d2a06a7ffc Author: Damien Miller -Date: Fri Feb 28 10:03:52 2014 +1100 +Date: Tue May 27 14:31:58 2014 +1000 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers + - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config + from Corinna Vinschen, fixing a number of bugs and preparing for + Cygwin 1.7.30. -commit 92cf5adea194140380e6af6ec32751f9ad540794 +commit eae88744662e6b149f43ef071657727f1a157d95 Author: Damien Miller -Date: Fri Feb 28 10:01:53 2014 +1100 +Date: Tue May 27 14:27:02 2014 +1000 - - djm@cvs.openbsd.org 2014/02/27 22:57:40 - [version.h] - openssh-6.6 + - (djm) [cipher.c] Fix merge botch. -commit fc5d6759aba71eb205b296b5f148010ffc828583 +commit 564b5e253c1d95c26a00e8288f0089a2571661c3 Author: Damien Miller -Date: Fri Feb 28 10:01:28 2014 +1100 +Date: Thu May 22 08:23:59 2014 +1000 - - djm@cvs.openbsd.org 2014/02/27 22:47:07 - [sshd_config.5] - bz#2184 clarify behaviour of a keyword that appears in multiple - matching Match blocks; ok dtucker@ + - (djm) [Makefile.in] typo in path -commit 172ec7e0af1a5f1d682f6a2dca335c6c186153d5 +commit e84d10302aeaf7a1acb05c451f8718143656856a Author: Damien Miller -Date: Fri Feb 28 10:00:57 2014 +1100 +Date: Wed May 21 17:13:36 2014 +1000 - - djm@cvs.openbsd.org 2014/02/27 08:25:09 - [bufbn.c] - off by one in range check + revert a diff I didn't mean to commit -commit f9a9aaba437c2787e40cf7cc928281950e161678 +commit 795b86313f1f1aab9691666c4f2d5dae6e4acd50 Author: Damien Miller -Date: Fri Feb 28 10:00:27 2014 +1100 +Date: Wed May 21 17:12:53 2014 +1000 - - djm@cvs.openbsd.org 2014/02/27 00:41:49 - [bufbn.c] - fix unsigned overflow that could lead to reading a short ssh protocol - 1 bignum value; found by Ben Hawkes; ok deraadt@ + - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC + when it is available. It takes into account time spent suspended, + thereby ensuring timeouts (e.g. for expiring agent keys) fire + correctly. bz#2228 reported by John Haxby -commit fb3423b612713d9cde67c8a75f6f51188d6a3de3 +commit 18912775cb97c0b1e75e838d3c7d4b56648137b5 Author: Damien Miller -Date: Thu Feb 27 10:20:07 2014 +1100 +Date: Wed May 21 17:06:46 2014 +1000 - - markus@cvs.openbsd.org 2014/02/26 21:53:37 - [sshd.c] - ssh_gssapi_prepare_supported_oids needs GSSAPI + - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use + vhangup on Linux. It doens't work for non-root users, and for them + it just messes up the tty settings. -commit 1348129a34f0f7728c34d86c100a32dcc8d1f922 +commit 7f1c264d3049cd95234e91970ccb5406e1d15b27 Author: Damien Miller -Date: Thu Feb 27 10:18:32 2014 +1100 +Date: Thu May 15 18:01:52 2014 +1000 - - djm@cvs.openbsd.org 2014/02/26 20:29:29 - [channels.c] - don't assume that the socks4 username is \0 terminated; - spotted by Ben Hawkes; ok markus@ + - (djm) [sshbuf.c] need __predict_false -commit e6a74aeeacd01d885262ff8e50eb28faee8c8039 +commit e7429f2be8643e1100380a8a7389d85cc286c8fe Author: Damien Miller -Date: Thu Feb 27 10:17:49 2014 +1100 +Date: Thu May 15 18:01:01 2014 +1000 - - djm@cvs.openbsd.org 2014/02/26 20:28:44 - [auth2-gss.c gss-serv.c ssh-gss.h sshd.c] - bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep - sandboxing, as running this code in the sandbox can cause violations; - ok markus@ + - (djm) [regress/Makefile Makefile.in] + [regress/unittests/sshbuf/test_sshbuf.c + [regress/unittests/sshbuf/test_sshbuf_fixed.c] + [regress/unittests/sshbuf/test_sshbuf_fuzz.c] + [regress/unittests/sshbuf/test_sshbuf_getput_basic.c] + [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] + [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] + [regress/unittests/sshbuf/test_sshbuf_misc.c] + [regress/unittests/sshbuf/tests.c] + [regress/unittests/test_helper/fuzz.c] + [regress/unittests/test_helper/test_helper.c] + Hook new unit tests into the build and "make tests" -commit 08b57c67f3609340ff703fe2782d7058acf2529e +commit def1de086707b0e6b046fe7e115c60aca0227a99 Author: Damien Miller -Date: Thu Feb 27 10:17:13 2014 +1100 +Date: Thu May 15 15:17:15 2014 +1000 - - djm@cvs.openbsd.org 2014/02/26 20:18:37 - [ssh.c] - bz#2205: avoid early hostname lookups unless canonicalisation is enabled; - ok dtucker@ markus@ + - (djm) [regress/unittests/Makefile] + [regress/unittests/Makefile.inc] + [regress/unittests/sshbuf/Makefile] + [regress/unittests/sshbuf/test_sshbuf.c] + [regress/unittests/sshbuf/test_sshbuf_fixed.c] + [regress/unittests/sshbuf/test_sshbuf_fuzz.c] + [regress/unittests/sshbuf/test_sshbuf_getput_basic.c] + [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] + [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] + [regress/unittests/sshbuf/test_sshbuf_misc.c] + [regress/unittests/sshbuf/tests.c] + [regress/unittests/test_helper/Makefile] + [regress/unittests/test_helper/fuzz.c] + [regress/unittests/test_helper/test_helper.c] + [regress/unittests/test_helper/test_helper.h] + Import new unit tests from OpenBSD; not yet hooked up to build. -commit 13f97b2286142fd0b8eab94e4ce84fe124eeb752 +commit 167685756fde8bc213a8df2c8e1848e312db0f46 Author: Damien Miller -Date: Mon Feb 24 15:57:55 2014 +1100 +Date: Thu May 15 15:08:40 2014 +1000 - - djm@cvs.openbsd.org 2014/02/23 20:11:36 - [readconf.c readconf.h ssh.c ssh_config.5] - reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes - the hostname. This allows users to write configurations that always - refer to canonical hostnames, e.g. - - CanonicalizeHostname yes - CanonicalDomains int.example.org example.org - CanonicalizeFallbackLocal no - - Host *.int.example.org - Compression off - Host *.example.org - User djm + - logan@cvs.openbsd.org 2014/05/04 10:40:59 + [connect-privsep.sh] + Remove the Z flag from the list of malloc options as it + was removed from malloc.c 10 days ago. - ok markus@ - -commit bee3a234f3d1ad4244952bcff1b4b7c525330dc2 -Author: Damien Miller -Date: Mon Feb 24 15:57:22 2014 +1100 - - - djm@cvs.openbsd.org 2014/02/23 20:03:42 - [ssh-ed25519.c] - check for unsigned overflow; not reachable in OpenSSH but others might - copy our code... - -commit 0628780abe61e7e50cba48cdafb1837f49ff23b2 -Author: Damien Miller -Date: Mon Feb 24 15:56:45 2014 +1100 - - - djm@cvs.openbsd.org 2014/02/22 01:32:19 - [readconf.c] - when processing Match blocks, skip 'exec' clauses if previous predicates - failed to match; ok markus@ - -commit 0890dc8191bb201eb01c3429feec0300a9d3a930 -Author: Damien Miller -Date: Mon Feb 24 15:56:07 2014 +1100 - - - djm@cvs.openbsd.org 2014/02/15 23:05:36 - [channels.c] - avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W; - bz#2200, debian#738692 via Colin Watson; ok dtucker@ + OK from miod@ -commit d3cf67e1117c25d151d0f86396e77ee3a827045a +commit d0b69fe90466920d69c96069312e24b581771bd7 Author: Damien Miller -Date: Mon Feb 24 15:55:36 2014 +1100 - - - djm@cvs.openbsd.org 2014/02/07 06:55:54 - [cipher.c mac.c] - remove some logging that makes ssh debugging output very verbose; - ok markus - -commit 03ae081aeaa118361c81ece76eb7cc1aaa2b40c5 -Author: Tim Rice -Date: Fri Feb 21 09:09:34 2014 -0800 - - 20140221 - - (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery. - -commit 4a20959d2e3c90e9d66897c0b4032c785672d815 -Author: Darren Tucker -Date: Thu Feb 13 16:38:32 2014 +1100 +Date: Thu May 15 15:08:19 2014 +1000 - - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat - code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex. + - dtucker@cvs.openbsd.org 2014/05/03 18:46:14 + [proxy-connect.sh] + Add tests for with and without compression, with and without privsep. -commit d1a7a9c0fd1ac2e3314cceb2891959fd2cd9eabb +commit edb1af50441d19fb2dd9ccb4d75bf14473fca584 Author: Damien Miller -Date: Fri Feb 7 09:24:33 2014 +1100 +Date: Thu May 15 15:07:53 2014 +1000 - - djm@cvs.openbsd.org 2014/02/06 22:21:01 - [sshconnect.c] - in ssh_create_socket(), only do the getaddrinfo for BindAddress when - BindAddress is actually specified. Fixes regression in 6.5 for - UsePrivilegedPort=yes; patch from Corinna Vinschen + - djm@cvs.openbsd.org 2014/04/21 22:15:37 + [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh] + repair regress tests broken by server-side default cipher/kex/mac changes + by ensuring that the option under test is included in the server's + algorithm list -commit 6ce35b6cc4ead1bf98abec34cb2e2d6ca0abb15e +commit 54343e95c70994695f8842fb22836321350198d3 Author: Damien Miller -Date: Fri Feb 7 09:24:14 2014 +1100 +Date: Thu May 15 15:07:33 2014 +1000 - - naddy@cvs.openbsd.org 2014/02/05 20:13:25 - [ssh-keygen.1 ssh-keygen.c] - tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@ - while here, fix ordering in usage(); requested by jmc@ + - djm@cvs.openbsd.org 2014/03/13 20:44:49 + [login-timeout.sh] + this test is a sorry mess of race conditions; add another sleep + to avoid a failure on slow machines (at least until I find a + better way) -commit 6434cb2cfbbf0a46375d2d22f2ff9927feb5e478 +commit e5b9f0f2ee6e133894307e44e862b66426990733 Author: Damien Miller -Date: Thu Feb 6 11:17:50 2014 +1100 - - - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define - __NR_shutdown; some go via the socketcall(2) multiplexer. - -commit 8d36f9ac71eff2e9f5770c0518b73d875f270647 -Author: Darren Tucker -Date: Thu Feb 6 10:44:13 2014 +1100 +Date: Thu May 15 14:58:07 2014 +1000 - - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL - before freeing since free(NULL) is a no-op. ok djm. + - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c] + [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes -commit a0959da3680b4ce8cf911caf3293a6d90f88eeb7 +commit b9c566788a9ebd6a9d466f47a532124f111f0542 Author: Damien Miller -Date: Wed Feb 5 10:33:45 2014 +1100 +Date: Thu May 15 14:43:37 2014 +1000 - - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by - headers/libc but not supported by the kernel. Patch from Loganaden - Velvindron @ AfriNIC + - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write + portability glue to support building without libcrypto -commit 9c449bc183b256c84d8f740727b0bc54d247b15e +commit 3dc27178b42234b653a32f7a87292d7994045ee3 Author: Damien Miller -Date: Tue Feb 4 11:38:28 2014 +1100 +Date: Thu May 15 14:37:59 2014 +1000 - - (djm) [regress/setuid-allowed.c] Missing string.h for strerror() + - logan@cvs.openbsd.org 2014/05/05 07:02:30 + [sftp.c] + Zap extra whitespace. + + OK from djm@ and dtucker@ -commit bf7e0f03be661b6f5b3bfe325135ce19391f9c4d +commit c31a0cd5b31961f01c5b731f62a6cb9d4f767472 Author: Damien Miller -Date: Tue Feb 4 11:37:50 2014 +1100 +Date: Thu May 15 14:37:39 2014 +1000 - - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o + - markus@cvs.openbsd.org 2014/05/03 17:20:34 + [monitor.c packet.c packet.h] + unbreak compression, by re-init-ing the compression code in the + post-auth child. the new buffer code is more strict, and requires + buffer_init() while the old code was happy after a bzero(); + originally from djm@ -commit eb6d870a0ea8661299bb2ea8f013d3ace04e2024 +commit 686c7d9ee6f44b2be4128d7860b6b37adaeba733 Author: Damien Miller -Date: Tue Feb 4 11:26:34 2014 +1100 +Date: Thu May 15 14:37:03 2014 +1000 - - djm@cvs.openbsd.org 2014/02/04 00:24:29 - [ssh.c] - delay lowercasing of hostname until right before hostname - canonicalisation to unbreak case-sensitive matching of ssh_config; - reported by Ike Devolder; ok markus@ + - djm@cvs.openbsd.org 2014/05/02 03:27:54 + [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c] + [misc.h poly1305.h ssh-pkcs11.c defines.h] + revert __bounded change; it causes way more problems for portable than + it solves; pointed out by dtucker@ -commit d56b44d2dfa093883a5c4e91be3f72d99946b170 +commit 294c58a007cfb2f3bddc4fc3217e255857ffb9bf Author: Damien Miller -Date: Tue Feb 4 11:26:04 2014 +1100 +Date: Thu May 15 14:35:03 2014 +1000 - - djm@cvs.openbsd.org 2014/02/04 00:24:29 - [ssh.c] - delay lowercasing of hostname until right before hostname - canonicalisation to unbreak case-sensitive matching of ssh_config; - reported by Ike Devolder; ok markus@ + - naddy@cvs.openbsd.org 2014/04/30 19:07:48 + [mac.c myproposal.h umac.c] + UMAC can use our local fallback implementation of AES when OpenSSL isn't + available. Glue code straight from Ted Krovetz's original umac.c. + ok markus@ -commit db3c595ea74ea9ccd5aa644d7e1f8dc675710731 +commit 05e82c3b963c33048128baf72a6f6b3a1c10b4c1 Author: Damien Miller -Date: Tue Feb 4 11:25:45 2014 +1100 +Date: Thu May 15 14:33:43 2014 +1000 - - djm@cvs.openbsd.org 2014/02/02 03:44:31 - [digest-libc.c digest-openssl.c] - convert memset of potentially-private data to explicit_bzero() + - djm@cvs.openbsd.org 2014/04/30 05:29:56 + [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c] + [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c] + [ssherr.h] + New buffer API; the first installment of the conversion/replacement + of OpenSSH's internals to make them usable as a standalone library. + + This includes a set of wrappers to make it compatible with the + existing buffer API so replacement can occur incrementally. + + With and ok markus@ + + Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew + Dempsky and Ron Bowes for a detailed review. -commit aae07e2e2000dd318418fd7fd4597760904cae32 +commit 380948180f847a26f2d0c85b4dad3dca2ed2fd8b Author: Damien Miller -Date: Tue Feb 4 11:20:40 2014 +1100 +Date: Thu May 15 14:25:18 2014 +1000 - - djm@cvs.openbsd.org 2014/02/03 23:28:00 - [ssh-ecdsa.c] - fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike - DSA_SIG_new. Reported by Batz Spear; ok markus@ + - dtucker@cvs.openbsd.org 2014/04/29 20:36:51 + [sftp.c] + Don't attempt to append a nul quote char to the filename. Should prevent + fatal'ing with "el_insertstr failed" when there's a single quote char + somewhere in the string. bz#2238, ok markus@ -commit a5103f413bde6f31bff85d6e1fd29799c647d765 +commit d7fd8bedd4619a2ec7fd02aae4c4e1db4431ad9f Author: Damien Miller -Date: Tue Feb 4 11:20:14 2014 +1100 +Date: Thu May 15 14:24:59 2014 +1000 - - djm@cvs.openbsd.org 2014/02/02 03:44:32 - [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] - [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] - [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] - [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] - [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] - [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] - [sshd.c] - convert memset of potentially-private data to explicit_bzero() + - dtucker@cvs.openbsd.org 2014/04/29 19:58:50 + [sftp.c] + Move nulling of variable next to where it's freed. ok markus@ -commit 1d2c4564265ee827147af246a16f3777741411ed +commit 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14 Author: Damien Miller -Date: Tue Feb 4 11:18:20 2014 +1100 +Date: Thu May 15 14:24:09 2014 +1000 - - tedu@cvs.openbsd.org 2014/01/31 16:39:19 - [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] - [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] - [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] - [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] - [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] - replace most bzero with explicit_bzero, except a few that cna be memset - ok djm dtucker + - markus@cvs.openbsd.org 2014/04/29 18:01:49 + [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] + [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] + [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] + [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] + make compiling against OpenSSL optional (make OPENSSL=no); + reduces algorithms to curve25519, aes-ctr, chacha, ed25519; + allows us to explore further options; with and ok djm -commit 3928de067c286683a95fbdbdb5fdb3c78a0e5efd +commit c5893785564498cea73cb60d2cf199490483e080 Author: Damien Miller -Date: Tue Feb 4 11:13:54 2014 +1100 +Date: Thu May 15 13:48:49 2014 +1000 - - djm@cvs.openbsd.org 2014/01/30 22:26:14 - [sandbox-systrace.c] - allow shutdown(2) syscall in sandbox - it may be called by packet_close() - from portable - (Id sync only; change is already in portable) + - djm@cvs.openbsd.org 2014/04/29 13:10:30 + [clientloop.c serverloop.c] + bz#1818 - don't send channel success/failre replies on channels that + have sent a close already; analysis and patch from Simon Tatham; + ok markus@ -commit e1e480aee8a9af6cfbe7188667b7b940d6b57f9f +commit 633de33b192d808d87537834c316dc8b75fe1880 Author: Damien Miller -Date: Tue Feb 4 11:13:17 2014 +1100 +Date: Thu May 15 13:48:26 2014 +1000 - - jmc@cvs.openbsd.org 2014/01/29 14:04:51 - [sshd_config.5] - document kbdinteractiveauthentication; - requested From: Ross L Richardson - - dtucker/markus helped explain its workings; + - djm@cvs.openbsd.org 2014/04/28 03:09:18 + [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h] + [ssh-keygen.c] + buffer_get_string_ptr's return should be const to remind + callers that futzing with it will futz with the actual buffer + contents -commit 7cc194f70d4a5ec9a82d19422eaf18db4a6624c6 +commit 15271907843e4ae50dcfc83b3594014cf5e9607b Author: Damien Miller -Date: Tue Feb 4 11:12:56 2014 +1100 +Date: Thu May 15 13:47:56 2014 +1000 - - djm@cvs.openbsd.org 2014/01/29 06:18:35 - [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] - [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] - [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] - remove experimental, never-enabled JPAKE code; ok markus@ + - djm@cvs.openbsd.org 2014/04/23 12:42:34 + [readconf.c] + don't record duplicate IdentityFiles -commit b0f26544cf6f4feeb1a4f6db09fca834f5c9867d +commit 798a02568b13a2e46efebd81f08c8f4bb33a6dc7 Author: Damien Miller -Date: Tue Feb 4 11:10:01 2014 +1100 +Date: Thu May 15 13:47:37 2014 +1000 - - djm@cvs.openbsd.org 2014/01/29 00:19:26 - [sshd.c] - use kill(0, ...) instead of killpg(0, ...); on most operating systems - they are equivalent, but SUSv2 describes the latter as having undefined - behaviour; from portable; ok dtucker - (Id sync only; change is already in portable) + - jmc@cvs.openbsd.org 2014/04/22 14:16:30 + [sftp.1] + zap eol whitespace; -commit f8f35bc471500348bb262039fb1fc43175d251b0 +commit d875ff78d2b8436807381051de112f0ebf9b9ae1 Author: Damien Miller -Date: Tue Feb 4 11:09:12 2014 +1100 +Date: Thu May 15 13:47:15 2014 +1000 - - jmc@cvs.openbsd.org 2014/01/28 14:13:39 - [ssh-keyscan.1] - kill some bad Pa; - From: Jan Stary + - logan@cvs.openbsd.org 2014/04/22 12:42:04 + [sftp.1] + Document sftp upload resume. + OK from djm@, with feedback from okan@. -commit 0ba85d696ae9daf66002c2e4ab0d6bb111e1a787 +commit b15cd7bb097fd80dc99520f45290ef775da1ef19 Author: Damien Miller -Date: Tue Feb 4 11:08:38 2014 +1100 +Date: Thu May 15 13:46:52 2014 +1000 - ignore a few more regress droppings + - logan@cvs.openbsd.org 2014/04/22 10:07:12 + [sftp.c] + Sort the sftp command list. + OK from djm@ -commit ec93d15170b7a6ddf63fd654bd0f6a752acc19dd +commit d8accc0aa72656ba63d50937165c5ae49db1dcd6 Author: Damien Miller -Date: Tue Feb 4 11:07:13 2014 +1100 +Date: Thu May 15 13:46:25 2014 +1000 - - markus@cvs.openbsd.org 2014/01/27 20:13:46 - [digest.c digest-openssl.c digest-libc.c Makefile.in] - rename digest.c to digest-openssl.c and add libc variant; ok djm@ + - logan@cvs.openbsd.org 2014/04/21 14:36:16 + [sftp-client.c sftp-client.h sftp.c] + Implement sftp upload resume support. + OK from djm@, with input from guenther@, mlarkin@ and + okan@ -commit 4a1c7aa640fb97d3472d51b215b6a0ec0fd025c7 +commit 16cd3928a87d20c77b13592a74b60b08621d3ce6 Author: Damien Miller -Date: Tue Feb 4 11:03:36 2014 +1100 +Date: Thu May 15 13:45:58 2014 +1000 - - markus@cvs.openbsd.org 2014/01/27 19:18:54 - [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c] - replace openssl MD5 with our ssh_digest_*; ok djm@ + - logan@cvs.openbsd.org 2014/04/20 09:24:26 + [dns.c dns.h ssh-keygen.c] + Add support for SSHFP DNS records for ED25519 key types. + OK from djm@ -commit 4e8d937af79ce4e253f77ec93489d098b25becc3 +commit ec0b67eb3b4e12f296ced1fafa01860c374f7eea Author: Damien Miller -Date: Tue Feb 4 11:02:42 2014 +1100 - - - markus@cvs.openbsd.org 2014/01/27 18:58:14 - [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h] - replace openssl HMAC with an implementation based on our ssh_digest_* - ok and feedback djm@ - -commit 69d0d09f76bab5aec86fbf78489169f63bd16475 -Author: Tim Rice -Date: Fri Jan 31 14:25:18 2014 -0800 +Date: Thu May 15 13:45:26 2014 +1000 - - (tim) [Makefile.in] build regress/setuid-allow. + - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine + OpenBSD -commit 0eeafcd76b972a3d159f3118227c149a4d7817fe +commit f028460d0b2e5a584355321015cde69bf6fd933e Author: Darren Tucker -Date: Fri Jan 31 14:18:51 2014 +1100 +Date: Thu May 1 02:24:35 2014 +1000 - - (dtucker) [readconf.c] Include for the hton macros. Fixes - build with HP-UX's compiler. Patch from Kevin Brott. + - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already + have it. Only attempt to use __attribute__(__bounded__) for gcc. -commit 7e5cec6070673e9f9785ffc749837ada22fbe99f +commit b628cc4c3e4a842bab5e4584d18c2bc5fa4d0edf Author: Damien Miller -Date: Fri Jan 31 09:25:34 2014 +1100 +Date: Sun Apr 20 13:33:58 2014 +1000 - - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2) - syscall from sandboxes; it may be called by packet_close. + - djm@cvs.openbsd.org 2014/04/20 02:49:32 + [compat.c] + add a canonical 6.6 + curve25519 bignum fix fake version that I can + recommend people use ahead of the openssh-6.7 release -commit cdb6c90811caa5df2df856be9b0b16db020fe31d +commit 888566913933a802f3a329ace123ebcb7154cf78 Author: Damien Miller -Date: Thu Jan 30 12:50:17 2014 +1100 +Date: Sun Apr 20 13:33:19 2014 +1000 - - (djm) Release openssh-6.5p1 + - djm@cvs.openbsd.org 2014/04/20 02:30:25 + [misc.c misc.h umac.c] + use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on + strict-alignment architectures; reported by and ok stsp@ -commit 996ea80b1884b676a901439f1f2681eb6ff68501 +commit 16f85cbc7e5139950e6a38317e7c8b368beafa5d Author: Damien Miller -Date: Thu Jan 30 12:49:55 2014 +1100 +Date: Sun Apr 20 13:29:28 2014 +1000 - trim entries prior to openssh-6.0p1 + - tedu@cvs.openbsd.org 2014/04/19 18:42:19 + [ssh.1] + delete .xr to hosts.equiv. there's still an unfortunate amount of + documentation referring to rhosts equivalency in here. -commit f5bbd3b657b6340551c8a95f74a70857ff8fac79 +commit 69cb24b7356ec3f0fc5ff04a68f98f2c55c766f4 Author: Damien Miller -Date: Thu Jan 30 11:26:46 2014 +1100 +Date: Sun Apr 20 13:29:06 2014 +1000 - - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering - different symbols for 'read' when various compiler flags are - in use, causing atomicio.c comparisons against it to break and - read/write operations to hang; ok dtucker + - tedu@cvs.openbsd.org 2014/04/19 18:15:16 + [sshd.8] + remove some really old rsh references -commit c2868192ddc4e1420a50389e18c05db20b0b1f32 +commit 84c1e7bca8c4ceaccf4d5557e39a833585a3c77e Author: Damien Miller -Date: Thu Jan 30 10:21:19 2014 +1100 +Date: Sun Apr 20 13:27:53 2014 +1000 - - (djm) [configure.ac] Only check for width-specified integer types - in headers that actually exist. patch from Tom G. Christensen; - ok dtucker@ + - tedu@cvs.openbsd.org 2014/04/19 14:53:48 + [ssh-keysign.c sshd.c] + Delete futile calls to RAND_seed. ok djm + NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon -commit c161fc90fc86e2035710570238a9e1ca7a68d2a5 +commit 0e6b67423b8662f9ca4c92750309e144fd637ef1 Author: Damien Miller -Date: Wed Jan 29 21:01:33 2014 +1100 - - - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from - Tom G. Christensen - -commit 6f917ad376481995ab7d29fb53b08ec8d507eb9e -Author: Tim Rice -Date: Tue Jan 28 10:26:25 2014 -0800 +Date: Sun Apr 20 13:27:01 2014 +1000 - - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable - when used as an error message inside an if statement so we display the - correct into. agent.sh patch from Petr Lautrbach. + - djm@cvs.openbsd.org 2014/04/19 05:54:59 + [compat.c] + missing wildcard; pointed out by naddy@ -commit ab16ef4152914d44ce6f76e48167d26d22f66a06 +commit 9395b28223334826837c15e8c1bb4dfb3b0d2ca5 Author: Damien Miller -Date: Tue Jan 28 15:08:12 2014 +1100 +Date: Sun Apr 20 13:25:30 2014 +1000 - - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the - latter being specified to have undefined behaviour in SUSv3; - ok dtucker + - djm@cvs.openbsd.org 2014/04/18 23:52:25 + [compat.c compat.h sshconnect2.c sshd.c version.h] + OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections + using the curve25519-sha256@libssh.org KEX exchange method to fail + when connecting with something that implements the spec properly. + + Disable this KEX method when speaking to one of the affected + versions. + + reported by Aris Adamantiadis; ok markus@ -commit ab0394905884dc6e58c3721211c6b38fb8fc2ca8 +commit 8c492da58f8ceb85cf5f7066f23e26fb813a963d Author: Damien Miller -Date: Tue Jan 28 15:07:10 2014 +1100 - - - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; - ok dtucker - -commit 4ab20a82d4d4168d62318923f62382f6ef242fcd -Author: Darren Tucker -Date: Mon Jan 27 17:35:04 2014 +1100 - - - (dtucker) [Makefile.in] Remove trailing backslash which some make - implementations (eg older Solaris) do not cope with. - -commit e7e8b3cfe9f8665faaf0e68b33df5bbb431bd129 -Author: Darren Tucker -Date: Mon Jan 27 17:32:50 2014 +1100 +Date: Sun Apr 20 13:25:09 2014 +1000 - Welcome to 2014 + - djm@cvs.openbsd.org 2014/04/16 23:28:12 + [ssh-agent.1] + remove the identity files from this manpage - ssh-agent doesn't deal + with them at all and the same information is duplicated in ssh-add.1 + (which does deal with them); prodded by deraadt@ -commit 5b447c0aac0dd444251e276f6bb3bbbe1c05331c +commit adbfdbbdccc70c9bd70d81ae096db115445c6e26 Author: Damien Miller -Date: Sun Jan 26 09:46:53 2014 +1100 +Date: Sun Apr 20 13:24:49 2014 +1000 - - (djm) [configure.ac] correct AC_DEFINE for previous. + - djm@cvs.openbsd.org 2014/04/16 23:22:45 + [bufaux.c] + skip leading zero bytes in buffer_put_bignum2_from_string(); + reported by jan AT mojzis.com; ok markus@ -commit 2035b2236d3b1f76c749c642a43e03c85eae76e6 +commit 75c62728dc87af6805696eeb520b9748faa136c8 Author: Damien Miller -Date: Sun Jan 26 09:39:53 2014 +1100 +Date: Sun Apr 20 13:24:31 2014 +1000 - - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable - RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, - libc will attempt to open additional file descriptors for crypto - offload and crash if they cannot be opened. + - djm@cvs.openbsd.org 2014/04/12 04:55:53 + [sshd.c] + avoid crash at exit: check that pmonitor!=NULL before dereferencing; + bz#2225, patch from kavi AT juniper.net -commit a92ac7410475fbb00383c7402aa954dc0a75ae19 +commit 2a328437fb1b0976f2f4522d8645803d5a5d0967 Author: Damien Miller -Date: Sun Jan 26 09:38:03 2014 +1100 +Date: Sun Apr 20 13:24:01 2014 +1000 - - markus@cvs.openbsd.org 2014/01/25 20:35:37 - [kex.c] - dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) - ok dtucker@, noted by mancha + - djm@cvs.openbsd.org 2014/04/01 05:32:57 + [packet.c] + demote a debug3 to PACKET_DEBUG; ok markus@ -commit 76eea4ab4e658670ca6e76dd1e6d17f262208b57 +commit 7d6a9fb660c808882d064e152d6070ffc3844c3f Author: Damien Miller -Date: Sun Jan 26 09:37:25 2014 +1100 +Date: Sun Apr 20 13:23:43 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 - [cipher.c cipher.h kex.c kex.h kexgexc.c] - Add a special case for the DH group size for 3des-cbc, which has an - effective strength much lower than the key size. This causes problems - with some cryptlib implementations, which don't support group sizes larger - than 4k but also don't use the largest group size it does support as - specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, - reduced by me with input from Markus. ok djm@ markus@ + - djm@cvs.openbsd.org 2014/04/01 03:34:10 + [sshconnect.c] + When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any + certificate keys to plain keys and attempt SSHFP resolution. + + Prevents a server from skipping SSHFP lookup and forcing a new-hostkey + dialog by offering only certificate keys. + + Reported by mcv21 AT cam.ac.uk -commit 603b8f47f1cd9ed95a2017447db8e60ca6704594 +commit fcd62c0b66b8415405ed0af29c236329eb88cc0f Author: Damien Miller -Date: Sat Jan 25 13:16:59 2014 +1100 +Date: Sun Apr 20 13:23:21 2014 +1000 - - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test - against the correct thing. + - djm@cvs.openbsd.org 2014/04/01 02:05:27 + [ssh-keysign.c] + include fingerprint of key not found + use arc4random_buf() instead of loop+arc4random() -commit c96d85376d779b6ac61525b5440010d344d2f23f +commit 43b156cf72f900f88065b0a1c1ebd09ab733ca46 Author: Damien Miller -Date: Sat Jan 25 13:12:28 2014 +1100 +Date: Sun Apr 20 13:23:03 2014 +1000 - - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless - sys/capability.h exists and cap_rights_limit is in libc. Fixes - build on FreeBSD9x which provides the header but not the libc - support. + - jmc@cvs.openbsd.org 2014/03/31 13:39:34 + [ssh-keygen.1] + the text for the -K option was inserted in the wrong place in -r1.108; + fix From: Matthew Clarke -commit f62ecef9939cb3dbeb10602fd705d4db3976d822 +commit c1621c84f2dc1279065ab9fde2aa9327af418900 Author: Damien Miller -Date: Sat Jan 25 12:34:38 2014 +1100 +Date: Sun Apr 20 13:22:46 2014 +1000 - - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD + - naddy@cvs.openbsd.org 2014/03/28 05:17:11 + [ssh_config.5 sshd_config.5] + sync available and default algorithms, improve algorithm list formatting + help from jmc@ and schwarze@, ok deraadt@ -commit b0e0f760b861676a3fe5c40133b270713d5321a9 +commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 Author: Damien Miller -Date: Fri Jan 24 14:27:04 2014 +1100 - - - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make - the scp regress test actually test the built scp rather than the one - in $PATH. ok dtucker@ - -commit 42a092530159637da9cb7f9e1b5f4679e34a85e6 -Author: Darren Tucker -Date: Thu Jan 23 23:14:39 2014 +1100 - - - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously - incompatible with OpenBSD's despite post-dating it by more than a decade. - Declare it as broken, and document FreeBSD's as the same. ok djm@ - -commit 617da33c20cb59f9ea6c99c881d92493371ef7b8 -Author: Tim Rice -Date: Wed Jan 22 19:16:10 2014 -0800 +Date: Sun Apr 20 13:22:18 2014 +1000 - - (tim) [session.c] Improve error reporting on set_id(). + - tedu@cvs.openbsd.org 2014/03/26 19:58:37 + [sshd.8 sshd.c] + remove libwrap support. ok deraadt djm mfriedl -commit 5c2ff5e31f57d303ebb414d84a934c02728fa568 +commit 4f40209aa4060b9c066a2f0d9332ace7b8dfb391 Author: Damien Miller -Date: Wed Jan 22 21:30:12 2014 +1100 +Date: Sun Apr 20 13:21:22 2014 +1000 - - (djm) [configure.ac aclocal.m4] More tests to detect fallout from - platform hardening options: include some long long int arithmatic - to detect missing support functions for -ftrapv in libgcc and - equivalents, actually test linking when -ftrapv is supplied and - set either both -pie/-fPIE or neither. feedback and ok dtucker@ + - djm@cvs.openbsd.org 2014/03/26 04:55:35 + [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c + [misc.h poly1305.h ssh-pkcs11.c] + use __bounded(...) attribute recently added to sys/cdefs.h instead of + longform __attribute__(__bounded(...)); + + for brevity and a warning free compilation with llvm/clang -commit 852472a54b8a0dc3e53786b313baaa86850a4273 +commit 9235a030ad1b16903fb495d81544e0f7c7449523 Author: Damien Miller -Date: Wed Jan 22 16:31:18 2014 +1100 +Date: Sun Apr 20 13:17:20 2014 +1000 - - (djm) [configure.ac] Unless specifically requested, only attempt - to build Position Independent Executables on gcc >= 4.x; ok dtucker + Three commits in one (since they touch the same heavily-diverged file + repeatedly): + + - markus@cvs.openbsd.org 2014/03/25 09:40:03 + [myproposal.h] + trimm default proposals. + + This commit removes the weaker pre-SHA2 hashes, the broken ciphers + (arcfour), and the broken modes (CBC) from the default configuration + (the patch only changes the default, all the modes are still available + for the config files). + + ok djm@, reminded by tedu@ & naddy@ and discussed with many + - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 + [myproposal.h] + The current sharing of myproposal[] between both client and server code + makes the previous diff highly unpallatable. We want to go in that + direction for the server, but not for the client. Sigh. + Brought up by naddy. + - markus@cvs.openbsd.org 2014/03/27 23:01:27 + [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] + disable weak proposals in sshd, but keep them in ssh; ok djm@ -commit ee87838786cef0194db36ae0675b3e7c4e8ec661 +commit 6e1777f592f15f4559728c78204617537b1ac076 Author: Damien Miller -Date: Wed Jan 22 16:30:15 2014 +1100 +Date: Sun Apr 20 13:02:58 2014 +1000 - - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a - platform that is expected to use the reuse-argv style setproctitle - hack surprises us by providing a setproctitle in libc; ok dtucker + - tedu@cvs.openbsd.org 2014/03/19 14:42:44 + [scp.1] + there is no need for rcp anymore + ok deraadt millert -commit 5c96a154c7940fa67b1f11c421e390dbbc159f27 +commit eb1b7c514d2a7b1802ccee8cd50e565a4d419887 Author: Damien Miller -Date: Tue Jan 21 13:10:26 2014 +1100 - - - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE - and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of - detecting toolchain-related problems; ok dtucker - -commit 9464ba6fb34bb42eb3501ec3c5143662e75674bf -Author: Tim Rice -Date: Mon Jan 20 17:59:28 2014 -0800 - - - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced - with sftp chroot support. Move set_id call after chroot. - -commit a6d573caa14d490e6c42fb991bcb5c6860ec704b -Author: Darren Tucker -Date: Tue Jan 21 12:50:46 2014 +1100 - - - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time - tests in the configure output. ok djm. - -commit 096118dc73ab14810b3c12785c0b5acb01ad6123 -Author: Darren Tucker -Date: Tue Jan 21 12:48:51 2014 +1100 +Date: Sun Apr 20 13:02:26 2014 +1000 - - (dtucker) [configure.ac] Make PIE a configure-time option which defaults - to on platforms where it's known to be reliably detected and off elsewhere. - Works around platforms such as FreeBSD 9.1 where it does not interop with - -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ + - tedu@cvs.openbsd.org 2014/03/17 19:44:10 + [ssh.1] + old descriptions of des and blowfish are old. maybe ok deraadt -commit f9df7f6f477792254eab33cdef71a6d66488cb88 +commit f0858de6e1324ec730752387074b111b8551081e Author: Damien Miller -Date: Mon Jan 20 20:07:15 2014 +1100 - - - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that - skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ - -commit c74e70eb52ccc0082bd5a70b5798bb01c114d138 -Author: Darren Tucker -Date: Mon Jan 20 13:18:09 2014 +1100 +Date: Sun Apr 20 13:01:30 2014 +1000 - - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos - implementation does not have krb5_cc_new_unique, similar to what we do - in auth-krb5.c. + - deraadt@cvs.openbsd.org 2014/03/15 17:28:26 + [ssh-agent.c ssh-keygen.1 ssh-keygen.c] + Improve usage() and documentation towards the standard form. + In particular, this line saves a lot of man page reading time. + usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] + [-N new_passphrase] [-C comment] [-f output_keyfile] + ok schwarze jmc -commit 3510979e83b6a18ec8773c64c3fa04aa08b2e783 +commit 94bfe0fbd6e91a56b5b0ab94ac955d2a67d101aa Author: Damien Miller -Date: Mon Jan 20 12:41:53 2014 +1100 +Date: Sun Apr 20 13:00:51 2014 +1000 - - djm@cvs.openbsd.org 2014/01/20 00:08:48 - [digest.c] - memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ + - naddy@cvs.openbsd.org 2014/03/12 13:06:59 + [ssh-keyscan.1] + scan for Ed25519 keys by default too -commit 7eee358d7a6580479bee5cd7e52810ebfd03e5b2 -Author: Darren Tucker -Date: Sun Jan 19 22:37:02 2014 +1100 +commit 3819519288b2b3928c6882f5883b0f55148f4fc0 +Author: Damien Miller +Date: Sun Apr 20 13:00:28 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/19 11:21:51 - [addrmatch.c] - Cast the sizeof to socklen_t so it'll work even if the supplied len is - negative. Suggested by and ok djm, ok deraadt. + - djm@cvs.openbsd.org 2014/03/12 04:51:12 + [authfile.c] + correct test that kdf name is not "none" or "bcrypt" -commit b7e01c09b56ab26e8fac56bbce0fd25e36d12bb0 -Author: Darren Tucker -Date: Sun Jan 19 22:36:13 2014 +1100 +commit 8f9cd709c7cf0655d414306a0ed28306b33802be +Author: Damien Miller +Date: Sun Apr 20 13:00:11 2014 +1000 - - djm@cvs.openbsd.org 2014/01/19 04:48:08 - [ssh_config.5] - fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal + - djm@cvs.openbsd.org 2014/03/12 04:50:32 + [auth-bsdauth.c ssh-keygen.c] + don't count on things that accept arguments by reference to clear + things for us on error; most things do, but it's unsafe form. -commit 7b1ded04adce42efa25ada7c3a39818d3109b724 -Author: Darren Tucker -Date: Sun Jan 19 15:30:02 2014 +1100 +commit 1c7ef4be83f6dec84509a312518b9df00ab491d9 +Author: Damien Miller +Date: Sun Apr 20 12:59:46 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/19 04:17:29 - [canohost.c addrmatch.c] - Cast socklen_t when comparing to size_t and use socklen_t to iterate over - the ip options, both to prevent signed/unsigned comparison warnings. - Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. + - djm@cvs.openbsd.org 2014/03/12 04:44:58 + [ssh-keyscan.c] + scan for Ed25519 keys by default too -commit 293ee3c9f0796d99ebb033735f0e315f2e0180bf -Author: Darren Tucker -Date: Sun Jan 19 15:28:01 2014 +1100 +commit c10bf4d051c97939b30a1616c0499310057d07da +Author: Damien Miller +Date: Sun Apr 20 12:58:04 2014 +1000 - - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 + - djm@cvs.openbsd.org 2014/03/03 22:22:30 [session.c] - explicitly define USE_PIPES to 1 to prevent redefinition warnings in - portable on platforms that use pipes for everything. From redhat @ - redhat. - -commit 2aca159d05f9e7880d1d8f1ce49a218840057f53 -Author: Darren Tucker -Date: Sun Jan 19 15:25:34 2014 +1100 - - - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 - [sftp-server.c] - fix log message statvfs. ok djm - -commit 841f7da89ae8b367bb502d61c5c41916c6e7ae4c -Author: Darren Tucker -Date: Sat Jan 18 22:12:15 2014 +1100 - - - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the - return value check for cap_enter() consistent with the other uses in - FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140. - -commit fdce3731660699b2429e93e822f2ccbaccd163ae -Author: Darren Tucker -Date: Sat Jan 18 21:12:42 2014 +1100 - - - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs, - optind) are defined in getopt.h already. Unfortunately they are defined as - "declspec(dllimport)" for historical reasons, because the GNU linker didn't - allow auto-import on PE/COFF targets way back when. The problem is the - dllexport attributes collide with the definitions in the various source - files in OpenSSH, which obviousy define the variables without - declspec(dllimport). The least intrusive way to get rid of these warnings - is to disable warnings for GCC compiler attributes when building on Cygwin. - Patch from vinschen at redhat.com. - -commit 1411c9263f46e1ee49d0d302bf7258ebe69ce827 -Author: Darren Tucker -Date: Sat Jan 18 21:03:59 2014 +1100 - - - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function - declarations that stopped being included when we stopped including - from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at - redhat.com. - -commit 89c532d843c95a085777c66365067d64d1937eb9 -Author: Darren Tucker -Date: Sat Jan 18 20:43:49 2014 +1100 - - - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch - from vinschen at redhat.com - -commit 355f861022be7b23d3009fae8f3c9f6f7fc685f7 -Author: Darren Tucker -Date: Sat Jan 18 00:12:38 2014 +1100 - - - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after - they're defined if we have to define them ourselves. Fixes builds on old - AIX. - -commit a3357661ee1d5d553294f36e4940e8285c7f1332 -Author: Darren Tucker -Date: Sat Jan 18 00:03:57 2014 +1100 - - - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on - Solaris. - -commit 9edcbff46ff01c8d5dee9c1aa843f09e9ad8a80e -Author: Darren Tucker -Date: Fri Jan 17 21:54:32 2014 +1100 - - - (dtucker) [configure.ac] Have --without-toolchain-hardening not turn off - stack-protector since that has a separate flag that's been around a while. - -commit 6d725687c490d4ba957a1bbc0ba0a2956c09fa69 -Author: Darren Tucker -Date: Fri Jan 17 19:17:34 2014 +1100 - - - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. - -commit 5055699c7f7c7ef21703a443ec73117da392f6ae -Author: Darren Tucker -Date: Fri Jan 17 18:48:22 2014 +1100 - - - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we - need them to cut down on the name collisions. - -commit a5cf1e220def07290260e4125e74f41ac75cf88d -Author: Darren Tucker -Date: Fri Jan 17 18:10:58 2014 +1100 - - - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c - openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs - to be useful (and for the regression tests to pass) on platforms that - have statfs and fstatfs. ok djm@ - -commit 1357d71d7b6d269969520aaa3e84d312ec971d5b -Author: Darren Tucker -Date: Fri Jan 17 18:00:40 2014 +1100 - - - (dtucker) Fix typo in #ifndef. - -commit d23a91ffb289d3553a58b7a60cec39fba9f0f506 -Author: Darren Tucker -Date: Fri Jan 17 17:32:30 2014 +1100 - - - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c - openbsd-compat/openssl-compat.h] Add compatibility layer for older - openssl versions. ok djm@ + ignore enviornment variables with embedded '=' or '\0' characters; + spotted by Jann Horn; ok deraadt@ + Id sync only - portable already has this. -commit 868ea1ea1c1bfdbee5dbad78f81999c5983ecf31 +commit c2e49062faccbcd7135c40d1c78c5c329c58fc2e Author: Damien Miller -Date: Fri Jan 17 16:47:04 2014 +1100 - - - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c] - [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] - [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing - using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling - Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@ - -commit a9d186a8b50d18869a10e9203abf71c83ddb1f79 -Author: Darren Tucker -Date: Fri Jan 17 16:30:49 2014 +1100 - - - dtucker@cvs.openbsd.org 2014/01/17 05:26:41 - [digest.c] - remove unused includes. ok djm@ - -commit 5f1c57a7a7eb39c0e4fee3367712337dbcaef024 -Author: Darren Tucker -Date: Fri Jan 17 16:29:45 2014 +1100 - - - djm@cvs.openbsd.org 2014/01/17 00:21:06 - [sftp-client.c] - signed/unsigned comparison warning fix; from portable (Id sync only) - -commit c548722361d89fb12c108528f96b306a26477b18 -Author: Darren Tucker -Date: Fri Jan 17 15:12:16 2014 +1100 - - - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into - separate lines and alphabetize for easier diffing of changes. - -commit acad351a5b1c37de9130c9c1710445cc45a7f6b9 -Author: Darren Tucker -Date: Fri Jan 17 14:20:05 2014 +1100 - - - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that - don't have them. - -commit c3ed065ce8417aaa46490836648c173a5010f226 -Author: Darren Tucker -Date: Fri Jan 17 14:18:45 2014 +1100 - - - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside - #ifdef HAVE_STDINT_H. - -commit f45f78ae437062c7d9506c5f475b7215f486be44 -Author: Darren Tucker -Date: Fri Jan 17 12:43:43 2014 +1100 - - - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include - includes.h to pull in all of the compatibility stuff. - -commit 99df369d0340caac145d57f700d830147ff18b87 -Author: Darren Tucker -Date: Fri Jan 17 12:42:17 2014 +1100 - - - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. - -commit ac413b62ea1957e80c711acbe0c11b908273fc01 -Author: Darren Tucker -Date: Fri Jan 17 12:31:33 2014 +1100 - - - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. - -commit 1c4a011e9c939e74815346a560843e1862c300b8 -Author: Darren Tucker -Date: Fri Jan 17 12:23:23 2014 +1100 +Date: Tue Apr 1 14:42:46 2014 +1100 - - (dtucker) [loginrec.c] Cast to the types specfied in the format - specification to prevent warnings. + - (djm) Use full release (e.g. 6.5p1) in debug output rather than just + version. From des@des.no -commit c3d483f9a8275be1113535a1e0d0e384f605f3c4 +commit 14928b7492abec82afa4c2b778fc03f78cd419b6 Author: Damien Miller -Date: Fri Jan 17 11:20:26 2014 +1100 +Date: Tue Apr 1 14:38:07 2014 +1100 - - (djm) [sftp-client.c] signed/unsigned comparison fix + - (djm) On platforms that support it, use prctl() to prevent sftp-server + from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net -commit fd994379dd972417d0491767f7cd9b5bf23f4975 -Author: Darren Tucker -Date: Fri Jan 17 09:53:24 2014 +1100 +commit 48abc47e60048461fe9117e108a7e99ea1ac2bb8 +Author: Damien Miller +Date: Mon Mar 17 14:45:56 2014 +1100 - - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain - hardening flags including -fstack-protector-strong. These default to on - if the toolchain supports them, but there is a configure-time knob - (--without-hardening) to disable them if necessary. ok djm@ + - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to + remind myself to add sandbox violation logging via the log socket. -commit 366224d21768ee8ec28cfbcc5fbade1b32582d58 -Author: Damien Miller -Date: Thu Jan 16 18:51:44 2014 +1100 +commit 9c36698ca2f554ec221dc7ef29c7a89e97c88705 +Author: Tim Rice +Date: Fri Mar 14 12:45:01 2014 -0700 - - (djm) [README] update release notes URL. + 20140314 + - (tim) [opensshd.init.in] Add support for ed25519 -commit 2ae77e64f8fa82cbf25c9755e8e847709b978b40 +commit 19158b2447e35838d69b2b735fb640d1e86061ea Author: Damien Miller -Date: Thu Jan 16 18:51:07 2014 +1100 +Date: Thu Mar 13 13:14:21 2014 +1100 - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank RPM spec version numbers. + - (djm) Release OpenSSH 6.6 -commit 0fa29e6d777c73a1b4ddd3b996b06ee20022ae8a +commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece Author: Damien Miller -Date: Thu Jan 16 18:42:31 2014 +1100 +Date: Tue Mar 4 09:35:17 2014 +1100 - - djm@cvs.openbsd.org 2014/01/16 07:32:00 - [version.h] - openssh-6.5 + - djm@cvs.openbsd.org 2014/03/03 22:22:30 + [session.c] + ignore enviornment variables with embedded '=' or '\0' characters; + spotted by Jann Horn; ok deraadt@ -commit 52c371cd6d2598cc73d4e633811b3012119c47e2 +commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 Author: Damien Miller -Date: Thu Jan 16 18:42:10 2014 +1100 +Date: Sun Mar 2 04:01:00 2014 +1100 - - djm@cvs.openbsd.org 2014/01/16 07:31:09 - [sftp-client.c] - needless and incorrect cast to size_t can break resumption of - large download; patch from tobias@ + - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when + no moduli file exists at the expected location. diff --git a/Makefile.in b/Makefile.in index 40cc7aa..d401787 100644 --- a/Makefile.in +++ b/Makefile.in @@ -91,11 +91,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ - kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ + platform-pledge.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ - roaming_common.o roaming_client.o + sshconnect.o sshconnect1.o sshconnect2.o mux.o SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ audit.o audit-bsm.o audit-linux.o platform.o \ @@ -108,9 +108,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ - sandbox-seccomp-filter.o sandbox-capsicum.o + sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ + sandbox-solaris.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 @@ -178,14 +178,14 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o - $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o + $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) @@ -327,10 +327,6 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 - -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 install-sysconf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ @@ -359,41 +355,19 @@ install-sysconf: host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ - if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \ - echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \ - else \ - ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \ - fi ; \ - if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \ - echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ - else \ - ./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \ - fi ; \ - if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \ - echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \ - else \ - ./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \ - fi ; \ - if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \ - echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \ - else \ - ./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \ - fi ; \ - if [ -z "@COMMENT_OUT_ECC@" ] ; then \ - if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \ - echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \ - else \ - ./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \ - fi ; \ - fi ; \ - fi ; + ./ssh-keygen -A; \ + fi -host-key-force: ssh-keygen$(EXEEXT) - ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" +host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT) + if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \ + ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \ + fi ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N "" - test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N "" + if ./ssh -Q key | grep ecdsa >/dev/null ; then \ + ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""; \ + fi uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config @@ -407,7 +381,6 @@ uninstallall: uninstall -rmdir $(DESTDIR)$(libexecdir) uninstall: - -rm -f $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) @@ -430,7 +403,6 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 regress-prep: [ -d `pwd`/regress ] || mkdir -p `pwd`/regress @@ -462,6 +434,10 @@ regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + UNITTESTS_TEST_HELPER_OBJS=\ regress/unittests/test_helper/test_helper.o \ regress/unittests/test_helper/fuzz.o @@ -510,8 +486,7 @@ regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \ UNITTESTS_TEST_KEX_OBJS=\ regress/unittests/kex/tests.o \ - regress/unittests/kex/test_kex.o \ - roaming_dummy.o + regress/unittests/kex/test_kex.o regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \ regress/unittests/test_helper/libtest_helper.a libssh.a @@ -534,6 +509,7 @@ REGRESS_BINARIES=\ regress/modpipe$(EXEEXT) \ regress/setuid-allowed$(EXEEXT) \ regress/netcat$(EXEEXT) \ + regress/check-perm$(EXEEXT) \ regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \ regress/unittests/sshkey/test_sshkey$(EXEEXT) \ regress/unittests/bitmap/test_bitmap$(EXEEXT) \ diff --git a/README b/README index ea6e228..0dd047a 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-7.1p2 for the release notes. +See http://www.openssh.com/txt/release-7.2p1 for the release notes. Please read http://www.openssh.com/report.html for bug reporting instructions and note that we do not use Github for bug reporting or diff --git a/README.platform b/README.platform index d198232..8d75c16 100644 --- a/README.platform +++ b/README.platform @@ -36,6 +36,9 @@ loginrestrictions() function, in particular that the user has the "rlogin" attribute set. This check is not done for the root account, instead the PermitRootLogin setting in sshd_config is used. +If you are using the IBM compiler you probably want to use CC=xlc rather +than the default of cc. + Cygwin ------ diff --git a/auth-bsdauth.c b/auth-bsdauth.c index 37ff893..e00718f 100644 --- a/auth-bsdauth.c +++ b/auth-bsdauth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -103,7 +103,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses) if (!authctxt->valid) return -1; - if (authctxt->as == 0) + if (authctxt->as == NULL) error("bsdauth_respond: no bsd auth session"); if (numresponses != 1) diff --git a/auth-krb5.c b/auth-krb5.c index 0089b18..d1c5a2f 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -1,8 +1,8 @@ -/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */ +/* $OpenBSD: auth-krb5.c,v 1.21 2016/01/27 06:44:58 djm Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * - * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $ + * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar */ /* * Copyright (c) 2002 Daniel Kouril. All rights reserved. diff --git a/auth-options.c b/auth-options.c index e387697..edbaf80 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -75,19 +75,45 @@ auth_clear_options(void) free(ce->s); free(ce); } - if (forced_command) { - free(forced_command); - forced_command = NULL; - } - if (authorized_principals) { - free(authorized_principals); - authorized_principals = NULL; - } + free(forced_command); + forced_command = NULL; + free(authorized_principals); + authorized_principals = NULL; forced_tun_device = -1; channel_clear_permitted_opens(); } /* + * Match flag 'opt' in *optsp, and if allow_negate is set then also match + * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0 + * if negated option matches. + * If the option or negated option matches, then *optsp is updated to + * point to the first character after the option and, if 'msg' is not NULL + * then a message based on it added via auth_debug_add(). + */ +static int +match_flag(const char *opt, int allow_negate, char **optsp, const char *msg) +{ + size_t opt_len = strlen(opt); + char *opts = *optsp; + int negate = 0; + + if (allow_negate && strncasecmp(opts, "no-", 3) == 0) { + opts += 3; + negate = 1; + } + if (strncasecmp(opts, opt, opt_len) == 0) { + *optsp = opts + opt_len; + if (msg != NULL) { + auth_debug_add("%s %s.", msg, + negate ? "disabled" : "enabled"); + } + return negate ? 0 : 1; + } + return -1; +} + +/* * return 1 if access is granted, 0 if not. * side effect: sets key option flags */ @@ -95,7 +121,7 @@ int auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) { const char *cp; - int i; + int i, r; /* reset options */ auth_clear_options(); @@ -104,52 +130,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) return 1; while (*opts && *opts != ' ' && *opts != '\t') { - cp = "cert-authority"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - key_is_cert_authority = 1; - opts += strlen(cp); + if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) { + key_is_cert_authority = r; goto next_option; } - cp = "no-port-forwarding"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("Port forwarding disabled."); + if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) { + auth_debug_add("Key is restricted."); no_port_forwarding_flag = 1; - opts += strlen(cp); + no_agent_forwarding_flag = 1; + no_x11_forwarding_flag = 1; + no_pty_flag = 1; + no_user_rc = 1; goto next_option; } - cp = "no-agent-forwarding"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("Agent forwarding disabled."); - no_agent_forwarding_flag = 1; - opts += strlen(cp); + if ((r = match_flag("port-forwarding", 1, &opts, + "Port forwarding")) != -1) { + no_port_forwarding_flag = r != 1; goto next_option; } - cp = "no-X11-forwarding"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("X11 forwarding disabled."); - no_x11_forwarding_flag = 1; - opts += strlen(cp); + if ((r = match_flag("agent-forwarding", 1, &opts, + "Agent forwarding")) != -1) { + no_agent_forwarding_flag = r != 1; goto next_option; } - cp = "no-pty"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("Pty allocation disabled."); - no_pty_flag = 1; - opts += strlen(cp); + if ((r = match_flag("x11-forwarding", 1, &opts, + "X11 forwarding")) != -1) { + no_x11_forwarding_flag = r != 1; goto next_option; } - cp = "no-user-rc"; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { - auth_debug_add("User rc file execution disabled."); - no_user_rc = 1; - opts += strlen(cp); + if ((r = match_flag("pty", 1, &opts, + "PTY allocation")) != -1) { + no_pty_flag = r != 1; + goto next_option; + } + if ((r = match_flag("user-rc", 1, &opts, + "User rc execution")) != -1) { + no_user_rc = r != 1; goto next_option; } cp = "command=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); - if (forced_command != NULL) - free(forced_command); + free(forced_command); forced_command = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -179,8 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) cp = "principals=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); - if (authorized_principals != NULL) - free(authorized_principals); + free(authorized_principals); authorized_principals = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -566,8 +587,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, free(*cert_forced_command); *cert_forced_command = NULL; } - if (name != NULL) - free(name); + free(name); sshbuf_free(data); sshbuf_free(c); return ret; @@ -611,8 +631,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw) no_user_rc |= cert_no_user_rc; /* CA-specified forced command supersedes key option */ if (cert_forced_command != NULL) { - if (forced_command != NULL) - free(forced_command); + free(forced_command); forced_command = cert_forced_command; } return 0; diff --git a/auth-pam.c b/auth-pam.c index d94c828..8425af1 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -45,7 +45,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ +/* Based on FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des */ + #include "includes.h" #include diff --git a/auth.h b/auth.h index 8b27575..2160154 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.84 2015/05/08 06:41:56 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.86 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -209,7 +209,7 @@ Key *get_hostkey_private_by_type(int, int, struct ssh *); int get_hostkey_index(Key *, int, struct ssh *); int ssh1_session_key(BIGNUM *); int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *, - const u_char *, size_t, u_int); + const u_char *, size_t, const char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 5aa319c..41b34ae 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -79,19 +79,19 @@ userauth_pubkey(Authctxt *authctxt) { Buffer b; Key *key = NULL; - char *pkalg, *userstyle; + char *pkalg, *userstyle, *fp = NULL; u_char *pkblob, *sig; u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; if (!authctxt->valid) { - debug2("userauth_pubkey: disabled because of invalid user"); + debug2("%s: disabled because of invalid user", __func__); return 0; } have_sig = packet_get_char(); if (datafellows & SSH_BUG_PKAUTH) { - debug2("userauth_pubkey: SSH_BUG_PKAUTH"); + debug2("%s: SSH_BUG_PKAUTH", __func__); /* no explicit pkalg given */ pkblob = packet_get_string(&blen); buffer_init(&b); @@ -106,18 +106,18 @@ userauth_pubkey(Authctxt *authctxt) pktype = key_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ - logit("userauth_pubkey: unsupported public key algorithm: %s", - pkalg); + logit("%s: unsupported public key algorithm: %s", + __func__, pkalg); goto done; } key = key_from_blob(pkblob, blen); if (key == NULL) { - error("userauth_pubkey: cannot decode key: %s", pkalg); + error("%s: cannot decode key: %s", __func__, pkalg); goto done; } if (key->type != pktype) { - error("userauth_pubkey: type mismatch for decoded key " - "(received %d, expected %d)", key->type, pktype); + error("%s: type mismatch for decoded key " + "(received %d, expected %d)", __func__, key->type, pktype); goto done; } if (key_type_plain(key->type) == KEY_RSA && @@ -126,6 +126,7 @@ userauth_pubkey(Authctxt *authctxt) "signature scheme"); goto done; } + fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); if (auth2_userkey_already_used(authctxt, key)) { logit("refusing previously-used %s key", key_type(key)); goto done; @@ -138,6 +139,8 @@ userauth_pubkey(Authctxt *authctxt) } if (have_sig) { + debug3("%s: have signature for %s %s", + __func__, sshkey_type(key), fp); sig = packet_get_string(&slen); packet_check_eom(); buffer_init(&b); @@ -183,7 +186,8 @@ userauth_pubkey(Authctxt *authctxt) buffer_free(&b); free(sig); } else { - debug("test whether pkalg/pkblob are acceptable"); + debug("%s: test whether pkalg/pkblob are acceptable for %s %s", + __func__, sshkey_type(key), fp); packet_check_eom(); /* XXX fake reply and always send PK_OK ? */ @@ -206,11 +210,12 @@ userauth_pubkey(Authctxt *authctxt) if (authenticated != 1) auth_clear_options(); done: - debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); + debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg); if (key != NULL) key_free(key); free(pkalg); free(pkblob); + free(fp); return authenticated; } @@ -796,8 +801,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) free(fp); continue; } - verbose("Accepted certificate ID \"%s\" " + verbose("Accepted certificate ID \"%s\" (serial %llu) " "signed by %s CA %s via %s", key->cert->key_id, + (unsigned long long)key->cert->serial, key_type(found), fp, file); free(fp); found_key = 1; @@ -875,8 +881,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) if (auth_cert_options(key, pw) != 0) goto out; - verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", - key->cert->key_id, key_type(key->cert->signature_key), ca_fp, + verbose("Accepted certificate ID \"%s\" (serial %llu) signed by " + "%s CA %s via %s", key->cert->key_id, + (unsigned long long)key->cert->serial, + key_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys); ret = 1; diff --git a/authfd.c b/authfd.c index eaa1426..a634bcb 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -426,11 +426,24 @@ ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge, } #endif +/* encode signature algoritm in flag bits, so we can keep the msg format */ +static u_int +agent_encode_alg(struct sshkey *key, const char *alg) +{ + if (alg != NULL && key->type == KEY_RSA) { + if (strcmp(alg, "rsa-sha2-256") == 0) + return SSH_AGENT_RSA_SHA2_256; + else if (strcmp(alg, "rsa-sha2-512") == 0) + return SSH_AGENT_RSA_SHA2_512; + } + return 0; +} + /* ask agent to sign data, returns err.h code on error, 0 on success */ int ssh_agent_sign(int sock, struct sshkey *key, u_char **sigp, size_t *lenp, - const u_char *data, size_t datalen, u_int compat) + const u_char *data, size_t datalen, const char *alg, u_int compat) { struct sshbuf *msg; u_char *blob = NULL, type; @@ -449,12 +462,13 @@ ssh_agent_sign(int sock, struct sshkey *key, return SSH_ERR_ALLOC_FAIL; if ((r = sshkey_to_blob(key, &blob, &blen)) != 0) goto out; + flags |= agent_encode_alg(key, alg); if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 || (r = sshbuf_put_string(msg, blob, blen)) != 0 || (r = sshbuf_put_string(msg, data, datalen)) != 0 || (r = sshbuf_put_u32(msg, flags)) != 0) goto out; - if ((r = ssh_request_reply(sock, msg, msg) != 0)) + if ((r = ssh_request_reply(sock, msg, msg)) != 0) goto out; if ((r = sshbuf_get_u8(msg, &type)) != 0) goto out; diff --git a/authfd.h b/authfd.h index bea20c2..4b417e3 100644 --- a/authfd.h +++ b/authfd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.38 2015/01/14 20:05:27 djm Exp $ */ +/* $OpenBSD: authfd.h,v 1.39 2015/12/04 16:41:28 markus Exp $ */ /* * Author: Tatu Ylonen @@ -41,7 +41,7 @@ int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge, u_char session_id[16], u_char response[16]); int ssh_agent_sign(int sock, struct sshkey *key, u_char **sigp, size_t *lenp, - const u_char *data, size_t datalen, u_int compat); + const u_char *data, size_t datalen, const char *alg, u_int compat); /* Messages for the authentication agent connection. */ #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1 @@ -86,5 +86,7 @@ int ssh_agent_sign(int sock, struct sshkey *key, #define SSH_COM_AGENT2_FAILURE 102 #define SSH_AGENT_OLD_SIGNATURE 0x01 +#define SSH_AGENT_RSA_SHA2_256 0x02 +#define SSH_AGENT_RSA_SHA2_512 0x04 #endif /* AUTHFD_H */ diff --git a/authfile.c b/authfile.c index 58f589a..d670424 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.120 2015/12/11 04:21:11 mmcc Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -243,8 +243,7 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase, /* success */ r = 0; out: - if (buffer != NULL) - sshbuf_free(buffer); + sshbuf_free(buffer); return r; } @@ -272,14 +271,13 @@ sshkey_load_private(const char *filename, const char *passphrase, goto out; } if ((r = sshkey_load_file(fd, buffer)) != 0 || - (r = sshkey_parse_private_fileblob(buffer, passphrase, filename, - keyp, commentp)) != 0) + (r = sshkey_parse_private_fileblob(buffer, passphrase, keyp, + commentp)) != 0) goto out; r = 0; out: close(fd); - if (buffer != NULL) - sshbuf_free(buffer); + sshbuf_free(buffer); return r; } @@ -426,10 +424,8 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp) r = 0; out: - if (file != NULL) - free(file); - if (pub != NULL) - sshkey_free(pub); + free(file); + sshkey_free(pub); return r; } @@ -474,10 +470,8 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, *keyp = key; key = NULL; out: - if (key != NULL) - sshkey_free(key); - if (cert != NULL) - sshkey_free(cert); + sshkey_free(key); + sshkey_free(cert); return r; } @@ -538,8 +532,7 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type, } r = SSH_ERR_KEY_NOT_FOUND; out: - if (pub != NULL) - sshkey_free(pub); + sshkey_free(pub); fclose(f); return r; } diff --git a/channels.c b/channels.c index a84b487..c9d2015 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.347 2015/07/01 02:26:31 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.349 2016/02/05 13:28:19 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -662,7 +662,7 @@ channel_open_message(void) case SSH_CHANNEL_INPUT_DRAINING: case SSH_CHANNEL_OUTPUT_DRAINING: snprintf(buf, sizeof buf, - " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n", + " #%d %.300s (t%d r%d i%u/%d o%u/%d fd %d/%d cc %d)\r\n", c->self, c->remote_name, c->type, c->remote_id, c->istate, buffer_len(&c->input), @@ -1896,13 +1896,13 @@ read_mux(Channel *c, u_int need) if (buffer_len(&c->input) < need) { rlen = need - buffer_len(&c->input); len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF)); + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return buffer_len(&c->input); if (len <= 0) { - if (errno != EINTR && errno != EAGAIN) { - debug2("channel %d: ctl read<=0 rfd %d len %d", - c->self, c->rfd, len); - chan_read_failed(c); - return 0; - } + debug2("channel %d: ctl read<=0 rfd %d len %d", + c->self, c->rfd, len); + chan_read_failed(c); + return 0; } else buffer_append(&c->input, buf, len); } diff --git a/cipher.c b/cipher.c index 02dae6f..13847e5 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.100 2015/01/14 10:29:45 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -353,8 +353,7 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher, if (cipher->discard_len > 0) { if ((junk = malloc(cipher->discard_len)) == NULL || (discard = malloc(cipher->discard_len)) == NULL) { - if (junk != NULL) - free(junk); + free(junk); ret = SSH_ERR_ALLOC_FAIL; goto bad; } diff --git a/clientloop.c b/clientloop.c index 87ceb3d..9820455 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */ +/* $OpenBSD: clientloop.c,v 1.284 2016/02/08 10:57:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -111,7 +111,6 @@ #include "sshpty.h" #include "match.h" #include "msg.h" -#include "roaming.h" #include "ssherr.h" #include "hostfile.h" @@ -169,8 +168,6 @@ static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ static void client_init_dispatch(void); int session_ident = -1; -int session_resumed = 0; - /* Track escape per proto2 channel */ struct escape_filter_ctx { int escape_pending; @@ -288,6 +285,9 @@ client_x11_display_valid(const char *display) { size_t i, dlen; + if (display == NULL) + return 0; + dlen = strlen(display); for (i = 0; i < dlen; i++) { if (!isalnum((u_char)display[i]) && @@ -301,35 +301,34 @@ client_x11_display_valid(const char *display) #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" #define X11_TIMEOUT_SLACK 60 -void +int client_x11_get_proto(const char *display, const char *xauth_path, u_int trusted, u_int timeout, char **_proto, char **_data) { - char cmd[1024]; - char line[512]; - char xdisplay[512]; + char cmd[1024], line[512], xdisplay[512]; + char xauthfile[PATH_MAX], xauthdir[PATH_MAX]; static char proto[512], data[512]; FILE *f; - int got_data = 0, generated = 0, do_unlink = 0, i; - char *xauthdir, *xauthfile; + int got_data = 0, generated = 0, do_unlink = 0, i, r; struct stat st; u_int now, x11_timeout_real; - xauthdir = xauthfile = NULL; *_proto = proto; *_data = data; - proto[0] = data[0] = '\0'; + proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0'; - if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { + if (!client_x11_display_valid(display)) { + if (display != NULL) + logit("DISPLAY \"%s\" invalid; disabling X11 forwarding", + display); + return -1; + } + if (xauth_path != NULL && stat(xauth_path, &st) == -1) { debug("No xauth program."); - } else if (!client_x11_display_valid(display)) { - logit("DISPLAY '%s' invalid, falling back to fake xauth data", - display); - } else { - if (display == NULL) { - debug("x11_get_proto: DISPLAY not set"); - return; - } + xauth_path = NULL; + } + + if (xauth_path != NULL) { /* * Handle FamilyLocal case where $DISPLAY does * not match an authorization entry. For this we @@ -338,45 +337,60 @@ client_x11_get_proto(const char *display, const char *xauth_path, * is not perfect. */ if (strncmp(display, "localhost:", 10) == 0) { - snprintf(xdisplay, sizeof(xdisplay), "unix:%s", - display + 10); + if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s", + display + 10)) < 0 || + (size_t)r >= sizeof(xdisplay)) { + error("%s: display name too long", __func__); + return -1; + } display = xdisplay; } if (trusted == 0) { - xauthdir = xmalloc(PATH_MAX); - xauthfile = xmalloc(PATH_MAX); - mktemp_proto(xauthdir, PATH_MAX); /* + * Generate an untrusted X11 auth cookie. + * * The authentication cookie should briefly outlive * ssh's willingness to forward X11 connections to * avoid nasty fail-open behaviour in the X server. */ + mktemp_proto(xauthdir, sizeof(xauthdir)); + if (mkdtemp(xauthdir) == NULL) { + error("%s: mkdtemp: %s", + __func__, strerror(errno)); + return -1; + } + do_unlink = 1; + if ((r = snprintf(xauthfile, sizeof(xauthfile), + "%s/xauthfile", xauthdir)) < 0 || + (size_t)r >= sizeof(xauthfile)) { + error("%s: xauthfile path too long", __func__); + unlink(xauthfile); + rmdir(xauthdir); + return -1; + } + if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK) x11_timeout_real = UINT_MAX; else x11_timeout_real = timeout + X11_TIMEOUT_SLACK; - if (mkdtemp(xauthdir) != NULL) { - do_unlink = 1; - snprintf(xauthfile, PATH_MAX, "%s/xauthfile", - xauthdir); - snprintf(cmd, sizeof(cmd), - "%s -f %s generate %s " SSH_X11_PROTO - " untrusted timeout %u 2>" _PATH_DEVNULL, - xauth_path, xauthfile, display, - x11_timeout_real); - debug2("x11_get_proto: %s", cmd); - if (x11_refuse_time == 0) { - now = monotime() + 1; - if (UINT_MAX - timeout < now) - x11_refuse_time = UINT_MAX; - else - x11_refuse_time = now + timeout; - channel_set_x11_refuse_time( - x11_refuse_time); - } - if (system(cmd) == 0) - generated = 1; + if ((r = snprintf(cmd, sizeof(cmd), + "%s -f %s generate %s " SSH_X11_PROTO + " untrusted timeout %u 2>" _PATH_DEVNULL, + xauth_path, xauthfile, display, + x11_timeout_real)) < 0 || + (size_t)r >= sizeof(cmd)) + fatal("%s: cmd too long", __func__); + debug2("%s: %s", __func__, cmd); + if (x11_refuse_time == 0) { + now = monotime() + 1; + if (UINT_MAX - timeout < now) + x11_refuse_time = UINT_MAX; + else + x11_refuse_time = now + timeout; + channel_set_x11_refuse_time(x11_refuse_time); } + if (system(cmd) == 0) + generated = 1; } /* @@ -398,17 +412,20 @@ client_x11_get_proto(const char *display, const char *xauth_path, got_data = 1; if (f) pclose(f); - } else - error("Warning: untrusted X11 forwarding setup failed: " - "xauth key data not generated"); + } } if (do_unlink) { unlink(xauthfile); rmdir(xauthdir); } - free(xauthdir); - free(xauthfile); + + /* Don't fall back to fake X11 data for untrusted forwarding */ + if (!trusted && !got_data) { + error("Warning: untrusted X11 forwarding setup failed: " + "xauth key data not generated"); + return -1; + } /* * If we didn't get authentication data, just make up some @@ -432,6 +449,8 @@ client_x11_get_proto(const char *display, const char *xauth_path, rnd >>= 8; } } + + return 0; } /* @@ -735,7 +754,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr) static void client_process_net_input(fd_set *readset) { - int len, cont = 0; + int len; char buf[SSH_IOBUFSZ]; /* @@ -744,8 +763,8 @@ client_process_net_input(fd_set *readset) */ if (FD_ISSET(connection_in, readset)) { /* Read as much as possible. */ - len = roaming_read(connection_in, buf, sizeof(buf), &cont); - if (len == 0 && cont == 0) { + len = read(connection_in, buf, sizeof(buf)); + if (len == 0) { /* * Received EOF. The remote host has closed the * connection. @@ -1483,13 +1502,43 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) { fd_set *readset = NULL, *writeset = NULL; double start_time, total_time; - int r, max_fd = 0, max_fd2 = 0, len, rekeying = 0; + int r, max_fd = 0, max_fd2 = 0, len; u_int64_t ibytes, obytes; u_int nalloc = 0; char buf[100]; debug("Entering interactive session."); + if (options.control_master && + ! option_clear_or_none(options.control_path)) { + debug("pledge: id"); + if (pledge("stdio rpath wpath cpath unix inet dns proc exec id tty", + NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + + } else if (options.forward_x11 || options.permit_local_command) { + debug("pledge: exec"); + if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty", + NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + + } else if (options.update_hostkeys) { + debug("pledge: filesystem full"); + if (pledge("stdio rpath wpath cpath unix inet dns proc tty", + NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + + } else if (! option_clear_or_none(options.proxy_command)) { + debug("pledge: proc"); + if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + + } else { + debug("pledge: network"); + if (pledge("stdio unix inet dns tty", NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + } + start_time = get_current_time(); /* Initialize variables. */ @@ -1568,10 +1617,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) if (compat20 && session_closed && !channel_still_open()) break; - rekeying = (active_state->kex != NULL && !active_state->kex->done); - - if (rekeying) { + if (ssh_packet_is_rekeying(active_state)) { debug("rekeying in progress"); + } else if (need_rekeying) { + /* manual rekey request */ + debug("need rekeying"); + if ((r = kex_start_rekex(active_state)) != 0) + fatal("%s: kex_start_rekex: %s", __func__, + ssh_err(r)); + need_rekeying = 0; } else { /* * Make packets of buffered stdin data, and buffer @@ -1602,23 +1656,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) */ max_fd2 = max_fd; client_wait_until_can_do_something(&readset, &writeset, - &max_fd2, &nalloc, rekeying); + &max_fd2, &nalloc, ssh_packet_is_rekeying(active_state)); if (quit_pending) break; /* Do channel operations unless rekeying in progress. */ - if (!rekeying) { + if (!ssh_packet_is_rekeying(active_state)) channel_after_select(readset, writeset); - if (need_rekeying || packet_need_rekeying()) { - debug("need rekeying"); - active_state->kex->done = 0; - if ((r = kex_send_kexinit(active_state)) != 0) - fatal("%s: kex_send_kexinit: %s", - __func__, ssh_err(r)); - need_rekeying = 0; - } - } /* Buffer input from the connection. */ client_process_net_input(readset); @@ -1636,14 +1681,6 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) client_process_output(writeset); } - if (session_resumed) { - connection_in = packet_get_connection_in(); - connection_out = packet_get_connection_out(); - max_fd = MAX(max_fd, connection_out); - max_fd = MAX(max_fd, connection_in); - session_resumed = 0; - } - /* * Send as much buffered packet data as possible to the * sender. @@ -1737,7 +1774,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) } /* Clear and free any buffers. */ - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); buffer_free(&stdin_buffer); buffer_free(&stdout_buffer); buffer_free(&stderr_buffer); diff --git a/clientloop.h b/clientloop.h index 338d451..f4d4c69 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */ +/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */ /* * Author: Tatu Ylonen @@ -39,7 +39,7 @@ /* Client side main loop for the interactive session. */ int client_loop(int, int, int); -void client_x11_get_proto(const char *, const char *, u_int, u_int, +int client_x11_get_proto(const char *, const char *, u_int, u_int, char **, char **); void client_global_request_reply_fwd(int, u_int32_t, void *); void client_session2_setup(int, int, int, const char *, struct termios *, diff --git a/config.h.in b/config.h.in index 7500df5..89bf1b0 100644 --- a/config.h.in +++ b/config.h.in @@ -694,9 +694,6 @@ /* Define to 1 if you have the `network' library (-lnetwork). */ #undef HAVE_LIBNETWORK -/* Define to 1 if you have the `nsl' library (-lnsl). */ -#undef HAVE_LIBNSL - /* Define to 1 if you have the `pam' library (-lpam). */ #undef HAVE_LIBPAM @@ -845,6 +842,9 @@ /* define if you have pid_t data type */ #undef HAVE_PID_T +/* Define to 1 if you have the `pledge' function. */ +#undef HAVE_PLEDGE + /* Define to 1 if you have the `poll' function. */ #undef HAVE_POLL @@ -854,6 +854,12 @@ /* Define to 1 if you have the `prctl' function. */ #undef HAVE_PRCTL +/* Define to 1 if you have the `priv_basicset' function. */ +#undef HAVE_PRIV_BASICSET + +/* Define to 1 if you have the header file. */ +#undef HAVE_PRIV_H + /* Define if you have /proc/$pid/fd */ #undef HAVE_PROC_PID @@ -956,6 +962,9 @@ /* Define to 1 if you have the `setpcred' function. */ #undef HAVE_SETPCRED +/* Define to 1 if you have the `setppriv' function. */ +#undef HAVE_SETPPRIV + /* Define to 1 if you have the `setproctitle' function. */ #undef HAVE_SETPROCTITLE @@ -1444,6 +1453,9 @@ /* Define if you don't want to use lastlog in session.c */ #undef NO_SSH_LASTLOG +/* Define to disable UID restoration test */ +#undef NO_UID_RESTORATION_TEST + /* Define if X11 doesn't support AF_UNIX sockets on that system */ #undef NO_X11_UNIX_SOCKETS @@ -1520,6 +1532,9 @@ /* no privsep sandboxing */ #undef SANDBOX_NULL +/* Sandbox using pledge(2) */ +#undef SANDBOX_PLEDGE + /* Sandbox using setrlimit(2) */ #undef SANDBOX_RLIMIT @@ -1532,6 +1547,9 @@ /* define if setrlimit RLIMIT_NOFILE breaks things */ #undef SANDBOX_SKIP_RLIMIT_NOFILE +/* Sandbox using Solaris/Illumos privileges */ +#undef SANDBOX_SOLARIS + /* Sandbox using systrace(4) */ #undef SANDBOX_SYSTRACE @@ -1638,6 +1656,9 @@ /* Use PIPES instead of a socketpair() */ #undef USE_PIPES +/* Define if you have Solaris privileges */ +#undef USE_SOLARIS_PRIVS + /* Define if you have Solaris process contracts */ #undef USE_SOLARIS_PROCESS_CONTRACTS diff --git a/configure b/configure index 0d7a5b9..2a46ba9 100755 --- a/configure +++ b/configure @@ -1320,7 +1320,7 @@ Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** - --without-ssh1 Enable support for SSH protocol 1 + --with-ssh1 Enable support for SSH protocol 1 --without-stackprotect Don't use compiler's stack protection --without-hardening Don't use toolchain hardening flags --without-rpath Disable auto-added -R linker paths @@ -1331,6 +1331,7 @@ Optional Packages: --with-Werror Build main code with -Werror --with-solaris-contracts Enable Solaris process contracts (experimental) --with-solaris-projects Enable Solaris projects (experimental) + --with-solaris-privs Enable Solaris/Illumos privileges (experimental) --with-osfsia Enable Digital Unix SIA --with-zlib=PATH Use zlib in PATH --without-zlib-version-check Disable zlib version check @@ -1346,7 +1347,7 @@ Optional Packages: --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool) --with-pam Enable PAM support --with-privsep-user=user Specify non-privileged user for privilege separation - --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) + --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge) --with-selinux Enable SELinux support --with-kerberos5=PATH Enable Kerberos 5 support --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) @@ -7972,6 +7973,11 @@ done SIA_MSG="no" SPC_MSG="no" SP_MSG="no" +SPP_MSG="no" + +# Support for Solaris/Illumos privileges (this test is used by both +# the --with-solaris-privs option and --with-sandbox=solaris). +SOLARIS_PRIVS="no" # Check for some target-specific stuff case "$host" in @@ -8960,6 +8966,11 @@ _ACEOF cat >>confdefs.h <<\_ACEOF +#define NO_UID_RESTORATION_TEST 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF #define DISABLE_SHADOW 1 _ACEOF @@ -9491,6 +9502,73 @@ fi done + { echo "$as_me:$LINENO: checking for sandbox_apply in -lsandbox" >&5 +echo $ECHO_N "checking for sandbox_apply in -lsandbox... $ECHO_C" >&6; } +if test "${ac_cv_lib_sandbox_sandbox_apply+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsandbox $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char sandbox_apply (); +int +main () +{ +return sandbox_apply (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_lib_sandbox_sandbox_apply=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_sandbox_sandbox_apply=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_lib_sandbox_sandbox_apply" >&5 +echo "${ECHO_T}$ac_cv_lib_sandbox_sandbox_apply" >&6; } +if test $ac_cv_lib_sandbox_sandbox_apply = yes; then + + SSHDLIBS="$SSHDLIBS -lsandbox" + +fi + ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" @@ -10789,167 +10867,7 @@ _ACEOF echo "${ECHO_T}no" >&6; } fi -# Check whether --with-solaris-contracts was given. -if test "${with_solaris_contracts+set}" = set; then - withval=$with_solaris_contracts; - { echo "$as_me:$LINENO: checking for ct_tmpl_activate in -lcontract" >&5 -echo $ECHO_N "checking for ct_tmpl_activate in -lcontract... $ECHO_C" >&6; } -if test "${ac_cv_lib_contract_ct_tmpl_activate+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcontract $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char ct_tmpl_activate (); -int -main () -{ -return ct_tmpl_activate (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_contract_ct_tmpl_activate=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_contract_ct_tmpl_activate=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_contract_ct_tmpl_activate" >&5 -echo "${ECHO_T}$ac_cv_lib_contract_ct_tmpl_activate" >&6; } -if test $ac_cv_lib_contract_ct_tmpl_activate = yes; then - -cat >>confdefs.h <<\_ACEOF -#define USE_SOLARIS_PROCESS_CONTRACTS 1 -_ACEOF - - SSHDLIBS="$SSHDLIBS -lcontract" - SPC_MSG="yes" -fi - - -fi - - -# Check whether --with-solaris-projects was given. -if test "${with_solaris_projects+set}" = set; then - withval=$with_solaris_projects; - { echo "$as_me:$LINENO: checking for setproject in -lproject" >&5 -echo $ECHO_N "checking for setproject in -lproject... $ECHO_C" >&6; } -if test "${ac_cv_lib_project_setproject+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lproject $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char setproject (); -int -main () -{ -return setproject (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_project_setproject=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_project_setproject=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_project_setproject" >&5 -echo "${ECHO_T}$ac_cv_lib_project_setproject" >&6; } -if test $ac_cv_lib_project_setproject = yes; then - -cat >>confdefs.h <<\_ACEOF -#define USE_SOLARIS_PROJECTS 1 -_ACEOF - - SSHDLIBS="$SSHDLIBS -lproject" - SP_MSG="yes" -fi - - -fi - - TEST_SHELL=$SHELL # let configure find us a capable shell - ;; -*-*-sunos4*) - CPPFLAGS="$CPPFLAGS -DSUNOS4" - -for ac_func in getpwanam +for ac_func in setppriv do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -11042,57 +10960,37 @@ _ACEOF fi done - cat >>confdefs.h <<\_ACEOF -#define PAM_SUN_CODEBASE 1 -_ACEOF - conf_utmp_location=/etc/utmp - conf_wtmp_location=/var/adm/wtmp - conf_lastlog_location=/var/adm/lastlog - cat >>confdefs.h <<\_ACEOF -#define USE_PIPES 1 -_ACEOF - - ;; -*-ncr-sysv*) - LIBS="$LIBS -lc89" - cat >>confdefs.h <<\_ACEOF -#define USE_PIPES 1 -_ACEOF - - cat >>confdefs.h <<\_ACEOF -#define SSHD_ACQUIRES_CTTY 1 -_ACEOF - - cat >>confdefs.h <<\_ACEOF -#define SETEUID_BREAKS_SETUID 1 -_ACEOF - - cat >>confdefs.h <<\_ACEOF -#define BROKEN_SETREUID 1 -_ACEOF - - cat >>confdefs.h <<\_ACEOF -#define BROKEN_SETREGID 1 -_ACEOF - - ;; -*-sni-sysv*) - # /usr/ucblib MUST NOT be searched on ReliantUNIX - -{ echo "$as_me:$LINENO: checking for dlsym in -ldl" >&5 -echo $ECHO_N "checking for dlsym in -ldl... $ECHO_C" >&6; } -if test "${ac_cv_lib_dl_dlsym+set}" = set; then +for ac_func in priv_basicset +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC @@ -11100,11 +10998,556 @@ cat >>conftest.$ac_ext <<_ACEOF #ifdef __cplusplus extern "C" #endif -char dlsym (); +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + int main () { -return dlsym (); +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +for ac_header in priv.h +do +as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +else + # Is the header compilable? +{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } + +# Is the header present? +{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + ( cat <<\_ASBOX +## ------------------------------------------- ## +## Report this to openssh-unix-dev@mindrot.org ## +## ------------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } + +fi +if test `eval echo '${'$as_ac_Header'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + +# Check whether --with-solaris-contracts was given. +if test "${with_solaris_contracts+set}" = set; then + withval=$with_solaris_contracts; + { echo "$as_me:$LINENO: checking for ct_tmpl_activate in -lcontract" >&5 +echo $ECHO_N "checking for ct_tmpl_activate in -lcontract... $ECHO_C" >&6; } +if test "${ac_cv_lib_contract_ct_tmpl_activate+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcontract $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ct_tmpl_activate (); +int +main () +{ +return ct_tmpl_activate (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_lib_contract_ct_tmpl_activate=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_contract_ct_tmpl_activate=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_lib_contract_ct_tmpl_activate" >&5 +echo "${ECHO_T}$ac_cv_lib_contract_ct_tmpl_activate" >&6; } +if test $ac_cv_lib_contract_ct_tmpl_activate = yes; then + +cat >>confdefs.h <<\_ACEOF +#define USE_SOLARIS_PROCESS_CONTRACTS 1 +_ACEOF + + LIBS="$LIBS -lcontract" + SPC_MSG="yes" +fi + + +fi + + +# Check whether --with-solaris-projects was given. +if test "${with_solaris_projects+set}" = set; then + withval=$with_solaris_projects; + { echo "$as_me:$LINENO: checking for setproject in -lproject" >&5 +echo $ECHO_N "checking for setproject in -lproject... $ECHO_C" >&6; } +if test "${ac_cv_lib_project_setproject+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lproject $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char setproject (); +int +main () +{ +return setproject (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_lib_project_setproject=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_project_setproject=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_lib_project_setproject" >&5 +echo "${ECHO_T}$ac_cv_lib_project_setproject" >&6; } +if test $ac_cv_lib_project_setproject = yes; then + +cat >>confdefs.h <<\_ACEOF +#define USE_SOLARIS_PROJECTS 1 +_ACEOF + + LIBS="$LIBS -lproject" + SP_MSG="yes" +fi + + +fi + + +# Check whether --with-solaris-privs was given. +if test "${with_solaris_privs+set}" = set; then + withval=$with_solaris_privs; + { echo "$as_me:$LINENO: checking for Solaris/Illumos privilege support" >&5 +echo $ECHO_N "checking for Solaris/Illumos privilege support... $ECHO_C" >&6; } + if test "x$ac_cv_func_setppriv" = "xyes" -a \ + "x$ac_cv_header_priv_h" = "xyes" ; then + SOLARIS_PRIVS=yes + { echo "$as_me:$LINENO: result: found" >&5 +echo "${ECHO_T}found" >&6; } + +cat >>confdefs.h <<\_ACEOF +#define NO_UID_RESTORATION_TEST 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define USE_SOLARIS_PRIVS 1 +_ACEOF + + SPP_MSG="yes" + else + { echo "$as_me:$LINENO: result: not found" >&5 +echo "${ECHO_T}not found" >&6; } + { { echo "$as_me:$LINENO: error: *** must have support for Solaris privileges to use --with-solaris-privs" >&5 +echo "$as_me: error: *** must have support for Solaris privileges to use --with-solaris-privs" >&2;} + { (exit 1); exit 1; }; } + fi + +fi + + TEST_SHELL=$SHELL # let configure find us a capable shell + ;; +*-*-sunos4*) + CPPFLAGS="$CPPFLAGS -DSUNOS4" + +for ac_func in getpwanam +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + cat >>confdefs.h <<\_ACEOF +#define PAM_SUN_CODEBASE 1 +_ACEOF + + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + cat >>confdefs.h <<\_ACEOF +#define USE_PIPES 1 +_ACEOF + + ;; +*-ncr-sysv*) + LIBS="$LIBS -lc89" + cat >>confdefs.h <<\_ACEOF +#define USE_PIPES 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define SSHD_ACQUIRES_CTTY 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define SETEUID_BREAKS_SETUID 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define BROKEN_SETREUID 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define BROKEN_SETREGID 1 +_ACEOF + + ;; +*-sni-sysv*) + # /usr/ucblib MUST NOT be searched on ReliantUNIX + +{ echo "$as_me:$LINENO: checking for dlsym in -ldl" >&5 +echo $ECHO_N "checking for dlsym in -ldl... $ECHO_C" >&6; } +if test "${ac_cv_lib_dl_dlsym+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlsym (); +int +main () +{ +return dlsym (); ; return 0; } @@ -11942,163 +12385,6 @@ fi # Checks for libraries. -{ echo "$as_me:$LINENO: checking for yp_match" >&5 -echo $ECHO_N "checking for yp_match... $ECHO_C" >&6; } -if test "${ac_cv_func_yp_match+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define yp_match to an innocuous variant, in case declares yp_match. - For example, HP-UX 11i declares gettimeofday. */ -#define yp_match innocuous_yp_match - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char yp_match (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef yp_match - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char yp_match (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_yp_match || defined __stub___yp_match -choke me -#endif - -int -main () -{ -return yp_match (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_func_yp_match=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_func_yp_match=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -{ echo "$as_me:$LINENO: result: $ac_cv_func_yp_match" >&5 -echo "${ECHO_T}$ac_cv_func_yp_match" >&6; } -if test $ac_cv_func_yp_match = yes; then - : -else - -{ echo "$as_me:$LINENO: checking for yp_match in -lnsl" >&5 -echo $ECHO_N "checking for yp_match in -lnsl... $ECHO_C" >&6; } -if test "${ac_cv_lib_nsl_yp_match+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lnsl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char yp_match (); -int -main () -{ -return yp_match (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_nsl_yp_match=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_nsl_yp_match=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_yp_match" >&5 -echo "${ECHO_T}$ac_cv_lib_nsl_yp_match" >&6; } -if test $ac_cv_lib_nsl_yp_match = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBNSL 1 -_ACEOF - - LIBS="-lnsl $LIBS" - -fi - -fi - { echo "$as_me:$LINENO: checking for setsockopt" >&5 echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6; } if test "${ac_cv_func_setsockopt+set}" = set; then @@ -14219,7 +14505,256 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && $as_test_x conftest$ac_exeext; then - ac_cv_search_logout=$ac_res + ac_cv_search_logout=$ac_res +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_logout+set}" = set; then + break +fi +done +if test "${ac_cv_search_logout+set}" = set; then + : +else + ac_cv_search_logout=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_search_logout" >&5 +echo "${ECHO_T}$ac_cv_search_logout" >&6; } +ac_res=$ac_cv_search_logout +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ echo "$as_me:$LINENO: checking for library containing logwtmp" >&5 +echo $ECHO_N "checking for library containing logwtmp... $ECHO_C" >&6; } +if test "${ac_cv_search_logwtmp+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char logwtmp (); +int +main () +{ +return logwtmp (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_logwtmp=$ac_res +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_logwtmp+set}" = set; then + break +fi +done +if test "${ac_cv_search_logwtmp+set}" = set; then + : +else + ac_cv_search_logwtmp=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_search_logwtmp" >&5 +echo "${ECHO_T}$ac_cv_search_logwtmp" >&6; } +ac_res=$ac_cv_search_logwtmp +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ echo "$as_me:$LINENO: checking for library containing openpty" >&5 +echo $ECHO_N "checking for library containing openpty... $ECHO_C" >&6; } +if test "${ac_cv_search_openpty+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char openpty (); +int +main () +{ +return openpty (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_openpty=$ac_res +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_openpty+set}" = set; then + break +fi +done +if test "${ac_cv_search_openpty+set}" = set; then + : +else + ac_cv_search_openpty=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_search_openpty" >&5 +echo "${ECHO_T}$ac_cv_search_openpty" >&6; } +ac_res=$ac_cv_search_openpty +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +{ echo "$as_me:$LINENO: checking for library containing updwtmp" >&5 +echo $ECHO_N "checking for library containing updwtmp... $ECHO_C" >&6; } +if test "${ac_cv_search_updwtmp+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char updwtmp (); +int +main () +{ +return updwtmp (); + ; + return 0; +} +_ACEOF +for ac_lib in '' util bsd; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_updwtmp=$ac_res else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -14229,121 +14764,63 @@ fi rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext - if test "${ac_cv_search_logout+set}" = set; then + if test "${ac_cv_search_updwtmp+set}" = set; then break fi done -if test "${ac_cv_search_logout+set}" = set; then +if test "${ac_cv_search_updwtmp+set}" = set; then : else - ac_cv_search_logout=no + ac_cv_search_updwtmp=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_search_logout" >&5 -echo "${ECHO_T}$ac_cv_search_logout" >&6; } -ac_res=$ac_cv_search_logout +{ echo "$as_me:$LINENO: result: $ac_cv_search_updwtmp" >&5 +echo "${ECHO_T}$ac_cv_search_updwtmp" >&6; } +ac_res=$ac_cv_search_updwtmp if test "$ac_res" != no; then test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi -{ echo "$as_me:$LINENO: checking for library containing logwtmp" >&5 -echo $ECHO_N "checking for library containing logwtmp... $ECHO_C" >&6; } -if test "${ac_cv_search_logwtmp+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_func_search_save_LIBS=$LIBS -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char logwtmp (); -int -main () -{ -return logwtmp (); - ; - return 0; -} -_ACEOF -for ac_lib in '' util bsd; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_search_logwtmp=$ac_res -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 -fi -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext - if test "${ac_cv_search_logwtmp+set}" = set; then - break -fi -done -if test "${ac_cv_search_logwtmp+set}" = set; then - : -else - ac_cv_search_logwtmp=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_search_logwtmp" >&5 -echo "${ECHO_T}$ac_cv_search_logwtmp" >&6; } -ac_res=$ac_cv_search_logwtmp -if test "$ac_res" != no; then - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" -fi -{ echo "$as_me:$LINENO: checking for library containing openpty" >&5 -echo $ECHO_N "checking for library containing openpty... $ECHO_C" >&6; } -if test "${ac_cv_search_openpty+set}" = set; then + +for ac_func in fmt_scaled scan_scaled login logout openpty updwtmp logwtmp +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - ac_func_search_save_LIBS=$LIBS -cat >conftest.$ac_ext <<_ACEOF + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC @@ -14351,23 +14828,23 @@ cat >>conftest.$ac_ext <<_ACEOF #ifdef __cplusplus extern "C" #endif -char openpty (); +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + int main () { -return openpty (); +return $ac_func (); ; return 0; } _ACEOF -for ac_lib in '' util bsd; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - rm -f conftest.$ac_objext conftest$ac_exeext +rm -f conftest.$ac_objext conftest$ac_exeext if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; @@ -14385,39 +14862,34 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && $as_test_x conftest$ac_exeext; then - ac_cv_search_openpty=$ac_res + eval "$as_ac_var=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - + eval "$as_ac_var=no" fi rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext - if test "${ac_cv_search_openpty+set}" = set; then - break -fi -done -if test "${ac_cv_search_openpty+set}" = set; then - : -else - ac_cv_search_openpty=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS + conftest$ac_exeext conftest.$ac_ext fi -{ echo "$as_me:$LINENO: result: $ac_cv_search_openpty" >&5 -echo "${ECHO_T}$ac_cv_search_openpty" >&6; } -ac_res=$ac_cv_search_openpty -if test "$ac_res" != no; then - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF fi +done -{ echo "$as_me:$LINENO: checking for library containing updwtmp" >&5 -echo $ECHO_N "checking for library containing updwtmp... $ECHO_C" >&6; } -if test "${ac_cv_search_updwtmp+set}" = set; then + +# On some platforms, inet_ntop and gethostbyname may be found in libresolv +# or libnsl. +{ echo "$as_me:$LINENO: checking for library containing inet_ntop" >&5 +echo $ECHO_N "checking for library containing inet_ntop... $ECHO_C" >&6; } +if test "${ac_cv_search_inet_ntop+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_func_search_save_LIBS=$LIBS @@ -14434,16 +14906,16 @@ cat >>conftest.$ac_ext <<_ACEOF #ifdef __cplusplus extern "C" #endif -char updwtmp (); +char inet_ntop (); int main () { -return updwtmp (); +return inet_ntop (); ; return 0; } _ACEOF -for ac_lib in '' util bsd; do +for ac_lib in '' resolv nsl; do if test -z "$ac_lib"; then ac_res="none required" else @@ -14468,7 +14940,7 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && $as_test_x conftest$ac_exeext; then - ac_cv_search_updwtmp=$ac_res + ac_cv_search_inet_ntop=$ac_res else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -14478,131 +14950,29 @@ fi rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext - if test "${ac_cv_search_updwtmp+set}" = set; then + if test "${ac_cv_search_inet_ntop+set}" = set; then break fi done -if test "${ac_cv_search_updwtmp+set}" = set; then +if test "${ac_cv_search_inet_ntop+set}" = set; then : else - ac_cv_search_updwtmp=no + ac_cv_search_inet_ntop=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_search_updwtmp" >&5 -echo "${ECHO_T}$ac_cv_search_updwtmp" >&6; } -ac_res=$ac_cv_search_updwtmp +{ echo "$as_me:$LINENO: result: $ac_cv_search_inet_ntop" >&5 +echo "${ECHO_T}$ac_cv_search_inet_ntop" >&6; } +ac_res=$ac_cv_search_inet_ntop if test "$ac_res" != no; then test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi - - - - - - - -for ac_func in fmt_scaled scan_scaled login logout openpty updwtmp logwtmp -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -{ echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } -if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case declares $ac_func. - For example, HP-UX 11i declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $ac_func - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$ac_func || defined __stub___$ac_func -choke me -#endif - -int -main () -{ -return $ac_func (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - eval "$as_ac_var=no" -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -ac_res=`eval echo '${'$as_ac_var'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - -# On some platforms, inet_ntop may be found in libresolv or libnsl. -{ echo "$as_me:$LINENO: checking for library containing inet_ntop" >&5 -echo $ECHO_N "checking for library containing inet_ntop... $ECHO_C" >&6; } -if test "${ac_cv_search_inet_ntop+set}" = set; then +{ echo "$as_me:$LINENO: checking for library containing gethostbyname" >&5 +echo $ECHO_N "checking for library containing gethostbyname... $ECHO_C" >&6; } +if test "${ac_cv_search_gethostbyname+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_func_search_save_LIBS=$LIBS @@ -14619,11 +14989,11 @@ cat >>conftest.$ac_ext <<_ACEOF #ifdef __cplusplus extern "C" #endif -char inet_ntop (); +char gethostbyname (); int main () { -return inet_ntop (); +return gethostbyname (); ; return 0; } @@ -14653,7 +15023,7 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && $as_test_x conftest$ac_exeext; then - ac_cv_search_inet_ntop=$ac_res + ac_cv_search_gethostbyname=$ac_res else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 @@ -14663,21 +15033,21 @@ fi rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext - if test "${ac_cv_search_inet_ntop+set}" = set; then + if test "${ac_cv_search_gethostbyname+set}" = set; then break fi done -if test "${ac_cv_search_inet_ntop+set}" = set; then +if test "${ac_cv_search_gethostbyname+set}" = set; then : else - ac_cv_search_inet_ntop=no + ac_cv_search_gethostbyname=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ echo "$as_me:$LINENO: result: $ac_cv_search_inet_ntop" >&5 -echo "${ECHO_T}$ac_cv_search_inet_ntop" >&6; } -ac_res=$ac_cv_search_inet_ntop +{ echo "$as_me:$LINENO: result: $ac_cv_search_gethostbyname" >&5 +echo "${ECHO_T}$ac_cv_search_gethostbyname" >&6; } +ac_res=$ac_cv_search_gethostbyname if test "$ac_res" != no; then test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" @@ -16524,6 +16894,7 @@ fi + for ac_func in \ Blowfish_initstate \ Blowfish_expandstate \ @@ -16579,6 +16950,7 @@ for ac_func in \ nsleep \ ogetaddrinfo \ openlog_r \ + pledge \ poll \ prctl \ pstat \ @@ -20707,12 +21079,12 @@ openssl_engine=no # Check whether --with-ssl-engine was given. if test "${with_ssl_engine+set}" = set; then withval=$with_ssl_engine; - if test "x$openssl" = "xno" ; then - { { echo "$as_me:$LINENO: error: cannot use --with-ssl-engine when OpenSSL disabled" >&5 + if test "x$withval" != "xno" ; then + if test "x$openssl" = "xno" ; then + { { echo "$as_me:$LINENO: error: cannot use --with-ssl-engine when OpenSSL disabled" >&5 echo "$as_me: error: cannot use --with-ssl-engine when OpenSSL disabled" >&2;} { (exit 1); exit 1; }; } - fi - if test "x$withval" != "xno" ; then + fi openssl_engine=yes fi @@ -20999,6 +21371,7 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ + #include #include #include #include @@ -21015,7 +21388,8 @@ main () if(fd == NULL) exit(1); - if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + if ((rc = fprintf(fd ,"%08lx (%s)\n", + (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) exit(1); exit(0); @@ -21184,6 +21558,7 @@ cat >>conftest.$ac_ext <<_ACEOF #include #include + #include int main () @@ -24145,7 +24520,19 @@ fi -if test "x$sandbox_arg" = "xsystrace" || \ +if test "x$sandbox_arg" = "xpledge" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then + test "x$ac_cv_func_pledge" != "xyes" && \ + { { echo "$as_me:$LINENO: error: pledge sandbox requires pledge(2) support" >&5 +echo "$as_me: error: pledge sandbox requires pledge(2) support" >&2;} + { (exit 1); exit 1; }; } + SANDBOX_STYLE="pledge" + +cat >>confdefs.h <<\_ACEOF +#define SANDBOX_PLEDGE 1 +_ACEOF + +elif test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then test "x$have_systr_policy_kill" != "x1" && \ { { echo "$as_me:$LINENO: error: systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support" >&5 @@ -24238,6 +24625,14 @@ cat >>confdefs.h <<\_ACEOF #define SANDBOX_RLIMIT 1 _ACEOF +elif test "x$sandbox_arg" = "xsolaris" || \ + ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then + SANDBOX_STYLE="solaris" + +cat >>confdefs.h <<\_ACEOF +#define SANDBOX_SOLARIS 1 +_ACEOF + elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then SANDBOX_STYLE="none" @@ -31719,6 +32114,9 @@ int main () { +struct __res_state *volatile p = &_res; /* force resolution of _res */ +return 0; + ; return 0; } @@ -36811,6 +37209,7 @@ echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" echo " Solaris project support: $SP_MSG" +echo " Solaris privilege support: $SPP_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" diff --git a/configure.ac b/configure.ac index 9b05c30..7258cc0 100644 --- a/configure.ac +++ b/configure.ac @@ -140,7 +140,7 @@ else fi AC_ARG_WITH([ssh1], - [ --without-ssh1 Enable support for SSH protocol 1], + [ --with-ssh1 Enable support for SSH protocol 1], [ if test "x$withval" = "xyes" ; then if test "x$openssl" = "xno" ; then @@ -469,6 +469,11 @@ AC_CHECK_HEADERS([sys/un.h], [], [], [ SIA_MSG="no" SPC_MSG="no" SP_MSG="no" +SPP_MSG="no" + +# Support for Solaris/Illumos privileges (this test is used by both +# the --with-solaris-privs option and --with-sandbox=solaris). +SOLARIS_PRIVS="no" # Check for some target-specific stuff case "$host" in @@ -575,6 +580,8 @@ case "$host" in LIBS="$LIBS /usr/lib/textreadmode.o" AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin]) AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()]) + AC_DEFINE([NO_UID_RESTORATION_TEST], [1], + [Define to disable UID restoration test]) AC_DEFINE([DISABLE_SHADOW], [1], [Define if you want to disable shadow passwords]) AC_DEFINE([NO_X11_UNIX_SOCKETS], [1], @@ -637,6 +644,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) supported by bsd-setproctitle.c]) AC_CHECK_FUNCS([sandbox_init]) AC_CHECK_HEADERS([sandbox.h]) + AC_CHECK_LIB([sandbox], [sandbox_apply], [ + SSHDLIBS="$SSHDLIBS -lsandbox" + ]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" @@ -889,13 +899,16 @@ mips-sony-bsd|mips-sony-newsos4) else AC_MSG_RESULT([no]) fi + AC_CHECK_FUNCS([setppriv]) + AC_CHECK_FUNCS([priv_basicset]) + AC_CHECK_HEADERS([priv.h]) AC_ARG_WITH([solaris-contracts], [ --with-solaris-contracts Enable Solaris process contracts (experimental)], [ AC_CHECK_LIB([contract], [ct_tmpl_activate], [ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1], [Define if you have Solaris process contracts]) - SSHDLIBS="$SSHDLIBS -lcontract" + LIBS="$LIBS -lcontract" SPC_MSG="yes" ], ) ], ) @@ -905,10 +918,29 @@ mips-sony-bsd|mips-sony-newsos4) AC_CHECK_LIB([project], [setproject], [ AC_DEFINE([USE_SOLARIS_PROJECTS], [1], [Define if you have Solaris projects]) - SSHDLIBS="$SSHDLIBS -lproject" + LIBS="$LIBS -lproject" SP_MSG="yes" ], ) ], ) + AC_ARG_WITH([solaris-privs], + [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], + [ + AC_MSG_CHECKING([for Solaris/Illumos privilege support]) + if test "x$ac_cv_func_setppriv" = "xyes" -a \ + "x$ac_cv_header_priv_h" = "xyes" ; then + SOLARIS_PRIVS=yes + AC_MSG_RESULT([found]) + AC_DEFINE([NO_UID_RESTORATION_TEST], [1], + [Define to disable UID restoration test]) + AC_DEFINE([USE_SOLARIS_PRIVS], [1], + [Define if you have Solaris privileges]) + SPP_MSG="yes" + else + AC_MSG_RESULT([not found]) + AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs]) + fi + ], + ) TEST_SHELL=$SHELL # let configure find us a capable shell ;; *-*-sunos4*) @@ -1122,7 +1154,6 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ exit(0); ]])], dnl Checks for header files. # Checks for libraries. -AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])]) AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])]) dnl IRIX and Solaris 2.5.1 have dirname() in libgen @@ -1286,8 +1317,10 @@ AC_SEARCH_LIBS([openpty], [util bsd]) AC_SEARCH_LIBS([updwtmp], [util bsd]) AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) -# On some platforms, inet_ntop may be found in libresolv or libnsl. +# On some platforms, inet_ntop and gethostbyname may be found in libresolv +# or libnsl. AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) +AC_SEARCH_LIBS([gethostbyname], [resolv nsl]) AC_FUNC_STRFTIME @@ -1669,6 +1702,7 @@ AC_CHECK_FUNCS([ \ nsleep \ ogetaddrinfo \ openlog_r \ + pledge \ poll \ prctl \ pstat \ @@ -2309,10 +2343,10 @@ openssl_engine=no AC_ARG_WITH([ssl-engine], [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], [ - if test "x$openssl" = "xno" ; then - AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) - fi if test "x$withval" != "xno" ; then + if test "x$openssl" = "xno" ; then + AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) + fi openssl_engine=yes fi ] @@ -2345,6 +2379,7 @@ if test "x$openssl" = "xyes" ; then AC_MSG_CHECKING([OpenSSL header version]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ + #include #include #include #include @@ -2357,7 +2392,8 @@ if test "x$openssl" = "xyes" ; then if(fd == NULL) exit(1); - if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + if ((rc = fprintf(fd ,"%08lx (%s)\n", + (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) exit(1); exit(0); @@ -2424,6 +2460,7 @@ if test "x$openssl" = "xyes" ; then [AC_LANG_PROGRAM([[ #include #include + #include ]], [[ exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); ]])], @@ -2998,7 +3035,7 @@ fi # Decide which sandbox style to use sandbox_arg="" AC_ARG_WITH([sandbox], - [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], + [ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)], [ if test "x$withval" = "xyes" ; then sandbox_arg="" @@ -3094,7 +3131,13 @@ AC_RUN_IFELSE( [AC_MSG_WARN([cross compiling: assuming yes])] ) -if test "x$sandbox_arg" = "xsystrace" || \ +if test "x$sandbox_arg" = "xpledge" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then + test "x$ac_cv_func_pledge" != "xyes" && \ + AC_MSG_ERROR([pledge sandbox requires pledge(2) support]) + SANDBOX_STYLE="pledge" + AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)]) +elif test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then test "x$have_systr_policy_kill" != "x1" && \ AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support]) @@ -3147,6 +3190,10 @@ elif test "x$sandbox_arg" = "xrlimit" || \ AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit]) SANDBOX_STYLE="rlimit" AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) +elif test "x$sandbox_arg" = "xsolaris" || \ + ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then + SANDBOX_STYLE="solaris" + AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges]) elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then SANDBOX_STYLE="none" @@ -3970,7 +4017,10 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include #include extern struct __res_state _res; - ]], [[ ]])], + ]], [[ +struct __res_state *volatile p = &_res; /* force resolution of _res */ +return 0; + ]],)], [AC_MSG_RESULT([yes]) AC_DEFINE([HAVE__RES_EXTERN], [1], [Define if you have struct __res_state _res as an extern]) @@ -4933,6 +4983,7 @@ echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" echo " Solaris project support: $SP_MSG" +echo " Solaris privilege support: $SPP_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 4c55227..2a55f45 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 7.1p2 +%define ver 7.2p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID @@ -89,7 +89,7 @@ Requires: initscripts >= 5.20 BuildRequires: perl, openssl-devel BuildRequires: /bin/login %if ! %{build6x} -BuildPreReq: glibc-devel, pam +BuildRequires: glibc-devel, pam %else BuildRequires: /usr/include/security/pam_appl.h %endif @@ -184,7 +184,7 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS %endif %if %{kerberos5} -K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` +K5DIR=`rpm -ql krb5-devel | grep 'include/krb5\.h' | sed 's,\/include\/krb5.h,,'` echo K5DIR=$K5DIR %endif @@ -192,7 +192,6 @@ echo K5DIR=$K5DIR --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/openssh \ --datadir=%{_datadir}/openssh \ - --with-rsh=%{_bindir}/rsh \ --with-default-path=/usr/local/bin:/bin:/usr/bin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ --with-privsep-path=%{_var}/empty/sshd \ diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index ae88e99..afde8b1 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -56,10 +56,13 @@ then fi fi -DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) +DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)" usage () { - printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2 + printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2 + printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2 + printf '\t-n: dry run -- no keys are actually copied\n' >&2 + printf '\t-h|-?: print this help\n' >&2 exit 1 } @@ -77,15 +80,18 @@ use_id_file() { PUB_ID_FILE="$L_ID_FILE.pub" fi - PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) + [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) # check that the files are readable - for f in $PUB_ID_FILE $PRIV_ID_FILE ; do - ErrMSG=$( { : < $f ; } 2>&1 ) || { - printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')" + for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do + ErrMSG=$( { : < "$f" ; } 2>&1 ) || { + local L_PRIVMSG="" + [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)" + printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')" exit 1 } done + printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2 GET_ID="cat \"$PUB_ID_FILE\"" } @@ -121,7 +127,7 @@ do } shift ;; - -n|-h|-\?) + -f|-n|-h|-\?) OPT="$1" OPTARG= shift @@ -154,6 +160,9 @@ do -o|-p) SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'" ;; + -f) + FORCED=1 + ;; -n) DRY_RUN=1 ;; @@ -194,27 +203,35 @@ fi populate_new_ids() { local L_SUCCESS="$1" + if [ "$FORCED" ] ; then + NEW_IDS=$(eval $GET_ID) + return + fi + # repopulate "$@" inside this function eval set -- "$SSH_OPTS" umask 0177 local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then - echo "mktemp failed" 1>&2 + printf '%s: ERROR: mktemp failed\n' "$0" >&2 exit 1 fi - trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT + local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\"" + trap "$L_CLEANUP" EXIT TERM INT QUIT printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 NEW_IDS=$( eval $GET_ID | { - while read ID ; do - printf '%s\n' "$ID" > $L_TMP_ID_FILE + while read ID || [ "$ID" ] ; do + printf '%s\n' "$ID" > "$L_TMP_ID_FILE" # the next line assumes $PRIV_ID_FILE only set if using a single id file - this # assumption will break if we implement the possibility of multiple -i options. # The point being that if file based, ssh needs the private key, which it cannot # find if only given the contents of the .pub file in an unrelated tmpfile ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ + -o ControlPath=none \ + -o LogLevel=INFO \ -o PreferredAuthentications=publickey \ -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr /dev/null ; then printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2 exit 1 fi if [ -z "$NEW_IDS" ] ; then - printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2 + printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2 + printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2 exit 0 fi printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 } -REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | +REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 | sed -ne 's/.*remote software version //p') case "$REMOTE_VERSION" in @@ -269,10 +287,9 @@ case "$REMOTE_VERSION" in *) # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect populate_new_ids 0 - [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " - umask 077 ; - mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; - if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ + # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh. + [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ + ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ || exit 1 ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) ;; diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index 67a59e4..8850cce 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1 @@ -29,6 +29,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .Nd use locally available keys to authorise logins on a remote machine .Sh SYNOPSIS .Nm +.Op Fl f .Op Fl n .Op Fl i Op Ar identity_file .Op Fl p Ar port @@ -76,6 +77,10 @@ is used. Note that this can be used to ensure that the keys copied have the comment one prefers and/or extra options applied, by ensuring that the key file has these set as preferred before the copy is attempted. +.It Fl f +Forced mode: doesn't check if the keys are present on the remote server. +This means that it does not need the private key. Of course, this can result +in more than one copy of the key being installed on the remote system. .It Fl n do a dry-run. Instead of installing keys on the remote system simply prints the key(s) that would have been installed. diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 3ee5268..53264c1 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 7.1p2 +Version: 7.2p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/defines.h b/defines.h index fa0ccba..a438ddd 100644 --- a/defines.h +++ b/defines.h @@ -850,4 +850,11 @@ struct winsize { # endif /* gcc version */ #endif /* __predict_true */ +#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \ + defined(GLOB_HAS_GL_MATCHC) && defined(GLOB_HAS_GL_STATV) && \ + defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \ + !defined(BROKEN_GLOB) +# define USE_SYSTEM_GLOB +#endif + #endif /* _DEFINES_H */ diff --git a/dh.h b/dh.h index 6546953..e191cfd 100644 --- a/dh.h +++ b/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.13 2015/05/27 23:39:18 dtucker Exp $ */ +/* $OpenBSD: dh.h,v 1.14 2015/10/16 22:32:22 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. @@ -44,8 +44,11 @@ int dh_pub_is_valid(DH *, BIGNUM *); u_int dh_estimate(int); -/* Min and max values from RFC4419. */ -#define DH_GRP_MIN 1024 +/* + * Max value from RFC4419. + * Miniumum increased in light of DH precomputation attacks. + */ +#define DH_GRP_MIN 2048 #define DH_GRP_MAX 8192 /* diff --git a/includes.h b/includes.h index 2893a54..497a038 100644 --- a/includes.h +++ b/includes.h @@ -32,12 +32,6 @@ #ifdef HAVE_BSTRING_H # include #endif -#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \ - defined(GLOB_HAS_GL_MATCHC) && defined(GLOB_HAS_GL_STATV) && \ - defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \ - !defined(BROKEN_GLOB) -# include -#endif #ifdef HAVE_ENDIAN_H # include #endif diff --git a/kex.c b/kex.c index b777b7d..d371f47 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.109 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.117 2016/02/08 10:57:07 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -49,7 +49,6 @@ #include "misc.h" #include "dispatch.h" #include "monitor.h" -#include "roaming.h" #include "ssherr.h" #include "sshbuf.h" @@ -67,6 +66,19 @@ extern const EVP_MD *evp_ssh_sha256(void); static int kex_choose_conf(struct ssh *); static int kex_input_newkeys(int, u_int32_t, void *); +static const char *proposal_names[PROPOSAL_MAX] = { + "KEX algorithms", + "host key algorithms", + "ciphers ctos", + "ciphers stoc", + "MACs ctos", + "MACs stoc", + "compression ctos", + "compression stoc", + "languages ctos", + "languages stoc", +}; + struct kexalg { char *name; u_int type; @@ -267,7 +279,7 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) for (i = 0; i < PROPOSAL_MAX; i++) { if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) goto out; - debug2("kex_parse_kexinit: %s", proposal[i]); + debug2("%s: %s", proposal_names[i], proposal[i]); } /* first kex follows / reserved */ if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ @@ -302,7 +314,14 @@ kex_prop_free(char **proposal) static int kex_protocol_error(int type, u_int32_t seq, void *ctxt) { - error("Hm, kex protocol error: type %d seq %u", type, seq); + struct ssh *ssh = active_state; /* XXX */ + int r; + + error("kex protocol error: type %d seq %u", type, seq); + if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || + (r = sshpkt_put_u32(ssh, seq)) != 0 || + (r = sshpkt_send(ssh)) != 0) + return r; return 0; } @@ -314,6 +333,20 @@ kex_reset_dispatch(struct ssh *ssh) ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); } +static int +kex_send_ext_info(struct ssh *ssh) +{ + int r; + + if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 || + (r = sshpkt_put_u32(ssh, 1)) != 0 || + (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || + (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 || + (r = sshpkt_send(ssh)) != 0) + return r; + return 0; +} + int kex_send_newkeys(struct ssh *ssh) { @@ -326,9 +359,51 @@ kex_send_newkeys(struct ssh *ssh) debug("SSH2_MSG_NEWKEYS sent"); debug("expecting SSH2_MSG_NEWKEYS"); ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); + if (ssh->kex->ext_info_c) + if ((r = kex_send_ext_info(ssh)) != 0) + return r; return 0; } +int +kex_input_ext_info(int type, u_int32_t seq, void *ctxt) +{ + struct ssh *ssh = ctxt; + struct kex *kex = ssh->kex; + u_int32_t i, ninfo; + char *name, *val, *found; + int r; + + debug("SSH2_MSG_EXT_INFO received"); + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); + if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) + return r; + for (i = 0; i < ninfo; i++) { + if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) + return r; + if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { + free(name); + return r; + } + debug("%s: %s=<%s>", __func__, name, val); + if (strcmp(name, "server-sig-algs") == 0) { + found = match_list("rsa-sha2-256", val, NULL); + if (found) { + kex->rsa_sha2 = 256; + free(found); + } + found = match_list("rsa-sha2-512", val, NULL); + if (found) { + kex->rsa_sha2 = 512; + free(found); + } + } + free(name); + free(val); + } + return sshpkt_get_end(ssh); +} + static int kex_input_newkeys(int type, u_int32_t seq, void *ctxt) { @@ -468,7 +543,7 @@ kex_free_newkeys(struct newkeys *newkeys) newkeys->enc.key = NULL; } if (newkeys->enc.iv) { - explicit_bzero(newkeys->enc.iv, newkeys->enc.block_size); + explicit_bzero(newkeys->enc.iv, newkeys->enc.iv_len); free(newkeys->enc.iv); newkeys->enc.iv = NULL; } @@ -511,6 +586,8 @@ kex_free(struct kex *kex) free(kex->client_version_string); free(kex->server_version_string); free(kex->failed_choice); + free(kex->hostkey_alg); + free(kex->name); free(kex); } @@ -529,6 +606,25 @@ kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX]) return 0; } +/* + * Request key re-exchange, returns 0 on success or a ssherr.h error + * code otherwise. Must not be called if KEX is incomplete or in-progress. + */ +int +kex_start_rekex(struct ssh *ssh) +{ + if (ssh->kex == NULL) { + error("%s: no kex", __func__); + return SSH_ERR_INTERNAL_ERROR; + } + if (ssh->kex->done == 0) { + error("%s: requested twice", __func__); + return SSH_ERR_INTERNAL_ERROR; + } + ssh->kex->done = 0; + return kex_send_kexinit(ssh); +} + static int choose_enc(struct sshenc *enc, char *client, char *server) { @@ -593,6 +689,7 @@ choose_kex(struct kex *k, char *client, char *server) k->name = match_list(client, server, NULL); + debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); if (k->name == NULL) return SSH_ERR_NO_KEX_ALG_MATCH; if ((kexalg = kex_alg_by_name(k->name)) == NULL) @@ -606,15 +703,16 @@ choose_kex(struct kex *k, char *client, char *server) static int choose_hostkeyalg(struct kex *k, char *client, char *server) { - char *hostkeyalg = match_list(client, server, NULL); + k->hostkey_alg = match_list(client, server, NULL); - if (hostkeyalg == NULL) + debug("kex: host key algorithm: %s", + k->hostkey_alg ? k->hostkey_alg : "(no match)"); + if (k->hostkey_alg == NULL) return SSH_ERR_NO_HOSTKEY_ALG_MATCH; - k->hostkey_type = sshkey_type_from_name(hostkeyalg); + k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); if (k->hostkey_type == KEY_UNSPEC) return SSH_ERR_INTERNAL_ERROR; - k->hostkey_nid = sshkey_ecdsa_nid_from_name(hostkeyalg); - free(hostkeyalg); + k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); return 0; } @@ -653,8 +751,11 @@ kex_choose_conf(struct ssh *ssh) u_int mode, ctos, need, dh_need, authlen; int r, first_kex_follows; - if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 || - (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) + debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); + if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) + goto out; + debug2("peer %s KEXINIT proposal", kex->server ? "client" : "server"); + if ((r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) goto out; if (kex->server) { @@ -665,18 +766,30 @@ kex_choose_conf(struct ssh *ssh) sprop=peer; } - /* Check whether server offers roaming */ - if (!kex->server) { - char *roaming = match_list(KEX_RESUME, - peer[PROPOSAL_KEX_ALGS], NULL); + /* Check whether client supports ext_info_c */ + if (kex->server) { + char *ext; - if (roaming) { - kex->roaming = 1; - free(roaming); + ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); + if (ext) { + kex->ext_info_c = 1; + free(ext); } } /* Algorithm Negotiation */ + if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], + sprop[PROPOSAL_KEX_ALGS])) != 0) { + kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; + peer[PROPOSAL_KEX_ALGS] = NULL; + goto out; + } + if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], + sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { + kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; + peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; + goto out; + } for (mode = 0; mode < MODE_MAX; mode++) { if ((newkeys = calloc(1, sizeof(*newkeys))) == NULL) { r = SSH_ERR_ALLOC_FAIL; @@ -709,24 +822,12 @@ kex_choose_conf(struct ssh *ssh) peer[ncomp] = NULL; goto out; } - debug("kex: %s %s %s %s", + debug("kex: %s cipher: %s MAC: %s compression: %s", ctos ? "client->server" : "server->client", newkeys->enc.name, authlen == 0 ? newkeys->mac.name : "", newkeys->comp.name); } - if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], - sprop[PROPOSAL_KEX_ALGS])) != 0) { - kex->failed_choice = peer[PROPOSAL_KEX_ALGS]; - peer[PROPOSAL_KEX_ALGS] = NULL; - goto out; - } - if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], - sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) { - kex->failed_choice = peer[PROPOSAL_SERVER_HOST_KEY_ALGS]; - peer[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL; - goto out; - } need = dh_need = 0; for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; @@ -812,8 +913,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, digest = NULL; r = 0; out: - if (digest) - free(digest); + free(digest); ssh_digest_free(hashctx); return r; } diff --git a/kex.h b/kex.h index d71b532..1c58966 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.73 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.76 2016/02/08 10:57:07 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -54,7 +54,6 @@ #define KEX_DH14 "diffie-hellman-group14-sha1" #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256" -#define KEX_RESUME "resume@appgate.com" #define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256" #define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" @@ -129,10 +128,12 @@ struct kex { u_int dh_need; int server; char *name; + char *hostkey_alg; int hostkey_type; int hostkey_nid; u_int kex_type; - int roaming; + int rsa_sha2; + int ext_info_c; struct sshbuf *my; struct sshbuf *peer; sig_atomic_t done; @@ -146,8 +147,8 @@ struct kex { struct sshkey *(*load_host_public_key)(int, int, struct ssh *); struct sshkey *(*load_host_private_key)(int, int, struct ssh *); int (*host_key_index)(struct sshkey *, int, struct ssh *); - int (*sign)(struct sshkey *, struct sshkey *, - u_char **, size_t *, const u_char *, size_t, u_int); + int (*sign)(struct sshkey *, struct sshkey *, u_char **, size_t *, + const u_char *, size_t, const char *, u_int); int (*kex[KEX_MAX])(struct ssh *); /* kex specific state */ DH *dh; /* DH */ @@ -174,9 +175,11 @@ void kex_prop_free(char **); int kex_send_kexinit(struct ssh *); int kex_input_kexinit(int, u_int32_t, void *); +int kex_input_ext_info(int, u_int32_t, void *); int kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *); int kex_derive_keys_bn(struct ssh *, u_char *, u_int, const BIGNUM *); int kex_send_newkeys(struct ssh *); +int kex_start_rekex(struct ssh *); int kexdh_client(struct ssh *); int kexdh_server(struct ssh *); diff --git a/kexc25519s.c b/kexc25519s.c index 2402725..4e77622b 100644 --- a/kexc25519s.c +++ b/kexc25519s.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexc25519s.c,v 1.9 2015/04/27 00:37:53 dtucker Exp $ */ +/* $OpenBSD: kexc25519s.c,v 1.10 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -134,8 +134,8 @@ input_kex_c25519_init(int type, u_int32_t seq, void *ctxt) } /* sign H */ - if ((r = kex->sign(server_host_private, server_host_public, - &signature, &slen, hash, hashlen, ssh->compat)) < 0) + if ((r = kex->sign(server_host_private, server_host_public, &signature, + &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0) goto out; /* send server hostkey, ECDH pubkey 'Q_S' and signed H */ diff --git a/kexdhs.c b/kexdhs.c index de7c05b..bf933e4 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.22 2015/01/26 06:10:03 djm Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.23 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -181,8 +181,8 @@ input_kex_dh_init(int type, u_int32_t seq, void *ctxt) } /* sign H */ - if ((r = kex->sign(server_host_private, server_host_public, - &signature, &slen, hash, hashlen, ssh->compat)) < 0) + if ((r = kex->sign(server_host_private, server_host_public, &signature, + &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0) goto out; /* destroy_sensitive_data(); */ diff --git a/kexecdhs.c b/kexecdhs.c index 0adb80e..ccdbf70 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.14 2015/01/26 06:10:03 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.15 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -169,8 +169,8 @@ input_kex_ecdh_init(int type, u_int32_t seq, void *ctxt) } /* sign H */ - if ((r = kex->sign(server_host_private, server_host_public, - &signature, &slen, hash, hashlen, ssh->compat)) < 0) + if ((r = kex->sign(server_host_private, server_host_public, &signature, + &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0) goto out; /* destroy_sensitive_data(); */ diff --git a/kexgexs.c b/kexgexs.c index ff6c687..8c5adf7 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.25 2015/04/13 02:04:08 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.26 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -220,8 +220,8 @@ input_kex_dh_gex_init(int type, u_int32_t seq, void *ctxt) } /* sign H */ - if ((r = kex->sign(server_host_private, server_host_public, - &signature, &slen, hash, hashlen, ssh->compat)) < 0) + if ((r = kex->sign(server_host_private, server_host_public, &signature, + &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0) goto out; /* destroy_sensitive_data(); */ diff --git a/key.c b/key.c index 0ba98b6..28d7c62 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */ /* * placed in the public domain */ @@ -132,7 +132,7 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) int key_sign(const Key *key, u_char **sigp, u_int *lenp, - const u_char *data, u_int datalen) + const u_char *data, u_int datalen, const char *alg) { int r; u_char *sig; @@ -143,7 +143,7 @@ key_sign(const Key *key, u_char **sigp, u_int *lenp, if (lenp != NULL) *lenp = 0; if ((r = sshkey_sign(key, &sig, &siglen, - data, datalen, datafellows)) != 0) { + data, datalen, alg, datafellows)) != 0) { fatal_on_fatal_errors(r, __func__, 0); error("%s: %s", __func__, ssh_err(r)); return -1; diff --git a/key.h b/key.h index 903bdf6..34c992b 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: key.h,v 1.49 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -84,7 +84,8 @@ int key_ec_validate_private(const EC_KEY *); Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); -int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int); +int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int, + const char *); int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); void key_private_serialize(const Key *, struct sshbuf *); diff --git a/krl.c b/krl.c index 4075df8..fff1a3f 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.37 2015/12/31 00:33:52 djm Exp $ */ #include "includes.h" @@ -723,7 +723,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, if ((r = sshbuf_put(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1)) != 0 || (r = sshbuf_put_u32(buf, KRL_FORMAT_VERSION)) != 0 || (r = sshbuf_put_u64(buf, krl->krl_version)) != 0 || - (r = sshbuf_put_u64(buf, krl->generated_date) != 0) || + (r = sshbuf_put_u64(buf, krl->generated_date)) != 0 || (r = sshbuf_put_u64(buf, krl->flags)) != 0 || (r = sshbuf_put_string(buf, NULL, 0)) != 0 || (r = sshbuf_put_cstring(buf, krl->comment)) != 0) @@ -772,7 +772,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, goto out; if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, - sshbuf_ptr(buf), sshbuf_len(buf), 0)) != 0) + sshbuf_ptr(buf), sshbuf_len(buf), NULL, 0)) != 0) goto out; KRL_DBG(("%s: signature sig len %zu", __func__, slen)); if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) @@ -826,10 +826,8 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) goto out; while (sshbuf_len(buf) > 0) { - if (subsect != NULL) { - sshbuf_free(subsect); - subsect = NULL; - } + sshbuf_free(subsect); + subsect = NULL; if ((r = sshbuf_get_u8(buf, &type)) != 0 || (r = sshbuf_froms(buf, &subsect)) != 0) goto out; @@ -1017,7 +1015,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, } /* Check signature over entire KRL up to this point */ if ((r = sshkey_verify(key, blob, blen, - sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) + sshbuf_ptr(buf), sig_off, 0)) != 0) goto out; /* Check if this key has already signed this KRL */ for (i = 0; i < nca_used; i++) { @@ -1038,7 +1036,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, ca_used = tmp_ca_used; ca_used[nca_used++] = key; key = NULL; - break; } if (sshbuf_len(copy) != 0) { @@ -1059,10 +1056,8 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, if ((r = sshbuf_consume(copy, sects_off)) != 0) goto out; while (sshbuf_len(copy) > 0) { - if (sect != NULL) { - sshbuf_free(sect); - sect = NULL; - } + sshbuf_free(sect); + sect = NULL; if ((r = sshbuf_get_u8(copy, &type)) != 0 || (r = sshbuf_froms(copy, §)) != 0) goto out; @@ -1105,7 +1100,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, r = SSH_ERR_INVALID_FORMAT; goto out; } - if (sshbuf_len(sect) > 0) { + if (sect != NULL && sshbuf_len(sect) > 0) { error("KRL section contains unparsed data"); r = SSH_ERR_INVALID_FORMAT; goto out; diff --git a/krl.h b/krl.h index 4e12bef..675496c 100644 --- a/krl.h +++ b/krl.h @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.h,v 1.4 2015/01/13 19:06:49 djm Exp $ */ +/* $OpenBSD: krl.h,v 1.5 2015/12/30 23:46:14 djm Exp $ */ #ifndef _KRL_H #define _KRL_H @@ -43,7 +43,6 @@ struct ssh_krl; struct ssh_krl *ssh_krl_init(void); void ssh_krl_free(struct ssh_krl *krl); void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version); -void ssh_krl_set_sign_key(struct ssh_krl *krl, const struct sshkey *sign_key); int ssh_krl_set_comment(struct ssh_krl *krl, const char *comment); int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const struct sshkey *ca_key, u_int64_t serial); diff --git a/loginrec.c b/loginrec.c index 94ae81d..788553e 100644 --- a/loginrec.c +++ b/loginrec.c @@ -150,6 +150,9 @@ #include #include #include +#ifdef HAVE_SYS_TIME_H +# include +#endif #include diff --git a/misc.c b/misc.c index ddd2b2d..de7e1fa 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.97 2015/04/24 01:36:00 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.101 2016/01/20 09:22:39 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -604,6 +605,8 @@ percent_expand(const char *string, ...) /* %% case */ if (*string == '%') goto append; + if (*string == '\0') + fatal("%s: invalid format", __func__); for (j = 0; j < num_keys; j++) { if (strchr(keys[j].key, *string) != NULL) { i = strlcat(buf, keys[j].repl, sizeof(buf)); @@ -653,62 +656,63 @@ tun_open(int tun, int mode) struct ifreq ifr; char name[100]; int fd = -1, sock; + const char *tunbase = "tun"; + + if (mode == SSH_TUNMODE_ETHERNET) + tunbase = "tap"; /* Open the tunnel device */ if (tun <= SSH_TUNID_MAX) { - snprintf(name, sizeof(name), "/dev/tun%d", tun); + snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun); fd = open(name, O_RDWR); } else if (tun == SSH_TUNID_ANY) { for (tun = 100; tun >= 0; tun--) { - snprintf(name, sizeof(name), "/dev/tun%d", tun); + snprintf(name, sizeof(name), "/dev/%s%d", + tunbase, tun); if ((fd = open(name, O_RDWR)) >= 0) break; } } else { debug("%s: invalid tunnel %u", __func__, tun); - return (-1); + return -1; } if (fd < 0) { - debug("%s: %s open failed: %s", __func__, name, strerror(errno)); - return (-1); + debug("%s: %s open: %s", __func__, name, strerror(errno)); + return -1; } debug("%s: %s mode %d fd %d", __func__, name, mode, fd); - /* Set the tunnel device operation mode */ - snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun); + /* Bring interface up if it is not already */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun); if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) goto failed; - if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) - goto failed; - - /* Set interface mode */ - ifr.ifr_flags &= ~IFF_UP; - if (mode == SSH_TUNMODE_ETHERNET) - ifr.ifr_flags |= IFF_LINK0; - else - ifr.ifr_flags &= ~IFF_LINK0; - if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) { + debug("%s: get interface %s flags: %s", __func__, + ifr.ifr_name, strerror(errno)); goto failed; + } - /* Bring interface up */ - ifr.ifr_flags |= IFF_UP; - if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) - goto failed; + if (!(ifr.ifr_flags & IFF_UP)) { + ifr.ifr_flags |= IFF_UP; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) { + debug("%s: activate interface %s: %s", __func__, + ifr.ifr_name, strerror(errno)); + goto failed; + } + } close(sock); - return (fd); + return fd; failed: if (fd >= 0) close(fd); if (sock >= 0) close(sock); - debug("%s: failed to set %s mode %d: %s", __func__, name, - mode, strerror(errno)); - return (-1); + return -1; #else error("Tunnel interfaces are not supported on this platform"); return (-1); @@ -1107,7 +1111,7 @@ unix_listener(const char *path, int backlog, int unlink_first) void sock_set_v6only(int s) { -#ifdef IPV6_V6ONLY +#if defined(IPV6_V6ONLY) && !defined(__OpenBSD__) int on = 1; debug3("%s: set socket %d IPV6_V6ONLY", __func__, s); diff --git a/moduli.0 b/moduli.0 index 087e596..a74279b 100644 --- a/moduli.0 +++ b/moduli.0 @@ -71,4 +71,4 @@ STANDARDS the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, 2006. -OpenBSD 5.8 September 26, 2012 OpenBSD 5.8 +OpenBSD 5.9 September 26, 2012 OpenBSD 5.9 diff --git a/monitor.c b/monitor.c index a914209..ac7dd30 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.150 2015/06/22 23:42:16 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.157 2016/02/15 23:32:37 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -100,7 +100,6 @@ #include "monitor_fdpass.h" #include "compat.h" #include "ssh2.h" -#include "roaming.h" #include "authfd.h" #include "match.h" #include "ssherr.h" @@ -487,15 +486,10 @@ monitor_sync(struct monitor *pmonitor) static void * mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { - size_t len = (size_t) size * ncount; - void *address; - - if (len == 0 || ncount > SIZE_MAX / size) + if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size) fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); - address = mm_malloc(mm, len); - - return (address); + return mm_malloc(mm, size * ncount); } static void @@ -690,17 +684,18 @@ mm_answer_sign(int sock, Buffer *m) struct ssh *ssh = active_state; /* XXX */ extern int auth_sock; /* XXX move to state struct? */ struct sshkey *key; - struct sshbuf *sigbuf; - u_char *p; - u_char *signature; - size_t datlen, siglen; + struct sshbuf *sigbuf = NULL; + u_char *p = NULL, *signature = NULL; + char *alg = NULL; + size_t datlen, siglen, alglen; int r, keyid, is_proof = 0; const char proof_req[] = "hostkeys-prove-00@openssh.com"; debug3("%s", __func__); if ((r = sshbuf_get_u32(m, &keyid)) != 0 || - (r = sshbuf_get_string(m, &p, &datlen)) != 0) + (r = sshbuf_get_string(m, &p, &datlen)) != 0 || + (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); /* @@ -727,7 +722,7 @@ mm_answer_sign(int sock, Buffer *m) fatal("%s: sshbuf_new", __func__); if ((r = sshbuf_put_cstring(sigbuf, proof_req)) != 0 || (r = sshbuf_put_string(sigbuf, session_id2, - session_id2_len) != 0) || + session_id2_len)) != 0 || (r = sshkey_puts(key, sigbuf)) != 0) fatal("%s: couldn't prepare private key " "proof buffer: %s", __func__, ssh_err(r)); @@ -747,14 +742,14 @@ mm_answer_sign(int sock, Buffer *m) } if ((key = get_hostkey_by_index(keyid)) != NULL) { - if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, + if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, datafellows)) != 0) fatal("%s: sshkey_sign failed: %s", __func__, ssh_err(r)); } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && auth_sock > 0) { if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, - p, datlen, datafellows)) != 0) { + p, datlen, alg, datafellows)) != 0) { fatal("%s: ssh_agent_sign failed: %s", __func__, ssh_err(r)); } @@ -768,6 +763,7 @@ mm_answer_sign(int sock, Buffer *m) if ((r = sshbuf_put_string(m, signature, siglen)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); + free(alg); free(p); free(signature); @@ -971,7 +967,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) char *response; int authok; - if (authctxt->as == 0) + if (authctxt->as == NULL) fatal("%s: no bsd auth session", __func__); response = buffer_get_string(m, NULL); @@ -1040,7 +1036,8 @@ mm_answer_skeyrespond(int sock, Buffer *m) debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m); - auth_method = "skey"; + auth_method = "keyboard-interactive"; + auth_submethod = "skey"; return (authok != 0); } @@ -1449,7 +1446,7 @@ mm_answer_keyverify(int sock, Buffer *m) __func__, key, (verified == 1) ? "verified" : "unverified"); /* If auth was successful then record key to ensure it isn't reused */ - if (verified == 1) + if (verified == 1 && key_blobtype == MM_USERKEY) auth2_record_userkey(authctxt, key); else key_free(key); @@ -1852,7 +1849,7 @@ monitor_apply_keystate(struct monitor *pmonitor) sshbuf_free(child_state); child_state = NULL; - if ((kex = ssh->kex) != 0) { + if ((kex = ssh->kex) != NULL) { /* XXX set callbacks */ #ifdef WITH_OPENSSL kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; diff --git a/monitor_wrap.c b/monitor_wrap.c index eac421b..c5db6df 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.85 2015/05/01 03:23:51 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.87 2016/01/14 16:17:40 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -80,7 +80,6 @@ #include "channels.h" #include "session.h" #include "servconf.h" -#include "roaming.h" #include "ssherr.h" @@ -218,7 +217,7 @@ mm_choose_dh(int min, int nbits, int max) int mm_key_sign(Key *key, u_char **sigp, u_int *lenp, - const u_char *data, u_int datalen) + const u_char *data, u_int datalen, const char *hostkey_alg) { struct kex *kex = *pmonitor->m_pkex; Buffer m; @@ -228,6 +227,7 @@ mm_key_sign(Key *key, u_char **sigp, u_int *lenp, buffer_init(&m); buffer_put_int(&m, kex->host_key_index(key, 0, active_state)); buffer_put_string(&m, data, datalen); + buffer_put_cstring(&m, hostkey_alg); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); diff --git a/monitor_wrap.h b/monitor_wrap.h index de4a08f..eb820ae 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.27 2015/05/01 03:23:51 djm Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.29 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -40,7 +40,7 @@ struct Authctxt; void mm_log_handler(LogLevel, const char *, void *); int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); -int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); +int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); void mm_inform_authserv(char *, char *); struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); diff --git a/mux.c b/mux.c index e6136fd..6bf53eb 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success, void *arg) char *proto, *data; /* Get reasonable local authentication information. */ - client_x11_get_proto(display, options.xauth_location, + if (client_x11_get_proto(display, options.xauth_location, options.forward_x11_trusted, options.forward_x11_timeout, - &proto, &data); - /* Request forwarding with authentication spoofing. */ - debug("Requesting X11 forwarding with authentication " - "spoofing."); - x11_request_forwarding_with_spoofing(id, display, proto, - data, 1); - client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN); - /* XXX exit_on_forward_failure */ + &proto, &data) == 0) { + /* Request forwarding with authentication spoofing. */ + debug("Requesting X11 forwarding with authentication " + "spoofing."); + x11_request_forwarding_with_spoofing(id, display, proto, + data, 1); + /* XXX exit_on_forward_failure */ + client_expect_confirm(id, "X11 forwarding", + CONFIRM_WARN); + } } if (cctx->want_agent_fwd && options.forward_agent) { @@ -1744,7 +1746,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) fwd->connect_host ? fwd->connect_host : "", fwd->connect_port); if (muxclient_command == SSHMUX_COMMAND_FORWARD) - fprintf(stdout, "%u\n", fwd->allocated_port); + fprintf(stdout, "%i\n", fwd->allocated_port); break; case MUX_S_PERMISSION_DENIED: e = buffer_get_string(&m, NULL); @@ -1889,6 +1891,10 @@ mux_client_request_session(int fd) } muxclient_request_id++; + if (pledge("stdio proc tty", NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + platform_pledge_mux(); + signal(SIGHUP, control_client_sighandler); signal(SIGINT, control_client_sighandler); signal(SIGTERM, control_client_sighandler); @@ -1996,6 +2002,10 @@ mux_client_request_stdio_fwd(int fd) mm_send_fd(fd, STDOUT_FILENO) == -1) fatal("%s: send fds failed", __func__); + if (pledge("stdio proc tty", NULL) == -1) + fatal("%s pledge(): %s", __func__, strerror(errno)); + platform_pledge_mux(); + debug3("%s: stdio forward request sent", __func__); /* Read their reply */ @@ -2169,7 +2179,7 @@ muxclient(const char *path) case SSHMUX_COMMAND_ALIVE_CHECK: if ((pid = mux_client_request_alive(sock)) == 0) fatal("%s: master alive check failed", __func__); - fprintf(stderr, "Master running (pid=%d)\r\n", pid); + fprintf(stderr, "Master running (pid=%u)\r\n", pid); exit(0); case SSHMUX_COMMAND_TERMINATE: mux_client_request_terminate(sock); diff --git a/myproposal.h b/myproposal.h index 46e5b98..bdd0596 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.50 2016/02/09 05:30:04 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -101,7 +101,9 @@ "ssh-rsa-cert-v01@openssh.com," \ HOSTKEY_ECDSA_METHODS \ "ssh-ed25519," \ - "ssh-rsa" \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" /* the actual algorithms */ @@ -111,9 +113,7 @@ AESGCM_CIPHER_MODES #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "arcfour256,arcfour128," \ - "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ - "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" + "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" #define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ @@ -127,18 +127,9 @@ "hmac-sha2-512," \ "hmac-sha1" -#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \ - "hmac-md5-etm@openssh.com," \ - "hmac-ripemd160-etm@openssh.com," \ - "hmac-sha1-96-etm@openssh.com," \ - "hmac-md5-96-etm@openssh.com," \ - "hmac-md5," \ - "hmac-ripemd160," \ - "hmac-ripemd160@openssh.com," \ - "hmac-sha1-96," \ - "hmac-md5-96" +#define KEX_CLIENT_MAC KEX_SERVER_MAC -#else +#else /* WITH_OPENSSL */ #define KEX_SERVER_KEX \ "curve25519-sha256@libssh.org" diff --git a/opacket.c b/opacket.c index b9160d5..5970dd3 100644 --- a/opacket.c +++ b/opacket.c @@ -235,18 +235,6 @@ packet_set_connection(int fd_in, int fd_out) fatal("%s: ssh_packet_set_connection failed", __func__); } -void -packet_backup_state(void) -{ - ssh_packet_backup_state(active_state, backup_state); -} - -void -packet_restore_state(void) -{ - ssh_packet_restore_state(active_state, backup_state); -} - u_int packet_get_char(void) { diff --git a/opacket.h b/opacket.h index a0a60e5..c26ade4 100644 --- a/opacket.h +++ b/opacket.h @@ -39,8 +39,6 @@ do { \ void packet_close(void); u_int packet_get_char(void); u_int packet_get_int(void); -void packet_backup_state(void); -void packet_restore_state(void); void packet_set_connection(int, int); int packet_read_seqnr(u_int32_t *); int packet_read_poll_seqnr(u_int32_t *); @@ -127,8 +125,6 @@ void packet_disconnect(const char *, ...) sshpkt_add_padding(active_state, (pad)) #define packet_send_ignore(nbytes) \ ssh_packet_send_ignore(active_state, (nbytes)) -#define packet_need_rekeying() \ - ssh_packet_need_rekeying(active_state) #define packet_set_server() \ ssh_packet_set_server(active_state) #define packet_set_authenticated() \ diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index f7be415..2a788e4 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -276,3 +276,11 @@ getpgid(pid_t pid) return -1; } #endif + +#ifndef HAVE_PLEDGE +int +pledge(const char *promises, const char *paths[]) +{ + return 0; +} +#endif diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index ff347a2..0d81d17 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -122,4 +122,8 @@ pid_t getpgid(pid_t); # define krb5_free_error_message(a,b) do { } while(0) #endif +#ifndef HAVE_PLEDGE +int pledge(const char *promises, const char *paths[]); +#endif + #endif /* _BSD_MISC_H */ diff --git a/openbsd-compat/bsd-poll.h b/openbsd-compat/bsd-poll.h index dcbb9ca..17945f5 100644 --- a/openbsd-compat/bsd-poll.h +++ b/openbsd-compat/bsd-poll.h @@ -42,11 +42,11 @@ typedef unsigned int nfds_t; #define POLLIN 0x0001 #define POLLOUT 0x0004 #define POLLERR 0x0008 +#define POLLHUP 0x0010 +#define POLLNVAL 0x0020 #if 0 /* the following are currently not implemented */ #define POLLPRI 0x0002 -#define POLLHUP 0x0010 -#define POLLNVAL 0x0020 #define POLLRDNORM 0x0040 #define POLLNORM POLLRDNORM #define POLLWRNORM POLLOUT diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c index 742b4b9..7c97e67 100644 --- a/openbsd-compat/glob.c +++ b/openbsd-compat/glob.c @@ -59,6 +59,7 @@ */ #include "includes.h" +#include "glob.h" #include #include diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h index f8a7fa5..f069a05 100644 --- a/openbsd-compat/glob.h +++ b/openbsd-compat/glob.h @@ -42,11 +42,15 @@ !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0 || \ defined(BROKEN_GLOB) -#ifndef _GLOB_H_ -#define _GLOB_H_ +#ifndef _COMPAT_GLOB_H_ +#define _COMPAT_GLOB_H_ #include +# define glob_t _ssh_compat_glob_t +# define glob(a, b, c, d) _ssh__compat_glob(a, b, c, d) +# define globfree(a) _ssh__compat_globfree(a) + struct stat; typedef struct { int gl_pathc; /* Count of total paths so far. */ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 1ff7114..8cc8a11 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -39,7 +39,6 @@ /* OpenBSD function replacements */ #include "base64.h" #include "sigact.h" -#include "glob.h" #include "readpassphrase.h" #include "vis.h" #include "getrrsetbyname.h" diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c index 25382f1..e36e412 100644 --- a/openbsd-compat/port-solaris.c +++ b/openbsd-compat/port-solaris.c @@ -227,3 +227,139 @@ solaris_set_default_project(struct passwd *pw) } } #endif /* USE_SOLARIS_PROJECTS */ + +#ifdef USE_SOLARIS_PRIVS +# ifdef HAVE_PRIV_H +# include +# endif + +priv_set_t * +solaris_basic_privset(void) +{ + priv_set_t *pset; + +#ifdef HAVE_PRIV_BASICSET + if ((pset = priv_allocset()) == NULL) { + error("priv_allocset: %s", strerror(errno)); + return NULL; + } + priv_basicset(pset); +#else + if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) { + error("priv_str_to_set: %s", strerror(errno)); + return NULL; + } +#endif + return pset; +} + +void +solaris_drop_privs_pinfo_net_fork_exec(void) +{ + priv_set_t *pset = NULL, *npset = NULL; + + /* + * Note: this variant avoids dropping DAC filesystem rights, in case + * the process calling it is running as root and should have the + * ability to read/write/chown any file on the system. + * + * We start with the basic set, then *add* the DAC rights to it while + * taking away other parts of BASIC we don't need. Then we intersect + * this with our existing PERMITTED set. In this way we keep any + * DAC rights we had before, while otherwise reducing ourselves to + * the minimum set of privileges we need to proceed. + * + * This also means we drop any other parts of "root" that we don't + * need (e.g. the ability to kill any process, create new device nodes + * etc etc). + */ + + if ((pset = priv_allocset()) == NULL) + fatal("priv_allocset: %s", strerror(errno)); + if ((npset = solaris_basic_privset()) == NULL) + fatal("solaris_basic_privset: %s", strerror(errno)); + + if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 || + priv_addset(npset, PRIV_FILE_DAC_READ) != 0 || + priv_addset(npset, PRIV_FILE_DAC_SEARCH) != 0 || + priv_addset(npset, PRIV_FILE_DAC_WRITE) != 0 || + priv_addset(npset, PRIV_FILE_OWNER) != 0) + fatal("priv_addset: %s", strerror(errno)); + + if (priv_delset(npset, PRIV_FILE_LINK_ANY) != 0 || +#ifdef PRIV_NET_ACCESS + priv_delset(npset, PRIV_NET_ACCESS) != 0 || +#endif + priv_delset(npset, PRIV_PROC_EXEC) != 0 || + priv_delset(npset, PRIV_PROC_FORK) != 0 || + priv_delset(npset, PRIV_PROC_INFO) != 0 || + priv_delset(npset, PRIV_PROC_SESSION) != 0) + fatal("priv_delset: %s", strerror(errno)); + + if (getppriv(PRIV_PERMITTED, pset) != 0) + fatal("getppriv: %s", strerror(errno)); + + priv_intersect(pset, npset); + + if (setppriv(PRIV_SET, PRIV_PERMITTED, npset) != 0 || + setppriv(PRIV_SET, PRIV_LIMIT, npset) != 0 || + setppriv(PRIV_SET, PRIV_INHERITABLE, npset) != 0) + fatal("setppriv: %s", strerror(errno)); + + priv_freeset(pset); + priv_freeset(npset); +} + +void +solaris_drop_privs_root_pinfo_net(void) +{ + priv_set_t *pset = NULL; + + /* Start with "basic" and drop everything we don't need. */ + if ((pset = solaris_basic_privset()) == NULL) + fatal("solaris_basic_privset: %s", strerror(errno)); + + if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 || +#ifdef PRIV_NET_ACCESS + priv_delset(pset, PRIV_NET_ACCESS) != 0 || +#endif + priv_delset(pset, PRIV_PROC_INFO) != 0 || + priv_delset(pset, PRIV_PROC_SESSION) != 0) + fatal("priv_delset: %s", strerror(errno)); + + if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 || + setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 || + setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0) + fatal("setppriv: %s", strerror(errno)); + + priv_freeset(pset); +} + +void +solaris_drop_privs_root_pinfo_net_exec(void) +{ + priv_set_t *pset = NULL; + + + /* Start with "basic" and drop everything we don't need. */ + if ((pset = solaris_basic_privset()) == NULL) + fatal("solaris_basic_privset: %s", strerror(errno)); + + if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 || +#ifdef PRIV_NET_ACCESS + priv_delset(pset, PRIV_NET_ACCESS) != 0 || +#endif + priv_delset(pset, PRIV_PROC_EXEC) != 0 || + priv_delset(pset, PRIV_PROC_INFO) != 0 || + priv_delset(pset, PRIV_PROC_SESSION) != 0) + fatal("priv_delset: %s", strerror(errno)); + + if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 || + setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 || + setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0) + fatal("setppriv: %s", strerror(errno)); + + priv_freeset(pset); +} + +#endif diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h index cd442e7..3a41ea8 100644 --- a/openbsd-compat/port-solaris.h +++ b/openbsd-compat/port-solaris.h @@ -26,5 +26,11 @@ void solaris_contract_pre_fork(void); void solaris_contract_post_fork_child(void); void solaris_contract_post_fork_parent(pid_t pid); void solaris_set_default_project(struct passwd *); +# ifdef USE_SOLARIS_PRIVS +priv_set_t *solaris_basic_privset(void); +void solaris_drop_privs_pinfo_net_fork_exec(void); +void solaris_drop_privs_root_pinfo_net(void); +void solaris_drop_privs_root_pinfo_net_exec(void); +# endif /* USE_SOLARIS_PRIVS */ #endif diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c index ba4cea9..a2f090e 100644 --- a/openbsd-compat/realpath.c +++ b/openbsd-compat/realpath.c @@ -1,4 +1,4 @@ -/* $OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */ +/* $OpenBSD: realpath.c,v 1.20 2015/10/13 20:55:37 millert Exp $ */ /* * Copyright (c) 2003 Constantin S. Svintsoff * @@ -42,6 +42,13 @@ #include #include #include +#include + +#ifndef SYMLOOP_MAX +# define SYMLOOP_MAX 32 +#endif + +/* A slightly modified copy of this file exists in libexec/ld.so */ /* * char *realpath(const char *path, char resolved[PATH_MAX]); @@ -51,16 +58,30 @@ * in which case the path which caused trouble is left in (resolved). */ char * -realpath(const char *path, char resolved[PATH_MAX]) +realpath(const char *path, char *resolved) { struct stat sb; char *p, *q, *s; size_t left_len, resolved_len; unsigned symlinks; - int serrno, slen; + int serrno, slen, mem_allocated; char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX]; + if (path[0] == '\0') { + errno = ENOENT; + return (NULL); + } + serrno = errno; + + if (resolved == NULL) { + resolved = malloc(PATH_MAX); + if (resolved == NULL) + return (NULL); + mem_allocated = 1; + } else + mem_allocated = 0; + symlinks = 0; if (path[0] == '/') { resolved[0] = '/'; @@ -71,7 +92,10 @@ realpath(const char *path, char resolved[PATH_MAX]) left_len = strlcpy(left, path + 1, sizeof(left)); } else { if (getcwd(resolved, PATH_MAX) == NULL) { - strlcpy(resolved, ".", PATH_MAX); + if (mem_allocated) + free(resolved); + else + strlcpy(resolved, ".", PATH_MAX); return (NULL); } resolved_len = strlen(resolved); @@ -79,7 +103,7 @@ realpath(const char *path, char resolved[PATH_MAX]) } if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) { errno = ENAMETOOLONG; - return (NULL); + goto err; } /* @@ -94,7 +118,7 @@ realpath(const char *path, char resolved[PATH_MAX]) s = p ? p : left + left_len; if (s - left >= (ptrdiff_t)sizeof(next_token)) { errno = ENAMETOOLONG; - return (NULL); + goto err; } memcpy(next_token, left, s - left); next_token[s - left] = '\0'; @@ -104,7 +128,7 @@ realpath(const char *path, char resolved[PATH_MAX]) if (resolved[resolved_len - 1] != '/') { if (resolved_len + 1 >= PATH_MAX) { errno = ENAMETOOLONG; - return (NULL); + goto err; } resolved[resolved_len++] = '/'; resolved[resolved_len] = '\0'; @@ -135,23 +159,23 @@ realpath(const char *path, char resolved[PATH_MAX]) resolved_len = strlcat(resolved, next_token, PATH_MAX); if (resolved_len >= PATH_MAX) { errno = ENAMETOOLONG; - return (NULL); + goto err; } if (lstat(resolved, &sb) != 0) { if (errno == ENOENT && p == NULL) { errno = serrno; return (resolved); } - return (NULL); + goto err; } if (S_ISLNK(sb.st_mode)) { - if (symlinks++ > MAXSYMLINKS) { + if (symlinks++ > SYMLOOP_MAX) { errno = ELOOP; - return (NULL); + goto err; } slen = readlink(resolved, symlink, sizeof(symlink) - 1); if (slen < 0) - return (NULL); + goto err; symlink[slen] = '\0'; if (symlink[0] == '/') { resolved[1] = 0; @@ -174,15 +198,15 @@ realpath(const char *path, char resolved[PATH_MAX]) if (slen + 1 >= (ptrdiff_t)sizeof(symlink)) { errno = ENAMETOOLONG; - return (NULL); + goto err; } symlink[slen] = '/'; symlink[slen + 1] = 0; } - left_len = strlcat(symlink, left, sizeof(left)); - if (left_len >= sizeof(left)) { + left_len = strlcat(symlink, left, sizeof(symlink)); + if (left_len >= sizeof(symlink)) { errno = ENAMETOOLONG; - return (NULL); + goto err; } } left_len = strlcpy(left, symlink, sizeof(left)); @@ -196,5 +220,10 @@ realpath(const char *path, char resolved[PATH_MAX]) if (resolved_len > 1 && resolved[resolved_len - 1] == '/') resolved[resolved_len - 1] = '\0'; return (resolved); + +err: + if (mem_allocated) + free(resolved); + return (NULL); } #endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */ diff --git a/packet.c b/packet.c index 7b5c419..f406c07 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.214 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: packet.c,v 1.229 2016/02/17 22:20:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -83,7 +83,6 @@ #include "channels.h" #include "ssh.h" #include "packet.h" -#include "roaming.h" #include "ssherr.h" #include "sshbuf.h" @@ -181,8 +180,7 @@ struct session_state { struct packet_state p_read, p_send; /* Volume-based rekeying */ - u_int64_t max_blocks_in, max_blocks_out; - u_int32_t rekey_limit; + u_int64_t max_blocks_in, max_blocks_out, rekey_limit; /* Time-based rekeying */ u_int32_t rekey_interval; /* how often in seconds */ @@ -261,6 +259,14 @@ ssh_alloc_session_state(void) return NULL; } +/* Returns nonzero if rekeying is in progress */ +int +ssh_packet_is_rekeying(struct ssh *ssh) +{ + return compat20 && + (ssh->state->rekeying || (ssh->kex != NULL && ssh->kex->done == 0)); +} + /* * Sets the descriptors used for communication. Disables encryption until * packet_set_encryption_key is called. @@ -338,7 +344,8 @@ ssh_packet_stop_discard(struct ssh *ssh) sshbuf_ptr(state->incoming_packet), PACKET_MAX_SIZE, NULL, 0); } - logit("Finished discarding for %.200s", ssh_remote_ipaddr(ssh)); + logit("Finished discarding for %.200s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); return SSH_ERR_MAC_INVALID; } @@ -455,16 +462,30 @@ ssh_packet_get_connection_out(struct ssh *ssh) const char * ssh_remote_ipaddr(struct ssh *ssh) { + const int sock = ssh->state->connection_in; + /* Check whether we have cached the ipaddr. */ - if (ssh->remote_ipaddr == NULL) - ssh->remote_ipaddr = ssh_packet_connection_is_on_socket(ssh) ? - get_peer_ipaddr(ssh->state->connection_in) : - strdup("UNKNOWN"); - if (ssh->remote_ipaddr == NULL) - return "UNKNOWN"; + if (ssh->remote_ipaddr == NULL) { + if (ssh_packet_connection_is_on_socket(ssh)) { + ssh->remote_ipaddr = get_peer_ipaddr(sock); + ssh->remote_port = get_sock_port(sock, 0); + } else { + ssh->remote_ipaddr = strdup("UNKNOWN"); + ssh->remote_port = 0; + } + } return ssh->remote_ipaddr; } +/* Returns the port number of the remote host. */ + +int +ssh_remote_port(struct ssh *ssh) +{ + (void)ssh_remote_ipaddr(ssh); /* Will lookup and cache. */ + return ssh->remote_port; +} + /* Closes the connection and clears and frees internal data structures. */ void @@ -519,10 +540,8 @@ ssh_packet_close(struct ssh *ssh) error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); if ((r = cipher_cleanup(&state->receive_context)) != 0) error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); - if (ssh->remote_ipaddr) { - free(ssh->remote_ipaddr); - ssh->remote_ipaddr = NULL; - } + free(ssh->remote_ipaddr); + ssh->remote_ipaddr = NULL; free(ssh->state); ssh->state = NULL; } @@ -941,7 +960,12 @@ ssh_set_newkeys(struct ssh *ssh, int mode) max_blocks = &state->max_blocks_in; } if (state->newkeys[mode] != NULL) { - debug("set_newkeys: rekeying"); + debug("set_newkeys: rekeying, input %llu bytes %llu blocks, " + "output %llu bytes %llu blocks", + (unsigned long long)state->p_read.bytes, + (unsigned long long)state->p_read.blocks, + (unsigned long long)state->p_send.bytes, + (unsigned long long)state->p_send.blocks); if ((r = cipher_cleanup(cc)) != 0) return r; enc = &state->newkeys[mode]->enc; @@ -1009,9 +1033,55 @@ ssh_set_newkeys(struct ssh *ssh, int mode) if (state->rekey_limit) *max_blocks = MIN(*max_blocks, state->rekey_limit / enc->block_size); + debug("rekey after %llu blocks", (unsigned long long)*max_blocks); return 0; } +#define MAX_PACKETS (1U<<31) +static int +ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +{ + struct session_state *state = ssh->state; + u_int32_t out_blocks; + + /* XXX client can't cope with rekeying pre-auth */ + if (!state->after_authentication) + return 0; + + /* Haven't keyed yet or KEX in progress. */ + if (ssh->kex == NULL || ssh_packet_is_rekeying(ssh)) + return 0; + + /* Peer can't rekey */ + if (ssh->compat & SSH_BUG_NOREKEY) + return 0; + + /* + * Permit one packet in or out per rekey - this allows us to + * make progress when rekey limits are very small. + */ + if (state->p_send.packets == 0 && state->p_read.packets == 0) + return 0; + + /* Time-based rekeying */ + if (state->rekey_interval != 0 && + state->rekey_time + state->rekey_interval <= monotime()) + return 1; + + /* Always rekey when MAX_PACKETS sent in either direction */ + if (state->p_send.packets > MAX_PACKETS || + state->p_read.packets > MAX_PACKETS) + return 1; + + /* Rekey after (cipher-specific) maxiumum blocks */ + out_blocks = roundup(outbound_packet_len, + state->newkeys[MODE_OUT]->enc.block_size); + return (state->max_blocks_out && + (state->p_send.blocks + out_blocks > state->max_blocks_out)) || + (state->max_blocks_in && + (state->p_read.blocks > state->max_blocks_in)); +} + /* * Delayed compression for SSH2 is enabled after authentication: * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent, @@ -1050,6 +1120,20 @@ ssh_packet_enable_delayed_compress(struct ssh *ssh) return 0; } +/* Used to mute debug logging for noisy packet types */ +static int +ssh_packet_log_type(u_char type) +{ + switch (type) { + case SSH2_MSG_CHANNEL_DATA: + case SSH2_MSG_CHANNEL_EXTENDED_DATA: + case SSH2_MSG_CHANNEL_WINDOW_ADJUST: + return 0; + default: + return 1; + } +} + /* * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) */ @@ -1078,7 +1162,8 @@ ssh_packet_send2_wrapped(struct ssh *ssh) aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; type = (sshbuf_ptr(state->outgoing_packet))[5]; - + if (ssh_packet_log_type(type)) + debug3("send packet: type %u", type); #ifdef PACKET_DEBUG fprintf(stderr, "plain: "); sshbuf_dump(state->outgoing_packet, stderr); @@ -1200,34 +1285,58 @@ ssh_packet_send2_wrapped(struct ssh *ssh) return r; } +/* returns non-zero if the specified packet type is usec by KEX */ +static int +ssh_packet_type_is_kex(u_char type) +{ + return + type >= SSH2_MSG_TRANSPORT_MIN && + type <= SSH2_MSG_TRANSPORT_MAX && + type != SSH2_MSG_SERVICE_REQUEST && + type != SSH2_MSG_SERVICE_ACCEPT && + type != SSH2_MSG_EXT_INFO; +} + int ssh_packet_send2(struct ssh *ssh) { struct session_state *state = ssh->state; struct packet *p; u_char type; - int r; + int r, need_rekey; + if (sshbuf_len(state->outgoing_packet) < 6) + return SSH_ERR_INTERNAL_ERROR; type = sshbuf_ptr(state->outgoing_packet)[5]; + need_rekey = !ssh_packet_type_is_kex(type) && + ssh_packet_need_rekeying(ssh, sshbuf_len(state->outgoing_packet)); - /* during rekeying we can only send key exchange messages */ - if (state->rekeying) { - if ((type < SSH2_MSG_TRANSPORT_MIN) || - (type > SSH2_MSG_TRANSPORT_MAX) || - (type == SSH2_MSG_SERVICE_REQUEST) || - (type == SSH2_MSG_SERVICE_ACCEPT)) { - debug("enqueue packet: %u", type); - p = calloc(1, sizeof(*p)); - if (p == NULL) - return SSH_ERR_ALLOC_FAIL; - p->type = type; - p->payload = state->outgoing_packet; - TAILQ_INSERT_TAIL(&state->outgoing, p, next); - state->outgoing_packet = sshbuf_new(); - if (state->outgoing_packet == NULL) - return SSH_ERR_ALLOC_FAIL; - return 0; + /* + * During rekeying we can only send key exchange messages. + * Queue everything else. + */ + if ((need_rekey || state->rekeying) && !ssh_packet_type_is_kex(type)) { + if (need_rekey) + debug3("%s: rekex triggered", __func__); + debug("enqueue packet: %u", type); + p = calloc(1, sizeof(*p)); + if (p == NULL) + return SSH_ERR_ALLOC_FAIL; + p->type = type; + p->payload = state->outgoing_packet; + TAILQ_INSERT_TAIL(&state->outgoing, p, next); + state->outgoing_packet = sshbuf_new(); + if (state->outgoing_packet == NULL) + return SSH_ERR_ALLOC_FAIL; + if (need_rekey) { + /* + * This packet triggered a rekey, so send the + * KEXINIT now. + * NB. reenters this function via kex_start_rekex(). + */ + return kex_start_rekex(ssh); } + return 0; } /* rekeying starts with sending KEXINIT */ @@ -1243,10 +1352,22 @@ ssh_packet_send2(struct ssh *ssh) state->rekey_time = monotime(); while ((p = TAILQ_FIRST(&state->outgoing))) { type = p->type; + /* + * If this packet triggers a rekex, then skip the + * remaining packets in the queue for now. + * NB. re-enters this function via kex_start_rekex. + */ + if (ssh_packet_need_rekeying(ssh, + sshbuf_len(p->payload))) { + debug3("%s: queued packet triggered rekex", + __func__); + return kex_start_rekex(ssh); + } debug("dequeue packet: %u", type); sshbuf_free(state->outgoing_packet); state->outgoing_packet = p->payload; TAILQ_REMOVE(&state->outgoing, p, next); + memset(p, 0, sizeof(*p)); free(p); if ((r = ssh_packet_send2_wrapped(ssh)) != 0) return r; @@ -1265,7 +1386,7 @@ int ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) { struct session_state *state = ssh->state; - int len, r, ms_remain, cont; + int len, r, ms_remain; fd_set *setp; char buf[8192]; struct timeval timeout, start, *timeoutp = NULL; @@ -1335,11 +1456,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) if (r == 0) return SSH_ERR_CONN_TIMEOUT; /* Read data from the socket. */ - do { - cont = 0; - len = roaming_read(state->connection_in, buf, - sizeof(buf), &cont); - } while (len == 0 && cont); + len = read(state->connection_in, buf, sizeof(buf)); if (len == 0) { r = SSH_ERR_CONN_CLOSED; goto out; @@ -1734,6 +1851,8 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) */ if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) goto out; + if (ssh_packet_log_type(*typep)) + debug3("receive packet: type %u", *typep); if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) { if ((r = sshpkt_disconnect(ssh, "Invalid ssh2 packet type: %d", *typep)) != 0 || @@ -1753,6 +1872,13 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) #endif /* reset for next packet */ state->packlen = 0; + + /* do we need to rekey? */ + if (ssh_packet_need_rekeying(ssh, 0)) { + debug3("%s: rekex triggered", __func__); + if ((r = kex_start_rekex(ssh)) != 0) + return r; + } out: return r; } @@ -1783,8 +1909,7 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) if ((r = sshpkt_get_u8(ssh, NULL)) != 0 || (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 || (r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { - if (msg) - free(msg); + free(msg); return r; } debug("Remote: %.900s", msg); @@ -1798,8 +1923,9 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) do_log2(ssh->state->server_side && reason == SSH2_DISCONNECT_BY_APPLICATION ? SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, - "Received disconnect from %s: %u: %.400s", - ssh_remote_ipaddr(ssh), reason, msg); + "Received disconnect from %s port %d:" + "%u: %.400s", ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh), reason, msg); free(msg); return SSH_ERR_DISCONNECTED; case SSH2_MSG_UNIMPLEMENTED: @@ -1827,8 +1953,9 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) case SSH_MSG_DISCONNECT: if ((r = sshpkt_get_string(ssh, &msg, NULL)) != 0) return r; - error("Received disconnect from %s: %.400s", - ssh_remote_ipaddr(ssh), msg); + error("Received disconnect from %s port %d: " + "%.400s", ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh), msg); free(msg); return SSH_ERR_DISCONNECTED; default: @@ -1918,19 +2045,22 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r) { switch (r) { case SSH_ERR_CONN_CLOSED: - logit("Connection closed by %.200s", ssh_remote_ipaddr(ssh)); + logit("Connection closed by %.200s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); cleanup_exit(255); case SSH_ERR_CONN_TIMEOUT: - logit("Connection to %.200s timed out", ssh_remote_ipaddr(ssh)); + logit("Connection %s %.200s port %d timed out", + ssh->state->server_side ? "from" : "to", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); cleanup_exit(255); case SSH_ERR_DISCONNECTED: - logit("Disconnected from %.200s", - ssh_remote_ipaddr(ssh)); + logit("Disconnected from %.200s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); cleanup_exit(255); case SSH_ERR_SYSTEM_ERROR: if (errno == ECONNRESET) { - logit("Connection reset by %.200s", - ssh_remote_ipaddr(ssh)); + logit("Connection reset by %.200s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); cleanup_exit(255); } /* FALLTHROUGH */ @@ -1940,15 +2070,17 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r) case SSH_ERR_NO_KEX_ALG_MATCH: case SSH_ERR_NO_HOSTKEY_ALG_MATCH: if (ssh && ssh->kex && ssh->kex->failed_choice) { - fatal("Unable to negotiate with %.200s: %s. " + fatal("Unable to negotiate with %.200s port %d: %s. " "Their offer: %s", ssh_remote_ipaddr(ssh), - ssh_err(r), ssh->kex->failed_choice); + ssh_remote_port(ssh), ssh_err(r), + ssh->kex->failed_choice); } /* FALLTHROUGH */ default: - fatal("%s%sConnection to %.200s: %s", + fatal("%s%sConnection %s %.200s port %d: %s", tag != NULL ? tag : "", tag != NULL ? ": " : "", - ssh_remote_ipaddr(ssh), ssh_err(r)); + ssh->state->server_side ? "from" : "to", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ssh_err(r)); } } @@ -2005,19 +2137,18 @@ ssh_packet_write_poll(struct ssh *ssh) { struct session_state *state = ssh->state; int len = sshbuf_len(state->output); - int cont, r; + int r; if (len > 0) { - cont = 0; - len = roaming_write(state->connection_out, - sshbuf_ptr(state->output), len, &cont); + len = write(state->connection_out, + sshbuf_ptr(state->output), len); if (len == -1) { if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK) return 0; return SSH_ERR_SYSTEM_ERROR; } - if (len == 0 && !cont) + if (len == 0) return SSH_ERR_CONN_CLOSED; if ((r = sshbuf_consume(state->output, len)) != 0) return r; @@ -2041,7 +2172,10 @@ ssh_packet_write_wait(struct ssh *ssh) NFDBITS), sizeof(fd_mask)); if (setp == NULL) return SSH_ERR_ALLOC_FAIL; - ssh_packet_write_poll(ssh); + if ((r = ssh_packet_write_poll(ssh)) != 0) { + free(setp); + return r; + } while (ssh_packet_have_data_to_write(ssh)) { memset(setp, 0, howmany(state->connection_out + 1, NFDBITS) * sizeof(fd_mask)); @@ -2229,29 +2363,10 @@ ssh_packet_send_ignore(struct ssh *ssh, int nbytes) } } -#define MAX_PACKETS (1U<<31) -int -ssh_packet_need_rekeying(struct ssh *ssh) -{ - struct session_state *state = ssh->state; - - if (ssh->compat & SSH_BUG_NOREKEY) - return 0; - return - (state->p_send.packets > MAX_PACKETS) || - (state->p_read.packets > MAX_PACKETS) || - (state->max_blocks_out && - (state->p_send.blocks > state->max_blocks_out)) || - (state->max_blocks_in && - (state->p_read.blocks > state->max_blocks_in)) || - (state->rekey_interval != 0 && state->rekey_time + - state->rekey_interval <= monotime()); -} - void -ssh_packet_set_rekey_limits(struct ssh *ssh, u_int32_t bytes, time_t seconds) +ssh_packet_set_rekey_limits(struct ssh *ssh, u_int64_t bytes, time_t seconds) { - debug3("rekey after %lld bytes, %d seconds", (long long)bytes, + debug3("rekey after %llu bytes, %d seconds", (unsigned long long)bytes, (int)seconds); ssh->state->rekey_limit = bytes; ssh->state->rekey_interval = seconds; @@ -2291,58 +2406,6 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } -/* XXX TODO update roaming to new API (does not work anyway) */ -/* - * Save the state for the real connection, and use a separate state when - * resuming a suspended connection. - */ -void -ssh_packet_backup_state(struct ssh *ssh, - struct ssh *backup_state) -{ - struct ssh *tmp; - - close(ssh->state->connection_in); - ssh->state->connection_in = -1; - close(ssh->state->connection_out); - ssh->state->connection_out = -1; - if (backup_state) - tmp = backup_state; - else - tmp = ssh_alloc_session_state(); - backup_state = ssh; - ssh = tmp; -} - -/* XXX FIXME FIXME FIXME */ -/* - * Swap in the old state when resuming a connecion. - */ -void -ssh_packet_restore_state(struct ssh *ssh, - struct ssh *backup_state) -{ - struct ssh *tmp; - u_int len; - int r; - - tmp = backup_state; - backup_state = ssh; - ssh = tmp; - ssh->state->connection_in = backup_state->state->connection_in; - backup_state->state->connection_in = -1; - ssh->state->connection_out = backup_state->state->connection_out; - backup_state->state->connection_out = -1; - len = sshbuf_len(backup_state->state->input); - if (len > 0) { - if ((r = sshbuf_putb(ssh->state->input, - backup_state->state->input)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); - sshbuf_reset(backup_state->state->input); - add_recv_bytes(len); - } -} - /* Reset after_authentication and reset compression in post-auth privsep */ static int ssh_packet_set_postauth(struct ssh *ssh) @@ -2430,8 +2493,7 @@ newkeys_to_blob(struct sshbuf *m, struct ssh *ssh, int mode) goto out; r = sshbuf_put_stringb(m, b); out: - if (b != NULL) - sshbuf_free(b); + sshbuf_free(b); return r; } @@ -2462,7 +2524,7 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) if ((r = kex_to_blob(m, ssh->kex)) != 0 || (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || - (r = sshbuf_put_u32(m, state->rekey_limit)) != 0 || + (r = sshbuf_put_u64(m, state->rekey_limit)) != 0 || (r = sshbuf_put_u32(m, state->rekey_interval)) != 0 || (r = sshbuf_put_u32(m, state->p_send.seqnr)) != 0 || (r = sshbuf_put_u64(m, state->p_send.blocks)) != 0 || @@ -2493,11 +2555,6 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) (r = sshbuf_put_stringb(m, state->output)) != 0) return r; - if (compat20) { - if ((r = sshbuf_put_u64(m, get_sent_bytes())) != 0 || - (r = sshbuf_put_u64(m, get_recv_bytes())) != 0) - return r; - } return 0; } @@ -2566,10 +2623,8 @@ newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode) newkey = NULL; r = 0; out: - if (newkey != NULL) - free(newkey); - if (b != NULL) - sshbuf_free(b); + free(newkey); + sshbuf_free(b); return r; } @@ -2602,10 +2657,8 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) out: if (r != 0 || kexp == NULL) { if (kex != NULL) { - if (kex->my != NULL) - sshbuf_free(kex->my); - if (kex->peer != NULL) - sshbuf_free(kex->peer); + sshbuf_free(kex->my); + sshbuf_free(kex->peer); free(kex); } if (kexp != NULL) @@ -2628,7 +2681,6 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) size_t ssh1keylen, rlen, slen, ilen, olen; int r; u_int ssh1cipher = 0; - u_int64_t sent_bytes = 0, recv_bytes = 0; if (!compat20) { if ((r = sshbuf_get_u32(m, &state->remote_protocol_flags)) != 0 || @@ -2651,7 +2703,7 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) if ((r = kex_from_blob(m, &ssh->kex)) != 0 || (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || - (r = sshbuf_get_u32(m, &state->rekey_limit)) != 0 || + (r = sshbuf_get_u64(m, &state->rekey_limit)) != 0 || (r = sshbuf_get_u32(m, &state->rekey_interval)) != 0 || (r = sshbuf_get_u32(m, &state->p_send.seqnr)) != 0 || (r = sshbuf_get_u64(m, &state->p_send.blocks)) != 0 || @@ -2693,12 +2745,6 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) (r = sshbuf_put(state->output, output, olen)) != 0) return r; - if (compat20) { - if ((r = sshbuf_get_u64(m, &sent_bytes)) != 0 || - (r = sshbuf_get_u64(m, &recv_bytes)) != 0) - return r; - roam_set_bytes(sent_bytes, recv_bytes); - } if (sshbuf_len(m)) return SSH_ERR_INVALID_FORMAT; debug3("%s: done", __func__); diff --git a/packet.h b/packet.h index 7b06544..28516a5 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.66 2015/01/30 01:13:33 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.70 2016/02/08 10:57:07 djm Exp $ */ /* * Author: Tatu Ylonen @@ -86,6 +86,7 @@ int ssh_packet_get_connection_in(struct ssh *); int ssh_packet_get_connection_out(struct ssh *); void ssh_packet_close(struct ssh *); void ssh_packet_set_encryption_key(struct ssh *, const u_char *, u_int, int); +int ssh_packet_is_rekeying(struct ssh *); void ssh_packet_set_protocol_flags(struct ssh *, u_int); u_int ssh_packet_get_protocol_flags(struct ssh *); int ssh_packet_start_compression(struct ssh *, int); @@ -143,15 +144,11 @@ int ssh_packet_get_state(struct ssh *, struct sshbuf *); int ssh_packet_set_state(struct ssh *, struct sshbuf *); const char *ssh_remote_ipaddr(struct ssh *); +int ssh_remote_port(struct ssh *); -int ssh_packet_need_rekeying(struct ssh *); -void ssh_packet_set_rekey_limits(struct ssh *, u_int32_t, time_t); +void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, time_t); time_t ssh_packet_get_rekey_timeout(struct ssh *); -/* XXX FIXME */ -void ssh_packet_backup_state(struct ssh *, struct ssh *); -void ssh_packet_restore_state(struct ssh *, struct ssh *); - void *ssh_packet_get_input(struct ssh *); void *ssh_packet_get_output(struct ssh *); diff --git a/platform-pledge.c b/platform-pledge.c new file mode 100644 index 0000000..4a6ec15 --- /dev/null +++ b/platform-pledge.c @@ -0,0 +1,71 @@ +/* + * Copyright (c) 2015 Joyent, Inc + * Author: Alex Wilson + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include + +#include +#include + +#include "platform.h" + +#include "openbsd-compat/openbsd-compat.h" + +/* + * Drop any fine-grained privileges that are not needed for post-startup + * operation of ssh-agent + * + * Should be as close as possible to pledge("stdio cpath unix id proc exec", ...) + */ +void +platform_pledge_agent(void) +{ +#ifdef USE_SOLARIS_PRIVS + /* + * Note: Solaris priv dropping is closer to tame() than pledge(), but + * we will use what we have. + */ + solaris_drop_privs_root_pinfo_net(); +#endif +} + +/* + * Drop any fine-grained privileges that are not needed for post-startup + * operation of sftp-server + */ +void +platform_pledge_sftp_server(void) +{ +#ifdef USE_SOLARIS_PRIVS + solaris_drop_privs_pinfo_net_fork_exec(); +#endif +} + +/* + * Drop any fine-grained privileges that are not needed for the post-startup + * operation of the SSH client mux + * + * Should be as close as possible to pledge("stdio proc tty", ...) + */ +void +platform_pledge_mux(void) +{ +#ifdef USE_SOLARIS_PRIVS + solaris_drop_privs_root_pinfo_net_exec(); +#endif +} diff --git a/platform.h b/platform.h index 1c7a45d..e687c99 100644 --- a/platform.h +++ b/platform.h @@ -31,3 +31,8 @@ void platform_setusercontext_post_groups(struct passwd *); char *platform_get_krb5_client(const char *); char *platform_krb5_get_principal_name(const char *); int platform_sys_dir_uid(uid_t); + +/* in platform-pledge.c */ +void platform_pledge_agent(void); +void platform_pledge_sftp_server(void); +void platform_pledge_mux(void); diff --git a/readconf.c b/readconf.c index cd01482..69d4553 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.239 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.250 2016/02/08 23:40:12 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -135,6 +135,7 @@ typedef enum { oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, + oCertificateFile, oAddKeysToAgent, oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, @@ -151,7 +152,7 @@ typedef enum { oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, - oVisualHostKey, oUseRoaming, + oVisualHostKey, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, @@ -202,6 +203,8 @@ static struct { { "identityfile", oIdentityFile }, { "identityfile2", oIdentityFile }, /* obsolete */ { "identitiesonly", oIdentitiesOnly }, + { "certificatefile", oCertificateFile }, + { "addkeystoagent", oAddKeysToAgent }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, @@ -260,7 +263,7 @@ static struct { { "localcommand", oLocalCommand }, { "permitlocalcommand", oPermitLocalCommand }, { "visualhostkey", oVisualHostKey }, - { "useroaming", oUseRoaming }, + { "useroaming", oDeprecated }, { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, @@ -366,6 +369,30 @@ clear_forwardings(Options *options) } void +add_certificate_file(Options *options, const char *path, int userprovided) +{ + int i; + + if (options->num_certificate_files >= SSH_MAX_CERTIFICATE_FILES) + fatal("Too many certificate files specified (max %d)", + SSH_MAX_CERTIFICATE_FILES); + + /* Avoid registering duplicates */ + for (i = 0; i < options->num_certificate_files; i++) { + if (options->certificate_file_userprovided[i] == userprovided && + strcmp(options->certificate_files[i], path) == 0) { + debug2("%s: ignoring duplicate key %s", __func__, path); + return; + } + } + + options->certificate_file_userprovided[options->num_certificate_files] = + userprovided; + options->certificate_files[options->num_certificate_files++] = + xstrdup(path); +} + +void add_identity_file(Options *options, const char *dir, const char *filename, int userprovided) { @@ -416,7 +443,7 @@ default_ssh_port(void) static int execute_in_shell(const char *cmd) { - char *shell, *command_string; + char *shell; pid_t pid; int devnull, status; extern uid_t original_real_uid; @@ -424,12 +451,6 @@ execute_in_shell(const char *cmd) if ((shell = getenv("SHELL")) == NULL) shell = _PATH_BSHELL; - /* - * Use "exec" to avoid "sh -c" processes on some platforms - * (e.g. Solaris) - */ - xasprintf(&command_string, "exec %s", cmd); - /* Need this to redirect subprocess stdin/out */ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) fatal("open(/dev/null): %s", strerror(errno)); @@ -454,7 +475,7 @@ execute_in_shell(const char *cmd) argv[0] = shell; argv[1] = "-c"; - argv[2] = command_string; + argv[2] = xstrdup(cmd); argv[3] = NULL; execv(argv[0], argv); @@ -469,7 +490,6 @@ execute_in_shell(const char *cmd) fatal("%s: fork: %.100s", __func__, strerror(errno)); close(devnull); - free(command_string); while (waitpid(pid, &status, 0) == -1) { if (errno != EINTR && errno != EAGAIN) @@ -502,12 +522,15 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, */ port = options->port <= 0 ? default_ssh_port() : options->port; ruser = options->user == NULL ? pw->pw_name : options->user; - if (options->hostname != NULL) { + if (post_canon) { + host = xstrdup(options->hostname); + } else if (options->hostname != NULL) { /* NB. Please keep in sync with ssh.c:main() */ host = percent_expand(options->hostname, "h", host_arg, (char *)NULL); - } else + } else { host = xstrdup(host_arg); + } debug2("checking match for '%s' host %s originally %s", cp, host, original_host); @@ -693,6 +716,15 @@ static const struct multistate multistate_yesnoask[] = { { "ask", 2 }, { NULL, -1 } }; +static const struct multistate multistate_yesnoaskconfirm[] = { + { "true", 1 }, + { "false", 0 }, + { "yes", 1 }, + { "no", 0 }, + { "ask", 2 }, + { "confirm", 3 }, + { NULL, -1 } +}; static const struct multistate multistate_addressfamily[] = { { "inet", AF_INET }, { "inet6", AF_INET6 }, @@ -947,16 +979,12 @@ parse_time: if (scan_scaled(arg, &val64) == -1) fatal("%.200s line %d: Bad number '%s': %s", filename, linenum, arg, strerror(errno)); - /* check for too-large or too-small limits */ - if (val64 > UINT_MAX) - fatal("%.200s line %d: RekeyLimit too large", - filename, linenum); if (val64 != 0 && val64 < 16) fatal("%.200s line %d: RekeyLimit too small", filename, linenum); } if (*activep && options->rekey_limit == -1) - options->rekey_limit = (u_int32_t)val64; + options->rekey_limit = val64; if (s != NULL) { /* optional rekey interval present */ if (strcmp(s, "none") == 0) { (void)strdelim(&s); /* discard */ @@ -981,6 +1009,24 @@ parse_time: } break; + case oCertificateFile: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); + if (*activep) { + intptr = &options->num_certificate_files; + if (*intptr >= SSH_MAX_CERTIFICATE_FILES) { + fatal("%.200s line %d: Too many certificate " + "files specified (max %d).", + filename, linenum, + SSH_MAX_CERTIFICATE_FILES); + } + add_certificate_file(options, arg, + flags & SSHCONF_USERCONF); + } + break; + case oXAuthLocation: charptr=&options->xauth_location; goto parse_string; @@ -1378,10 +1424,6 @@ parse_keytypes: } break; - case oUseRoaming: - intptr = &options->use_roaming; - goto parse_flag; - case oRequestTTY: intptr = &options->request_tty; multistate_ptr = multistate_requesttty; @@ -1496,6 +1538,11 @@ parse_keytypes: charptr = &options->pubkey_key_types; goto parse_keytypes; + case oAddKeysToAgent: + intptr = &options->add_keys_to_agent; + multistate_ptr = multistate_yesnoaskconfirm; + goto parse_multistate; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1625,6 +1672,7 @@ initialize_options(Options * options) options->hostkeyalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; + options->num_certificate_files = 0; options->hostname = NULL; options->host_key_alias = NULL; options->proxy_command = NULL; @@ -1660,7 +1708,7 @@ initialize_options(Options * options) options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; - options->use_roaming = 0; + options->add_keys_to_agent = -1; options->visual_host_key = -1; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; @@ -1765,6 +1813,8 @@ fill_default_options(Options * options) /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; + if (options->add_keys_to_agent == -1) + options->add_keys_to_agent = 0; if (options->num_identity_files == 0) { if (options->protocol & SSH_PROTO_1) { add_identity_file(options, "~/", @@ -1833,7 +1883,6 @@ fill_default_options(Options * options) options->tun_remote = SSH_TUNID_ANY; if (options->permit_local_command == -1) options->permit_local_command = 0; - options->use_roaming = 0; if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) @@ -2242,6 +2291,10 @@ dump_client_config(Options *o, const char *host) int i; char vbuf[5]; + /* This is normally prepared in ssh_kex2 */ + if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0) + fatal("%s: kex_assemble_names failed", __func__); + /* Most interesting options first: user, host, port */ dump_cfg_string(oUser, o->user); dump_cfg_string(oHostName, host); @@ -2302,7 +2355,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_string(oBindAddress, o->bind_address); dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); dump_cfg_string(oControlPath, o->control_path); - dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); + dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); dump_cfg_string(oHostKeyAlias, o->host_key_alias); dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types); dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); @@ -2313,6 +2366,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); dump_cfg_string(oProxyCommand, o->proxy_command); + dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); dump_cfg_string(oXAuthLocation, o->xauth_location); @@ -2381,8 +2435,8 @@ dump_client_config(Options *o, const char *host) printf("%s\n", iptos2str(o->ip_qos_bulk)); /* oRekeyLimit */ - printf("rekeylimit %lld %d\n", - (long long)o->rekey_limit, o->rekey_interval); + printf("rekeylimit %llu %d\n", + (unsigned long long)o->rekey_limit, o->rekey_interval); /* oStreamLocalBindMask */ printf("streamlocalbindmask 0%o\n", diff --git a/readconf.h b/readconf.h index bb2d552..c84d068 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.110 2015/07/10 06:21:53 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.113 2016/01/14 16:17:40 markus Exp $ */ /* * Author: Tatu Ylonen @@ -95,6 +95,13 @@ typedef struct { int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES]; + int num_certificate_files; /* Number of extra certificates for ssh. */ + char *certificate_files[SSH_MAX_CERTIFICATE_FILES]; + int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES]; + struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES]; + + int add_keys_to_agent; + /* Local TCP/IP forward requests. */ int num_local_forwards; struct Forward *local_forwards; @@ -130,8 +137,6 @@ typedef struct { int permit_local_command; int visual_host_key; - int use_roaming; - int request_tty; int proxy_use_fdpass; @@ -194,5 +199,6 @@ void dump_client_config(Options *o, const char *host); void add_local_forward(Options *, const struct Forward *); void add_remote_forward(Options *, const struct Forward *); void add_identity_file(Options *, const char *, const char *, int); +void add_certificate_file(Options *, const char *, int); #endif /* READCONF_H */ diff --git a/readpass.c b/readpass.c index 869d864..05c8cac 100644 --- a/readpass.c +++ b/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.50 2014/02/02 03:44:31 djm Exp $ */ +/* $OpenBSD: readpass.c,v 1.51 2015/12/11 00:20:04 mmcc Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -76,7 +76,7 @@ ssh_askpass(char *askpass, const char *msg) close(p[0]); if (dup2(p[1], STDOUT_FILENO) < 0) fatal("ssh_askpass: dup2: %s", strerror(errno)); - execlp(askpass, askpass, msg, (char *) 0); + execlp(askpass, askpass, msg, (char *)NULL); fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); } close(p[1]); diff --git a/regress/Makefile b/regress/Makefile index cba83f4..451909c 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $ +# $OpenBSD: Makefile,v 1.82 2015/09/24 06:16:53 djm Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -74,7 +74,8 @@ LTESTS= connect \ hostkey-agent \ keygen-knownhosts \ hostkey-rotate \ - principals-command + principals-command \ + cert-file # dhgex \ diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 1912ca8..bb676d6 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -12,6 +12,11 @@ if have_prog uname ; then esac fi +if [ "x$USER" = "xroot" ]; then + echo "Skipped: running as root" + exit 0 +fi + if have_prog gdb ; then : ok else diff --git a/regress/cert-file.sh b/regress/cert-file.sh new file mode 100755 index 0000000..bad923a --- /dev/null +++ b/regress/cert-file.sh @@ -0,0 +1,138 @@ +# $OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $ +# Placed in the Public Domain. + +tid="ssh with certificates" + +rm -f $OBJ/user_ca_key* $OBJ/user_key* +rm -f $OBJ/cert_user_key* + +# Create a CA key +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\ + fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 ||\ + fatal "ssh-keygen failed" + +# Make some keys and certificates. +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ + fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ + fatal "ssh-keygen failed" +# Move the certificate to a different address to better control +# when it is offered. +${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ + -z $$ -n ${USER} $OBJ/user_key1 || + fail "couldn't sign user_key1 with user_ca_key1" +mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub +${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ + -z $$ -n ${USER} $OBJ/user_key1 || + fail "couldn't sign user_key1 with user_ca_key2" +mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub + +trace 'try with identity files' +opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" +opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" +echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER + +for p in ${SSH_PROTOCOLS}; do + # Just keys should fail + ${SSH} $opts2 somehost exit 5$p + r=$? + if [ $r -eq 5$p ]; then + fail "ssh succeeded with no certs in protocol $p" + fi + + # Keys with untrusted cert should fail. + opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" + ${SSH} $opts3 somehost exit 5$p + r=$? + if [ $r -eq 5$p ]; then + fail "ssh succeeded with bad cert in protocol $p" + fi + + # Good cert with bad key should fail. + opts3="$opts -i $OBJ/user_key2" + opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" + ${SSH} $opts3 somehost exit 5$p + r=$? + if [ $r -eq 5$p ]; then + fail "ssh succeeded with no matching key in protocol $p" + fi + + # Keys with one trusted cert, should succeed. + opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" + ${SSH} $opts3 somehost exit 5$p + r=$? + if [ $r -ne 5$p ]; then + fail "ssh failed with trusted cert and key in protocol $p" + fi + + # Multiple certs and keys, with one trusted cert, should succeed. + opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" + opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" + ${SSH} $opts3 somehost exit 5$p + r=$? + if [ $r -ne 5$p ]; then + fail "ssh failed with multiple certs in protocol $p" + fi + + #Keys with trusted certificate specified in config options, should succeed. + opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" + ${SSH} $opts3 somehost exit 5$p + r=$? + if [ $r -ne 5$p ]; then + fail "ssh failed with trusted cert in config in protocol $p" + fi +done + +#next, using an agent in combination with the keys +SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 +if [ $? -ne 2 ]; then + fatal "ssh-add -l did not fail with exit code 2" +fi + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fatal "could not start ssh-agent: exit code $r" +fi + +# add private keys to agent +${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1 +if [ $? -ne 0 ]; then + fatal "ssh-add did not succeed with exit code 0" +fi +${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1 +if [ $? -ne 0 ]; then + fatal "ssh-add did not succeed with exit code 0" +fi + +# try ssh with the agent and certificates +# note: ssh agent only uses certificates in protocol 2 +opts="-F $OBJ/ssh_proxy" +# with no certificates, shoud fail +${SSH} -2 $opts somehost exit 52 +if [ $? -eq 52 ]; then + fail "ssh connect with agent in protocol 2 succeeded with no cert" +fi + +#with an untrusted certificate, should fail +opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" +${SSH} -2 $opts somehost exit 52 +if [ $? -eq 52 ]; then + fail "ssh connect with agent in protocol 2 succeeded with bad cert" +fi + +#with an additional trusted certificate, should succeed +opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" +${SSH} -2 $opts somehost exit 52 +if [ $? -ne 52 ]; then + fail "ssh connect with agent in protocol 2 failed with good cert" +fi + +trace "kill agent" +${SSHAGENT} -k > /dev/null + +#cleanup +rm -f $OBJ/user_ca_key* $OBJ/user_key* +rm -f $OBJ/cert_user_key* diff --git a/regress/check-perm.c b/regress/check-perm.c new file mode 100644 index 0000000..dac307d --- /dev/null +++ b/regress/check-perm.c @@ -0,0 +1,205 @@ +/* + * Placed in the public domain + */ + +/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_LIBGEN_H +#include +#endif + +static void +fatal(const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(1); +} +/* Based on session.c. NB. keep tests in sync */ +static void +safely_chroot(const char *path, uid_t uid) +{ + const char *cp; + char component[PATH_MAX]; + struct stat st; + + if (*path != '/') + fatal("chroot path does not begin at root"); + if (strlen(path) >= sizeof(component)) + fatal("chroot path too long"); + + /* + * Descend the path, checking that each component is a + * root-owned directory with strict permissions. + */ + for (cp = path; cp != NULL;) { + if ((cp = strchr(cp, '/')) == NULL) + strlcpy(component, path, sizeof(component)); + else { + cp++; + memcpy(component, path, cp - path); + component[cp - path] = '\0'; + } + + /* debug3("%s: checking '%s'", __func__, component); */ + + if (stat(component, &st) != 0) + fatal("%s: stat(\"%s\"): %s", __func__, + component, strerror(errno)); + if (st.st_uid != 0 || (st.st_mode & 022) != 0) + fatal("bad ownership or modes for chroot " + "directory %s\"%s\"", + cp == NULL ? "" : "component ", component); + if (!S_ISDIR(st.st_mode)) + fatal("chroot path %s\"%s\" is not a directory", + cp == NULL ? "" : "component ", component); + + } + + if (chdir(path) == -1) + fatal("Unable to chdir to chroot path \"%s\": " + "%s", path, strerror(errno)); +} + +/* from platform.c */ +int +platform_sys_dir_uid(uid_t uid) +{ + if (uid == 0) + return 1; +#ifdef PLATFORM_SYS_DIR_UID + if (uid == PLATFORM_SYS_DIR_UID) + return 1; +#endif + return 0; +} + +/* from auth.c */ +int +auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, + uid_t uid, char *err, size_t errlen) +{ + char buf[PATH_MAX], homedir[PATH_MAX]; + char *cp; + int comparehome = 0; + struct stat st; + + if (realpath(name, buf) == NULL) { + snprintf(err, errlen, "realpath %s failed: %s", name, + strerror(errno)); + return -1; + } + if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL) + comparehome = 1; + + if (!S_ISREG(stp->st_mode)) { + snprintf(err, errlen, "%s is not a regular file", buf); + return -1; + } + if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || + (stp->st_mode & 022) != 0) { + snprintf(err, errlen, "bad ownership or modes for file %s", + buf); + return -1; + } + + /* for each component of the canonical path, walking upwards */ + for (;;) { + if ((cp = dirname(buf)) == NULL) { + snprintf(err, errlen, "dirname() failed"); + return -1; + } + strlcpy(buf, cp, sizeof(buf)); + + if (stat(buf, &st) < 0 || + (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || + (st.st_mode & 022) != 0) { + snprintf(err, errlen, + "bad ownership or modes for directory %s", buf); + return -1; + } + + /* If are past the homedir then we can stop */ + if (comparehome && strcmp(homedir, buf) == 0) + break; + + /* + * dirname should always complete with a "/" path, + * but we can be paranoid and check for "." too + */ + if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0)) + break; + } + return 0; +} + +static void +usage(void) +{ + fprintf(stderr, "check-perm -m [chroot | keys-command] [path]\n"); + exit(1); +} + +int +main(int argc, char **argv) +{ + const char *path = "."; + char errmsg[256]; + int ch, mode = -1; + extern char *optarg; + extern int optind; + struct stat st; + + while ((ch = getopt(argc, argv, "hm:")) != -1) { + switch (ch) { + case 'm': + if (strcasecmp(optarg, "chroot") == 0) + mode = 1; + else if (strcasecmp(optarg, "keys-command") == 0) + mode = 2; + else { + fprintf(stderr, "Invalid -m option\n"), + usage(); + } + break; + default: + usage(); + } + } + argc -= optind; + argv += optind; + + if (argc > 1) + usage(); + else if (argc == 1) + path = argv[0]; + + if (mode == 1) + safely_chroot(path, getuid()); + else if (mode == 2) { + if (stat(path, &st) < 0) + fatal("Could not stat %s: %s", path, strerror(errno)); + if (auth_secure_path(path, &st, NULL, 0, + errmsg, sizeof(errmsg)) != 0) + fatal("Unsafe %s: %s", path, errmsg); + } else { + fprintf(stderr, "Invalid mode\n"); + usage(); + } + return 0; +} diff --git a/regress/dhgex.sh b/regress/dhgex.sh index 57fca4a..e7c5733 100755 --- a/regress/dhgex.sh +++ b/regress/dhgex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $ +# $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $ # Placed in the Public Domain. tid="dhgex" @@ -20,7 +20,9 @@ ssh_test_dhgex() echo "Ciphers=$cipher" >> $OBJ/sshd_proxy rm -f ${LOG} opts="-oKexAlgorithms=$kex -oCiphers=$cipher" - groupsz="1024<$bits<8192" + min=2048 + max=8192 + groupsz="$min<$bits<$max" verbose "$tid bits $bits $kex $cipher" ${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true if [ $? -ne 0 ]; then diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index 3aa8c40..d69de32 100755 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ +# $OpenBSD: hostkey-rotate.sh,v 1.5 2015/09/04 04:23:10 djm Exp $ # Placed in the Public Domain. tid="hostkey rotate" @@ -108,21 +108,3 @@ verbose "check rotate primary hostkey" dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa expect_nkeys 1 "learn hostkeys" check_key_present ssh-rsa || fail "didn't learn changed key" - -# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ -# Placed in the Public Domain. - -tid="hostkey rotate" - -# Prepare hostkeys file with one key - -# Connect to sshd - -# Check that other keys learned - -# Change one hostkey (non primary) - -# Connect to sshd - -# Check that the key was replaced - diff --git a/regress/keys-command.sh b/regress/keys-command.sh index 700273b..af68cf1 100755 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh @@ -36,6 +36,12 @@ exec cat "$OBJ/authorized_keys_${LOGNAME}" _EOF $SUDO chmod 0755 "$KEY_COMMAND" +if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then + echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand" + $SUDO rm -f $KEY_COMMAND + exit 0 +fi + if [ -x $KEY_COMMAND ]; then cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 886f329..f97364b 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keyscan.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $ # Placed in the Public Domain. tid="keyscan" @@ -8,7 +8,7 @@ rm -f ${OBJ}/host.dsa start_sshd -KEYTYPES="rsa dsa" +KEYTYPES=`${SSH} -Q key-plain` if ssh_version 1; then KEYTYPES="${KEYTYPES} rsa1" fi diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 2de037b..c0cf2fe 100755 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $ +# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $ # Placed in the Public Domain. tid="restrict pubkey type" @@ -20,18 +20,19 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \ fatal "ssh-keygen failed" ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \ fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t dsa -f $OBJ/user_key4 || \ + fatal "ssh-keygen failed" ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || fatal "couldn't sign user_key1" # Copy the private key alongside the cert to allow better control of when # it is offered. mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub -cp -p $OBJ/user_key3 $OBJ/cert_user_key3 grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" -fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2" +certopts="$opts -i $OBJ/user_key3 -oCertificateFile=$OBJ/cert_user_key3.pub" echo mekmitasdigoat > $OBJ/authorized_principals_$USER cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER @@ -53,28 +54,44 @@ prepare_config() { prepare_config # Check we can log in with all key types. -${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed" +${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow plain Ed25519 and RSA. The certificate should fail. -verbose "privsep=$privsep allow rsa,ed25519" +verbose "allow rsa,ed25519" prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519" -${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded" +${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" # Allow Ed25519 only. -verbose "privsep=$privsep allow ed25519" +verbose "allow ed25519" prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519" -${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded" +${SSH} $certopts proxy true && fatal "cert succeeded" ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" # Allow all certs. Plain keys should fail. -verbose "privsep=$privsep allow cert only" +verbose "allow cert only" prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com" -${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed" +${SSH} $certopts proxy true || fatal "cert failed" ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" +# Allow RSA in main config, Ed25519 for non-existent user. +verbose "match w/ no match" +prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \ + "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" +${SSH} $certopts proxy true && fatal "cert succeeded" +${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" +${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" + +# Allow only DSA in main config, Ed25519 for user. +verbose "match w/ matching" +prepare_config "PubkeyAcceptedKeyTypes ssh-dss" \ + "Match user $USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" +${SSH} $certopts proxy true || fatal "cert failed" +${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" +${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" + diff --git a/regress/principals-command.sh b/regress/principals-command.sh index b90a8cf..c0be7e7 100755 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -24,6 +24,13 @@ _EOF test $? -eq 0 || fatal "couldn't prepare principals command" $SUDO chmod 0755 "$PRINCIPALS_CMD" +if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then + echo "skipping: $PRINCIPALS_CMD is unsuitable as " \ + "AuthorizedPrincipalsCommand" + $SUDO rm -f $PRINCIPALS_CMD + exit 0 +fi + # Create a CA key and a user certificate. ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ fatal "ssh-keygen of user_ca_key failed" diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh index f816962..b7a43fa 100644 --- a/regress/proxy-connect.sh +++ b/regress/proxy-connect.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proxy-connect.sh,v 1.8 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $ # Placed in the Public Domain. tid="proxy connect" @@ -18,7 +18,8 @@ for ps in no yes; do fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" fi if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then - fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c" + fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \ + "$SSH_CONNECTION" fi done done diff --git a/regress/rekey.sh b/regress/rekey.sh index 0d4444d..ae145bc 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.16 2015/02/14 12:43:16 markus Exp $ +# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $ # Placed in the Public Domain. tid="rekey" @@ -137,13 +137,15 @@ for s in 5 10; do done verbose "rekeylimit parsing" -for size in 16 1k 1K 1m 1M 1g 1G; do +for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do case $size in 16) bytes=16 ;; 1k|1K) bytes=1024 ;; 1m|1M) bytes=1048576 ;; 1g|1G) bytes=1073741824 ;; + 4g|4G) bytes=4294967296 ;; + 8g|8G) bytes=8589934592 ;; esac case $time in 1) seconds=1 ;; diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c index 676d266..7a0527f 100644 --- a/regress/setuid-allowed.c +++ b/regress/setuid-allowed.c @@ -26,7 +26,7 @@ #include #include -void +static void usage(void) { fprintf(stderr, "check-setuid [path]\n"); diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index 23f7456..9c26eb6 100755 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh @@ -12,6 +12,11 @@ if [ -z "$SUDO" ]; then exit 0 fi +if ! $OBJ/check-perm -m chroot "$CHROOT" ; then + echo "skipped: $CHROOT is unsuitable as ChrootDirectory" + exit 0 +fi + $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ fatal "create $PRIVDATA failed" diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c index c8a2369..906491f 100644 --- a/regress/unittests/sshkey/test_file.c +++ b/regress/unittests/sshkey/test_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_file.c,v 1.4 2015/07/07 14:53:30 markus Exp $ */ +/* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -54,8 +54,7 @@ sshkey_file_tests(void) #ifdef WITH_SSH1 TEST_START("parse RSA1 from private"); buf = load_file("rsa1_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa1_1", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k1, NULL); a = load_bignum("rsa1_1.param.n"); @@ -66,7 +65,7 @@ sshkey_file_tests(void) TEST_START("parse RSA1 from private w/ passphrase"); buf = load_file("rsa1_1_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "rsa1_1_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -104,8 +103,7 @@ sshkey_file_tests(void) TEST_START("parse RSA from private"); buf = load_file("rsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa_1", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k1, NULL); a = load_bignum("rsa_1.param.n"); @@ -122,7 +120,7 @@ sshkey_file_tests(void) TEST_START("parse RSA from private w/ passphrase"); buf = load_file("rsa_1_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "rsa_1_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -131,8 +129,7 @@ sshkey_file_tests(void) TEST_START("parse RSA from new-format"); buf = load_file("rsa_n"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - "", "rsa_n", &k2, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -142,7 +139,7 @@ sshkey_file_tests(void) TEST_START("parse RSA from new-format w/ passphrase"); buf = load_file("rsa_n_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "rsa_n_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -197,8 +194,7 @@ sshkey_file_tests(void) TEST_START("parse DSA from private"); buf = load_file("dsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "dsa_1", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k1, NULL); a = load_bignum("dsa_1.param.g"); @@ -215,7 +211,7 @@ sshkey_file_tests(void) TEST_START("parse DSA from private w/ passphrase"); buf = load_file("dsa_1_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "dsa_1_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -224,8 +220,7 @@ sshkey_file_tests(void) TEST_START("parse DSA from new-format"); buf = load_file("dsa_n"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - "", "dsa_n", &k2, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -235,7 +230,7 @@ sshkey_file_tests(void) TEST_START("parse DSA from new-format w/ passphrase"); buf = load_file("dsa_n_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "dsa_n_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -291,8 +286,7 @@ sshkey_file_tests(void) #ifdef OPENSSL_HAS_ECC TEST_START("parse ECDSA from private"); buf = load_file("ecdsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ecdsa_1", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k1, NULL); buf = load_text_file("ecdsa_1.param.curve"); @@ -315,7 +309,7 @@ sshkey_file_tests(void) TEST_START("parse ECDSA from private w/ passphrase"); buf = load_file("ecdsa_1_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "ecdsa_1_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -324,8 +318,7 @@ sshkey_file_tests(void) TEST_START("parse ECDSA from new-format"); buf = load_file("ecdsa_n"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - "", "ecdsa_n", &k2, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -335,7 +328,7 @@ sshkey_file_tests(void) TEST_START("parse ECDSA from new-format w/ passphrase"); buf = load_file("ecdsa_n_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "ecdsa_n_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); @@ -391,8 +384,7 @@ sshkey_file_tests(void) TEST_START("parse Ed25519 from private"); buf = load_file("ed25519_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ed25519_1", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k1, NULL); ASSERT_INT_EQ(k1->type, KEY_ED25519); @@ -402,7 +394,7 @@ sshkey_file_tests(void) TEST_START("parse Ed25519 from private w/ passphrase"); buf = load_file("ed25519_1_pw"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, - (const char *)sshbuf_ptr(pw), "ed25519_1_pw", &k2, NULL), 0); + (const char *)sshbuf_ptr(pw), &k2, NULL), 0); sshbuf_free(buf); ASSERT_PTR_NE(k2, NULL); ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c index 1f08a2e4..1f414e0 100644 --- a/regress/unittests/sshkey/test_fuzz.c +++ b/regress/unittests/sshkey/test_fuzz.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_fuzz.c,v 1.4 2015/03/04 23:22:35 djm Exp $ */ +/* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */ /* * Fuzz tests for key parsing * @@ -72,13 +72,13 @@ public_fuzz(struct sshkey *k) } static void -sig_fuzz(struct sshkey *k) +sig_fuzz(struct sshkey *k, const char *sig_alg) { struct fuzz *fuzz; u_char *sig, c[] = "some junk to be signed"; size_t l; - ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0); + ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), sig_alg, 0), 0); ASSERT_SIZE_T_GT(l, 0); fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */ FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | @@ -110,8 +110,7 @@ sshkey_fuzz_tests(void) fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -119,8 +118,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -154,8 +152,7 @@ sshkey_fuzz_tests(void) buf = load_file("rsa_1"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -163,8 +160,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -176,8 +172,7 @@ sshkey_fuzz_tests(void) buf = load_file("rsa_n"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -185,8 +180,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -198,8 +192,7 @@ sshkey_fuzz_tests(void) buf = load_file("dsa_1"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -207,8 +200,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -220,8 +212,7 @@ sshkey_fuzz_tests(void) buf = load_file("dsa_n"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -229,8 +220,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -243,8 +233,7 @@ sshkey_fuzz_tests(void) buf = load_file("ecdsa_1"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -252,8 +241,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -265,8 +253,7 @@ sshkey_fuzz_tests(void) buf = load_file("ecdsa_n"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -274,8 +261,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -288,8 +274,7 @@ sshkey_fuzz_tests(void) buf = load_file("ed25519_1"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshkey_free(k1); sshbuf_free(buf); ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); @@ -297,8 +282,7 @@ sshkey_fuzz_tests(void) for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); ASSERT_INT_EQ(r, 0); - if (sshkey_parse_private_fileblob(fuzzed, "", "key", - &k1, NULL) == 0) + if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) sshkey_free(k1); sshbuf_reset(fuzzed); } @@ -308,8 +292,7 @@ sshkey_fuzz_tests(void) TEST_START("fuzz RSA public"); buf = load_file("rsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); public_fuzz(k1); sshkey_free(k1); @@ -323,8 +306,7 @@ sshkey_fuzz_tests(void) TEST_START("fuzz DSA public"); buf = load_file("dsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); public_fuzz(k1); sshkey_free(k1); @@ -339,8 +321,7 @@ sshkey_fuzz_tests(void) #ifdef OPENSSL_HAS_ECC TEST_START("fuzz ECDSA public"); buf = load_file("ecdsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); public_fuzz(k1); sshkey_free(k1); @@ -355,8 +336,7 @@ sshkey_fuzz_tests(void) TEST_START("fuzz Ed25519 public"); buf = load_file("ed25519_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); public_fuzz(k1); sshkey_free(k1); @@ -370,39 +350,51 @@ sshkey_fuzz_tests(void) TEST_START("fuzz RSA sig"); buf = load_file("rsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); - sig_fuzz(k1); + sig_fuzz(k1, "ssh-rsa"); + sshkey_free(k1); + TEST_DONE(); + + TEST_START("fuzz RSA SHA256 sig"); + buf = load_file("rsa_1"); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); + sshbuf_free(buf); + sig_fuzz(k1, "rsa-sha2-256"); + sshkey_free(k1); + TEST_DONE(); + + TEST_START("fuzz RSA SHA512 sig"); + buf = load_file("rsa_1"); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); + sshbuf_free(buf); + sig_fuzz(k1, "rsa-sha2-512"); sshkey_free(k1); TEST_DONE(); TEST_START("fuzz DSA sig"); buf = load_file("dsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); - sig_fuzz(k1); + sig_fuzz(k1, NULL); sshkey_free(k1); TEST_DONE(); #ifdef OPENSSL_HAS_ECC TEST_START("fuzz ECDSA sig"); buf = load_file("ecdsa_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); - sig_fuzz(k1); + sig_fuzz(k1, NULL); sshkey_free(k1); TEST_DONE(); #endif TEST_START("fuzz Ed25519 sig"); buf = load_file("ed25519_1"); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", - &k1, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); sshbuf_free(buf); - sig_fuzz(k1); + sig_fuzz(k1, NULL); sshkey_free(k1); TEST_DONE(); diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 9b3ce7e..1f160d1 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_sshkey.c,v 1.7 2015/08/05 05:27:33 djm Exp $ */ +/* $OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -52,7 +52,8 @@ put_opt(struct sshbuf *b, const char *name, const char *value) static void build_cert(struct sshbuf *b, const struct sshkey *k, const char *type, - const struct sshkey *sign_key, const struct sshkey *ca_key) + const struct sshkey *sign_key, const struct sshkey *ca_key, + const char *sig_alg) { struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts; u_char *sigblob; @@ -99,7 +100,7 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type, ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */ ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */ ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen, - sshbuf_ptr(b), sshbuf_len(b), 0), 0); + sshbuf_ptr(b), sshbuf_len(b), sig_alg, 0), 0); ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ free(sigblob); @@ -111,12 +112,13 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type, } static void -signature_test(struct sshkey *k, struct sshkey *bad, const u_char *d, size_t l) +signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg, + const u_char *d, size_t l) { size_t len; u_char *sig; - ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, 0), 0); + ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, 0), 0); ASSERT_SIZE_T_GT(len, 8); ASSERT_PTR_NE(sig, NULL); ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, 0), 0); @@ -143,7 +145,7 @@ banana(u_char *s, size_t l) } static void -signature_tests(struct sshkey *k, struct sshkey *bad) +signature_tests(struct sshkey *k, struct sshkey *bad, const char *sig_alg) { u_char i, buf[2049]; size_t lens[] = { @@ -155,7 +157,7 @@ signature_tests(struct sshkey *k, struct sshkey *bad) test_subtest_info("%s key, banana length %zu", sshkey_type(k), lens[i]); banana(buf, lens[i]); - signature_test(k, bad, buf, lens[i]); + signature_test(k, bad, sig_alg, buf, lens[i]); } } @@ -166,7 +168,7 @@ get_private(const char *n) struct sshkey *ret; b = load_file(n); - ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", n, &ret, NULL), 0); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", &ret, NULL), 0); sshbuf_free(b); return ret; } @@ -469,7 +471,25 @@ sshkey_tests(void) k1 = get_private("rsa_1"); ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2, NULL), 0); - signature_tests(k1, k2); + signature_tests(k1, k2, "ssh-rsa"); + sshkey_free(k1); + sshkey_free(k2); + TEST_DONE(); + + TEST_START("sign and verify RSA-SHA256"); + k1 = get_private("rsa_1"); + ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2, + NULL), 0); + signature_tests(k1, k2, "rsa-sha2-256"); + sshkey_free(k1); + sshkey_free(k2); + TEST_DONE(); + + TEST_START("sign and verify RSA-SHA512"); + k1 = get_private("rsa_1"); + ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2, + NULL), 0); + signature_tests(k1, k2, "rsa-sha2-512"); sshkey_free(k1); sshkey_free(k2); TEST_DONE(); @@ -478,7 +498,7 @@ sshkey_tests(void) k1 = get_private("dsa_1"); ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2, NULL), 0); - signature_tests(k1, k2); + signature_tests(k1, k2, NULL); sshkey_free(k1); sshkey_free(k2); TEST_DONE(); @@ -488,7 +508,7 @@ sshkey_tests(void) k1 = get_private("ecdsa_1"); ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_2.pub"), &k2, NULL), 0); - signature_tests(k1, k2); + signature_tests(k1, k2, NULL); sshkey_free(k1); sshkey_free(k2); TEST_DONE(); @@ -498,7 +518,7 @@ sshkey_tests(void) k1 = get_private("ed25519_1"); ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_2.pub"), &k2, NULL), 0); - signature_tests(k1, k2); + signature_tests(k1, k2, NULL); sshkey_free(k1); sshkey_free(k2); TEST_DONE(); @@ -508,7 +528,7 @@ sshkey_tests(void) ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, NULL), 0); k3 = get_private("rsa_1"); - build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1); + build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL); ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); ASSERT_PTR_EQ(k4, NULL); diff --git a/roaming.h b/roaming.h index da069f8..e69de29 100644 --- a/roaming.h +++ b/roaming.h @@ -1,45 +0,0 @@ -/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */ -/* - * Copyright (c) 2004-2009 AppGate Network Security AB - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef ROAMING_H -#define ROAMING_H - -#define DEFAULT_ROAMBUF 65536 -#define MAX_ROAMBUF (2*1024*1024) /* XXX arbitrary */ -#define ROAMING_REQUEST "roaming@appgate.com" - -extern int roaming_enabled; -extern int resume_in_progress; - -void request_roaming(void); -int get_snd_buf_size(void); -int get_recv_buf_size(void); -void add_recv_bytes(u_int64_t); -int wait_for_roaming_reconnect(void); -void roaming_reply(int, u_int32_t, void *); -void set_out_buffer_size(size_t); -ssize_t roaming_write(int, const void *, size_t, int *); -ssize_t roaming_read(int, void *, size_t, int *); -size_t roaming_atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t); -u_int64_t get_recv_bytes(void); -u_int64_t get_sent_bytes(void); -void roam_set_bytes(u_int64_t, u_int64_t); -void resend_bytes(int, u_int64_t *); -void calculate_new_key(u_int64_t *, u_int64_t, u_int64_t); -int resume_kex(void); - -#endif /* ROAMING */ diff --git a/roaming_client.c b/roaming_client.c deleted file mode 100644 index cb13285..0000000 --- a/roaming_client.c +++ /dev/null @@ -1,271 +0,0 @@ -/* $OpenBSD: roaming_client.c,v 1.9 2015/01/27 12:54:06 okan Exp $ */ -/* - * Copyright (c) 2004-2009 AppGate Network Security AB - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include "openbsd-compat/sys-queue.h" -#include -#include - -#include -#include -#include - -#include "xmalloc.h" -#include "buffer.h" -#include "channels.h" -#include "cipher.h" -#include "dispatch.h" -#include "clientloop.h" -#include "log.h" -#include "match.h" -#include "misc.h" -#include "packet.h" -#include "ssh.h" -#include "key.h" -#include "kex.h" -#include "readconf.h" -#include "roaming.h" -#include "ssh2.h" -#include "sshconnect.h" -#include "digest.h" - -/* import */ -extern Options options; -extern char *host; -extern struct sockaddr_storage hostaddr; -extern int session_resumed; - -static u_int32_t roaming_id; -static u_int64_t cookie; -static u_int64_t lastseenchall; -static u_int64_t key1, key2, oldkey1, oldkey2; - -void -roaming_reply(int type, u_int32_t seq, void *ctxt) -{ - if (type == SSH2_MSG_REQUEST_FAILURE) { - logit("Server denied roaming"); - return; - } - verbose("Roaming enabled"); - roaming_id = packet_get_int(); - cookie = packet_get_int64(); - key1 = oldkey1 = packet_get_int64(); - key2 = oldkey2 = packet_get_int64(); - set_out_buffer_size(packet_get_int() + get_snd_buf_size()); - roaming_enabled = 1; -} - -void -request_roaming(void) -{ - packet_start(SSH2_MSG_GLOBAL_REQUEST); - packet_put_cstring(ROAMING_REQUEST); - packet_put_char(1); - packet_put_int(get_recv_buf_size()); - packet_send(); - client_register_global_confirm(roaming_reply, NULL); -} - -static void -roaming_auth_required(void) -{ - u_char digest[SSH_DIGEST_MAX_LENGTH]; - Buffer b; - u_int64_t chall, oldchall; - - chall = packet_get_int64(); - oldchall = packet_get_int64(); - if (oldchall != lastseenchall) { - key1 = oldkey1; - key2 = oldkey2; - } - lastseenchall = chall; - - buffer_init(&b); - buffer_put_int64(&b, cookie); - buffer_put_int64(&b, chall); - if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0) - fatal("%s: ssh_digest_buffer failed", __func__); - buffer_free(&b); - - packet_start(SSH2_MSG_KEX_ROAMING_AUTH); - packet_put_int64(key1 ^ get_recv_bytes()); - packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1)); - packet_send(); - - oldkey1 = key1; - oldkey2 = key2; - calculate_new_key(&key1, cookie, chall); - calculate_new_key(&key2, cookie, chall); - - debug("Received %llu bytes", (unsigned long long)get_recv_bytes()); - debug("Sent roaming_auth packet"); -} - -int -resume_kex(void) -{ - /* - * This should not happen - if the client sends the kex method - * resume@appgate.com then the kex is done in roaming_resume(). - */ - return 1; -} - -static int -roaming_resume(void) -{ - u_int64_t recv_bytes; - char *str = NULL, *kexlist = NULL, *c; - int i, type; - int timeout_ms = options.connection_timeout * 1000; - u_int len; - u_int32_t rnd = 0; - - resume_in_progress = 1; - - /* Exchange banners */ - ssh_exchange_identification(timeout_ms); - packet_set_nonblocking(); - - /* Send a kexinit message with resume@appgate.com as only kex algo */ - packet_start(SSH2_MSG_KEXINIT); - for (i = 0; i < KEX_COOKIE_LEN; i++) { - if (i % 4 == 0) - rnd = arc4random(); - packet_put_char(rnd & 0xff); - rnd >>= 8; - } - packet_put_cstring(KEX_RESUME); - for (i = 1; i < PROPOSAL_MAX; i++) { - /* kex algorithm added so start with i=1 and not 0 */ - packet_put_cstring(""); /* Not used when we resume */ - } - packet_put_char(1); /* first kex_packet follows */ - packet_put_int(0); /* reserved */ - packet_send(); - - /* Assume that resume@appgate.com will be accepted */ - packet_start(SSH2_MSG_KEX_ROAMING_RESUME); - packet_put_int(roaming_id); - packet_send(); - - /* Read the server's kexinit and check for resume@appgate.com */ - if ((type = packet_read()) != SSH2_MSG_KEXINIT) { - debug("expected kexinit on resume, got %d", type); - goto fail; - } - for (i = 0; i < KEX_COOKIE_LEN; i++) - (void)packet_get_char(); - kexlist = packet_get_string(&len); - if (!kexlist - || (str = match_list(KEX_RESUME, kexlist, NULL)) == NULL) { - debug("server doesn't allow resume"); - goto fail; - } - free(str); - for (i = 1; i < PROPOSAL_MAX; i++) { - /* kex algorithm taken care of so start with i=1 and not 0 */ - free(packet_get_string(&len)); - } - i = packet_get_char(); /* first_kex_packet_follows */ - if (i && (c = strchr(kexlist, ','))) - *c = 0; - if (i && strcmp(kexlist, KEX_RESUME)) { - debug("server's kex guess (%s) was wrong, skipping", kexlist); - (void)packet_read(); /* Wrong guess - discard packet */ - } - - /* - * Read the ROAMING_AUTH_REQUIRED challenge from the server and - * send ROAMING_AUTH - */ - if ((type = packet_read()) != SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED) { - debug("expected roaming_auth_required, got %d", type); - goto fail; - } - roaming_auth_required(); - - /* Read ROAMING_AUTH_OK from the server */ - if ((type = packet_read()) != SSH2_MSG_KEX_ROAMING_AUTH_OK) { - debug("expected roaming_auth_ok, got %d", type); - goto fail; - } - recv_bytes = packet_get_int64() ^ oldkey2; - debug("Peer received %llu bytes", (unsigned long long)recv_bytes); - resend_bytes(packet_get_connection_out(), &recv_bytes); - - resume_in_progress = 0; - - session_resumed = 1; /* Tell clientloop */ - - return 0; - -fail: - free(kexlist); - if (packet_get_connection_in() == packet_get_connection_out()) - close(packet_get_connection_in()); - else { - close(packet_get_connection_in()); - close(packet_get_connection_out()); - } - return 1; -} - -int -wait_for_roaming_reconnect(void) -{ - static int reenter_guard = 0; - int timeout_ms = options.connection_timeout * 1000; - int c; - - if (reenter_guard != 0) - fatal("Server refused resume, roaming timeout may be exceeded"); - reenter_guard = 1; - - fprintf(stderr, "[connection suspended, press return to resume]"); - fflush(stderr); - packet_backup_state(); - /* TODO Perhaps we should read from tty here */ - while ((c = fgetc(stdin)) != EOF) { - if (c == 'Z' - 64) { - kill(getpid(), SIGTSTP); - continue; - } - if (c != '\n' && c != '\r') - continue; - - if (ssh_connect(host, NULL, &hostaddr, options.port, - options.address_family, 1, &timeout_ms, - options.tcp_keep_alive, options.use_privileged_port) == 0 && - roaming_resume() == 0) { - packet_restore_state(); - reenter_guard = 0; - fprintf(stderr, "[connection resumed]\n"); - fflush(stderr); - return 0; - } - - fprintf(stderr, "[reconnect failed, press return to retry]"); - fflush(stderr); - } - fprintf(stderr, "[exiting]\n"); - fflush(stderr); - exit(0); -} diff --git a/roaming_common.c b/roaming_common.c deleted file mode 100644 index ea06460..0000000 --- a/roaming_common.c +++ /dev/null @@ -1,241 +0,0 @@ -/* $OpenBSD: roaming_common.c,v 1.13 2015/01/27 12:54:06 okan Exp $ */ -/* - * Copyright (c) 2004-2009 AppGate Network Security AB - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include -#include -#include - -#include -#include -#include -#include - -#include "atomicio.h" -#include "log.h" -#include "packet.h" -#include "xmalloc.h" -#include "cipher.h" -#include "buffer.h" -#include "roaming.h" -#include "digest.h" - -static size_t out_buf_size = 0; -static char *out_buf = NULL; -static size_t out_start; -static size_t out_last; - -static u_int64_t write_bytes = 0; -static u_int64_t read_bytes = 0; - -int roaming_enabled = 0; -int resume_in_progress = 0; - -int -get_snd_buf_size(void) -{ - int fd = packet_get_connection_out(); - int optval; - socklen_t optvallen = sizeof(optval); - - if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &optval, &optvallen) != 0) - optval = DEFAULT_ROAMBUF; - return optval; -} - -int -get_recv_buf_size(void) -{ - int fd = packet_get_connection_in(); - int optval; - socklen_t optvallen = sizeof(optval); - - if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &optval, &optvallen) != 0) - optval = DEFAULT_ROAMBUF; - return optval; -} - -void -set_out_buffer_size(size_t size) -{ - if (size == 0 || size > MAX_ROAMBUF) - fatal("%s: bad buffer size %lu", __func__, (u_long)size); - /* - * The buffer size can only be set once and the buffer will live - * as long as the session lives. - */ - if (out_buf == NULL) { - out_buf_size = size; - out_buf = xmalloc(size); - out_start = 0; - out_last = 0; - } -} - -u_int64_t -get_recv_bytes(void) -{ - return read_bytes; -} - -void -add_recv_bytes(u_int64_t num) -{ - read_bytes += num; -} - -u_int64_t -get_sent_bytes(void) -{ - return write_bytes; -} - -void -roam_set_bytes(u_int64_t sent, u_int64_t recvd) -{ - read_bytes = recvd; - write_bytes = sent; -} - -static void -buf_append(const char *buf, size_t count) -{ - if (count > out_buf_size) { - buf += count - out_buf_size; - count = out_buf_size; - } - if (count < out_buf_size - out_last) { - memcpy(out_buf + out_last, buf, count); - if (out_start > out_last) - out_start += count; - out_last += count; - } else { - /* data will wrap */ - size_t chunk = out_buf_size - out_last; - memcpy(out_buf + out_last, buf, chunk); - memcpy(out_buf, buf + chunk, count - chunk); - out_last = count - chunk; - out_start = out_last + 1; - } -} - -ssize_t -roaming_write(int fd, const void *buf, size_t count, int *cont) -{ - ssize_t ret; - - ret = write(fd, buf, count); - if (ret > 0 && !resume_in_progress) { - write_bytes += ret; - if (out_buf_size > 0) - buf_append(buf, ret); - } - if (out_buf_size > 0 && - (ret == 0 || (ret == -1 && errno == EPIPE))) { - if (wait_for_roaming_reconnect() != 0) { - ret = 0; - *cont = 1; - } else { - ret = -1; - errno = EAGAIN; - } - } - return ret; -} - -ssize_t -roaming_read(int fd, void *buf, size_t count, int *cont) -{ - ssize_t ret = read(fd, buf, count); - if (ret > 0) { - if (!resume_in_progress) { - read_bytes += ret; - } - } else if (out_buf_size > 0 && - (ret == 0 || (ret == -1 && (errno == ECONNRESET - || errno == ECONNABORTED || errno == ETIMEDOUT - || errno == EHOSTUNREACH)))) { - debug("roaming_read failed for %d ret=%ld errno=%d", - fd, (long)ret, errno); - ret = 0; - if (wait_for_roaming_reconnect() == 0) - *cont = 1; - } - return ret; -} - -size_t -roaming_atomicio(ssize_t(*f)(int, void*, size_t), int fd, void *buf, - size_t count) -{ - size_t ret = atomicio(f, fd, buf, count); - - if (f == vwrite && ret > 0 && !resume_in_progress) { - write_bytes += ret; - } else if (f == read && ret > 0 && !resume_in_progress) { - read_bytes += ret; - } - return ret; -} - -void -resend_bytes(int fd, u_int64_t *offset) -{ - size_t available, needed; - - if (out_start < out_last) - available = out_last - out_start; - else - available = out_buf_size; - needed = write_bytes - *offset; - debug3("resend_bytes: resend %lu bytes from %llu", - (unsigned long)needed, (unsigned long long)*offset); - if (needed > available) - fatal("Needed to resend more data than in the cache"); - if (out_last < needed) { - int chunkend = needed - out_last; - atomicio(vwrite, fd, out_buf + out_buf_size - chunkend, - chunkend); - atomicio(vwrite, fd, out_buf, out_last); - } else { - atomicio(vwrite, fd, out_buf + (out_last - needed), needed); - } -} - -/* - * Caclulate a new key after a reconnect - */ -void -calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) -{ - u_char hash[SSH_DIGEST_MAX_LENGTH]; - Buffer b; - - buffer_init(&b); - buffer_put_int64(&b, *key); - buffer_put_int64(&b, cookie); - buffer_put_int64(&b, challenge); - - if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0) - fatal("%s: digest_buffer failed", __func__); - - buffer_clear(&b); - buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); - *key = buffer_get_int64(&b); - buffer_free(&b); -} diff --git a/roaming_dummy.c b/roaming_dummy.c deleted file mode 100644 index 837de69..0000000 --- a/roaming_dummy.c +++ /dev/null @@ -1,72 +0,0 @@ -/* $OpenBSD: roaming_dummy.c,v 1.4 2015/01/19 19:52:16 markus Exp $ */ -/* - * Copyright (c) 2004-2009 AppGate Network Security AB - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * This file is included in the client programs which should not - * support roaming. - */ - -#include "includes.h" - -#include -#include - -#include "roaming.h" - -int resume_in_progress = 0; - -u_int64_t -get_recv_bytes(void) -{ - return 0; -} - -u_int64_t -get_sent_bytes(void) -{ - return 0; -} - -void -roam_set_bytes(u_int64_t sent, u_int64_t recvd) -{ -} - -ssize_t -roaming_write(int fd, const void *buf, size_t count, int *cont) -{ - return write(fd, buf, count); -} - -ssize_t -roaming_read(int fd, void *buf, size_t count, int *cont) -{ - if (cont) - *cont = 0; - return read(fd, buf, count); -} - -void -add_recv_bytes(u_int64_t num) -{ -} - -int -resume_kex(void) -{ - return 1; -} diff --git a/roaming_serv.c b/roaming_serv.c deleted file mode 100644 index 511ca84..0000000 --- a/roaming_serv.c +++ /dev/null @@ -1,31 +0,0 @@ -/* $OpenBSD: roaming_serv.c,v 1.1 2009/10/24 11:18:23 andreas Exp $ */ -/* - * Copyright (c) 2004-2009 AppGate Network Security AB - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "includes.h" - -#include - -#include "roaming.h" - -/* - * Wait for the roaming client to reconnect. Returns 0 if a connect ocurred. - */ -int -wait_for_roaming_reconnect(void) -{ - return 1; -} diff --git a/sandbox-pledge.c b/sandbox-pledge.c new file mode 100644 index 0000000..d28fc27 --- /dev/null +++ b/sandbox-pledge.c @@ -0,0 +1,77 @@ +/* $OpenBSD: sandbox-pledge.c,v 1.1 2015/10/09 01:37:08 deraadt Exp $ */ +/* + * Copyright (c) 2015 Theo de Raadt + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_PLEDGE + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "ssh-sandbox.h" +#include "xmalloc.h" + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(struct monitor *m) +{ + struct ssh_sandbox *box; + + debug3("%s: preparing pledge sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + if (pledge("stdio", NULL) == -1) + fatal("%s: pledge()", __func__); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; + /* Nothing to do here */ +} + +#endif /* SANDBOX_PLEDGE */ diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2462bcc..d132e26 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -147,6 +147,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_getpid SC_ALLOW(getpid), #endif +#ifdef __NR_getrandom + SC_ALLOW(getrandom), +#endif #ifdef __NR_gettimeofday SC_ALLOW(gettimeofday), #endif diff --git a/sandbox-solaris.c b/sandbox-solaris.c new file mode 100644 index 0000000..343a010 --- /dev/null +++ b/sandbox-solaris.c @@ -0,0 +1,108 @@ +/* + * Copyright (c) 2015 Joyent, Inc + * Author: Alex Wilson + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_SOLARIS +#ifndef USE_SOLARIS_PRIVS +# error "--with-solaris-privs must be used with the Solaris sandbox" +#endif + +#include + +#include +#include +#include +#include +#include +#include +#ifdef HAVE_PRIV_H +# include +#endif + +#include "log.h" +#include "ssh-sandbox.h" +#include "xmalloc.h" + +struct ssh_sandbox { + priv_set_t *pset; +}; + +struct ssh_sandbox * +ssh_sandbox_init(struct monitor *monitor) +{ + struct ssh_sandbox *box = NULL; + + box = xcalloc(1, sizeof(*box)); + + /* Start with "basic" and drop everything we don't need. */ + box->pset = solaris_basic_privset(); + + if (box->pset == NULL) { + free(box); + return NULL; + } + + /* Drop everything except the ability to use already-opened files */ + if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 || +#ifdef PRIV_NET_ACCESS + priv_delset(box->pset, PRIV_NET_ACCESS) != 0 || +#endif + priv_delset(box->pset, PRIV_PROC_EXEC) != 0 || + priv_delset(box->pset, PRIV_PROC_FORK) != 0 || + priv_delset(box->pset, PRIV_PROC_INFO) != 0 || + priv_delset(box->pset, PRIV_PROC_SESSION) != 0) { + free(box); + return NULL; + } + + /* These may not be available on older Solaris-es */ +# if defined(PRIV_FILE_READ) && defined(PRIV_FILE_WRITE) + if (priv_delset(box->pset, PRIV_FILE_READ) != 0 || + priv_delset(box->pset, PRIV_FILE_WRITE) != 0) { + free(box); + return NULL; + } +# endif + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + if (setppriv(PRIV_SET, PRIV_PERMITTED, box->pset) != 0 || + setppriv(PRIV_SET, PRIV_LIMIT, box->pset) != 0 || + setppriv(PRIV_SET, PRIV_INHERITABLE, box->pset) != 0) + fatal("setppriv: %s", strerror(errno)); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + priv_freeset(box->pset); + box->pset = NULL; + free(box); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + /* Nothing to do here */ +} + +#endif /* SANDBOX_SOLARIS */ diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 3830ed1..b4d8d04 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.17 2015/07/27 16:29:23 guenther Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.18 2015/10/02 01:39:26 deraadt Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -50,9 +50,17 @@ struct sandbox_policy { /* Permitted syscalls in preauth. Unlisted syscalls get SYSTR_POLICY_KILL */ static const struct sandbox_policy preauth_policy[] = { - { SYS_clock_gettime, SYSTR_POLICY_PERMIT }, - { SYS_close, SYSTR_POLICY_PERMIT }, { SYS_exit, SYSTR_POLICY_PERMIT }, +#ifdef SYS_kbind + { SYS_kbind, SYSTR_POLICY_PERMIT }, +#endif + + { SYS_getpid, SYSTR_POLICY_PERMIT }, + { SYS_getpgid, SYSTR_POLICY_PERMIT }, + { SYS_clock_gettime, SYSTR_POLICY_PERMIT }, + { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, + { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, + #ifdef SYS_getentropy /* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */ { SYS_getentropy, SYSTR_POLICY_PERMIT }, @@ -60,27 +68,25 @@ static const struct sandbox_policy preauth_policy[] = { /* Previous releases used sysctl(3)'s kern.arnd variable. */ { SYS___sysctl, SYSTR_POLICY_PERMIT }, #endif - { SYS_getpid, SYSTR_POLICY_PERMIT }, - { SYS_getpgid, SYSTR_POLICY_PERMIT }, - { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, -#ifdef SYS_kbind - { SYS_kbind, SYSTR_POLICY_PERMIT }, +#ifdef SYS_sendsyslog + { SYS_sendsyslog, SYSTR_POLICY_PERMIT }, #endif + { SYS_madvise, SYSTR_POLICY_PERMIT }, { SYS_mmap, SYSTR_POLICY_PERMIT }, { SYS_mprotect, SYSTR_POLICY_PERMIT }, { SYS_mquery, SYSTR_POLICY_PERMIT }, { SYS_munmap, SYSTR_POLICY_PERMIT }, - { SYS_open, SYSTR_POLICY_NEVER }, + { SYS_poll, SYSTR_POLICY_PERMIT }, - { SYS_read, SYSTR_POLICY_PERMIT }, { SYS_select, SYSTR_POLICY_PERMIT }, -#ifdef SYS_sendsyslog - { SYS_sendsyslog, SYSTR_POLICY_PERMIT }, -#endif - { SYS_shutdown, SYSTR_POLICY_PERMIT }, - { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, + { SYS_read, SYSTR_POLICY_PERMIT }, { SYS_write, SYSTR_POLICY_PERMIT }, + { SYS_shutdown, SYSTR_POLICY_PERMIT }, + { SYS_close, SYSTR_POLICY_PERMIT }, + + { SYS_open, SYSTR_POLICY_NEVER }, + { -1, -1 } }; diff --git a/scp.0 b/scp.0 index 8f41f61..6b70e4e 100644 --- a/scp.0 +++ b/scp.0 @@ -72,6 +72,7 @@ DESCRIPTION CanonicalizeHostname CanonicalizeMaxDots CanonicalizePermittedCNAMEs + CertificateFile ChallengeResponseAuthentication CheckHostIP Cipher @@ -162,4 +163,4 @@ AUTHORS Timo Rinne Tatu Ylonen -OpenBSD 5.8 July 10, 2015 OpenBSD 5.8 +OpenBSD 5.9 September 25, 2015 OpenBSD 5.9 diff --git a/scp.1 b/scp.1 index 279b0d7..54ea352 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.67 2015/07/10 06:21:53 markus Exp $ +.\" $OpenBSD: scp.1,v 1.68 2015/09/25 18:19:54 jmc Exp $ .\" -.Dd $Mdocdate: July 10 2015 $ +.Dd $Mdocdate: September 25 2015 $ .Dt SCP 1 .Os .Sh NAME @@ -133,6 +133,7 @@ For full details of the options listed below, and their possible values, see .It CanonicalizeHostname .It CanonicalizeMaxDots .It CanonicalizePermittedCNAMEs +.It CertificateFile .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher diff --git a/scp.c b/scp.c index 593fe89..0bdd7cb 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.182 2015/04/24 01:36:00 deraadt Exp $ */ +/* $OpenBSD: scp.c,v 1.184 2015/11/27 00:49:31 deraadt Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -484,6 +484,16 @@ main(int argc, char **argv) if (!isatty(STDOUT_FILENO)) showprogress = 0; + if (pflag) { + /* Cannot pledge: -p allows setuid/setgid files... */ + } else { + if (pledge("stdio rpath wpath cpath fattr tty proc exec", + NULL) == -1) { + perror("pledge"); + exit(1); + } + } + remin = STDIN_FILENO; remout = STDOUT_FILENO; @@ -866,7 +876,7 @@ rsource(char *name, struct stat *statp) return; } last = strrchr(name, '/'); - if (last == 0) + if (last == NULL) last = name; else last++; diff --git a/servconf.c b/servconf.c index 6c7a91e..b19d30e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ +/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -178,6 +178,20 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } +static void +assemble_algorithms(ServerOptions *o) +{ + if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || + kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || + kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &o->hostkeyalgorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &o->hostbased_key_types) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) + fatal("kex_assemble_names failed"); +} + void fill_default_server_options(ServerOptions *options) { @@ -259,8 +273,6 @@ fill_default_server_options(ServerOptions *options) options->hostbased_authentication = 0; if (options->hostbased_uses_name_from_packet_only == -1) options->hostbased_uses_name_from_packet_only = 0; - if (options->hostkeyalgorithms == NULL) - options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); if (options->rsa_authentication == -1) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) @@ -342,18 +354,11 @@ fill_default_server_options(ServerOptions *options) if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; - if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || - kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->hostbased_key_types) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->pubkey_key_types) != 0) - fatal("%s: kex_assemble_names failed", __func__); + assemble_algorithms(options); - /* Turn privilege separation on by default */ + /* Turn privilege separation and sandboxing on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; + use_privsep = PRIVSEP_ON; #define CLEAR_ON_NONE(v) \ do { \ @@ -368,6 +373,8 @@ fill_default_server_options(ServerOptions *options) CLEAR_ON_NONE(options->trusted_user_ca_keys); CLEAR_ON_NONE(options->revoked_keys_file); CLEAR_ON_NONE(options->authorized_principals_file); + CLEAR_ON_NONE(options->adm_forced_command); + CLEAR_ON_NONE(options->chroot_directory); for (i = 0; i < options->num_host_key_files; i++) CLEAR_ON_NONE(options->host_key_files[i]); for (i = 0; i < options->num_host_cert_files; i++) @@ -499,7 +506,11 @@ static struct { { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, +#ifdef DISABLE_LASTLOG + { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, +#else { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, +#endif { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, @@ -1319,16 +1330,12 @@ process_server_config_line(ServerOptions *options, char *line, if (scan_scaled(arg, &val64) == -1) fatal("%.200s line %d: Bad number '%s': %s", filename, linenum, arg, strerror(errno)); - /* check for too-large or too-small limits */ - if (val64 > UINT_MAX) - fatal("%.200s line %d: RekeyLimit too large", - filename, linenum); if (val64 != 0 && val64 < 16) fatal("%.200s line %d: RekeyLimit too small", filename, linenum); } if (*activep && options->rekey_limit == -1) - options->rekey_limit = (u_int32_t)val64; + options->rekey_limit = val64; if (cp != NULL) { /* optional rekey interval present */ if (strcmp(cp, "none") == 0) { (void)strdelim(&cp); /* discard */ @@ -2015,6 +2022,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); + /* Arguments that accept '+...' need to be expanded */ + assemble_algorithms(dst); + /* * The only things that should be below this point are string options * which are only used after authentication. @@ -2022,8 +2032,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) if (preauth) return; + /* These options may be "none" to clear a global setting */ M_CP_STROPT(adm_forced_command); + if (option_clear_or_none(dst->adm_forced_command)) { + free(dst->adm_forced_command); + dst->adm_forced_command = NULL; + } M_CP_STROPT(chroot_directory); + if (option_clear_or_none(dst->chroot_directory)) { + free(dst->chroot_directory); + dst->chroot_directory = NULL; + } } #undef M_CP_INTOPT @@ -2254,7 +2273,9 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sChallengeResponseAuthentication, o->challenge_response_authentication); dump_cfg_fmtint(sPrintMotd, o->print_motd); +#ifndef DISABLE_LASTLOG dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); +#endif dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); dump_cfg_fmtint(sPermitTTY, o->permit_tty); @@ -2338,7 +2359,7 @@ dump_config(ServerOptions *o) printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); printf("%s\n", iptos2str(o->ip_qos_bulk)); - printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, + printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, o->rekey_interval); channel_print_adm_permitted_opens(); diff --git a/serverloop.c b/serverloop.c index 306ac36..80d1db5 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.178 2015/02/20 22:17:21 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.182 2016/02/08 10:57:07 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -78,7 +78,6 @@ #include "dispatch.h" #include "auth-options.h" #include "serverloop.h" -#include "roaming.h" #include "ssherr.h" extern ServerOptions options; @@ -399,11 +398,8 @@ process_input(fd_set *readset) /* Read and buffer any input data from the client. */ if (FD_ISSET(connection_in, readset)) { - int cont = 0; - len = roaming_read(connection_in, buf, sizeof(buf), &cont); + len = read(connection_in, buf, sizeof(buf)); if (len == 0) { - if (cont) - return; verbose("Connection closed by %.100s", get_remote_ipaddr()); connection_closed = 1; @@ -824,7 +820,7 @@ void server_loop2(Authctxt *authctxt) { fd_set *readset = NULL, *writeset = NULL; - int rekeying = 0, max_fd; + int max_fd; u_int nalloc = 0; u_int64_t rekey_timeout_ms = 0; @@ -851,11 +847,11 @@ server_loop2(Authctxt *authctxt) for (;;) { process_buffered_input_packets(); - rekeying = (active_state->kex != NULL && !active_state->kex->done); - - if (!rekeying && packet_not_very_much_data_to_write()) + if (!ssh_packet_is_rekeying(active_state) && + packet_not_very_much_data_to_write()) channel_output_poll(); - if (options.rekey_interval > 0 && compat20 && !rekeying) + if (options.rekey_interval > 0 && compat20 && + !ssh_packet_is_rekeying(active_state)) rekey_timeout_ms = packet_get_rekey_timeout() * 1000; else rekey_timeout_ms = 0; @@ -870,14 +866,8 @@ server_loop2(Authctxt *authctxt) } collect_children(); - if (!rekeying) { + if (!ssh_packet_is_rekeying(active_state)) channel_after_select(readset, writeset); - if (packet_need_rekeying()) { - debug("need rekeying"); - active_state->kex->done = 0; - kex_send_kexinit(active_state); - } - } process_input(readset); if (connection_closed) break; @@ -1201,7 +1191,7 @@ server_input_hostkeys_prove(struct sshbuf **respp) ssh->kex->session_id, ssh->kex->session_id_len)) != 0 || (r = sshkey_puts(key, sigbuf)) != 0 || (r = ssh->kex->sign(key_prv, key_pub, &sig, &slen, - sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), 0)) != 0 || + sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), NULL, 0)) != 0 || (r = sshbuf_put_string(resp, sig, slen)) != 0) { error("%s: couldn't prepare signature: %s", __func__, ssh_err(r)); @@ -1265,7 +1255,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) free(fwd.listen_host); if ((resp = sshbuf_new()) == NULL) fatal("%s: sshbuf_new", __func__); - if ((r = sshbuf_put_u32(resp, allocated_listen_port)) != 0) + if (allocated_listen_port != 0 && + (r = sshbuf_put_u32(resp, allocated_listen_port)) != 0) fatal("%s: sshbuf_put_u32: %s", __func__, ssh_err(r)); } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { struct Forward fwd; diff --git a/session.c b/session.c index 5a64715..7a02500 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.278 2015/04/24 01:36:00 deraadt Exp $ */ +/* $OpenBSD: session.c,v 1.280 2016/02/16 03:37:48 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -160,6 +160,7 @@ login_cap_t *lc; #endif static int is_child = 0; +static int in_chroot = 0; /* Name and directory of socket for authentication agent forwarding. */ static char *auth_sock_name = NULL; @@ -778,8 +779,8 @@ int do_exec(Session *s, const char *command) { int ret; - const char *forced = NULL; - char session_type[1024], *tty = NULL; + const char *forced = NULL, *tty = NULL; + char session_type[1024]; if (options.adm_forced_command) { original_command = command; @@ -814,13 +815,14 @@ do_exec(Session *s, const char *command) tty += 5; } - verbose("Starting session: %s%s%s for %s from %.200s port %d", + verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", session_type, tty == NULL ? "" : " on ", tty == NULL ? "" : tty, s->pw->pw_name, get_remote_ipaddr(), - get_remote_port()); + get_remote_port(), + s->self); #ifdef SSH_AUDIT_EVENTS if (command != NULL) @@ -1490,9 +1492,6 @@ void do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; -#ifdef USE_LIBIAF - int doing_chroot = 0; -#endif platform_setusercontext(pw); @@ -1520,7 +1519,7 @@ do_setusercontext(struct passwd *pw) platform_setusercontext_post_groups(pw); - if (options.chroot_directory != NULL && + if (!in_chroot && options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { tmp = tilde_expand_filename(options.chroot_directory, pw->pw_uid); @@ -1532,9 +1531,7 @@ do_setusercontext(struct passwd *pw) /* Make sure we don't attempt to chroot again */ free(options.chroot_directory); options.chroot_directory = NULL; -#ifdef USE_LIBIAF - doing_chroot = 1; -#endif + in_chroot = 1; } #ifdef HAVE_LOGIN_CAP @@ -1549,16 +1546,16 @@ do_setusercontext(struct passwd *pw) (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); #else # ifdef USE_LIBIAF -/* In a chroot environment, the set_id() will always fail; typically - * because of the lack of necessary authentication services and runtime - * such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd - * We skip it in the internal sftp chroot case. - * We'll lose auditing and ACLs but permanently_set_uid will - * take care of the rest. - */ - if ((doing_chroot == 0) && set_id(pw->pw_name) != 0) { - fatal("set_id(%s) Failed", pw->pw_name); - } + /* + * In a chroot environment, the set_id() will always fail; + * typically because of the lack of necessary authentication + * services and runtime such as ./usr/lib/libiaf.so, + * ./usr/lib/libpam.so.1, and ./etc/passwd We skip it in the + * internal sftp chroot case. We'll lose auditing and ACLs but + * permanently_set_uid will take care of the rest. + */ + if (!in_chroot && set_id(pw->pw_name) != 0) + fatal("set_id(%s) Failed", pw->pw_name); # endif /* USE_LIBIAF */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); @@ -1790,11 +1787,11 @@ do_child(Session *s, const char *command) #ifdef HAVE_LOGIN_CAP r = login_getcapbool(lc, "requirehome", 0); #endif - if (r || options.chroot_directory == NULL || - strcasecmp(options.chroot_directory, "none") == 0) + if (r || !in_chroot) { fprintf(stderr, "Could not chdir to home " "directory %s: %s\n", pw->pw_dir, strerror(errno)); + } if (r) exit(1); } @@ -2503,7 +2500,12 @@ session_close(Session *s) { u_int i; - debug("session_close: session %d pid %ld", s->self, (long)s->pid); + verbose("Close session: user %s from %.200s port %d id %d", + s->pw->pw_name, + get_remote_ipaddr(), + get_remote_port(), + s->self); + if (s->ttyfd != -1) session_pty_cleanup(s); free(s->term); diff --git a/sftp-client.c b/sftp-client.c index 5dbeb47..d49bfaa 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.120 2015/05/28 04:50:53 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.121 2016/02/11 02:21:34 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1760,7 +1760,7 @@ do_upload(struct sftp_conn *conn, const char *local_path, if (fsync_flag) (void)do_fsync(conn, handle, handle_len); - if (do_close(conn, handle, handle_len) != SSH2_FX_OK) + if (do_close(conn, handle, handle_len) != 0) status = SSH2_FX_FAILURE; free(handle); @@ -1773,12 +1773,11 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth, int preserve_flag, int print_flag, int resume, int fsync_flag) { int ret = 0; - u_int status; DIR *dirp; struct dirent *dp; char *filename, *new_src, *new_dst; struct stat sb; - Attrib a; + Attrib a, *dirattrib; if (depth >= MAX_DIR_DEPTH) { error("Maximum directory depth exceeded: %d levels", depth); @@ -1805,17 +1804,18 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, if (!preserve_flag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; - status = do_mkdir(conn, dst, &a, 0); /* - * we lack a portable status for errno EEXIST, - * so if we get a SSH2_FX_FAILURE back we must check - * if it was created successfully. + * sftp lacks a portable status value to match errno EEXIST, + * so if we get a failure back then we must check whether + * the path already existed and is a directory. */ - if (status != SSH2_FX_OK) { - if (status != SSH2_FX_FAILURE) + if (do_mkdir(conn, dst, &a, 0) != 0) { + if ((dirattrib = do_stat(conn, dst, 0)) == NULL) return -1; - if (do_stat(conn, dst, 0) == NULL) + if (!S_ISDIR(dirattrib->perm)) { + error("\"%s\" exists but is not a directory", dst); return -1; + } } if ((dirp = opendir(src)) == NULL) { diff --git a/sftp-client.h b/sftp-client.h index f814b07..14a3b81 100644 --- a/sftp-client.h +++ b/sftp-client.h @@ -21,6 +21,12 @@ #ifndef _SFTP_CLIENT_H #define _SFTP_CLIENT_H +#ifdef USE_SYSTEM_GLOB +# include +#else +# include "openbsd-compat/glob.h" +#endif + typedef struct SFTP_DIRENT SFTP_DIRENT; struct SFTP_DIRENT { diff --git a/sftp-server-main.c b/sftp-server-main.c index 7e644ab..c6ccd62 100644 --- a/sftp-server-main.c +++ b/sftp-server-main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server-main.c,v 1.4 2009/02/21 19:32:04 tobias Exp $ */ +/* $OpenBSD: sftp-server-main.c,v 1.5 2016/02/15 09:47:49 dtucker Exp $ */ /* * Copyright (c) 2008 Markus Friedl. All rights reserved. * @@ -26,6 +26,7 @@ #include "log.h" #include "sftp.h" #include "misc.h" +#include "xmalloc.h" void cleanup_exit(int i) @@ -38,6 +39,7 @@ main(int argc, char **argv) { struct passwd *user_pw; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); diff --git a/sftp-server.0 b/sftp-server.0 index b971cef..3b22ed2 100644 --- a/sftp-server.0 +++ b/sftp-server.0 @@ -93,4 +93,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 5.8 December 11, 2014 OpenBSD 5.8 +OpenBSD 5.9 December 11, 2014 OpenBSD 5.9 diff --git a/sftp-server.c b/sftp-server.c index eac11d7..e11a1b8 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.107 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.109 2016/02/15 09:47:49 dtucker Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1513,6 +1513,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) extern char *optarg; extern char *__progname; + ssh_malloc_init(); /* must be called before any mallocs */ __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); @@ -1598,6 +1599,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) fatal("unable to make the process undumpable"); #endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */ + /* Drop any fine-grained privileges we don't need */ + platform_pledge_sftp_server(); + if ((cp = getenv("SSH_CONNECTION")) != NULL) { client_addr = xstrdup(cp); if ((cp = strchr(client_addr, ' ')) == NULL) { @@ -1631,9 +1635,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) if ((oqueue = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); - set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); - rset = xmalloc(set_size); - wset = xmalloc(set_size); + rset = xcalloc(howmany(max + 1, NFDBITS), sizeof(fd_mask)); + wset = xcalloc(howmany(max + 1, NFDBITS), sizeof(fd_mask)); if (homedir != NULL) { if (chdir(homedir) != 0) { @@ -1642,6 +1645,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } } + set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); for (;;) { memset(rset, 0, set_size); memset(wset, 0, set_size); diff --git a/sftp.0 b/sftp.0 index 550f276..ce48de9 100644 --- a/sftp.0 +++ b/sftp.0 @@ -108,6 +108,7 @@ DESCRIPTION CanonicalizeHostname CanonicalizeMaxDots CanonicalizePermittedCNAMEs + CertificateFile ChallengeResponseAuthentication CheckHostIP Cipher @@ -380,4 +381,4 @@ SEE ALSO T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -OpenBSD 5.8 January 30, 2015 OpenBSD 5.8 +OpenBSD 5.9 September 25, 2015 OpenBSD 5.9 diff --git a/sftp.1 b/sftp.1 index 214f011..edc5a85 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.101 2015/01/30 11:43:14 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.102 2015/09/25 18:19:54 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 30 2015 $ +.Dd $Mdocdate: September 25 2015 $ .Dt SFTP 1 .Os .Sh NAME @@ -198,6 +198,7 @@ For full details of the options listed below, and their possible values, see .It CanonicalizeHostname .It CanonicalizeMaxDots .It CanonicalizePermittedCNAMEs +.It CertificateFile .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher diff --git a/sftp.c b/sftp.c index 788601a..2077219 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.171 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: sftp.c,v 1.172 2016/02/15 09:47:49 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2248,6 +2248,7 @@ main(int argc, char **argv) size_t num_requests = DEFAULT_NUM_REQUESTS; long long limit_kbps = 0; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); setlocale(LC_CTYPE, ""); diff --git a/ssh-add.0 b/ssh-add.0 index 29db710..cc56b00 100644 --- a/ssh-add.0 +++ b/ssh-add.0 @@ -126,4 +126,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 March 30, 2015 OpenBSD 5.8 +OpenBSD 5.9 March 30, 2015 OpenBSD 5.9 diff --git a/ssh-add.c b/ssh-add.c index d6271d7..fb9a53e 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.128 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -93,7 +93,7 @@ static int lifetime = 0; /* User has to confirm key use */ static int confirm = 0; -/* we keep a cache of one passphrases */ +/* we keep a cache of one passphrase */ static char *pass = NULL; static void clear_pass(void) @@ -150,10 +150,8 @@ delete_file(int agent_fd, const char *filename, int key_only) certpath, ssh_err(r)); out: - if (cert != NULL) - sshkey_free(cert); - if (public != NULL) - sshkey_free(public); + sshkey_free(cert); + sshkey_free(public); free(certpath); free(comment); @@ -218,35 +216,32 @@ add_file(int agent_fd, const char *filename, int key_only) close(fd); /* At first, try empty passphrase */ - if ((r = sshkey_parse_private_fileblob(keyblob, "", filename, - &private, &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE) { + if ((r = sshkey_parse_private_fileblob(keyblob, "", &private, + &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE) { fprintf(stderr, "Error loading key \"%s\": %s\n", filename, ssh_err(r)); goto fail_load; } /* try last */ if (private == NULL && pass != NULL) { - if ((r = sshkey_parse_private_fileblob(keyblob, pass, filename, - &private, &comment)) != 0 && - r != SSH_ERR_KEY_WRONG_PASSPHRASE) { + if ((r = sshkey_parse_private_fileblob(keyblob, pass, &private, + &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE) { fprintf(stderr, "Error loading key \"%s\": %s\n", filename, ssh_err(r)); goto fail_load; } } - if (comment == NULL) - comment = xstrdup(filename); if (private == NULL) { /* clear passphrase since it did not work */ clear_pass(); - snprintf(msg, sizeof msg, "Enter passphrase for %.200s%s: ", - comment, confirm ? " (will confirm each use)" : ""); + snprintf(msg, sizeof msg, "Enter passphrase for %s%s: ", + filename, confirm ? " (will confirm each use)" : ""); for (;;) { pass = read_passphrase(msg, RP_ALLOW_STDIN); if (strcmp(pass, "") == 0) goto fail_load; if ((r = sshkey_parse_private_fileblob(keyblob, pass, - filename, &private, NULL)) == 0) + &private, &comment)) == 0) break; else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) { fprintf(stderr, @@ -254,16 +249,17 @@ add_file(int agent_fd, const char *filename, int key_only) filename, ssh_err(r)); fail_load: clear_pass(); - free(comment); sshbuf_free(keyblob); return -1; } clear_pass(); snprintf(msg, sizeof msg, - "Bad passphrase, try again for %.200s%s: ", comment, + "Bad passphrase, try again for %s%s: ", filename, confirm ? " (will confirm each use)" : ""); } } + if (comment == NULL || *comment == '\0') + comment = xstrdup(filename); sshbuf_free(keyblob); if ((r = ssh_add_identity_constrained(agent_fd, private, comment, @@ -386,7 +382,7 @@ list_identities(int agent_fd, int do_fp) if (do_fp) { fp = sshkey_fingerprint(idlist->keys[i], fingerprint_hash, SSH_FP_DEFAULT); - printf("%d %s %s (%s)\n", + printf("%u %s %s (%s)\n", sshkey_size(idlist->keys[i]), fp == NULL ? "(null)" : fp, idlist->comments[i], @@ -485,6 +481,7 @@ main(int argc, char **argv) int r, i, ch, deleting = 0, ret = 0, key_only = 0; int xflag = 0, lflag = 0, Dflag = 0; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); diff --git a/ssh-agent.0 b/ssh-agent.0 index 65bf6e7..2cc5ac6 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 @@ -18,10 +18,10 @@ DESCRIPTION using ssh(1). The agent initially does not have any private keys. Keys are added using - ssh-add(1). Multiple identities may be stored in ssh-agent concurrently - and ssh(1) will automatically use them if present. ssh-add(1) is also - used to remove keys from ssh-agent and to query the keys that are held in - one. + ssh(1) (see AddKeysToAgent in ssh_config(5) for details) or ssh-add(1). + Multiple identities may be stored in ssh-agent concurrently and ssh(1) + will automatically use them if present. ssh-add(1) is also used to + remove keys from ssh-agent and to query the keys that are held in one. The options are as follows: @@ -56,8 +56,8 @@ DESCRIPTION for an identity with ssh-add(1) overrides this value. Without this option the default maximum lifetime is forever. - If a commandline is given, this is executed as a subprocess of the agent. - When the command dies, so does the agent. + If a command line is given, this is executed as a subprocess of the + agent. When the command dies, so does the agent. The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, @@ -109,4 +109,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 April 24, 2015 OpenBSD 5.8 +OpenBSD 5.9 November 15, 2015 OpenBSD 5.9 diff --git a/ssh-agent.1 b/ssh-agent.1 index d0aa712..c4b50bb 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.59 2015/04/24 06:26:49 jmc Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 24 2015 $ +.Dd $Mdocdate: November 15 2015 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s -.Op Fl Dd +.Op Fl \&Dd .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash .Op Fl t Ar life @@ -66,6 +66,13 @@ machines using .Pp The agent initially does not have any private keys. Keys are added using +.Xr ssh 1 +(see +.Cm AddKeysToAgent +in +.Xr ssh_config 5 +for details) +or .Xr ssh-add 1 . Multiple identities may be stored in .Nm @@ -130,7 +137,7 @@ overrides this value. Without this option the default maximum lifetime is forever. .El .Pp -If a commandline is given, this is executed as a subprocess of the agent. +If a command line is given, this is executed as a subprocess of the agent. When the command dies, so does the agent. .Pp The idea is that the agent is run in the user's local PC, laptop, or diff --git a/ssh-agent.c b/ssh-agent.c index a335ea3..c38906d 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.204 2015/07/08 20:24:02 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.212 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -368,6 +368,18 @@ process_authentication_challenge1(SocketEntry *e) } #endif +static char * +agent_decode_alg(struct sshkey *key, u_int flags) +{ + if (key->type == KEY_RSA) { + if (flags & SSH_AGENT_RSA_SHA2_256) + return "rsa-sha2-256"; + else if (flags & SSH_AGENT_RSA_SHA2_512) + return "rsa-sha2-512"; + } + return NULL; +} + /* ssh2 only */ static void process_sign_request2(SocketEntry *e) @@ -389,7 +401,7 @@ process_sign_request2(SocketEntry *e) if (flags & SSH_AGENT_OLD_SIGNATURE) compat = SSH_BUG_SIGBLOB; if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { - error("%s: cannot parse key blob: %s", __func__, ssh_err(ok)); + error("%s: cannot parse key blob: %s", __func__, ssh_err(r)); goto send; } if ((id = lookup_identity(key, 2)) == NULL) { @@ -401,8 +413,8 @@ process_sign_request2(SocketEntry *e) goto send; } if ((r = sshkey_sign(id->key, &signature, &slen, - data, dlen, compat)) != 0) { - error("%s: sshkey_sign: %s", __func__, ssh_err(ok)); + data, dlen, agent_decode_alg(key, flags), compat)) != 0) { + error("%s: sshkey_sign: %s", __func__, ssh_err(r)); goto send; } /* Success */ @@ -1188,6 +1200,7 @@ main(int ac, char **av) size_t len; mode_t prev_mask; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -1330,6 +1343,7 @@ main(int ac, char **av) printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, SSH_AUTHSOCKET_ENV_NAME); printf("echo Agent pid %ld;\n", (long)parent_pid); + fflush(stdout); goto skip; } pid = fork(); @@ -1402,6 +1416,10 @@ skip: signal(SIGTERM, cleanup_handler); nalloc = 0; + if (pledge("stdio cpath unix id proc exec", NULL) == -1) + fatal("%s: pledge: %s", __progname, strerror(errno)); + platform_pledge_agent(); + while (1) { prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp); result = select(max_fd + 1, readsetp, writesetp, NULL, tvp); diff --git a/ssh-dss.c b/ssh-dss.c index 8ed19d8..cc47dcf 100644 --- a/ssh-dss.c +++ b/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.34 2015/12/11 04:21:12 mmcc Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -122,8 +122,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, explicit_bzero(digest, sizeof(digest)); if (sig != NULL) DSA_SIG_free(sig); - if (b != NULL) - sshbuf_free(b); + sshbuf_free(b); return ret; } @@ -209,10 +208,8 @@ ssh_dss_verify(const struct sshkey *key, explicit_bzero(digest, sizeof(digest)); if (sig != NULL) DSA_SIG_free(sig); - if (b != NULL) - sshbuf_free(b); - if (ktype != NULL) - free(ktype); + sshbuf_free(b); + free(ktype); if (sigblob != NULL) { explicit_bzero(sigblob, len); free(sigblob); diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 2c76f8b..74912df 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.11 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.12 2015/12/11 04:21:12 mmcc Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -99,10 +99,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, ret = 0; out: explicit_bzero(digest, sizeof(digest)); - if (b != NULL) - sshbuf_free(b); - if (bb != NULL) - sshbuf_free(bb); + sshbuf_free(b); + sshbuf_free(bb); if (sig != NULL) ECDSA_SIG_free(sig); return ret; @@ -179,10 +177,8 @@ ssh_ecdsa_verify(const struct sshkey *key, out: explicit_bzero(digest, sizeof(digest)); - if (sigbuf != NULL) - sshbuf_free(sigbuf); - if (b != NULL) - sshbuf_free(b); + sshbuf_free(sigbuf); + sshbuf_free(b); if (sig != NULL) ECDSA_SIG_free(sig); free(ktype); diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 07a45b3..2b749ae 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -31,8 +31,11 @@ SYNOPSIS DESCRIPTION ssh-keygen generates, manages and converts authentication keys for - ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 - and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2. + ssh(1). ssh-keygen can create keys for use by SSH protocol versions 1 + and 2. Protocol 1 should not be used and is only offered to support + legacy devices. It suffers from a number of cryptographic weaknesses and + doesn't support many of the advanced features available for protocol 2. + The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2 connections. @@ -194,7 +197,7 @@ DESCRIPTION file or using the format described in the KEY REVOCATION LISTS section. - -L Prints the contents of a certificate. + -L Prints the contents of one or more certificates. -l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to @@ -275,11 +278,11 @@ DESCRIPTION At present, no options are valid for host keys. - -o Causes ssh-keygen to save SSH protocol 2 private keys using the - new OpenSSH format rather than the more compatible PEM format. - The new format has increased resistance to brute-force password - cracking but is not supported by versions of OpenSSH prior to - 6.5. Ed25519 keys always use the new private key format. + -o Causes ssh-keygen to save private keys using the new OpenSSH + format rather than the more compatible PEM format. The new + format has increased resistance to brute-force password cracking + but is not supported by versions of OpenSSH prior to 6.5. + Ed25519 keys always use the new private key format. -P passphrase Provides the (old) passphrase. @@ -502,7 +505,7 @@ KEY REVOCATION LISTS It is also possible, given a KRL, to test whether it revokes a particular key (or keys). The -Q flag will query an existing KRL, testing each key - specified on the commandline. If any key listed on the command line has + specified on the command line. If any key listed on the command line has been revoked (or an error encountered) then ssh-keygen will exit with a non-zero exit status. A zero exit status will only be returned if no key was revoked. @@ -563,4 +566,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 August 20, 2015 OpenBSD 5.8 +OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 diff --git a/ssh-keygen.1 b/ssh-keygen.1 index ed17a08..37a4fc2 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.130 2016/02/17 07:38:19 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2015 $ +.Dd $Mdocdate: February 17 2016 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -141,8 +141,12 @@ generates, manages and converts authentication keys for .Xr ssh 1 . .Nm -can create RSA keys for use by SSH protocol version 1 and -DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2. +can create keys for use by SSH protocol versions 1 and 2. +Protocol 1 should not be used +and is only offered to support legacy devices. +It suffers from a number of cryptographic weaknesses +and doesn't support many of the advanced features available for protocol 2. +.Pp The type of key to be generated is specified with the .Fl t option. @@ -376,7 +380,7 @@ using the format described in the .Sx KEY REVOCATION LISTS section. .It Fl L -Prints the contents of a certificate. +Prints the contents of one or more certificates. .It Fl l Show fingerprint of specified public key file. Private RSA1 keys are also supported. @@ -474,7 +478,7 @@ At present, no options are valid for host keys. .It Fl o Causes .Nm -to save SSH protocol 2 private keys using the new OpenSSH format rather than +to save private keys using the new OpenSSH format rather than the more compatible PEM format. The new format has increased resistance to brute-force password cracking but is not supported by versions of OpenSSH prior to 6.5. @@ -781,7 +785,7 @@ It is also possible, given a KRL, to test whether it revokes a particular key (or keys). The .Fl Q -flag will query an existing KRL, testing each key specified on the commandline. +flag will query an existing KRL, testing each key specified on the command line. If any key listed on the command line has been revoked (or an error encountered) then .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index 4e0a855..4785201 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.288 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -523,7 +523,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) sshbuf_free(b); /* try the key */ - if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 || + if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 || sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) { sshkey_free(key); free(sig); @@ -808,116 +808,162 @@ do_download(struct passwd *pw) #endif /* ENABLE_PKCS11 */ } +static struct sshkey * +try_read_key(char **cpp) +{ + struct sshkey *ret; + int r; + + if ((ret = sshkey_new(KEY_RSA1)) == NULL) + fatal("sshkey_new failed"); + /* Try RSA1 */ + if ((r = sshkey_read(ret, cpp)) == 0) + return ret; + /* Try modern */ + sshkey_free(ret); + if ((ret = sshkey_new(KEY_UNSPEC)) == NULL) + fatal("sshkey_new failed"); + if ((r = sshkey_read(ret, cpp)) == 0) + return ret; + /* Not a key */ + sshkey_free(ret); + return NULL; +} + static void -do_fingerprint(struct passwd *pw) +fingerprint_one_key(const struct sshkey *public, const char *comment) { - FILE *f; - struct sshkey *public; - char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; - int r, i, skip = 0, num = 0, invalid = 1; + char *fp = NULL, *ra = NULL; enum sshkey_fp_rep rep; int fptype; - struct stat st; fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; - if (!have_identity) - ask_filename(pw, "Enter file in which the key is"); + fp = sshkey_fingerprint(public, fptype, rep); + ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART); + if (fp == NULL || ra == NULL) + fatal("%s: sshkey_fingerprint failed", __func__); + printf("%u %s %s (%s)\n", sshkey_size(public), fp, + comment ? comment : "no comment", sshkey_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); + free(ra); + free(fp); +} + +static void +fingerprint_private(const char *path) +{ + struct stat st; + char *comment = NULL; + struct sshkey *public = NULL; + int r; + if (stat(identity_file, &st) < 0) - fatal("%s: %s", identity_file, strerror(errno)); - if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0) - debug2("Error loading public key \"%s\": %s", - identity_file, ssh_err(r)); - else { - fp = sshkey_fingerprint(public, fptype, rep); - ra = sshkey_fingerprint(public, fingerprint_hash, - SSH_FP_RANDOMART); - if (fp == NULL || ra == NULL) - fatal("%s: sshkey_fingerprint fail", __func__); - printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment, - sshkey_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) - printf("%s\n", ra); - sshkey_free(public); - free(comment); - free(ra); - free(fp); - exit(0); - } - if (comment) { - free(comment); - comment = NULL; + fatal("%s: %s", path, strerror(errno)); + if ((r = sshkey_load_public(path, &public, &comment)) != 0) { + debug("load public \"%s\": %s", path, ssh_err(r)); + if ((r = sshkey_load_private(path, NULL, + &public, &comment)) != 0) { + debug("load private \"%s\": %s", path, ssh_err(r)); + fatal("%s is not a key file.", path); + } } - if ((f = fopen(identity_file, "r")) == NULL) - fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + fingerprint_one_key(public, comment); + sshkey_free(public); + free(comment); +} - while (fgets(line, sizeof(line), f)) { - if ((cp = strchr(line, '\n')) == NULL) { - error("line %d too long: %.40s...", - num + 1, line); - skip = 1; +static void +do_fingerprint(struct passwd *pw) +{ + FILE *f; + struct sshkey *public = NULL; + char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES]; + int i, invalid = 1; + const char *path; + long int lnum = 0; + + if (!have_identity) + ask_filename(pw, "Enter file in which the key is"); + path = identity_file; + + if (strcmp(identity_file, "-") == 0) { + f = stdin; + path = "(stdin)"; + } else if ((f = fopen(path, "r")) == NULL) + fatal("%s: %s: %s", __progname, path, strerror(errno)); + + while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) { + cp = line; + cp[strcspn(cp, "\n")] = '\0'; + /* Trim leading space and comments */ + cp = line + strspn(line, " \t"); + if (*cp == '#' || *cp == '\0') continue; + + /* + * Input may be plain keys, private keys, authorized_keys + * or known_hosts. + */ + + /* + * Try private keys first. Assume a key is private if + * "SSH PRIVATE KEY" appears on the first line and we're + * not reading from stdin (XXX support private keys on stdin). + */ + if (lnum == 1 && strcmp(identity_file, "-") != 0 && + strstr(cp, "PRIVATE KEY") != NULL) { + fclose(f); + fingerprint_private(path); + exit(0); } - num++; - if (skip) { - skip = 0; + + /* + * If it's not a private key, then this must be prepared to + * accept a public key prefixed with a hostname or options. + * Try a bare key first, otherwise skip the leading stuff. + */ + if ((public = try_read_key(&cp)) == NULL) { + i = strtol(cp, &ep, 10); + if (i == 0 || ep == NULL || + (*ep != ' ' && *ep != '\t')) { + int quoted = 0; + + comment = cp; + for (; *cp && (quoted || (*cp != ' ' && + *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + if (!*cp) + continue; + *cp++ = '\0'; + } + } + /* Retry after parsing leading hostname/key options */ + if (public == NULL && (public = try_read_key(&cp)) == NULL) { + debug("%s:%ld: not a public key", path, lnum); continue; } - *cp = '\0'; - /* Skip leading whitespace, empty and comment lines. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++) + /* Find trailing comment, if any */ + for (; *cp == ' ' || *cp == '\t'; cp++) ; - if (!*cp || *cp == '\n' || *cp == '#') - continue; - i = strtol(cp, &ep, 10); - if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { - int quoted = 0; + if (*cp != '\0' && *cp != '#') comment = cp; - for (; *cp && (quoted || (*cp != ' ' && - *cp != '\t')); cp++) { - if (*cp == '\\' && cp[1] == '"') - cp++; /* Skip both */ - else if (*cp == '"') - quoted = !quoted; - } - if (!*cp) - continue; - *cp++ = '\0'; - } - ep = cp; - if ((public = sshkey_new(KEY_RSA1)) == NULL) - fatal("sshkey_new failed"); - if ((r = sshkey_read(public, &cp)) != 0) { - cp = ep; - sshkey_free(public); - if ((public = sshkey_new(KEY_UNSPEC)) == NULL) - fatal("sshkey_new failed"); - if ((r = sshkey_read(public, &cp)) != 0) { - sshkey_free(public); - continue; - } - } - comment = *cp ? cp : comment; - fp = sshkey_fingerprint(public, fptype, rep); - ra = sshkey_fingerprint(public, fingerprint_hash, - SSH_FP_RANDOMART); - if (fp == NULL || ra == NULL) - fatal("%s: sshkey_fingerprint fail", __func__); - printf("%u %s %s (%s)\n", sshkey_size(public), fp, - comment ? comment : "no comment", sshkey_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) - printf("%s\n", ra); - free(ra); - free(fp); + + fingerprint_one_key(public, comment); sshkey_free(public); - invalid = 0; + invalid = 0; /* One good key in the file is sufficient */ } fclose(f); if (invalid) - fatal("%s is not a public key file.", identity_file); + fatal("%s is not a public key file.", path); exit(0); } @@ -1185,8 +1231,11 @@ do_known_hosts(struct passwd *pw, const char *name) foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0; if ((r = hostkeys_foreach(identity_file, hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, - name, NULL, foreach_options)) != 0) + name, NULL, foreach_options)) != 0) { + if (inplace) + unlink(tmp); fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); + } if (inplace) fclose(ctx.out); @@ -1383,9 +1432,11 @@ do_change_comment(struct passwd *pw) identity_file, ssh_err(r)); } } - /* XXX what about new-format keys? */ - if (private->type != KEY_RSA1) { - error("Comments are only supported for RSA1 keys."); + + if (private->type != KEY_RSA1 && private->type != KEY_ED25519 && + !use_new_format) { + error("Comments are only supported for RSA1 or keys stored in " + "the new format (-o)."); explicit_bzero(passphrase, strlen(passphrase)); sshkey_free(private); exit(1); @@ -1441,44 +1492,6 @@ do_change_comment(struct passwd *pw) exit(0); } -static const char * -fmt_validity(u_int64_t valid_from, u_int64_t valid_to) -{ - char from[32], to[32]; - static char ret[64]; - time_t tt; - struct tm *tm; - - *from = *to = '\0'; - if (valid_from == 0 && valid_to == 0xffffffffffffffffULL) - return "forever"; - - if (valid_from != 0) { - /* XXX revisit INT_MAX in 2038 :) */ - tt = valid_from > INT_MAX ? INT_MAX : valid_from; - tm = localtime(&tt); - strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); - } - if (valid_to != 0xffffffffffffffffULL) { - /* XXX revisit INT_MAX in 2038 :) */ - tt = valid_to > INT_MAX ? INT_MAX : valid_to; - tm = localtime(&tt); - strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); - } - - if (valid_from == 0) { - snprintf(ret, sizeof(ret), "before %s", to); - return ret; - } - if (valid_to == 0xffffffffffffffffULL) { - snprintf(ret, sizeof(ret), "after %s", from); - return ret; - } - - snprintf(ret, sizeof(ret), "from %s to %s", from, to); - return ret; -} - static void add_flag_option(struct sshbuf *c, const char *name) { @@ -1572,7 +1585,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) int r, i, fd; u_int n; struct sshkey *ca, *public; - char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; + char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; FILE *f; #ifdef ENABLE_PKCS11 @@ -1647,13 +1660,15 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) fclose(f); if (!quiet) { + sshkey_format_cert_validity(public->cert, + valid, sizeof(valid)); logit("Signed %s key %s: id \"%s\" serial %llu%s%s " - "valid %s", sshkey_cert_type(public), + "valid %s", sshkey_cert_type(public), out, public->cert->key_id, (unsigned long long)public->cert->serial, cert_principals != NULL ? " for " : "", cert_principals != NULL ? cert_principals : "", - fmt_validity(cert_valid_from, cert_valid_to)); + valid); } sshkey_free(public); @@ -1687,7 +1702,7 @@ parse_absolute_time(const char *s) char buf[32], *fmt; /* - * POSIX strptime says "The application shall ensure that there + * POSIX strptime says "The application shall ensure that there * is white-space or other non-alphanumeric characters between * any two conversion specifications" so arrange things this way. */ @@ -1851,31 +1866,18 @@ show_options(struct sshbuf *optbuf, int in_critical) } static void -do_show_cert(struct passwd *pw) +print_cert(struct sshkey *key) { - struct sshkey *key; - struct stat st; - char *key_fp, *ca_fp; + char valid[64], *key_fp, *ca_fp; u_int i; - int r; - - if (!have_identity) - ask_filename(pw, "Enter file in which the key is"); - if (stat(identity_file, &st) < 0) - fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); - if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0) - fatal("Cannot load public key \"%s\": %s", - identity_file, ssh_err(r)); - if (!sshkey_is_cert(key)) - fatal("%s is not a certificate", identity_file); key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = sshkey_fingerprint(key->cert->signature_key, fingerprint_hash, SSH_FP_DEFAULT); if (key_fp == NULL || ca_fp == NULL) fatal("%s: sshkey_fingerprint fail", __func__); + sshkey_format_cert_validity(key->cert, valid, sizeof(valid)); - printf("%s:\n", identity_file); printf(" Type: %s %s certificate\n", sshkey_ssh_name(key), sshkey_cert_type(key)); printf(" Public key: %s %s\n", sshkey_type(key), key_fp); @@ -1883,8 +1885,7 @@ do_show_cert(struct passwd *pw) sshkey_type(key->cert->signature_key), ca_fp); printf(" Key ID: \"%s\"\n", key->cert->key_id); printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); - printf(" Valid: %s\n", - fmt_validity(key->cert->valid_after, key->cert->valid_before)); + printf(" Valid: %s\n", valid); printf(" Principals: "); if (key->cert->nprincipals == 0) printf("(none)\n"); @@ -1908,7 +1909,60 @@ do_show_cert(struct passwd *pw) printf("\n"); show_options(key->cert->extensions, 0); } - exit(0); +} + +static void +do_show_cert(struct passwd *pw) +{ + struct sshkey *key = NULL; + struct stat st; + int r, is_stdin = 0, ok = 0; + FILE *f; + char *cp, line[SSH_MAX_PUBKEY_BYTES]; + const char *path; + long int lnum = 0; + + if (!have_identity) + ask_filename(pw, "Enter file in which the key is"); + if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + + path = identity_file; + if (strcmp(path, "-") == 0) { + f = stdin; + path = "(stdin)"; + is_stdin = 1; + } else if ((f = fopen(identity_file, "r")) == NULL) + fatal("fopen %s: %s", identity_file, strerror(errno)); + + while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) { + sshkey_free(key); + key = NULL; + /* Trim leading space and comments */ + cp = line + strspn(line, " \t"); + if (*cp == '#' || *cp == '\0') + continue; + if ((key = sshkey_new(KEY_UNSPEC)) == NULL) + fatal("key_new"); + if ((r = sshkey_read(key, &cp)) != 0) { + error("%s:%lu: invalid key: %s", path, + lnum, ssh_err(r)); + continue; + } + if (!sshkey_is_cert(key)) { + error("%s:%lu is not a certificate", path, lnum); + continue; + } + ok = 1; + if (!is_stdin && lnum == 1) + printf("%s:\n", path); + else + printf("%s:%lu:\n", path, lnum); + print_cert(key); + } + sshkey_free(key); + fclose(f); + exit(ok ? 0 : 1); } static void @@ -2112,8 +2166,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) close(fd); sshbuf_free(kbuf); ssh_krl_free(krl); - if (ca != NULL) - sshkey_free(ca); + sshkey_free(ca); } static void @@ -2208,6 +2261,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index 500c1dd..5578cc5 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 @@ -4,7 +4,7 @@ NAME ssh-keyscan M-bM-^@M-^S gather ssh public keys SYNOPSIS - ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type] + ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type] [host | addrlist namelist] ... DESCRIPTION @@ -26,6 +26,8 @@ DESCRIPTION -6 Forces ssh-keyscan to use IPv6 addresses only. + -c Request certificates from target hosts instead of plain keys. + -f file Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line. If - is supplied instead of a filename, ssh-keyscan will read @@ -106,4 +108,4 @@ BUGS This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -OpenBSD 5.8 August 30, 2014 OpenBSD 5.8 +OpenBSD 5.9 November 8, 2015 OpenBSD 5.9 diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index 6bbc480..d29d9d9 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.38 2015/11/08 23:24:03 jmc Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: August 30 2014 $ +.Dd $Mdocdate: November 8 2015 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -15,7 +15,7 @@ .Sh SYNOPSIS .Nm ssh-keyscan .Bk -words -.Op Fl 46Hv +.Op Fl 46cHv .Op Fl f Ar file .Op Fl p Ar port .Op Fl T Ar timeout @@ -54,6 +54,8 @@ to use IPv4 addresses only. Forces .Nm to use IPv6 addresses only. +.It Fl c +Request certificates from target hosts instead of plain keys. .It Fl f Ar file Read hosts or .Dq addrlist namelist diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 57d8842..7fe61e4 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.101 2015/04/10 00:08:55 djm Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.105 2016/02/15 09:47:49 dtucker Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT; #define KT_ECDSA 8 #define KT_ED25519 16 +int get_cert = 0; int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519; int hash_hosts = 0; /* Hash hostname on output */ @@ -267,11 +268,32 @@ keygrab_ssh2(con *c) int r; enable_compat20(); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - c->c_keytype == KT_DSA ? "ssh-dss" : - (c->c_keytype == KT_RSA ? "ssh-rsa" : - (c->c_keytype == KT_ED25519 ? "ssh-ed25519" : - "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); + switch (c->c_keytype) { + case KT_DSA: + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? + "ssh-dss-cert-v01@openssh.com" : "ssh-dss"; + break; + case KT_RSA: + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? + "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa"; + break; + case KT_ED25519: + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? + "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519"; + break; + case KT_ECDSA: + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? + "ecdsa-sha2-nistp256-cert-v01@openssh.com," + "ecdsa-sha2-nistp384-cert-v01@openssh.com," + "ecdsa-sha2-nistp521-cert-v01@openssh.com" : + "ecdsa-sha2-nistp256," + "ecdsa-sha2-nistp384," + "ecdsa-sha2-nistp521"; + break; + default: + fatal("unknown key type %d", c->c_keytype); + break; + } if ((r = kex_setup(c->c_ssh, myproposal)) != 0) { free(c->c_ssh); fprintf(stderr, "kex_setup: %s\n", ssh_err(r)); @@ -296,23 +318,39 @@ keygrab_ssh2(con *c) } static void -keyprint(con *c, struct sshkey *key) +keyprint_one(char *host, struct sshkey *key) { - char *host = c->c_output_name ? c->c_output_name : c->c_name; - char *hostport = NULL; + char *hostport; - if (!key) - return; if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL) fatal("host_hash failed"); hostport = put_host_port(host, ssh_port); - fprintf(stdout, "%s ", hostport); + if (!get_cert) + fprintf(stdout, "%s ", hostport); sshkey_write(key, stdout); fputs("\n", stdout); free(hostport); } +static void +keyprint(con *c, struct sshkey *key) +{ + char *hosts = c->c_output_name ? c->c_output_name : c->c_name; + char *host, *ohosts; + + if (key == NULL) + return; + if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) { + keyprint_one(hosts, key); + return; + } + ohosts = hosts = xstrdup(hosts); + while ((host = strsep(&hosts, ",")) != NULL) + keyprint_one(host, key); + free(ohosts); +} + static int tcpconnect(char *host) { @@ -369,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype) if (fdcon[s].c_status) fatal("conalloc: attempt to reuse fdno %d", s); + debug3("%s: oname %s kt %d", __func__, oname, keytype); fdcon[s].c_fd = s; fdcon[s].c_status = CS_CON; fdcon[s].c_namebase = namebase; @@ -639,7 +678,7 @@ static void usage(void) { fprintf(stderr, - "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n" + "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n" "\t\t [host | addrlist namelist] ...\n", __progname); exit(1); @@ -657,6 +696,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; + ssh_malloc_init(); /* must be called before any mallocs */ __progname = ssh_get_progname(argv[0]); seed_rng(); TAILQ_INIT(&tq); @@ -667,11 +707,14 @@ main(int argc, char **argv) if (argc <= 1) usage(); - while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) { + while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) { switch (opt) { case 'H': hash_hosts = 1; break; + case 'c': + get_cert = 1; + break; case 'p': ssh_port = a2port(optarg); if (ssh_port <= 0) { diff --git a/ssh-keysign.0 b/ssh-keysign.0 index 7db72c7..65d75f3 100644 --- a/ssh-keysign.0 +++ b/ssh-keysign.0 @@ -8,8 +8,7 @@ SYNOPSIS DESCRIPTION ssh-keysign is used by ssh(1) to access the local host keys and generate - the digital signature required during host-based authentication with SSH - protocol version 2. + the digital signature required during host-based authentication. ssh-keysign is disabled by default and can only be enabled in the global client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign @@ -50,4 +49,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 5.8 December 7, 2013 OpenBSD 5.8 +OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 69d0829..19b0dbc 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.14 2013/12/07 11:58:46 naddy Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.15 2016/02/17 07:38:19 jmc Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 7 2013 $ +.Dd $Mdocdate: February 17 2016 $ .Dt SSH-KEYSIGN 8 .Os .Sh NAME @@ -35,7 +35,7 @@ is used by .Xr ssh 1 to access the local host keys and generate the digital signature -required during host-based authentication with SSH protocol version 2. +required during host-based authentication. .Pp .Nm is disabled by default and can only be enabled in the diff --git a/ssh-keysign.c b/ssh-keysign.c index 1dca3e2..ac5034d 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.49 2015/07/03 03:56:25 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.52 2016/02/15 09:47:49 dtucker Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -34,6 +34,7 @@ #include #include #include +#include #ifdef WITH_OPENSSL #include @@ -59,6 +60,8 @@ struct ssh *active_state = NULL; /* XXX needed for linking */ +extern char *__progname; + /* XXX readconf.c needs these */ uid_t original_real_uid; @@ -179,6 +182,10 @@ main(int argc, char **argv) u_int32_t rnd[256]; #endif + ssh_malloc_init(); /* must be called before any mallocs */ + if (pledge("stdio rpath getpw dns id", NULL) != 0) + fatal("%s: pledge: %s", __progname, strerror(errno)); + /* Ensure that stdin and stdout are connected */ if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) exit(1); @@ -245,23 +252,26 @@ main(int argc, char **argv) if (!found) fatal("no hostkey found"); + if (pledge("stdio dns", NULL) != 0) + fatal("%s: pledge: %s", __progname, strerror(errno)); + if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal("%s: sshbuf_new failed", __progname); if (ssh_msg_recv(STDIN_FILENO, b) < 0) fatal("ssh_msg_recv failed"); if ((r = sshbuf_get_u8(b, &rver)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __progname, ssh_err(r)); if (rver != version) fatal("bad version: received %d, expected %d", rver, version); if ((r = sshbuf_get_u32(b, (u_int *)&fd)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __progname, ssh_err(r)); if (fd < 0 || fd == STDIN_FILENO || fd == STDOUT_FILENO) fatal("bad fd"); if ((host = get_local_name(fd)) == NULL) fatal("cannot get local name for fd"); if ((r = sshbuf_get_string(b, &data, &dlen)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __progname, ssh_err(r)); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); free(host); @@ -277,19 +287,20 @@ main(int argc, char **argv) if (!found) { if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint failed", __func__); + fatal("%s: sshkey_fingerprint failed", __progname); fatal("no matching hostkey found for key %s %s", sshkey_type(key), fp ? fp : ""); } - if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, 0)) != 0) + if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, NULL, 0)) + != 0) fatal("sshkey_sign failed: %s", ssh_err(r)); free(data); /* send reply */ sshbuf_reset(b); if ((r = sshbuf_put_string(b, signature, slen)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __progname, ssh_err(r)); if (ssh_msg_send(STDOUT_FILENO, version, b) == -1) fatal("ssh_msg_send failed"); diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 8c74864..fac0167 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-client.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11-client.c,v 1.6 2015/12/11 00:20:04 mmcc Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -173,7 +173,7 @@ pkcs11_start_helper(void) close(pair[0]); close(pair[1]); execlp(_PATH_SSH_PKCS11_HELPER, _PATH_SSH_PKCS11_HELPER, - (char *) 0); + (char *)NULL); fprintf(stderr, "exec: %s: %s\n", _PATH_SSH_PKCS11_HELPER, strerror(errno)); _exit(1); diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 index 7fac805..47aa7bd 100644 --- a/ssh-pkcs11-helper.0 +++ b/ssh-pkcs11-helper.0 @@ -22,4 +22,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 5.8 July 16, 2013 OpenBSD 5.8 +OpenBSD 5.9 July 16, 2013 OpenBSD 5.9 diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index f2d5863..53f41c5 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.11 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.12 2016/02/15 09:47:49 dtucker Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -280,6 +280,7 @@ main(int argc, char **argv) extern char *__progname; + ssh_malloc_init(); /* must be called before any mallocs */ TAILQ_INIT(&pkcs11_keylist); pkcs11_init(0); diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 92614a5..d1f750d 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.21 2015/07/18 08:02:17 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.22 2016/02/12 00:20:30 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -322,8 +322,10 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, k11->slotidx = slotidx; /* identify key object on smartcard */ k11->keyid_len = keyid_attrib->ulValueLen; - k11->keyid = xmalloc(k11->keyid_len); - memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); + if (k11->keyid_len > 0) { + k11->keyid = xmalloc(k11->keyid_len); + memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); + } k11->orig_finish = def->finish; memcpy(&k11->rsa_method, def, sizeof(k11->rsa_method)); k11->rsa_method.name = "pkcs11"; diff --git a/ssh-rsa.c b/ssh-rsa.c index cdc18a4..53d44d1 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.53 2015/06/15 01:32:50 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.58 2015/12/11 04:21:12 mmcc Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -36,16 +36,56 @@ static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *); +static const char * +rsa_hash_alg_ident(int hash_alg) +{ + switch (hash_alg) { + case SSH_DIGEST_SHA1: + return "ssh-rsa"; + case SSH_DIGEST_SHA256: + return "rsa-sha2-256"; + case SSH_DIGEST_SHA512: + return "rsa-sha2-512"; + } + return NULL; +} + +static int +rsa_hash_alg_from_ident(const char *ident) +{ + if (strcmp(ident, "ssh-rsa") == 0) + return SSH_DIGEST_SHA1; + if (strcmp(ident, "rsa-sha2-256") == 0) + return SSH_DIGEST_SHA256; + if (strcmp(ident, "rsa-sha2-512") == 0) + return SSH_DIGEST_SHA512; + return -1; +} + +static int +rsa_hash_alg_nid(int type) +{ + switch (type) { + case SSH_DIGEST_SHA1: + return NID_sha1; + case SSH_DIGEST_SHA256: + return NID_sha256; + case SSH_DIGEST_SHA512: + return NID_sha512; + default: + return -1; + } +} + /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ int ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, - const u_char *data, size_t datalen, u_int compat) + const u_char *data, size_t datalen, const char *alg_ident) { - int hash_alg; u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL; size_t slen; u_int dlen, len; - int nid, ret = SSH_ERR_INTERNAL_ERROR; + int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR; struct sshbuf *b = NULL; if (lenp != NULL) @@ -53,16 +93,21 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, if (sigp != NULL) *sigp = NULL; - if (key == NULL || key->rsa == NULL || - sshkey_type_plain(key->type) != KEY_RSA) + if (alg_ident == NULL || strlen(alg_ident) == 0 || + strncmp(alg_ident, "ssh-rsa-cert", strlen("ssh-rsa-cert")) == 0) + hash_alg = SSH_DIGEST_SHA1; + else + hash_alg = rsa_hash_alg_from_ident(alg_ident); + if (key == NULL || key->rsa == NULL || hash_alg == -1 || + sshkey_type_plain(key->type) != KEY_RSA || + BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) return SSH_ERR_INVALID_ARGUMENT; slen = RSA_size(key->rsa); if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) return SSH_ERR_INVALID_ARGUMENT; /* hash the data */ - hash_alg = SSH_DIGEST_SHA1; - nid = NID_sha1; + nid = rsa_hash_alg_nid(hash_alg); if ((dlen = ssh_digest_bytes(hash_alg)) == 0) return SSH_ERR_INTERNAL_ERROR; if ((ret = ssh_digest_memory(hash_alg, data, datalen, @@ -91,7 +136,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, ret = SSH_ERR_ALLOC_FAIL; goto out; } - if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 || + if ((ret = sshbuf_put_cstring(b, rsa_hash_alg_ident(hash_alg))) != 0 || (ret = sshbuf_put_string(b, sig, slen)) != 0) goto out; len = sshbuf_len(b); @@ -111,15 +156,13 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, explicit_bzero(sig, slen); free(sig); } - if (b != NULL) - sshbuf_free(b); + sshbuf_free(b); return ret; } int ssh_rsa_verify(const struct sshkey *key, - const u_char *signature, size_t signaturelen, - const u_char *data, size_t datalen, u_int compat) + const u_char *sig, size_t siglen, const u_char *data, size_t datalen) { char *ktype = NULL; int hash_alg, ret = SSH_ERR_INTERNAL_ERROR; @@ -132,13 +175,13 @@ ssh_rsa_verify(const struct sshkey *key, BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) return SSH_ERR_INVALID_ARGUMENT; - if ((b = sshbuf_from(signature, signaturelen)) == NULL) + if ((b = sshbuf_from(sig, siglen)) == NULL) return SSH_ERR_ALLOC_FAIL; if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } - if (strcmp("ssh-rsa", ktype) != 0) { + if ((hash_alg = rsa_hash_alg_from_ident(ktype)) == -1) { ret = SSH_ERR_KEY_TYPE_MISMATCH; goto out; } @@ -167,7 +210,6 @@ ssh_rsa_verify(const struct sshkey *key, explicit_bzero(sigblob, diff); len = modlen; } - hash_alg = SSH_DIGEST_SHA1; if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { ret = SSH_ERR_INTERNAL_ERROR; goto out; @@ -183,10 +225,8 @@ ssh_rsa_verify(const struct sshkey *key, explicit_bzero(sigblob, len); free(sigblob); } - if (ktype != NULL) - free(ktype); - if (b != NULL) - sshbuf_free(b); + free(ktype); + sshbuf_free(b); explicit_bzero(digest, sizeof(digest)); return ret; } @@ -196,6 +236,7 @@ ssh_rsa_verify(const struct sshkey *key, * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn */ + /* * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) * oiw(14) secsig(3) algorithms(2) 26 } @@ -209,25 +250,71 @@ static const u_char id_sha1[] = { 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ }; +/* + * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html + * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) + * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) + * id-sha256(1) } + */ +static const u_char id_sha256[] = { + 0x30, 0x31, /* type Sequence, length 0x31 (49) */ + 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ + 0x06, 0x09, /* type OID, length 0x09 */ + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */ + 0x05, 0x00, /* NULL */ + 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */ +}; + +/* + * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html + * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) + * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) + * id-sha256(3) } + */ +static const u_char id_sha512[] = { + 0x30, 0x51, /* type Sequence, length 0x51 (81) */ + 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ + 0x06, 0x09, /* type OID, length 0x09 */ + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */ + 0x05, 0x00, /* NULL */ + 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */ +}; + +static int +rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp) +{ + switch (hash_alg) { + case SSH_DIGEST_SHA1: + *oidp = id_sha1; + *oidlenp = sizeof(id_sha1); + break; + case SSH_DIGEST_SHA256: + *oidp = id_sha256; + *oidlenp = sizeof(id_sha256); + break; + case SSH_DIGEST_SHA512: + *oidp = id_sha512; + *oidlenp = sizeof(id_sha512); + break; + default: + return SSH_ERR_INVALID_ARGUMENT; + } + return 0; +} + static int openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen, u_char *sigbuf, size_t siglen, RSA *rsa) { - size_t ret, rsasize = 0, oidlen = 0, hlen = 0; - int len, oidmatch, hashmatch; + size_t rsasize = 0, oidlen = 0, hlen = 0; + int ret, len, oidmatch, hashmatch; const u_char *oid = NULL; u_char *decrypted = NULL; + if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0) + return ret; ret = SSH_ERR_INTERNAL_ERROR; - switch (hash_alg) { - case SSH_DIGEST_SHA1: - oid = id_sha1; - oidlen = sizeof(id_sha1); - hlen = 20; - break; - default: - goto done; - } + hlen = ssh_digest_bytes(hash_alg); if (hashlen != hlen) { ret = SSH_ERR_INVALID_ARGUMENT; goto done; diff --git a/ssh.0 b/ssh.0 index ad4817a..9aaf436 100644 --- a/ssh.0 +++ b/ssh.0 @@ -8,22 +8,19 @@ SYNOPSIS [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] - [-Q cipher | cipher-auth | mac | kex | key | protocol-version] - [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] - [user@]hostname [command] + [-Q query_option] [-R address] [-S ctl_path] [-W host:port] + [-w local_tun[:remote_tun]] [user@]hostname [command] DESCRIPTION ssh (SSH client) is a program for logging into a remote machine and for - executing commands on a remote machine. It is intended to replace rlogin - and rsh, and provide secure encrypted communications between two - untrusted hosts over an insecure network. X11 connections, arbitrary TCP - ports and UNIX-domain sockets can also be forwarded over the secure - channel. + executing commands on a remote machine. It is intended to provide secure + encrypted communications between two untrusted hosts over an insecure + network. X11 connections, arbitrary TCP ports and UNIX-domain sockets + can also be forwarded over the secure channel. ssh connects and logs into the specified hostname (with optional user name). The user must prove his/her identity to the remote machine using - one of several methods depending on the protocol version used (see - below). + one of several methods (see below). If command is specified, it is executed on the remote host instead of a login shell. @@ -144,9 +141,11 @@ DESCRIPTION ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options - (and multiple identities specified in configuration files). ssh - will also try to load certificate information from the filename - obtained by appending -cert.pub to identity filenames. + (and multiple identities specified in configuration files). If + no certificates have been explicitly specified by the + CertificateFile directive, ssh will also try to load certificate + information from the filename obtained by appending -cert.pub to + identity filenames. -K Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server. @@ -190,12 +189,12 @@ DESCRIPTION details. -m mac_spec - Additionally, for protocol version 2 a comma-separated list of - MAC (message authentication code) algorithms can be specified in - order of preference. See the MACs keyword for more information. + A comma-separated list of MAC (message authentication code) + algorithms, specified in order of preference. See the MACs + keyword for more information. -N Do not execute a remote command. This is useful for just - forwarding ports (protocol version 2 only). + forwarding ports. -n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A @@ -224,6 +223,7 @@ DESCRIPTION of the options listed below, and their possible values, see ssh_config(5). + AddKeysToAgent AddressFamily BatchMode BindAddress @@ -232,6 +232,7 @@ DESCRIPTION CanonicalizeHostname CanonicalizeMaxDots CanonicalizePermittedCNAMEs + CertificateFile ChallengeResponseAuthentication CheckHostIP Cipher @@ -312,13 +313,14 @@ DESCRIPTION Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. - -Q cipher | cipher-auth | mac | kex | key | protocol-version + -Q query_option Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), mac (supported message - integrity codes), kex (key exchange algorithms), key (key types) - and protocol-version (supported SSH protocol versions). + integrity codes), kex (key exchange algorithms), key (key types), + key-cert (certificate key types), key-plain (non-certificate key + types), and protocol-version (supported SSH protocol versions). -q Quiet mode. Causes most warning and diagnostic messages to be suppressed. @@ -361,10 +363,9 @@ DESCRIPTION ssh_config(5) for details. -s May be used to request invocation of a subsystem on the remote - system. Subsystems are a feature of the SSH2 protocol which - facilitate the use of SSH as a secure transport for other - applications (eg. sftp(1)). The subsystem is specified as the - remote command. + system. Subsystems facilitate the use of SSH as a secure + transport for other applications (e.g. sftp(1)). The subsystem + is specified as the remote command. -T Disable pseudo-terminal allocation. @@ -383,8 +384,7 @@ DESCRIPTION -W host:port Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, - -T, ExitOnForwardFailure and ClearAllForwardings. Works with - Protocol version 2 only. + -T, ExitOnForwardFailure and ClearAllForwardings. -w local_tun[:remote_tun] Requests tunnel device forwarding with the specified tun(4) @@ -427,20 +427,16 @@ DESCRIPTION AUTHENTICATION The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to use protocol 2 only, though this can be changed via the Protocol option - in ssh_config(5) or the -1 and -2 options (see above). Both protocols - support similar authentication methods, but protocol 2 is the default - since it provides additional mechanisms for confidentiality (the traffic - is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and - integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64, - umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for - ensuring the integrity of the connection. + in ssh_config(5) or the -1 and -2 options (see above). Protocol 1 should + not be used and is only offered to support legacy devices. It suffers + from a number of cryptographic weaknesses and doesn't support many of the + advanced features available for protocol 2. The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication. Authentication methods are tried in the order specified above, though - protocol 2 has a configuration option to change the default order: - PreferredAuthentications. + PreferredAuthentications can be used to change the default order. Host-based authentication works as follows: If the machine the user logs in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote @@ -463,10 +459,8 @@ AUTHENTICATION creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements public key authentication protocol automatically, using - one of the DSA, ECDSA, Ed25519 or RSA algorithms. Protocol 1 is - restricted to using only RSA keys, but protocol 2 may use any. The - HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA - algorithms. + one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of + ssl(8) contains a brief discussion of the DSA and RSA algorithms. The file ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server @@ -475,13 +469,12 @@ AUTHENTICATION the corresponding public key is authorized to accept the account. The user creates his/her key pair by running ssh-keygen(1). This stores - the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol - 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2 - Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in - ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), - ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2 - Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home - directory. The user should then copy the public key to + the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (DSA), + ~/.ssh/id_ecdsa (ECDSA), ~/.ssh/id_ed25519 (Ed25519), or ~/.ssh/id_rsa + (RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1), + ~/.ssh/id_dsa.pub (DSA), ~/.ssh/id_ecdsa.pub (ECDSA), + ~/.ssh/id_ed25519.pub (Ed25519), or ~/.ssh/id_rsa.pub (RSA) in the user's + home directory. The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine. The authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long. After this, @@ -495,15 +488,13 @@ AUTHENTICATION more information. The most convenient way to use public key or certificate authentication - may be with an authentication agent. See ssh-agent(1) for more - information. + may be with an authentication agent. See ssh-agent(1) and (optionally) + the AddKeysToAgent directive in ssh_config(5) for more information. Challenge-response authentication works as follows: The server sends an - arbitrary "challenge" text, and prompts for a response. Protocol 2 - allows multiple challenges and responses; protocol 1 is restricted to - just one challenge/response. Examples of challenge-response - authentication include BSD Authentication (see login.conf(5)) and PAM - (some non-OpenBSD systems). + arbitrary "challenge" text, and prompts for a response. Examples of + challenge-response authentication include BSD Authentication (see + login.conf(5)) and PAM (some non-OpenBSD systems). Finally, if other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, @@ -565,8 +556,8 @@ ESCAPE CHARACTERS ~? Display a list of escape characters. - ~B Send a BREAK to the remote system (only useful for SSH protocol - version 2 and if the peer supports it). + ~B Send a BREAK to the remote system (only useful if the peer + supports it). ~C Open command line. Currently this allows the addition of port forwardings using the -L, -R and -D options (see above). It also @@ -577,8 +568,8 @@ ESCAPE CHARACTERS PermitLocalCommand option is enabled in ssh_config(5). Basic help is available, using the -h option. - ~R Request rekeying of the connection (only useful for SSH protocol - version 2 and if the peer supports it). + ~R Request rekeying of the connection (only useful if the peer + supports it). ~V Decrease the verbosity (LogLevel) when errors are being written to stderr. @@ -892,12 +883,7 @@ FILES /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys and are - used for host-based authentication. If protocol version 1 is - used, ssh must be setuid root, since the host key is readable - only by root. For protocol version 2, ssh uses ssh-keysign(8) to - access the host keys, eliminating the requirement that ssh be - setuid root when host-based authentication is used. By default - ssh is not setuid root. + used for host-based authentication. /etc/ssh/ssh_known_hosts Systemwide list of known host keys. This file should be prepared @@ -969,4 +955,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 July 20, 2015 OpenBSD 5.8 +OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 diff --git a/ssh.1 b/ssh.1 index 2ea0a20..cc53343 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.361 2015/07/20 18:44:12 millert Exp $ -.Dd $Mdocdate: July 20 2015 $ +.\" $OpenBSD: ssh.1,v 1.369 2016/02/17 07:38:19 jmc Exp $ +.Dd $Mdocdate: February 17 2016 $ .Dt SSH 1 .Os .Sh NAME @@ -58,7 +58,7 @@ .Op Fl O Ar ctl_cmd .Op Fl o Ar option .Op Fl p Ar port -.Op Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version +.Op Fl Q Ar query_option .Op Fl R Ar address .Op Fl S Ar ctl_path .Op Fl W Ar host : Ns Ar port @@ -70,8 +70,7 @@ .Nm (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. -It is intended to replace rlogin and rsh, -and provide secure encrypted communications between +It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections, arbitrary TCP ports and .Ux Ns -domain @@ -85,7 +84,7 @@ connects and logs into the specified name). The user must prove his/her identity to the remote machine using one of several methods -depending on the protocol version used (see below). +(see below). .Pp If .Ar command @@ -304,6 +303,9 @@ It is possible to have multiple .Fl i options (and multiple identities specified in configuration files). +If no certificates have been explicitly specified by the +.Cm CertificateFile +directive, .Nm will also try to load certificate information from the filename obtained by appending @@ -400,17 +402,15 @@ in for details. .Pp .It Fl m Ar mac_spec -Additionally, for protocol version 2 a comma-separated list of MAC -(message authentication code) algorithms can -be specified in order of preference. +A comma-separated list of MAC (message authentication code) algorithms, +specified in order of preference. See the .Cm MACs keyword for more information. .Pp .It Fl N Do not execute a remote command. -This is useful for just forwarding ports -(protocol version 2 only). +This is useful for just forwarding ports. .Pp .It Fl n Redirects stdin from @@ -460,6 +460,7 @@ For full details of the options listed below, and their possible values, see .Xr ssh_config 5 . .Pp .Bl -tag -width Ds -offset indent -compact +.It AddKeysToAgent .It AddressFamily .It BatchMode .It BindAddress @@ -468,6 +469,7 @@ For full details of the options listed below, and their possible values, see .It CanonicalizeHostname .It CanonicalizeMaxDots .It CanonicalizePermittedCNAMEs +.It CertificateFile .It ChallengeResponseAuthentication .It CheckHostIP .It Cipher @@ -550,7 +552,7 @@ Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. .Pp -.It Fl Q Cm cipher | cipher-auth | mac | kex | key | protocol-version +.It Fl Q Ar query_option Queries .Nm for the algorithms supported for the specified version 2. @@ -564,7 +566,11 @@ The available features are: .Ar kex (key exchange algorithms), .Ar key -(key types) and +(key types), +.Ar key-cert +(certificate key types), +.Ar key-plain +(non-certificate key types), and .Ar protocol-version (supported SSH protocol versions). .Pp @@ -656,8 +662,8 @@ for details. .Pp .It Fl s May be used to request invocation of a subsystem on the remote system. -Subsystems are a feature of the SSH2 protocol which facilitate the use -of SSH as a secure transport for other applications (eg.\& +Subsystems facilitate the use of SSH +as a secure transport for other applications (e.g.\& .Xr sftp 1 ) . The subsystem is specified as the remote command. .Pp @@ -702,7 +708,6 @@ Implies .Cm ExitOnForwardFailure and .Cm ClearAllForwardings . -Works with Protocol version 2 only. .Pp .It Fl w Xo .Ar local_tun Ns Op : Ns Ar remote_tun @@ -787,15 +792,10 @@ or the and .Fl 2 options (see above). -Both protocols support similar authentication methods, -but protocol 2 is the default since -it provides additional mechanisms for confidentiality -(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) -and integrity (hmac-md5, hmac-sha1, -hmac-sha2-256, hmac-sha2-512, -umac-64, umac-128, hmac-ripemd160). -Protocol 1 lacks a strong mechanism for ensuring the -integrity of the connection. +Protocol 1 should not be used +and is only offered to support legacy devices. +It suffers from a number of cryptographic weaknesses +and doesn't support many of the advanced features available for protocol 2. .Pp The methods available for authentication are: GSSAPI-based authentication, @@ -804,8 +804,9 @@ public key authentication, challenge-response authentication, and password authentication. Authentication methods are tried in the order specified above, -though protocol 2 has a configuration option to change the default order: -.Cm PreferredAuthentications . +though +.Cm PreferredAuthentications +can be used to change the default order. .Pp Host-based authentication works as follows: If the machine the user logs in from is listed in @@ -849,8 +850,6 @@ The server knows the public key, and only the user knows the private key. .Nm implements public key authentication protocol automatically, using one of the DSA, ECDSA, Ed25519 or RSA algorithms. -Protocol 1 is restricted to using only RSA keys, -but protocol 2 may use any. The HISTORY section of .Xr ssl 8 contains a brief discussion of the DSA and RSA algorithms. @@ -872,26 +871,26 @@ This stores the private key in .Pa ~/.ssh/identity (protocol 1), .Pa ~/.ssh/id_dsa -(protocol 2 DSA), +(DSA), .Pa ~/.ssh/id_ecdsa -(protocol 2 ECDSA), +(ECDSA), .Pa ~/.ssh/id_ed25519 -(protocol 2 Ed25519), +(Ed25519), or .Pa ~/.ssh/id_rsa -(protocol 2 RSA) +(RSA) and stores the public key in .Pa ~/.ssh/identity.pub (protocol 1), .Pa ~/.ssh/id_dsa.pub -(protocol 2 DSA), +(DSA), .Pa ~/.ssh/id_ecdsa.pub -(protocol 2 ECDSA), +(ECDSA), .Pa ~/.ssh/id_ed25519.pub -(protocol 2 Ed25519), +(Ed25519), or .Pa ~/.ssh/id_rsa.pub -(protocol 2 RSA) +(RSA) in the user's home directory. The user should then copy the public key to @@ -919,14 +918,16 @@ The most convenient way to use public key or certificate authentication may be with an authentication agent. See .Xr ssh-agent 1 +and (optionally) the +.Cm AddKeysToAgent +directive in +.Xr ssh_config 5 for more information. .Pp Challenge-response authentication works as follows: The server sends an arbitrary .Qq challenge text, and prompts for a response. -Protocol 2 allows multiple challenges and responses; -protocol 1 is restricted to just one challenge/response. Examples of challenge-response authentication include .Bx Authentication (see @@ -1025,7 +1026,7 @@ at logout when waiting for forwarded connection / X11 sessions to terminate. Display a list of escape characters. .It Cm ~B Send a BREAK to the remote system -(only useful for SSH protocol version 2 and if the peer supports it). +(only useful if the peer supports it). .It Cm ~C Open command line. Currently this allows the addition of port forwardings using the @@ -1058,7 +1059,7 @@ Basic help is available, using the option. .It Cm ~R Request rekeying of the connection -(only useful for SSH protocol version 2 and if the peer supports it). +(only useful if the peer supports it). .It Cm ~V Decrease the verbosity .Pq Ic LogLevel @@ -1526,20 +1527,6 @@ The file format and configuration options are described in .It Pa /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys and are used for host-based authentication. -If protocol version 1 is used, -.Nm -must be setuid root, since the host key is readable only by root. -For protocol version 2, -.Nm -uses -.Xr ssh-keysign 8 -to access the host keys, -eliminating the requirement that -.Nm -be setuid root when host-based authentication is used. -By default -.Nm -is not setuid root. .Pp .It Pa /etc/ssh/ssh_known_hosts Systemwide list of known host keys. diff --git a/ssh.c b/ssh.c index 67c1ebf..f9ff91f 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.436 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -105,7 +105,6 @@ #include "match.h" #include "msg.h" #include "uidswap.h" -#include "roaming.h" #include "version.h" #include "ssherr.h" #include "myproposal.h" @@ -203,11 +202,9 @@ usage(void) fprintf(stderr, "usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" -" [-F configfile] [-I pkcs11] [-i identity_file]\n" -" [-L address] [-l login_name] [-m mac_spec]\n" -" [-O ctl_cmd] [-o option] [-p port]\n" -" [-Q cipher | cipher-auth | mac | kex | key]\n" -" [-R address] [-S ctl_path] [-W host:port]\n" +" [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n" +" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" +" [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n" " [-w local_tun[:remote_tun]] [user@]hostname [command]\n" ); exit(255); @@ -252,7 +249,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen) if (port <= 0) port = default_ssh_port(); - snprintf(strport, sizeof strport, "%u", port); + snprintf(strport, sizeof strport, "%d", port); memset(&hints, 0, sizeof(hints)); hints.ai_family = options.address_family == -1 ? AF_UNSPEC : options.address_family; @@ -406,6 +403,17 @@ resolve_canonicalize(char **hostp, int port) return addrs; } + /* If domain name is anchored, then resolve it now */ + if ((*hostp)[strlen(*hostp) - 1] == '.') { + debug3("%s: name is fully qualified", __func__); + fullhost = xstrdup(*hostp); + if ((addrs = resolve_host(fullhost, port, 0, + newname, sizeof(newname))) != NULL) + goto found; + free(fullhost); + goto notfound; + } + /* Don't apply canonicalization to sufficiently-qualified hostnames */ ndots = 0; for (cp = *hostp; *cp != '\0'; cp++) { @@ -429,6 +437,7 @@ resolve_canonicalize(char **hostp, int port) free(fullhost); continue; } + found: /* Remove trailing '.' */ fullhost[strlen(fullhost) - 1] = '\0'; /* Follow CNAME if requested */ @@ -440,6 +449,7 @@ resolve_canonicalize(char **hostp, int port) *hostp = fullhost; return addrs; } + notfound: if (!options.canonicalize_fallback_local) fatal("%s: Could not resolve host \"%s\"", __progname, *hostp); debug2("%s: host %s not found in any suffix", __func__, *hostp); @@ -506,7 +516,7 @@ main(int ac, char **av) int i, r, opt, exit_status, use_syslog, config_test = 0; char *p, *cp, *line, *argv0, buf[PATH_MAX], *host_arg, *logfile; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; - char cname[NI_MAXHOST]; + char cname[NI_MAXHOST], uidstr[32], *conn_hash_hex; struct stat st; struct passwd *pw; int timeout_ms; @@ -516,8 +526,8 @@ main(int ac, char **av) struct addrinfo *addrs = NULL; struct ssh_digest_ctx *md; u_char conn_hash[SSH_DIGEST_MAX_LENGTH]; - char *conn_hash_hex; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -627,7 +637,7 @@ main(int ac, char **av) use_syslog = 1; break; case 'E': - logfile = xstrdup(optarg); + logfile = optarg; break; case 'G': config_test = 1; @@ -704,16 +714,18 @@ main(int ac, char **av) options.gss_deleg_creds = 1; break; case 'i': - if (stat(optarg, &st) < 0) { + p = tilde_expand_filename(optarg, original_real_uid); + if (stat(p, &st) < 0) fprintf(stderr, "Warning: Identity file %s " - "not accessible: %s.\n", optarg, + "not accessible: %s.\n", p, strerror(errno)); - break; - } - add_identity_file(&options, NULL, optarg, 1); + else + add_identity_file(&options, NULL, p, 1); + free(p); break; case 'I': #ifdef ENABLE_PKCS11 + free(options.pkcs11_provider); options.pkcs11_provider = xstrdup(optarg); #else fprintf(stderr, "no support for PKCS#11.\n"); @@ -798,6 +810,7 @@ main(int ac, char **av) if (ciphers_valid(*optarg == '+' ? optarg + 1 : optarg)) { /* SSH2 only */ + free(options.ciphers); options.ciphers = xstrdup(optarg); options.cipher = SSH_CIPHER_INVALID; break; @@ -817,9 +830,10 @@ main(int ac, char **av) options.ciphers = xstrdup(KEX_CLIENT_ENCRYPT); break; case 'm': - if (mac_valid(optarg)) + if (mac_valid(optarg)) { + free(options.macs); options.macs = xstrdup(optarg); - else { + } else { fprintf(stderr, "Unknown mac type '%s'\n", optarg); exit(255); @@ -897,8 +911,7 @@ main(int ac, char **av) subsystem_flag = 1; break; case 'S': - if (options.control_path != NULL) - free(options.control_path); + free(options.control_path); options.control_path = xstrdup(optarg); break; case 'b': @@ -980,10 +993,8 @@ main(int ac, char **av) */ if (use_syslog && logfile != NULL) fatal("Can't specify both -y and -E"); - if (logfile != NULL) { + if (logfile != NULL) log_redirect_stderr_to(logfile); - free(logfile); - } log_init(argv0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, SYSLOG_FACILITY_USER, !use_syslog); @@ -1084,6 +1095,8 @@ main(int ac, char **av) "disabling"); options.update_hostkeys = 0; } + if (options.connection_attempts <= 0) + fatal("Invalid number of ConnectionAttempts"); #ifndef HAVE_CYGWIN if (original_effective_uid != 0) options.use_privileged_port = 0; @@ -1122,6 +1135,7 @@ main(int ac, char **av) strlcpy(shorthost, thishost, sizeof(shorthost)); shorthost[strcspn(thishost, ".")] = '\0'; snprintf(portstr, sizeof(portstr), "%d", options.port); + snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid); if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL || ssh_digest_update(md, thishost, strlen(thishost)) < 0 || @@ -1164,6 +1178,7 @@ main(int ac, char **av) "p", portstr, "r", options.user, "u", pw->pw_name, + "i", uidstr, (char *)NULL); free(cp); } @@ -1184,6 +1199,7 @@ main(int ac, char **av) * have yet resolved the hostname. Do so now. */ if (addrs == NULL && options.proxy_command == NULL) { + debug2("resolving \"%s\" port %d", host, options.port); if ((addrs = resolve_host(host, options.port, 1, cname, sizeof(cname))) == NULL) cleanup_exit(255); /* resolve_host logs the error */ @@ -1227,8 +1243,10 @@ main(int ac, char **av) sensitive_data.keys[i] = NULL; PRIV_START; +#if WITH_SSH1 sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, _PATH_HOST_KEY_FILE, "", NULL, NULL); +#endif #ifdef OPENSSL_HAS_ECC sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, "", NULL); @@ -1353,6 +1371,10 @@ main(int ac, char **av) options.identity_keys[i] = NULL; } } + for (i = 0; i < options.num_certificate_files; i++) { + free(options.certificate_files[i]); + options.certificate_files[i] = NULL; + } exit_status = compat20 ? ssh_session2() : ssh_session(); packet_close(); @@ -1604,6 +1626,7 @@ ssh_session(void) struct winsize ws; char *cp; const char *display; + char *proto = NULL, *data = NULL; /* Enable compression if requested. */ if (options.compression) { @@ -1674,13 +1697,9 @@ ssh_session(void) display = getenv("DISPLAY"); if (display == NULL && options.forward_x11) debug("X11 forwarding requested but DISPLAY not set"); - if (options.forward_x11 && display != NULL) { - char *proto, *data; - /* Get reasonable local authentication information. */ - client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, - options.forward_x11_timeout, - &proto, &data); + if (options.forward_x11 && client_x11_get_proto(display, + options.xauth_location, options.forward_x11_trusted, + options.forward_x11_timeout, &proto, &data) == 0) { /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication " "spoofing."); @@ -1770,6 +1789,7 @@ ssh_session2_setup(int id, int success, void *arg) extern char **environ; const char *display; int interactive = tty_flag; + char *proto = NULL, *data = NULL; if (!success) return; /* No need for error message, channels code sens one */ @@ -1777,12 +1797,9 @@ ssh_session2_setup(int id, int success, void *arg) display = getenv("DISPLAY"); if (display == NULL && options.forward_x11) debug("X11 forwarding requested but DISPLAY not set"); - if (options.forward_x11 && display != NULL) { - char *proto, *data; - /* Get reasonable local authentication information. */ - client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, - options.forward_x11_timeout, &proto, &data); + if (options.forward_x11 && client_x11_get_proto(display, + options.xauth_location, options.forward_x11_trusted, + options.forward_x11_timeout, &proto, &data) == 0) { /* Request forwarding with authentication spoofing. */ debug("Requesting X11 forwarding with authentication " "spoofing."); @@ -1936,25 +1953,30 @@ ssh_session2(void) options.escape_char : SSH_ESCAPECHAR_NONE, id); } +/* Loads all IdentityFile and CertificateFile keys */ static void load_public_identity_files(void) { char *filename, *cp, thishost[NI_MAXHOST]; char *pwdir = NULL, *pwname = NULL; - int i = 0; Key *public; struct passwd *pw; - u_int n_ids; + int i; + u_int n_ids, n_certs; char *identity_files[SSH_MAX_IDENTITY_FILES]; Key *identity_keys[SSH_MAX_IDENTITY_FILES]; + char *certificate_files[SSH_MAX_CERTIFICATE_FILES]; + struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES]; #ifdef ENABLE_PKCS11 Key **keys; int nkeys; #endif /* PKCS11 */ - n_ids = 0; + n_ids = n_certs = 0; memset(identity_files, 0, sizeof(identity_files)); memset(identity_keys, 0, sizeof(identity_keys)); + memset(certificate_files, 0, sizeof(certificate_files)); + memset(certificates, 0, sizeof(certificates)); #ifdef ENABLE_PKCS11 if (options.pkcs11_provider != NULL && @@ -1986,6 +2008,7 @@ load_public_identity_files(void) if (n_ids >= SSH_MAX_IDENTITY_FILES || strcasecmp(options.identity_files[i], "none") == 0) { free(options.identity_files[i]); + options.identity_files[i] = NULL; continue; } cp = tilde_expand_filename(options.identity_files[i], @@ -2004,7 +2027,12 @@ load_public_identity_files(void) if (++n_ids >= SSH_MAX_IDENTITY_FILES) continue; - /* Try to add the certificate variant too */ + /* + * If no certificates have been explicitly listed then try + * to add the default certificate variant too. + */ + if (options.num_certificate_files != 0) + continue; xasprintf(&cp, "%s-cert", filename); public = key_load_public(cp, NULL); debug("identity file %s type %d", cp, @@ -2021,14 +2049,50 @@ load_public_identity_files(void) continue; } identity_keys[n_ids] = public; - /* point to the original path, most likely the private key */ - identity_files[n_ids] = xstrdup(filename); + identity_files[n_ids] = cp; n_ids++; } + + if (options.num_certificate_files > SSH_MAX_CERTIFICATE_FILES) + fatal("%s: too many certificates", __func__); + for (i = 0; i < options.num_certificate_files; i++) { + cp = tilde_expand_filename(options.certificate_files[i], + original_real_uid); + filename = percent_expand(cp, "d", pwdir, + "u", pwname, "l", thishost, "h", host, + "r", options.user, (char *)NULL); + free(cp); + + public = key_load_public(filename, NULL); + debug("certificate file %s type %d", filename, + public ? public->type : -1); + free(options.certificate_files[i]); + options.certificate_files[i] = NULL; + if (public == NULL) { + free(filename); + continue; + } + if (!key_is_cert(public)) { + debug("%s: key %s type %s is not a certificate", + __func__, filename, key_type(public)); + key_free(public); + free(filename); + continue; + } + certificate_files[n_certs] = filename; + certificates[n_certs] = public; + ++n_certs; + } + options.num_identity_files = n_ids; memcpy(options.identity_files, identity_files, sizeof(identity_files)); memcpy(options.identity_keys, identity_keys, sizeof(identity_keys)); + options.num_certificate_files = n_certs; + memcpy(options.certificate_files, + certificate_files, sizeof(certificate_files)); + memcpy(options.certificates, certificates, sizeof(certificates)); + explicit_bzero(pwname, strlen(pwname)); free(pwname); explicit_bzero(pwdir, strlen(pwdir)); diff --git a/ssh.h b/ssh.h index 39c7e18..50467a7 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.81 2015/08/04 05:23:06 djm Exp $ */ +/* $OpenBSD: ssh.h,v 1.83 2015/12/11 03:19:09 djm Exp $ */ /* * Author: Tatu Ylonen @@ -19,6 +19,12 @@ #define SSH_DEFAULT_PORT 22 /* + * Maximum number of certificate files that can be specified + * in configuration files or on the command line. + */ +#define SSH_MAX_CERTIFICATE_FILES 100 + +/* * Maximum number of RSA authentication identity files that can be specified * in configuration files or on the command line. */ @@ -29,7 +35,7 @@ * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with * some room for options and comments. */ -#define SSH_MAX_PUBKEY_BYTES 8192 +#define SSH_MAX_PUBKEY_BYTES 16384 /* * Major protocol version. Different version indicates major incompatibility diff --git a/ssh2.h b/ssh2.h index 59417e6..5d1918b 100644 --- a/ssh2.h +++ b/ssh2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh2.h,v 1.15 2014/01/29 06:18:35 djm Exp $ */ +/* $OpenBSD: ssh2.h,v 1.17 2016/01/14 16:17:40 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -80,6 +80,7 @@ #define SSH2_MSG_DEBUG 4 #define SSH2_MSG_SERVICE_REQUEST 5 #define SSH2_MSG_SERVICE_ACCEPT 6 +#define SSH2_MSG_EXT_INFO 7 /* transport layer: alg negotiation */ @@ -164,13 +165,6 @@ #define SSH2_EXTENDED_DATA_STDERR 1 -/* kex messages for resume@appgate.com */ -#define SSH2_MSG_KEX_ROAMING_RESUME 30 -#define SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED 31 -#define SSH2_MSG_KEX_ROAMING_AUTH 32 -#define SSH2_MSG_KEX_ROAMING_AUTH_OK 33 -#define SSH2_MSG_KEX_ROAMING_AUTH_FAIL 34 - /* Certificate types for OpenSSH certificate keys extension */ #define SSH2_CERT_TYPE_USER 1 #define SSH2_CERT_TYPE_HOST 2 diff --git a/ssh_api.c b/ssh_api.c index 6c71258..f544f00 100644 --- a/ssh_api.c +++ b/ssh_api.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh_api.c,v 1.4 2015/02/16 22:13:32 djm Exp $ */ +/* $OpenBSD: ssh_api.c,v 1.5 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2012 Markus Friedl. All rights reserved. * @@ -40,8 +40,8 @@ int _ssh_order_hostkeyalgs(struct ssh *); int _ssh_verify_host_key(struct sshkey *, struct ssh *); struct sshkey *_ssh_host_public_key(int, int, struct ssh *); struct sshkey *_ssh_host_private_key(int, int, struct ssh *); -int _ssh_host_key_sign(struct sshkey *, struct sshkey *, u_char **, - size_t *, const u_char *, size_t, u_int); +int _ssh_host_key_sign(struct sshkey *, struct sshkey *, + u_char **, size_t *, const u_char *, size_t, const char *, u_int); /* * stubs for the server side implementation of kex. @@ -49,7 +49,7 @@ int _ssh_host_key_sign(struct sshkey *, struct sshkey *, u_char **, */ int use_privsep = 0; int mm_sshkey_sign(struct sshkey *, u_char **, u_int *, - u_char *, u_int, u_int); + u_char *, u_int, char *, u_int); DH *mm_choose_dh(int, int, int); /* Define these two variables here so that they are part of the library */ @@ -58,7 +58,7 @@ u_int session_id2_len = 0; int mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen, u_int compat) + u_char *data, u_int datalen, char *alg, u_int compat) { return (-1); } @@ -530,8 +530,8 @@ _ssh_order_hostkeyalgs(struct ssh *ssh) int _ssh_host_key_sign(struct sshkey *privkey, struct sshkey *pubkey, - u_char **signature, size_t *slen, - const u_char *data, size_t dlen, u_int compat) + u_char **signature, size_t *slen, const u_char *data, size_t dlen, + const char *alg, u_int compat) { - return sshkey_sign(privkey, signature, slen, data, dlen, compat); + return sshkey_sign(privkey, signature, slen, data, dlen, alg, compat); } diff --git a/ssh_config b/ssh_config index 03a228f..90fb63f 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ +# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -34,8 +34,10 @@ # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 +# Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 diff --git a/ssh_config.0 b/ssh_config.0 index 67133cd..b823c02 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -59,7 +59,7 @@ DESCRIPTION Match Restricts the following declarations (up to the next Host or Match keyword) to be used only when the conditions following the Match keyword are satisfied. Match conditions are specified - using one or more critera or the single token all which always + using one or more criteria or the single token all which always matches. The available criteria keywords are: canonical, exec, host, originalhost, user, and localuser. The all criteria must appear alone or immediately after canonical. Other criteria may @@ -94,10 +94,23 @@ DESCRIPTION matches against the name of the local user running ssh(1) (this keyword may be useful in system-wide ssh_config files). + AddKeysToAgent + Specifies whether keys should be automatically added to a running + ssh-agent(1). If this option is set to M-bM-^@M-^\yesM-bM-^@M-^] and a key is loaded + from a file, the key and its passphrase are added to the agent + with the default lifetime, as if by ssh-add(1). If this option + is set to M-bM-^@M-^\askM-bM-^@M-^], ssh will require confirmation using the + SSH_ASKPASS program before adding a key (see ssh-add(1) for + details). If this option is set to M-bM-^@M-^\confirmM-bM-^@M-^], each use of the + key must be confirmed, as if the -c option was specified to + ssh-add(1). If this option is set to M-bM-^@M-^\noM-bM-^@M-^], no keys are added to + the agent. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\confirmM-bM-^@M-^], M-bM-^@M-^\askM-bM-^@M-^], or + M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + AddressFamily Specifies which address family to use when connecting. Valid arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 - only). + only). The default is M-bM-^@M-^\anyM-bM-^@M-^]. BatchMode If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. @@ -157,6 +170,22 @@ DESCRIPTION canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. + CertificateFile + Specifies a file from which the user's certificate is read. A + corresponding private key must be provided separately in order to + use this certificate either from an IdentityFile directive or -i + flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider. + + The file name may use the tilde syntax to refer to a user's home + directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local + user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host + name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). + + It is possible to have multiple certificate files specified in + configuration files; these certificates will be tried in + sequence. Multiple CertificateFile directives will add to the + list of certificates used for authentication. + ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is @@ -208,9 +237,7 @@ DESCRIPTION chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, - arcfour256,arcfour128, - aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, - aes192-cbc,aes256-cbc,arcfour + aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc The list of available ciphers may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. @@ -282,13 +309,13 @@ DESCRIPTION any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by - the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username of the user - running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: - %l%h%p%r. It is recommended that any ControlPath used for - opportunistic connection sharing include at least %h, %p, and %r - (or alternatively %C) and be placed in a directory that is not - writable by other users. This ensures that shared connections - are uniquely identified. + the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username and M-bM-^@M-^X%iM-bM-^@M-^Y by the + numeric user ID (uid) of the user running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a + hash of the concatenation: %l%h%p%r. It is recommended that any + ControlPath used for opportunistic connection sharing include at + least %h, %p, and %r (or alternatively %C) and be placed in a + directory that is not writable by other users. This ensures that + shared connections are uniquely identified. ControlPersist When used in conjunction with ControlMaster, specifies that the @@ -342,8 +369,12 @@ DESCRIPTION ExitOnForwardFailure Specifies whether ssh(1) should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote - port forwardings. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The - default is M-bM-^@M-^\noM-bM-^@M-^]. + port forwardings, (e.g. if either end is unable to bind and + listen on a specified port). Note that ExitOnForwardFailure does + not apply to connections made over port forwardings and will not, + for example, cause ssh(1) to exit if TCP connections to the + ultimate forwarding destination fail. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] + or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. FingerprintHash Specifies the hash algorithm used when displaying key @@ -415,12 +446,11 @@ DESCRIPTION GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. - The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol - version 2 only. + The default is M-bM-^@M-^\noM-bM-^@M-^]. GSSAPIDelegateCredentials Forward (delegate) credentials to the server. The default is - M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 only. + M-bM-^@M-^\noM-bM-^@M-^]. HashKnownHosts Indicates that ssh(1) should hash host names and addresses when @@ -434,8 +464,7 @@ DESCRIPTION HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The - default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only - and is similar to RhostsRSAAuthentication. + default is M-bM-^@M-^\noM-bM-^@M-^]. HostbasedKeyTypes Specifies the key types that will be used for hostbased @@ -455,11 +484,11 @@ DESCRIPTION The -Q option of ssh(1) may be used to list supported key types. HostKeyAlgorithms - Specifies the protocol version 2 host key algorithms that the - client wants to use in order of preference. Alternately if the - specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified - key types will be appended to the default set instead of - replacing them. The default for this option is: + Specifies the host key algorithms that the client wants to use in + order of preference. Alternately if the specified value begins + with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified key types will be + appended to the default set instead of replacing them. The + default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, @@ -496,8 +525,9 @@ DESCRIPTION IdentitiesOnly Specifies that ssh(1) should only use the authentication identity - files configured in the ssh_config files, even if ssh-agent(1) or - a PKCS11Provider offers more identities. The argument to this + and certificate files explicitly configured in the ssh_config + files or passed on the ssh(1) command-line, even if ssh-agent(1) + or a PKCS11Provider offers more identities. The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for situations where ssh-agent offers many different identities. The default is M-bM-^@M-^\noM-bM-^@M-^]. @@ -509,9 +539,10 @@ DESCRIPTION ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication unless IdentitiesOnly is - set. ssh(1) will try to load certificate information from the - filename obtained by appending -cert.pub to the path of a - specified IdentityFile. + set. If no certificates have been explicitly specified by + CertificateFile, ssh(1) will try to load certificate information + from the filename obtained by appending -cert.pub to the path of + a specified IdentityFile. The file name may use the tilde syntax to refer to a user's home directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local @@ -526,7 +557,9 @@ DESCRIPTION IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during - authentication. + authentication. IdentityFile may also be used in conjunction + with CertificateFile in order to provide any certificate also + needed for authentication with the identity. IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they @@ -620,11 +653,11 @@ DESCRIPTION higher levels of verbose output. MACs Specifies the MAC (message authentication code) algorithms in - order of preference. The MAC algorithm is used in protocol - version 2 for data integrity protection. Multiple algorithms - must be comma-separated. If the specified value begins with a - M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be appended to - the default set instead of replacing them. + order of preference. The MAC algorithm is used for data + integrity protection. Multiple algorithms must be comma- + separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified algorithms will be appended to the default set + instead of replacing them. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after encryption (encrypt-then-mac). These are considered safer and @@ -634,13 +667,9 @@ DESCRIPTION umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + hmac-sha1-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com, - hmac-sha2-256,hmac-sha2-512, - hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, - hmac-ripemd160-etm@openssh.com, - hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, - hmac-md5,hmac-sha1,hmac-ripemd160, - hmac-sha1-96,hmac-md5-96 + hmac-sha2-256,hmac-sha2-512,hmac-sha1 The list of available MAC algorithms may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. @@ -677,10 +706,10 @@ DESCRIPTION default is 22. PreferredAuthentications - Specifies the order in which the client should try protocol 2 - authentication methods. This allows a client to prefer one - method (e.g. keyboard-interactive) over another method (e.g. - password). The default is: + Specifies the order in which the client should try authentication + methods. This allows a client to prefer one method (e.g. + keyboard-interactive) over another method (e.g. password). The + default is: gssapi-with-mic,hostbased,publickey, keyboard-interactive,password @@ -690,7 +719,9 @@ DESCRIPTION preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma-separated. When this option is set to M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if - version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. + version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 + suffers from a number of cryptographic weaknesses and should not + be used. It is only offered to support legacy devices. ProxyCommand Specifies the command to use to connect to the server. The @@ -740,7 +771,6 @@ DESCRIPTION PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. - This option applies to protocol version 2 only. RekeyLimit Specifies the maximum amount of data that may be transmitted @@ -755,7 +785,6 @@ DESCRIPTION default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. - This option applies to protocol version 2 only. RemoteForward Specifies that a TCP port on the remote machine be forwarded over @@ -808,8 +837,7 @@ DESCRIPTION SendEnv Specifies what variables from the local environ(7) should be sent - to the server. Note that environment passing is only supported - for protocol 2. The server must also support it, and the server + to the server. The server must also support it, and the server must be configured to accept these environment variables. Note that the TERM environment variable is always sent whenever a pseudo-terminal is requested as it is required by the protocol. @@ -838,15 +866,14 @@ DESCRIPTION The default value is 3. If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect - after approximately 45 seconds. This option applies to protocol - version 2 only. + after approximately 45 seconds. ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to - the server. This option applies to protocol version 2 only. + the server. StreamLocalBindMask Sets the octal file creation mode mask (umask) used when creating @@ -924,7 +951,7 @@ DESCRIPTION graceful key rotation by allowing a server to send replacement public keys before old ones are removed. Additional hostkeys are only accepted if the key used to authenticate the host was - already trusted or explicity accepted by the user. If + already trusted or explicitly accepted by the user. If UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm the modifications to the known_hosts file. Confirmation is currently incompatible with ControlPersist, and will be disabled @@ -960,8 +987,7 @@ DESCRIPTION fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default - is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol version 2 - only. + is M-bM-^@M-^\noM-bM-^@M-^]. See also VERIFYING HOST KEYS in ssh(1). @@ -1023,4 +1049,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 +OpenBSD 5.9 February 20, 2016 OpenBSD 5.9 diff --git a/ssh_config.5 b/ssh_config.5 index a47f3ca..caf13a6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $ -.Dd $Mdocdate: August 14 2015 $ +.\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $ +.Dd $Mdocdate: February 20 2016 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -139,7 +139,7 @@ or keyword) to be used only when the conditions following the .Cm Match keyword are satisfied. -Match conditions are specified using one or more critera +Match conditions are specified using one or more criteria or the single token .Cm all which always matches. @@ -221,6 +221,39 @@ keyword matches against the name of the local user running (this keyword may be useful in system-wide .Nm files). +.It Cm AddKeysToAgent +Specifies whether keys should be automatically added to a running +.Xr ssh-agent 1 . +If this option is set to +.Dq yes +and a key is loaded from a file, the key and its passphrase are added to +the agent with the default lifetime, as if by +.Xr ssh-add 1 . +If this option is set to +.Dq ask , +.Nm ssh +will require confirmation using the +.Ev SSH_ASKPASS +program before adding a key (see +.Xr ssh-add 1 +for details). +If this option is set to +.Dq confirm , +each use of the key must be confirmed, as if the +.Fl c +option was specified to +.Xr ssh-add 1 . +If this option is set to +.Dq no , +no keys are added to the agent. +The argument must be +.Dq yes , +.Dq confirm , +.Dq ask , +or +.Dq no . +The default is +.Dq no . .It Cm AddressFamily Specifies which address family to use when connecting. Valid arguments are @@ -229,6 +262,8 @@ Valid arguments are (use IPv4 only), or .Dq inet6 (use IPv6 only). +The default is +.Dq any . .It Cm BatchMode If set to .Dq yes , @@ -325,6 +360,41 @@ to be canonicalized to names in the or .Dq *.c.example.com domains. +.It Cm CertificateFile +Specifies a file from which the user's certificate is read. +A corresponding private key must be provided separately in order +to use this certificate either +from an +.Cm IdentityFile +directive or +.Fl i +flag to +.Xr ssh 1 , +via +.Xr ssh-agent 1 , +or via a +.Cm PKCS11Provider . +.Pp +The file name may use the tilde +syntax to refer to a user's home directory or one of the following +escape characters: +.Ql %d +(local user's home directory), +.Ql %u +(local user name), +.Ql %l +(local host name), +.Ql %h +(remote host name) or +.Ql %r +(remote user name). +.Pp +It is possible to have multiple certificate files specified in +configuration files; these certificates will be tried in sequence. +Multiple +.Cm CertificateFile +directives will add to the list of certificates used for +authentication. .It Cm ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. The argument to this keyword must be @@ -418,9 +488,7 @@ The default is: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, -arcfour256,arcfour128, -aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, -aes192-cbc,aes256-cbc,arcfour +aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc .Ed .Pp The list of available ciphers may also be obtained using the @@ -538,8 +606,11 @@ the destination port, .Ql %r by the remote login username, .Ql %u -by the username of the user running -.Xr ssh 1 , and +by the username and +.Ql %i +by the numeric user ID (uid) of the user running +.Xr ssh 1 , +and .Ql \&%C by a hash of the concatenation: %l%h%p%r. It is recommended that any @@ -639,7 +710,14 @@ data). Specifies whether .Xr ssh 1 should terminate the connection if it cannot set up all requested -dynamic, tunnel, local, and remote port forwardings. +dynamic, tunnel, local, and remote port forwardings, (e.g.\& +if either end is unable to bind and listen on a specified port). +Note that +.Cm ExitOnForwardFailure +does not apply to connections made over port forwardings and will not, +for example, cause +.Xr ssh 1 +to exit if TCP connections to the ultimate forwarding destination fail. The argument must be .Dq yes or @@ -748,12 +826,10 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . -Note that this option applies to protocol version 2 only. .It Cm GSSAPIDelegateCredentials Forward (delegate) credentials to the server. The default is .Dq no . -Note that this option applies to protocol version 2 only. .It Cm HashKnownHosts Indicates that .Xr ssh 1 @@ -780,9 +856,6 @@ or .Dq no . The default is .Dq no . -This option applies to protocol version 2 only and -is similar to -.Cm RhostsRSAAuthentication . .It Cm HostbasedKeyTypes Specifies the key types that will be used for hostbased authentication as a comma-separated pattern list. @@ -807,7 +880,7 @@ option of .Xr ssh 1 may be used to list supported key types. .It Cm HostKeyAlgorithms -Specifies the protocol version 2 host key algorithms +Specifies the host key algorithms that the client wants to use in order of preference. Alternately if the specified value begins with a .Sq + @@ -859,9 +932,13 @@ specifications). .It Cm IdentitiesOnly Specifies that .Xr ssh 1 -should only use the authentication identity files configured in the +should only use the authentication identity and certificate files explicitly +configured in the .Nm -files, +files +or passed on the +.Xr ssh 1 +command-line, even if .Xr ssh-agent 1 or a @@ -891,6 +968,8 @@ Additionally, any identities represented by the authentication agent will be used for authentication unless .Cm IdentitiesOnly is set. +If no certificates have been explicitly specified by +.Cm CertificateFile , .Xr ssh 1 will try to load certificate information from the filename obtained by appending @@ -924,6 +1003,11 @@ differs from that of other configuration directives). may be used in conjunction with .Cm IdentitiesOnly to select which identities in an agent are offered during authentication. +.Cm IdentityFile +may also be used in conjunction with +.Cm CertificateFile +in order to provide any certificate also needed for authentication with +the identity. .It Cm IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. @@ -1083,8 +1167,7 @@ DEBUG2 and DEBUG3 each specify higher levels of verbose output. .It Cm MACs Specifies the MAC (message authentication code) algorithms in order of preference. -The MAC algorithm is used in protocol version 2 -for data integrity protection. +The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a .Sq + @@ -1100,13 +1183,9 @@ The default is: .Bd -literal -offset indent umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-sha1-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512, -hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, -hmac-ripemd160-etm@openssh.com, -hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, -hmac-md5,hmac-sha1,hmac-ripemd160, -hmac-sha1-96,hmac-md5-96 +hmac-sha2-256,hmac-sha2-512,hmac-sha1 .Ed .Pp The list of available MAC algorithms may also be obtained using the @@ -1160,8 +1239,7 @@ private RSA key. Specifies the port number to connect on the remote host. The default is 22. .It Cm PreferredAuthentications -Specifies the order in which the client should try protocol 2 -authentication methods. +Specifies the order in which the client should try authentication methods. This allows a client to prefer one method (e.g.\& .Cm keyboard-interactive ) over another method (e.g.\& @@ -1187,6 +1265,9 @@ will try version 2 and fall back to version 1 if version 2 is not available. The default is .Sq 2 . +Protocol 1 suffers from a number of cryptographic weaknesses and should +not be used. +It is only offered to support legacy devices. .It Cm ProxyCommand Specifies the command to use to connect to the server. The command @@ -1267,7 +1348,6 @@ or .Dq no . The default is .Dq yes . -This option applies to protocol version 2 only. .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of @@ -1293,7 +1373,6 @@ is .Dq default none , which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. -This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. @@ -1386,7 +1465,6 @@ Note that this option applies to protocol version 1 only. Specifies what variables from the local .Xr environ 7 should be sent to the server. -Note that environment passing is only supported for protocol 2. The server must also support it, and the server must be configured to accept these environment variables. Note that the @@ -1434,7 +1512,6 @@ If, for example, .Cm ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. -This option applies to protocol version 2 only. .It Cm ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, @@ -1443,7 +1520,6 @@ will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. -This option applies to protocol version 2 only. .It Cm StreamLocalBindMask Sets the octal file creation mode mask .Pq umask @@ -1575,7 +1651,7 @@ Enabling this option allows learning alternate hostkeys for a server and supports graceful key rotation by allowing a server to send replacement public keys before old ones are removed. Additional hostkeys are only accepted if the key used to authenticate the -host was already trusted or explicity accepted by the user. +host was already trusted or explicitly accepted by the user. If .Cm UpdateHostKeys is set to @@ -1640,7 +1716,6 @@ or .Dq ask . The default is .Dq no . -Note that this option applies to protocol version 2 only. .Pp See also VERIFYING HOST KEYS in .Xr ssh 1 . diff --git a/sshbuf-getput-basic.c b/sshbuf-getput-basic.c index 8ff8a0a..23e0fd7 100644 --- a/sshbuf-getput-basic.c +++ b/sshbuf-getput-basic.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf-getput-basic.c,v 1.4 2015/01/14 15:02:39 djm Exp $ */ +/* $OpenBSD: sshbuf-getput-basic.c,v 1.5 2015/10/20 23:24:25 mmcc Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -131,7 +131,7 @@ sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp, size_t *lenp) *lenp = 0; if ((r = sshbuf_peek_string_direct(buf, &p, &len)) < 0) return r; - if (valp != 0) + if (valp != NULL) *valp = p; if (lenp != NULL) *lenp = len; @@ -168,7 +168,7 @@ sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp, SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE")); return SSH_ERR_MESSAGE_INCOMPLETE; } - if (valp != 0) + if (valp != NULL) *valp = p + 4; if (lenp != NULL) *lenp = len; @@ -448,7 +448,7 @@ sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf, d++; len--; } - if (valp != 0) + if (valp != NULL) *valp = d; if (lenp != NULL) *lenp = len; diff --git a/sshbuf.c b/sshbuf.c index 19e162c..4d6e0ea 100644 --- a/sshbuf.c +++ b/sshbuf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $ */ +/* $OpenBSD: sshbuf.c,v 1.6 2016/01/12 23:42:54 djm Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -163,10 +163,8 @@ sshbuf_free(struct sshbuf *buf) * If we are a child, the free our parent to decrement its reference * count and possibly free it. */ - if (buf->parent != NULL) { - sshbuf_free(buf->parent); - buf->parent = NULL; - } + sshbuf_free(buf->parent); + buf->parent = NULL; /* * If we are a parent with still-extant children, then don't free just * yet. The last child's call to sshbuf_free should decrement our diff --git a/sshbuf.h b/sshbuf.h index eb0d92e..63495fb 100644 --- a/sshbuf.h +++ b/sshbuf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf.h,v 1.4 2015/01/14 15:02:39 djm Exp $ */ +/* $OpenBSD: sshbuf.h,v 1.6 2015/12/10 07:01:35 mmcc Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -120,12 +120,12 @@ size_t sshbuf_len(const struct sshbuf *buf); size_t sshbuf_avail(const struct sshbuf *buf); /* - * Returns a read-only pointer to the start of the the data in buf + * Returns a read-only pointer to the start of the data in buf */ const u_char *sshbuf_ptr(const struct sshbuf *buf); /* - * Returns a mutable pointer to the start of the the data in buf, or + * Returns a mutable pointer to the start of the data in buf, or * NULL if the buffer is read-only. */ u_char *sshbuf_mutable_ptr(const struct sshbuf *buf); @@ -241,45 +241,48 @@ int sshbuf_b64tod(struct sshbuf *buf, const char *b64); /* Macros for decoding/encoding integers */ #define PEEK_U64(p) \ - (((u_int64_t)(((u_char *)(p))[0]) << 56) | \ - ((u_int64_t)(((u_char *)(p))[1]) << 48) | \ - ((u_int64_t)(((u_char *)(p))[2]) << 40) | \ - ((u_int64_t)(((u_char *)(p))[3]) << 32) | \ - ((u_int64_t)(((u_char *)(p))[4]) << 24) | \ - ((u_int64_t)(((u_char *)(p))[5]) << 16) | \ - ((u_int64_t)(((u_char *)(p))[6]) << 8) | \ - (u_int64_t)(((u_char *)(p))[7])) + (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \ + ((u_int64_t)(((const u_char *)(p))[1]) << 48) | \ + ((u_int64_t)(((const u_char *)(p))[2]) << 40) | \ + ((u_int64_t)(((const u_char *)(p))[3]) << 32) | \ + ((u_int64_t)(((const u_char *)(p))[4]) << 24) | \ + ((u_int64_t)(((const u_char *)(p))[5]) << 16) | \ + ((u_int64_t)(((const u_char *)(p))[6]) << 8) | \ + (u_int64_t)(((const u_char *)(p))[7])) #define PEEK_U32(p) \ - (((u_int32_t)(((u_char *)(p))[0]) << 24) | \ - ((u_int32_t)(((u_char *)(p))[1]) << 16) | \ - ((u_int32_t)(((u_char *)(p))[2]) << 8) | \ - (u_int32_t)(((u_char *)(p))[3])) + (((u_int32_t)(((const u_char *)(p))[0]) << 24) | \ + ((u_int32_t)(((const u_char *)(p))[1]) << 16) | \ + ((u_int32_t)(((const u_char *)(p))[2]) << 8) | \ + (u_int32_t)(((const u_char *)(p))[3])) #define PEEK_U16(p) \ - (((u_int16_t)(((u_char *)(p))[0]) << 8) | \ - (u_int16_t)(((u_char *)(p))[1])) + (((u_int16_t)(((const u_char *)(p))[0]) << 8) | \ + (u_int16_t)(((const u_char *)(p))[1])) #define POKE_U64(p, v) \ do { \ - ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 56) & 0xff; \ - ((u_char *)(p))[1] = (((u_int64_t)(v)) >> 48) & 0xff; \ - ((u_char *)(p))[2] = (((u_int64_t)(v)) >> 40) & 0xff; \ - ((u_char *)(p))[3] = (((u_int64_t)(v)) >> 32) & 0xff; \ - ((u_char *)(p))[4] = (((u_int64_t)(v)) >> 24) & 0xff; \ - ((u_char *)(p))[5] = (((u_int64_t)(v)) >> 16) & 0xff; \ - ((u_char *)(p))[6] = (((u_int64_t)(v)) >> 8) & 0xff; \ - ((u_char *)(p))[7] = ((u_int64_t)(v)) & 0xff; \ + const u_int64_t __v = (v); \ + ((u_char *)(p))[0] = (__v >> 56) & 0xff; \ + ((u_char *)(p))[1] = (__v >> 48) & 0xff; \ + ((u_char *)(p))[2] = (__v >> 40) & 0xff; \ + ((u_char *)(p))[3] = (__v >> 32) & 0xff; \ + ((u_char *)(p))[4] = (__v >> 24) & 0xff; \ + ((u_char *)(p))[5] = (__v >> 16) & 0xff; \ + ((u_char *)(p))[6] = (__v >> 8) & 0xff; \ + ((u_char *)(p))[7] = __v & 0xff; \ } while (0) #define POKE_U32(p, v) \ do { \ - ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 24) & 0xff; \ - ((u_char *)(p))[1] = (((u_int64_t)(v)) >> 16) & 0xff; \ - ((u_char *)(p))[2] = (((u_int64_t)(v)) >> 8) & 0xff; \ - ((u_char *)(p))[3] = ((u_int64_t)(v)) & 0xff; \ + const u_int32_t __v = (v); \ + ((u_char *)(p))[0] = (__v >> 24) & 0xff; \ + ((u_char *)(p))[1] = (__v >> 16) & 0xff; \ + ((u_char *)(p))[2] = (__v >> 8) & 0xff; \ + ((u_char *)(p))[3] = __v & 0xff; \ } while (0) #define POKE_U16(p, v) \ do { \ - ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 8) & 0xff; \ - ((u_char *)(p))[1] = ((u_int64_t)(v)) & 0xff; \ + const u_int16_t __v = (v); \ + ((u_char *)(p))[0] = (__v >> 8) & 0xff; \ + ((u_char *)(p))[1] = __v & 0xff; \ } while (0) /* Internal definitions follow. Exposed for regress tests */ diff --git a/sshconnect.c b/sshconnect.c index 17fbe39..356ec79 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.271 2016/01/14 22:56:56 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -59,12 +59,12 @@ #include "readconf.h" #include "atomicio.h" #include "dns.h" -#include "roaming.h" #include "monitor_fdpass.h" #include "ssh2.h" #include "version.h" #include "authfile.h" #include "ssherr.h" +#include "authfd.h" char *client_version_string = NULL; char *server_version_string = NULL; @@ -167,6 +167,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port, if ((sock = mm_receive_fd(sp[1])) == -1) fatal("proxy dialer did not pass back a connection"); + close(sp[1]); while (waitpid(pid, NULL, 0) == -1) if (errno != EINTR) @@ -432,7 +433,9 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo *ai; - debug2("ssh_connect: needpriv %d", needpriv); + debug2("%s: needpriv %d", __func__, needpriv); + memset(ntop, 0, sizeof(ntop)); + memset(strport, 0, sizeof(strport)); for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { @@ -451,7 +454,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - error("ssh_connect: getnameinfo failed"); + error("%s: getnameinfo failed", __func__); continue; } debug("Connecting to %.200s [%.100s] port %s.", @@ -529,7 +532,7 @@ send_client_banner(int connection_out, int minor1) xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", PROTOCOL_MAJOR_1, minor1, SSH_VERSION); } - if (roaming_atomicio(vwrite, connection_out, client_version_string, + if (atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) fatal("write: %.100s", strerror(errno)); chop(client_version_string); @@ -589,7 +592,7 @@ ssh_exchange_identification(int timeout_ms) } } - len = roaming_atomicio(read, connection_in, &buf[i], 1); + len = atomicio(read, connection_in, &buf[i], 1); if (len != 1 && errno == EPIPE) fatal("ssh_exchange_identification: " @@ -925,7 +928,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, options.fingerprint_hash, SSH_FP_RANDOMART); if (fp == NULL || ra == NULL) fatal("%s: sshkey_fingerprint fail", __func__); - logit("Host key fingerprint is %s\n%s\n", fp, ra); + logit("Host key fingerprint is %s\n%s", fp, ra); free(ra); free(fp); } @@ -1236,8 +1239,9 @@ fail: int verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { + u_int i; int r = -1, flags = 0; - char *fp = NULL; + char valid[64], *fp = NULL, *cafp = NULL; struct sshkey *plain = NULL; if ((fp = sshkey_fingerprint(host_key, @@ -1247,8 +1251,31 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) goto out; } - debug("Server host key: %s %s", - compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); + if (sshkey_is_cert(host_key)) { + if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, + options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { + error("%s: fingerprint CA key: %s", + __func__, ssh_err(r)); + r = -1; + goto out; + } + sshkey_format_cert_validity(host_key->cert, + valid, sizeof(valid)); + debug("Server host certificate: %s %s, serial %llu " + "ID \"%s\" CA %s %s valid %s", + sshkey_ssh_name(host_key), fp, + (unsigned long long)host_key->cert->serial, + host_key->cert->key_id, + sshkey_ssh_name(host_key->cert->signature_key), cafp, + valid); + for (i = 0; i < host_key->cert->nprincipals; i++) { + debug2("Server host certificate hostname: %s", + host_key->cert->principals[i]); + } + } else { + debug("Server host key: %s %s", compat20 ? + sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); + } if (sshkey_equal(previous_host_key, host_key)) { debug2("%s: server host key %s %s matches cached key", @@ -1313,6 +1340,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) out: sshkey_free(plain); free(fp); + free(cafp); if (r == 0 && host_key != NULL) { key_free(previous_host_key); previous_host_key = key_from_private(host_key); @@ -1487,3 +1515,30 @@ ssh_local_cmd(const char *args) return (WEXITSTATUS(status)); } + +void +maybe_add_key_to_agent(char *authfile, Key *private, char *comment, + char *passphrase) +{ + int auth_sock = -1, r; + + if (options.add_keys_to_agent == 0) + return; + + if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { + debug3("no authentication agent, not adding key"); + return; + } + + if (options.add_keys_to_agent == 2 && + !ask_permission("Add key %s (%s) to agent?", authfile, comment)) { + debug3("user denied adding this key"); + return; + } + + if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0, + (options.add_keys_to_agent == 3))) == 0) + debug("identity added to agent: %s", authfile); + else + debug("could not add identity to agent: %s (%d)", authfile, r); +} diff --git a/sshconnect.h b/sshconnect.h index 0ea6e99..cf1851a 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.28 2013/10/16 02:31:47 djm Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.29 2015/11/15 22:26:49 jcs Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -55,6 +55,8 @@ void ssh_userauth2(const char *, const char *, char *, Sensitive *); void ssh_put_password(char *); int ssh_local_cmd(const char *); +void maybe_add_key_to_agent(char *, Key *, char *, char *); + /* * Macros to raise/lower permissions. */ diff --git a/sshconnect1.c b/sshconnect1.c index 016abbc..bfc523b 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.77 2015/01/14 20:05:27 djm Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.78 2015/11/15 22:26:49 jcs Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -221,7 +221,7 @@ try_rsa_authentication(int idx) { BIGNUM *challenge; Key *public, *private; - char buf[300], *passphrase, *comment, *authfile; + char buf[300], *passphrase = NULL, *comment, *authfile; int i, perm_ok = 1, type, quit; public = options.identity_keys[idx]; @@ -283,13 +283,20 @@ try_rsa_authentication(int idx) debug2("no passphrase given, try next key"); quit = 1; } - explicit_bzero(passphrase, strlen(passphrase)); - free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); } } + + if (private != NULL) + maybe_add_key_to_agent(authfile, private, comment, passphrase); + + if (passphrase != NULL) { + explicit_bzero(passphrase, strlen(passphrase)); + free(passphrase); + } + /* We no longer need the comment. */ free(comment); diff --git a/sshconnect2.c b/sshconnect2.c index 7751031..f79c96b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -157,14 +157,16 @@ void ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) { char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *s; struct kex *kex; int r; xxx_host = host; xxx_hostaddr = hostaddr; - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - options.kex_algorithms); + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal("%s: kex_names_cat", __func__); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(options.ciphers); myproposal[PROPOSAL_ENC_ALGS_STOC] = @@ -217,10 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); - if (options.use_roaming && !kex->roaming) { - debug("Roaming not allowed by server"); - options.use_roaming = 0; - } + /* remove ext-info from the KEX proposals for rekeying */ + myproposal[PROPOSAL_KEX_ALGS] = + compat_kex_proposal(options.kex_algorithms); + if ((r = kex_prop2buf(kex->my, myproposal)) != 0) + fatal("kex_prop2buf: %s", ssh_err(r)); session_id2 = kex->session_id; session_id2_len = kex->session_id_len; @@ -284,6 +287,8 @@ struct cauthmethod { int *batch_flag; /* flag in option struct that disables method */ }; +int input_userauth_service_accept(int, u_int32_t, void *); +int input_userauth_ext_info(int, u_int32_t, void *); int input_userauth_success(int, u_int32_t, void *); int input_userauth_success_unexpected(int, u_int32_t, void *); int input_userauth_failure(int, u_int32_t, void *); @@ -313,7 +318,7 @@ void userauth(Authctxt *, char *); static int sign_and_send_pubkey(Authctxt *, Identity *); static void pubkey_prepare(Authctxt *); static void pubkey_cleanup(Authctxt *); -static Key *load_identity_file(char *, int); +static Key *load_identity_file(Identity *); static Authmethod *authmethod_get(char *authlist); static Authmethod *authmethod_lookup(const char *name); @@ -359,30 +364,12 @@ void ssh_userauth2(const char *local_user, const char *server_user, char *host, Sensitive *sensitive) { + struct ssh *ssh = active_state; Authctxt authctxt; - int type; + int r; if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - - packet_start(SSH2_MSG_SERVICE_REQUEST); - packet_put_cstring("ssh-userauth"); - packet_send(); - debug("SSH2_MSG_SERVICE_REQUEST sent"); - packet_write_wait(); - type = packet_read(); - if (type != SSH2_MSG_SERVICE_ACCEPT) - fatal("Server denied authentication request: %d", type); - if (packet_remaining() > 0) { - char *reply = packet_get_string(NULL); - debug2("service_accept: %s", reply); - free(reply); - } else { - debug2("buggy server: service_accept w/o service"); - } - packet_check_eom(); - debug("SSH2_MSG_SERVICE_ACCEPT received"); - if (options.preferred_authentications == NULL) options.preferred_authentications = authmethods_get(); @@ -404,21 +391,63 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, if (authctxt.method == NULL) fatal("ssh_userauth2: internal error: cannot send userauth none request"); - /* initial userauth request */ - userauth_none(&authctxt); + if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_REQUEST)) != 0 || + (r = sshpkt_put_cstring(ssh, "ssh-userauth")) != 0 || + (r = sshpkt_send(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); - dispatch_init(&input_userauth_error); - dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success); - dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure); - dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner); - dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */ + ssh_dispatch_init(ssh, &input_userauth_error); + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info); + ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); + ssh_dispatch_run(ssh, DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */ pubkey_cleanup(&authctxt); - dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); + ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); debug("Authentication succeeded (%s).", authctxt.method->name); } +/* ARGSUSED */ +int +input_userauth_service_accept(int type, u_int32_t seqnr, void *ctxt) +{ + Authctxt *authctxt = ctxt; + struct ssh *ssh = active_state; + int r; + + if (ssh_packet_remaining(ssh) > 0) { + char *reply; + + if ((r = sshpkt_get_cstring(ssh, &reply, NULL)) != 0) + goto out; + debug2("service_accept: %s", reply); + free(reply); + } else { + debug2("buggy server: service_accept w/o service"); + } + if ((r = sshpkt_get_end(ssh)) != 0) + goto out; + debug("SSH2_MSG_SERVICE_ACCEPT received"); + + /* initial userauth request */ + userauth_none(authctxt); + + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_error); + ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success); + ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure); + ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner); + r = 0; + out: + return r; +} + +/* ARGSUSED */ +int +input_userauth_ext_info(int type, u_int32_t seqnr, void *ctxt) +{ + return kex_input_ext_info(type, seqnr, active_state); +} + void userauth(Authctxt *authctxt, char *authlist) { @@ -970,29 +999,48 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) return 0; } +static const char * +identity_sign_encode(struct identity *id) +{ + struct ssh *ssh = active_state; + + if (id->key->type == KEY_RSA) { + switch (ssh->kex->rsa_sha2) { + case 256: + return "rsa-sha2-256"; + case 512: + return "rsa-sha2-512"; + } + } + return key_ssh_name(id->key); +} + static int identity_sign(struct identity *id, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, u_int compat) { Key *prv; int ret; + const char *alg; + + alg = identity_sign_encode(id); /* the agent supports this key */ - if (id->agent_fd) + if (id->agent_fd != -1) return ssh_agent_sign(id->agent_fd, id->key, sigp, lenp, - data, datalen, compat); + data, datalen, alg, compat); /* * we have already loaded the private key or * the private key is stored in external hardware */ if (id->isprivate || (id->key->flags & SSHKEY_FLAG_EXT)) - return (sshkey_sign(id->key, sigp, lenp, data, datalen, + return (sshkey_sign(id->key, sigp, lenp, data, datalen, alg, compat)); /* load the private key from the file */ - if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL) - return (-1); /* XXX return decent error code */ - ret = sshkey_sign(prv, sigp, lenp, data, datalen, compat); + if ((prv = load_identity_file(id)) == NULL) + return SSH_ERR_KEY_NOT_FOUND; + ret = sshkey_sign(prv, sigp, lenp, data, datalen, alg, compat); sshkey_free(prv); return (ret); } @@ -1001,18 +1049,17 @@ static int sign_and_send_pubkey(Authctxt *authctxt, Identity *id) { Buffer b; + Identity *private_id; u_char *blob, *signature; - u_int bloblen; size_t slen; - u_int skip = 0; - int ret = -1; - int have_sig = 1; + u_int bloblen, skip = 0; + int matched, ret = -1, have_sig = 1; char *fp; if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) return 0; - debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); + debug3("%s: %s %s", __func__, key_type(id->key), fp); free(fp); if (key_to_blob(id->key, &blob, &bloblen) == 0) { @@ -1040,14 +1087,46 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) } else { buffer_put_cstring(&b, authctxt->method->name); buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, key_ssh_name(id->key)); + buffer_put_cstring(&b, identity_sign_encode(id)); } buffer_put_string(&b, blob, bloblen); + /* + * If the key is an certificate, try to find a matching private key + * and use it to complete the signature. + * If no such private key exists, return failure and continue with + * other methods of authentication. + */ + if (key_is_cert(id->key)) { + matched = 0; + TAILQ_FOREACH(private_id, &authctxt->keys, next) { + if (sshkey_equal_public(id->key, private_id->key) && + id->key->type != private_id->key->type) { + id = private_id; + matched = 1; + break; + } + } + if (matched) { + debug2("%s: using private key \"%s\"%s for " + "certificate", __func__, id->filename, + id->agent_fd != -1 ? " from agent" : ""); + } else { + /* XXX maybe verbose/error? */ + debug("%s: no private key for certificate " + "\"%s\"", __func__, id->filename); + free(blob); + buffer_free(&b); + return 0; + } + } + /* generate signature */ ret = identity_sign(id, &signature, &slen, buffer_ptr(&b), buffer_len(&b), datafellows); if (ret != 0) { + if (ret != SSH_ERR_KEY_NOT_FOUND) + error("%s: signing failed: %s", __func__, ssh_err(ret)); free(blob); buffer_free(&b); return 0; @@ -1110,7 +1189,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) packet_put_cstring(authctxt->method->name); packet_put_char(have_sig); if (!(datafellows & SSH_BUG_PKAUTH)) - packet_put_cstring(key_ssh_name(id->key)); + packet_put_cstring(identity_sign_encode(id)); packet_put_string(blob, bloblen); free(blob); packet_send(); @@ -1118,20 +1197,20 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) } static Key * -load_identity_file(char *filename, int userprovided) +load_identity_file(Identity *id) { - Key *private; - char prompt[300], *passphrase; + Key *private = NULL; + char prompt[300], *passphrase, *comment; int r, perm_ok = 0, quit = 0, i; struct stat st; - if (stat(filename, &st) < 0) { - (userprovided ? logit : debug3)("no such identity: %s: %s", - filename, strerror(errno)); + if (stat(id->filename, &st) < 0) { + (id->userprovided ? logit : debug3)("no such identity: %s: %s", + id->filename, strerror(errno)); return NULL; } snprintf(prompt, sizeof prompt, - "Enter passphrase for key '%.100s': ", filename); + "Enter passphrase for key '%.100s': ", id->filename); for (i = 0; i <= options.number_of_password_prompts; i++) { if (i == 0) passphrase = ""; @@ -1143,8 +1222,8 @@ load_identity_file(char *filename, int userprovided) break; } } - switch ((r = sshkey_load_private_type(KEY_UNSPEC, filename, - passphrase, &private, NULL, &perm_ok))) { + switch ((r = sshkey_load_private_type(KEY_UNSPEC, id->filename, + passphrase, &private, &comment, &perm_ok))) { case 0: break; case SSH_ERR_KEY_WRONG_PASSPHRASE: @@ -1158,20 +1237,25 @@ load_identity_file(char *filename, int userprovided) case SSH_ERR_SYSTEM_ERROR: if (errno == ENOENT) { debug2("Load key \"%s\": %s", - filename, ssh_err(r)); + id->filename, ssh_err(r)); quit = 1; break; } /* FALLTHROUGH */ default: - error("Load key \"%s\": %s", filename, ssh_err(r)); + error("Load key \"%s\": %s", id->filename, ssh_err(r)); quit = 1; break; } + if (!quit && private != NULL && id->agent_fd == -1 && + !(id->key && id->isprivate)) + maybe_add_key_to_agent(id->filename, private, comment, + passphrase); if (i > 0) { explicit_bzero(passphrase, strlen(passphrase)); free(passphrase); } + free(comment); if (private != NULL || quit) break; } @@ -1180,9 +1264,11 @@ load_identity_file(char *filename, int userprovided) /* * try keys in the following order: - * 1. agent keys that are found in the config file - * 2. other agent keys - * 3. keys that are only listed in the config file + * 1. certificates listed in the config file + * 2. other input certificates + * 3. agent keys that are found in the config file + * 4. other agent keys + * 5. keys that are only listed in the config file */ static void pubkey_prepare(Authctxt *authctxt) @@ -1190,7 +1276,7 @@ pubkey_prepare(Authctxt *authctxt) struct identity *id, *id2, *tmp; struct idlist agent, files, *preferred; struct sshkey *key; - int agent_fd, i, r, found; + int agent_fd = -1, i, r, found; size_t j; struct ssh_identitylist *idlist; @@ -1208,6 +1294,7 @@ pubkey_prepare(Authctxt *authctxt) continue; options.identity_keys[i] = NULL; id = xcalloc(1, sizeof(*id)); + id->agent_fd = -1; id->key = key; id->filename = xstrdup(options.identity_files[i]); id->userprovided = options.identity_file_userprovided[i]; @@ -1236,6 +1323,19 @@ pubkey_prepare(Authctxt *authctxt) free(id); } } + /* list of certificates specified by user */ + for (i = 0; i < options.num_certificate_files; i++) { + key = options.certificates[i]; + if (!key_is_cert(key) || key->cert == NULL || + key->cert->type != SSH2_CERT_TYPE_USER) + continue; + id = xcalloc(1, sizeof(*id)); + id->agent_fd = -1; + id->key = key; + id->filename = xstrdup(options.certificate_files[i]); + id->userprovided = options.certificate_file_userprovided[i]; + TAILQ_INSERT_TAIL(preferred, id, next); + } /* list of keys supported by the agent */ if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { if (r != SSH_ERR_AGENT_NOT_PRESENT) @@ -1245,6 +1345,7 @@ pubkey_prepare(Authctxt *authctxt) if (r != SSH_ERR_AGENT_NO_IDENTITIES) debug("%s: ssh_fetch_identitylist: %s", __func__, ssh_err(r)); + close(agent_fd); } else { for (j = 0; j < idlist->nkeys; j++) { found = 0; @@ -1285,9 +1386,23 @@ pubkey_prepare(Authctxt *authctxt) TAILQ_REMOVE(&files, id, next); TAILQ_INSERT_TAIL(preferred, id, next); } - TAILQ_FOREACH(id, preferred, next) { - debug2("key: %s (%p),%s", id->filename, id->key, - id->userprovided ? " explicit" : ""); + /* finally, filter by PubkeyAcceptedKeyTypes */ + TAILQ_FOREACH_SAFE(id, preferred, next, id2) { + if (id->key != NULL && + match_pattern_list(sshkey_ssh_name(id->key), + options.pubkey_key_types, 0) != 1) { + debug("Skipping %s key %s - " + "not in PubkeyAcceptedKeyTypes", + sshkey_ssh_name(id->key), id->filename); + TAILQ_REMOVE(preferred, id, next); + sshkey_free(id->key); + free(id->filename); + memset(id, 0, sizeof(*id)); + continue; + } + debug2("key: %s (%p)%s%s", id->filename, id->key, + id->userprovided ? ", explicit" : "", + id->agent_fd != -1 ? ", agent" : ""); } } @@ -1301,8 +1416,7 @@ pubkey_cleanup(Authctxt *authctxt) for (id = TAILQ_FIRST(&authctxt->keys); id; id = TAILQ_FIRST(&authctxt->keys)) { TAILQ_REMOVE(&authctxt->keys, id, next); - if (id->key) - sshkey_free(id->key); + sshkey_free(id->key); free(id->filename); free(id); } @@ -1313,12 +1427,6 @@ try_identity(Identity *id) { if (!id->key) return (0); - if (match_pattern_list(sshkey_ssh_name(id->key), - options.pubkey_key_types, 0) != 1) { - debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes", - sshkey_ssh_name(id->key), id->filename); - return (0); - } if (key_type_plain(id->key->type) == KEY_RSA && (datafellows & SSH_BUG_RSASIGMD5) != 0) { debug("Skipped %s key %s for RSA/MD5 server", @@ -1353,8 +1461,7 @@ userauth_pubkey(Authctxt *authctxt) } } else { debug("Trying private key: %s", id->filename); - id->key = load_identity_file(id->filename, - id->userprovided); + id->key = load_identity_file(id); if (id->key != NULL) { if (try_identity(id)) { id->isprivate = 1; @@ -1513,7 +1620,7 @@ ssh_keysign(struct sshkey *key, u_char **sigp, size_t *lenp, closefrom(sock + 1); debug3("%s: [child] pid=%ld, exec %s", __func__, (long)getpid(), _PATH_SSH_KEY_SIGN); - execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0); + execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL); fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN, strerror(errno)); } @@ -1685,7 +1792,7 @@ userauth_hostbased(Authctxt *authctxt) r = ssh_keysign(private, &sig, &siglen, sshbuf_ptr(b), sshbuf_len(b)); else if ((r = sshkey_sign(private, &sig, &siglen, - sshbuf_ptr(b), sshbuf_len(b), datafellows)) != 0) + sshbuf_ptr(b), sshbuf_len(b), NULL, datafellows)) != 0) debug("%s: sshkey_sign: %s", __func__, ssh_err(r)); if (r != 0) { error("sign using hostkey %s %s failed", diff --git a/sshd.0 b/sshd.0 index 7980225..7eb0531 100644 --- a/sshd.0 +++ b/sshd.0 @@ -146,11 +146,11 @@ DESCRIPTION AUTHENTICATION The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to use protocol 2 only, though this can be changed via the Protocol option - in sshd_config(5). Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; - protocol 1 only supports RSA keys. For both protocols, each host has a - host-specific key, normally 2048 bits, used to identify the host. + in sshd_config(5). Protocol 1 should not be used and is only offered to + support legacy devices. - Forward security for protocol 1 is provided through an additional server + Each host has a host-specific key, used to identify the host. Partial + forward security for protocol 1 is provided through an additional server key, normally 1024 bits, generated when the server starts. This key is normally regenerated every hour if it has been used, and is never stored on disk. Whenever a client connects, the daemon responds with its public @@ -268,7 +268,7 @@ SSHRC AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the files containing public keys for public - key authentication; if none is specified, the default is + key authentication; if this option is not specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Protocol 1 public keys consist of the following @@ -298,6 +298,10 @@ AUTHORIZED_KEYS FILE FORMAT The following option specifications are supported (note that option keywords are case-insensitive): + agent-forwarding + Enable authentication agent forwarding previously disabled by the + restrict option. + cert-authority Specifies that the listed key is a certification authority (CA) that is trusted to validate signed certificates for user @@ -378,6 +382,9 @@ AUTHORIZED_KEYS FILE FORMAT must be literal domains or addresses. A port specification of * matches any port. + port-forwarding + Enable port forwarding previously disabled by the restrict + principals="principals" On a cert-authority line, specifies allowed principals for certificate authentication as a comma-separated list. At least @@ -386,11 +393,28 @@ AUTHORIZED_KEYS FILE FORMAT ignored for keys that are not marked as trusted certificate signers using the cert-authority option. + pty Permits tty allocation previously disabled by the restrict + option. + + restrict + Enable all restrictions, i.e. disable port, agent and X11 + forwarding, as well as disabling PTY allocation and execution of + ~/.ssh/rc. If any future restriction capabilities are added to + authorized_keys files they will be included in this set. + tunnel="n" Force a tun(4) device on the server. Without this option, the next available device will be used if the client requests a tunnel. + user-rc + Enables execution of ~/.ssh/rc previously disabled by the + restrict option. + + X11-forwarding + Permits X11 forwarding previously disabled by the restrict + option. + An example authorized_keys file: # Comments allowed at start of line @@ -403,6 +427,10 @@ AUTHORIZED_KEYS FILE FORMAT AAAAB5...21S== tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net + restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== + user@example.net + restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== + user@example.net SSH_KNOWN_HOSTS FILE FORMAT The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host @@ -552,7 +580,9 @@ FILES /etc/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group - Exchange". The file format is described in moduli(5). + Exchange" key exchange method. The file format is described in + moduli(5). If no usable groups are found in this file then fixed + internal groups will be used. /etc/motd See motd(5). @@ -632,4 +662,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 +OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 diff --git a/sshd.8 b/sshd.8 index 213b5fc..6c521f2 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $ -.Dd $Mdocdate: July 3 2015 $ +.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $ +.Dd $Mdocdate: February 17 2016 $ .Dt SSHD 8 .Os .Sh NAME @@ -275,14 +275,12 @@ though this can be changed via the .Cm Protocol option in .Xr sshd_config 5 . -Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; -protocol 1 only supports RSA keys. -For both protocols, -each host has a host-specific key, -normally 2048 bits, -used to identify the host. +Protocol 1 should not be used +and is only offered to support legacy devices. .Pp -Forward security for protocol 1 is provided through +Each host has a host-specific key, +used to identify the host. +Partial forward security for protocol 1 is provided through an additional server key, normally 1024 bits, generated when the server starts. @@ -470,7 +468,7 @@ does not exist either, xauth is used to add the cookie. .Cm AuthorizedKeysFile specifies the files containing public keys for public key authentication; -if none is specified, the default is +if this option is not specified, the default is .Pa ~/.ssh/authorized_keys and .Pa ~/.ssh/authorized_keys2 . @@ -522,6 +520,10 @@ No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive): .Bl -tag -width Ds +.It Cm agent-forwarding +Enable authentication agent forwarding previously disabled by the +.Cm restrict +option. .It Cm cert-authority Specifies that the listed key is a certification authority (CA) that is trusted to validate signed certificates for user authentication. @@ -616,6 +618,9 @@ they must be literal domains or addresses. A port specification of .Cm * matches any port. +.It Cm port-forwarding +Enable port forwarding previously disabled by the +.Cm restrict .It Cm principals="principals" On a .Cm cert-authority @@ -627,12 +632,33 @@ This option is ignored for keys that are not marked as trusted certificate signers using the .Cm cert-authority option. +.It Cm pty +Permits tty allocation previously disabled by the +.Cm restrict +option. +.It Cm restrict +Enable all restrictions, i.e. disable port, agent and X11 forwarding, +as well as disabling PTY allocation +and execution of +.Pa ~/.ssh/rc . +If any future restriction capabilities are added to authorized_keys files +they will be included in this set. .It Cm tunnel="n" Force a .Xr tun 4 device on the server. Without this option, the next available device will be used if the client requests a tunnel. +.It Cm user-rc +Enables execution of +.Pa ~/.ssh/rc +previously disabled by the +.Cm restrict +option. +.It Cm X11-forwarding +Permits X11 forwarding previously disabled by the +.Cm restrict +option. .El .Pp An example authorized_keys file: @@ -647,6 +673,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S== tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net +restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== +user@example.net +restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== +user@example.net .Ed .Sh SSH_KNOWN_HOSTS FILE FORMAT The @@ -856,9 +886,12 @@ This file is for host-based authentication (see It should only be writable by root. .Pp .It Pa /etc/moduli -Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". +Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" +key exchange method. The file format is described in .Xr moduli 5 . +If no usable groups are found in this file then fixed internal groups will +be used. .Pp .It Pa /etc/motd See diff --git a/sshd.c b/sshd.c index 43d4650..430569c 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: sshd.c,v 1.465 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -121,7 +121,6 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" -#include "roaming.h" #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" @@ -437,7 +436,7 @@ sshd_exchange_identification(int sock_in, int sock_out) options.version_addendum, newline); /* Send our protocol version identification. */ - if (roaming_atomicio(vwrite, sock_out, server_version_string, + if (atomicio(vwrite, sock_out, server_version_string, strlen(server_version_string)) != strlen(server_version_string)) { logit("Could not write ident string to %s", get_remote_ipaddr()); @@ -447,7 +446,7 @@ sshd_exchange_identification(int sock_in, int sock_out) /* Read other sides version identification. */ memset(buf, 0, sizeof(buf)); for (i = 0; i < sizeof(buf) - 1; i++) { - if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) { + if (atomicio(read, sock_in, &buf[i], 1) != 1) { logit("Did not receive identification string from %s", get_remote_ipaddr()); cleanup_exit(255); @@ -632,25 +631,23 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); - /* Change our root directory */ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, - strerror(errno)); - if (chdir("/") == -1) - fatal("chdir(\"/\"): %s", strerror(errno)); - - /* Drop our privileges */ - debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, - (u_int)privsep_pw->pw_gid); -#if 0 - /* XXX not ready, too heavy after chroot */ - do_setusercontext(privsep_pw); -#else - gidset[0] = privsep_pw->pw_gid; - if (setgroups(1, gidset) < 0) - fatal("setgroups: %.100s", strerror(errno)); - permanently_set_uid(privsep_pw); -#endif + /* Demote the child */ + if (getuid() == 0 || geteuid() == 0) { + /* Change our root directory */ + if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) + fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, + strerror(errno)); + if (chdir("/") == -1) + fatal("chdir(\"/\"): %s", strerror(errno)); + + /* Drop our privileges */ + debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, + (u_int)privsep_pw->pw_gid); + gidset[0] = privsep_pw->pw_gid; + if (setgroups(1, gidset) < 0) + fatal("setgroups: %.100s", strerror(errno)); + permanently_set_uid(privsep_pw); + } } static int @@ -716,9 +713,7 @@ privsep_preauth(Authctxt *authctxt) /* Arrange for logging to be sent to the monitor */ set_log_handler(mm_log_handler, pmonitor); - /* Demote the child */ - if (getuid() == 0 || geteuid() == 0) - privsep_preauth_child(); + privsep_preauth_child(); setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); @@ -820,6 +815,12 @@ list_hostkey_types(void) buffer_append(&b, ",", 1); p = key_ssh_name(key); buffer_append(&b, p, strlen(p)); + + /* for RSA we also support SHA2 signatures */ + if (key->type == KEY_RSA) { + p = ",rsa-sha2-512,rsa-sha2-256"; + buffer_append(&b, p, strlen(p)); + } break; } /* If the private key has a cert peer, then list that too */ @@ -1255,8 +1256,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) for (;;) { if (received_sighup) sighup_restart(); - if (fdset != NULL) - free(fdset); + free(fdset); fdset = xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); @@ -1476,6 +1476,8 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = get_connection_info(0, 0); + ssh_malloc_init(); /* must be called before any mallocs */ + #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); #endif @@ -1536,7 +1538,7 @@ main(int ac, char **av) no_daemon_flag = 1; break; case 'E': - logfile = xstrdup(optarg); + logfile = optarg; /* FALLTHROUGH */ case 'e': log_stderr = 1; @@ -1638,10 +1640,8 @@ main(int ac, char **av) #endif /* If requested, redirect the logs to the specified logfile. */ - if (logfile != NULL) { + if (logfile != NULL) log_redirect_stderr_to(logfile); - free(logfile); - } /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) @@ -2513,24 +2513,26 @@ do_ssh1_kex(void) int sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, - const u_char *data, size_t dlen, u_int flag) + const u_char *data, size_t dlen, const char *alg, u_int flag) { int r; u_int xxx_slen, xxx_dlen = dlen; if (privkey) { - if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen) < 0)) + if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen, + alg) < 0)) fatal("%s: key_sign failed", __func__); if (slen) *slen = xxx_slen; } else if (use_privsep) { - if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen) < 0) + if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen, + alg) < 0) fatal("%s: pubkey_sign failed", __func__); if (slen) *slen = xxx_slen; } else { if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slen, - data, dlen, datafellows)) != 0) + data, dlen, alg, datafellows)) != 0) fatal("%s: ssh_agent_sign failed: %s", __func__, ssh_err(r)); } @@ -2563,7 +2565,7 @@ do_ssh2_kex(void) } if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, + packet_set_rekey_limits(options.rekey_limit, (time_t)options.rekey_interval); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( diff --git a/sshd_config b/sshd_config index 4d77f05..a848d73 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -107,7 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. +#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 diff --git a/sshd_config.0 b/sshd_config.0 index aae7fb6..8bda6a3 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -19,17 +19,16 @@ DESCRIPTION AcceptEnv Specifies what environment variables sent by the client will be copied into the session's environ(7). See SendEnv in - ssh_config(5) for how to configure the client. Note that - environment passing is only supported for protocol 2, and that - the TERM environment variable is always sent whenever the client - requests a pseudo-terminal as it is required by the protocol. - Variables are specified by name, which may contain the wildcard - characters M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be - separated by whitespace or spread across multiple AcceptEnv - directives. Be warned that some environment variables could be - used to bypass restricted user environments. For this reason, - care should be taken in the use of this directive. The default - is not to accept any environment variables. + ssh_config(5) for how to configure the client. The TERM + environment variable is always sent whenever the client requests + a pseudo-terminal as it is required by the protocol. Variables + are specified by name, which may contain the wildcard characters + M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y. Multiple environment variables may be separated by + whitespace or spread across multiple AcceptEnv directives. Be + warned that some environment variables could be used to bypass + restricted user environments. For this reason, care should be + taken in the use of this directive. The default is not to accept + any environment variables. AddressFamily Specifies which address family should be used by sshd(8). Valid @@ -115,12 +114,11 @@ DESCRIPTION AuthenticationMethods of M-bM-^@M-^\publickey,publickeyM-bM-^@M-^] will require successful authentication using two different public keys. - This option is only available for SSH protocol 2 and will yield a - fatal error if enabled if protocol 1 is also enabled. Note that - each authentication method listed should also be explicitly - enabled in the configuration. The default is not to require - multiple authentication; successful completion of a single - authentication method is sufficient. + This option will yield a fatal error if enabled if protocol 1 is + also enabled. Note that each authentication method listed should + also be explicitly enabled in the configuration. The default is + not to require multiple authentication; successful completion of + a single authentication method is sufficient. AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. @@ -162,8 +160,9 @@ DESCRIPTION replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be - listed, separated by whitespace. The default is - M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. + listed, separated by whitespace. Alternately this option may be + set to M-bM-^@M-^\noneM-bM-^@M-^] to skip checking for user keys in files. The + default is M-bM-^@M-^\.ssh/authorized_keys .ssh/authorized_keys2M-bM-^@M-^]. AuthorizedPrincipalsCommand Specifies a program to be used to generate the list of allowed @@ -220,8 +219,7 @@ DESCRIPTION Banner The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is M-bM-^@M-^\noneM-bM-^@M-^] then - no banner is displayed. This option is only available for - protocol version 2. By default, no banner is displayed. + no banner is displayed. By default, no banner is displayed. ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed @@ -258,13 +256,13 @@ DESCRIPTION (especially those outside the jail). Misconfiguration can lead to unsafe environments which sshd(8) cannot detect. - The default is not to chroot(2). + The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2). Ciphers - Specifies the ciphers allowed for protocol version 2. Multiple - ciphers must be comma-separated. If the specified value begins - with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be appended - to the default set instead of replacing them. + Specifies the ciphers allowed. Multiple ciphers must be comma- + separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified ciphers will be appended to the default set + instead of replacing them. The supported ciphers are: @@ -309,15 +307,14 @@ DESCRIPTION The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately - 45 seconds. This option applies to protocol version 2 only. + 45 seconds. ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will - not be sent to the client. This option applies to protocol - version 2 only. + not be sent to the client. Compression Specifies whether compression is allowed, or delayed until the @@ -362,7 +359,7 @@ DESCRIPTION SSH_ORIGINAL_COMMAND environment variable. Specifying a command of M-bM-^@M-^\internal-sftpM-bM-^@M-^] will force the use of an in-process sftp server that requires no support files when used with - ChrootDirectory. + ChrootDirectory. The default is M-bM-^@M-^\noneM-bM-^@M-^]. GatewayPorts Specifies whether remote hosts are allowed to connect to ports @@ -379,13 +376,11 @@ DESCRIPTION GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. - The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that this option applies to protocol - version 2 only. + The default is M-bM-^@M-^\noM-bM-^@M-^]. GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials - cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option - applies to protocol version 2 only. + cache on logout. The default is M-bM-^@M-^\yesM-bM-^@M-^]. GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI @@ -416,9 +411,7 @@ DESCRIPTION HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is - allowed (host-based authentication). This option is similar to - RhostsRSAAuthentication and applies to protocol version 2 only. - The default is M-bM-^@M-^\noM-bM-^@M-^]. + allowed (host-based authentication). The default is M-bM-^@M-^\noM-bM-^@M-^]. HostbasedUsesNameFromPacketOnly Specifies whether or not the server will attempt to perform a @@ -459,8 +452,8 @@ DESCRIPTION read from the SSH_AUTH_SOCK environment variable. HostKeyAlgorithms - Specifies the protocol version 2 host key algorithms that the - server offers. The default for this option is: + Specifies the host key algorithms that the server offers. The + default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, @@ -585,11 +578,11 @@ DESCRIPTION violates the privacy of users and is not recommended. MACs Specifies the available MAC (message authentication code) - algorithms. The MAC algorithm is used in protocol version 2 for - data integrity protection. Multiple algorithms must be comma- - separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, - then the specified algorithms will be appended to the default set - instead of replacing them. + algorithms. The MAC algorithm is used for data integrity + protection. Multiple algorithms must be comma-separated. If the + specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified + algorithms will be appended to the default set instead of + replacing them. The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after encryption (encrypt-then-mac). These are considered safer and @@ -618,8 +611,9 @@ DESCRIPTION umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + hmac-sha1-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com, - hmac-sha2-256,hmac-sha2-512 + hmac-sha2-256,hmac-sha2-512,hmac-sha1 The list of available MAC algorithms may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. @@ -651,8 +645,9 @@ DESCRIPTION AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, - AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, - ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, + AuthorizedKeysFile, AuthorizedPrincipalsCommand, + AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, + Banner, ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, @@ -670,8 +665,13 @@ DESCRIPTION value, additional failures are logged. The default is 6. MaxSessions - Specifies the maximum number of open sessions permitted per - network connection. The default is 10. + Specifies the maximum number of open shell, login or subsystem + (e.g. sftp) sessions permitted per network connection. Multiple + sessions may be established by clients that support connection + multiplexing. Setting MaxSessions to 1 will effectively disable + session multiplexing, whereas setting it to 0 will prevent all + shell, login and subsystem sessions while still permitting + forwarding. The default is 10. MaxStartups Specifies the maximum number of concurrent unauthenticated @@ -775,10 +775,14 @@ DESCRIPTION Protocol Specifies the protocol versions sshd(8) supports. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple versions must be comma- - separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Note that the order of the - protocol list does not indicate preference, because the client - selects among multiple protocol versions offered by the server. - Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. + separated. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 suffers from a number + of cryptographic weaknesses and should not be used. It is only + offered to support legacy devices. + + Note that the order of the protocol list does not indicate + preference, because the client selects among multiple protocol + versions offered by the server. Specifying M-bM-^@M-^\2,1M-bM-^@M-^] is identical to + M-bM-^@M-^\1,2M-bM-^@M-^]. PubkeyAcceptedKeyTypes Specifies the key types that will be accepted for public key @@ -799,8 +803,7 @@ DESCRIPTION PubkeyAuthentication Specifies whether public key authentication is allowed. The - default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol - version 2 only. + default is M-bM-^@M-^\yesM-bM-^@M-^]. RekeyLimit Specifies the maximum amount of data that may be transmitted @@ -814,8 +817,7 @@ DESCRIPTION documented in the TIME FORMATS section. The default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that rekeying is performed after the cipher's default amount of data has been sent - or received and no time based rekeying is done. This option - applies to protocol version 2 only. + or received and no time based rekeying is done. RevokedKeys Specifies revoked public keys file, or M-bM-^@M-^\noneM-bM-^@M-^] to not use one. @@ -882,8 +884,7 @@ DESCRIPTION M-bM-^@M-^\sftpM-bM-^@M-^] server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients. - By default no subsystems are defined. Note that this option - applies to protocol version 2 only. + By default no subsystems are defined. SyslogFacility Gives the facility code that is used when logging messages from @@ -957,9 +958,10 @@ DESCRIPTION that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The - default is M-bM-^@M-^\yesM-bM-^@M-^]. If UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] - then the pre-authentication unprivileged process is subject to - additional restrictions. + argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If + UsePrivilegeSeparation is set to M-bM-^@M-^\sandboxM-bM-^@M-^] then the pre- + authentication unprivileged process is subject to additional + restrictions. The default is M-bM-^@M-^\sandboxM-bM-^@M-^]. VersionAddendum Optionally specifies additional text to append to the SSH @@ -1049,4 +1051,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 +OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 diff --git a/sshd_config.5 b/sshd_config.5 index b18d340..a37a3ac 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $ -.Dd $Mdocdate: August 14 2015 $ +.\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $ +.Dd $Mdocdate: February 17 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -70,8 +70,7 @@ See in .Xr ssh_config 5 for how to configure the client. -Note that environment passing is only supported for protocol 2, and -that the +The .Ev TERM environment variable is always sent whenever the client requests a pseudo-terminal as it is required by the protocol. @@ -226,7 +225,7 @@ of .Dq publickey,publickey will require successful authentication using two different public keys. .Pp -This option is only available for SSH protocol 2 and will yield a fatal +This option will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. @@ -285,6 +284,9 @@ After expansion, is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. +Alternately this option may be set to +.Dq none +to skip checking for user keys in files. The default is .Dq .ssh/authorized_keys .ssh/authorized_keys2 . .It Cm AuthorizedPrincipalsCommand @@ -370,7 +372,6 @@ authentication is allowed. If the argument is .Dq none then no banner is displayed. -This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via @@ -429,10 +430,12 @@ Misconfiguration can lead to unsafe environments which .Xr sshd 8 cannot detect. .Pp -The default is not to +The default is +.Dq none , +indicating not to .Xr chroot 2 . .It Cm Ciphers -Specifies the ciphers allowed for protocol version 2. +Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a .Sq + @@ -513,7 +516,6 @@ If .Cm ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. -This option applies to protocol version 2 only. .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, @@ -522,7 +524,6 @@ will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. -This option applies to protocol version 2 only. .It Cm Compression Specifies whether compression is allowed, or delayed until the user has authenticated successfully. @@ -596,6 +597,8 @@ Specifying a command of will force the use of an in-process sftp server that requires no support files when used with .Cm ChrootDirectory . +The default is +.Dq none . .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -620,13 +623,11 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . -Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache on logout. The default is .Dq yes . -Note that this option applies to protocol version 2 only. .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. @@ -669,9 +670,6 @@ may be used to list supported key types. Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). -This option is similar to -.Cm RhostsRSAAuthentication -and applies to protocol version 2 only. The default is .Dq no . .It Cm HostbasedUsesNameFromPacketOnly @@ -742,7 +740,7 @@ is specified, the location of the socket will be read from the .Ev SSH_AUTH_SOCK environment variable. .It Cm HostKeyAlgorithms -Specifies the protocol version 2 host key algorithms +Specifies the host key algorithms that the server offers. The default for this option is: .Bd -literal -offset 3n @@ -963,8 +961,7 @@ DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. .It Cm MACs Specifies the available MAC (message authentication code) algorithms. -The MAC algorithm is used in protocol version 2 -for data integrity protection. +The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a .Sq + @@ -1020,8 +1017,9 @@ The default is: .Bd -literal -offset indent umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-sha1-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512 +hmac-sha2-256,hmac-sha2-512,hmac-sha1 .Ed .Pp The list of available MAC algorithms may also be obtained using the @@ -1091,6 +1089,8 @@ Available keywords are .Cm AuthorizedKeysCommand , .Cm AuthorizedKeysCommandUser , .Cm AuthorizedKeysFile , +.Cm AuthorizedPrincipalsCommand , +.Cm AuthorizedPrincipalsCommandUser , .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , @@ -1134,7 +1134,15 @@ Once the number of failures reaches half this value, additional failures are logged. The default is 6. .It Cm MaxSessions -Specifies the maximum number of open sessions permitted per network connection. +Specifies the maximum number of open shell, login or subsystem (e.g. sftp) +sessions permitted per network connection. +Multiple sessions may be established by clients that support connection +multiplexing. +Setting +.Cm MaxSessions +to 1 will effectively disable session multiplexing, whereas setting it to 0 +will prevent all shell, login and subsystem sessions while still permitting +forwarding. The default is 10. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the @@ -1324,6 +1332,10 @@ and Multiple versions must be comma-separated. The default is .Sq 2 . +Protocol 1 suffers from a number of cryptographic weaknesses and should +not be used. +It is only offered to support legacy devices. +.Pp Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. @@ -1358,7 +1370,6 @@ may be used to list supported key types. Specifies whether public key authentication is allowed. The default is .Dq yes . -Note that this option applies to protocol version 2 only. .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of @@ -1384,7 +1395,6 @@ is .Dq default none , which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. -This option applies to protocol version 2 only. .It Cm RevokedKeys Specifies revoked public keys file, or .Dq none @@ -1471,7 +1481,6 @@ This may simplify configurations using to force a different filesystem root on clients. .Pp By default no subsystems are defined. -Note that this option applies to protocol version 2 only. .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . @@ -1584,14 +1593,19 @@ After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. -The default is -.Dq yes . +The argument must be +.Dq yes , +.Dq no , +or +.Dq sandbox . If .Cm UsePrivilegeSeparation is set to .Dq sandbox then the pre-authentication unprivileged process is subject to additional restrictions. +The default is +.Dq sandbox . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. diff --git a/ssherr.c b/ssherr.c index 4ca7939..6802070 100644 --- a/ssherr.c +++ b/ssherr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssherr.c,v 1.4 2015/02/16 22:13:32 djm Exp $ */ +/* $OpenBSD: ssherr.c,v 1.5 2015/09/13 14:39:16 tim Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -104,7 +104,7 @@ ssh_err(int n) case SSH_ERR_NEED_REKEY: return "rekeying not supported by peer"; case SSH_ERR_PASSPHRASE_TOO_SHORT: - return "passphrase is too short (minimum four characters)"; + return "passphrase is too short (minimum five characters)"; case SSH_ERR_FILE_CHANGED: return "file changed while reading"; case SSH_ERR_KEY_UNKNOWN_CIPHER: diff --git a/sshkey.c b/sshkey.c index 32dd8f2..87b093e 100644 --- a/sshkey.c +++ b/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.31 2015/12/11 04:21:12 mmcc Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -83,36 +83,39 @@ struct keytype { int type; int nid; int cert; + int sigonly; }; static const struct keytype keytypes[] = { - { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, + { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", - KEY_ED25519_CERT, 0, 1 }, + KEY_ED25519_CERT, 0, 1, 0 }, #ifdef WITH_OPENSSL - { NULL, "RSA1", KEY_RSA1, 0, 0 }, - { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, - { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, + { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, + { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, + { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, + { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, + { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, # ifdef OPENSSL_HAS_ECC - { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, - { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, + { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, + { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, # ifdef OPENSSL_HAS_NISTP521 - { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, + { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, # endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_ECC */ - { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, - { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, + { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, + { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, # ifdef OPENSSL_HAS_ECC { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", - KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, + KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", - KEY_ECDSA_CERT, NID_secp384r1, 1 }, + KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, # ifdef OPENSSL_HAS_NISTP521 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", - KEY_ECDSA_CERT, NID_secp521r1, 1 }, + KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, # endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ - { NULL, NULL, -1, -1, 0 } + { NULL, NULL, -1, -1, 0, 0 } }; const char * @@ -200,7 +203,7 @@ key_alg_list(int certs_only, int plain_only) const struct keytype *kt; for (kt = keytypes; kt->type != -1; kt++) { - if (kt->name == NULL) + if (kt->name == NULL || kt->sigonly) continue; if ((certs_only && !kt->cert) || (plain_only && kt->cert)) continue; @@ -417,20 +420,14 @@ cert_free(struct sshkey_cert *cert) if (cert == NULL) return; - if (cert->certblob != NULL) - sshbuf_free(cert->certblob); - if (cert->critical != NULL) - sshbuf_free(cert->critical); - if (cert->extensions != NULL) - sshbuf_free(cert->extensions); - if (cert->key_id != NULL) - free(cert->key_id); + sshbuf_free(cert->certblob); + sshbuf_free(cert->critical); + sshbuf_free(cert->extensions); + free(cert->key_id); for (i = 0; i < cert->nprincipals; i++) free(cert->principals[i]); - if (cert->principals != NULL) - free(cert->principals); - if (cert->signature_key != NULL) - sshkey_free(cert->signature_key); + free(cert->principals); + sshkey_free(cert->signature_key); explicit_bzero(cert, sizeof(*cert)); free(cert); } @@ -1216,7 +1213,7 @@ read_decimal_bignum(char **cpp, BIGNUM *v) return SSH_ERR_BIGNUM_TOO_LARGE; if (cp[e] == '\0') skip = 0; - else if (index(" \t\r\n", cp[e]) == NULL) + else if (strchr(" \t\r\n", cp[e]) == NULL) return SSH_ERR_INVALID_FORMAT; cp[e] = '\0'; if (BN_dec2bn(&v, cp) <= 0) @@ -1232,11 +1229,10 @@ sshkey_read(struct sshkey *ret, char **cpp) { struct sshkey *k; int retval = SSH_ERR_INVALID_FORMAT; - char *cp, *space; + char *ep, *cp, *space; int r, type, curve_nid = -1; struct sshbuf *blob; #ifdef WITH_SSH1 - char *ep; u_long bits; #endif /* WITH_SSH1 */ @@ -1247,7 +1243,7 @@ sshkey_read(struct sshkey *ret, char **cpp) #ifdef WITH_SSH1 /* Get number of bits. */ bits = strtoul(cp, &ep, 10); - if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || + if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL || bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ /* Get public exponent, public modulus. */ @@ -1255,10 +1251,10 @@ sshkey_read(struct sshkey *ret, char **cpp) return r; if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) return r; - *cpp = ep; /* validate the claimed number of bits */ if (BN_num_bits(ret->rsa->n) != (int)bits) return SSH_ERR_KEY_BITS_MISMATCH; + *cpp = ep; retval = 0; #endif /* WITH_SSH1 */ break; @@ -1296,9 +1292,9 @@ sshkey_read(struct sshkey *ret, char **cpp) *space++ = '\0'; while (*space == ' ' || *space == '\t') space++; - *cpp = space; + ep = space; } else - *cpp = cp + strlen(cp); + ep = cp + strlen(cp); if ((r = sshbuf_b64tod(blob, cp)) != 0) { sshbuf_free(blob); return r; @@ -1329,8 +1325,9 @@ sshkey_read(struct sshkey *ret, char **cpp) ret->cert = k->cert; k->cert = NULL; } + switch (sshkey_type_plain(ret->type)) { #ifdef WITH_OPENSSL - if (sshkey_type_plain(ret->type) == KEY_RSA) { + case KEY_RSA: if (ret->rsa != NULL) RSA_free(ret->rsa); ret->rsa = k->rsa; @@ -1338,8 +1335,8 @@ sshkey_read(struct sshkey *ret, char **cpp) #ifdef DEBUG_PK RSA_print_fp(stderr, ret->rsa, 8); #endif - } - if (sshkey_type_plain(ret->type) == KEY_DSA) { + break; + case KEY_DSA: if (ret->dsa != NULL) DSA_free(ret->dsa); ret->dsa = k->dsa; @@ -1347,9 +1344,9 @@ sshkey_read(struct sshkey *ret, char **cpp) #ifdef DEBUG_PK DSA_print_fp(stderr, ret->dsa, 8); #endif - } + break; # ifdef OPENSSL_HAS_ECC - if (sshkey_type_plain(ret->type) == KEY_ECDSA) { + case KEY_ECDSA: if (ret->ecdsa != NULL) EC_KEY_free(ret->ecdsa); ret->ecdsa = k->ecdsa; @@ -1359,17 +1356,19 @@ sshkey_read(struct sshkey *ret, char **cpp) #ifdef DEBUG_PK sshkey_dump_ec_key(ret->ecdsa); #endif - } + break; # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ - if (sshkey_type_plain(ret->type) == KEY_ED25519) { + case KEY_ED25519: free(ret->ed25519_pk); ret->ed25519_pk = k->ed25519_pk; k->ed25519_pk = NULL; #ifdef DEBUG_PK /* XXX */ #endif + break; } + *cpp = ep; retval = 0; /*XXXX*/ sshkey_free(k); @@ -1717,7 +1716,7 @@ sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || (ret = sshbuf_putb(to->critical, from->critical)) != 0 || - (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) + (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) return ret; to->serial = from->serial; @@ -1758,9 +1757,7 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) struct sshkey *n = NULL; int ret = SSH_ERR_INTERNAL_ERROR; - if (pkp != NULL) - *pkp = NULL; - + *pkp = NULL; switch (k->type) { #ifdef WITH_OPENSSL case KEY_DSA: @@ -2174,7 +2171,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) int sshkey_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, - const u_char *data, size_t datalen, u_int compat) + const u_char *data, size_t datalen, const char *alg, u_int compat) { if (sigp != NULL) *sigp = NULL; @@ -2194,7 +2191,7 @@ sshkey_sign(const struct sshkey *key, # endif /* OPENSSL_HAS_ECC */ case KEY_RSA_CERT: case KEY_RSA: - return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); + return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); #endif /* WITH_OPENSSL */ case KEY_ED25519: case KEY_ED25519_CERT: @@ -2226,7 +2223,7 @@ sshkey_verify(const struct sshkey *key, # endif /* OPENSSL_HAS_ECC */ case KEY_RSA_CERT: case KEY_RSA: - return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); + return ssh_rsa_verify(key, sig, siglen, data, dlen); #endif /* WITH_OPENSSL */ case KEY_ED25519: case KEY_ED25519_CERT: @@ -2243,9 +2240,7 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) struct sshkey *pk; int ret = SSH_ERR_INTERNAL_ERROR; - if (dkp != NULL) - *dkp = NULL; - + *dkp = NULL; if ((pk = calloc(1, sizeof(*pk))) == NULL) return SSH_ERR_ALLOC_FAIL; pk->type = k->type; @@ -2462,7 +2457,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) /* Sign the whole mess */ if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), - sshbuf_len(cert), 0)) != 0) + sshbuf_len(cert), NULL, 0)) != 0) goto out; /* Append signature and we are done */ @@ -2472,12 +2467,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) out: if (ret != 0) sshbuf_reset(cert); - if (sig_blob != NULL) - free(sig_blob); - if (ca_blob != NULL) - free(ca_blob); - if (principals != NULL) - sshbuf_free(principals); + free(sig_blob); + free(ca_blob); + sshbuf_free(principals); return ret; } @@ -2538,6 +2530,43 @@ sshkey_cert_check_authority(const struct sshkey *k, return 0; } +size_t +sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) +{ + char from[32], to[32], ret[64]; + time_t tt; + struct tm *tm; + + *from = *to = '\0'; + if (cert->valid_after == 0 && + cert->valid_before == 0xffffffffffffffffULL) + return strlcpy(s, "forever", l); + + if (cert->valid_after != 0) { + /* XXX revisit INT_MAX in 2038 :) */ + tt = cert->valid_after > INT_MAX ? + INT_MAX : cert->valid_after; + tm = localtime(&tt); + strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); + } + if (cert->valid_before != 0xffffffffffffffffULL) { + /* XXX revisit INT_MAX in 2038 :) */ + tt = cert->valid_before > INT_MAX ? + INT_MAX : cert->valid_before; + tm = localtime(&tt); + strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); + } + + if (cert->valid_after == 0) + snprintf(ret, sizeof(ret), "before %s", to); + else if (cert->valid_before == 0xffffffffffffffffULL) + snprintf(ret, sizeof(ret), "after %s", from); + else + snprintf(ret, sizeof(ret), "from %s to %s", from, to); + + return strlcpy(s, ret, l); +} + int sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) { @@ -2701,7 +2730,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) goto out; } if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), - EC_KEY_get0_public_key(k->ecdsa)) != 0) || + EC_KEY_get0_public_key(k->ecdsa))) != 0 || (r = sshkey_ec_validate_private(k->ecdsa)) != 0) goto out; break; @@ -2719,7 +2748,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) goto out; } if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), - EC_KEY_get0_public_key(k->ecdsa)) != 0) || + EC_KEY_get0_public_key(k->ecdsa))) != 0 || (r = sshkey_ec_validate_private(k->ecdsa)) != 0) goto out; break; @@ -2741,10 +2770,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) case KEY_RSA_CERT: if ((r = sshkey_froms(buf, &k)) != 0 || (r = sshkey_add_private(k)) != 0 || - (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || - (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || - (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || - (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || + (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || + (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || + (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || + (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || (r = rsa_generate_additional_parameters(k->rsa)) != 0) goto out; break; @@ -3431,9 +3460,9 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, /* Store public key. This will be in plain text. */ if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || - (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || - (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || - (r = sshbuf_put_cstring(encrypted, comment) != 0)) + (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 || + (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 || + (r = sshbuf_put_cstring(encrypted, comment)) != 0) goto out; /* Allocate space for the private part of the key in the buffer. */ @@ -3454,10 +3483,8 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, out: explicit_bzero(&ciphercontext, sizeof(ciphercontext)); explicit_bzero(buf, sizeof(buf)); - if (buffer != NULL) - sshbuf_free(buffer); - if (encrypted != NULL) - sshbuf_free(encrypted); + sshbuf_free(buffer); + sshbuf_free(encrypted); return r; } @@ -3611,10 +3638,8 @@ sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, pub = NULL; out: - if (copy != NULL) - sshbuf_free(copy); - if (pub != NULL) - sshkey_free(pub); + sshbuf_free(copy); + sshkey_free(pub); return r; } @@ -3726,14 +3751,10 @@ sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, } out: explicit_bzero(&ciphercontext, sizeof(ciphercontext)); - if (comment != NULL) - free(comment); - if (prv != NULL) - sshkey_free(prv); - if (copy != NULL) - sshbuf_free(copy); - if (decrypted != NULL) - sshbuf_free(decrypted); + free(comment); + sshkey_free(prv); + sshbuf_free(copy); + sshbuf_free(decrypted); return r; } #endif /* WITH_SSH1 */ @@ -3823,8 +3844,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, BIO_free(bio); if (pk != NULL) EVP_PKEY_free(pk); - if (prv != NULL) - sshkey_free(prv); + sshkey_free(prv); return r; } #endif /* WITH_OPENSSL */ @@ -3833,8 +3853,6 @@ int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, const char *passphrase, struct sshkey **keyp, char **commentp) { - int r; - *keyp = NULL; if (commentp != NULL) *commentp = NULL; @@ -3856,8 +3874,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, return sshkey_parse_private2(blob, type, passphrase, keyp, commentp); case KEY_UNSPEC: - if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, - commentp)) == 0) + if (sshkey_parse_private2(blob, type, passphrase, keyp, + commentp) == 0) return 0; #ifdef WITH_OPENSSL return sshkey_parse_private_pem_fileblob(blob, type, @@ -3872,10 +3890,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, int sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, - const char *filename, struct sshkey **keyp, char **commentp) + struct sshkey **keyp, char **commentp) { - int r; - if (keyp != NULL) *keyp = NULL; if (commentp != NULL) @@ -3883,13 +3899,11 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, #ifdef WITH_SSH1 /* it's a SSH v1 key if the public key part is readable */ - if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { + if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) { return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, passphrase, keyp, commentp); } #endif /* WITH_SSH1 */ - if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, - passphrase, keyp, commentp)) == 0) - return 0; - return r; + return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, + passphrase, keyp, commentp); } diff --git a/sshkey.h b/sshkey.h index c8d3cdd..a20a14f 100644 --- a/sshkey.h +++ b/sshkey.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.9 2015/08/04 05:23:06 djm Exp $ */ +/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -141,6 +141,8 @@ int sshkey_certify(struct sshkey *, struct sshkey *); int sshkey_cert_copy(const struct sshkey *, struct sshkey *); int sshkey_cert_check_authority(const struct sshkey *, int, int, const char *, const char **); +size_t sshkey_format_cert_validity(const struct sshkey_cert *, + char *, size_t) __attribute__((__bounded__(__string__, 2, 3))); int sshkey_ecdsa_nid_from_name(const char *); int sshkey_curve_name_to_nid(const char *); @@ -167,7 +169,7 @@ int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *); int sshkey_putb_plain(const struct sshkey *, struct sshbuf *); int sshkey_sign(const struct sshkey *, u_char **, size_t *, - const u_char *, size_t, u_int); + const u_char *, size_t, const char *, u_int); int sshkey_verify(const struct sshkey *, const u_char *, size_t, const u_char *, size_t, u_int); @@ -186,17 +188,16 @@ int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, int sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, struct sshkey **keyp, char **commentp); int sshkey_parse_private_fileblob(struct sshbuf *buffer, - const char *passphrase, const char *filename, struct sshkey **keyp, - char **commentp); + const char *passphrase, struct sshkey **keyp, char **commentp); int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, const char *passphrase, struct sshkey **keyp, char **commentp); #ifdef SSHKEY_INTERNAL -int ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, - const u_char *data, size_t datalen, u_int compat); +int ssh_rsa_sign(const struct sshkey *key, + u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, + const char *ident); int ssh_rsa_verify(const struct sshkey *key, - const u_char *signature, size_t signaturelen, - const u_char *data, size_t datalen, u_int compat); + const u_char *sig, size_t siglen, const u_char *data, size_t datalen); int ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, u_int compat); int ssh_dss_verify(const struct sshkey *key, diff --git a/sshlogin.c b/sshlogin.c index 818312f..cea3e76 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.c,v 1.31 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: sshlogin.c,v 1.32 2015/12/26 20:51:35 guenther Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland diff --git a/uidswap.c b/uidswap.c index 0702e1d..8bf6b24 100644 --- a/uidswap.c +++ b/uidswap.c @@ -134,7 +134,7 @@ temporarily_use_uid(struct passwd *pw) void permanently_drop_suid(uid_t uid) { -#ifndef HAVE_CYGWIN +#ifndef NO_UID_RESTORATION_TEST uid_t old_uid = getuid(); #endif @@ -142,8 +142,14 @@ permanently_drop_suid(uid_t uid) if (setresuid(uid, uid, uid) < 0) fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); -#ifndef HAVE_CYGWIN - /* Try restoration of UID if changed (test clearing of saved uid) */ +#ifndef NO_UID_RESTORATION_TEST + /* + * Try restoration of UID if changed (test clearing of saved uid). + * + * Note that we don't do this on Cygwin, or on Solaris-based platforms + * where fine-grained privileges are available (the user might be + * deliberately allowed the right to setuid back to root). + */ if (old_uid != uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) fatal("%s: was able to restore old [e]uid", __func__); @@ -199,7 +205,7 @@ restore_uid(void) void permanently_set_uid(struct passwd *pw) { -#ifndef HAVE_CYGWIN +#ifndef NO_UID_RESTORATION_TEST uid_t old_uid = getuid(); gid_t old_gid = getgid(); #endif @@ -227,7 +233,7 @@ permanently_set_uid(struct passwd *pw) if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); -#ifndef HAVE_CYGWIN +#ifndef NO_UID_RESTORATION_TEST /* Try restoration of GID if changed (test clearing of saved gid) */ if (old_gid != pw->pw_gid && pw->pw_uid != 0 && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) @@ -241,7 +247,7 @@ permanently_set_uid(struct passwd *pw) (u_int)pw->pw_gid); } -#ifndef HAVE_CYGWIN +#ifndef NO_UID_RESTORATION_TEST /* Try restoration of UID if changed (test clearing of saved uid) */ if (old_uid != pw->pw_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) diff --git a/version.h b/version.h index 41e1ea9..4189982 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.75 2015/08/21 03:45:26 djm Exp $ */ +/* $OpenBSD: version.h,v 1.76 2016/02/23 09:14:34 djm Exp $ */ -#define SSH_VERSION "OpenSSH_7.1" +#define SSH_VERSION "OpenSSH_7.2" -#define SSH_PORTABLE "p2" +#define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/xmalloc.c b/xmalloc.c index 98cbf87..b583236 100644 --- a/xmalloc.c +++ b/xmalloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.c,v 1.32 2015/04/24 01:36:01 deraadt Exp $ */ +/* $OpenBSD: xmalloc.c,v 1.33 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -26,6 +26,16 @@ #include "xmalloc.h" #include "log.h" +void +ssh_malloc_init(void) +{ +#if defined(__OpenBSD__) + extern char *malloc_options; + + malloc_options = "S"; +#endif /* __OpenBSD__ */ +} + void * xmalloc(size_t size) { diff --git a/xmalloc.h b/xmalloc.h index 2bec77b..e499289 100644 --- a/xmalloc.h +++ b/xmalloc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.h,v 1.15 2015/04/24 01:36:01 deraadt Exp $ */ +/* $OpenBSD: xmalloc.h,v 1.16 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -16,6 +16,7 @@ * called by a name other than "ssh" or "Secure Shell". */ +void ssh_malloc_init(void); void *xmalloc(size_t); void *xcalloc(size_t, size_t); void *xreallocarray(void *, size_t, size_t); -- cgit v1.1 From 773a64f003e1b4a7ff6761f59e9886a9d3fbd272 Mon Sep 17 00:00:00 2001 From: sobomax Date: Thu, 10 Mar 2016 21:36:24 +0000 Subject: Add -S option to print out summary after compression has been completed. MFC after: 2 weeks --- usr.bin/mkuzip/mkuzip.8 | 3 +++ usr.bin/mkuzip/mkuzip.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/usr.bin/mkuzip/mkuzip.8 b/usr.bin/mkuzip/mkuzip.8 index c839551..cb05098 100644 --- a/usr.bin/mkuzip/mkuzip.8 +++ b/usr.bin/mkuzip/mkuzip.8 @@ -118,6 +118,9 @@ detects identical blocks in the input and replaces each subsequent occurence of such block with pointer to the very first one in the output. Setting this option results is moderate decrease of compressed image size, typically around 3-5% of a final size of the compressed image. +.It Fl S +Print summary about the compression ratio as well as output +file size after file has been processed. .El .Sh NOTES The compression ratio largely depends on the cluster size used. diff --git a/usr.bin/mkuzip/mkuzip.c b/usr.bin/mkuzip/mkuzip.c index 1e3a204..4986197 100644 --- a/usr.bin/mkuzip/mkuzip.c +++ b/usr.bin/mkuzip/mkuzip.c @@ -90,6 +90,7 @@ int main(int argc, char **argv) char *iname, *oname, *obuf, *ibuf; uint64_t *toc; int fdr, fdw, i, opt, verbose, no_zcomp, tmp, en_dedup; + int summary; struct iovec iov[2]; struct stat sb; uint32_t destlen; @@ -104,9 +105,10 @@ int main(int argc, char **argv) verbose = 0; no_zcomp = 0; en_dedup = 0; + summary = 0; handler = &uzip_fmt; - while((opt = getopt(argc, argv, "o:s:vZdL")) != -1) { + while((opt = getopt(argc, argv, "o:s:vZdLS")) != -1) { switch(opt) { case 'o': oname = optarg; @@ -138,6 +140,10 @@ int main(int argc, char **argv) handler = &ulzma_fmt; break; + case 'S': + summary = 1; + break; + default: usage(); /* Not reached */ @@ -294,7 +300,7 @@ int main(int argc, char **argv) } close(fdr); - if (verbose != 0) + if (verbose != 0 || summary != 0) fprintf(stderr, "compressed data to %ju bytes, saved %lld " "bytes, %.2f%% decrease.\n", offset, (long long)(sb.st_size - offset), @@ -337,7 +343,7 @@ static void usage(void) { - fprintf(stderr, "usage: mkuzip [-vZdL] [-o outfile] [-s cluster_size] " + fprintf(stderr, "usage: mkuzip [-vZdLS] [-o outfile] [-s cluster_size] " "infile\n"); exit(1); } -- cgit v1.1 From 641cb8b82324a1e25454953d783a4b1ff7b94f88 Mon Sep 17 00:00:00 2001 From: np Date: Thu, 10 Mar 2016 23:17:26 +0000 Subject: cxgbe(4): Improvements to the code that deals with the firmware's log. - Query the location of the log very early during attach. Refresh the location later after establishing contact with the firmware. - Save the log's location as a flat address in devlog_params. - Use a memory window instead of backdoor access to the EDC/MC to read the log. --- sys/dev/cxgbe/common/common.h | 1 + sys/dev/cxgbe/t4_main.c | 55 ++++++++++++++++++++++--------------------- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/sys/dev/cxgbe/common/common.h b/sys/dev/cxgbe/common/common.h index d499f74..89a9506 100644 --- a/sys/dev/cxgbe/common/common.h +++ b/sys/dev/cxgbe/common/common.h @@ -262,6 +262,7 @@ struct devlog_params { u32 memtype; /* which memory (FW_MEMTYPE_* ) */ u32 start; /* start of log in firmware memory */ u32 size; /* size of log */ + u32 addr; /* start address in flat addr space */ }; /* Stores chip specific parameters */ diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index 05a82b7..8daf3e4 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -409,6 +409,7 @@ static int validate_mem_range(struct adapter *, uint32_t, int); static int fwmtype_to_hwmtype(int); static int validate_mt_off_len(struct adapter *, int, uint32_t, int, uint32_t *); +static int fixup_devlog_params(struct adapter *); static int cfg_itype_and_nqueues(struct adapter *, int, int, int, struct intrs_and_queues *); static int prep_firmware(struct adapter *); @@ -733,6 +734,8 @@ t4_attach(device_t dev) * will work even in "recovery mode". */ setup_memwin(sc); + if (t4_init_devlog_params(sc, 0) == 0) + fixup_devlog_params(sc); sc->cdev = make_dev(is_t4(sc) ? &t4_cdevsw : &t5_cdevsw, device_get_unit(dev), UID_ROOT, GID_WHEEL, 0600, "%s", device_get_nameunit(dev)); @@ -2333,6 +2336,18 @@ validate_mt_off_len(struct adapter *sc, int mtype, uint32_t off, int len, } static int +fixup_devlog_params(struct adapter *sc) +{ + struct devlog_params *dparams = &sc->params.devlog; + int rc; + + rc = validate_mt_off_len(sc, dparams->memtype, dparams->start, + dparams->size, &dparams->addr); + + return (rc); +} + +static int cfg_itype_and_nqueues(struct adapter *sc, int n10g, int n1g, int num_vis, struct intrs_and_queues *iaq) { @@ -3052,8 +3067,6 @@ get_params__pre_init(struct adapter *sc) { int rc; uint32_t param[2], val[2]; - struct fw_devlog_cmd cmd; - struct devlog_params *dlog = &sc->params.devlog; param[0] = FW_PARAM_DEV(PORTVEC); param[1] = FW_PARAM_DEV(CCLK); @@ -3069,21 +3082,13 @@ get_params__pre_init(struct adapter *sc) sc->params.vpd.cclk = val[1]; /* Read device log parameters. */ - bzero(&cmd, sizeof(cmd)); - cmd.op_to_write = htobe32(V_FW_CMD_OP(FW_DEVLOG_CMD) | - F_FW_CMD_REQUEST | F_FW_CMD_READ); - cmd.retval_len16 = htobe32(FW_LEN16(cmd)); - rc = -t4_wr_mbox(sc, sc->mbox, &cmd, sizeof(cmd), &cmd); - if (rc != 0) { + rc = -t4_init_devlog_params(sc, 1); + if (rc == 0) + fixup_devlog_params(sc); + else { device_printf(sc->dev, "failed to get devlog parameters: %d.\n", rc); - bzero(dlog, sizeof (*dlog)); rc = 0; /* devlog isn't critical for device operation */ - } else { - val[0] = be32toh(cmd.memtype_devlog_memaddr16_devlog); - dlog->memtype = G_FW_DEVLOG_CMD_MEMTYPE_DEVLOG(val[0]); - dlog->start = G_FW_DEVLOG_CMD_MEMADDR16_DEVLOG(val[0]) << 4; - dlog->size = be32toh(cmd.memsize_devlog); } return (rc); @@ -5875,7 +5880,7 @@ sysctl_ddp_stats(SYSCTL_HANDLER_ARGS) return (rc); } -const char *devlog_level_strings[] = { +static const char * const devlog_level_strings[] = { [FW_DEVLOG_LEVEL_EMERG] = "EMERG", [FW_DEVLOG_LEVEL_CRIT] = "CRIT", [FW_DEVLOG_LEVEL_ERR] = "ERR", @@ -5884,7 +5889,7 @@ const char *devlog_level_strings[] = { [FW_DEVLOG_LEVEL_DEBUG] = "DEBUG" }; -const char *devlog_facility_strings[] = { +static const char * const devlog_facility_strings[] = { [FW_DEVLOG_FACILITY_CORE] = "CORE", [FW_DEVLOG_FACILITY_CF] = "CF", [FW_DEVLOG_FACILITY_SCHED] = "SCHED", @@ -5908,7 +5913,8 @@ const char *devlog_facility_strings[] = { [FW_DEVLOG_FACILITY_ISCSI] = "ISCSI", [FW_DEVLOG_FACILITY_FCOE] = "FCOE", [FW_DEVLOG_FACILITY_FOISCSI] = "FOISCSI", - [FW_DEVLOG_FACILITY_FOFCOE] = "FOFCOE" + [FW_DEVLOG_FACILITY_FOFCOE] = "FOFCOE", + [FW_DEVLOG_FACILITY_CHNET] = "CHNET", }; static int @@ -5917,27 +5923,22 @@ sysctl_devlog(SYSCTL_HANDLER_ARGS) struct adapter *sc = arg1; struct devlog_params *dparams = &sc->params.devlog; struct fw_devlog_e *buf, *e; - int i, j, rc, nentries, first = 0, m; + int i, j, rc, nentries, first = 0; struct sbuf *sb; uint64_t ftstamp = UINT64_MAX; - if (dparams->start == 0) { - dparams->memtype = FW_MEMTYPE_EDC0; - dparams->start = 0x84000; - dparams->size = 32768; - } - - nentries = dparams->size / sizeof(struct fw_devlog_e); + if (dparams->addr == 0) + return (ENXIO); buf = malloc(dparams->size, M_CXGBE, M_NOWAIT); if (buf == NULL) return (ENOMEM); - m = fwmtype_to_hwmtype(dparams->memtype); - rc = -t4_mem_read(sc, m, dparams->start, dparams->size, (void *)buf); + rc = read_via_memwin(sc, 1, dparams->addr, (void *)buf, dparams->size); if (rc != 0) goto done; + nentries = dparams->size / sizeof(struct fw_devlog_e); for (i = 0; i < nentries; i++) { e = &buf[i]; -- cgit v1.1 From 0e0b4ac1f05aada737d7d2280ab40c6b06016981 Mon Sep 17 00:00:00 2001 From: sobomax Date: Thu, 10 Mar 2016 23:19:35 +0000 Subject: When -S is specified dump summary to stdout, not stderr, so it's easier to capture and process it with external tools via pipe. --- usr.bin/mkuzip/mkuzip.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/usr.bin/mkuzip/mkuzip.c b/usr.bin/mkuzip/mkuzip.c index 4986197..fa73653 100644 --- a/usr.bin/mkuzip/mkuzip.c +++ b/usr.bin/mkuzip/mkuzip.c @@ -90,7 +90,10 @@ int main(int argc, char **argv) char *iname, *oname, *obuf, *ibuf; uint64_t *toc; int fdr, fdw, i, opt, verbose, no_zcomp, tmp, en_dedup; - int summary; + struct { + int en; + FILE *f; + } summary; struct iovec iov[2]; struct stat sb; uint32_t destlen; @@ -105,7 +108,8 @@ int main(int argc, char **argv) verbose = 0; no_zcomp = 0; en_dedup = 0; - summary = 0; + summary.en = 0; + summary.f = stderr; handler = &uzip_fmt; while((opt = getopt(argc, argv, "o:s:vZdLS")) != -1) { @@ -141,7 +145,8 @@ int main(int argc, char **argv) break; case 'S': - summary = 1; + summary.en = 1; + summary.f = stdout; break; default: @@ -300,8 +305,8 @@ int main(int argc, char **argv) } close(fdr); - if (verbose != 0 || summary != 0) - fprintf(stderr, "compressed data to %ju bytes, saved %lld " + if (verbose != 0 || summary.en != 0) + fprintf(summary.f, "compressed data to %ju bytes, saved %lld " "bytes, %.2f%% decrease.\n", offset, (long long)(sb.st_size - offset), 100.0 * (long long)(sb.st_size - offset) / -- cgit v1.1 From ba453f42f3c1044974096e29cb9098cb78db20e5 Mon Sep 17 00:00:00 2001 From: des Date: Fri, 11 Mar 2016 00:23:10 +0000 Subject: Re-add AES-CBC ciphers to the default cipher list on the server. PR: 207679 --- crypto/openssh/FREEBSD-upgrade | 8 +++++++- crypto/openssh/myproposal.h | 5 +++-- crypto/openssh/sshd_config.5 | 3 ++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 7acd51f..43e2a74 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -1,4 +1,3 @@ - FreeBSD maintainer's guide to OpenSSH-portable ============================================== @@ -166,6 +165,13 @@ ignore HPN-related configuration options to avoid breaking existing configurations. +A) AES-CBC + + The AES-CBC ciphers were removed from the server-side proposal list + in 6.7p1 due to theoretical weaknesses and the availability of + superior ciphers (including AES-CTR and AES-GCM). We have re-added + them for compatibility with third-party clients. + This port was brought to you by (in no particular order) DARPA, NAI diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h index 7a8b432..d286691 100644 --- a/crypto/openssh/myproposal.h +++ b/crypto/openssh/myproposal.h @@ -113,10 +113,11 @@ #define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES + AESGCM_CIPHER_MODES \ + ",aes128-cbc,aes192-cbc,aes256-cbc" #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" + "3des-cbc" #define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index baed664..cc43aad 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -482,7 +482,8 @@ The default is: .Bd -literal -offset indent chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com +aes128-gcm@openssh.com,aes256-gcm@openssh.com, +aes128-cbc,aes192-cbc,aes256-cbc .Ed .Pp The list of available ciphers may also be obtained using the -- cgit v1.1 From 218c7825feaddeda53ec3130ebb13f0aa74393a3 Mon Sep 17 00:00:00 2001 From: sjg Date: Fri, 11 Mar 2016 01:35:39 +0000 Subject: Merge bmake-20160307 --- contrib/bmake/ChangeLog | 38 ++++++ contrib/bmake/Makefile | 4 +- contrib/bmake/arch.c | 48 ++++--- contrib/bmake/bmake.1 | 47 +++++-- contrib/bmake/bmake.cat1 | 61 +++++---- contrib/bmake/compat.c | 26 ++-- contrib/bmake/cond.c | 38 +++--- contrib/bmake/dirname.c | 89 ++++++++----- contrib/bmake/for.c | 8 +- contrib/bmake/getopt.c | 89 +++++++------ contrib/bmake/job.c | 35 +++-- contrib/bmake/main.c | 114 +++++++++------- contrib/bmake/make.1 | 47 +++++-- contrib/bmake/make.c | 26 ++-- contrib/bmake/make.h | 11 +- contrib/bmake/meta.c | 82 ++++++------ contrib/bmake/meta.h | 3 +- contrib/bmake/mk/ChangeLog | 39 ++++++ contrib/bmake/mk/auto.dep.mk | 12 +- contrib/bmake/mk/dirdeps.mk | 64 ++++++--- contrib/bmake/mk/gendirdeps.mk | 6 +- contrib/bmake/mk/install-mk | 4 +- contrib/bmake/mk/meta.autodep.mk | 4 +- contrib/bmake/mk/meta.stage.mk | 6 +- contrib/bmake/mk/meta.sys.mk | 4 +- contrib/bmake/mk/meta2deps.sh | 4 +- contrib/bmake/mk/sys.clean-env.mk | 15 ++- contrib/bmake/mk/sys.dependfile.mk | 4 +- contrib/bmake/mk/warnings.mk | 4 +- contrib/bmake/nonints.h | 7 +- contrib/bmake/parse.c | 46 +++---- contrib/bmake/suff.c | 17 ++- contrib/bmake/targ.c | 12 +- contrib/bmake/unit-tests/export-env.exp | 2 + contrib/bmake/unit-tests/export-env.mk | 9 +- contrib/bmake/unit-tests/modts.exp | 10 +- contrib/bmake/unit-tests/modts.mk | 3 +- contrib/bmake/var.c | 222 +++++++++++++++++++------------- share/mk/dirdeps.mk | 64 ++++++--- share/mk/gendirdeps.mk | 6 +- share/mk/meta.autodep.mk | 4 +- share/mk/meta.stage.mk | 6 +- share/mk/meta.sys.mk | 2 +- share/mk/sys.dependfile.mk | 6 +- usr.bin/bmake/Makefile | 4 +- 45 files changed, 840 insertions(+), 512 deletions(-) diff --git a/contrib/bmake/ChangeLog b/contrib/bmake/ChangeLog index c3a4241..78b5a7e 100644 --- a/contrib/bmake/ChangeLog +++ b/contrib/bmake/ChangeLog @@ -1,3 +1,41 @@ +2016-03-07 Simon J. Gerraty + + * Makefile (MAKE_VERSION): 20160307 + Merge with NetBSD make, pick up + o var.c: fix :ts\nnn to be octal by default. + o meta.c: meta_finish() to cleanup memory. + +2016-02-26 Simon J. Gerraty + + * Makefile (MAKE_VERSION): 20160226 + Merge with NetBSD make, pick up + o meta.c: allow meta file for makeDepend if makefiles want it. + +2016-02-19 Simon J. Gerraty + + * var.c: default .MAKE.SAVE_DOLLARS to FALSE + for backwards compatability. + + * Makefile (MAKE_VERSION): 20160220 + Merge with NetBSD make, pick up + o var.c: add knob to control handling of '$$' in := + +2016-02-18 Simon J. Gerraty + + * Makefile (MAKE_VERSION): 20160218 + Merge with NetBSD make, pick up + o var.c: add .export-literal allows us to fix sys.clean-env.mk + post the changes to Var_Subst. + Var_Subst now takes flags, and does not consume '$$' in := + +2016-02-17 Simon J. Gerraty + + * Makefile (MAKE_VERSION): 20160217 + Merge with NetBSD make, pick up + o var.c: preserve '$$' in := + o parse.c: add .dinclude for handling included + makefile like .depend + 2015-12-20 Simon J. Gerraty * Makefile (MAKE_VERSION): 20151220 diff --git a/contrib/bmake/Makefile b/contrib/bmake/Makefile index 625c254..730e15d 100644 --- a/contrib/bmake/Makefile +++ b/contrib/bmake/Makefile @@ -1,7 +1,7 @@ -# $Id: Makefile,v 1.49 2015/12/20 22:54:40 sjg Exp $ +# $Id: Makefile,v 1.55 2016/03/07 22:02:47 sjg Exp $ # Base version on src date -MAKE_VERSION= 20151220 +MAKE_VERSION= 20160307 PROG= bmake diff --git a/contrib/bmake/arch.c b/contrib/bmake/arch.c index 9ceee10..f613a66 100644 --- a/contrib/bmake/arch.c +++ b/contrib/bmake/arch.c @@ -1,4 +1,4 @@ -/* $NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $ */ +/* $NetBSD: arch.c,v 1.68 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,14 +69,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $"; +static char rcsid[] = "$NetBSD: arch.c,v 1.68 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)arch.c 8.2 (Berkeley) 1/2/94"; #else -__RCSID("$NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $"); +__RCSID("$NetBSD: arch.c,v 1.68 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -136,7 +136,6 @@ __RCSID("$NetBSD: arch.c,v 1.64 2015/10/11 04:51:24 sjg Exp $"); #include #include #include -#include #ifdef HAVE_AR_H #include #else @@ -156,7 +155,6 @@ struct ar_hdr { #if defined(HAVE_RANLIB_H) && !(defined(__ELF__) || defined(NO_RANLIB)) #include #endif -#include #include #include #ifdef HAVE_UTIME_H @@ -254,8 +252,7 @@ ArchFree(void *ap) free(Hash_GetValue(entry)); free(a->name); - if (a->fnametab) - free(a->fnametab); + free(a->fnametab); Hash_DeleteTable(&a->members); free(a); } @@ -310,9 +307,10 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt) void *freeIt; char *result; - result = Var_Parse(cp, ctxt, TRUE, TRUE, &length, &freeIt); - if (freeIt) - free(freeIt); + result = Var_Parse(cp, ctxt, VARF_UNDEFERR|VARF_WANTRES, + &length, &freeIt); + free(freeIt); + if (result == var_Error) { return(FAILURE); } else { @@ -325,7 +323,7 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt) *cp++ = '\0'; if (subLibName) { - libName = Var_Subst(NULL, libName, ctxt, TRUE, TRUE); + libName = Var_Subst(NULL, libName, ctxt, VARF_UNDEFERR|VARF_WANTRES); } @@ -351,9 +349,10 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt) void *freeIt; char *result; - result = Var_Parse(cp, ctxt, TRUE, TRUE, &length, &freeIt); - if (freeIt) - free(freeIt); + result = Var_Parse(cp, ctxt, VARF_UNDEFERR|VARF_WANTRES, + &length, &freeIt); + free(freeIt); + if (result == var_Error) { return(FAILURE); } else { @@ -404,7 +403,8 @@ Arch_ParseArchive(char **linePtr, Lst nodeLst, GNode *ctxt) char *oldMemName = memName; size_t sz; - memName = Var_Subst(NULL, memName, ctxt, TRUE, TRUE); + memName = Var_Subst(NULL, memName, ctxt, + VARF_UNDEFERR|VARF_WANTRES); /* * Now form an archive spec and recurse to deal with nested @@ -759,8 +759,7 @@ ArchStatMember(char *archive, char *member, Boolean hash) badarch: fclose(arch); Hash_DeleteTable(&ar->members); - if (ar->fnametab) - free(ar->fnametab); + free(ar->fnametab); free(ar); return NULL; } @@ -1045,10 +1044,10 @@ Arch_Touch(GNode *gn) arch = ArchFindMember(Var_Value(ARCHIVE, gn, &p1), Var_Value(MEMBER, gn, &p2), &arh, "r+"); - if (p1) - free(p1); - if (p2) - free(p2); + + free(p1); + free(p2); + snprintf(arh.AR_DATE, sizeof(arh.AR_DATE), "%-12ld", (long) now); if (arch != NULL) { @@ -1127,10 +1126,9 @@ Arch_MTime(GNode *gn) arhPtr = ArchStatMember(Var_Value(ARCHIVE, gn, &p1), Var_Value(MEMBER, gn, &p2), TRUE); - if (p1) - free(p1); - if (p2) - free(p2); + + free(p1); + free(p2); if (arhPtr != NULL) { modTime = (time_t)strtol(arhPtr->AR_DATE, NULL, 10); diff --git a/contrib/bmake/bmake.1 b/contrib/bmake/bmake.1 index 39d28c4..603481e 100644 --- a/contrib/bmake/bmake.1 +++ b/contrib/bmake/bmake.1 @@ -1,4 +1,4 @@ -.\" $NetBSD: make.1,v 1.249 2015/06/05 07:33:40 wiz Exp $ +.\" $NetBSD: make.1,v 1.254 2016/02/20 01:43:28 wiz Exp $ .\" .\" Copyright (c) 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)make.1 8.4 (Berkeley) 3/19/94 .\" -.Dd June 4, 2015 +.Dd February 19, 2016 .Dt MAKE 1 .Os .Sh NAME @@ -293,7 +293,7 @@ then will search for the specified file or directory named in the remaining part of the argument string. The search starts with the current directory of -the Makefile and then works upward towards the root of the filesystem. +the Makefile and then works upward towards the root of the file system. If the search is successful, then the resulting directory replaces the .Qq \&.../ specification in the @@ -868,7 +868,7 @@ This can be overridden by setting .Va bf to a value which represents True. .It Pa env -For debugging, it can be useful to inlcude the environment +For debugging, it can be useful to include the environment in the .meta file. .It Pa verbose If in "meta" mode, print a clue about the target being built. @@ -918,7 +918,7 @@ The default value is: This variable is used to record the names of variables assigned to on the command line, so that they may be exported as part of .Ql Ev MAKEFLAGS . -This behaviour can be disabled by assigning an empty value to +This behavior can be disabled by assigning an empty value to .Ql Va .MAKEOVERRIDES within a makefile. Extra variables can be exported from a makefile @@ -941,6 +941,19 @@ The process-id of .It Va .MAKE.PPID The parent process-id of .Nm . +.It Va .MAKE.SAVE_DOLLARS +value should be a boolean that controls whether +.Ql $$ +are preserved when doing +.Ql := +assignments. +The default is false, for backwards compatibility. +Set to true for compatability with other makes. +If set to false, +.Ql $$ +becomes +.Ql $ +per normal evaluation rules. .It Va MAKE_PRINT_VAR_ON_ERROR When .Nm @@ -1044,7 +1057,7 @@ sets to the value of .Ql Ev PWD instead. -This behaviour is disabled if +This behavior is disabled if .Ql Ev MAKEOBJDIRPREFIX is set or .Ql Ev MAKEOBJDIR @@ -1114,7 +1127,7 @@ The wildcard characters may be escaped with a backslash As a consequence of the way values are split into words, matched, and then joined, a construct like .Dl ${VAR:M*} -will normalise the inter-word spacing, removing all leading and +will normalize the inter-word spacing, removing all leading and trailing space, and converting multiple consecutive spaces to single spaces. . @@ -1134,7 +1147,7 @@ Randomize words in variable. The results will be different each time you are referring to the modified variable; use the assignment with expansion .Pq Ql Cm \&:= -to prevent such behaviour. +to prevent such behavior. For example, .Bd -literal -offset indent LIST= uno due tre quattro @@ -1166,7 +1179,7 @@ The value is a format string for using the current .Xr gmtime 3 . .It Cm \&:hash -Compute a 32bit hash of the value and encode it as hex digits. +Compute a 32-bit hash of the value and encode it as hex digits. .It Cm \&:localtime The value is a format string for .Xr strftime 3 , @@ -1444,7 +1457,7 @@ value is divided into words. .Pp Ordinarily, a value is treated as a sequence of words delimited by white space. -Some modifiers suppress this behaviour, +Some modifiers suppress this behavior, causing a value to be treated as a single word (possibly containing embedded white space). An empty value, or a value that consists entirely of white-space, @@ -1530,12 +1543,20 @@ For compatibility with other versions of .Nm .Ql include file ... is also accepted. +.Pp If the include statement is written as .Cm .-include or as .Cm .sinclude then errors locating and/or opening include files are ignored. .Pp +If the include statement is written as +.Cm .dinclude +not only are errors locating and/or opening include files ignored, +but stale dependencies within the included file will be ignored +just like +.Va .MAKE.DEPENDFILE . +.Pp Conditional expressions are also preceded by a single dot as the first character of a line. The possible conditionals are as follows: @@ -1571,6 +1592,10 @@ This allows exporting a value to the environment which is different from that used by .Nm internally. +.It Ic .export-literal Ar variable ... +The same as +.Ql .export-env , +except that variables in the value are not expanded. .It Ic .info Ar message The message is printed along with the name of the makefile and line number. .It Ic .undef Ar variable @@ -2068,7 +2093,7 @@ The sources are a set of pairs. .Bl -tag -width hasErrCtls .It Ar name -This is the minimal specification, used to select one of the builtin +This is the minimal specification, used to select one of the built-in shell specs; .Ar sh , .Ar ksh , diff --git a/contrib/bmake/bmake.cat1 b/contrib/bmake/bmake.cat1 index 4d43e2d..b6159a8 100644 --- a/contrib/bmake/bmake.cat1 +++ b/contrib/bmake/bmake.cat1 @@ -178,11 +178,11 @@ DDEESSCCRRIIPPTTIIOONN then bbmmaakkee will search for the specified file or directory named in the remaining part of the argument string. The search starts with the current directory of the Makefile and then works upward - towards the root of the filesystem. If the search is successful, - then the resulting directory replaces the ".../" specification in - the --mm argument. If used, this feature allows bbmmaakkee to easily - search in the current source tree for customized sys.mk files - (e.g., by using ".../mk/sys.mk" as an argument). + towards the root of the file system. If the search is success- + ful, then the resulting directory replaces the ".../" specifica- + tion in the --mm argument. If used, this feature allows bbmmaakkee to + easily search in the current source tree for customized sys.mk + files (e.g., by using ".../mk/sys.mk" as an argument). --nn Display the commands that would have been executed, but do not actually execute them unless the target depends on the .MAKE spe- @@ -543,7 +543,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS in `_._C_U_R_D_I_R'. This can be overridden by set- ting _b_f to a value which represents True. - _e_n_v For debugging, it can be useful to inlcude + _e_n_v For debugging, it can be useful to include the environment in the .meta file. _v_e_r_b_o_s_e If in "meta" mode, print a clue about the @@ -591,7 +591,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS _._M_A_K_E_O_V_E_R_R_I_D_E_S This variable is used to record the names of variables assigned to on the command line, so that they may be - exported as part of `MAKEFLAGS'. This behaviour can be + exported as part of `MAKEFLAGS'. This behavior can be disabled by assigning an empty value to `_._M_A_K_E_O_V_E_R_R_I_D_E_S' within a makefile. Extra variables can be exported from a makefile by appending their names to `_._M_A_K_E_O_V_E_R_R_I_D_E_S'. @@ -607,6 +607,13 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS _._M_A_K_E_._P_P_I_D The parent process-id of bbmmaakkee. + _._M_A_K_E_._S_A_V_E___D_O_L_L_A_R_S + value should be a boolean that controls whether `$$' are + preserved when doing `:=' assignments. The default is + false, for backwards compatibility. Set to true for com- + patability with other makes. If set to false, `$$' + becomes `$' per normal evaluation rules. + _M_A_K_E___P_R_I_N_T___V_A_R___O_N___E_R_R_O_R When bbmmaakkee stops due to an error, it prints its name and the value of `_._C_U_R_D_I_R' as well as the value of any vari- @@ -670,7 +677,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS sets `_._C_U_R_D_I_R' to the canonical path given by getcwd(3). However, if the environment variable `PWD' is set and gives a path to the current directory, then bbmmaakkee sets - `_._C_U_R_D_I_R' to the value of `PWD' instead. This behaviour + `_._C_U_R_D_I_R' to the value of `PWD' instead. This behavior is disabled if `MAKEOBJDIRPREFIX' is set or `MAKEOBJDIR' contains a variable transform. `PWD' is set to the value of `_._O_B_J_D_I_R' for all programs which bbmmaakkee executes. @@ -717,7 +724,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS of the way values are split into words, matched, and then joined, a construct like ${VAR:M*} - will normalise the inter-word spacing, removing all leading and + will normalize the inter-word spacing, removing all leading and trailing space, and converting multiple consecutive spaces to single spaces. @@ -730,7 +737,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS ::OOxx Randomize words in variable. The results will be different each time you are referring to the modified variable; use the assignment - with expansion (`::==') to prevent such behaviour. For example, + with expansion (`::==') to prevent such behavior. For example, LIST= uno due tre quattro RANDOM_LIST= ${LIST:Ox} @@ -758,7 +765,7 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS gmtime(3). ::hhaasshh - Compute a 32bit hash of the value and encode it as hex digits. + Compute a 32-bit hash of the value and encode it as hex digits. ::llooccaallttiimmee The value is a format string for strftime(3), using the current @@ -914,13 +921,13 @@ VVAARRIIAABBLLEE AASSSSIIGGNNMMEENNTTSS tions related to the way in which the value is divided into words. Ordinarily, a value is treated as a sequence of words delimited by - white space. Some modifiers suppress this behaviour, causing a - value to be treated as a single word (possibly containing embedded - white space). An empty value, or a value that consists entirely of - white-space, is treated as a single word. For the purposes of the - `::[[]]' modifier, the words are indexed both forwards using positive - integers (where index 1 represents the first word), and backwards - using negative integers (where index -1 represents the last word). + white space. Some modifiers suppress this behavior, causing a value + to be treated as a single word (possibly containing embedded white + space). An empty value, or a value that consists entirely of white- + space, is treated as a single word. For the purposes of the `::[[]]' + modifier, the words are indexed both forwards using positive inte- + gers (where index 1 represents the first word), and backwards using + negative integers (where index -1 represents the last word). The _r_a_n_g_e is subjected to variable expansion, and the expanded result is then interpreted as follows: @@ -957,8 +964,14 @@ IINNCCLLUUDDEE SSTTAATTEEMMEENNTTSS,, CCOONNDDIITTIIOO used, the including makefile's directory and any directories specified using the --II option are searched before the system makefile directory. For compatibility with other versions of bbmmaakkee `include file ...' is also - accepted. If the include statement is written as ..--iinncclluuddee or as - ..ssiinncclluuddee then errors locating and/or opening include files are ignored. + accepted. + + If the include statement is written as ..--iinncclluuddee or as ..ssiinncclluuddee then + errors locating and/or opening include files are ignored. + + If the include statement is written as ..ddiinncclluuddee not only are errors + locating and/or opening include files ignored, but stale dependencies + within the included file will be ignored just like _._M_A_K_E_._D_E_P_E_N_D_F_I_L_E. Conditional expressions are also preceded by a single dot as the first character of a line. The possible conditionals are as follows: @@ -982,6 +995,10 @@ IINNCCLLUUDDEE SSTTAATTEEMMEENNTTSS,, CCOONNDDIITTIIOO to _._M_A_K_E_._E_X_P_O_R_T_E_D. This allows exporting a value to the environ- ment which is different from that used by bbmmaakkee internally. + ..eexxppoorrtt--lliitteerraall _v_a_r_i_a_b_l_e _._._. + The same as `.export-env', except that variables in the value are + not expanded. + ..iinnffoo _m_e_s_s_a_g_e The message is printed along with the name of the makefile and line number. @@ -1307,7 +1324,7 @@ SSPPEECCIIAALL TTAARRGGEETTSS sources are a set of _f_i_e_l_d_=_v_a_l_u_e pairs. _n_a_m_e This is the minimal specification, used to select - one of the builtin shell specs; _s_h, _k_s_h, and _c_s_h. + one of the built-in shell specs; _s_h, _k_s_h, and _c_s_h. _p_a_t_h Specifies the path to the shell. @@ -1452,4 +1469,4 @@ BBUUGGSS There is no way of escaping a space character in a filename. -NetBSD 5.1 June 4, 2015 NetBSD 5.1 +NetBSD 5.1 February 19, 2016 NetBSD 5.1 diff --git a/contrib/bmake/compat.c b/contrib/bmake/compat.c index 6cf963f..475c59d 100644 --- a/contrib/bmake/compat.c +++ b/contrib/bmake/compat.c @@ -1,4 +1,4 @@ -/* $NetBSD: compat.c,v 1.101 2015/10/11 04:51:24 sjg Exp $ */ +/* $NetBSD: compat.c,v 1.104 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990 The Regents of the University of California. @@ -70,14 +70,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: compat.c,v 1.101 2015/10/11 04:51:24 sjg Exp $"; +static char rcsid[] = "$NetBSD: compat.c,v 1.104 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)compat.c 8.2 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: compat.c,v 1.101 2015/10/11 04:51:24 sjg Exp $"); +__RCSID("$NetBSD: compat.c,v 1.104 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -146,8 +146,8 @@ CompatInterrupt(int signo) if (!noExecute && eunlink(file) != -1) { Error("*** %s removed", file); } - if (p1) - free(p1); + + free(p1); /* * Run .INTERRUPT only if hit with interrupt signal @@ -213,7 +213,7 @@ CompatRunCommand(void *cmdp, void *gnp) doIt = FALSE; cmdNode = Lst_Member(gn->commands, cmd); - cmdStart = Var_Subst(NULL, cmd, gn, FALSE, TRUE); + cmdStart = Var_Subst(NULL, cmd, gn, VARF_WANTRES); /* * brk_string will return an argv with a NULL in av[0], thus causing @@ -374,10 +374,10 @@ again: execError("exec", av[0]); _exit(1); } - if (mav) - free(mav); - if (bp) - free(bp); + + free(mav); + free(bp); + Lst_Replace(cmdNode, NULL); #ifdef USE_META @@ -516,8 +516,7 @@ Compat_Make(void *gnp, void *pgnp) if (Lst_Member(gn->iParents, pgn) != NULL) { char *p1; Var_Set(IMPSRC, Var_Value(TARGET, gn, &p1), pgn, 0); - if (p1) - free(p1); + free(p1); } /* @@ -620,8 +619,7 @@ Compat_Make(void *gnp, void *pgnp) if (Lst_Member(gn->iParents, pgn) != NULL) { char *p1; Var_Set(IMPSRC, Var_Value(TARGET, gn, &p1), pgn, 0); - if (p1) - free(p1); + free(p1); } switch(gn->made) { case BEINGMADE: diff --git a/contrib/bmake/cond.c b/contrib/bmake/cond.c index 1916300..cf0107b 100644 --- a/contrib/bmake/cond.c +++ b/contrib/bmake/cond.c @@ -1,4 +1,4 @@ -/* $NetBSD: cond.c,v 1.71 2015/12/02 00:28:24 sjg Exp $ */ +/* $NetBSD: cond.c,v 1.74 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990 The Regents of the University of California. @@ -70,14 +70,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: cond.c,v 1.71 2015/12/02 00:28:24 sjg Exp $"; +static char rcsid[] = "$NetBSD: cond.c,v 1.74 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)cond.c 8.2 (Berkeley) 1/2/94"; #else -__RCSID("$NetBSD: cond.c,v 1.71 2015/12/02 00:28:24 sjg Exp $"); +__RCSID("$NetBSD: cond.c,v 1.74 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -289,10 +289,10 @@ CondGetArg(char **linePtr, char **argPtr, const char *func) int len; void *freeIt; - cp2 = Var_Parse(cp, VAR_CMD, TRUE, TRUE, &len, &freeIt); + cp2 = Var_Parse(cp, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES, + &len, &freeIt); Buf_AddBytes(&buf, strlen(cp2), cp2); - if (freeIt) - free(freeIt); + free(freeIt); cp += len; continue; } @@ -346,8 +346,8 @@ CondDoDefined(int argLen MAKE_ATTR_UNUSED, const char *arg) } else { result = FALSE; } - if (p1) - free(p1); + + free(p1); return (result); } @@ -574,8 +574,9 @@ CondGetString(Boolean doEval, Boolean *quoted, void **freeIt, Boolean strictLHS) break; case '$': /* if we are in quotes, then an undefined variable is ok */ - str = Var_Parse(condExpr, VAR_CMD, (qt ? 0 : doEval), - TRUE, &len, freeIt); + str = Var_Parse(condExpr, VAR_CMD, + ((!qt && doEval) ? VARF_UNDEFERR : 0) | + VARF_WANTRES, &len, freeIt); if (str == var_Error) { if (*freeIt) { free(*freeIt); @@ -805,10 +806,8 @@ do_string_compare: } done: - if (lhsFree) - free(lhsFree); - if (rhsFree) - free(rhsFree); + free(lhsFree); + free(rhsFree); return t; } @@ -827,7 +826,7 @@ get_mpt_arg(char **linePtr, char **argPtr, const char *func MAKE_ATTR_UNUSED) /* We do all the work here and return the result as the length */ *argPtr = NULL; - val = Var_Parse(cp - 1, VAR_CMD, FALSE, TRUE, &length, &freeIt); + val = Var_Parse(cp - 1, VAR_CMD, VARF_WANTRES, &length, &freeIt); /* * Advance *linePtr to beyond the closing ). Note that * we subtract one because 'length' is calculated from 'cp - 1'. @@ -848,8 +847,7 @@ get_mpt_arg(char **linePtr, char **argPtr, const char *func MAKE_ATTR_UNUSED) * true/false here. */ length = *val ? 2 : 1; - if (freeIt) - free(freeIt); + free(freeIt); return length; } @@ -900,8 +898,7 @@ compare_function(Boolean doEval) } /* Evaluate the argument using the required function. */ t = !doEval || fn_def->fn_proc(arglen, arg); - if (arg) - free(arg); + free(arg); condExpr = cp; return t; } @@ -933,8 +930,7 @@ compare_function(Boolean doEval) * be empty - even if it contained a variable expansion. */ t = !doEval || if_info->defProc(arglen, arg) != if_info->doNot; - if (arg) - free(arg); + free(arg); return t; } diff --git a/contrib/bmake/dirname.c b/contrib/bmake/dirname.c index 8b6b6c3..154593b 100644 --- a/contrib/bmake/dirname.c +++ b/contrib/bmake/dirname.c @@ -1,4 +1,4 @@ -/* $NetBSD: dirname.c,v 1.11 2009/11/24 13:34:20 tnozaki Exp $ */ +/* $NetBSD: dirname.c,v 1.13 2014/07/16 10:52:26 christos Exp $ */ /*- * Copyright (c) 1997, 2002 The NetBSD Foundation, Inc. @@ -35,7 +35,10 @@ #ifndef HAVE_DIRNAME #include - +#include +#ifdef HAVE_LIBGEN_H +#include +#endif #ifdef HAVE_LIMITS_H #include #endif @@ -45,51 +48,73 @@ #ifndef PATH_MAX # define PATH_MAX 1024 #endif +#ifndef MIN +# define MIN(a, b) ((a < b) ? a : b) +#endif -char * -dirname(char *path) + +static size_t +xdirname_r(const char *path, char *buf, size_t buflen) { - static char result[PATH_MAX]; - const char *lastp; + const char *endp; size_t len; /* * If `path' is a null pointer or points to an empty string, * return a pointer to the string ".". */ - if ((path == NULL) || (*path == '\0')) - goto singledot; - + if (path == NULL || *path == '\0') { + path = "."; + len = 1; + goto out; + } /* Strip trailing slashes, if any. */ - lastp = path + strlen(path) - 1; - while (lastp != path && *lastp == '/') - lastp--; + endp = path + strlen(path) - 1; + while (endp != path && *endp == '/') + endp--; - /* Terminate path at the last occurence of '/'. */ - do { - if (*lastp == '/') { - /* Strip trailing slashes, if any. */ - while (lastp != path && *lastp == '/') - lastp--; + /* Find the start of the dir */ + while (endp > path && *endp != '/') + endp--; - /* ...and copy the result into the result buffer. */ - len = (lastp - path) + 1 /* last char */; - if (len > (PATH_MAX - 1)) - len = PATH_MAX - 1; + if (endp == path) { + path = *endp == '/' ? "/" : "."; + len = 1; + goto out; + } - memcpy(result, path, len); - result[len] = '\0'; + do + endp--; + while (endp > path && *endp == '/'); - return (result); - } - } while (--lastp >= path); + len = endp - path + 1; +out: + if (buf != NULL && buflen != 0) { + buflen = MIN(len, buflen - 1); + memcpy(buf, path, buflen); + buf[buflen] = '\0'; + } + return len; +} - /* No /'s found, return a pointer to the string ".". */ -singledot: - result[0] = '.'; - result[1] = '\0'; +char * +dirname(char *path) +{ + static char result[PATH_MAX]; + (void)xdirname_r(path, result, sizeof(result)); + return result; +} + +#ifdef MAIN +#include +#include - return (result); +int +main(int argc, char *argv[]) +{ + printf("%s\n", dirname(argv[1])); + exit(0); } #endif +#endif diff --git a/contrib/bmake/for.c b/contrib/bmake/for.c index 7f10e56..ec00a45 100644 --- a/contrib/bmake/for.c +++ b/contrib/bmake/for.c @@ -1,4 +1,4 @@ -/* $NetBSD: for.c,v 1.50 2015/10/11 04:51:24 sjg Exp $ */ +/* $NetBSD: for.c,v 1.52 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1992, The Regents of the University of California. @@ -30,14 +30,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: for.c,v 1.50 2015/10/11 04:51:24 sjg Exp $"; +static char rcsid[] = "$NetBSD: for.c,v 1.52 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)for.c 8.1 (Berkeley) 6/6/93"; #else -__RCSID("$NetBSD: for.c,v 1.50 2015/10/11 04:51:24 sjg Exp $"); +__RCSID("$NetBSD: for.c,v 1.52 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -216,7 +216,7 @@ For_Eval(char *line) * We can't do the escapes here - because we don't know whether * we are substuting into ${...} or $(...). */ - sub = Var_Subst(NULL, ptr, VAR_GLOBAL, FALSE, TRUE); + sub = Var_Subst(NULL, ptr, VAR_GLOBAL, VARF_WANTRES); /* * Split into words allowing for quoted strings. diff --git a/contrib/bmake/getopt.c b/contrib/bmake/getopt.c index c40bc13..da29dae 100644 --- a/contrib/bmake/getopt.c +++ b/contrib/bmake/getopt.c @@ -1,3 +1,5 @@ +/* $NetBSD: getopt.c,v 1.29 2014/06/05 22:00:22 christos Exp $ */ + /* * Copyright (c) 1987, 1993, 1994 * The Regents of the University of California. All rights reserved. @@ -10,11 +12,7 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors + * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * @@ -35,11 +33,7 @@ # include "config.h" #endif #if !defined(HAVE_GETOPT) || defined(WANT_GETOPT_LONG) || defined(BROKEN_GETOPT) - -#if defined(LIBC_SCCS) && !defined(lint) -/* static char sccsid[] = "from: @(#)getopt.c 8.2 (Berkeley) 4/2/94"; */ -static char *rcsid = "$Id: getopt.c,v 1.3 1999/01/08 02:14:18 sjg Exp $"; -#endif /* LIBC_SCCS and not lint */ +#include #include #include @@ -61,13 +55,10 @@ char *optarg; /* argument associated with option */ * Parse argc/argv argument vector. */ int -getopt(nargc, nargv, ostr) - int nargc; - char * const *nargv; - const char *ostr; +getopt(int nargc, char * const nargv[], const char *ostr) { extern char *__progname; - static char *place = EMSG; /* option letter processing */ + static const char *place = EMSG; /* option letter processing */ char *oli; /* option letter list index */ #ifndef BSD4_4 @@ -79,43 +70,63 @@ getopt(nargc, nargv, ostr) } #endif - if (optreset || !*place) { /* update scanning pointer */ + if (optreset || *place == 0) { /* update scanning pointer */ optreset = 0; - if (optind >= nargc || *(place = nargv[optind]) != '-') { + place = nargv[optind]; + if (optind >= nargc || *place++ != '-') { + /* Argument is absent or is not an option */ place = EMSG; return (-1); } - if (place[1] && *++place == '-' /* found "--" */ - && !place[1]) { /* and not "--foo" */ + optopt = *place++; + if (optopt == '-' && *place == 0) { + /* "--" => end of options */ ++optind; place = EMSG; return (-1); } - } /* option letter okay? */ - if ((optopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, optopt))) { - /* - * if the user didn't specify '-' as an option, - * assume it means -1. - */ - if (optopt == (int)'-') - return (-1); - if (!*place) + if (optopt == 0) { + /* Solitary '-', treat as a '-' option + if the program (eg su) is looking for it. */ + place = EMSG; + if (strchr(ostr, '-') == NULL) + return -1; + optopt = '-'; + } + } else + optopt = *place++; + + /* See if option letter is one the caller wanted... */ + if (optopt == ':' || (oli = strchr(ostr, optopt)) == NULL) { + if (*place == 0) ++optind; if (opterr && *ostr != ':') (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, optopt); + "%s: unknown option -- %c\n", __progname, optopt); return (BADCH); } - if (*++oli != ':') { /* don't need argument */ + + /* Does this option need an argument? */ + if (oli[1] != ':') { + /* don't need argument */ optarg = NULL; - if (!*place) + if (*place == 0) ++optind; - } - else { /* need an argument */ - if (*place) /* no white space */ - optarg = place; - else if (nargc <= ++optind) { /* no arg */ + } else { + /* Option-argument is either the rest of this argument or the + entire next argument. */ + if (*place) + optarg = __UNCONST(place); + else if (oli[2] == ':') + /* + * GNU Extension, for optional arguments if the rest of + * the argument is empty, we return NULL + */ + optarg = NULL; + else if (nargc > ++optind) + optarg = nargv[optind]; + else { + /* option-argument absent */ place = EMSG; if (*ostr == ':') return (BADARG); @@ -125,12 +136,10 @@ getopt(nargc, nargv, ostr) __progname, optopt); return (BADCH); } - else /* white space */ - optarg = nargv[optind]; place = EMSG; ++optind; } - return (optopt); /* dump back option letter */ + return (optopt); /* return option letter */ } #endif #ifdef MAIN diff --git a/contrib/bmake/job.c b/contrib/bmake/job.c index 20f693a..54c25f5 100644 --- a/contrib/bmake/job.c +++ b/contrib/bmake/job.c @@ -1,4 +1,4 @@ -/* $NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $ */ +/* $NetBSD: job.c,v 1.186 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990 The Regents of the University of California. @@ -70,14 +70,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $"; +static char rcsid[] = "$NetBSD: job.c,v 1.186 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)job.c 8.2 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $"); +__RCSID("$NetBSD: job.c,v 1.186 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -144,7 +144,6 @@ __RCSID("$NetBSD: job.c,v 1.181 2015/10/11 04:51:24 sjg Exp $"); #include #include -#include #if !defined(USE_SELECT) && defined(HAVE_POLL_H) #include #else @@ -441,8 +440,8 @@ JobCreatePipe(Job *job, int minfd) } /* Set close-on-exec flag for both */ - (void)fcntl(job->jobPipe[0], F_SETFD, 1); - (void)fcntl(job->jobPipe[1], F_SETFD, 1); + (void)fcntl(job->jobPipe[0], F_SETFD, FD_CLOEXEC); + (void)fcntl(job->jobPipe[1], F_SETFD, FD_CLOEXEC); /* * We mark the input side of the pipe non-blocking; we poll(2) the @@ -731,7 +730,7 @@ JobPrintCommand(void *cmdp, void *jobp) numCommands += 1; - cmdStart = cmd = Var_Subst(NULL, cmd, job->node, FALSE, TRUE); + cmdStart = cmd = Var_Subst(NULL, cmd, job->node, VARF_WANTRES); cmdTemplate = "%s\n"; @@ -882,8 +881,7 @@ JobPrintCommand(void *cmdp, void *jobp) DBPRINTF(cmdTemplate, cmd); free(cmdStart); - if (escCmd) - free(escCmd); + free(escCmd); if (errOff) { /* * If echoing is already off, there's no point in issuing the @@ -919,7 +917,7 @@ JobPrintCommand(void *cmdp, void *jobp) static int JobSaveCommand(void *cmd, void *gn) { - cmd = Var_Subst(NULL, (char *)cmd, (GNode *)gn, FALSE, TRUE); + cmd = Var_Subst(NULL, (char *)cmd, (GNode *)gn, VARF_WANTRES); (void)Lst_AtEnd(postCommands->commands, cmd); return(0); } @@ -1250,8 +1248,7 @@ Job_CheckCommands(GNode *gn, void (*abortProc)(const char *, ...)) */ Make_HandleUse(DEFAULT, gn); Var_Set(IMPSRC, Var_Value(TARGET, gn, &p1), gn, 0); - if (p1) - free(p1); + free(p1); } else if (Dir_MTime(gn, 0) == 0 && (gn->type & OP_SPECIAL) == 0) { /* * The node wasn't the target of an operator we have no .DEFAULT @@ -1615,7 +1612,7 @@ JobStart(GNode *gn, int flags) if (job->cmdFILE == NULL) { Punt("Could not fdopen %s", tfile); } - (void)fcntl(FILENO(job->cmdFILE), F_SETFD, 1); + (void)fcntl(FILENO(job->cmdFILE), F_SETFD, FD_CLOEXEC); /* * Send the commands to the command file, flush all its buffers then * rewind and remove the thing. @@ -2212,7 +2209,7 @@ Job_SetPrefix(void) } targPrefix = Var_Subst(NULL, "${" MAKE_JOB_PREFIX "}", - VAR_GLOBAL, FALSE, TRUE); + VAR_GLOBAL, VARF_WANTRES); } /*- @@ -2425,8 +2422,7 @@ Job_ParseShell(char *line) line++; } - if (shellArgv) - free(UNCONST(shellArgv)); + free(UNCONST(shellArgv)); memset(&newShell, 0, sizeof(newShell)); @@ -2674,8 +2670,7 @@ void Job_End(void) { #ifdef CLEANUP - if (shellArgv) - free(shellArgv); + free(shellArgv); #endif } @@ -2880,8 +2875,8 @@ Job_ServerStart(int max_tokens, int jp_0, int jp_1) /* Pipe passed in from parent */ tokenWaitJob.inPipe = jp_0; tokenWaitJob.outPipe = jp_1; - (void)fcntl(jp_0, F_SETFD, 1); - (void)fcntl(jp_1, F_SETFD, 1); + (void)fcntl(jp_0, F_SETFD, FD_CLOEXEC); + (void)fcntl(jp_1, F_SETFD, FD_CLOEXEC); return; } diff --git a/contrib/bmake/main.c b/contrib/bmake/main.c index fcae496..be6039e 100644 --- a/contrib/bmake/main.c +++ b/contrib/bmake/main.c @@ -1,4 +1,4 @@ -/* $NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $ */ +/* $NetBSD: main.c,v 1.242 2016/03/07 21:45:43 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,7 +69,7 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $"; +static char rcsid[] = "$NetBSD: main.c,v 1.242 2016/03/07 21:45:43 christos Exp $"; #else #include #ifndef lint @@ -81,7 +81,7 @@ __COPYRIGHT("@(#) Copyright (c) 1988, 1989, 1990, 1993\ #if 0 static char sccsid[] = "@(#)main.c 8.3 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $"); +__RCSID("$NetBSD: main.c,v 1.242 2016/03/07 21:45:43 christos Exp $"); #endif #endif /* not lint */ #endif @@ -125,7 +125,6 @@ __RCSID("$NetBSD: main.c,v 1.235 2015/10/25 05:24:44 sjg Exp $"); #include "wait.h" #include -#include #include #include #include @@ -696,8 +695,7 @@ Main_ParseArgLine(const char *line) #endif buf = bmake_malloc(len = strlen(line) + strlen(argv0) + 2); (void)snprintf(buf, len, "%s %s", argv0, line); - if (p1) - free(p1); + free(p1); argv = brk_string(buf, &argc, TRUE, &args); if (argv == NULL) { @@ -723,7 +721,7 @@ Main_SetObjdir(const char *path) /* expand variable substitutions */ if (strchr(path, '$') != 0) { snprintf(buf, MAXPATHLEN, "%s", path); - path = p = Var_Subst(NULL, buf, VAR_GLOBAL, FALSE, TRUE); + path = p = Var_Subst(NULL, buf, VAR_GLOBAL, VARF_WANTRES); } if (path[0] != '/') { @@ -747,8 +745,7 @@ Main_SetObjdir(const char *path) } } - if (p) - free(p); + free(p); return rc; } @@ -807,7 +804,7 @@ MakeMode(const char *mode) if (!mode) mode = mp = Var_Subst(NULL, "${" MAKE_MODE ":tl}", - VAR_GLOBAL, FALSE, TRUE); + VAR_GLOBAL, VARF_WANTRES); if (mode && *mode) { if (strstr(mode, "compat")) { @@ -819,8 +816,8 @@ MakeMode(const char *mode) meta_mode_init(mode); #endif } - if (mp) - free(mp); + + free(mp); } /*- @@ -1253,7 +1250,7 @@ main(int argc, char **argv) (char *)Lst_Datum(ln)); } else { p1 = Var_Subst(NULL, "${" MAKEFILE_PREFERENCE "}", - VAR_CMD, FALSE, TRUE); + VAR_CMD, VARF_WANTRES); if (p1) { (void)str2Lst_Append(makefiles, p1, NULL); (void)Lst_Find(makefiles, NULL, ReadMakefile); @@ -1264,7 +1261,7 @@ main(int argc, char **argv) /* In particular suppress .depend for '-r -V .OBJDIR -f /dev/null' */ if (!noBuiltins || !printVars) { makeDependfile = Var_Subst(NULL, "${.MAKE.DEPENDFILE:T}", - VAR_CMD, FALSE, TRUE); + VAR_CMD, VARF_WANTRES); doing_depend = TRUE; (void)ReadMakefile(makeDependfile, NULL); doing_depend = FALSE; @@ -1276,8 +1273,7 @@ main(int argc, char **argv) MakeMode(NULL); Var_Append("MFLAGS", Var_Value(MAKEFLAGS, VAR_GLOBAL, &p1), VAR_GLOBAL); - if (p1) - free(p1); + free(p1); if (!compatMake) Job_ServerStart(maxJobTokens, jp_0, jp_1); @@ -1302,7 +1298,7 @@ main(int argc, char **argv) */ static char VPATH[] = "${VPATH}"; - vpath = Var_Subst(NULL, VPATH, VAR_CMD, FALSE, TRUE); + vpath = Var_Subst(NULL, VPATH, VAR_CMD, VARF_WANTRES); path = vpath; do { /* skip to end of directory */ @@ -1350,7 +1346,7 @@ main(int argc, char **argv) if (strchr(var, '$')) { value = p1 = Var_Subst(NULL, var, VAR_GLOBAL, - FALSE, TRUE); + VARF_WANTRES); } else if (expandVars) { char tmp[128]; @@ -1358,13 +1354,12 @@ main(int argc, char **argv) Fatal("%s: variable name too big: %s", progname, var); value = p1 = Var_Subst(NULL, tmp, VAR_GLOBAL, - FALSE, TRUE); + VARF_WANTRES); } else { value = Var_Value(var, VAR_GLOBAL, &p1); } printf("%s\n", value ? value : ""); - if (p1) - free(p1); + free(p1); } } else { /* @@ -1420,6 +1415,9 @@ main(int argc, char **argv) if (enterFlag) printf("%s: Leaving directory `%s'\n", progname, curdir); +#ifdef USE_META + meta_finish(); +#endif Suff_End(); Targ_End(); Arch_End(); @@ -1488,8 +1486,7 @@ ReadMakefile(const void *p, const void *q MAKE_ATTR_UNUSED) name = Dir_FindFile(fname, Lst_IsEmpty(sysIncPath) ? defIncPath : sysIncPath); if (!name || (fd = open(name, O_RDONLY)) == -1) { - if (name) - free(name); + free(name); free(path); return(-1); } @@ -1896,7 +1893,7 @@ PrintOnError(GNode *gn, const char *s) } strncpy(tmp, "${MAKE_PRINT_VAR_ON_ERROR:@v@$v='${$v}'\n@}", sizeof(tmp) - 1); - cp = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE); + cp = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES); if (cp) { if (*cp) printf("%s", cp); @@ -1927,7 +1924,7 @@ Main_ExportMAKEFLAGS(Boolean first) strncpy(tmp, "${.MAKEFLAGS} ${.MAKEOVERRIDES:O:u:@v@$v=${$v:Q}@}", sizeof(tmp)); - s = Var_Subst(NULL, tmp, VAR_CMD, FALSE, TRUE); + s = Var_Subst(NULL, tmp, VAR_CMD, VARF_WANTRES); if (s && *s) { #ifdef POSIX setenv("MAKEFLAGS", s, 1); @@ -1950,7 +1947,7 @@ getTmpdir(void) * Ensure it ends with /. */ tmpdir = Var_Subst(NULL, "${TMPDIR:tA:U" _PATH_TMP "}/", VAR_GLOBAL, - FALSE, TRUE); + VARF_WANTRES); if (stat(tmpdir, &st) < 0 || !S_ISDIR(st.st_mode)) { free(tmpdir); tmpdir = bmake_strdup(_PATH_TMP); @@ -1990,6 +1987,44 @@ mkTempFile(const char *pattern, char **fnamep) return fd; } +/* + * Convert a string representation of a boolean. + * Anything that looks like "No", "False", "Off", "0" etc, + * is FALSE, otherwise TRUE. + */ +Boolean +s2Boolean(const char *s, Boolean bf) +{ + if (s) { + switch(*s) { + case '\0': /* not set - the default wins */ + break; + case '0': + case 'F': + case 'f': + case 'N': + case 'n': + bf = FALSE; + break; + case 'O': + case 'o': + switch (s[1]) { + case 'F': + case 'f': + bf = FALSE; + break; + default: + bf = TRUE; + break; + } + break; + default: + bf = TRUE; + break; + } + } + return (bf); +} /* * Return a Boolean based on setting of a knob. @@ -2004,32 +2039,11 @@ getBoolean(const char *name, Boolean bf) char tmp[64]; char *cp; - if (snprintf(tmp, sizeof(tmp), "${%s:tl}", name) < (int)(sizeof(tmp))) { - cp = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE); + if (snprintf(tmp, sizeof(tmp), "${%s:U:tl}", name) < (int)(sizeof(tmp))) { + cp = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES); if (cp) { - switch(*cp) { - case '\0': /* not set - the default wins */ - break; - case '0': - case 'f': - case 'n': - bf = FALSE; - break; - case 'o': - switch (cp[1]) { - case 'f': - bf = FALSE; - break; - default: - bf = TRUE; - break; - } - break; - default: - bf = TRUE; - break; - } + bf = s2Boolean(cp, bf); free(cp); } } diff --git a/contrib/bmake/make.1 b/contrib/bmake/make.1 index 38bba31..ecece48 100644 --- a/contrib/bmake/make.1 +++ b/contrib/bmake/make.1 @@ -1,4 +1,4 @@ -.\" $NetBSD: make.1,v 1.249 2015/06/05 07:33:40 wiz Exp $ +.\" $NetBSD: make.1,v 1.254 2016/02/20 01:43:28 wiz Exp $ .\" .\" Copyright (c) 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)make.1 8.4 (Berkeley) 3/19/94 .\" -.Dd June 4, 2015 +.Dd February 19, 2016 .Dt MAKE 1 .Os .Sh NAME @@ -293,7 +293,7 @@ then will search for the specified file or directory named in the remaining part of the argument string. The search starts with the current directory of -the Makefile and then works upward towards the root of the filesystem. +the Makefile and then works upward towards the root of the file system. If the search is successful, then the resulting directory replaces the .Qq \&.../ specification in the @@ -879,7 +879,7 @@ This can be overridden by setting .Va bf to a value which represents True. .It Pa env -For debugging, it can be useful to inlcude the environment +For debugging, it can be useful to include the environment in the .meta file. .It Pa verbose If in "meta" mode, print a clue about the target being built. @@ -929,7 +929,7 @@ The default value is: This variable is used to record the names of variables assigned to on the command line, so that they may be exported as part of .Ql Ev MAKEFLAGS . -This behaviour can be disabled by assigning an empty value to +This behavior can be disabled by assigning an empty value to .Ql Va .MAKEOVERRIDES within a makefile. Extra variables can be exported from a makefile @@ -952,6 +952,19 @@ The process-id of .It Va .MAKE.PPID The parent process-id of .Nm . +.It Va .MAKE.SAVE_DOLLARS +value should be a boolean that controls whether +.Ql $$ +are preserved when doing +.Ql := +assignments. +The default is false, for backwards compatibility. +Set to true for compatability with other makes. +If set to false, +.Ql $$ +becomes +.Ql $ +per normal evaluation rules. .It Va MAKE_PRINT_VAR_ON_ERROR When .Nm @@ -1055,7 +1068,7 @@ sets to the value of .Ql Ev PWD instead. -This behaviour is disabled if +This behavior is disabled if .Ql Ev MAKEOBJDIRPREFIX is set or .Ql Ev MAKEOBJDIR @@ -1125,7 +1138,7 @@ The wildcard characters may be escaped with a backslash As a consequence of the way values are split into words, matched, and then joined, a construct like .Dl ${VAR:M*} -will normalise the inter-word spacing, removing all leading and +will normalize the inter-word spacing, removing all leading and trailing space, and converting multiple consecutive spaces to single spaces. . @@ -1145,7 +1158,7 @@ Randomize words in variable. The results will be different each time you are referring to the modified variable; use the assignment with expansion .Pq Ql Cm \&:= -to prevent such behaviour. +to prevent such behavior. For example, .Bd -literal -offset indent LIST= uno due tre quattro @@ -1177,7 +1190,7 @@ The value is a format string for using the current .Xr gmtime 3 . .It Cm \&:hash -Compute a 32bit hash of the value and encode it as hex digits. +Compute a 32-bit hash of the value and encode it as hex digits. .It Cm \&:localtime The value is a format string for .Xr strftime 3 , @@ -1455,7 +1468,7 @@ value is divided into words. .Pp Ordinarily, a value is treated as a sequence of words delimited by white space. -Some modifiers suppress this behaviour, +Some modifiers suppress this behavior, causing a value to be treated as a single word (possibly containing embedded white space). An empty value, or a value that consists entirely of white-space, @@ -1541,12 +1554,20 @@ For compatibility with other versions of .Nm .Ql include file ... is also accepted. +.Pp If the include statement is written as .Cm .-include or as .Cm .sinclude then errors locating and/or opening include files are ignored. .Pp +If the include statement is written as +.Cm .dinclude +not only are errors locating and/or opening include files ignored, +but stale dependencies within the included file will be ignored +just like +.Va .MAKE.DEPENDFILE . +.Pp Conditional expressions are also preceded by a single dot as the first character of a line. The possible conditionals are as follows: @@ -1582,6 +1603,10 @@ This allows exporting a value to the environment which is different from that used by .Nm internally. +.It Ic .export-literal Ar variable ... +The same as +.Ql .export-env , +except that variables in the value are not expanded. .It Ic .info Ar message The message is printed along with the name of the makefile and line number. .It Ic .undef Ar variable @@ -2079,7 +2104,7 @@ The sources are a set of pairs. .Bl -tag -width hasErrCtls .It Ar name -This is the minimal specification, used to select one of the builtin +This is the minimal specification, used to select one of the built-in shell specs; .Ar sh , .Ar ksh , diff --git a/contrib/bmake/make.c b/contrib/bmake/make.c index b43bfd5..5ea04fc 100644 --- a/contrib/bmake/make.c +++ b/contrib/bmake/make.c @@ -1,4 +1,4 @@ -/* $NetBSD: make.c,v 1.92 2015/10/11 04:51:24 sjg Exp $ */ +/* $NetBSD: make.c,v 1.95 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,14 +69,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: make.c,v 1.92 2015/10/11 04:51:24 sjg Exp $"; +static char rcsid[] = "$NetBSD: make.c,v 1.95 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)make.c 8.1 (Berkeley) 6/6/93"; #else -__RCSID("$NetBSD: make.c,v 1.92 2015/10/11 04:51:24 sjg Exp $"); +__RCSID("$NetBSD: make.c,v 1.95 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -482,10 +482,9 @@ Make_HandleUse(GNode *cgn, GNode *pgn) if (gn->uname == NULL) { gn->uname = gn->name; } else { - if (gn->name) - free(gn->name); + free(gn->name); } - gn->name = Var_Subst(NULL, gn->uname, pgn, FALSE, TRUE); + gn->name = Var_Subst(NULL, gn->uname, pgn, VARF_WANTRES); if (gn->name && gn->uname && strcmp(gn->name, gn->uname) != 0) { /* See if we have a target for this node. */ tgn = Targ_FindNode(gn->name, TARG_NOCREATE); @@ -692,8 +691,7 @@ Make_Update(GNode *cgn) checked++; cname = Var_Value(TARGET, cgn, &p1); - if (p1) - free(p1); + free(p1); if (DEBUG(MAKE)) fprintf(debug_file, "Make_Update: %s%s\n", cgn->name, cgn->cohort_num); @@ -838,8 +836,7 @@ Make_Update(GNode *cgn) Var_Set(PREFIX, cpref, pgn, 0); } } - if (p1) - free(p1); + free(p1); Lst_Close(cgn->iParents); } } @@ -907,8 +904,7 @@ MakeAddAllSrc(void *cgnp, void *pgnp) } if (allsrc != NULL) Var_Append(ALLSRC, allsrc, pgn); - if (p2) - free(p2); + free(p2); if (pgn->type & OP_JOIN) { if (cgn->made == MADE) { Var_Append(OODATE, child, pgn); @@ -934,8 +930,7 @@ MakeAddAllSrc(void *cgnp, void *pgnp) */ Var_Append(OODATE, child, pgn); } - if (p1) - free(p1); + free(p1); } return (0); } @@ -981,8 +976,7 @@ Make_DoAllVar(GNode *gn) if (gn->type & OP_JOIN) { char *p1; Var_Set(TARGET, Var_Value(ALLSRC, gn, &p1), gn, 0); - if (p1) - free(p1); + free(p1); } gn->flags |= DONE_ALLSRC; } diff --git a/contrib/bmake/make.h b/contrib/bmake/make.h index 7cf34d8..4448505 100644 --- a/contrib/bmake/make.h +++ b/contrib/bmake/make.h @@ -1,4 +1,4 @@ -/* $NetBSD: make.h,v 1.96 2015/09/21 21:50:16 pooka Exp $ */ +/* $NetBSD: make.h,v 1.98 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -88,6 +88,7 @@ #include #include +#include #include #include #ifdef HAVE_STRING_H @@ -98,6 +99,10 @@ #include #include +#ifndef FD_CLOEXEC +#define FD_CLOEXEC 1 +#endif + #if defined(__GNUC__) #define MAKE_GNUC_PREREQ(x, y) \ ((__GNUC__ == (x) && __GNUC_MINOR__ >= (y)) || \ @@ -501,6 +506,10 @@ Boolean Main_SetObjdir(const char *); int mkTempFile(const char *, char **); int str2Lst_Append(Lst, char *, const char *); +#define VARF_UNDEFERR 1 +#define VARF_WANTRES 2 +#define VARF_ASSIGN 4 + #ifdef __GNUC__ #define UNCONST(ptr) ({ \ union __unconst { \ diff --git a/contrib/bmake/meta.c b/contrib/bmake/meta.c index a7a4b19..f4acbde 100644 --- a/contrib/bmake/meta.c +++ b/contrib/bmake/meta.c @@ -1,4 +1,4 @@ -/* $NetBSD: meta.c,v 1.41 2015/11/30 23:37:56 sjg Exp $ */ +/* $NetBSD: meta.c,v 1.53 2016/03/07 21:45:43 christos Exp $ */ /* * Implement 'meta' mode. @@ -6,7 +6,7 @@ * --sjg */ /* - * Copyright (c) 2009-2010, Juniper Networks, Inc. + * Copyright (c) 2009-2016, Juniper Networks, Inc. * Portions Copyright (c) 2009, John Birrell. * * Redistribution and use in source and binary forms, with or without @@ -37,7 +37,6 @@ #endif #include #include -#include #ifdef HAVE_LIBGEN_H #include #elif !defined(HAVE_DIRNAME) @@ -60,7 +59,9 @@ char * dirname(char *); static BuildMon Mybm; /* for compat */ static Lst metaBailiwick; /* our scope of control */ +static char *metaBailiwickStr; /* string storage for the list */ static Lst metaIgnorePaths; /* paths we deliberately ignore */ +static char *metaIgnorePathsStr; /* string storage for the list */ #ifndef MAKE_META_IGNORE_PATHS #define MAKE_META_IGNORE_PATHS ".MAKE.META.IGNORE_PATHS" @@ -148,8 +149,8 @@ filemon_open(BuildMon *pbm) err(1, "Could not set filemon file descriptor!"); } /* we don't need these once we exec */ - (void)fcntl(pbm->mon_fd, F_SETFD, 1); - (void)fcntl(pbm->filemon_fd, F_SETFD, 1); + (void)fcntl(pbm->mon_fd, F_SETFD, FD_CLOEXEC); + (void)fcntl(pbm->filemon_fd, F_SETFD, FD_CLOEXEC); } /* @@ -300,8 +301,7 @@ meta_name(struct GNode *gn, char *mname, size_t mnamelen, } free(tp); for (i--; i >= 0; i--) { - if (p[i]) - free(p[i]); + free(p[i]); } return (mname); } @@ -328,7 +328,7 @@ is_submake(void *cmdp, void *gnp) } cp = strchr(cmd, '$'); if ((cp)) { - mp = Var_Subst(NULL, cmd, gn, FALSE, TRUE); + mp = Var_Subst(NULL, cmd, gn, VARF_WANTRES); cmd = mp; } cp2 = strstr(cmd, p_make); @@ -353,8 +353,7 @@ is_submake(void *cmdp, void *gnp) } } } - if (mp) - free(mp); + free(mp); return (rc); } @@ -371,11 +370,10 @@ printCMD(void *cmdp, void *mfpp) char *cp = NULL; if (strchr(cmd, '$')) { - cmd = cp = Var_Subst(NULL, cmd, mfp->gn, FALSE, TRUE); + cmd = cp = Var_Subst(NULL, cmd, mfp->gn, VARF_WANTRES); } fprintf(mfp->fp, "CMD %s\n", cmd); - if (cp) - free(cp); + free(cp); return 0; } @@ -466,7 +464,7 @@ meta_create(BuildMon *pbm, GNode *gn) char *mp; /* Describe the target we are building */ - mp = Var_Subst(NULL, "${" MAKE_META_PREFIX "}", gn, FALSE, TRUE); + mp = Var_Subst(NULL, "${" MAKE_META_PREFIX "}", gn, VARF_WANTRES); if (*mp) fprintf(stdout, "%s\n", mp); free(mp); @@ -480,9 +478,6 @@ meta_create(BuildMon *pbm, GNode *gn) fflush(stdout); - if (strcmp(cp, makeDependfile) == 0) - goto out; - if (!writeMeta) /* Don't create meta data. */ goto out; @@ -524,8 +519,7 @@ meta_create(BuildMon *pbm, GNode *gn) } out: for (i--; i >= 0; i--) { - if (p[i]) - free(p[i]); + free(p[i]); } return (mf.fp); @@ -609,10 +603,10 @@ meta_mode_init(const char *make_mode) * We consider ourselves master of all within ${.MAKE.META.BAILIWICK} */ metaBailiwick = Lst_Init(FALSE); - cp = Var_Subst(NULL, "${.MAKE.META.BAILIWICK:O:u:tA}", VAR_GLOBAL, - FALSE, TRUE); - if (cp) { - str2Lst_Append(metaBailiwick, cp, NULL); + metaBailiwickStr = Var_Subst(NULL, "${.MAKE.META.BAILIWICK:O:u:tA}", + VAR_GLOBAL, VARF_WANTRES); + if (metaBailiwickStr) { + str2Lst_Append(metaBailiwick, metaBailiwickStr, NULL); } /* * We ignore any paths that start with ${.MAKE.META.IGNORE_PATHS} @@ -620,11 +614,11 @@ meta_mode_init(const char *make_mode) metaIgnorePaths = Lst_Init(FALSE); Var_Append(MAKE_META_IGNORE_PATHS, "/dev /etc /proc /tmp /var/run /var/tmp ${TMPDIR}", VAR_GLOBAL); - cp = Var_Subst(NULL, + metaIgnorePathsStr = Var_Subst(NULL, "${" MAKE_META_IGNORE_PATHS ":O:u:tA}", VAR_GLOBAL, - FALSE, TRUE); - if (cp) { - str2Lst_Append(metaIgnorePaths, cp, NULL); + VARF_WANTRES); + if (metaIgnorePathsStr) { + str2Lst_Append(metaIgnorePaths, metaIgnorePathsStr, NULL); } } @@ -693,9 +687,9 @@ meta_job_error(Job *job, GNode *gn, int flags, int status) if (job != NULL) { pbm = &job->bm; - } else { if (!gn) gn = job->node; + } else { pbm = &Mybm; } if (pbm->mfp != NULL) { @@ -709,7 +703,7 @@ meta_job_error(Job *job, GNode *gn, int flags, int status) } getcwd(cwd, sizeof(cwd)); Var_Set(".ERROR_CWD", cwd, VAR_GLOBAL, 0); - if (pbm && pbm->meta_fname[0]) { + if (pbm->meta_fname[0]) { Var_Set(".ERROR_META_FILE", pbm->meta_fname, VAR_GLOBAL, 0); } meta_job_finish(job); @@ -734,7 +728,7 @@ meta_job_output(Job *job, char *cp, const char *nl) char *cp2; meta_prefix = Var_Subst(NULL, "${" MAKE_META_PREFIX "}", - VAR_GLOBAL, FALSE, TRUE); + VAR_GLOBAL, VARF_WANTRES); if ((cp2 = strchr(meta_prefix, '$'))) meta_prefix_len = cp2 - meta_prefix; else @@ -785,6 +779,15 @@ meta_job_finish(Job *job) } } +void +meta_finish(void) +{ + Lst_Destroy(metaBailiwick, NULL); + free(metaBailiwickStr); + Lst_Destroy(metaIgnorePaths, NULL); + free(metaIgnorePathsStr); +} + /* * Fetch a full line from fp - growing bufp if needed * Return length in bufp. @@ -1035,14 +1038,12 @@ meta_oodate(GNode *gn, Boolean oodate) ldir = Var_Value(ldir_vname, VAR_GLOBAL, &tp); if (ldir) { strlcpy(latestdir, ldir, sizeof(latestdir)); - if (tp) - free(tp); + free(tp); } ldir = Var_Value(lcwd_vname, VAR_GLOBAL, &tp); if (ldir) { strlcpy(lcwd, ldir, sizeof(lcwd)); - if (tp) - free(tp); + free(tp); } } /* Skip past the pid. */ @@ -1320,7 +1321,7 @@ meta_oodate(GNode *gn, Boolean oodate) if (DEBUG(META)) fprintf(debug_file, "%s: %d: cannot compare command using .OODATE\n", fname, lineno); } - cmd = Var_Subst(NULL, cmd, gn, TRUE, TRUE); + cmd = Var_Subst(NULL, cmd, gn, VARF_WANTRES|VARF_UNDEFERR); if ((cp = strchr(cmd, '\n'))) { int n; @@ -1382,7 +1383,6 @@ meta_oodate(GNode *gn, Boolean oodate) fprintf(debug_file, "%s: missing files: %s...\n", fname, (char *)Lst_Datum(Lst_First(missingFiles))); oodate = TRUE; - Lst_Destroy(missingFiles, (FreeProc *)free); } } else { if ((gn->type & OP_META)) { @@ -1391,6 +1391,9 @@ meta_oodate(GNode *gn, Boolean oodate) oodate = TRUE; } } + + Lst_Destroy(missingFiles, (FreeProc *)free); + if (oodate && needOODATE) { /* * Target uses .OODATE which is empty; or we wouldn't be here. @@ -1399,8 +1402,7 @@ meta_oodate(GNode *gn, Boolean oodate) */ Var_Delete(OODATE, gn); Var_Set(OODATE, Var_Value(ALLSRC, gn, &cp), gn, 0); - if (cp) - free(cp); + free(cp); } return oodate; } @@ -1427,8 +1429,8 @@ meta_compat_start(void) if (pipe(childPipe) < 0) Punt("Cannot create pipe: %s", strerror(errno)); /* Set close-on-exec flag for both */ - (void)fcntl(childPipe[0], F_SETFD, 1); - (void)fcntl(childPipe[1], F_SETFD, 1); + (void)fcntl(childPipe[0], F_SETFD, FD_CLOEXEC); + (void)fcntl(childPipe[1], F_SETFD, FD_CLOEXEC); } void diff --git a/contrib/bmake/meta.h b/contrib/bmake/meta.h index 57c73ca9..e9f5ed3 100644 --- a/contrib/bmake/meta.h +++ b/contrib/bmake/meta.h @@ -1,4 +1,4 @@ -/* $NetBSD: meta.h,v 1.3 2013/03/23 05:31:29 sjg Exp $ */ +/* $NetBSD: meta.h,v 1.4 2016/03/07 21:45:43 christos Exp $ */ /* * Things needed for 'meta' mode. @@ -42,6 +42,7 @@ extern Boolean useMeta; struct Job; /* not defined yet */ void meta_init(void); +void meta_finish(void); void meta_mode_init(const char *); void meta_job_start(struct Job *, GNode *); void meta_job_child(struct Job *); diff --git a/contrib/bmake/mk/ChangeLog b/contrib/bmake/mk/ChangeLog index 3c728c8..f84b5c5 100644 --- a/contrib/bmake/mk/ChangeLog +++ b/contrib/bmake/mk/ChangeLog @@ -1,3 +1,42 @@ +2016-03-02 Simon J. Gerraty + + * meta2deps.sh: don't ignore subdirs. + patch from Bryan Drewery + +2016-02-26 Simon J. Gerraty + + * install-mk (MK_VERSION): 20160226 + + * gendirdeps.mk: mark _DEPENDFILE .NOMETA + +2016-02-20 Simon J. Gerraty + + * dirdeps.mk: we shouldn't normally include .depend but if we do + use .dinclude if we can. + +2016-02-18 Simon J. Gerraty + + * install-mk (MK_VERSION): 20160218 + * sys.clean-env.mk: with recent change to Var_Subst() + we cannot use the '$$' trick, but .export-literal does the job + we need. + * auto.dep.mk: make use .dinclude if we can. + + +2016-02-05 Simon J. Gerraty + + * dirdeps.mk: + Add _build_all_dirs such that local.dirdeps.mk can + add fully qualified dirs to it. + These will be built normally but the current + DEP_RELDIR will not depend on then (to avoid cycles). + This makes it easy to hook things like unit-tests into build. + + +2016-01-21 Simon J. Gerraty + + * dirdeps.mk: add bootstrap-empty + 2015-12-12 Simon J. Gerraty * install-mk (MK_VERSION): 20151212 diff --git a/contrib/bmake/mk/auto.dep.mk b/contrib/bmake/mk/auto.dep.mk index 3313724..6bc53e5 100644 --- a/contrib/bmake/mk/auto.dep.mk +++ b/contrib/bmake/mk/auto.dep.mk @@ -1,6 +1,6 @@ # # RCSid: -# $Id: auto.dep.mk,v 1.3 2014/08/04 05:19:10 sjg Exp $ +# $Id: auto.dep.mk,v 1.4 2016/02/18 21:16:39 sjg Exp $ # # @(#) Copyright (c) 2010, Simon J. Gerraty # @@ -45,6 +45,7 @@ CXXFLAGS += ${CFLAGS_MD} ${CFLAGS_MF} CLEANFILES += .depend ${.MAKE.DEPENDFILE} *.d +.if ${MAKE_VERSION} < 20160218 # skip generating dependfile for misc targets .if ${.TARGETS:Uall:M*all} != "" .END: ${.MAKE.DEPENDFILE} @@ -60,5 +61,14 @@ ${.MAKE.DEPENDFILE}: ${OBJS} ${POBJS} ${SOBJS} -@for f in ${.ALLSRC:M*o:T:O:u:%=%.d}; do \ echo ".-include \"$$f\""; \ done > $@ +.else +# we have .dinclude +.if empty(_SKIP_BUILD) +_all_objs = ${OBJS} ${POBJS} ${SOBJS} +.for d in ${_all_objs:M*o:T:O:u:%=%.d} +.dinclude "$d" +.endfor +.endif .endif +.endif diff --git a/contrib/bmake/mk/dirdeps.mk b/contrib/bmake/mk/dirdeps.mk index 823115d..ec37e35 100644 --- a/contrib/bmake/mk/dirdeps.mk +++ b/contrib/bmake/mk/dirdeps.mk @@ -1,4 +1,4 @@ -# $Id: dirdeps.mk,v 1.55 2015/10/20 22:04:53 sjg Exp $ +# $Id: dirdeps.mk,v 1.59 2016/02/26 23:32:29 sjg Exp $ # Copyright (c) 2010-2013, Juniper Networks, Inc. # All rights reserved. @@ -121,6 +121,9 @@ _DIRDEP_USE_LEVEL?= 0 # and non-specific Makefile.depend* .if !target(_DIRDEP_USE) +# make sure we get the behavior we expect +.MAKE.SAVE_DOLLARS = no + # do some setup we only need once _CURDIR ?= ${.CURDIR} _OBJDIR ?= ${.OBJDIR} @@ -256,11 +259,8 @@ DEP_RELDIR := ${DIRDEPS:R:[1]} MK_DIRDEPS_CACHE = no .endif - -# pickup customizations -# as below you can use !target(_DIRDEP_USE) to protect things -# which should only be done once. -.-include "local.dirdeps.mk" +# reset each time through +_build_all_dirs = # the first time we are included the _DIRDEP_USE target will not be defined # we can use this as a clue to do initialization and other one time things. @@ -280,6 +280,14 @@ DEBUG_DIRDEPS ?= no # remember the initial value of DEP_RELDIR - we test for it below. _DEP_RELDIR := ${DEP_RELDIR} +.endif + +# pickup customizations +# as below you can use !target(_DIRDEP_USE) to protect things +# which should only be done once. +.-include "local.dirdeps.mk" + +.if !target(_DIRDEP_USE) # things we skip for host tools SKIP_HOSTDIR ?= @@ -399,6 +407,7 @@ ${DIRDEPS_CACHE}: .META .NOMETA_CMP MAKEFLAGS= ${.MAKE} -C ${_CURDIR} -f ${BUILD_DIRDEPS_MAKEFILE} \ ${BUILD_DIRDEPS_TARGETS} BUILD_DIRDEPS_CACHE=yes \ .MAKE.DEPENDFILE=.none \ + ${.MAKEFLAGS:tW:S,-D ,-D,g:tw:M*WITH*} \ 3>&1 1>&2 | sed 's,${SRCTOP},$${SRCTOP},g' >> ${.TARGET}.new && \ mv ${.TARGET}.new ${.TARGET} @@ -479,7 +488,11 @@ _build_dirs += ${_machines:@m@${_CURDIR}.$m@} _build_dirs += ${_machines:N${DEP_TARGET_SPEC}:@m@${_CURDIR}.$m@} .if ${DEP_TARGET_SPEC} == ${TARGET_SPEC} # pickup local dependencies now +.if ${MAKE_VERSION} < 20160220 .-include <.depend> +.else +.dinclude <.depend> +.endif .endif .endif .endif @@ -531,22 +544,25 @@ _build_dirs += \ # qualify everything now _build_dirs := ${_build_dirs:${M_dep_qual_fixes:ts:}:O:u} +_build_all_dirs += ${_build_dirs} +_build_all_dirs := ${_build_all_dirs:O:u} + .endif # empty DIRDEPS # Normally if doing make -V something, # we do not want to waste time chasing DIRDEPS # but if we want to count the number of Makefile.depend* read, we do. .if ${.MAKEFLAGS:M-V${_V_READ_DIRDEPS}} == "" -.if !empty(_build_dirs) +.if !empty(_build_all_dirs) .if ${BUILD_DIRDEPS_CACHE} == "yes" x!= { echo; echo '\# ${DEP_RELDIR}.${DEP_TARGET_SPEC}'; \ - echo 'dirdeps: ${_build_dirs:${M_oneperline}}'; echo; } >&3; echo -x!= { ${_build_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo + echo 'dirdeps: ${_build_all_dirs:${M_oneperline}}'; echo; } >&3; echo +x!= { ${_build_all_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo .else # this makes it all happen -dirdeps: ${_build_dirs} +dirdeps: ${_build_all_dirs} .endif -${_build_dirs}: _DIRDEP_USE +${_build_all_dirs}: _DIRDEP_USE .if ${_debug_reldir} .info ${DEP_RELDIR}.${DEP_TARGET_SPEC}: needs: ${_build_dirs} @@ -580,14 +596,14 @@ ${_this_dir}.$m: ${_build_dirs:M*.$m:N${_this_dir}.$m} .endif # Now find more dependencies - and recurse. -.for d in ${_build_dirs} +.for d in ${_build_all_dirs} .if ${_DIRDEP_CHECKED:M$d} == "" # once only _DIRDEP_CHECKED += $d .if ${_debug_search} .info checking $d .endif -# Note: _build_dirs is fully qualifed so d:R is always the directory +# Note: _build_all_dirs is fully qualifed so d:R is always the directory .if exists(${d:R}) # Warning: there is an assumption here that MACHINE is always # the first entry in TARGET_SPEC_VARS. @@ -627,28 +643,37 @@ DIRDEPS = DEP_RELDIR := ${RELDIR} _DEP_RELDIR := ${RELDIR} # pickup local dependencies +.if ${MAKE_VERSION} < 20160220 .-include <.depend> +.else +.dinclude <.depend> +.endif .endif # bootstrapping new dependencies made easy? -.if (make(bootstrap) || make(bootstrap-recurse)) && !target(bootstrap) +.if !target(bootstrap) && (make(bootstrap) || \ + make(bootstrap-this) || \ + make(bootstrap-recurse) || \ + make(bootstrap-empty)) .if exists(${.CURDIR}/${.MAKE.DEPENDFILE:T}) # stop here ${.TARGETS:Mboot*}: -.else +.elif !make(bootstrap-empty) # find a Makefile.depend to use as _src _src != cd ${.CURDIR} && for m in ${.MAKE.DEPENDFILE_PREFERENCE:T:S,${MACHINE},*,}; do test -s $$m || continue; echo $$m; break; done; echo .if empty(_src) -.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T} +.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T}${.newline}Use: bootstrap-empty .endif _src?= ${.MAKE.DEPENDFILE:T} +# just create Makefile.depend* for this dir bootstrap-this: .NOTMAIN @echo Bootstrapping ${RELDIR}/${.MAKE.DEPENDFILE:T} from ${_src:T} (cd ${.CURDIR} && sed 's,${_src:E},${MACHINE},g' ${_src} > ${.MAKE.DEPENDFILE:T}) +# create Makefile.depend* for this dir and its dependencies bootstrap: bootstrap-recurse bootstrap-recurse: bootstrap-this @@ -663,4 +688,11 @@ bootstrap-recurse: .NOTMAIN .MAKE done .endif + +# create an empty Makefile.depend* to get the ball rolling. +bootstrap-empty: .NOTMAIN .NOMETA + @echo Creating empty ${RELDIR}/${.MAKE.DEPENDFILE:T}; \ + echo You need to build ${RELDIR} to correctly populate it. + @{ echo DIRDEPS=; echo ".include "; } > ${.CURDIR}/${.MAKE.DEPENDFILE:T} + .endif diff --git a/contrib/bmake/mk/gendirdeps.mk b/contrib/bmake/mk/gendirdeps.mk index 2497f85..8b80338 100644 --- a/contrib/bmake/mk/gendirdeps.mk +++ b/contrib/bmake/mk/gendirdeps.mk @@ -1,4 +1,4 @@ -# $Id: gendirdeps.mk,v 1.29 2015/10/03 05:00:46 sjg Exp $ +# $Id: gendirdeps.mk,v 1.30 2016/02/27 00:20:39 sjg Exp $ # Copyright (c) 2010-2013, Juniper Networks, Inc. # All rights reserved. @@ -309,7 +309,7 @@ CAT_DEPEND ?= .depend # .depend may contain things we don't want. # The sed command at the end of the stream, allows for the filters # to output _{VAR} tokens which we will turn into proper ${VAR} references. -${_DEPENDFILE}: ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS} +${_DEPENDFILE}: .NOMETA ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS} @(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \ echo 'DIRDEPS = \'; \ echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \ @@ -329,7 +329,7 @@ DIRDEPS := ${SUBDIR:S,^,${RELDIR}/,:O:u} all: ${_DEPENDFILE} -${_DEPENDFILE}: ${MAKEFILE} ${_this} +${_DEPENDFILE}: .NOMETA ${MAKEFILE} ${_this} @(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \ echo 'DIRDEPS = \'; \ echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \ diff --git a/contrib/bmake/mk/install-mk b/contrib/bmake/mk/install-mk index 0c3db00..64b238f 100644 --- a/contrib/bmake/mk/install-mk +++ b/contrib/bmake/mk/install-mk @@ -55,7 +55,7 @@ # Simon J. Gerraty # RCSid: -# $Id: install-mk,v 1.118 2015/12/16 01:57:06 sjg Exp $ +# $Id: install-mk,v 1.121 2016/02/27 00:23:02 sjg Exp $ # # @(#) Copyright (c) 1994 Simon J. Gerraty # @@ -70,7 +70,7 @@ # sjg@crufty.net # -MK_VERSION=20151212 +MK_VERSION=20160226 OWNER= GROUP= MODE=444 diff --git a/contrib/bmake/mk/meta.autodep.mk b/contrib/bmake/mk/meta.autodep.mk index c9fdb0e..5f70564 100644 --- a/contrib/bmake/mk/meta.autodep.mk +++ b/contrib/bmake/mk/meta.autodep.mk @@ -1,4 +1,4 @@ -# $Id: meta.autodep.mk,v 1.39 2015/12/07 04:35:32 sjg Exp $ +# $Id: meta.autodep.mk,v 1.40 2016/02/22 22:44:58 sjg Exp $ # # @(#) Copyright (c) 2010, Simon J. Gerraty @@ -86,7 +86,7 @@ WANT_UPDATE_DEPENDFILE ?= yes .endif .if ${WANT_UPDATE_DEPENDFILE:Uno:tl} != "no" -.if ${.MAKE.MODE:Mmeta*} == "" || ${.MAKE.MODE:M*read*} != "" +.if ${.MAKE.MODE:Uno:Mmeta*} == "" || ${.MAKE.MODE:Uno:M*read*} != "" UPDATE_DEPENDFILE = no .endif diff --git a/contrib/bmake/mk/meta.stage.mk b/contrib/bmake/mk/meta.stage.mk index b77b27a..0355d66 100644 --- a/contrib/bmake/mk/meta.stage.mk +++ b/contrib/bmake/mk/meta.stage.mk @@ -1,4 +1,4 @@ -# $Id: meta.stage.mk,v 1.41 2015/11/13 17:34:04 sjg Exp $ +# $Id: meta.stage.mk,v 1.43 2016/02/24 18:46:32 sjg Exp $ # # @(#) Copyright (c) 2011, Simon J. Gerraty # @@ -26,7 +26,7 @@ _dirdep = ${RELDIR} CLEANFILES+= .dirdep # this allows us to trace dependencies back to their src dir -.dirdep: +.dirdep: .NOPATH @echo '${_dirdep}' > $@ .if defined(NO_POSIX_SHELL) || ${type printf:L:sh:Mbuiltin} == "" @@ -241,7 +241,7 @@ CLEANFILES += ${STAGE_TARGETS} stage_incs stage_includes # for non-jobs mode the order here matters staging: ${STAGE_TARGETS:N*_links} ${STAGE_TARGETS:M*_links} -.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:M*_links} != "" +.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:U:M*_links} != "" # the above isn't sufficient .for t in ${STAGE_TARGETS:N*links:O:u} .ORDER: $t stage_links diff --git a/contrib/bmake/mk/meta.sys.mk b/contrib/bmake/mk/meta.sys.mk index 8e55878..764f2d1 100644 --- a/contrib/bmake/mk/meta.sys.mk +++ b/contrib/bmake/mk/meta.sys.mk @@ -1,4 +1,4 @@ -# $Id: meta.sys.mk,v 1.26 2015/11/14 21:16:13 sjg Exp $ +# $Id: meta.sys.mk,v 1.27 2016/02/22 22:44:58 sjg Exp $ # # @(#) Copyright (c) 2010, Simon J. Gerraty @@ -102,7 +102,7 @@ META_COOKIE_TOUCH= # some targets need to be .PHONY in non-meta mode META_NOPHONY= .PHONY # Are we, after all, in meta mode? -.if ${.MAKE.MODE:Mmeta*} != "" +.if ${.MAKE.MODE:Uno:Mmeta*} != "" MKDEP_MK = meta.autodep.mk .if ${.MAKE.MAKEFILES:M*sys.dependfile.mk} == "" diff --git a/contrib/bmake/mk/meta2deps.sh b/contrib/bmake/mk/meta2deps.sh index 0c934af..a9ea075 100755 --- a/contrib/bmake/mk/meta2deps.sh +++ b/contrib/bmake/mk/meta2deps.sh @@ -77,7 +77,7 @@ # RCSid: -# $Id: meta2deps.sh,v 1.9 2015/04/03 18:23:25 sjg Exp $ +# $Id: meta2deps.sh,v 1.10 2016/03/02 18:53:36 sjg Exp $ # Copyright (c) 2010-2013, Juniper Networks, Inc. # All rights reserved. @@ -309,7 +309,7 @@ meta2deps() { *) seen=$dir;; esac case "$dir" in - ${CURDIR:-.}|${CURDIR:-.}/*|"") continue;; + ${CURDIR:-.}|"") continue;; $src_re) # avoid repeating ourselves... case "$DPDEPS,$seensrc," in diff --git a/contrib/bmake/mk/sys.clean-env.mk b/contrib/bmake/mk/sys.clean-env.mk index b1867c3..396599b 100644 --- a/contrib/bmake/mk/sys.clean-env.mk +++ b/contrib/bmake/mk/sys.clean-env.mk @@ -1,4 +1,4 @@ -# $Id: sys.clean-env.mk,v 1.20 2012/11/12 06:56:04 sjg Exp $ +# $Id: sys.clean-env.mk,v 1.21 2016/02/18 21:16:40 sjg Exp $ # # @(#) Copyright (c) 2009, Simon J. Gerraty # @@ -94,6 +94,7 @@ _tricky_env_vars = MAKEOBJDIR OBJTOP # MAKEOBJDIR='${.CURDIR:S,${SRCTOP},${OBJTOP},}' _srctop := ${SRCTOP:U${SB_SRC:U${SB}/src}} _objroot := ${OBJROOT:U${SB_OBJROOT:U${SB}/${SB_OBJPREFIX}}} +.if ${MAKE_VERSION} < 20160218 _objtop := ${OBJTOP:U${_objroot}${MACHINE}} # Take care of ${MACHINE} .if ${MACHINE} == "host" || ${OBJTOP} == ${HOST_OBJTOP:Uno} @@ -113,7 +114,17 @@ MAKEOBJDIR = $${.CURDIR:S,${_srctop},$${OBJTOP},} .for v in ${_tricky_env_vars} $v := ${$v} .endfor +.else +# we cannot use the '$$' trick, anymore +# but we can export a literal (unexpanded) value +SRCTOP := ${_srctop} +OBJROOT := ${_objroot} +OBJTOP = ${OBJROOT}${MACHINE} +MAKEOBJDIR = ${.CURDIR:S,${SRCTOP},${OBJTOP},} +.export-literal SRCTOP OBJROOT ${_tricky_env_vars} +.endif #.info ${_tricky_env_vars:@v@${.newline}$v=${$v}@} - +#showenv: +# @env | egrep 'OBJ|SRC' .endif # MAKEOBJDIR .endif # level 0 diff --git a/contrib/bmake/mk/sys.dependfile.mk b/contrib/bmake/mk/sys.dependfile.mk index e915082..b4d79f7 100644 --- a/contrib/bmake/mk/sys.dependfile.mk +++ b/contrib/bmake/mk/sys.dependfile.mk @@ -1,4 +1,4 @@ -# $Id: sys.dependfile.mk,v 1.6 2014/08/02 18:02:06 sjg Exp $ +# $Id: sys.dependfile.mk,v 1.7 2016/02/20 01:57:39 sjg Exp $ # # @(#) Copyright (c) 2012, Simon J. Gerraty # @@ -49,7 +49,9 @@ _e := ${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@} # If any already exist, we should follow suit. _aml = ${ALL_MACHINE_LIST:Uarm amd64 i386 powerpc:N${MACHINE}} ${MACHINE} # MACHINE must be the last entry in _aml ;-) +_m := ${MACHINE} _e := ${_aml:@MACHINE@${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@}@} +MACHINE := ${_m} .if !empty(_e) .MAKE.DEPENDFILE ?= ${.MAKE.DEPENDFILE_PREFERENCE:M*${MACHINE}:[1]} .endif diff --git a/contrib/bmake/mk/warnings.mk b/contrib/bmake/mk/warnings.mk index bacbefb..dc230bc 100644 --- a/contrib/bmake/mk/warnings.mk +++ b/contrib/bmake/mk/warnings.mk @@ -1,5 +1,5 @@ # RCSid: -# $Id: warnings.mk,v 1.8 2014/04/02 19:20:23 sjg Exp $ +# $Id: warnings.mk,v 1.9 2016/02/20 02:00:58 sjg Exp $ # # @(#) Copyright (c) 2002, Simon J. Gerraty # @@ -15,6 +15,8 @@ # .ifndef _w_cflags +# make sure we get the behavior we expect +.MAKE.SAVE_DOLLARS = no # Any number of warnings sets can be added. .-include "warnings-sets.mk" diff --git a/contrib/bmake/nonints.h b/contrib/bmake/nonints.h index 2332858..5a5c613 100644 --- a/contrib/bmake/nonints.h +++ b/contrib/bmake/nonints.h @@ -1,4 +1,4 @@ -/* $NetBSD: nonints.h,v 1.69 2015/10/11 04:51:24 sjg Exp $ */ +/* $NetBSD: nonints.h,v 1.72 2016/02/18 20:25:08 sjg Exp $ */ /*- * Copyright (c) 1988, 1989, 1990, 1993 @@ -120,6 +120,7 @@ void Finish(int) MAKE_ATTR_DEAD; int eunlink(const char *); void execError(const char *, const char *); char *getTmpdir(void); +Boolean s2Boolean(const char *, Boolean); Boolean getBoolean(const char *, Boolean); /* parse.c */ @@ -184,8 +185,8 @@ void Var_Set(const char *, const char *, GNode *, int); void Var_Append(const char *, const char *, GNode *); Boolean Var_Exists(const char *, GNode *); char *Var_Value(const char *, GNode *, char **); -char *Var_Parse(const char *, GNode *, Boolean, Boolean, int *, void **); -char *Var_Subst(const char *, const char *, GNode *, Boolean, Boolean); +char *Var_Parse(const char *, GNode *, int, int *, void **); +char *Var_Subst(const char *, const char *, GNode *, int); char *Var_GetTail(const char *); char *Var_GetHead(const char *); void Var_Init(void); diff --git a/contrib/bmake/parse.c b/contrib/bmake/parse.c index 7f3afbd..2a22c0b 100644 --- a/contrib/bmake/parse.c +++ b/contrib/bmake/parse.c @@ -1,4 +1,4 @@ -/* $NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $ */ +/* $NetBSD: parse.c,v 1.212 2016/02/19 06:19:06 sjg Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,14 +69,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $"; +static char rcsid[] = "$NetBSD: parse.c,v 1.212 2016/02/19 06:19:06 sjg Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)parse.c 8.3 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $"); +__RCSID("$NetBSD: parse.c,v 1.212 2016/02/19 06:19:06 sjg Exp $"); #endif #endif /* not lint */ #endif @@ -128,7 +128,6 @@ __RCSID("$NetBSD: parse.c,v 1.206 2015/11/26 00:23:04 sjg Exp $"); #include #include #include -#include #include #include @@ -161,6 +160,7 @@ typedef struct IFile { int lineno; /* current line number in file */ int first_lineno; /* line number of start of text */ int cond_depth; /* 'if' nesting when file opened */ + Boolean depending; /* state of doing_depend on EOF */ char *P_str; /* point to base of string buffer */ char *P_ptr; /* point to next char of string buffer */ char *P_end; /* point to the end of string buffer */ @@ -816,7 +816,7 @@ ParseMessage(char *line) while (isspace((u_char)*line)) line++; - line = Var_Subst(NULL, line, VAR_CMD, FALSE, TRUE); + line = Var_Subst(NULL, line, VAR_CMD, VARF_WANTRES); Parse_Error(mtype, "%s", line); free(line); @@ -1233,9 +1233,9 @@ ParseDoDependency(char *line) int length; void *freeIt; - (void)Var_Parse(cp, VAR_CMD, TRUE, TRUE, &length, &freeIt); - if (freeIt) - free(freeIt); + (void)Var_Parse(cp, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES, + &length, &freeIt); + free(freeIt); cp += length-1; } } @@ -1948,7 +1948,7 @@ Parse_DoVar(char *line, GNode *ctxt) if (!Var_Exists(line, ctxt)) Var_Set(line, "", ctxt, 0); - cp = Var_Subst(NULL, cp, ctxt, FALSE, TRUE); + cp = Var_Subst(NULL, cp, ctxt, VARF_WANTRES|VARF_ASSIGN); oldVars = oldOldVars; freeCp = TRUE; @@ -1963,7 +1963,7 @@ Parse_DoVar(char *line, GNode *ctxt) * expansion on the whole thing. The resulting string will need * freeing when we're done, so set freeCmd to TRUE. */ - cp = Var_Subst(NULL, cp, VAR_CMD, TRUE, TRUE); + cp = Var_Subst(NULL, cp, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES); freeCp = TRUE; } @@ -2155,7 +2155,7 @@ Parse_AddIncludeDir(char *dir) */ static void -Parse_include_file(char *file, Boolean isSystem, int silent) +Parse_include_file(char *file, Boolean isSystem, Boolean depinc, int silent) { struct loadedfile *lf; char *fullname; /* full pathname of file */ @@ -2255,6 +2255,8 @@ Parse_include_file(char *file, Boolean isSystem, int silent) /* Start reading from this file next */ Parse_SetInput(fullname, 0, -1, loadedfile_nextbuf, lf); curFile->lf = lf; + if (depinc) + doing_depend = depinc; /* only turn it on */ } static void @@ -2302,9 +2304,9 @@ ParseDoInclude(char *line) * Substitute for any variables in the file name before trying to * find the thing. */ - file = Var_Subst(NULL, file, VAR_CMD, FALSE, TRUE); + file = Var_Subst(NULL, file, VAR_CMD, VARF_WANTRES); - Parse_include_file(file, endc == '>', silent); + Parse_include_file(file, endc == '>', (*line == 'd'), silent); free(file); } @@ -2339,10 +2341,8 @@ ParseSetIncludedFile(void) fprintf(debug_file, "%s: ${.INCLUDEDFROMDIR} = `%s' " "${.INCLUDEDFROMFILE} = `%s'\n", __func__, pd, pf); - if (fp) - free(fp); - if (dp) - free(dp); + free(fp); + free(dp); } /*- *--------------------------------------------------------------------- @@ -2472,6 +2472,7 @@ Parse_SetInput(const char *name, int line, int fd, curFile->nextbuf = nextbuf; curFile->nextbuf_arg = arg; curFile->lf = NULL; + curFile->depending = doing_depend; /* restore this on EOF */ assert(nextbuf != NULL); @@ -2532,7 +2533,7 @@ ParseTraditionalInclude(char *line) * Substitute for any variables in the file name before trying to * find the thing. */ - all_files = Var_Subst(NULL, file, VAR_CMD, FALSE, TRUE); + all_files = Var_Subst(NULL, file, VAR_CMD, VARF_WANTRES); if (*file == '\0') { Parse_Error(PARSE_FATAL, @@ -2550,7 +2551,7 @@ ParseTraditionalInclude(char *line) else done = 1; - Parse_include_file(file, FALSE, silent); + Parse_include_file(file, FALSE, FALSE, silent); } free(all_files); } @@ -2600,7 +2601,7 @@ ParseGmakeExport(char *line) /* * Expand the value before putting it in the environment. */ - value = Var_Subst(NULL, value, VAR_CMD, FALSE, TRUE); + value = Var_Subst(NULL, value, VAR_CMD, VARF_WANTRES); setenv(variable, value, 1); } #endif @@ -2628,6 +2629,7 @@ ParseEOF(void) assert(curFile->nextbuf != NULL); + doing_depend = curFile->depending; /* restore this */ /* get next input buffer, if any */ ptr = curFile->nextbuf(curFile->nextbuf_arg, &len); curFile->P_ptr = ptr; @@ -2990,7 +2992,7 @@ Parse_File(const char *name, int fd) continue; } if (strncmp(cp, "include", 7) == 0 || - ((cp[0] == 's' || cp[0] == '-') && + ((cp[0] == 'd' || cp[0] == 's' || cp[0] == '-') && strncmp(&cp[1], "include", 7) == 0)) { ParseDoInclude(cp); continue; @@ -3149,7 +3151,7 @@ Parse_File(const char *name, int fd) * variables expanded before being parsed. Tell the variable * module to complain if some variable is undefined... */ - line = Var_Subst(NULL, line, VAR_CMD, TRUE, TRUE); + line = Var_Subst(NULL, line, VAR_CMD, VARF_UNDEFERR|VARF_WANTRES); /* * Need a non-circular list for the target nodes diff --git a/contrib/bmake/suff.c b/contrib/bmake/suff.c index db69643..98bd447 100644 --- a/contrib/bmake/suff.c +++ b/contrib/bmake/suff.c @@ -1,4 +1,4 @@ -/* $NetBSD: suff.c,v 1.75 2015/12/20 22:44:10 sjg Exp $ */ +/* $NetBSD: suff.c,v 1.78 2016/02/18 18:29:14 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,14 +69,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: suff.c,v 1.75 2015/12/20 22:44:10 sjg Exp $"; +static char rcsid[] = "$NetBSD: suff.c,v 1.78 2016/02/18 18:29:14 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)suff.c 8.4 (Berkeley) 3/21/94"; #else -__RCSID("$NetBSD: suff.c,v 1.75 2015/12/20 22:44:10 sjg Exp $"); +__RCSID("$NetBSD: suff.c,v 1.78 2016/02/18 18:29:14 christos Exp $"); #endif #endif /* not lint */ #endif @@ -1556,7 +1556,7 @@ SuffExpandChildren(LstNode cln, GNode *pgn) if (DEBUG(SUFF)) { fprintf(debug_file, "Expanding \"%s\"...", cgn->name); } - cp = Var_Subst(NULL, cgn->name, pgn, TRUE, TRUE); + cp = Var_Subst(NULL, cgn->name, pgn, VARF_UNDEFERR|VARF_WANTRES); if (cp != NULL) { Lst members = Lst_Init(FALSE); @@ -1609,13 +1609,13 @@ SuffExpandChildren(LstNode cln, GNode *pgn) int len; void *freeIt; - junk = Var_Parse(cp, pgn, TRUE, TRUE, &len, &freeIt); + junk = Var_Parse(cp, pgn, VARF_UNDEFERR|VARF_WANTRES, + &len, &freeIt); if (junk != var_Error) { cp += len - 1; } - if (freeIt) - free(freeIt); + free(freeIt); } else if (*cp == '\\' && *cp != '\0') { /* * Escaped something -- skip over it @@ -1933,8 +1933,7 @@ SuffFindArchiveDeps(GNode *gn, Lst slst) for (i = (sizeof(copy)/sizeof(copy[0]))-1; i >= 0; i--) { char *p1; Var_Set(copy[i], Var_Value(copy[i], mem, &p1), gn, 0); - if (p1) - free(p1); + free(p1); } diff --git a/contrib/bmake/targ.c b/contrib/bmake/targ.c index 5db5477..dd52b29 100644 --- a/contrib/bmake/targ.c +++ b/contrib/bmake/targ.c @@ -1,4 +1,4 @@ -/* $NetBSD: targ.c,v 1.60 2015/05/25 09:01:06 manu Exp $ */ +/* $NetBSD: targ.c,v 1.61 2016/01/17 17:45:21 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,14 +69,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: targ.c,v 1.60 2015/05/25 09:01:06 manu Exp $"; +static char rcsid[] = "$NetBSD: targ.c,v 1.61 2016/01/17 17:45:21 christos Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)targ.c 8.2 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: targ.c,v 1.60 2015/05/25 09:01:06 manu Exp $"); +__RCSID("$NetBSD: targ.c,v 1.61 2016/01/17 17:45:21 christos Exp $"); #endif #endif /* not lint */ #endif @@ -292,10 +292,8 @@ TargFreeGN(void *gnp) free(gn->name); - if (gn->uname) - free(gn->uname); - if (gn->path) - free(gn->path); + free(gn->uname); + free(gn->path); /* gn->fname points to name allocated when file was opened, don't free */ Lst_Destroy(gn->iParents, NULL); diff --git a/contrib/bmake/unit-tests/export-env.exp b/contrib/bmake/unit-tests/export-env.exp index 6221232..8a779e6 100644 --- a/contrib/bmake/unit-tests/export-env.exp +++ b/contrib/bmake/unit-tests/export-env.exp @@ -2,8 +2,10 @@ make: UT_TEST=export-env.mk UT_ENV=not-exported UT_EXP=not-exported +UT_LIT=literal export-env.mk env: UT_TEST=export-env.mk UT_ENV=exported UT_EXP=exported +UT_LIT=literal ${UT_TEST} exit status 0 diff --git a/contrib/bmake/unit-tests/export-env.mk b/contrib/bmake/unit-tests/export-env.mk index 6b7cd4c..93aa672 100644 --- a/contrib/bmake/unit-tests/export-env.mk +++ b/contrib/bmake/unit-tests/export-env.mk @@ -1,4 +1,4 @@ -# $Id: export-env.mk,v 1.1.1.1 2014/08/30 18:57:18 sjg Exp $ +# $Id: export-env.mk,v 1.1.1.2 2016/02/18 20:35:24 sjg Exp $ # our normal .export, subsequent changes affect the environment UT_TEST=this @@ -15,9 +15,12 @@ UT_EXP=before-export export UT_EXP=exported UT_EXP=not-exported +UT_LIT= literal ${UT_TEST} +.export-literal UT_LIT + all: - @echo make:; ${UT_TEST UT_ENV UT_EXP:L:@v@echo $v=${$v};@} - @echo env:; ${UT_TEST UT_ENV UT_EXP:L:@v@echo $v=$${$v};@} + @echo make:; ${UT_TEST UT_ENV UT_EXP UT_LIT:L:@v@echo $v=${$v};@} + @echo env:; ${UT_TEST UT_ENV UT_EXP UT_LIT:L:@v@echo $v=$${$v};@} diff --git a/contrib/bmake/unit-tests/modts.exp b/contrib/bmake/unit-tests/modts.exp index cf3c91d..3389649 100644 --- a/contrib/bmake/unit-tests/modts.exp +++ b/contrib/bmake/unit-tests/modts.exp @@ -23,10 +23,16 @@ THREE FOUR FIVE SIX" +LIST:ts/xa:tu="ONE +TWO +THREE +FOUR +FIVE +SIX" make: Bad modifier `:tx' for LIST LIST:tx="}" -make: Bad modifier `:ts\x' for LIST -LIST:ts/x:tu="\x:tu}" +make: Bad modifier `:ts\X' for LIST +LIST:ts/x:tu="\X:tu}" FU_mod-ts="a/b/cool" FU_mod-ts:ts:T="cool" == cool? B.${AAA:ts}="Baaa" == Baaa? diff --git a/contrib/bmake/unit-tests/modts.mk b/contrib/bmake/unit-tests/modts.mk index 54b3d3d..e66dc25 100644 --- a/contrib/bmake/unit-tests/modts.mk +++ b/contrib/bmake/unit-tests/modts.mk @@ -36,8 +36,9 @@ mod-ts: @${PRINT} 'LIST:ts/n="${LIST:ts\n}"' @${PRINT} 'LIST:ts/t="${LIST:ts\t}"' @${PRINT} 'LIST:ts/012:tu="${LIST:ts\012:tu}"' + @${PRINT} 'LIST:ts/xa:tu="${LIST:ts\xa:tu}"' @${PRINT} 'LIST:tx="${LIST:tx}"' - @${PRINT} 'LIST:ts/x:tu="${LIST:ts\x:tu}"' + @${PRINT} 'LIST:ts/x:tu="${LIST:ts\X:tu}"' @${PRINT} 'FU_$@="${FU_${@:ts}:ts}"' @${PRINT} 'FU_$@:ts:T="${FU_${@:ts}:ts:T}" == cool?' @${PRINT} 'B.$${AAA:ts}="${B.${AAA:ts}}" == Baaa?' diff --git a/contrib/bmake/var.c b/contrib/bmake/var.c index 43429e2..36ba6de 100644 --- a/contrib/bmake/var.c +++ b/contrib/bmake/var.c @@ -1,4 +1,4 @@ -/* $NetBSD: var.c,v 1.200 2015/12/01 07:26:08 sjg Exp $ */ +/* $NetBSD: var.c,v 1.206 2016/03/07 20:20:35 sjg Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,14 +69,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: var.c,v 1.200 2015/12/01 07:26:08 sjg Exp $"; +static char rcsid[] = "$NetBSD: var.c,v 1.206 2016/03/07 20:20:35 sjg Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)var.c 8.3 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: var.c,v 1.200 2015/12/01 07:26:08 sjg Exp $"); +__RCSID("$NetBSD: var.c,v 1.206 2016/03/07 20:20:35 sjg Exp $"); #endif #endif /* not lint */ #endif @@ -154,13 +154,23 @@ char **savedEnv = NULL; char var_Error[] = ""; /* - * Similar to var_Error, but returned when the 'errnum' flag for Var_Parse is - * set false. Why not just use a constant? Well, gcc likes to condense - * identical string instances... + * Similar to var_Error, but returned when the 'VARF_UNDEFERR' flag for + * Var_Parse is not set. Why not just use a constant? Well, gcc likes + * to condense identical string instances... */ static char varNoError[] = ""; /* + * Traditionally we consume $$ during := like any other expansion. + * Other make's do not. + * This knob allows controlling the behavior. + * FALSE for old behavior. + * TRUE for new compatible. + */ +#define SAVE_DOLLARS ".MAKE.SAVE_DOLLARS" +static Boolean save_dollars = FALSE; + +/* * Internally, variables are contained in four different contexts. * 1) the environment. They may not be changed. If an environment * variable is appended-to, the result is placed in the global @@ -216,7 +226,11 @@ static int var_exportedVars = VAR_EXPORTED_NONE; * We pass this to Var_Export when doing the initial export * or after updating an exported var. */ -#define VAR_EXPORT_PARENT 1 +#define VAR_EXPORT_PARENT 1 +/* + * We pass this to Var_Export1 to tell it to leave the value alone. + */ +#define VAR_EXPORT_LITERAL 2 /* Var*Pattern flags */ #define VAR_SUB_GLOBAL 0x01 /* Apply substitution globally */ @@ -541,7 +555,7 @@ Var_Delete(const char *name, GNode *ctxt) char *cp; if (strchr(name, '$')) { - cp = Var_Subst(NULL, name, VAR_GLOBAL, FALSE, TRUE); + cp = Var_Subst(NULL, name, VAR_GLOBAL, VARF_WANTRES); } else { cp = (char *)name; } @@ -580,12 +594,13 @@ Var_Delete(const char *name, GNode *ctxt) * We only manipulate flags of vars if 'parent' is set. */ static int -Var_Export1(const char *name, int parent) +Var_Export1(const char *name, int flags) { char tmp[BUFSIZ]; Var *v; char *val = NULL; int n; + int parent = (flags & VAR_EXPORT_PARENT); if (*name == '.') return 0; /* skip internals */ @@ -613,7 +628,7 @@ Var_Export1(const char *name, int parent) return 0; /* nothing to do */ } val = Buf_GetAll(&v->val, NULL); - if (strchr(val, '$')) { + if ((flags & VAR_EXPORT_LITERAL) == 0 && strchr(val, '$')) { if (parent) { /* * Flag this as something we need to re-export. @@ -632,7 +647,7 @@ Var_Export1(const char *name, int parent) } n = snprintf(tmp, sizeof(tmp), "${%s}", name); if (n < (int)sizeof(tmp)) { - val = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE); + val = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES); setenv(name, val, 1); free(val); } @@ -700,7 +715,7 @@ Var_ExportVars(void) int ac; int i; - val = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE); + val = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES); if (*val) { av = brk_string(val, &ac, FALSE, &as); for (i = 0; i < ac; i++) { @@ -725,7 +740,7 @@ Var_Export(char *str, int isExport) char *val; char **av; char *as; - int track; + int flags; int ac; int i; @@ -734,13 +749,16 @@ Var_Export(char *str, int isExport) return; } + flags = 0; if (strncmp(str, "-env", 4) == 0) { - track = 0; str += 4; + } else if (strncmp(str, "-literal", 8) == 0) { + str += 8; + flags |= VAR_EXPORT_LITERAL; } else { - track = VAR_EXPORT_PARENT; + flags |= VAR_EXPORT_PARENT; } - val = Var_Subst(NULL, str, VAR_GLOBAL, FALSE, TRUE); + val = Var_Subst(NULL, str, VAR_GLOBAL, VARF_WANTRES); if (*val) { av = brk_string(val, &ac, FALSE, &as); for (i = 0; i < ac; i++) { @@ -760,10 +778,10 @@ Var_Export(char *str, int isExport) continue; } } - if (Var_Export1(name, track)) { + if (Var_Export1(name, flags)) { if (VAR_EXPORTED_ALL != var_exportedVars) var_exportedVars = VAR_EXPORTED_YES; - if (isExport && track) { + if (isExport && (flags & VAR_EXPORT_PARENT)) { Var_Append(MAKE_EXPORTED, name, VAR_GLOBAL); } } @@ -830,7 +848,7 @@ Var_UnExport(char *str) /* Using .MAKE.EXPORTED */ n = snprintf(tmp, sizeof(tmp), "${" MAKE_EXPORTED ":O:u}"); if (n < (int)sizeof(tmp)) { - vlist = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE); + vlist = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES); } } if (vlist) { @@ -860,7 +878,7 @@ Var_UnExport(char *str) n = snprintf(tmp, sizeof(tmp), "${" MAKE_EXPORTED ":N%s}", v->name); if (n < (int)sizeof(tmp)) { - cp = Var_Subst(NULL, tmp, VAR_GLOBAL, FALSE, TRUE); + cp = Var_Subst(NULL, tmp, VAR_GLOBAL, VARF_WANTRES); Var_Set(MAKE_EXPORTED, cp, VAR_GLOBAL, 0); free(cp); } @@ -915,7 +933,7 @@ Var_Set(const char *name, const char *val, GNode *ctxt, int flags) * point in searching them all just to save a bit of memory... */ if (strchr(name, '$') != NULL) { - expanded_name = Var_Subst(NULL, name, ctxt, FALSE, TRUE); + expanded_name = Var_Subst(NULL, name, ctxt, VARF_WANTRES); if (expanded_name[0] == 0) { if (DEBUG(VAR)) { fprintf(debug_file, "Var_Set(\"%s\", \"%s\", ...) " @@ -983,7 +1001,10 @@ Var_Set(const char *name, const char *val, GNode *ctxt, int flags) Var_Append(MAKEOVERRIDES, name, VAR_GLOBAL); } - + if (*name == '.') { + if (strcmp(name, SAVE_DOLLARS) == 0) + save_dollars = s2Boolean(val, save_dollars); + } out: free(expanded_name); @@ -1026,7 +1047,7 @@ Var_Append(const char *name, const char *val, GNode *ctxt) char *expanded_name = NULL; if (strchr(name, '$') != NULL) { - expanded_name = Var_Subst(NULL, name, ctxt, FALSE, TRUE); + expanded_name = Var_Subst(NULL, name, ctxt, VARF_WANTRES); if (expanded_name[0] == 0) { if (DEBUG(VAR)) { fprintf(debug_file, "Var_Append(\"%s\", \"%s\", ...) " @@ -1091,7 +1112,7 @@ Var_Exists(const char *name, GNode *ctxt) char *cp; if ((cp = strchr(name, '$')) != NULL) { - cp = Var_Subst(NULL, name, ctxt, FALSE, TRUE); + cp = Var_Subst(NULL, name, ctxt, VARF_WANTRES); } v = VarFind(cp ? cp : name, ctxt, FIND_CMD|FIND_GLOBAL|FIND_ENV); free(cp); @@ -1389,7 +1410,7 @@ VarSYSVMatch(GNode *ctx, Var_Parse_State *vpstate, addSpace = TRUE; if ((ptr = Str_SYSVMatch(word, pat->lhs, &len)) != NULL) { - varexp = Var_Subst(NULL, pat->rhs, ctx, FALSE, TRUE); + varexp = Var_Subst(NULL, pat->rhs, ctx, VARF_WANTRES); Str_SYSVSubst(buf, varexp, ptr, len); free(varexp); } else { @@ -1629,14 +1650,14 @@ VarSubstitute(GNode *ctx MAKE_ATTR_UNUSED, Var_Parse_State *vpstate, *----------------------------------------------------------------------- */ static void -VarREError(int errnum, regex_t *pat, const char *str) +VarREError(int reerr, regex_t *pat, const char *str) { char *errbuf; int errlen; - errlen = regerror(errnum, pat, 0, 0); + errlen = regerror(reerr, pat, 0, 0); errbuf = bmake_malloc(errlen); - regerror(errnum, pat, errbuf, errlen); + regerror(reerr, pat, errbuf, errlen); Error("%s: %s", str, errbuf); free(errbuf); } @@ -1809,7 +1830,7 @@ VarLoopExpand(GNode *ctx MAKE_ATTR_UNUSED, if (word && *word) { Var_Set(loop->tvar, word, loop->ctxt, VAR_NO_EXPORT); - s = Var_Subst(NULL, loop->str, loop->ctxt, loop->errnum, TRUE); + s = Var_Subst(NULL, loop->str, loop->ctxt, loop->errnum | VARF_WANTRES); if (s != NULL && *s != '\0') { if (addSpace && *s != '\n') Buf_AddByte(buf, ' '); @@ -2143,13 +2164,14 @@ VarUniq(const char *str) */ static char * VarGetPattern(GNode *ctxt, Var_Parse_State *vpstate MAKE_ATTR_UNUSED, - int errnum, const char **tstr, int delim, int *flags, + int flags, const char **tstr, int delim, int *vflags, int *length, VarPattern *pattern) { const char *cp; char *rstr; Buffer buf; int junk; + int errnum = flags & VARF_UNDEFERR; Buf_Init(&buf, 0); if (length == NULL) @@ -2171,16 +2193,16 @@ VarGetPattern(GNode *ctxt, Var_Parse_State *vpstate MAKE_ATTR_UNUSED, cp++; } else if (*cp == '$') { if (cp[1] == delim) { - if (flags == NULL) + if (vflags == NULL) Buf_AddByte(&buf, *cp); else /* * Unescaped $ at end of pattern => anchor * pattern at end. */ - *flags |= VAR_MATCH_END; + *vflags |= VAR_MATCH_END; } else { - if (flags == NULL || (*flags & VAR_NOSUBST) == 0) { + if (vflags == NULL || (*vflags & VAR_NOSUBST) == 0) { char *cp2; int len; void *freeIt; @@ -2190,7 +2212,8 @@ VarGetPattern(GNode *ctxt, Var_Parse_State *vpstate MAKE_ATTR_UNUSED, * delimiter, assume it's a variable * substitution and recurse. */ - cp2 = Var_Parse(cp, ctxt, errnum, TRUE, &len, &freeIt); + cp2 = Var_Parse(cp, ctxt, errnum | VARF_WANTRES, &len, + &freeIt); Buf_AddBytes(&buf, strlen(cp2), cp2); free(freeIt); cp += len - 1; @@ -2463,7 +2486,7 @@ VarStrftime(const char *fmt, int zulu) static char * ApplyModifiers(char *nstr, const char *tstr, int startc, int endc, - Var *v, GNode *ctxt, Boolean errnum, Boolean wantit, + Var *v, GNode *ctxt, int flags, int *lengthPtr, void **freePtr) { const char *start; @@ -2494,7 +2517,7 @@ ApplyModifiers(char *nstr, const char *tstr, int rlen; int c; - rval = Var_Parse(tstr, ctxt, errnum, wantit, &rlen, &freeIt); + rval = Var_Parse(tstr, ctxt, flags, &rlen, &freeIt); /* * If we have not parsed up to endc or ':', @@ -2519,10 +2542,9 @@ ApplyModifiers(char *nstr, const char *tstr, int used; nstr = ApplyModifiers(nstr, rval, - 0, 0, - v, ctxt, errnum, wantit, &used, freePtr); + 0, 0, v, ctxt, flags, &used, freePtr); if (nstr == var_Error - || (nstr == varNoError && errnum == 0) + || (nstr == varNoError && (flags & VARF_UNDEFERR) == 0) || strlen(rval) != (size_t) used) { free(freeIt); goto out; /* error already reported */ @@ -2557,7 +2579,7 @@ ApplyModifiers(char *nstr, const char *tstr, char *sv_name; VarPattern pattern; int how; - int flags; + int vflags; if (v->name[0] == 0) goto bad_modifier; @@ -2593,9 +2615,9 @@ ApplyModifiers(char *nstr, const char *tstr, delim = startc == PROPEN ? PRCLOSE : BRCLOSE; pattern.flags = 0; - flags = (wantit) ? 0 : VAR_NOSUBST; - pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum, - &cp, delim, &flags, + vflags = (flags & VARF_WANTRES) ? 0 : VAR_NOSUBST; + pattern.rhs = VarGetPattern(ctxt, &parsestate, flags, + &cp, delim, &vflags, &pattern.rightLen, NULL); if (v->flags & VAR_JUNK) { @@ -2609,7 +2631,7 @@ ApplyModifiers(char *nstr, const char *tstr, termc = *--cp; delim = '\0'; - if (wantit) { + if (flags & VARF_WANTRES) { switch (how) { case '+': Var_Append(v->name, pattern.rhs, v_ctxt); @@ -2640,29 +2662,30 @@ ApplyModifiers(char *nstr, const char *tstr, case '@': { VarLoop_t loop; - int flags = VAR_NOSUBST; + int vflags = VAR_NOSUBST; cp = ++tstr; delim = '@'; - if ((loop.tvar = VarGetPattern(ctxt, &parsestate, errnum, + if ((loop.tvar = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, - &flags, &loop.tvarLen, + &vflags, &loop.tvarLen, NULL)) == NULL) goto cleanup; - if ((loop.str = VarGetPattern(ctxt, &parsestate, errnum, + if ((loop.str = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, - &flags, &loop.strLen, + &vflags, &loop.strLen, NULL)) == NULL) goto cleanup; termc = *cp; delim = '\0'; - loop.errnum = errnum; + loop.errnum = flags & VARF_UNDEFERR; loop.ctxt = ctxt; newStr = VarModify(ctxt, &parsestate, nstr, VarLoopExpand, &loop); + Var_Delete(loop.tvar, ctxt); free(loop.tvar); free(loop.str); break; @@ -2671,15 +2694,19 @@ ApplyModifiers(char *nstr, const char *tstr, case 'U': { Buffer buf; /* Buffer for patterns */ - int wantit_; /* want data in buffer */ + int nflags; - if (wantit) { + if (flags & VARF_WANTRES) { + int wantres; if (*tstr == 'U') - wantit_ = ((v->flags & VAR_JUNK) != 0); + wantres = ((v->flags & VAR_JUNK) != 0); else - wantit_ = ((v->flags & VAR_JUNK) == 0); + wantres = ((v->flags & VAR_JUNK) == 0); + nflags = flags & ~VARF_WANTRES; + if (wantres) + nflags |= VARF_WANTRES; } else - wantit_ = wantit; + nflags = flags; /* * Pass through tstr looking for 1) escaped delimiters, * '$'s and backslashes (place the escaped character in @@ -2708,7 +2735,7 @@ ApplyModifiers(char *nstr, const char *tstr, int len; void *freeIt; - cp2 = Var_Parse(cp, ctxt, errnum, wantit_, &len, &freeIt); + cp2 = Var_Parse(cp, ctxt, nflags, &len, &freeIt); Buf_AddBytes(&buf, strlen(cp2), cp2); free(freeIt); cp += len - 1; @@ -2721,7 +2748,7 @@ ApplyModifiers(char *nstr, const char *tstr, if ((v->flags & VAR_JUNK) != 0) v->flags |= VAR_KEEP; - if (wantit_) { + if (nflags & VARF_WANTRES) { newStr = Buf_Destroy(&buf, FALSE); } else { newStr = nstr; @@ -2768,12 +2795,12 @@ ApplyModifiers(char *nstr, const char *tstr, delim = '!'; emsg = NULL; cp = ++tstr; - if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum, + if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, NULL, &pattern.rightLen, NULL)) == NULL) goto cleanup; - if (wantit) + if (flags & VARF_WANTRES) newStr = Cmd_Exec(pattern.rhs, &emsg); else newStr = varNoError; @@ -2801,7 +2828,7 @@ ApplyModifiers(char *nstr, const char *tstr, cp = tstr+1; /* point to char after '[' */ delim = ']'; /* look for closing ']' */ estr = VarGetPattern(ctxt, &parsestate, - errnum, &cp, delim, + flags, &cp, delim, NULL, NULL, NULL); if (estr == NULL) goto cleanup; /* report missing ']' */ @@ -2978,6 +3005,9 @@ ApplyModifiers(char *nstr, const char *tstr, parsestate.varSpace = 0; /* no separator */ cp = tstr + 2; } else if (tstr[2] == '\\') { + const char *xp = &tstr[3]; + int base = 8; /* assume octal */ + switch (tstr[3]) { case 'n': parsestate.varSpace = '\n'; @@ -2987,12 +3017,20 @@ ApplyModifiers(char *nstr, const char *tstr, parsestate.varSpace = '\t'; cp = tstr + 4; break; + case 'x': + base = 16; + xp++; + goto get_numeric; + case '0': + base = 0; + goto get_numeric; default: if (isdigit((unsigned char)tstr[3])) { char *ep; + get_numeric: parsestate.varSpace = - strtoul(&tstr[3], &ep, 0); + strtoul(xp, &ep, base); if (*ep != ':' && *ep != endc) goto bad_modifier; cp = ep; @@ -3152,7 +3190,7 @@ ApplyModifiers(char *nstr, const char *tstr, * expand it. */ cp2 = pattern; - pattern = Var_Subst(NULL, cp2, ctxt, errnum, TRUE); + pattern = Var_Subst(NULL, cp2, ctxt, flags | VARF_WANTRES); free(cp2); } if (DEBUG(VAR)) @@ -3188,14 +3226,14 @@ ApplyModifiers(char *nstr, const char *tstr, } cp = tstr; - if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, errnum, + if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, &pattern.flags, &pattern.leftLen, NULL)) == NULL) goto cleanup; - if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum, + if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, NULL, &pattern.rightLen, &pattern)) == NULL) @@ -3242,7 +3280,7 @@ ApplyModifiers(char *nstr, const char *tstr, int lhs_flags, rhs_flags; /* find ':', and then substitute accordingly */ - if (wantit) { + if (flags & VARF_WANTRES) { cond_rc = Cond_EvalExpression(NULL, v->name, &value, 0, FALSE); if (cond_rc == COND_INVALID) { lhs_flags = rhs_flags = VAR_NOSUBST; @@ -3262,7 +3300,7 @@ ApplyModifiers(char *nstr, const char *tstr, cp = ++tstr; delim = ':'; - if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, errnum, + if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, &lhs_flags, &pattern.leftLen, NULL)) == NULL) @@ -3270,7 +3308,7 @@ ApplyModifiers(char *nstr, const char *tstr, /* BROPEN or PROPEN */ delim = endc; - if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, errnum, + if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, &rhs_flags, &pattern.rightLen, NULL)) == NULL) @@ -3311,12 +3349,12 @@ ApplyModifiers(char *nstr, const char *tstr, cp = tstr; - if ((re = VarGetPattern(ctxt, &parsestate, errnum, &cp, delim, + if ((re = VarGetPattern(ctxt, &parsestate, flags, &cp, delim, NULL, NULL, NULL)) == NULL) goto cleanup; if ((pattern.replace = VarGetPattern(ctxt, &parsestate, - errnum, &cp, delim, NULL, + flags, &cp, delim, NULL, NULL, NULL)) == NULL){ free(re); goto cleanup; @@ -3440,7 +3478,7 @@ ApplyModifiers(char *nstr, const char *tstr, case 's': if (tstr[1] == 'h' && (tstr[2] == endc || tstr[2] == ':')) { const char *emsg; - if (wantit) { + if (flags & VARF_WANTRES) { newStr = Cmd_Exec(nstr, &emsg); if (emsg) Error(emsg, nstr); @@ -3493,12 +3531,12 @@ ApplyModifiers(char *nstr, const char *tstr, delim='='; cp = tstr; if ((pattern.lhs = VarGetPattern(ctxt, &parsestate, - errnum, &cp, delim, &pattern.flags, + flags, &cp, delim, &pattern.flags, &pattern.leftLen, NULL)) == NULL) goto cleanup; delim = endc; if ((pattern.rhs = VarGetPattern(ctxt, &parsestate, - errnum, &cp, delim, NULL, &pattern.rightLen, + flags, &cp, delim, NULL, &pattern.rightLen, &pattern)) == NULL) goto cleanup; @@ -3581,8 +3619,9 @@ ApplyModifiers(char *nstr, const char *tstr, * Input: * str The string to parse * ctxt The context for the variable - * errnum TRUE if undefined variables are an error - * wantit TRUE if we actually want the result + * flags VARF_UNDEFERR if undefineds are an error + * VARF_WANTRES if we actually want the result + * VARF_ASSIGN if we are in a := assignment * lengthPtr OUT: The length of the specification * freePtr OUT: Non-NULL if caller should free *freePtr * @@ -3601,9 +3640,8 @@ ApplyModifiers(char *nstr, const char *tstr, */ /* coverity[+alloc : arg-*4] */ char * -Var_Parse(const char *str, GNode *ctxt, - Boolean errnum, Boolean wantit, - int *lengthPtr, void **freePtr) +Var_Parse(const char *str, GNode *ctxt, int flags, + int *lengthPtr, void **freePtr) { const char *tstr; /* Pointer into str */ Var *v; /* Variable in invocation */ @@ -3671,7 +3709,7 @@ Var_Parse(const char *str, GNode *ctxt, /* * Error */ - return (errnum ? var_Error : varNoError); + return (flags & VARF_UNDEFERR) ? var_Error : varNoError; } else { haveModifier = FALSE; tstr = &str[1]; @@ -3708,7 +3746,7 @@ Var_Parse(const char *str, GNode *ctxt, if (*tstr == '$') { int rlen; void *freeIt; - char *rval = Var_Parse(tstr, ctxt, errnum, wantit, &rlen, &freeIt); + char *rval = Var_Parse(tstr, ctxt, flags, &rlen, &freeIt); if (rval != NULL) { Buf_AddBytes(&buf, strlen(rval), rval); } @@ -3821,7 +3859,7 @@ Var_Parse(const char *str, GNode *ctxt, return(pstr); } else { Buf_Destroy(&buf, TRUE); - return (errnum ? var_Error : varNoError); + return (flags & VARF_UNDEFERR) ? var_Error : varNoError; } } else { /* @@ -3855,7 +3893,7 @@ Var_Parse(const char *str, GNode *ctxt, */ nstr = Buf_GetAll(&v->val, NULL); if (strchr(nstr, '$') != NULL) { - nstr = Var_Subst(NULL, nstr, ctxt, errnum, wantit); + nstr = Var_Subst(NULL, nstr, ctxt, flags); *freePtr = nstr; } @@ -3868,7 +3906,7 @@ Var_Parse(const char *str, GNode *ctxt, extraFree = NULL; if (extramodifiers != NULL) { nstr = ApplyModifiers(nstr, extramodifiers, '(', ')', - v, ctxt, errnum, wantit, &used, &extraFree); + v, ctxt, flags, &used, &extraFree); } if (haveModifier) { @@ -3876,7 +3914,7 @@ Var_Parse(const char *str, GNode *ctxt, tstr++; nstr = ApplyModifiers(nstr, tstr, startc, endc, - v, ctxt, errnum, wantit, &used, freePtr); + v, ctxt, flags, &used, freePtr); tstr += used; free(extraFree); } else { @@ -3917,7 +3955,7 @@ Var_Parse(const char *str, GNode *ctxt, nstr = bmake_strndup(start, *lengthPtr); *freePtr = nstr; } else { - nstr = errnum ? var_Error : varNoError; + nstr = (flags & VARF_UNDEFERR) ? var_Error : varNoError; } } if (nstr != Buf_GetAll(&v->val, NULL)) @@ -3932,15 +3970,16 @@ Var_Parse(const char *str, GNode *ctxt, *----------------------------------------------------------------------- * Var_Subst -- * Substitute for all variables in the given string in the given context - * If undefErr is TRUE, Parse_Error will be called when an undefined + * If flags & VARF_UNDEFERR, Parse_Error will be called when an undefined * variable is encountered. * * Input: * var Named variable || NULL for all * str the string which to substitute * ctxt the context wherein to find variables - * undefErr TRUE if undefineds are an error - * wantit TRUE if we actually want the result + * flags VARF_UNDEFERR if undefineds are an error + * VARF_WANTRES if we actually want the result + * VARF_ASSIGN if we are in a := assignment * * Results: * The resulting string. @@ -3950,8 +3989,7 @@ Var_Parse(const char *str, GNode *ctxt, *----------------------------------------------------------------------- */ char * -Var_Subst(const char *var, const char *str, GNode *ctxt, - Boolean undefErr, Boolean wantit) +Var_Subst(const char *var, const char *str, GNode *ctxt, int flags) { Buffer buf; /* Buffer for forming things */ char *val; /* Value to substitute for a variable */ @@ -3975,6 +4013,8 @@ Var_Subst(const char *var, const char *str, GNode *ctxt, * In such a case, we skip over the escape character and store the * dollar sign into the buffer directly. */ + if (save_dollars && (flags & VARF_ASSIGN)) + Buf_AddByte(&buf, *str); str++; Buf_AddByte(&buf, *str); str++; @@ -4049,7 +4089,7 @@ Var_Subst(const char *var, const char *str, GNode *ctxt, continue; } - val = Var_Parse(str, ctxt, undefErr, wantit, &length, &freeIt); + val = Var_Parse(str, ctxt, flags, &length, &freeIt); /* * When we come down here, val should either point to the @@ -4066,7 +4106,7 @@ Var_Subst(const char *var, const char *str, GNode *ctxt, */ if (oldVars) { str += length; - } else if (undefErr || val == var_Error) { + } else if ((flags & VARF_UNDEFERR) || val == var_Error) { /* * If variable is undefined, complain and skip the * variable. The complaint will stop us from doing anything diff --git a/share/mk/dirdeps.mk b/share/mk/dirdeps.mk index a989f95..efc729c 100644 --- a/share/mk/dirdeps.mk +++ b/share/mk/dirdeps.mk @@ -1,5 +1,5 @@ # $FreeBSD$ -# $Id: dirdeps.mk,v 1.55 2015/10/20 22:04:53 sjg Exp $ +# $Id: dirdeps.mk,v 1.59 2016/02/26 23:32:29 sjg Exp $ # Copyright (c) 2010-2013, Juniper Networks, Inc. # All rights reserved. @@ -122,6 +122,9 @@ _DIRDEP_USE_LEVEL?= 0 # and non-specific Makefile.depend* .if !target(_DIRDEP_USE) +# make sure we get the behavior we expect +.MAKE.SAVE_DOLLARS = no + # do some setup we only need once _CURDIR ?= ${.CURDIR} _OBJDIR ?= ${.OBJDIR} @@ -257,11 +260,8 @@ DEP_RELDIR := ${DIRDEPS:R:[1]} MK_DIRDEPS_CACHE = no .endif - -# pickup customizations -# as below you can use !target(_DIRDEP_USE) to protect things -# which should only be done once. -.-include "local.dirdeps.mk" +# reset each time through +_build_all_dirs = # the first time we are included the _DIRDEP_USE target will not be defined # we can use this as a clue to do initialization and other one time things. @@ -281,6 +281,14 @@ DEBUG_DIRDEPS ?= no # remember the initial value of DEP_RELDIR - we test for it below. _DEP_RELDIR := ${DEP_RELDIR} +.endif + +# pickup customizations +# as below you can use !target(_DIRDEP_USE) to protect things +# which should only be done once. +.-include "local.dirdeps.mk" + +.if !target(_DIRDEP_USE) # things we skip for host tools SKIP_HOSTDIR ?= @@ -400,6 +408,7 @@ ${DIRDEPS_CACHE}: .META .NOMETA_CMP MAKEFLAGS= ${.MAKE} -C ${_CURDIR} -f ${BUILD_DIRDEPS_MAKEFILE} \ ${BUILD_DIRDEPS_TARGETS} BUILD_DIRDEPS_CACHE=yes \ .MAKE.DEPENDFILE=.none \ + ${.MAKEFLAGS:tW:S,-D ,-D,g:tw:M*WITH*} \ 3>&1 1>&2 | sed 's,${SRCTOP},$${SRCTOP},g' >> ${.TARGET}.new && \ mv ${.TARGET}.new ${.TARGET} @@ -480,7 +489,11 @@ _build_dirs += ${_machines:@m@${_CURDIR}.$m@} _build_dirs += ${_machines:N${DEP_TARGET_SPEC}:@m@${_CURDIR}.$m@} .if ${DEP_TARGET_SPEC} == ${TARGET_SPEC} # pickup local dependencies now +.if ${MAKE_VERSION} < 20160220 .-include <.depend> +.else +.dinclude <.depend> +.endif .endif .endif .endif @@ -532,22 +545,25 @@ _build_dirs += \ # qualify everything now _build_dirs := ${_build_dirs:${M_dep_qual_fixes:ts:}:O:u} +_build_all_dirs += ${_build_dirs} +_build_all_dirs := ${_build_all_dirs:O:u} + .endif # empty DIRDEPS # Normally if doing make -V something, # we do not want to waste time chasing DIRDEPS # but if we want to count the number of Makefile.depend* read, we do. .if ${.MAKEFLAGS:M-V${_V_READ_DIRDEPS}} == "" -.if !empty(_build_dirs) +.if !empty(_build_all_dirs) .if ${BUILD_DIRDEPS_CACHE} == "yes" x!= { echo; echo '\# ${DEP_RELDIR}.${DEP_TARGET_SPEC}'; \ - echo 'dirdeps: ${_build_dirs:${M_oneperline}}'; echo; } >&3; echo -x!= { ${_build_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo + echo 'dirdeps: ${_build_all_dirs:${M_oneperline}}'; echo; } >&3; echo +x!= { ${_build_all_dirs:@x@${target($x):?:echo '$x: _DIRDEP_USE';}@} echo; } >&3; echo .else # this makes it all happen -dirdeps: ${_build_dirs} +dirdeps: ${_build_all_dirs} .endif -${_build_dirs}: _DIRDEP_USE +${_build_all_dirs}: _DIRDEP_USE .if ${_debug_reldir} .info ${DEP_RELDIR}.${DEP_TARGET_SPEC}: needs: ${_build_dirs} @@ -581,14 +597,14 @@ ${_this_dir}.$m: ${_build_dirs:M*.$m:N${_this_dir}.$m} .endif # Now find more dependencies - and recurse. -.for d in ${_build_dirs} +.for d in ${_build_all_dirs} .if ${_DIRDEP_CHECKED:M$d} == "" # once only _DIRDEP_CHECKED += $d .if ${_debug_search} .info checking $d .endif -# Note: _build_dirs is fully qualifed so d:R is always the directory +# Note: _build_all_dirs is fully qualifed so d:R is always the directory .if exists(${d:R}) # Warning: there is an assumption here that MACHINE is always # the first entry in TARGET_SPEC_VARS. @@ -628,28 +644,37 @@ DIRDEPS = DEP_RELDIR := ${RELDIR} _DEP_RELDIR := ${RELDIR} # pickup local dependencies +.if ${MAKE_VERSION} < 20160220 .-include <.depend> +.else +.dinclude <.depend> +.endif .endif # bootstrapping new dependencies made easy? -.if (make(bootstrap) || make(bootstrap-recurse)) && !target(bootstrap) +.if !target(bootstrap) && (make(bootstrap) || \ + make(bootstrap-this) || \ + make(bootstrap-recurse) || \ + make(bootstrap-empty)) .if exists(${.CURDIR}/${.MAKE.DEPENDFILE:T}) # stop here ${.TARGETS:Mboot*}: -.else +.elif !make(bootstrap-empty) # find a Makefile.depend to use as _src _src != cd ${.CURDIR} && for m in ${.MAKE.DEPENDFILE_PREFERENCE:T:S,${MACHINE},*,}; do test -s $$m || continue; echo $$m; break; done; echo .if empty(_src) -.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T} +.error cannot find any of ${.MAKE.DEPENDFILE_PREFERENCE:T}${.newline}Use: bootstrap-empty .endif _src?= ${.MAKE.DEPENDFILE:T} +# just create Makefile.depend* for this dir bootstrap-this: .NOTMAIN @echo Bootstrapping ${RELDIR}/${.MAKE.DEPENDFILE:T} from ${_src:T} (cd ${.CURDIR} && sed 's,${_src:E},${MACHINE},g' ${_src} > ${.MAKE.DEPENDFILE:T}) +# create Makefile.depend* for this dir and its dependencies bootstrap: bootstrap-recurse bootstrap-recurse: bootstrap-this @@ -664,4 +689,11 @@ bootstrap-recurse: .NOTMAIN .MAKE done .endif + +# create an empty Makefile.depend* to get the ball rolling. +bootstrap-empty: .NOTMAIN .NOMETA + @echo Creating empty ${RELDIR}/${.MAKE.DEPENDFILE:T}; \ + echo You need to build ${RELDIR} to correctly populate it. + @{ echo DIRDEPS=; echo ".include "; } > ${.CURDIR}/${.MAKE.DEPENDFILE:T} + .endif diff --git a/share/mk/gendirdeps.mk b/share/mk/gendirdeps.mk index b4d1386..cacb570 100644 --- a/share/mk/gendirdeps.mk +++ b/share/mk/gendirdeps.mk @@ -1,5 +1,5 @@ # $FreeBSD$ -# $Id: gendirdeps.mk,v 1.29 2015/10/03 05:00:46 sjg Exp $ +# $Id: gendirdeps.mk,v 1.30 2016/02/27 00:20:39 sjg Exp $ # Copyright (c) 2010-2013, Juniper Networks, Inc. # All rights reserved. @@ -310,7 +310,7 @@ CAT_DEPEND ?= .depend # .depend may contain things we don't want. # The sed command at the end of the stream, allows for the filters # to output _{VAR} tokens which we will turn into proper ${VAR} references. -${_DEPENDFILE}: ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS} +${_DEPENDFILE}: .NOMETA ${CAT_DEPEND:M.depend} ${META_FILES:O:u:@m@${exists($m):?$m:}@} ${_this} ${META2DEPS} @(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \ echo 'DIRDEPS = \'; \ echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \ @@ -330,7 +330,7 @@ DIRDEPS := ${SUBDIR:S,^,${RELDIR}/,:O:u} all: ${_DEPENDFILE} -${_DEPENDFILE}: ${MAKEFILE} ${_this} +${_DEPENDFILE}: .NOMETA ${MAKEFILE} ${_this} @(${GENDIRDEPS_HEADER} echo '# Autogenerated - do NOT edit!'; echo; \ echo 'DIRDEPS = \'; \ echo '${DIRDEPS:@d@ $d \\${.newline}@}'; echo; \ diff --git a/share/mk/meta.autodep.mk b/share/mk/meta.autodep.mk index aa41c6e..ac0c408 100644 --- a/share/mk/meta.autodep.mk +++ b/share/mk/meta.autodep.mk @@ -1,5 +1,5 @@ # $FreeBSD$ -# $Id: meta.autodep.mk,v 1.36 2014/08/02 23:10:29 sjg Exp $ +# $Id: meta.autodep.mk,v 1.40 2016/02/22 22:44:58 sjg Exp $ # # @(#) Copyright (c) 2010, Simon J. Gerraty @@ -87,7 +87,7 @@ WANT_UPDATE_DEPENDFILE ?= yes .endif .if ${WANT_UPDATE_DEPENDFILE:Uno:tl} != "no" -.if ${.MAKE.MODE:Mmeta*} == "" || ${.MAKE.MODE:M*read*} != "" +.if ${.MAKE.MODE:Uno:Mmeta*} == "" || ${.MAKE.MODE:Uno:M*read*} != "" UPDATE_DEPENDFILE = no .endif diff --git a/share/mk/meta.stage.mk b/share/mk/meta.stage.mk index 0f5f37d..e315828 100644 --- a/share/mk/meta.stage.mk +++ b/share/mk/meta.stage.mk @@ -1,5 +1,5 @@ # $FreeBSD$ -# $Id: meta.stage.mk,v 1.35 2015/05/20 06:40:33 sjg Exp $ +# $Id: meta.stage.mk,v 1.43 2016/02/24 18:46:32 sjg Exp $ # # @(#) Copyright (c) 2011, Simon J. Gerraty # @@ -27,7 +27,7 @@ _dirdep = ${RELDIR} CLEANFILES+= .dirdep # this allows us to trace dependencies back to their src dir -.dirdep: +.dirdep: .NOPATH @echo '${_dirdep}' > $@ .if defined(NO_POSIX_SHELL) || ${type printf:L:sh:Mbuiltin} == "" @@ -242,7 +242,7 @@ CLEANFILES += ${STAGE_TARGETS} stage_incs stage_includes # for non-jobs mode the order here matters staging: ${STAGE_TARGETS:N*_links} ${STAGE_TARGETS:M*_links} -.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:M*_links} != "" +.if ${.MAKE.JOBS:U0} > 0 && ${STAGE_TARGETS:U:M*_links} != "" # the above isn't sufficient .for t in ${STAGE_TARGETS:N*links:O:u} .ORDER: $t stage_links diff --git a/share/mk/meta.sys.mk b/share/mk/meta.sys.mk index 8a42b6c..5c68c88 100644 --- a/share/mk/meta.sys.mk +++ b/share/mk/meta.sys.mk @@ -111,7 +111,7 @@ _metaError: .NOMETA .NOTMAIN .endif # Are we, after all, in meta mode? -.if ${.MAKE.MODE:Mmeta*} != "" +.if ${.MAKE.MODE:Uno:Mmeta*} != "" MKDEP_MK = meta.autodep.mk # if we think we are updating dependencies, diff --git a/share/mk/sys.dependfile.mk b/share/mk/sys.dependfile.mk index d12d939..745873f 100644 --- a/share/mk/sys.dependfile.mk +++ b/share/mk/sys.dependfile.mk @@ -1,5 +1,5 @@ # $FreeBSD$ -# $Id: sys.dependfile.mk,v 1.6 2014/08/02 18:02:06 sjg Exp $ +# $Id: sys.dependfile.mk,v 1.7 2016/02/20 01:57:39 sjg Exp $ # # @(#) Copyright (c) 2012, Simon J. Gerraty # @@ -49,8 +49,10 @@ _e := ${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@} # MACHINE specific depend files are supported, but *not* default. # If any already exist, we should follow suit. _aml = ${ALL_MACHINE_LIST:Uarm amd64 i386 powerpc:N${MACHINE}} ${MACHINE} -# MACHINE must be the last entry in _aml ;-) +# make sure we restore MACHINE +_m := ${MACHINE} _e := ${_aml:@MACHINE@${.MAKE.DEPENDFILE_PREFERENCE:@m@${exists($m):?$m:}@}@} +MACHINE := ${_m} .if !empty(_e) .MAKE.DEPENDFILE ?= ${.MAKE.DEPENDFILE_PREFERENCE:M*${MACHINE}:[1]} .endif diff --git a/usr.bin/bmake/Makefile b/usr.bin/bmake/Makefile index 7b18da6..3981c29 100644 --- a/usr.bin/bmake/Makefile +++ b/usr.bin/bmake/Makefile @@ -14,10 +14,10 @@ CFLAGS+= -I${.CURDIR} CLEANDIRS+= FreeBSD CLEANFILES+= bootstrap -# $Id: Makefile,v 1.49 2015/12/20 22:54:40 sjg Exp $ +# $Id: Makefile,v 1.55 2016/03/07 22:02:47 sjg Exp $ # Base version on src date -MAKE_VERSION= 20151220 +MAKE_VERSION= 20160307 PROG?= ${.CURDIR:T} -- cgit v1.1 From 2f6fcdc43750a94a0e4088c3dd9204b80a8fe661 Mon Sep 17 00:00:00 2001 From: np Date: Fri, 11 Mar 2016 01:54:43 +0000 Subject: cxgbe(4): Add a sysctl for the event capture mask of the TP block's logic analyzer. dev.t5nex..misc.tp_la_mask dev.t4nex..misc.tp_la_mask --- sys/dev/cxgbe/t4_main.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index 8daf3e4..fa2f593 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -476,6 +476,7 @@ static int sysctl_rdma_stats(SYSCTL_HANDLER_ARGS); static int sysctl_tcp_stats(SYSCTL_HANDLER_ARGS); static int sysctl_tids(SYSCTL_HANDLER_ARGS); static int sysctl_tp_err_stats(SYSCTL_HANDLER_ARGS); +static int sysctl_tp_la_mask(SYSCTL_HANDLER_ARGS); static int sysctl_tp_la(SYSCTL_HANDLER_ARGS); static int sysctl_tx_rate(SYSCTL_HANDLER_ARGS); static int sysctl_ulprx_la(SYSCTL_HANDLER_ARGS); @@ -4808,6 +4809,10 @@ t4_sysctls(struct adapter *sc) CTLTYPE_STRING | CTLFLAG_RD, sc, 0, sysctl_tp_err_stats, "A", "TP error statistics"); + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "tp_la_mask", + CTLTYPE_INT | CTLFLAG_RW, sc, 0, sysctl_tp_la_mask, "I", + "TP logic analyzer event capture mask"); + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "tp_la", CTLTYPE_STRING | CTLFLAG_RD, sc, 0, sysctl_tp_la, "A", "TP logic analyzer"); @@ -6994,6 +6999,26 @@ sysctl_tp_err_stats(SYSCTL_HANDLER_ARGS) return (rc); } +static int +sysctl_tp_la_mask(SYSCTL_HANDLER_ARGS) +{ + struct adapter *sc = arg1; + struct tp_params *tpp = &sc->params.tp; + u_int mask; + int rc; + + mask = tpp->la_mask >> 16; + rc = sysctl_handle_int(oidp, &mask, 0, req); + if (rc != 0 || req->newptr == NULL) + return (rc); + if (mask > 0xffff) + return (EINVAL); + tpp->la_mask = mask << 16; + t4_set_reg_field(sc, A_TP_DBG_LA_CONFIG, 0xffff0000U, tpp->la_mask); + + return (0); +} + struct field_desc { const char *name; u_int start; -- cgit v1.1 From 7dc9277bbcf0bc3c8ab1e322cbf565246556ca80 Mon Sep 17 00:00:00 2001 From: np Date: Fri, 11 Mar 2016 03:15:17 +0000 Subject: cxgbe(4): Add sysctls to display the TP microcode version and the expansion rom version (if there's one). trantor:~# sysctl dev.t4nex dev.t5nex | grep _version dev.t4nex.0.firmware_version: 1.15.28.0 dev.t4nex.0.tp_version: 0.1.9.4 dev.t5nex.0.firmware_version: 1.15.28.0 dev.t5nex.0.exprom_version: 1.0.0.68 dev.t5nex.0.tp_version: 0.1.4.9 --- sys/dev/cxgbe/adapter.h | 4 +++- sys/dev/cxgbe/common/common.h | 1 + sys/dev/cxgbe/t4_main.c | 25 +++++++++++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/sys/dev/cxgbe/adapter.h b/sys/dev/cxgbe/adapter.h index 32c9c2b..8cb9983 100644 --- a/sys/dev/cxgbe/adapter.h +++ b/sys/dev/cxgbe/adapter.h @@ -803,7 +803,9 @@ struct adapter { int tracer_valid; /* bitmap of valid tracers */ int tracer_enabled; /* bitmap of enabled tracers */ - char fw_version[32]; + char fw_version[16]; + char tp_version[16]; + char exprom_version[16]; char cfg_file[32]; u_int cfcsum; struct adapter_params params; diff --git a/sys/dev/cxgbe/common/common.h b/sys/dev/cxgbe/common/common.h index 89a9506..cc6edf3 100644 --- a/sys/dev/cxgbe/common/common.h +++ b/sys/dev/cxgbe/common/common.h @@ -290,6 +290,7 @@ struct adapter_params { unsigned int fw_vers; unsigned int tp_vers; + unsigned int exprom_vers; unsigned short mtus[NMTUS]; unsigned short a_wnd[NCCTRL_WIN]; diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index fa2f593..d724002 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -2826,7 +2826,24 @@ prep_firmware(struct adapter *sc) G_FW_HDR_FW_VER_MINOR(sc->params.fw_vers), G_FW_HDR_FW_VER_MICRO(sc->params.fw_vers), G_FW_HDR_FW_VER_BUILD(sc->params.fw_vers)); + t4_get_tp_version(sc, &sc->params.tp_vers); + snprintf(sc->tp_version, sizeof(sc->tp_version), "%u.%u.%u.%u", + G_FW_HDR_FW_VER_MAJOR(sc->params.tp_vers), + G_FW_HDR_FW_VER_MINOR(sc->params.tp_vers), + G_FW_HDR_FW_VER_MICRO(sc->params.tp_vers), + G_FW_HDR_FW_VER_BUILD(sc->params.tp_vers)); + + if (t4_get_exprom_version(sc, &sc->params.exprom_vers) != 0) + sc->params.exprom_vers = 0; + else { + snprintf(sc->exprom_version, sizeof(sc->exprom_version), + "%u.%u.%u.%u", + G_FW_HDR_FW_VER_MAJOR(sc->params.exprom_vers), + G_FW_HDR_FW_VER_MINOR(sc->params.exprom_vers), + G_FW_HDR_FW_VER_MICRO(sc->params.exprom_vers), + G_FW_HDR_FW_VER_BUILD(sc->params.exprom_vers)); + } /* Reset device */ if (need_fw_reset && @@ -4594,6 +4611,14 @@ t4_sysctls(struct adapter *sc) SYSCTL_ADD_INT(ctx, children, OID_AUTO, "hw_revision", CTLFLAG_RD, NULL, chip_rev(sc), "chip hardware revision"); + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "tp_version", + CTLFLAG_RD, sc->tp_version, 0, "TP microcode version"); + + if (sc->params.exprom_vers != 0) { + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "exprom_version", + CTLFLAG_RD, sc->exprom_version, 0, "expansion ROM version"); + } + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "firmware_version", CTLFLAG_RD, sc->fw_version, 0, "firmware version"); -- cgit v1.1 From 4006aeb76ce367d441e21ef2042893daa8de4955 Mon Sep 17 00:00:00 2001 From: imp Date: Fri, 11 Mar 2016 03:38:10 +0000 Subject: Factor out lib32 generation to its own file. This is prep for a similar Makefile.libsoft which will do the same for armv6 soft fp API libraries in prep for pulling the trigger on moving to armv6 hard float. Once there's two files, I'll work with bdrewery@ to merge the two files as they are mostly the same. The high rate of churn for Makefile* makes it quite difficult to make progress out of tree. Differential Review: https://reviews.freebsd.org/D5566 --- Makefile.inc1 | 135 +------------------------------------------------------- Makefile.lib32 | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 138 insertions(+), 133 deletions(-) create mode 100644 Makefile.lib32 diff --git a/Makefile.inc1 b/Makefile.inc1 index 85e1a60..36e464f 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -454,70 +454,11 @@ XCXXFLAGS+= ${BFLAGS} .endif .endif # ${XCC:M/*} -WMAKE= ${WMAKEENV} ${MAKE} ${WORLD_FLAGS} -f Makefile.inc1 DESTDIR=${WORLDTMP} - .if ${TARGET_ARCH} == "amd64" || ${TARGET_ARCH} == "powerpc64" -# 32 bit world -LIB32_OBJTREE= ${OBJTREE}${.CURDIR}/world32 -LIB32TMP= ${OBJTREE}${.CURDIR}/lib32 - -.if ${TARGET_ARCH} == "amd64" -.if empty(TARGET_CPUTYPE) -LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2 -.else -LIB32CPUFLAGS= -march=${TARGET_CPUTYPE} -.endif -LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \ - MACHINE_CPU="i686 mmx sse sse2" -LIB32WMAKEFLAGS= \ - AS="${XAS} --32" \ - LD="${XLD} -m elf_i386_fbsd -Y P,${LIB32TMP}/usr/lib32" \ - OBJCOPY="${XOBJCOPY}" - -.elif ${TARGET_ARCH} == "powerpc64" -.if empty(TARGET_CPUTYPE) -LIB32CPUFLAGS= -mcpu=powerpc -.else -LIB32CPUFLAGS= -mcpu=${TARGET_CPUTYPE} -.endif -LIB32WMAKEENV= MACHINE=powerpc MACHINE_ARCH=powerpc -LIB32WMAKEFLAGS= \ - LD="${XLD} -m elf32ppc_fbsd" \ - OBJCOPY="${XOBJCOPY}" +.include "Makefile.lib32" .endif - -LIB32FLAGS= -m32 ${LIB32CPUFLAGS} -DCOMPAT_32BIT \ - -isystem ${LIB32TMP}/usr/include/ \ - -L${LIB32TMP}/usr/lib32 \ - -B${LIB32TMP}/usr/lib32 -.if ${XCC:N${CCACHE_BIN}:M/*} -LIB32FLAGS+= --sysroot=${WORLDTMP} -.endif - -# Yes, the flags are redundant. -LIB32WMAKEENV+= MAKEOBJDIRPREFIX=${LIB32_OBJTREE} \ - _LDSCRIPTROOT=${LIB32TMP} \ - INSTALL="sh ${.CURDIR}/tools/install.sh" \ - PATH=${TMPPATH} \ - LIBDIR=/usr/lib32 \ - SHLIBDIR=/usr/lib32 \ - DTRACE="${DTRACE} -32" -LIB32WMAKEFLAGS+= CC="${XCC} ${LIB32FLAGS}" \ - CXX="${XCXX} ${LIB32FLAGS}" \ - DESTDIR=${LIB32TMP} \ - -DCOMPAT_32BIT \ - -DLIBRARIES_ONLY \ - -DNO_CPU_CFLAGS \ - MK_CTF=no \ - -DNO_LINT \ - MK_TESTS=no - -LIB32WMAKE= ${LIB32WMAKEENV} ${MAKE} ${LIB32WMAKEFLAGS} \ - MK_MAN=no MK_HTML=no -LIB32IMAKE= ${LIB32WMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} \ - MK_TOOLCHAIN=no ${IMAKE_INSTALL} -.endif +WMAKE= ${WMAKEENV} ${MAKE} ${WORLD_FLAGS} -f Makefile.inc1 DESTDIR=${WORLDTMP} IMAKEENV= ${CROSSENV:N_LDSCRIPTROOT=*} IMAKE= ${IMAKEENV} ${MAKE} -f Makefile.inc1 \ @@ -700,78 +641,6 @@ everything: @echo ">>> stage 4.4: building everything" @echo "--------------------------------------------------------------" ${_+_}cd ${.CURDIR}; _PARALLEL_SUBDIR_OK=1 ${WMAKE} all -.if defined(LIB32TMP) -build32: .PHONY - @echo - @echo "--------------------------------------------------------------" - @echo ">>> stage 5.1: building 32 bit shim libraries" - @echo "--------------------------------------------------------------" - mkdir -p ${LIB32TMP}/usr/include - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ - -p ${LIB32TMP}/usr >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \ - -p ${LIB32TMP}/usr/include >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ - -p ${LIB32TMP}/usr >/dev/null -.if ${MK_DEBUG_FILES} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ - -p ${LIB32TMP}/usr/lib >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ - -p ${LIB32TMP}/usr/lib/debug/usr >/dev/null -.endif - mkdir -p ${WORLDTMP} - ln -sf ${.CURDIR}/sys ${WORLDTMP} -.for _t in obj includes - ${_+_}cd ${.CURDIR}/include; ${LIB32WMAKE} DIRPRFX=include/ ${_t} - ${_+_}cd ${.CURDIR}/lib; ${LIB32WMAKE} DIRPRFX=lib/ ${_t} -.if ${MK_CDDL} != "no" - ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32WMAKE} DIRPRFX=cddl/lib/ ${_t} -.endif - ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32WMAKE} DIRPRFX=gnu/lib/ ${_t} -.if ${MK_CRYPT} != "no" - ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32WMAKE} DIRPRFX=secure/lib/ ${_t} -.endif -.if ${MK_KERBEROS} != "no" - ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32WMAKE} DIRPRFX=kerberos5/lib ${_t} -.endif -.endfor -.for _dir in usr.bin/lex/lib - ${_+_}cd ${.CURDIR}/${_dir}; ${LIB32WMAKE} DIRPRFX=${_dir}/ obj -.endfor -.for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic - ${_+_}cd ${.CURDIR}/${_dir}; \ - WORLDTMP=${WORLDTMP} \ - MAKEFLAGS="-m ${.CURDIR}/tools/build/mk ${.MAKEFLAGS}" \ - MAKEOBJDIRPREFIX=${LIB32_OBJTREE} ${MAKE} SSP_CFLAGS= DESTDIR= \ - DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ - build-tools -.endfor - ${_+_}cd ${.CURDIR}; \ - ${LIB32WMAKE} -f Makefile.inc1 -DNO_FSCHG libraries -.for _t in obj depend all - ${_+_}cd ${.CURDIR}/libexec/rtld-elf; PROG=ld-elf32.so.1 ${LIB32WMAKE} \ - -DNO_FSCHG DIRPRFX=libexec/rtld-elf/ ${_t} - ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32WMAKE} \ - DIRPRFX=usr.bin/ldd ${_t} -.endfor - -distribute32 install32: .MAKE .PHONY - ${_+_}cd ${.CURDIR}/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.if ${MK_CDDL} != "no" - ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.endif - ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.if ${MK_CRYPT} != "no" - ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.endif -.if ${MK_KERBEROS} != "no" - ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.endif - ${_+_}cd ${.CURDIR}/libexec/rtld-elf; \ - PROG=ld-elf32.so.1 ${LIB32IMAKE} ${.TARGET:S/32$//} - ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32IMAKE} \ - ${.TARGET:S/32$//} -.endif WMAKE_TGTS= WMAKE_TGTS+= _worldtmp _legacy diff --git a/Makefile.lib32 b/Makefile.lib32 new file mode 100644 index 0000000..e385d53 --- /dev/null +++ b/Makefile.lib32 @@ -0,0 +1,136 @@ +# $FreeBSD$ + +# Makefile for the 32-bit compat libraries on PowerPC and AMD64. +# could also be for mips, but that doesn't work today. + +# 32 bit world +LIB32_OBJTREE= ${OBJTREE}${.CURDIR}/world32 +LIB32TMP= ${OBJTREE}${.CURDIR}/lib32 + +.if ${TARGET_ARCH} == "amd64" +.if empty(TARGET_CPUTYPE) +LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2 +.else +LIB32CPUFLAGS= -march=${TARGET_CPUTYPE} +.endif +LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \ + MACHINE_CPU="i686 mmx sse sse2" +LIB32WMAKEFLAGS= \ + AS="${XAS} --32" \ + LD="${XLD} -m elf_i386_fbsd -Y P,${LIB32TMP}/usr/lib32" \ + OBJCOPY="${XOBJCOPY}" + +.elif ${TARGET_ARCH} == "powerpc64" +.if empty(TARGET_CPUTYPE) +LIB32CPUFLAGS= -mcpu=powerpc +.else +LIB32CPUFLAGS= -mcpu=${TARGET_CPUTYPE} +.endif +LIB32WMAKEENV= MACHINE=powerpc MACHINE_ARCH=powerpc +LIB32WMAKEFLAGS= \ + LD="${XLD} -m elf32ppc_fbsd" \ + OBJCOPY="${XOBJCOPY}" +.endif + + +LIB32FLAGS= -m32 ${LIB32CPUFLAGS} -DCOMPAT_32BIT \ + -isystem ${LIB32TMP}/usr/include/ \ + -L${LIB32TMP}/usr/lib32 \ + -B${LIB32TMP}/usr/lib32 +.if ${XCC:N${CCACHE_BIN}:M/*} +LIB32FLAGS+= --sysroot=${WORLDTMP} +.endif + +# Yes, the flags are redundant. +LIB32WMAKEENV+= MAKEOBJDIRPREFIX=${LIB32_OBJTREE} \ + _LDSCRIPTROOT=${LIB32TMP} \ + INSTALL="sh ${.CURDIR}/tools/install.sh" \ + PATH=${TMPPATH} \ + LIBDIR=/usr/lib32 \ + SHLIBDIR=/usr/lib32 \ + DTRACE="${DTRACE} -32" +LIB32WMAKEFLAGS+= CC="${XCC} ${LIB32FLAGS}" \ + CXX="${XCXX} ${LIB32FLAGS}" \ + DESTDIR=${LIB32TMP} \ + -DCOMPAT_32BIT \ + -DLIBRARIES_ONLY \ + -DNO_CPU_CFLAGS \ + MK_CTF=no \ + -DNO_LINT \ + MK_TESTS=no + +LIB32WMAKE= ${LIB32WMAKEENV} ${MAKE} ${LIB32WMAKEFLAGS} \ + MK_MAN=no MK_HTML=no +LIB32IMAKE= ${LIB32WMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} \ + MK_TOOLCHAIN=no ${IMAKE_INSTALL} + +build32: .PHONY + @echo + @echo "--------------------------------------------------------------" + @echo ">>> stage 5.1: building 32 bit shim libraries" + @echo "--------------------------------------------------------------" + mkdir -p ${LIB32TMP}/usr/include + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ + -p ${LIB32TMP}/usr >/dev/null + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \ + -p ${LIB32TMP}/usr/include >/dev/null + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ + -p ${LIB32TMP}/usr >/dev/null +.if ${MK_DEBUG_FILES} != "no" + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ + -p ${LIB32TMP}/usr/lib >/dev/null + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ + -p ${LIB32TMP}/usr/lib/debug/usr >/dev/null +.endif + mkdir -p ${WORLDTMP} + ln -sf ${.CURDIR}/sys ${WORLDTMP} +.for _t in obj includes + ${_+_}cd ${.CURDIR}/include; ${LIB32WMAKE} DIRPRFX=include/ ${_t} + ${_+_}cd ${.CURDIR}/lib; ${LIB32WMAKE} DIRPRFX=lib/ ${_t} +.if ${MK_CDDL} != "no" + ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32WMAKE} DIRPRFX=cddl/lib/ ${_t} +.endif + ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32WMAKE} DIRPRFX=gnu/lib/ ${_t} +.if ${MK_CRYPT} != "no" + ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32WMAKE} DIRPRFX=secure/lib/ ${_t} +.endif +.if ${MK_KERBEROS} != "no" + ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32WMAKE} DIRPRFX=kerberos5/lib ${_t} +.endif +.endfor +.for _dir in usr.bin/lex/lib + ${_+_}cd ${.CURDIR}/${_dir}; ${LIB32WMAKE} DIRPRFX=${_dir}/ obj +.endfor +.for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic + ${_+_}cd ${.CURDIR}/${_dir}; \ + WORLDTMP=${WORLDTMP} \ + MAKEFLAGS="-m ${.CURDIR}/tools/build/mk ${.MAKEFLAGS}" \ + MAKEOBJDIRPREFIX=${LIB32_OBJTREE} ${MAKE} SSP_CFLAGS= DESTDIR= \ + DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ + build-tools +.endfor + ${_+_}cd ${.CURDIR}; \ + ${LIB32WMAKE} -f Makefile.inc1 -DNO_FSCHG libraries +.for _t in obj depend all + ${_+_}cd ${.CURDIR}/libexec/rtld-elf; PROG=ld-elf32.so.1 ${LIB32WMAKE} \ + -DNO_FSCHG DIRPRFX=libexec/rtld-elf/ ${_t} + ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32WMAKE} \ + DIRPRFX=usr.bin/ldd ${_t} +.endfor + +distribute32 install32: .MAKE .PHONY + ${_+_}cd ${.CURDIR}/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} +.if ${MK_CDDL} != "no" + ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} +.endif + ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} +.if ${MK_CRYPT} != "no" + ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} +.endif +.if ${MK_KERBEROS} != "no" + ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} +.endif + ${_+_}cd ${.CURDIR}/libexec/rtld-elf; \ + PROG=ld-elf32.so.1 ${LIB32IMAKE} ${.TARGET:S/32$//} + ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32IMAKE} \ + ${.TARGET:S/32$//} -- cgit v1.1 From 26d856133116a9034d5a02ce72674e0a70e3c059 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 04:09:47 +0000 Subject: Fix make -n upgrade_checks. MFC after: 1 week Sponsored by: EMC / Isilon Storage Division --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a80dec9..40af8ca 100644 --- a/Makefile +++ b/Makefile @@ -301,7 +301,7 @@ kernel: buildkernel installkernel upgrade_checks: .if ${HAVE_MAKE} != ${WANT_MAKE} || \ (defined(WANT_MAKE_VERSION) && ${MAKE_VERSION} < ${WANT_MAKE_VERSION}) - @(cd ${.CURDIR} && ${MAKE} ${WANT_MAKE:S,^f,,}) + @${_+_}(cd ${.CURDIR} && ${MAKE} ${WANT_MAKE:S,^f,,}) .endif # -- cgit v1.1 From 749836195e7ff31d84dd08e44abc3b8d8cfb588f Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 04:09:50 +0000 Subject: Fix upgrade of bmake by not setting conflicting MAKE_VERSION. This may be used in later checks, such as in bsd.dep.mk, to enable features that rely on the built-in value. Sponsored by: EMC / Isilon Storage Division --- usr.bin/bmake/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.bin/bmake/Makefile b/usr.bin/bmake/Makefile index 3981c29..b3291ed 100644 --- a/usr.bin/bmake/Makefile +++ b/usr.bin/bmake/Makefile @@ -17,7 +17,7 @@ CLEANFILES+= bootstrap # $Id: Makefile,v 1.55 2016/03/07 22:02:47 sjg Exp $ # Base version on src date -MAKE_VERSION= 20160307 +_MAKE_VERSION= 20160307 PROG?= ${.CURDIR:T} @@ -92,7 +92,7 @@ CFLAGS+= ${CPPFLAGS} CFLAGS+= -D_PATH_DEFSYSPATH=\"${DEFAULT_SYS_PATH}\" CFLAGS+= -I. -I${srcdir} ${XDEFS} -DMAKE_NATIVE CFLAGS+= ${COPTS.${.ALLSRC:M*.c:T:u}} -COPTS.main.c+= "-DMAKE_VERSION=\"${MAKE_VERSION}\"" +COPTS.main.c+= "-DMAKE_VERSION=\"${_MAKE_VERSION}\"" # meta mode can be useful even without filemon FILEMON_H ?= /usr/include/dev/filemon/filemon.h -- cgit v1.1 From ef44939f33a0e14b0928cc8f20b6f51151334431 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 04:09:53 +0000 Subject: Fix bmake upgrade NO_MAN warnings. MFC after: 1 week Sponsored by: EMC / Isilon Storage Division --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 40af8ca..bc191e1 100644 --- a/Makefile +++ b/Makefile @@ -311,9 +311,10 @@ upgrade_checks: # MMAKEENV= MAKEOBJDIRPREFIX=${MYMAKE:H} \ DESTDIR= \ + MK_MAN=no \ INSTALL="sh ${.CURDIR}/tools/install.sh" MMAKE= ${MMAKEENV} ${MAKE} \ - -DNO_MAN -DNO_SHARED \ + -DNO_SHARED \ -DNO_CPU_CFLAGS -DNO_WERROR \ MK_TESTS=no \ DESTDIR= PROGNAME=${MYMAKE:T} -- cgit v1.1 From f0db244394c49d3031076230e3282062aa6ae429 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 04:09:56 +0000 Subject: FAST_DEPEND: Use .dinclude to enable full .depend logic in bmake. The inclusion of .MAKE.DEPENDFILE (.depend) has special logic in make to ignore stale/missing dependencies. bmake 20160220 added a '.dinclude' directive that uses the special logic for .depend when including the file. This fixes a build error when a file is moved or deleted that exists in a .depend.OBJ file. This happened in r292782 when sha512c.c "moved" and an incremental build of lib/libmd would fail with: make: don't know how to make /usr/src/lib/libcrypt/../libmd/sha512c.c. Stop Now this will just be seen as a stale dependency and cause a rebuild: make: /usr/obj/usr/src/lib/libmd/.depend.sha512c.o, 13: ignoring stale .depend for /usr/src/lib/libcrypt/../libmd/sha512c.c --- sha512c.o --- ... This rebuild will only be done once since the .depend.sha512c.o will be updated on the build with the -MF flags. This also removes -MP being passed for the .depend.OBJ generation (which would create fake targets for system headers) since the logic is no longer needed to protect from missing files. Sponsored by: EMC / Isilon Storage Division --- Makefile | 2 ++ share/mk/bsd.dep.mk | 6 ++++++ sys/conf/kern.post.mk | 9 ++++++++- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index bc191e1..49fe0ab 100644 --- a/Makefile +++ b/Makefile @@ -159,6 +159,8 @@ _MAKEOBJDIRPREFIX!= /usr/bin/env -i PATH=${PATH} MK_AUTO_OBJ=no ${MAKE} \ # We cannot blindly use a make which may not be the one we want # so be exlicit - until all choice is removed. WANT_MAKE= bmake +# 20160220 - support .dinclude for FAST_DEPEND. +WANT_MAKE_VERSION= 20160220 MYMAKE= ${MAKEOBJDIRPREFIX}${.CURDIR}/make.${MACHINE}/${WANT_MAKE} .if defined(.PARSEDIR) HAVE_MAKE= bmake diff --git a/share/mk/bsd.dep.mk b/share/mk/bsd.dep.mk index 19ab9e5..92c10a4 100644 --- a/share/mk/bsd.dep.mk +++ b/share/mk/bsd.dep.mk @@ -176,7 +176,9 @@ ${_D}.po: ${_DSRC} ${POBJS:S/^${_D}.po$//} _meta_filemon= 1 .endif .if ${MK_FAST_DEPEND} == "yes" +.if ${MAKE_VERSION} < 20160220 DEPEND_MP?= -MP +.endif # Handle OBJS=../somefile.o hacks. Just replace '/' rather than use :T to # avoid collisions. DEPEND_FILTER= C,/,_,g @@ -200,7 +202,11 @@ CFLAGS+= ${DEPEND_CFLAGS} .endif .if !defined(_SKIP_READ_DEPEND) .for __depend_obj in ${DEPENDFILES_OBJS} +.if ${MAKE_VERSION} < 20160220 .sinclude "${.OBJDIR}/${__depend_obj}" +.else +.dinclude "${.OBJDIR}/${__depend_obj}" +.endif .endfor .endif # !defined(_SKIP_READ_DEPEND) .endif # !defined(_meta_filemon) diff --git a/sys/conf/kern.post.mk b/sys/conf/kern.post.mk index ba2c792..d5047a8 100644 --- a/sys/conf/kern.post.mk +++ b/sys/conf/kern.post.mk @@ -231,7 +231,10 @@ _meta_filemon= 1 .if ${MK_FAST_DEPEND} == "yes" DEPENDOBJS+= ${SYSTEM_OBJS} genassym.o DEPENDFILES_OBJS= ${DEPENDOBJS:O:u:C/^/.depend./} -DEPEND_CFLAGS+= -MD -MP -MF.depend.${.TARGET} +.if ${MAKE_VERSION} < 20160220 +DEPEND_MP?= -MP +.endif +DEPEND_CFLAGS+= -MD ${DEPEND_MP} -MF.depend.${.TARGET} DEPEND_CFLAGS+= -MT${.TARGET} .if !defined(_meta_filemon) .if defined(.PARSEDIR) @@ -244,7 +247,11 @@ CFLAGS+= ${DEPEND_CFLAGS} .endif .if !defined(_SKIP_READ_DEPEND) .for __depend_obj in ${DEPENDFILES_OBJS} +.if ${MAKE_VERSION} < 20160220 .sinclude "${.OBJDIR}/${__depend_obj}" +.else +.dinclude "${.OBJDIR}/${__depend_obj}" +.endif .endfor .endif # !defined(_SKIP_READ_DEPEND) .endif # !defined(_meta_filemon) -- cgit v1.1 From 7d184288717893d0b477ef3ca74b465dc38f9203 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 04:17:39 +0000 Subject: Use the new bmake .dinclude feature to make these safe. At least FAST_DEPEND won't even run 'make depend', so the code was potentially broken with FAST_DEPEND anyhow. The .dinclude directive will ignore missing files rather than make them be fatal. Sponsored by: EMC / Isilon Storage Division --- lib/clang/clang.build.mk | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/lib/clang/clang.build.mk b/lib/clang/clang.build.mk index 8ab2399..5a3d169 100644 --- a/lib/clang/clang.build.mk +++ b/lib/clang/clang.build.mk @@ -240,11 +240,15 @@ Checkers.inc.h: ${CLANG_SRCS}/lib/StaticAnalyzer/Checkers/Checkers.td -I ${CLANG_SRCS}/include -d ${.TARGET:C/\.h$/.d/} -o ${.TARGET} \ ${CLANG_SRCS}/lib/StaticAnalyzer/Checkers/Checkers.td -.if !make(depend) -. for dep in ${TGHDRS:C/$/.inc.d/} -. sinclude "${dep}" -. endfor -.endif +.for dep in ${TGHDRS:C/$/.inc.d/} +. if ${MAKE_VERSION} < 20160220 +. if !make(depend) +. sinclude "${dep}" +. endif +. else +. dinclude "${dep}" +. endif +.endfor SRCS+= ${TGHDRS:C/$/.inc.h/} CLEANFILES+= ${TGHDRS:C/$/.inc.h/} ${TGHDRS:C/$/.inc.d/} -- cgit v1.1 From 888ca89bc6c26e54b31a84cb42509792a76a5ae1 Mon Sep 17 00:00:00 2001 From: ak Date: Fri, 11 Mar 2016 06:07:09 +0000 Subject: - Implement -T option to allow to specify a fs type for a vnode-backed memory disk - Rephrase -t option description (manpage) - Split long sentences (manpage) Differential Review: https://reviews.freebsd.org/D4394 Reviewed by: mav, wblock (manpage) Approved by: mav --- sbin/mdmfs/mdmfs.8 | 34 +++++++++++++++++++++++++++------- sbin/mdmfs/mdmfs.c | 5 ++++- 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/sbin/mdmfs/mdmfs.8 b/sbin/mdmfs/mdmfs.8 index f38d29d..a91cab2 100644 --- a/sbin/mdmfs/mdmfs.8 +++ b/sbin/mdmfs/mdmfs.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 7, 2016 +.Dd March 9, 2016 .Dt MDMFS 8 .Os .Sh NAME @@ -36,7 +36,7 @@ driver .Sh SYNOPSIS .Nm -.Op Fl DLlMNnPStUX +.Op Fl DLlMNnPStTUX .Op Fl a Ar maxcontig .Op Fl b Ar block-size .Op Fl c Ar blocks-per-cylinder-group @@ -51,6 +51,7 @@ driver .Op Fl o Ar mount-options .Op Fl p Ar permissions .Op Fl s Ar size +.Op Fl T Ar fstype .Op Fl v Ar version .Op Fl w Ar user : Ns Ar group .Ar md-device @@ -228,10 +229,19 @@ backed disks .It Fl t Turn on the TRIM enable flag for .Xr newfs 8 . -The +When used with a file system that issue BIO_DELETE bio requests, .Xr md 4 -device supports the BIO_DELETE command, enabling the TRIM on created -filesystem allows return of freed memory to the system pool. +returns deleted blocks to the system memory pool. +.It Fl T Ar fstype +Specify a file system type for a vnode-backed memory disk. +Any file system supported by +.Xr mount 8 +command can be specified. +This option only makes sense when +.Fl F +and +.Fl P +are used. .It Fl U Enable soft-updates on the file system. This is the default, and is accepted only @@ -283,8 +293,8 @@ and .Fl n options are passed to .Xr newfs 8 -with the same letter; -the +with the same letter. +The .Fl O option is passed to .Xr newfs 8 @@ -295,6 +305,12 @@ The option is passed to .Xr mount 8 with the same letter. +The +.Fl T +option is passed to +.Xr mount 8 +as +.Fl t . See the programs that the options are passed to for more information on their semantics. .Sh EXAMPLES @@ -335,6 +351,10 @@ Configure a vnode-backed file system and mount its first partition, using automatic device numbering: .Pp .Dl "mdmfs -P -F foo.img mds1a /tmp/" +.Pp +Mount a vnode-backed cd9660 file system using automatic device numbering: +.Pp +.Dl "mdmfs -T cd9660 -P -F foo.iso md /tmp" .Sh COMPATIBILITY The .Nm diff --git a/sbin/mdmfs/mdmfs.c b/sbin/mdmfs/mdmfs.c index 66a6911..4b3a012 100644 --- a/sbin/mdmfs/mdmfs.c +++ b/sbin/mdmfs/mdmfs.c @@ -129,7 +129,7 @@ main(int argc, char **argv) } while ((ch = getopt(argc, argv, - "a:b:Cc:Dd:E:e:F:f:hi:LlMm:NnO:o:Pp:Ss:tUv:w:X")) != -1) + "a:b:Cc:Dd:E:e:F:f:hi:LlMm:NnO:o:Pp:Ss:tT:Uv:w:X")) != -1) switch (ch) { case 'a': argappend(&newfs_arg, "-a %s", optarg); @@ -218,6 +218,9 @@ main(int argc, char **argv) case 't': argappend(&newfs_arg, "-t"); break; + case 'T': + argappend(&mount_arg, "-t %s", optarg); + break; case 'U': softdep = true; break; -- cgit v1.1 From e7840322090ad3f571294048641dfa7c0602d7b0 Mon Sep 17 00:00:00 2001 From: des Date: Fri, 11 Mar 2016 11:38:31 +0000 Subject: Define __bounded__ to fix the gcc build. While there, raise WARNS. --- lib/libpam/modules/pam_ssh/Makefile | 1 - lib/libpam/modules/pam_ssh/pam_ssh.c | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/libpam/modules/pam_ssh/Makefile b/lib/libpam/modules/pam_ssh/Makefile index af44d6e..a2dabc5 100644 --- a/lib/libpam/modules/pam_ssh/Makefile +++ b/lib/libpam/modules/pam_ssh/Makefile @@ -7,7 +7,6 @@ LIB= pam_ssh MAN= pam_ssh.8 SRCS= pam_ssh.c -WARNS?= 3 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h SRCS+= ssh_namespace.h diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c index 8fc68fd..f95c737 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.c +++ b/lib/libpam/modules/pam_ssh/pam_ssh.c @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include +#define __bounded__(x, y, z) #include "key.h" #include "buffer.h" #include "authfd.h" @@ -84,7 +85,9 @@ static const char *pam_ssh_keyfiles[] = { }; static const char *pam_ssh_agent = "/usr/bin/ssh-agent"; -static char *const pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL }; +static char str_ssh_agent[] = "ssh-agent"; +static char str_dash_s[] = "-s"; +static char *const pam_ssh_agent_argv[] = { str_ssh_agent, str_dash_s, NULL }; static char *const pam_ssh_agent_envp[] = { NULL }; /* -- cgit v1.1 From ef2ed17f02a0af84f0a43734e9a433a9ab080fa9 Mon Sep 17 00:00:00 2001 From: kib Date: Fri, 11 Mar 2016 11:51:38 +0000 Subject: Do not perform unneccessary shared recursion on the allproc_lock in pfs_visible(). The recursion does not cause deadlock because the sx implementation does not prefer exclusive waiters over the shared, but this is an implementation detail. Reported by: pho, Matthew Bryan Reviewed by: jhb Tested by: pho Approved by: des (pseudofs maintainer) Sponsored by: The FreeBSD Foundation MFC after: 2 weeks --- sys/fs/pseudofs/pseudofs_vnops.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c index f00b4b2..7a9ec7b 100644 --- a/sys/fs/pseudofs/pseudofs_vnops.c +++ b/sys/fs/pseudofs/pseudofs_vnops.c @@ -104,7 +104,8 @@ pfs_visible_proc(struct thread *td, struct pfs_node *pn, struct proc *proc) } static int -pfs_visible(struct thread *td, struct pfs_node *pn, pid_t pid, struct proc **p) +pfs_visible(struct thread *td, struct pfs_node *pn, pid_t pid, + bool allproc_locked, struct proc **p) { struct proc *proc; @@ -115,7 +116,8 @@ pfs_visible(struct thread *td, struct pfs_node *pn, pid_t pid, struct proc **p) *p = NULL; if (pid == NO_PID) PFS_RETURN (1); - if ((proc = pfind(pid)) == NULL) + proc = allproc_locked ? pfind_locked(pid) : pfind(pid); + if (proc == NULL) PFS_RETURN (0); if (pfs_visible_proc(td, pn, proc)) { if (p) @@ -202,7 +204,7 @@ pfs_getattr(struct vop_getattr_args *va) PFS_TRACE(("%s", pn->pn_name)); pfs_assert_not_owned(pn); - if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) + if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc)) PFS_RETURN (ENOENT); vap->va_type = vn->v_type; @@ -293,7 +295,7 @@ pfs_ioctl(struct vop_ioctl_args *va) * This is necessary because process' privileges may * have changed since the open() call. */ - if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) { + if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc)) { VOP_UNLOCK(vn, 0); PFS_RETURN (EIO); } @@ -326,7 +328,7 @@ pfs_getextattr(struct vop_getextattr_args *va) * This is necessary because either process' privileges may * have changed since the open() call. */ - if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) + if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc)) PFS_RETURN (EIO); if (pn->pn_getextattr == NULL) @@ -462,7 +464,7 @@ pfs_lookup(struct vop_cachedlookup_args *va) PFS_RETURN (ENOENT); /* check that parent directory is visible... */ - if (!pfs_visible(curthread, pd, pvd->pvd_pid, NULL)) + if (!pfs_visible(curthread, pd, pvd->pvd_pid, false, NULL)) PFS_RETURN (ENOENT); /* self */ @@ -546,7 +548,7 @@ pfs_lookup(struct vop_cachedlookup_args *va) got_pnode: pfs_assert_not_owned(pd); pfs_assert_not_owned(pn); - visible = pfs_visible(curthread, pn, pid, NULL); + visible = pfs_visible(curthread, pn, pid, false, NULL); if (!visible) { error = ENOENT; goto failed; @@ -635,7 +637,7 @@ pfs_read(struct vop_read_args *va) * This is necessary because either process' privileges may * have changed since the open() call. */ - if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) + if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc)) PFS_RETURN (EIO); if (proc != NULL) { _PHOLD(proc); @@ -791,7 +793,7 @@ pfs_readdir(struct vop_readdir_args *va) pfs_lock(pd); /* check if the directory is visible to the caller */ - if (!pfs_visible(curthread, pd, pid, &proc)) { + if (!pfs_visible(curthread, pd, pid, true, &proc)) { sx_sunlock(&allproc_lock); pfs_unlock(pd); PFS_RETURN (ENOENT); @@ -995,7 +997,7 @@ pfs_write(struct vop_write_args *va) * This is necessary because either process' privileges may * have changed since the open() call. */ - if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) + if (!pfs_visible(curthread, pn, pvd->pvd_pid, false, &proc)) PFS_RETURN (EIO); if (proc != NULL) { _PHOLD(proc); -- cgit v1.1 From 3e5354d8c8b08bcae46d71b7bde6be0350cf1653 Mon Sep 17 00:00:00 2001 From: mav Date: Fri, 11 Mar 2016 12:59:07 +0000 Subject: Allow standard commands for "unknown" classes in RESCUE mode. For example, it allows quite useful `geom disk list` command. MFC after: 1 week --- sbin/geom/core/geom.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sbin/geom/core/geom.c b/sbin/geom/core/geom.c index 5d23d93..e0b77ba 100644 --- a/sbin/geom/core/geom.c +++ b/sbin/geom/core/geom.c @@ -635,8 +635,7 @@ get_class(int *argc, char ***argv) } else if (!strcasecmp(class_name, "label")) { version = &glabel_version; class_commands = glabel_class_commands; - } else - errx(EXIT_FAILURE, "Invalid class name."); + } #endif /* !STATIC_GEOM_CLASSES */ set_class_name(); -- cgit v1.1 From 12eea6c323c4eb88d113ab239c8285c419542dac Mon Sep 17 00:00:00 2001 From: mav Date: Fri, 11 Mar 2016 13:06:11 +0000 Subject: Use `geom disk list` instead `camcontrol identify`. The new way works for almost any disk, while the old only for ATA. MFC after: 2 weeks --- usr.sbin/pc-sysinstall/backend-query/disk-list.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/pc-sysinstall/backend-query/disk-list.sh b/usr.sbin/pc-sysinstall/backend-query/disk-list.sh index 2616ef9..875b330 100755 --- a/usr.sbin/pc-sysinstall/backend-query/disk-list.sh +++ b/usr.sbin/pc-sysinstall/backend-query/disk-list.sh @@ -82,8 +82,8 @@ do esac fi - # Try and find some identification information with camcontrol - NEWLINE=$(camcontrol identify $DEV 2>/dev/null | sed -ne 's/^device model *//p') + # Try and get some identification information from GEOM + NEWLINE=$(geom disk list $DEV 2>/dev/null | sed -ne 's/^ descr: *//p') if [ -z "$NEWLINE" ]; then NEWLINE=" " fi -- cgit v1.1 From c2ff09f6f1cd53d3e6daf040bf6b5106db804a50 Mon Sep 17 00:00:00 2001 From: mav Date: Fri, 11 Mar 2016 14:14:15 +0000 Subject: Unify and improve metadata wiping. MFC after: 2 weeks --- usr.sbin/pc-sysinstall/backend/functions-disk.sh | 42 ++++++++++-------------- 1 file changed, 18 insertions(+), 24 deletions(-) diff --git a/usr.sbin/pc-sysinstall/backend/functions-disk.sh b/usr.sbin/pc-sysinstall/backend/functions-disk.sh index eac10d9..e40bc81 100755 --- a/usr.sbin/pc-sysinstall/backend/functions-disk.sh +++ b/usr.sbin/pc-sysinstall/backend/functions-disk.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -x #- # Copyright (c) 2010 iXsystems, Inc. All rights reserved. # @@ -257,12 +257,7 @@ delete_all_gpart() # Destroy the disk geom rc_nohalt "gpart destroy ${DISK}" - # Make sure we clear any hidden gpt tables - clear_backup_gpt_table "${DISK}" - - # Wipe out front of disk - rc_nohalt "dd if=/dev/zero of=${DISK} count=3000" - + wipe_metadata "${DISK}" }; # Function to export all zpools before starting an install @@ -292,7 +287,7 @@ stop_all_gmirror() then echo_log "Stopping mirror $gprov $DISK" rc_nohalt "gmirror remove $gprov $DISK" - rc_nohalt "dd if=/dev/zero of=/dev/${DISK} count=4096" + wipe_metadata "${DISK}" fi done }; @@ -611,12 +606,17 @@ stop_gjournal() } ; -# Function to wipe the potential backup gpt table from a disk -clear_backup_gpt_table() +# Function to wipe the potential metadata from a disk +wipe_metadata() { - echo_log "Clearing gpt backup table location on disk" - rc_nohalt "dd if=/dev/zero of=${1} bs=1m count=1" - rc_nohalt "dd if=/dev/zero of=${1} bs=1m oseek=`diskinfo ${1} | awk '{print int($3 / (1024*1024)) - 4;}'`" + echo_log "Wiping possible metadata on ${1}" + local SIZE="`diskinfo ${1} | awk '{print int($3/(1024*1024)) }'`" + if [ "$SIZE" -gt "5" ] ; then + rc_halt "dd if=/dev/zero of=${1} bs=1m count=1" + rc_halt "dd if=/dev/zero of=${1} bs=1m oseek=$((SIZE-4))" + else + rc_halt "dd if=/dev/zero of=${1} bs=128k" + fi } ; # Function which runs gpart and creates a single large APM partition scheme @@ -696,8 +696,7 @@ init_mbr_full_disk() rc_halt "gpart add -a 4k -t freebsd -i 1 ${_intDISK}" sleep 2 - echo_log "Cleaning up ${_intDISK}s1" - rc_halt "dd if=/dev/zero of=${_intDISK}s1 count=1024" + wipe_metadata "${_intDISK}s1" # Make the partition active rc_halt "gpart set -a active -i 1 ${_intDISK}" @@ -770,9 +769,7 @@ run_gpart_gpt_part() rc_halt "gpart modify -t freebsd -i ${slicenum} ${DISK}" sleep 2 - # Clean up old partition - echo_log "Cleaning up $slice" - rc_halt "dd if=/dev/zero of=${DISK}p${slicenum} count=1024" + wipe_metadata "${slice}" sleep 4 @@ -830,9 +827,7 @@ run_gpart_slice() rc_halt "gpart modify -t freebsd -i ${slicenum} ${DISK}" sleep 2 - # Clean up old partition - echo_log "Cleaning up $slice" - rc_halt "dd if=/dev/zero of=${DISK}s${slicenum} count=1024" + wipe_metadata "${slice}" sleep 1 @@ -883,9 +878,8 @@ run_gpart_free() echo_log "Running gpart on ${DISK}" rc_halt "gpart add -a 4k -t freebsd -i ${slicenum} ${DISK}" sleep 2 - - echo_log "Cleaning up $slice" - rc_halt "dd if=/dev/zero of=${slice} count=1024" + + wipe_metadata "${slice}" sleep 1 -- cgit v1.1 From b01d3ee35102a84fc26294b6ce195a43f216c098 Mon Sep 17 00:00:00 2001 From: mav Date: Fri, 11 Mar 2016 14:24:32 +0000 Subject: Don't bother to invoke gmirror or zpool if the module is not loaded. --- usr.sbin/pc-sysinstall/backend/functions-disk.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr.sbin/pc-sysinstall/backend/functions-disk.sh b/usr.sbin/pc-sysinstall/backend/functions-disk.sh index e40bc81..014ae25 100755 --- a/usr.sbin/pc-sysinstall/backend/functions-disk.sh +++ b/usr.sbin/pc-sysinstall/backend/functions-disk.sh @@ -263,6 +263,9 @@ delete_all_gpart() # Function to export all zpools before starting an install stop_all_zfs() { + if [ ! -c /dev/zfs ]; then + return; + fi local DISK="`echo ${1} | sed 's|/dev/||g'`" # Export any zpools using this device so we can overwrite @@ -278,6 +281,9 @@ stop_all_zfs() # Function which stops all gmirrors before doing any disk manipulation stop_all_gmirror() { + if [ ! -d /dev/mirror ]; then + return; + fi local DISK="`echo ${1} | sed 's|/dev/||g'`" GPROV="`gmirror list | grep ". Name: mirror/" | cut -d '/' -f 2`" for gprov in $GPROV -- cgit v1.1 From 3c7ee78e6c1fb9705ae5ca97293daf3da09d4e19 Mon Sep 17 00:00:00 2001 From: des Date: Fri, 11 Mar 2016 14:47:14 +0000 Subject: Not ready for level 6 yet due to -Wredundant-decls. --- lib/libpam/modules/pam_ssh/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/libpam/modules/pam_ssh/Makefile b/lib/libpam/modules/pam_ssh/Makefile index a2dabc5..c9240a2 100644 --- a/lib/libpam/modules/pam_ssh/Makefile +++ b/lib/libpam/modules/pam_ssh/Makefile @@ -7,6 +7,7 @@ LIB= pam_ssh MAN= pam_ssh.8 SRCS= pam_ssh.c +WARNS?= 5 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h SRCS+= ssh_namespace.h -- cgit v1.1 From 2a21f7140fd159560fc3e43ecb18ac261bd7b886 Mon Sep 17 00:00:00 2001 From: des Date: Fri, 11 Mar 2016 14:57:40 +0000 Subject: Apply upstream r3651: the IPv6 address of the L root has changed. --- contrib/unbound/iterator/iter_hints.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/unbound/iterator/iter_hints.c b/contrib/unbound/iterator/iter_hints.c index d7f8158..217dfa2 100644 --- a/contrib/unbound/iterator/iter_hints.c +++ b/contrib/unbound/iterator/iter_hints.c @@ -152,7 +152,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed; if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed; if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed; - if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:3::42")) goto failed; + if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:9f::42")) goto failed; if(!ah(dp, "M.ROOT-SERVERS.NET.", "2001:dc3::35")) goto failed; } return dp; -- cgit v1.1 From 80cf8e3a5cd8a8959dab63b8327492bf132f16a4 Mon Sep 17 00:00:00 2001 From: maxim Date: Fri, 11 Mar 2016 15:26:56 +0000 Subject: o Document net.inet.icmp.maskfake and net.inet.icmp.tstamprepl sysctls. --- sbin/ping/ping.8 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/sbin/ping/ping.8 b/sbin/ping/ping.8 index 7617585..24cb432 100644 --- a/sbin/ping/ping.8 +++ b/sbin/ping/ping.8 @@ -28,7 +28,7 @@ .\" @(#)ping.8 8.2 (Berkeley) 12/11/93 .\" $FreeBSD$ .\" -.Dd April 4, 2006 +.Dd March 11, 2016 .Dt PING 8 .Os .Sh NAME @@ -201,10 +201,17 @@ print the netmask of the remote machine. Set the .Va net.inet.icmp.maskrepl MIB variable to enable -.Dv ICMP_MASKREPLY . +.Dv ICMP_MASKREPLY +and +.Va net.inet.icmp.maskfake +if you want to override the netmask in the response. For .Cm time , print the origination, reception and transmission timestamps. +Set the +.Va net.inet.icmp.tstamprepl +MIB variable to enable or disable +.Dv ICMP_TSTAMPREPLY . .It Fl m Ar ttl Set the IP Time To Live for outgoing packets. If not specified, the kernel uses the value of the -- cgit v1.1 From 5c49f37ec40e2afa98cce3c9272acbe063323e27 Mon Sep 17 00:00:00 2001 From: maxim Date: Fri, 11 Mar 2016 15:29:00 +0000 Subject: o Xr icmp(4). --- sbin/ping/ping.8 | 1 + 1 file changed, 1 insertion(+) diff --git a/sbin/ping/ping.8 b/sbin/ping/ping.8 index 24cb432..9e2fe37 100644 --- a/sbin/ping/ping.8 +++ b/sbin/ping/ping.8 @@ -527,6 +527,7 @@ These values are defined in .El .Sh SEE ALSO .Xr netstat 1 , +.Xr icmp 4 , .Xr ifconfig 8 , .Xr routed 8 , .Xr traceroute 8 -- cgit v1.1 From 986728b2546cacf72ad5eceebc3c9b7e118561c4 Mon Sep 17 00:00:00 2001 From: maxim Date: Fri, 11 Mar 2016 16:03:47 +0000 Subject: o Kill EoL whitespaces. No functional changes. --- sbin/ping/ping.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index 1831cb7..1fc1963 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -807,7 +807,7 @@ main(int argc, char *const *argv) datalen = sweepmin; send_len = icmp_len + sweepmin; } - if (options & F_SWEEP && !sweepmax) + if (options & F_SWEEP && !sweepmax) errx(EX_USAGE, "Maximum sweep size must be specified"); /* @@ -845,9 +845,9 @@ main(int argc, char *const *argv) if (sweepmax) (void)printf(": (%d ... %d) data bytes\n", sweepmin, sweepmax); - else + else (void)printf(": %d data bytes\n", datalen); - + } else { if (sweepmax) (void)printf("PING %s: (%d ... %d) data bytes\n", @@ -969,14 +969,14 @@ main(int argc, char *const *argv) } if (n == 0 || options & F_FLOOD) { if (sweepmax && sntransmitted == snpackets) { - for (i = 0; i < sweepincr ; ++i) + for (i = 0; i < sweepincr ; ++i) *datap++ = i; datalen += sweepincr; if (datalen > sweepmax) break; send_len = icmp_len + datalen; sntransmitted = 0; - } + } if (!npackets || ntransmitted < npackets) pinger(); else { @@ -1179,7 +1179,7 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) if (options & F_QUIET) return; - + if (options & F_WAITTIME && triptime > waittime) { ++nrcvtimeout; return; -- cgit v1.1 From e24ba1eb53e66c865d0afc65bbb8e0cb0a424272 Mon Sep 17 00:00:00 2001 From: emaste Date: Fri, 11 Mar 2016 16:24:39 +0000 Subject: libdwarf: fix SHT_REL relocation processing Relocation of type SHT_REL must use the current value as addend. PR: 204084 Obtained from: NetBSD libdwarf_elf_init.c v1.4 --- contrib/elftoolchain/libdwarf/libdwarf_elf_init.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c b/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c index af2d370..5ab6ffc 100644 --- a/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c +++ b/contrib/elftoolchain/libdwarf/libdwarf_elf_init.c @@ -51,7 +51,8 @@ static const char *debug_name[] = { static void _dwarf_elf_write_reloc(Dwarf_Debug dbg, Elf_Data *symtab_data, int endian, - void *buf, uint64_t offset, GElf_Xword r_info, GElf_Sxword r_addend) + void *buf, uint64_t offset, GElf_Xword r_info, GElf_Sxword r_addend, + int is_rel) { GElf_Sym sym; int size; @@ -60,6 +61,14 @@ _dwarf_elf_write_reloc(Dwarf_Debug dbg, Elf_Data *symtab_data, int endian, return; if ((size = _dwarf_get_reloc_size(dbg, GELF_R_TYPE(r_info))) == 0) return; /* Unknown or non-absolute relocation. */ + if (is_rel) { + uint64_t roffset = offset; + + if (endian == ELFDATA2MSB) + r_addend = _dwarf_read_msb(buf, &roffset, size); + else + r_addend = _dwarf_read_lsb(buf, &roffset, size); + } if (endian == ELFDATA2MSB) _dwarf_write_msb(buf, &offset, sym.st_value + r_addend, size); else @@ -76,7 +85,7 @@ _dwarf_elf_apply_rel_reloc(Dwarf_Debug dbg, void *buf, Elf_Data *rel_data, j = 0; while (gelf_getrel(rel_data, j++, &rel) != NULL) _dwarf_elf_write_reloc(dbg, symtab_data, endian, buf, - rel.r_offset, rel.r_info, 0); + rel.r_offset, rel.r_info, 0, 1); } static void @@ -89,7 +98,7 @@ _dwarf_elf_apply_rela_reloc(Dwarf_Debug dbg, void *buf, Elf_Data *rel_data, j = 0; while (gelf_getrela(rel_data, j++, &rela) != NULL) _dwarf_elf_write_reloc(dbg, symtab_data, endian, buf, - rela.r_offset, rela.r_info, rela.r_addend); + rela.r_offset, rela.r_info, rela.r_addend, 0); } static int -- cgit v1.1 From b6a8e1f86ed43d3b931dd278692efebde9cb86e9 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 16:57:41 +0000 Subject: Enable FAST_DEPEND by default. Discussed on: arch Sponsored by: EMC / Isilon Storage Division --- UPDATING | 10 ++++++++++ share/mk/bsd.opts.mk | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/UPDATING b/UPDATING index 09154b6..d3e4545 100644 --- a/UPDATING +++ b/UPDATING @@ -31,6 +31,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20160311: + WITH_FAST_DEPEND is now enabled by default for in-tree and out-of-tree + builds. It no longer runs mkdep(1) during 'make depend', and the + 'make depend' stage can safely be skipped now as it is auto ran + when building 'make all' and will generate all SRCS and DPSRCS before + building anything else. Dependencies are gathered at compile time with + -MF flags kept in separate .depend files per object file. Users should + run 'make cleandepend' once if using -DNO_CLEAN to clean out older + stale .depend files. + 20160306: On amd64, clang 3.8.0 can now insert sections of type AMD64_UNWIND into kernel modules. Therefore, if you load any kernel modules at boot time, diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk index b073782..0fae155 100644 --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk @@ -52,6 +52,7 @@ __DEFAULT_YES_OPTIONS = \ ASSERT_DEBUG \ DEBUG_FILES \ DOCCOMPRESS \ + FAST_DEPEND \ INCLUDES \ INSTALLLIB \ KERBEROS \ @@ -68,7 +69,6 @@ __DEFAULT_YES_OPTIONS = \ __DEFAULT_NO_OPTIONS = \ CCACHE_BUILD \ - FAST_DEPEND \ CTF \ INSTALL_AS_USER \ STALE_STAGED -- cgit v1.1 From 55158da34aced2f13f2257f070c5dd704860d37d Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 17:00:42 +0000 Subject: Add a WITHOUT_FAST_DEPEND --- tools/build/options/WITHOUT_FAST_DEPEND | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 tools/build/options/WITHOUT_FAST_DEPEND diff --git a/tools/build/options/WITHOUT_FAST_DEPEND b/tools/build/options/WITHOUT_FAST_DEPEND new file mode 100644 index 0000000..2e6ca44 --- /dev/null +++ b/tools/build/options/WITHOUT_FAST_DEPEND @@ -0,0 +1,5 @@ +.\" $FreeBSD$ +Set to use the historical +.Xr mkdep 1 +for the "make depend" phase of the build. +This option is deprecated and will be removed soon. -- cgit v1.1 From 666e66d6f6143b8c3196a7e50ffc15575ce85b86 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 17:03:30 +0000 Subject: Regenerate --- share/man/man5/src.conf.5 | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 index 62c288b..b6d9bb4 100644 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -1,7 +1,7 @@ .\" DO NOT EDIT-- this file is automatically generated. .\" from FreeBSD: head/tools/build/options/makeman 292283 2015-12-15 18:42:30Z bdrewery .\" $FreeBSD$ -.Dd March 1, 2016 +.Dd March 11, 2016 .Dt SRC.CONF 5 .Os .Sh NAME @@ -618,14 +618,12 @@ An alternate bootstrap tool chain must be provided. .\" from FreeBSD: head/tools/build/options/WITHOUT_EXAMPLES 156938 2006-03-21 09:06:24Z ru Set to avoid installing examples to .Pa /usr/share/examples/ . -.It Va WITH_FAST_DEPEND -.\" from FreeBSD: head/tools/build/options/WITH_FAST_DEPEND 290433 2015-11-06 04:45:29Z bdrewery -Set to generate -.Sy .depend -files in the build during compilation instead of the -historial +.It Va WITHOUT_FAST_DEPEND +.\" from FreeBSD: head/tools/build/options/WITHOUT_FAST_DEPEND 296669 2016-03-11 17:00:42Z bdrewery +Set to use the historical .Xr mkdep 1 -call during the "make depend" phase. +for the "make depend" phase of the build. +This option is deprecated and will be removed soon. .It Va WITHOUT_FDT .\" from FreeBSD: head/tools/build/options/WITHOUT_FDT 221539 2011-05-06 19:10:27Z ru Set to not build Flattened Device Tree support as part of the base system. -- cgit v1.1 From 6b0e11ca04c2b2e208d61d2e9fe5cb651b73402d Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 17:21:27 +0000 Subject: Revert r296645 as it breaks stable/10->head builds. --- Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 49fe0ab..aa78eff 100644 --- a/Makefile +++ b/Makefile @@ -313,10 +313,9 @@ upgrade_checks: # MMAKEENV= MAKEOBJDIRPREFIX=${MYMAKE:H} \ DESTDIR= \ - MK_MAN=no \ INSTALL="sh ${.CURDIR}/tools/install.sh" MMAKE= ${MMAKEENV} ${MAKE} \ - -DNO_SHARED \ + -DNO_MAN -DNO_SHARED \ -DNO_CPU_CFLAGS -DNO_WERROR \ MK_TESTS=no \ DESTDIR= PROGNAME=${MYMAKE:T} -- cgit v1.1 From 181a3ed1112123edabb8268b17ab32daf347d899 Mon Sep 17 00:00:00 2001 From: dim Date: Fri, 11 Mar 2016 17:25:18 +0000 Subject: In nvmecontrol, fix gcc warnings about the local 'power' variables shadowing a global declaration. --- sbin/nvmecontrol/power.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sbin/nvmecontrol/power.c b/sbin/nvmecontrol/power.c index e681ccd..bf2b882 100644 --- a/sbin/nvmecontrol/power.c +++ b/sbin/nvmecontrol/power.c @@ -87,7 +87,7 @@ power_list(struct nvme_controller_data *cdata) } static void -power_set(int fd, int power, int workload, int perm) +power_set(int fd, int power_val, int workload, int perm) { struct nvme_pt_command pt; uint32_t p; @@ -96,7 +96,7 @@ power_set(int fd, int power, int workload, int perm) memset(&pt, 0, sizeof(pt)); pt.cmd.opc = NVME_OPC_SET_FEATURES; pt.cmd.cdw10 = NVME_FEAT_POWER_MANAGEMENT | p; - pt.cmd.cdw11 = power | (workload << 5); + pt.cmd.cdw11 = power_val | (workload << 5); if (ioctl(fd, NVME_PASSTHROUGH_CMD, &pt) < 0) err(1, "set feature power mgmt request failed"); @@ -127,7 +127,7 @@ void power(int argc, char *argv[]) { struct nvme_controller_data cdata; - int ch, listflag = 0, powerflag = 0, power = 0, fd; + int ch, listflag = 0, powerflag = 0, power_val = 0, fd; int workload = 0; char *end; @@ -138,7 +138,7 @@ power(int argc, char *argv[]) break; case 'p': powerflag = 1; - power = strtol(optarg, &end, 0); + power_val = strtol(optarg, &end, 0); if (*end != '\0') { fprintf(stderr, "Invalid power state number: %s\n", optarg); power_usage(); @@ -174,7 +174,7 @@ power(int argc, char *argv[]) } if (powerflag) { - power_set(fd, power, workload, 0); + power_set(fd, power_val, workload, 0); goto out; } power_show(fd); -- cgit v1.1 From 69832b755023fe3f1647699ea9018f19c110644f Mon Sep 17 00:00:00 2001 From: mav Date: Fri, 11 Mar 2016 17:39:54 +0000 Subject: Oops, remove debugging forgotten in r296655. MFC after: 2 weeks --- usr.sbin/pc-sysinstall/backend/functions-disk.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.sbin/pc-sysinstall/backend/functions-disk.sh b/usr.sbin/pc-sysinstall/backend/functions-disk.sh index 014ae25..0a2cd26 100755 --- a/usr.sbin/pc-sysinstall/backend/functions-disk.sh +++ b/usr.sbin/pc-sysinstall/backend/functions-disk.sh @@ -1,4 +1,4 @@ -#!/bin/sh -x +#!/bin/sh #- # Copyright (c) 2010 iXsystems, Inc. All rights reserved. # -- cgit v1.1 From 7d9586e4d4d73e942a40a9ea62010c0fd9cee812 Mon Sep 17 00:00:00 2001 From: dumbbell Date: Fri, 11 Mar 2016 18:59:15 +0000 Subject: drm: Fix dev->ioctl_count references leak This fixes the following error: kernel: error: [drm:pid1167:drm_release] *ERROR* Device busy: 2 Because of that, drm_lastclose() was not called, leading to a few memory leaks once the driver was unloaded. MFC after: 1 week --- sys/dev/drm2/drm_drv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/dev/drm2/drm_drv.c b/sys/dev/drm2/drm_drv.c index c3e6869..9529ac3 100644 --- a/sys/dev/drm2/drm_drv.c +++ b/sys/dev/drm2/drm_drv.c @@ -386,17 +386,21 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags, switch (cmd) { case FIONBIO: case FIOASYNC: + atomic_dec(&dev->ioctl_count); return 0; case FIOSETOWN: + atomic_dec(&dev->ioctl_count); return fsetown(*(int *)data, &file_priv->minor->buf_sigio); case FIOGETOWN: + atomic_dec(&dev->ioctl_count); *(int *) data = fgetown(&file_priv->minor->buf_sigio); return 0; } if (IOCGROUP(cmd) != DRM_IOCTL_BASE) { + atomic_dec(&dev->ioctl_count); DRM_DEBUG("Bad ioctl group 0x%x\n", (int)IOCGROUP(cmd)); return EINVAL; } -- cgit v1.1 From e5d360f1f25f7c014ec0ddf7244f88f79b611c6d Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 19:24:15 +0000 Subject: Avoid bmake upgrade NO_MAN warning by just setting MAN to empty. Suggested by: imp --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index aa78eff..2dfe009 100644 --- a/Makefile +++ b/Makefile @@ -315,7 +315,7 @@ MMAKEENV= MAKEOBJDIRPREFIX=${MYMAKE:H} \ DESTDIR= \ INSTALL="sh ${.CURDIR}/tools/install.sh" MMAKE= ${MMAKEENV} ${MAKE} \ - -DNO_MAN -DNO_SHARED \ + MAN= -DNO_SHARED \ -DNO_CPU_CFLAGS -DNO_WERROR \ MK_TESTS=no \ DESTDIR= PROGNAME=${MYMAKE:T} -- cgit v1.1 From 5d796db58bf44569d26a792e0dc1c003b4d6468d Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 19:28:43 +0000 Subject: Avoid MK_TESTS error on stable/10 by just preventing SUBDIR recursion. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 2dfe009..e8b3902 100644 --- a/Makefile +++ b/Makefile @@ -317,7 +317,7 @@ MMAKEENV= MAKEOBJDIRPREFIX=${MYMAKE:H} \ MMAKE= ${MMAKEENV} ${MAKE} \ MAN= -DNO_SHARED \ -DNO_CPU_CFLAGS -DNO_WERROR \ - MK_TESTS=no \ + -DNO_SUBDIR \ DESTDIR= PROGNAME=${MYMAKE:T} bmake: .PHONY -- cgit v1.1 From 23ec6e34dcd11362068881933d01b08b710f6faf Mon Sep 17 00:00:00 2001 From: jhibbits Date: Fri, 11 Mar 2016 20:04:32 +0000 Subject: Add to CFLAGS, rather than replacing. This allows additional CFLAGS, as set in bsd.cpu.mk, to go through. --- lib/libunbound/Makefile | 2 +- usr.sbin/unbound/anchor/Makefile | 2 +- usr.sbin/unbound/checkconf/Makefile | 2 +- usr.sbin/unbound/control/Makefile | 2 +- usr.sbin/unbound/daemon/Makefile | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/libunbound/Makefile b/lib/libunbound/Makefile index e348c66..76a61f6 100644 --- a/lib/libunbound/Makefile +++ b/lib/libunbound/Makefile @@ -10,7 +10,7 @@ UNBOUNDDIR= ${.CURDIR}/../../contrib/unbound LIB= unbound PRIVATELIB= -CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR} +CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR} SRCS= alloc.c as112.c autotrust.c config_file.c configlexer.l configparser.y \ context.c dname.c dns.c dns64.c dnstree.c fptr_wlist.c infra.c \ diff --git a/usr.sbin/unbound/anchor/Makefile b/usr.sbin/unbound/anchor/Makefile index 64e01d2..d2431eb 100644 --- a/usr.sbin/unbound/anchor/Makefile +++ b/usr.sbin/unbound/anchor/Makefile @@ -9,7 +9,7 @@ EXPATDIR= ${.CURDIR}/../../../contrib/expat PROG= unbound-anchor SRCS= unbound-anchor.c -CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${EXPATDIR}/lib +CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} -I${EXPATDIR}/lib LIBADD= unbound bsdxml ssl crypto pthread MAN= unbound-anchor.8 diff --git a/usr.sbin/unbound/checkconf/Makefile b/usr.sbin/unbound/checkconf/Makefile index 884465b..98ac3bb 100644 --- a/usr.sbin/unbound/checkconf/Makefile +++ b/usr.sbin/unbound/checkconf/Makefile @@ -8,7 +8,7 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound PROG= unbound-checkconf SRCS= unbound-checkconf.c worker_cb.c -CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} +CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} LIBADD= unbound pthread MAN= unbound-checkconf.8 diff --git a/usr.sbin/unbound/control/Makefile b/usr.sbin/unbound/control/Makefile index 824e441..9aab04a 100644 --- a/usr.sbin/unbound/control/Makefile +++ b/usr.sbin/unbound/control/Makefile @@ -8,7 +8,7 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound PROG= unbound-control SRCS= unbound-control.c worker_cb.c -CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} +CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} LIBADD= unbound crypto ssl pthread MAN= unbound-control.8 diff --git a/usr.sbin/unbound/daemon/Makefile b/usr.sbin/unbound/daemon/Makefile index f90e06e..af42975 100644 --- a/usr.sbin/unbound/daemon/Makefile +++ b/usr.sbin/unbound/daemon/Makefile @@ -8,7 +8,7 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound PROG= unbound SRCS= acl_list.c cachedump.c daemon.c remote.c stats.c unbound.c worker.c -CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} +CFLAGS+= -I${UNBOUNDDIR} -I${LDNSDIR} LIBADD= unbound util ssl crypto pthread MAN= unbound.8 unbound.conf.5 -- cgit v1.1 From c7d3f0869b708ea831a468bafc24c35dcaeb48b1 Mon Sep 17 00:00:00 2001 From: dim Date: Fri, 11 Mar 2016 20:30:06 +0000 Subject: Pull in r246280 from upstream libc++ trunk (by Eric Fiselier): Fix most GCC warnings during build. Only -Wattribute left. This helps to fix a number of -Werror warnings when building world with recent versions of gcc (e.g. the devel/*-xtoolchain-gcc ports). --- contrib/libc++/include/string | 7 ++++--- contrib/libc++/include/system_error | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/contrib/libc++/include/string b/contrib/libc++/include/string index 5777ee2..6e63ab1 100644 --- a/contrib/libc++/include/string +++ b/contrib/libc++/include/string @@ -1445,7 +1445,8 @@ public: _LIBCPP_INLINE_VISIBILITY size_type length() const _NOEXCEPT {return size();} _LIBCPP_INLINE_VISIBILITY size_type max_size() const _NOEXCEPT; _LIBCPP_INLINE_VISIBILITY size_type capacity() const _NOEXCEPT - {return (__is_long() ? __get_long_cap() : __min_cap) - 1;} + {return (__is_long() ? __get_long_cap() + : static_cast(__min_cap)) - 1;} void resize(size_type __n, value_type __c); _LIBCPP_INLINE_VISIBILITY void resize(size_type __n) {resize(__n, value_type());} @@ -1785,11 +1786,11 @@ private: template static _LIBCPP_INLINE_VISIBILITY size_type __align_it(size_type __s) _NOEXCEPT - {return __s + (__a-1) & ~(__a-1);} + {return (__s + (__a-1)) & ~(__a-1);} enum {__alignment = 16}; static _LIBCPP_INLINE_VISIBILITY size_type __recommend(size_type __s) _NOEXCEPT - {return (__s < __min_cap ? __min_cap : + {return (__s < __min_cap ? static_cast(__min_cap) : __align_it (__s+1)) - 1;} diff --git a/contrib/libc++/include/system_error b/contrib/libc++/include/system_error index 66bf6d6..134bb32 100644 --- a/contrib/libc++/include/system_error +++ b/contrib/libc++/include/system_error @@ -371,7 +371,7 @@ public: error_category() _NOEXCEPT; #else _LIBCPP_ALWAYS_INLINE - _LIBCPP_CONSTEXPR_AFTER_CXX11 error_category() _NOEXCEPT _LIBCPP_DEFAULT; + _LIBCPP_CONSTEXPR_AFTER_CXX11 error_category() _NOEXCEPT _LIBCPP_DEFAULT #endif private: error_category(const error_category&);// = delete; -- cgit v1.1 From 2bf5979518a20dca9b6102d3b6271d65a65fb46b Mon Sep 17 00:00:00 2001 From: dumbbell Date: Fri, 11 Mar 2016 21:00:14 +0000 Subject: drm/i915: Fix malloc type in i915_gem_object_bind_to_gtt() drm_mm.c expects DRM_MEM_MM, not DRM_I915_GEM. --- sys/dev/drm2/i915/i915_gem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/drm2/i915/i915_gem.c b/sys/dev/drm2/i915/i915_gem.c index bece6b2..625c8a6 100644 --- a/sys/dev/drm2/i915/i915_gem.c +++ b/sys/dev/drm2/i915/i915_gem.c @@ -3263,7 +3263,7 @@ i915_gem_object_bind_to_gtt(struct drm_i915_gem_object *obj, i915_gem_object_pin_pages(obj); - node = malloc(sizeof(*node), DRM_I915_GEM, M_NOWAIT | M_ZERO); + node = malloc(sizeof(*node), DRM_MEM_MM, M_NOWAIT | M_ZERO); if (node == NULL) { i915_gem_object_unpin_pages(obj); return -ENOMEM; @@ -3286,7 +3286,7 @@ i915_gem_object_bind_to_gtt(struct drm_i915_gem_object *obj, goto search_free; i915_gem_object_unpin_pages(obj); - free(node, DRM_I915_GEM); + free(node, DRM_MEM_MM); return ret; } if (WARN_ON(!i915_gem_valid_gtt_space(dev, node, obj->cache_level))) { -- cgit v1.1 From d652802e2431dec69e6586378b0a804c9aa5d4f7 Mon Sep 17 00:00:00 2001 From: gonzo Date: Fri, 11 Mar 2016 21:05:16 +0000 Subject: Make it possible for operations to refer to GPIO pins by name - Try to guess what is provided as a pin spec for -t or for get/set operation: number or name. Fails in case of ambiguity. - Add -p and -N switches to force pin specification interpretation: -p forces spec to be pin number, -N forces it to be name Submitted by: Emmanuel Vadot Differential Revision: https://reviews.freebsd.org/D5201 --- usr.sbin/gpioctl/gpioctl.8 | 42 ++++++++++++++- usr.sbin/gpioctl/gpioctl.c | 127 +++++++++++++++++++++++++++++++-------------- 2 files changed, 127 insertions(+), 42 deletions(-) diff --git a/usr.sbin/gpioctl/gpioctl.8 b/usr.sbin/gpioctl/gpioctl.8 index dc2a554..358f75e 100644 --- a/usr.sbin/gpioctl/gpioctl.8 +++ b/usr.sbin/gpioctl/gpioctl.8 @@ -27,7 +27,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 8, 2015 +.Dd March 11, 2016 .Dt GPIOCTL 1 .Os .Sh NAME @@ -40,21 +40,25 @@ .Op Fl v .Nm .Op Fl f Ar ctldev +.Op Fl pN .Cm -t .Ar pin .Nm .Op Fl f Ar ctldev +.Op Fl pN .Cm -c .Ar pin .Ar flag .Op flag ... .Nm .Op Fl f Ar ctldev +.Op Fl pN .Cm -n .Ar pin .Ar pin-name .Nm .Op Cm -f Ar ctldev +.Op Fl pN .Ar pin .Ar [0|1] .Sh DESCRIPTION @@ -62,6 +66,20 @@ The .Nm utility could be used to manage GPIO pins from userland and list available pins. .Pp +The +.Pa pin +argument can either be a +.Pa pin-number +or a +.Pa pin-name . +If it is a number and a pin has this number as its name and you did not use +.Fl N +or +.Fl p +, then +.Nm +exits. +.Pp The options are as follows: .Bl -tag -width ".Fl f Ar ctldev" .It Fl c Ar pin Ar flag Op flag ... @@ -96,9 +114,17 @@ list available pins .It Fl n Ar pin Ar pin-name set the name used to describe the pin .It Fl t Ar pin -toggle value of provided pin number +toggle value of provided pin .It Fl v be verbose: for each listed pin print current configuration +.It Fl p +Force +.Pa pin +to be interpreted as a pin number +.It Fl N +Force +.Pa pin +to be interpreted as a pin name .El .Sh EXAMPLES .Bl -bullet @@ -114,6 +140,18 @@ gpioctl -f /dev/gpioc0 12 1 Configure pin 12 to be input pin .Pp gpioctl -f /dev/gpioc0 -c 12 IN +.It +Set the name of pin 12 to test +.Pp +gpioctl -f /dev/gpioc0 -n 12 test +.It +Toggle the value the pin named test +.Pp +gpioctl -f /dev/gpioc0 -t test +.It +Toggle the value of pin number 12 even if another pin has the name 12 +.Pp +gpioctl -f /dev/gpioc0 -pt 12 .El .Sh SEE ALSO .Xr gpio 4 , diff --git a/usr.sbin/gpioctl/gpioctl.c b/usr.sbin/gpioctl/gpioctl.c index 38e53e7..42287e9 100644 --- a/usr.sbin/gpioctl/gpioctl.c +++ b/usr.sbin/gpioctl/gpioctl.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 2009, Oleksandr Tymoshenko * Copyright (c) 2014, Rui Paulo + * Copyright (c) 2015, Emmanuel Vadot * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -40,6 +41,10 @@ __FBSDID("$FreeBSD$"); #include +#define PIN_TYPE_UNKNOWN 0 +#define PIN_TYPE_NUMBER 1 +#define PIN_TYPE_NAME 2 + struct flag_desc { const char *name; uint32_t flag; @@ -66,10 +71,10 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, "\tgpioctl [-f ctldev] -l [-v]\n"); - fprintf(stderr, "\tgpioctl [-f ctldev] -t pin\n"); - fprintf(stderr, "\tgpioctl [-f ctldev] -c pin flag ...\n"); - fprintf(stderr, "\tgpioctl [-f ctldev] -n pin pin-name\n"); - fprintf(stderr, "\tgpioctl [-f ctldev] pin [0|1]\n"); + fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] -t pin\n"); + fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] -c pin flag ...\n"); + fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] -n pin pin-name\n"); + fprintf(stderr, "\tgpioctl [-f ctldev] [-pN] pin [0|1]\n"); exit(1); } @@ -163,6 +168,32 @@ dump_pins(gpio_handle_t handle, int verbose) free(cfgs); } +static int +get_pinnum_by_name(gpio_handle_t handle, const char *name) { + int i, maxpin, pinn; + gpio_config_t *cfgs; + gpio_config_t *pin; + + pinn = -1; + maxpin = gpio_pin_list(handle, &cfgs); + if (maxpin < 0) { + perror("gpio_pin_list"); + exit(1); + } + + for (i = 0; i <= maxpin; i++) { + pin = cfgs + i; + gpio_pin_get(handle, pin->g_pin); + if (!strcmp(name, pin->g_name)) { + pinn = i; + break; + } + } + free(cfgs); + + return pinn; +} + static void fail(const char *fmt, ...) { @@ -181,19 +212,16 @@ main(int argc, char **argv) gpio_config_t pin; gpio_handle_t handle; char *ctlfile = NULL; - int pinn, pinv, ch; + int pinn, pinv, pin_type, ch; int flags, flag, ok; int config, list, name, toggle, verbose; - config = toggle = verbose = list = name = pinn = 0; + config = toggle = verbose = list = name = pin_type = 0; - while ((ch = getopt(argc, argv, "c:f:ln:t:v")) != -1) { + while ((ch = getopt(argc, argv, "cf:lntvNp")) != -1) { switch (ch) { case 'c': config = 1; - pinn = str2int(optarg, &ok); - if (!ok) - fail("Invalid pin number: %s\n", optarg); break; case 'f': ctlfile = optarg; @@ -203,15 +231,15 @@ main(int argc, char **argv) break; case 'n': name = 1; - pinn = str2int(optarg, &ok); - if (!ok) - fail("Invalid pin number: %s\n", optarg); + break; + case 'N': + pin_type = PIN_TYPE_NAME; + break; + case'p': + pin_type = PIN_TYPE_NUMBER; break; case 't': toggle = 1; - pinn = str2int(optarg, &ok); - if (!ok) - fail("Invalid pin number: %s\n", optarg); break; case 'v': verbose = 1; @@ -232,33 +260,58 @@ main(int argc, char **argv) exit(1); } + if (list) { + dump_pins(handle, verbose); + gpio_close(handle); + exit(0); + } + + if (argc == 0) + usage(); + + /* Find the pin number by the name */ + switch (pin_type) { + case PIN_TYPE_UNKNOWN: + /* First test if it is a pin number */ + pinn = str2int(argv[0], &ok); + if (ok) { + /* Test if we have any pin named by this number and tell the user */ + if (get_pinnum_by_name(handle, argv[0]) != -1) + fail("%s is also a pin name, use -p or -N\n", argv[0]); + } else { + /* Test if it is a name */ + if ((pinn = get_pinnum_by_name(handle, argv[0])) == -1) + fail("Can't find pin named \"%s\"\n", argv[0]); + } + break; + case PIN_TYPE_NUMBER: + pinn = str2int(argv[0], &ok); + if (!ok) + fail("Invalid pin number: %s\n", argv[0]); + break; + case PIN_TYPE_NAME: + if ((pinn = get_pinnum_by_name(handle, argv[0])) == -1) + fail("Can't find pin named \"%s\"\n", argv[0]); + break; + } + /* Set the pin name. */ if (name) { - if (argc == 0) { + if (argc != 2) usage(); - exit(1); - } - if (gpio_pin_set_name(handle, pinn, argv[0]) < 0) { + if (gpio_pin_set_name(handle, pinn, argv[1]) < 0) { perror("gpio_pin_set_name"); exit(1); } exit(0); } - if (list) { - dump_pins(handle, verbose); - gpio_close(handle); - exit(0); - } - if (toggle) { /* - * -t pin assumes no additional arguments - */ - if (argc > 0) { + * -t pin assumes no additional arguments + */ + if (argc > 1) usage(); - exit(1); - } if (gpio_pin_toggle(handle, pinn) < 0) { perror("gpio_pin_toggle"); exit(1); @@ -269,7 +322,7 @@ main(int argc, char **argv) if (config) { flags = 0; - for (i = 0; i < argc; i++) { + for (i = 1; i < argc; i++) { flag = str2cap(argv[i]); if (flag < 0) fail("Invalid flag: %s\n", argv[i]); @@ -287,14 +340,8 @@ main(int argc, char **argv) /* * Last two cases - set value or print value */ - if ((argc == 0) || (argc > 2)) { + if ((argc == 0) || (argc > 2)) usage(); - exit(1); - } - - pinn = str2int(argv[0], &ok); - if (!ok) - fail("Invalid pin number: %s\n", argv[0]); /* * Read pin value @@ -311,7 +358,7 @@ main(int argc, char **argv) /* Is it valid number (0 or 1) ? */ pinv = str2int(argv[1], &ok); - if (!ok || ((pinv != 0) && (pinv != 1))) + if (ok == 0 || ((pinv != 0) && (pinv != 1))) fail("Invalid pin value: %s\n", argv[1]); /* -- cgit v1.1 From 5b04e75f255bde5223c27fde853cd9d15d9841c5 Mon Sep 17 00:00:00 2001 From: glebius Date: Fri, 11 Mar 2016 21:06:17 +0000 Subject: Allow minimum and maximum sweep size be the same. Submitted by: maxim --- sbin/ping/ping.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index 1fc1963..a5f8602 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -793,8 +793,8 @@ main(int argc, char *const *argv) } #endif if (sweepmax) { - if (sweepmin >= sweepmax) - errx(EX_USAGE, "Maximum packet size must be greater than the minimum packet size"); + if (sweepmin > sweepmax) + errx(EX_USAGE, "Maximum packet size must be no less than the minimum packet size"); if (datalen != DEFDATALEN) errx(EX_USAGE, "Packet size and ping sweep are mutually exclusive"); -- cgit v1.1 From afcccceb429d34ed780e6cbd25edb9ae9e11347c Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 22:11:36 +0000 Subject: Add more casper leftover files. Reported by: jhb --- ObsoleteFiles.inc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index e53a91a..13c9156 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -144,6 +144,12 @@ OLD_FILES+=libexec/casper/grp OLD_FILES+=libexec/casper/pwd OLD_FILES+=libexec/casper/random OLD_FILES+=libexec/casper/sysctl +OLD_FILES+=libexec/casper/.debug/random.debug +OLD_FILES+=libexec/casper/.debug/dns.debug +OLD_FILES+=libexec/casper/.debug/sysctl.debug +OLD_FILES+=libexec/casper/.debug/pwd.debug +OLD_FILES+=libexec/casper/.debug/grp.debug +OLD_DIRS+=libexec/casper/.debug OLD_DIRS+=libexec/casper OLD_FILES+=usr/lib/libcapsicum.a OLD_FILES+=usr/lib/libcapsicum.so -- cgit v1.1 From 4d2c154bf803bf7363ee36b0d18f0668d0a2a024 Mon Sep 17 00:00:00 2001 From: emaste Date: Fri, 11 Mar 2016 22:37:12 +0000 Subject: libelf: correct byte count in cross-endian note translation MFC after: 1 month Sponsored by: The FreeBSD Foundation --- contrib/elftoolchain/libelf/libelf_convert.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/elftoolchain/libelf/libelf_convert.m4 b/contrib/elftoolchain/libelf/libelf_convert.m4 index 9f99f1e..0eddbe7 100644 --- a/contrib/elftoolchain/libelf/libelf_convert.m4 +++ b/contrib/elftoolchain/libelf/libelf_convert.m4 @@ -1019,6 +1019,7 @@ _libelf_cvt_NOTE_tof(unsigned char *dst, size_t dsz, unsigned char *src, WRITE_WORD(dst, type); src += sizeof(Elf_Note); + count -= sizeof(Elf_Note); if (count < sz) sz = count; -- cgit v1.1 From 2ee22fb244fae34ad556d4999e349485af1493e6 Mon Sep 17 00:00:00 2001 From: dim Date: Fri, 11 Mar 2016 22:56:16 +0000 Subject: Pull in r250279 from upstream libc++ trunk (by Eric Fiselier): Fix GCC atomic implementation in C++03 Pull in r250802 from upstream libc++ trunk (by Eric Fiselier): Detect relaxed constexpr rules for gcc versions Pull in r255585 from upstream libc++ trunk (by Eric Fiselier): Fix various GCC mis-configurations for newer versions. This patch goes through and enables C++11 and C++14 features for newer GCC's. The main changes are: 1. Turn on variable templates. (Uses __cpp_variable_templates) 2. Assert atomic is trivially copyable (Uses _GNUC_VER >= 501). 3. Turn on trailing return support for GCC. (Uses _GNUC_VER >= 404) 4. XFAIL void_t test for GCC 5.1 and 5.2. Fixed in GCC 6. Together, these should fix building clang 3.8.0 as part of building world with recent versions of gcc (e.g. the devel/*-xtoolchain-gcc ports). --- contrib/libc++/include/__config | 9 +++++++-- contrib/libc++/include/atomic | 17 ++++++++++++++--- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/contrib/libc++/include/__config b/contrib/libc++/include/__config index 8288b46..051d12c 100644 --- a/contrib/libc++/include/__config +++ b/contrib/libc++/include/__config @@ -429,10 +429,15 @@ namespace std { #define _LIBCPP_HAS_NO_CONSTEXPR #endif -// No version of GCC supports relaxed constexpr rules +// Determine if GCC supports relaxed constexpr +#if !defined(__cpp_constexpr) || __cpp_constexpr < 201304L #define _LIBCPP_HAS_NO_CXX14_CONSTEXPR +#endif + // GCC 5 will support variable templates +#if !defined(__cpp_variable_templates) || __cpp_variable_templates < 201304L #define _LIBCPP_HAS_NO_VARIABLE_TEMPLATES +#endif #define _NOEXCEPT throw() #define _NOEXCEPT_(x) @@ -454,7 +459,6 @@ namespace std { #else // __GXX_EXPERIMENTAL_CXX0X__ -#define _LIBCPP_HAS_NO_TRAILING_RETURN #define _LIBCPP_HAS_NO_ALWAYS_INLINE_VARIADICS #if _GNUC_VER < 403 @@ -468,6 +472,7 @@ namespace std { #if _GNUC_VER < 404 #define _LIBCPP_HAS_NO_DECLTYPE #define _LIBCPP_HAS_NO_DELETED_FUNCTIONS +#define _LIBCPP_HAS_NO_TRAILING_RETURN #define _LIBCPP_HAS_NO_UNICODE_CHARS #define _LIBCPP_HAS_NO_VARIADICS #define _LIBCPP_HAS_NO_GENERALIZED_INITIALIZERS diff --git a/contrib/libc++/include/atomic b/contrib/libc++/include/atomic index 97a998d..92b9c4d 100644 --- a/contrib/libc++/include/atomic +++ b/contrib/libc++/include/atomic @@ -553,7 +553,18 @@ typedef enum memory_order namespace __gcc_atomic { template struct __gcc_atomic_t { - __gcc_atomic_t() _NOEXCEPT {} + +#if _GNUC_VER >= 501 + static_assert(is_trivially_copyable<_Tp>::value, + "std::atomic requires that 'Tp' be a trivially copyable type"); +#endif + + _LIBCPP_INLINE_VISIBILITY +#ifndef _LIBCPP_HAS_NO_DEFAULTED_FUNCTIONS + __gcc_atomic_t() _NOEXCEPT = default; +#else + __gcc_atomic_t() _NOEXCEPT : __a_value() {} +#endif // _LIBCPP_HAS_NO_DEFAULTED_FUNCTIONS _LIBCPP_CONSTEXPR explicit __gcc_atomic_t(_Tp value) _NOEXCEPT : __a_value(value) {} _Tp __a_value; @@ -574,7 +585,7 @@ struct __can_assign { sizeof(__test_atomic_assignable<_Tp, _Td>(1)) == sizeof(char); }; -static inline constexpr int __to_gcc_order(memory_order __order) { +static inline _LIBCPP_CONSTEXPR int __to_gcc_order(memory_order __order) { // Avoid switch statement to make this a constexpr. return __order == memory_order_relaxed ? __ATOMIC_RELAXED: (__order == memory_order_acquire ? __ATOMIC_ACQUIRE: @@ -584,7 +595,7 @@ static inline constexpr int __to_gcc_order(memory_order __order) { __ATOMIC_CONSUME)))); } -static inline constexpr int __to_gcc_failure_order(memory_order __order) { +static inline _LIBCPP_CONSTEXPR int __to_gcc_failure_order(memory_order __order) { // Avoid switch statement to make this a constexpr. return __order == memory_order_relaxed ? __ATOMIC_RELAXED: (__order == memory_order_acquire ? __ATOMIC_ACQUIRE: -- cgit v1.1 From 374ffbde403c7a99e42ddb239990e2613938e775 Mon Sep 17 00:00:00 2001 From: jhb Date: Fri, 11 Mar 2016 23:18:06 +0000 Subject: Use SI_SUB_LAST instead of SI_SUB_SMP as the "catch-all" subsystem. Reviewed by: kib Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D5515 --- sys/kern/kern_alq.c | 2 +- sys/netinet/siftr.c | 2 +- sys/ofed/drivers/infiniband/core/device.c | 2 +- sys/ofed/drivers/infiniband/hw/mlx4/main.c | 2 +- sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/sys/kern/kern_alq.c b/sys/kern/kern_alq.c index 7f8c603..21508d2 100644 --- a/sys/kern/kern_alq.c +++ b/sys/kern/kern_alq.c @@ -969,5 +969,5 @@ static moduledata_t alq_mod = NULL }; -DECLARE_MODULE(alq, alq_mod, SI_SUB_SMP, SI_ORDER_ANY); +DECLARE_MODULE(alq, alq_mod, SI_SUB_LAST, SI_ORDER_ANY); MODULE_VERSION(alq, 1); diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c index 6b31d7b..c484e98 100644 --- a/sys/netinet/siftr.c +++ b/sys/netinet/siftr.c @@ -1561,6 +1561,6 @@ static moduledata_t siftr_mod = { * Defines the initialisation order of this kld relative to others * within the same subsystem as defined by param 3 */ -DECLARE_MODULE(siftr, siftr_mod, SI_SUB_SMP, SI_ORDER_ANY); +DECLARE_MODULE(siftr, siftr_mod, SI_SUB_LAST, SI_ORDER_ANY); MODULE_DEPEND(siftr, alq, 1, 1, 1); MODULE_VERSION(siftr, MODVERSION); diff --git a/sys/ofed/drivers/infiniband/core/device.c b/sys/ofed/drivers/infiniband/core/device.c index db3b831..a3aee41 100644 --- a/sys/ofed/drivers/infiniband/core/device.c +++ b/sys/ofed/drivers/infiniband/core/device.c @@ -790,4 +790,4 @@ static moduledata_t ibcore_mod = { MODULE_VERSION(ibcore, 1); MODULE_DEPEND(ibcore, linuxkpi, 1, 1, 1); -DECLARE_MODULE(ibcore, ibcore_mod, SI_SUB_SMP, SI_ORDER_ANY); +DECLARE_MODULE(ibcore, ibcore_mod, SI_SUB_LAST, SI_ORDER_ANY); diff --git a/sys/ofed/drivers/infiniband/hw/mlx4/main.c b/sys/ofed/drivers/infiniband/hw/mlx4/main.c index 68440df..1f14e5c 100644 --- a/sys/ofed/drivers/infiniband/hw/mlx4/main.c +++ b/sys/ofed/drivers/infiniband/hw/mlx4/main.c @@ -2881,7 +2881,7 @@ static moduledata_t mlx4ib_mod = { .evhand = mlx4ib_evhand, }; -DECLARE_MODULE(mlx4ib, mlx4ib_mod, SI_SUB_SMP, SI_ORDER_ANY); +DECLARE_MODULE(mlx4ib, mlx4ib_mod, SI_SUB_LAST, SI_ORDER_ANY); MODULE_DEPEND(mlx4ib, mlx4, 1, 1, 1); MODULE_DEPEND(mlx4ib, ibcore, 1, 1, 1); MODULE_DEPEND(mlx4ib, linuxkpi, 1, 1, 1); diff --git a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c index 6326bd2..5e69a52 100644 --- a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c +++ b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_main.c @@ -1535,6 +1535,6 @@ static moduledata_t ipoib_mod = { .evhand = ipoib_evhand, }; -DECLARE_MODULE(ipoib, ipoib_mod, SI_SUB_SMP, SI_ORDER_ANY); +DECLARE_MODULE(ipoib, ipoib_mod, SI_SUB_LAST, SI_ORDER_ANY); MODULE_DEPEND(ipoib, ibcore, 1, 1, 1); MODULE_DEPEND(ipoib, linuxkpi, 1, 1, 1); -- cgit v1.1 From ef752a91d65b814108a5969ccc3f73af786f1b12 Mon Sep 17 00:00:00 2001 From: np Date: Fri, 11 Mar 2016 23:24:04 +0000 Subject: cxgbe(4): sysctls to display the TOE's TCP timers. cask:~# sysctl -d dev.t5nex.0.toe dev.t5nex.0.toe.finwait2_timer: FINWAIT2 timer (us) dev.t5nex.0.toe.initial_srtt: Initial SRTT (us) dev.t5nex.0.toe.keepalive_intvl: Keepidle interval (us) dev.t5nex.0.toe.keepalive_idle: Keepidle idle timer (us) dev.t5nex.0.toe.persist_max: Persist timer max (us) dev.t5nex.0.toe.persist_min: Persist timer min (us) dev.t5nex.0.toe.rexmt_max: Retransmit max (us) dev.t5nex.0.toe.rexmt_min: Retransmit min (us) dev.t5nex.0.toe.dack_timer: DACK timer (us) dev.t5nex.0.toe.dack_tick: DACK tick (us) dev.t5nex.0.toe.timestamp_tick: TCP timestamp tick (us) dev.t5nex.0.toe.timer_tick: TP timer tick (us) ... cask:~# sysctl dev.t5nex.0.toe dev.t5nex.0.toe.finwait2_timer: 9765440 dev.t5nex.0.toe.initial_srtt: 244128 dev.t5nex.0.toe.keepalive_intvl: 73240800 dev.t5nex.0.toe.keepalive_idle: 7031116800 dev.t5nex.0.toe.persist_max: 9765440 dev.t5nex.0.toe.persist_min: 976544 dev.t5nex.0.toe.rexmt_max: 9765440 dev.t5nex.0.toe.rexmt_min: 244128 dev.t5nex.0.toe.dack_timer: 19520 dev.t5nex.0.toe.dack_tick: 32.768 dev.t5nex.0.toe.timestamp_tick: 1048.576 dev.t5nex.0.toe.timer_tick: 32.768 ... --- sys/dev/cxgbe/t4_main.c | 135 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index d724002..b2a63a6 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -482,6 +482,9 @@ static int sysctl_tx_rate(SYSCTL_HANDLER_ARGS); static int sysctl_ulprx_la(SYSCTL_HANDLER_ARGS); static int sysctl_wcwr_stats(SYSCTL_HANDLER_ARGS); #endif +static int sysctl_tp_tick(SYSCTL_HANDLER_ARGS); +static int sysctl_tp_dack_timer(SYSCTL_HANDLER_ARGS); +static int sysctl_tp_timer(SYSCTL_HANDLER_ARGS); static uint32_t fconf_iconf_to_mode(uint32_t, uint32_t); static uint32_t mode_to_fconf(uint32_t); static uint32_t mode_to_iconf(uint32_t); @@ -4890,6 +4893,54 @@ t4_sysctls(struct adapter *sc) sc->tt.tx_align = 1; SYSCTL_ADD_INT(ctx, children, OID_AUTO, "tx_align", CTLFLAG_RW, &sc->tt.tx_align, 0, "chop and align payload"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "timer_tick", + CTLTYPE_STRING | CTLFLAG_RD, sc, 0, sysctl_tp_tick, "A", + "TP timer tick (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "timestamp_tick", + CTLTYPE_STRING | CTLFLAG_RD, sc, 1, sysctl_tp_tick, "A", + "TCP timestamp tick (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "dack_tick", + CTLTYPE_STRING | CTLFLAG_RD, sc, 2, sysctl_tp_tick, "A", + "DACK tick (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "dack_timer", + CTLTYPE_UINT | CTLFLAG_RD, sc, 0, sysctl_tp_dack_timer, + "IU", "DACK timer (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "rexmt_min", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_RXT_MIN, + sysctl_tp_timer, "LU", "Retransmit min (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "rexmt_max", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_RXT_MAX, + sysctl_tp_timer, "LU", "Retransmit max (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "persist_min", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_PERS_MIN, + sysctl_tp_timer, "LU", "Persist timer min (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "persist_max", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_PERS_MAX, + sysctl_tp_timer, "LU", "Persist timer max (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "keepalive_idle", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_KEEP_IDLE, + sysctl_tp_timer, "LU", "Keepidle idle timer (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "keepalive_intvl", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_KEEP_INTVL, + sysctl_tp_timer, "LU", "Keepidle interval (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "initial_srtt", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_INIT_SRTT, + sysctl_tp_timer, "LU", "Initial SRTT (us)"); + + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "finwait2_timer", + CTLTYPE_ULONG | CTLFLAG_RD, sc, A_TP_FINWAIT2_TIMER, + sysctl_tp_timer, "LU", "FINWAIT2 timer (us)"); } #endif } @@ -7388,6 +7439,90 @@ sysctl_wcwr_stats(SYSCTL_HANDLER_ARGS) } #endif +static void +unit_conv(char *buf, size_t len, u_int val, u_int factor) +{ + u_int rem = val % factor; + + if (rem == 0) + snprintf(buf, len, "%u", val / factor); + else { + while (rem % 10 == 0) + rem /= 10; + snprintf(buf, len, "%u.%u", val / factor, rem); + } +} + +static int +sysctl_tp_tick(SYSCTL_HANDLER_ARGS) +{ + struct adapter *sc = arg1; + char buf[16]; + u_int res, re; + u_int cclk_ps = 1000000000 / sc->params.vpd.cclk; + + res = t4_read_reg(sc, A_TP_TIMER_RESOLUTION); + switch (arg2) { + case 0: + /* timer_tick */ + re = G_TIMERRESOLUTION(res); + break; + case 1: + /* TCP timestamp tick */ + re = G_TIMESTAMPRESOLUTION(res); + break; + case 2: + /* DACK tick */ + re = G_DELAYEDACKRESOLUTION(res); + break; + default: + return (EDOOFUS); + } + + unit_conv(buf, sizeof(buf), (cclk_ps << re), 1000000); + + return (sysctl_handle_string(oidp, buf, sizeof(buf), req)); +} + +static int +sysctl_tp_dack_timer(SYSCTL_HANDLER_ARGS) +{ + struct adapter *sc = arg1; + u_int res, dack_re, v; + u_int cclk_ps = 1000000000 / sc->params.vpd.cclk; + + res = t4_read_reg(sc, A_TP_TIMER_RESOLUTION); + dack_re = G_DELAYEDACKRESOLUTION(res); + v = ((cclk_ps << dack_re) / 1000000) * t4_read_reg(sc, A_TP_DACK_TIMER); + + return (sysctl_handle_int(oidp, &v, 0, req)); +} + +static int +sysctl_tp_timer(SYSCTL_HANDLER_ARGS) +{ + struct adapter *sc = arg1; + int reg = arg2; + u_int tre; + u_long tp_tick_us, v; + u_int cclk_ps = 1000000000 / sc->params.vpd.cclk; + + MPASS(reg == A_TP_RXT_MIN || reg == A_TP_RXT_MAX || + reg == A_TP_PERS_MIN || reg == A_TP_PERS_MAX || + reg == A_TP_KEEP_IDLE || A_TP_KEEP_INTVL || reg == A_TP_INIT_SRTT || + reg == A_TP_FINWAIT2_TIMER); + + tre = G_TIMERRESOLUTION(t4_read_reg(sc, A_TP_TIMER_RESOLUTION)); + tp_tick_us = (cclk_ps << tre) / 1000000; + + if (reg == A_TP_INIT_SRTT) + v = tp_tick_us * G_INITSRTT(t4_read_reg(sc, reg)); + else + v = tp_tick_us * t4_read_reg(sc, reg); + + return (sysctl_handle_long(oidp, &v, 0, req)); +} + static uint32_t fconf_iconf_to_mode(uint32_t fconf, uint32_t iconf) { -- cgit v1.1 From 24b7e3c54feda651e335ff8aacc2cbd68003ed76 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:44:27 +0000 Subject: DIRDEPS_BUILD: Remove the cookie when target is out-of-date. The meta file may decide the target is out of date but nothing ensures that the *next* build will build this target if it fails this time for some reason; it is still out-of-date until it succeeds. Convert the include/ cookie usage to the global versions. Sponsored by: EMC / Isilon Storage Division --- include/Makefile | 16 +++++++--------- share/mk/local.sys.mk | 6 +++++- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/include/Makefile b/include/Makefile index 8033de1..80900ef 100644 --- a/include/Makefile +++ b/include/Makefile @@ -131,6 +131,7 @@ _MARCHS+= x86 .if ${MK_STAGING} == "yes" # tell bsd.incs.mk that we have it covered NO_STAGE_INCLUDES= +META_COOKIES+= stage_prep stage_include compat copies symlinks .endif .include @@ -157,6 +158,7 @@ ${SHARED}: compat # Take care of stale directory-level symlinks. compat: + ${META_COOKIE_RM} .for i in ${LDIRS} ${LSUBDIRS} machine ${_MARCHS} crypto if [ -L ${DESTDIR}${INCLUDEDIR}/$i ]; then \ rm -f ${DESTDIR}${INCLUDEDIR}/$i; \ @@ -165,11 +167,10 @@ compat: mtree -deU ${MTREE_FOLLOWS_SYMLINKS} \ -f ${.CURDIR}/../etc/mtree/BSD.include.dist \ -p ${DESTDIR}${INCLUDEDIR} > /dev/null -.if ${MK_DIRDEPS_BUILD} == "yes" - @touch ${.TARGET} -.endif + ${META_COOKIE_TOUCH} copies: + ${META_COOKIE_RM} .for i in ${LDIRS} ${LSUBDIRS} ${LSUBSUBDIRS} crypto machine machine/pc \ ${_MARCHS} if [ -d ${DESTDIR}${INCLUDEDIR}/$i ]; then \ @@ -254,11 +255,10 @@ copies: cd ${.CURDIR}/../sys/teken; \ ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 teken.h \ ${DESTDIR}${INCLUDEDIR}/teken -.if ${MK_DIRDEPS_BUILD} == "yes" - @touch ${.OBJDIR}/${.TARGET} -.endif + ${META_COOKIE_TOUCH} symlinks: + ${META_COOKIE_RM} @${ECHO} "Setting up symlinks to kernel source tree..." .for i in ${LDIRS} cd ${.CURDIR}/../sys/$i; \ @@ -371,9 +371,7 @@ symlinks: ${INSTALL_SYMLINK} ../../../sys/rpc/$$h \ ${DESTDIR}${INCLUDEDIR}/rpc; \ done -.if ${MK_DIRDEPS_BUILD} == "yes" - @touch ${.OBJDIR}/${.TARGET} -.endif + ${META_COOKIE_TOUCH} .if ${MACHINE} == "host" && !defined(_SKIP_BUILD) # we're here because we are building a sysroot... diff --git a/share/mk/local.sys.mk b/share/mk/local.sys.mk index c1baee5..269e253 100644 --- a/share/mk/local.sys.mk +++ b/share/mk/local.sys.mk @@ -28,10 +28,14 @@ MAKE_PRINT_VAR_ON_ERROR += .MAKE.MAKEFILES .PATH .if ${.MAKE.MODE:Mmeta*} != "" # we can afford to use cookies to prevent some targets # re-running needlessly -META_COOKIE_TOUCH= touch ${COOKIE.${.TARGET}:U${.OBJDIR}/${.TARGET}} +META_COOKIE= ${COOKIE.${.TARGET}:U${.OBJDIR}/${.TARGET}} +META_COOKIE_RM= @rm -f ${META_COOKIE} +META_COOKIE_TOUCH= @touch ${META_COOKIE} # some targets need to be .PHONY - but not in meta mode META_NOPHONY= +CLEANFILES+= ${META_COOKIES} .else +META_COOKIE_RM= META_COOKIE_TOUCH= META_NOPHONY= .PHONY .endif -- cgit v1.1 From 3e01f13c50249aea2a9354223189824aa173a2f4 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:44:56 +0000 Subject: DIRDEPS_BUILD: None of this is needed anymore. This file is using stage-install, so all of the .dirdep files are properly handled. The cookie handling also properly handles rebuilds with .meta files. DESTDIR from bsd.sys.mk is also respected for staging. This logic came in r239572. Sponsored by: EMC / Isilon Storage Division --- include/Makefile | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/include/Makefile b/include/Makefile index 80900ef..dcf0d6d 100644 --- a/include/Makefile +++ b/include/Makefile @@ -128,31 +128,11 @@ _MARCHS= ${MACHINE_CPUARCH} _MARCHS+= x86 .endif -.if ${MK_STAGING} == "yes" -# tell bsd.incs.mk that we have it covered -NO_STAGE_INCLUDES= -META_COOKIES+= stage_prep stage_include compat copies symlinks -.endif +META_COOKIES+= compat copies symlinks +stage_includes: ${SHARED} .include -.if ${MK_STAGING} != "no" && !defined(_SKIP_BUILD) -.if make(all) -DESTDIR= ${STAGE_OBJTOP} - -all: stage_include -installincludes: buildincludes -buildincludes: stage_prep - -stage_prep: - @mkdir -p ${DESTDIR}${INCLUDEDIR} - @touch $@ - -stage_include: .dirdep installincludes - @touch $@ -.endif -.endif - installincludes: ${SHARED} ${SHARED}: compat -- cgit v1.1 From f67b615a295f3fd5ea072377243735df330797ea Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:44:59 +0000 Subject: Remove out-of-place make(buildincludes) check. This came in r239572 for META_MODE handling but it doesn't make sense since the staging is always done in make(all); make(buildincludes) is never actually ran in the META_MODE build. Reported by: bapt Sponsored by: EMC / Isilon Storage Division --- share/mk/bsd.files.mk | 4 ---- 1 file changed, 4 deletions(-) diff --git a/share/mk/bsd.files.mk b/share/mk/bsd.files.mk index d22f196..7925d83 100644 --- a/share/mk/bsd.files.mk +++ b/share/mk/bsd.files.mk @@ -30,9 +30,7 @@ ${group}OWN?= ${SHAREOWN} ${group}GRP?= ${SHAREGRP} ${group}MODE?= ${SHAREMODE} ${group}DIR?= ${BINDIR} -.if !make(buildincludes) STAGE_SETS+= ${group} -.endif STAGE_DIR.${group}= ${STAGE_OBJTOP}${${group}DIR} _${group}FILES= @@ -49,9 +47,7 @@ ${group}NAME_${file:T}?= ${${group}NAME} .else ${group}NAME_${file:T}?= ${file:T} .endif -.if !make(buildincludes) STAGE_AS_SETS+= ${file:T} -.endif STAGE_AS_${file:T}= ${${group}NAME_${file:T}} # XXX {group}OWN,GRP,MODE STAGE_DIR.${file:T}= ${STAGE_OBJTOP}${${group}DIR_${file:T}} -- cgit v1.1 From 4453e287922ff3a96dbcf73a3bff0618322942e0 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:02 +0000 Subject: DIRDEPS_BUILD: Extend beforeinstall: staging hack. Most beforeinstall: usage is not adding commands but only adding targets, such as in share/sendmail. Sponsored by: EMC / Isilon Storage Division --- share/mk/bsd.sys.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk index be4c52f..2a26d3f 100644 --- a/share/mk/bsd.sys.mk +++ b/share/mk/bsd.sys.mk @@ -198,7 +198,7 @@ staging stage_libs stage_files stage_as stage_links stage_symlinks: # allow targets like beforeinstall to be leveraged DESTDIR= ${STAGE_OBJTOP} -.if commands(beforeinstall) +.if target(beforeinstall) .if !empty(_LIBS) || (${MK_STAGING_PROG} != "no" && !defined(INTERNALPROG)) staging: beforeinstall .endif -- cgit v1.1 From 076eeb23035d1dc687a6d4cc03dc05e7f278791a Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:05 +0000 Subject: DIRDEPS_BUILD: export DESTDIR for STAGING. An example of where this is needed is in share/examples which for 'etc-examples' runs 'make -C SRCTOP/etc etc-examples' which installs to the default DESTDIR otherwise. Sponsored by: EMC / Isilon Storage Division --- share/mk/bsd.sys.mk | 1 + 1 file changed, 1 insertion(+) diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk index 2a26d3f..cf53d86 100644 --- a/share/mk/bsd.sys.mk +++ b/share/mk/bsd.sys.mk @@ -197,6 +197,7 @@ staging stage_libs stage_files stage_as stage_links stage_symlinks: .else # allow targets like beforeinstall to be leveraged DESTDIR= ${STAGE_OBJTOP} +.export DESTDIR .if target(beforeinstall) .if !empty(_LIBS) || (${MK_STAGING_PROG} != "no" && !defined(INTERNALPROG)) -- cgit v1.1 From 946eac8da84e5763b65b0f91465b545188f630ee Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:09 +0000 Subject: DIRDEPS_BUILD: Fix staging of share/sendmail and share/examples. Sponsored by: EMC / Isilon Storage Division --- etc/Makefile | 12 ++++++++++-- etc/defaults/Makefile | 1 - etc/defaults/Makefile.depend | 11 +++++++++++ share/examples/Makefile | 9 +++++++-- share/examples/Makefile.depend | 12 ++++++++++++ share/sendmail/Makefile | 9 +++++++-- share/sendmail/Makefile.depend | 1 + targets/pseudo/userland/share/Makefile.depend | 1 + 8 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 etc/defaults/Makefile.depend create mode 100644 share/examples/Makefile.depend diff --git a/etc/Makefile b/etc/Makefile index 27d1ba4..24e0c95 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -3,6 +3,9 @@ .include +# No need as it is empty and just causes rebuilds since this file does so much. +UPDATE_DEPENDFILE= no + SUBDIR= \ newsyslog.conf.d @@ -450,11 +453,16 @@ distrib-dirs: ${MTREES:N/*} distrib-cleanup .PHONY done .endif -etc-examples: +etc-examples-install: + ${META_COOKIE_RM} cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \ ${BIN1} ${BIN2} nsmb.conf opieaccess \ ${DESTDIR}${SHAREDIR}/examples/etc - ${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \ + ${META_COOKIE_TOUCH} + +etc-examples: etc-examples-install + ${_+_}cd ${.CURDIR}/defaults; \ + ${MAKE} ${${MK_STAGING} == "yes":?all:install} \ DESTDIR=${DESTDIR}${SHAREDIR}/examples .include diff --git a/etc/defaults/Makefile b/etc/defaults/Makefile index 1f6ac5e..4b3a4ce 100644 --- a/etc/defaults/Makefile +++ b/etc/defaults/Makefile @@ -3,7 +3,6 @@ .include FILES= devfs.rules periodic.conf rc.conf -NO_OBJ= FILESDIR= /etc/defaults .if ${MK_BLUETOOTH} != "no" diff --git a/etc/defaults/Makefile.depend b/etc/defaults/Makefile.depend new file mode 100644 index 0000000..f80275d --- /dev/null +++ b/etc/defaults/Makefile.depend @@ -0,0 +1,11 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + + +.include + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/share/examples/Makefile b/share/examples/Makefile index 2484aff..7f243fa 100644 --- a/share/examples/Makefile +++ b/share/examples/Makefile @@ -219,9 +219,11 @@ XFILES+= bhyve/vmrun.sh SHARED?= copies beforeinstall: ${SHARED} etc-examples +META_COOKIES+= copies symlinks .ORDER: ${SHARED} etc-examples copies: + ${META_COOKIE_RM} .for i in ${LDIRS} if [ -L ${DESTDIR}${BINDIR}/$i ]; then \ rm -f ${DESTDIR}${BINDIR}/$i; \ @@ -233,16 +235,19 @@ copies: ${INSTALL} -o ${SHAREOWN} -g ${SHAREGRP} -m ${SHAREMODE} \ ${.CURDIR}/${file} ${DESTDIR}${BINDIR}/${file} .endfor + ${META_COOKIE_TOUCH} symlinks: + ${META_COOKIE_RM} .for i in ${LDIRS} rm -rf ${DESTDIR}${BINDIR}/$i ln -s ${.CURDIR}/$i ${DESTDIR}${BINDIR}/$i .endfor + ${META_COOKIE_TOUCH} etc-examples: .if ${SHARED} != "symlinks" - (cd ${.CURDIR}/../../etc; ${MAKE} etc-examples) + ${_+_}(cd ${.CURDIR}/../../etc; ${MAKE} etc-examples) .endif .if ${SHARED} != "symlinks" @@ -261,4 +266,4 @@ SUBDIR+=tests SUBDIR_PARALLEL= -.include +.include diff --git a/share/examples/Makefile.depend b/share/examples/Makefile.depend new file mode 100644 index 0000000..d7cfba0 --- /dev/null +++ b/share/examples/Makefile.depend @@ -0,0 +1,12 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + usr.bin/xinstall.host \ + + +.include + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/share/sendmail/Makefile b/share/sendmail/Makefile index a548b63..c8dee5a 100644 --- a/share/sendmail/Makefile +++ b/share/sendmail/Makefile @@ -16,8 +16,10 @@ SHARED?= copies all clean cleandir depend lint tags: beforeinstall: ${SHARED} +META_COOKIES+= copies symlinks -copies:: +copies: + ${META_COOKIE_RM} if [ -L ${DDIR}/${CFDIR} ]; then rm -f ${DDIR}/${CFDIR}; fi .for dir in ${CFDIRS} ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 -d ${DDIR}/${dir} @@ -25,8 +27,11 @@ copies:: .for file in ${CFFILES} ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 ${SENDMAIL_DIR}/${file} ${DDIR}/${file} .endfor + ${META_COOKIE_TOUCH} -symlinks:: +symlinks: + ${META_COOKIE_RM} rm -rf ${DDIR}/${CFDIR}; ln -s ${SENDMAIL_DIR}/${CFDIR} ${DDIR}/${CFDIR} + ${META_COOKIE_TOUCH} .include diff --git a/share/sendmail/Makefile.depend b/share/sendmail/Makefile.depend index f80275d..d7cfba0 100644 --- a/share/sendmail/Makefile.depend +++ b/share/sendmail/Makefile.depend @@ -2,6 +2,7 @@ # Autogenerated - do NOT edit! DIRDEPS = \ + usr.bin/xinstall.host \ .include diff --git a/targets/pseudo/userland/share/Makefile.depend b/targets/pseudo/userland/share/Makefile.depend index 4e7c9e1..3589a10 100644 --- a/targets/pseudo/userland/share/Makefile.depend +++ b/targets/pseudo/userland/share/Makefile.depend @@ -85,6 +85,7 @@ DIRDEPS = \ share/doc/usd/title \ share/dtrace \ share/dtrace/toolkit \ + share/examples \ share/examples/atf \ share/examples/ipfilter \ share/examples/pf \ -- cgit v1.1 From 34545cf914b2b536e14bffa611fc7f7c09aaf330 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:13 +0000 Subject: DIRDEPS_BUILD: Avoid rebuilds due to changed build commands with newly staged tools. This is a follow-up to r291561 which reworked the bootstrap tool PATH handling. An example of this is when building lib/clang/libclangedit. At first clang-tblgen will not be staged in the host tree so it will have CLANG_TBLGEN=clang-tblgen set and exported. During the build though it will stage clang-tblgen and then find it via the PATH. On the next build it finds clang-tblgen in the stage directory and would set CLANG_TBLGEN=/clang-tblgen thus causing the build command to change. In both cases the same exact tool was used though so there is no need to rebuild. If the tool did change the normal meta/filemon handling would pick that up via timestamp comparisons and rebuild. Sponsored by: EMC / Isilon Storage Division --- share/mk/local.meta.sys.mk | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/share/mk/local.meta.sys.mk b/share/mk/local.meta.sys.mk index 9f000f5..c853f7c 100644 --- a/share/mk/local.meta.sys.mk +++ b/share/mk/local.meta.sys.mk @@ -236,8 +236,7 @@ PATH:= ${TOOLSDIR}${dir}:${PATH} _toolchain_bin.${var}= ${TOOLSDIR}${_toolchain_bin_${var}:U/usr/bin/${var:tl}} .if exists(${_toolchain_bin.${var}}) HOST_${var}?= ${_toolchain_bin.${var}} -${var}?= ${HOST_${var}} -.export HOST_${var} ${var} +.export HOST_${var} .endif .endfor .endif -- cgit v1.1 From 4ce2f6cba1b025ba3d1d9dd3172f984ee353507f Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:17 +0000 Subject: DIRDEPS_BUILD: Fix building during dirdeps. Sponsored by: EMC / Isilon Storage Division --- share/i18n/esdb/Makefile.part | 2 ++ share/zoneinfo/Makefile | 2 ++ 2 files changed, 4 insertions(+) diff --git a/share/i18n/esdb/Makefile.part b/share/i18n/esdb/Makefile.part index 60048c2..a9e140a 100644 --- a/share/i18n/esdb/Makefile.part +++ b/share/i18n/esdb/Makefile.part @@ -60,7 +60,9 @@ esdb.alias.${ESUBDIR}: ${PARTFILE} ${ALIASFILE} .endfor echo >>${.TARGET} +.if !defined(_SKIP_BUILD) all: esdb.dir.${ESUBDIR} esdb.alias.${ESUBDIR} codesets +.endif codesets: ${ESDB} .if !defined(NO_PREPROC) diff --git a/share/zoneinfo/Makefile b/share/zoneinfo/Makefile index b3d968d..8969da4 100644 --- a/share/zoneinfo/Makefile +++ b/share/zoneinfo/Makefile @@ -67,7 +67,9 @@ TZBUILDSUBDIRS= \ Pacific \ SystemV +.if !defined(_SKIP_BUILD) all: zoneinfo +.endif .PHONY: zoneinfo zoneinfo: yearistype ${TDATA} -- cgit v1.1 From a295004d11d1c81794f9a6436917f85f93d2b60f Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:20 +0000 Subject: DIRDEPS_BUILD: Reduce restaging here. This also fixes meta tracking for the beforeinstall since it had been marked .PHONY before (in bsd.sys.mk). Sponsored by: EMC / Isilon Storage Division --- share/zoneinfo/Makefile | 11 ++++++++--- share/zoneinfo/Makefile.depend | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/share/zoneinfo/Makefile b/share/zoneinfo/Makefile index 8969da4..6f40843 100644 --- a/share/zoneinfo/Makefile +++ b/share/zoneinfo/Makefile @@ -70,22 +70,27 @@ TZBUILDSUBDIRS= \ .if !defined(_SKIP_BUILD) all: zoneinfo .endif +META_COOKIES+= zoneinfo install-zoneinfo -.PHONY: zoneinfo -zoneinfo: yearistype ${TDATA} +zoneinfo: yearistype ${TDATA} ${META_NOPHONY} + ${META_COOKIE_RM} mkdir -p ${TZBUILDDIR} cd ${TZBUILDDIR}; mkdir -p ${TZBUILDSUBDIRS} umask 022; cd ${.CURDIR}; \ zic -D -d ${TZBUILDDIR} -p ${POSIXRULES} -m ${NOBINMODE} \ ${LEAPFILE} -y ${.OBJDIR}/yearistype ${TZFILES} + ${META_COOKIE_TOUCH} -beforeinstall: +beforeinstall: install-zoneinfo +install-zoneinfo: ${META_NOPHONY} + ${META_COOKIE_RM} cd ${TZBUILDDIR} && \ find -s * -type f -print -exec ${INSTALL} \ -o ${BINOWN} -g ${BINGRP} -m ${NOBINMODE} \ \{} ${DESTDIR}/usr/share/zoneinfo/\{} \; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m ${NOBINMODE} \ ${CONTRIBDIR}/zone.tab ${DESTDIR}/usr/share/zoneinfo/ + ${META_COOKIE_TOUCH} afterinstall: # diff --git a/share/zoneinfo/Makefile.depend b/share/zoneinfo/Makefile.depend index f80275d..d7cfba0 100644 --- a/share/zoneinfo/Makefile.depend +++ b/share/zoneinfo/Makefile.depend @@ -2,6 +2,7 @@ # Autogenerated - do NOT edit! DIRDEPS = \ + usr.bin/xinstall.host \ .include -- cgit v1.1 From d586594a01badd7a3134b7081cb2b07ecc8cea6a Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:23 +0000 Subject: DIRDEPS_BUILD: Add a sure way to prohibit building 'all' during dirdeps phase. This obsoletes the _SKIP_BUILD check but keeps it for now until it proves to be enough. In the dirdeps build the first 'make all' or 'make' ran would invoke 'make dirdeps' which builds dependencies and then builds the current directory in a sub-make (when BUILD_AT_LEVEL0 is no, which for us it is). This behavior causes things attached to 'all:' to build in the dirdeps phase AND the sub-make phase which creates all kinds of problems for staging, meta file tracking, and races. Sponsored by: EMC / Isilon Storage Division --- share/mk/local.meta.sys.mk | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/share/mk/local.meta.sys.mk b/share/mk/local.meta.sys.mk index c853f7c..14bfb64 100644 --- a/share/mk/local.meta.sys.mk +++ b/share/mk/local.meta.sys.mk @@ -132,6 +132,16 @@ PYTHON ?= /usr/local/bin/python .export PYTHON # this works best if share/mk is ready for it. BUILD_AT_LEVEL0= no +# _SKIP_BUILD is not 100% as it requires wrapping all 'all:' targets to avoid +# building in MAKELEVEL0. Just prohibit 'all' entirely in this case to avoid +# problems. +.if ${MK_DIRDEPS_BUILD} == "yes" && \ + ${.MAKE.LEVEL} == 0 && ${BUILD_AT_LEVEL0:Uyes:tl} == "no" +.MAIN: dirdeps +.if make(all) +.error DIRDEPS_BUILD: Please run '${MAKE}' instead of '${MAKE} all'. +.endif +.endif # we want to end up with a singe stage tree for all machines .if ${MK_STAGING} == "yes" -- cgit v1.1 From 88db8d87c1a2bf378fc44e1368317e5e9abc4103 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:28 +0000 Subject: META_MODE: Simplify the META_COOKIE handling to use .USE/.USEBEFORE. Extend it to other cases of meta mode cookies so they get the proper rm cookie behavior when a .meta file detects it needs to rebuild and fails. Sponsored by: EMC / Isilon Storage Division --- etc/Makefile | 4 +--- include/Makefile | 14 ++++---------- share/examples/Makefile | 10 +++------- share/mk/local.sys.mk | 14 +++++++++++--- share/sendmail/Makefile | 10 +++------- share/zoneinfo/Makefile | 10 +++------- targets/pseudo/bootstrap-tools/Makefile | 6 ++---- targets/pseudo/kernel/Makefile | 3 +-- targets/pseudo/stage/Makefile | 3 +-- 9 files changed, 29 insertions(+), 45 deletions(-) diff --git a/etc/Makefile b/etc/Makefile index 24e0c95..cb91c23 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -453,12 +453,10 @@ distrib-dirs: ${MTREES:N/*} distrib-cleanup .PHONY done .endif -etc-examples-install: - ${META_COOKIE_RM} +etc-examples-install: ${META_DEPS} cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \ ${BIN1} ${BIN2} nsmb.conf opieaccess \ ${DESTDIR}${SHAREDIR}/examples/etc - ${META_COOKIE_TOUCH} etc-examples: etc-examples-install ${_+_}cd ${.CURDIR}/defaults; \ diff --git a/include/Makefile b/include/Makefile index dcf0d6d..bb79098 100644 --- a/include/Makefile +++ b/include/Makefile @@ -128,7 +128,7 @@ _MARCHS= ${MACHINE_CPUARCH} _MARCHS+= x86 .endif -META_COOKIES+= compat copies symlinks +META_TARGETS+= compat copies symlinks stage_includes: ${SHARED} .include @@ -137,8 +137,7 @@ installincludes: ${SHARED} ${SHARED}: compat # Take care of stale directory-level symlinks. -compat: - ${META_COOKIE_RM} +compat: ${META_DEPS} .for i in ${LDIRS} ${LSUBDIRS} machine ${_MARCHS} crypto if [ -L ${DESTDIR}${INCLUDEDIR}/$i ]; then \ rm -f ${DESTDIR}${INCLUDEDIR}/$i; \ @@ -147,10 +146,8 @@ compat: mtree -deU ${MTREE_FOLLOWS_SYMLINKS} \ -f ${.CURDIR}/../etc/mtree/BSD.include.dist \ -p ${DESTDIR}${INCLUDEDIR} > /dev/null - ${META_COOKIE_TOUCH} -copies: - ${META_COOKIE_RM} +copies: ${META_DEPS} .for i in ${LDIRS} ${LSUBDIRS} ${LSUBSUBDIRS} crypto machine machine/pc \ ${_MARCHS} if [ -d ${DESTDIR}${INCLUDEDIR}/$i ]; then \ @@ -235,10 +232,8 @@ copies: cd ${.CURDIR}/../sys/teken; \ ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 teken.h \ ${DESTDIR}${INCLUDEDIR}/teken - ${META_COOKIE_TOUCH} -symlinks: - ${META_COOKIE_RM} +symlinks: ${META_DEPS} @${ECHO} "Setting up symlinks to kernel source tree..." .for i in ${LDIRS} cd ${.CURDIR}/../sys/$i; \ @@ -351,7 +346,6 @@ symlinks: ${INSTALL_SYMLINK} ../../../sys/rpc/$$h \ ${DESTDIR}${INCLUDEDIR}/rpc; \ done - ${META_COOKIE_TOUCH} .if ${MACHINE} == "host" && !defined(_SKIP_BUILD) # we're here because we are building a sysroot... diff --git a/share/examples/Makefile b/share/examples/Makefile index 7f243fa..cbc85b0 100644 --- a/share/examples/Makefile +++ b/share/examples/Makefile @@ -219,11 +219,10 @@ XFILES+= bhyve/vmrun.sh SHARED?= copies beforeinstall: ${SHARED} etc-examples -META_COOKIES+= copies symlinks +META_TARGETS+= copies symlinks .ORDER: ${SHARED} etc-examples -copies: - ${META_COOKIE_RM} +copies: ${META_DEPS} .for i in ${LDIRS} if [ -L ${DESTDIR}${BINDIR}/$i ]; then \ rm -f ${DESTDIR}${BINDIR}/$i; \ @@ -235,15 +234,12 @@ copies: ${INSTALL} -o ${SHAREOWN} -g ${SHAREGRP} -m ${SHAREMODE} \ ${.CURDIR}/${file} ${DESTDIR}${BINDIR}/${file} .endfor - ${META_COOKIE_TOUCH} -symlinks: - ${META_COOKIE_RM} +symlinks: ${META_DEPS} .for i in ${LDIRS} rm -rf ${DESTDIR}${BINDIR}/$i ln -s ${.CURDIR}/$i ${DESTDIR}${BINDIR}/$i .endfor - ${META_COOKIE_TOUCH} etc-examples: .if ${SHARED} != "symlinks" diff --git a/share/mk/local.sys.mk b/share/mk/local.sys.mk index 269e253..2236dfe 100644 --- a/share/mk/local.sys.mk +++ b/share/mk/local.sys.mk @@ -33,10 +33,18 @@ META_COOKIE_RM= @rm -f ${META_COOKIE} META_COOKIE_TOUCH= @touch ${META_COOKIE} # some targets need to be .PHONY - but not in meta mode META_NOPHONY= -CLEANFILES+= ${META_COOKIES} +CLEANFILES+= ${META_TARGETS} +_meta_dep_before: .USEBEFORE + ${META_COOKIE_RM} +_meta_dep_after: .USE + ${META_COOKIE_TOUCH} +# Attach this to a target to allow it to benefit from meta mode's +# not rerunning a command if it doesn't need to be considering its +# metafile/filemon-tracked dependencies. +META_DEPS= _meta_dep_before _meta_dep_after .META .else META_COOKIE_RM= META_COOKIE_TOUCH= -META_NOPHONY= .PHONY +META_NOPHONY= .PHONY .endif - +META_DEPS+= ${META_NOPHONY} diff --git a/share/sendmail/Makefile b/share/sendmail/Makefile index c8dee5a..9ec23f2 100644 --- a/share/sendmail/Makefile +++ b/share/sendmail/Makefile @@ -16,10 +16,9 @@ SHARED?= copies all clean cleandir depend lint tags: beforeinstall: ${SHARED} -META_COOKIES+= copies symlinks +META_TARGETS+= copies symlinks -copies: - ${META_COOKIE_RM} +copies: ${META_DEPS} if [ -L ${DDIR}/${CFDIR} ]; then rm -f ${DDIR}/${CFDIR}; fi .for dir in ${CFDIRS} ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 -d ${DDIR}/${dir} @@ -27,11 +26,8 @@ copies: .for file in ${CFFILES} ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 ${SENDMAIL_DIR}/${file} ${DDIR}/${file} .endfor - ${META_COOKIE_TOUCH} -symlinks: - ${META_COOKIE_RM} +symlinks: ${META_DEPS} rm -rf ${DDIR}/${CFDIR}; ln -s ${SENDMAIL_DIR}/${CFDIR} ${DDIR}/${CFDIR} - ${META_COOKIE_TOUCH} .include diff --git a/share/zoneinfo/Makefile b/share/zoneinfo/Makefile index 6f40843..1ca7ea6 100644 --- a/share/zoneinfo/Makefile +++ b/share/zoneinfo/Makefile @@ -70,27 +70,23 @@ TZBUILDSUBDIRS= \ .if !defined(_SKIP_BUILD) all: zoneinfo .endif -META_COOKIES+= zoneinfo install-zoneinfo +META_TARGETS+= zoneinfo install-zoneinfo -zoneinfo: yearistype ${TDATA} ${META_NOPHONY} - ${META_COOKIE_RM} +zoneinfo: yearistype ${TDATA} ${META_DEPS} mkdir -p ${TZBUILDDIR} cd ${TZBUILDDIR}; mkdir -p ${TZBUILDSUBDIRS} umask 022; cd ${.CURDIR}; \ zic -D -d ${TZBUILDDIR} -p ${POSIXRULES} -m ${NOBINMODE} \ ${LEAPFILE} -y ${.OBJDIR}/yearistype ${TZFILES} - ${META_COOKIE_TOUCH} beforeinstall: install-zoneinfo -install-zoneinfo: ${META_NOPHONY} - ${META_COOKIE_RM} +install-zoneinfo: ${META_DEPS} cd ${TZBUILDDIR} && \ find -s * -type f -print -exec ${INSTALL} \ -o ${BINOWN} -g ${BINGRP} -m ${NOBINMODE} \ \{} ${DESTDIR}/usr/share/zoneinfo/\{} \; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m ${NOBINMODE} \ ${CONTRIBDIR}/zone.tab ${DESTDIR}/usr/share/zoneinfo/ - ${META_COOKIE_TOUCH} afterinstall: # diff --git a/targets/pseudo/bootstrap-tools/Makefile b/targets/pseudo/bootstrap-tools/Makefile index 2d38a70..1b9b339 100644 --- a/targets/pseudo/bootstrap-tools/Makefile +++ b/targets/pseudo/bootstrap-tools/Makefile @@ -49,22 +49,20 @@ BSARGS+= OBJTOP=${BTOOLSDIR}${SRCTOP} OBJROOT='$${OBJTOP}/' BSARGS+= MK_CROSS_COMPILER=no MK_CLANG=no MK_GCC=no DISTRIB_ENV= INSTALL="sh ${SRCTOP}/tools/install.sh" NO_FSCHG=1 MK_TESTS=no -legacy: .MAKE .META +legacy: .MAKE ${META_DEPS} mkdir -p ${LEGACY_TOOLS} ${DISTRIB_ENV} ${MAKE} -C ${SRCTOP}/etc distrib-dirs \ DESTDIR=${BTOOLSDIR} > $@.distrib-dirs_btoolsdir ${DISTRIB_ENV} ${MAKE} -C ${SRCTOP}/etc distrib-dirs \ DESTDIR=${LEGACY_TOOLS} > $@.distrib-dirs_legacy_tools ${BSENV} ${MAKE} -C ${SRCTOP} -f Makefile.inc1 ${BSARGS} $@ - touch $@ bootstrap-tools: legacy build-tools: bootstrap-tools cross-tools: build-tools -cross-tools build-tools bootstrap-tools: .MAKE .META +cross-tools build-tools bootstrap-tools: .MAKE ${META_DEPS} ${BSENV} ${MAKE} -C ${SRCTOP} -f Makefile.inc1 ${BSARGS} $@ - touch $@ # MAKELEVEL=0 so that dirdeps.mk does its thing # BSENV:MPATH=* lets us use the bootstrapped stuff in LEGACY_TOOLS above. diff --git a/targets/pseudo/kernel/Makefile b/targets/pseudo/kernel/Makefile index 502c830..8783d35 100644 --- a/targets/pseudo/kernel/Makefile +++ b/targets/pseudo/kernel/Makefile @@ -10,11 +10,10 @@ KERN_CONFDIR= ${SRCTOP}/sys/${TARGET}/conf CONFIG= ${STAGE_HOST_OBJTOP}/usr/sbin/config -${KERNCONF}.config: .MAKE .META +${KERNCONF}.config: .MAKE ${META_DEPS} mkdir -p ${KERN_OBJDIR:H} (cd ${KERN_CONFDIR} && \ ${CONFIG} ${CONFIGARGS} -d ${KERN_OBJDIR} ${KERNCONF}) - @touch $@ # we need to pass curdirOk=yes to meta mode, since we want .meta files # in ${KERN_OBJDIR} diff --git a/targets/pseudo/stage/Makefile b/targets/pseudo/stage/Makefile index daa352d..ed3217d 100644 --- a/targets/pseudo/stage/Makefile +++ b/targets/pseudo/stage/Makefile @@ -6,11 +6,10 @@ all: # mtree makes a lot of noise if we are not root, # we don't need to see it. -stage-distrib-dirs: .META +stage-distrib-dirs: .META ${META_DEPS} mkdir -p ${STAGE_OBJTOP} INSTALL="sh ${SRCTOP}/tools/install.sh" ${.MAKE} -C ${SRCTOP}/etc \ distrib-dirs -DNO_FSCHG -DWITH_TESTS DESTDIR=${STAGE_OBJTOP} - touch $@ .include -- cgit v1.1 From c3a42f86a770b004fc371083a609ae9fa2d29d0e Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:32 +0000 Subject: META_MODE: We can only use a cookie if filemon is being used. Sponsored by: EMC / Isilon Storage Divsion --- share/mk/local.sys.mk | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/share/mk/local.sys.mk b/share/mk/local.sys.mk index 2236dfe..59d6899 100644 --- a/share/mk/local.sys.mk +++ b/share/mk/local.sys.mk @@ -27,12 +27,11 @@ MAKE_PRINT_VAR_ON_ERROR += .MAKE.MAKEFILES .PATH .if ${.MAKE.MODE:Mmeta*} != "" # we can afford to use cookies to prevent some targets -# re-running needlessly +# re-running needlessly but only when using filemon. +.if ${.MAKE.MODE:Mnofilemon} == "" META_COOKIE= ${COOKIE.${.TARGET}:U${.OBJDIR}/${.TARGET}} META_COOKIE_RM= @rm -f ${META_COOKIE} META_COOKIE_TOUCH= @touch ${META_COOKIE} -# some targets need to be .PHONY - but not in meta mode -META_NOPHONY= CLEANFILES+= ${META_TARGETS} _meta_dep_before: .USEBEFORE ${META_COOKIE_RM} @@ -42,9 +41,12 @@ _meta_dep_after: .USE # not rerunning a command if it doesn't need to be considering its # metafile/filemon-tracked dependencies. META_DEPS= _meta_dep_before _meta_dep_after .META +.endif .else -META_COOKIE_RM= -META_COOKIE_TOUCH= +# some targets need to be .PHONY - but not in meta mode META_NOPHONY= .PHONY .endif +META_NOPHONY?= +META_COOKIE_RM?= +META_COOKIE_TOUCH?= META_DEPS+= ${META_NOPHONY} -- cgit v1.1 From 2c67a820e7de695231dd0a64dcad287b3b04f404 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:36 +0000 Subject: Remove exists() checks so normal out-of-date handling can be used. This also fixes META MODE rebuilding these because the 'number of build commands' changed from the previous build. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division --- share/i18n/esdb/BIG5/Makefile | 4 +--- share/i18n/esdb/Makefile.part | 6 ++---- share/i18n/esdb/UTF/Makefile | 4 ++-- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/share/i18n/esdb/BIG5/Makefile b/share/i18n/esdb/BIG5/Makefile index 4852b83..f7b1512 100644 --- a/share/i18n/esdb/BIG5/Makefile +++ b/share/i18n/esdb/BIG5/Makefile @@ -13,12 +13,10 @@ Big5_$i_variable!= sed \ ${.CURDIR}/Big5.variable .endfor .for i in ${PART} -.if !exists(Big5-${i:S/:/@/}.src) # XXX: FIXME Big5-${i:S/:/@/}.src: Big5.src Big5.variable sed -e 's/encoding/Big5-$i/' \ -e 's/variable/${Big5_$i_variable}/' \ ${.CURDIR}/Big5.src > $@ - @echo Big5-${i:S/:/@/}.src >>.tmpfiles -.endif + @echo ${.TARGET} >>.tmpfiles .endfor diff --git a/share/i18n/esdb/Makefile.part b/share/i18n/esdb/Makefile.part index a9e140a..8de4045 100644 --- a/share/i18n/esdb/Makefile.part +++ b/share/i18n/esdb/Makefile.part @@ -67,11 +67,9 @@ codesets: ${ESDB} .if !defined(NO_PREPROC) .for i in ${PART} -.if !exists(${EPREFIX}${i:S/:/@/}.src) ${EPREFIX}${i:S/:/@/}.src: ${CODE}.src - sed ${SED_EXP:S@%%PART%%@${i}@} ${.CURDIR}/${CODE}.src > ${EPREFIX}${i:S/:/@/}.src - @echo ${EPREFIX}${i:S/:/@/}.src >>.tmpfiles -.endif + sed ${SED_EXP:S@%%PART%%@${i}@} ${.ALLSRC} > ${.TARGET} + @echo ${.TARGET} >>.tmpfiles .endfor .endif diff --git a/share/i18n/esdb/UTF/Makefile b/share/i18n/esdb/UTF/Makefile index 92ddcdd..a8e21ef 100644 --- a/share/i18n/esdb/UTF/Makefile +++ b/share/i18n/esdb/UTF/Makefile @@ -36,6 +36,6 @@ ${EPREFIX}${i}.src: ${CODE}.src sed -e 's/UTF-x/UTF-${i}/' \ -e 's/UTF-mod/${UTF-${i}-mod}/' \ -e 's/UTF-var/${UTF-${i}-var}/' \ - ${.CURDIR}/${CODE}.src > ${EPREFIX}${i:S/:/@/}.src - @echo ${EPREFIX}${i:S/:/@/}.src >>.tmpfiles + ${.ALLSRC} > ${.TARGET} + @echo ${.TARGET} >>.tmpfiles .endfor -- cgit v1.1 From 2fdf7099a2368ea82da925e0e63a536bee51294c Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:39 +0000 Subject: Don't even define or append subdir targets with NO_SUBDIR. No functional change. This prevents adding empty targets to the main called target which is confusing for debugging. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division --- share/mk/bsd.subdir.mk | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/share/mk/bsd.subdir.mk b/share/mk/bsd.subdir.mk index 290f894..fa6c6d4 100644 --- a/share/mk/bsd.subdir.mk +++ b/share/mk/bsd.subdir.mk @@ -131,7 +131,8 @@ ${SUBDIR:N.WAIT}: .PHONY .MAKE # such as 'install' becoming {before,real,after}install, just recurse # 'install'. Despite that, 'realinstall' is special due to ordering issues # with 'afterinstall'. -.if make(${__target}) || (${__target} == realinstall && make(install)) +.if !defined(NO_SUBDIR) && (make(${__target}) || \ + (${__target} == realinstall && make(install))) # Can ordering be skipped for this and SUBDIR_PARALLEL forced? .if ${STANDALONE_SUBDIR_TARGETS:M${__target}} _is_standalone_target= 1 @@ -153,12 +154,10 @@ __deps+= ${__target}_subdir_${DIRPRFX}${__dep} .endfor .endif ${__target}_subdir_${DIRPRFX}${__dir}: .PHONY .MAKE .SILENT ${__deps} -.if !defined(NO_SUBDIR) @${_+_}target=${__target:realinstall=install}; \ dir=${__dir}; \ ${_SUBDIR_SH}; .endif -.endif .endfor # __dir in ${SUBDIR} ${__target}: ${__subdir_targets} .else -- cgit v1.1 From efd5b82a191b171dc247997735432fe231da2de2 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:42 +0000 Subject: Remove bogus .ORDER. This is not SUBDIR_PARALLEL and if it were this .ORDER would not work since the targets are _subdir_ not . MFC after: 1 week Sponsored by: EMC / Isilon Storage Division --- lib/atf/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/atf/Makefile b/lib/atf/Makefile index 0772065..481bce9 100644 --- a/lib/atf/Makefile +++ b/lib/atf/Makefile @@ -35,6 +35,4 @@ SUBDIR= libatf-c \ _tests= tests .endif -.ORDER: ${SUBDIR} - .include -- cgit v1.1 From b18adddc3c011947ee9b88a692a497d6ea6ed82a Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:45 +0000 Subject: Revert r269030. CLEANFILES is already added to .NOPATH since r241298. Sponsored by: EMC / Isilon Storage Division --- sys/boot/i386/loader/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/boot/i386/loader/Makefile b/sys/boot/i386/loader/Makefile index bcbe0b8..9d3cad4 100644 --- a/sys/boot/i386/loader/Makefile +++ b/sys/boot/i386/loader/Makefile @@ -125,6 +125,6 @@ LDADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBSTAND} beforedepend ${OBJS}: machine CLEANFILES+= machine CFLAGS+= -DLOADER_PREFER_AMD64 -machine: .NOPATH +machine: ln -sf ${.CURDIR}/../../../i386/include machine .endif -- cgit v1.1 From 4d90d5a44706c59fa5c6b5be47ec0e25e7eae508 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:51 +0000 Subject: Add more .NOMETA missed in r291320 Sponsored by: EMC / Isilon Storage Division --- sys/boot/efi/boot1/Makefile | 4 ++-- sys/boot/efi/fdt/Makefile | 2 +- sys/boot/efi/loader/Makefile | 4 ++-- sys/boot/ficl/Makefile | 2 +- sys/boot/i386/gptboot/Makefile | 2 +- sys/boot/i386/gptzfsboot/Makefile | 2 +- sys/boot/i386/libfirewire/Makefile | 2 +- sys/boot/i386/libi386/Makefile | 2 +- sys/boot/i386/loader/Makefile | 2 +- sys/boot/i386/zfsboot/Makefile | 2 +- sys/boot/libstand32/Makefile | 2 +- sys/boot/ofw/libofw/Makefile | 2 +- sys/boot/uboot/fdt/Makefile | 2 +- sys/boot/uboot/lib/Makefile | 2 +- sys/boot/userboot/ficl/Makefile | 2 +- sys/boot/zfs/Makefile | 2 +- 16 files changed, 18 insertions(+), 18 deletions(-) diff --git a/sys/boot/efi/boot1/Makefile b/sys/boot/efi/boot1/Makefile index c4c92cb..0675cca 100644 --- a/sys/boot/efi/boot1/Makefile +++ b/sys/boot/efi/boot1/Makefile @@ -124,13 +124,13 @@ beforedepend ${OBJS}: machine CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../${MACHINE}/include machine .if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_CPUARCH} == "i386" beforedepend ${OBJS}: x86 CLEANFILES+= x86 -x86: +x86: .NOMETA ln -sf ${.CURDIR}/../../../x86/include x86 .endif diff --git a/sys/boot/efi/fdt/Makefile b/sys/boot/efi/fdt/Makefile index 15862dc..65f6e63 100644 --- a/sys/boot/efi/fdt/Makefile +++ b/sys/boot/efi/fdt/Makefile @@ -27,7 +27,7 @@ CFLAGS+= -I${.CURDIR}/../../fdt # Pick up the bootstrap header for some interface items CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I. -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../${MACHINE}/include machine CLEANFILES+= machine diff --git a/sys/boot/efi/loader/Makefile b/sys/boot/efi/loader/Makefile index d36e54b..9246bf2 100644 --- a/sys/boot/efi/loader/Makefile +++ b/sys/boot/efi/loader/Makefile @@ -131,13 +131,13 @@ beforedepend ${OBJS}: machine CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../${MACHINE}/include machine .if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_CPUARCH} == "i386" beforedepend ${OBJS}: x86 CLEANFILES+= x86 -x86: +x86: .NOMETA ln -sf ${.CURDIR}/../../../x86/include x86 .endif diff --git a/sys/boot/ficl/Makefile b/sys/boot/ficl/Makefile index 0451aa9..bce9ffa 100644 --- a/sys/boot/ficl/Makefile +++ b/sys/boot/ficl/Makefile @@ -75,7 +75,7 @@ ${SRCS:M*.c:R:S/$/.o/g}: machine beforedepend ${OBJS}: machine .endif -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../i386/include machine CLEANFILES+= machine diff --git a/sys/boot/i386/gptboot/Makefile b/sys/boot/i386/gptboot/Makefile index 71814c1..1aafe0b 100644 --- a/sys/boot/i386/gptboot/Makefile +++ b/sys/boot/i386/gptboot/Makefile @@ -74,7 +74,7 @@ gptboot.o: ${.CURDIR}/../../common/ufsread.c .if ${MACHINE_CPUARCH} == "amd64" beforedepend gptboot.o: machine CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../i386/include machine .endif diff --git a/sys/boot/i386/gptzfsboot/Makefile b/sys/boot/i386/gptzfsboot/Makefile index 91a637f..1406333 100644 --- a/sys/boot/i386/gptzfsboot/Makefile +++ b/sys/boot/i386/gptzfsboot/Makefile @@ -72,7 +72,7 @@ zfsboot.o: ${.CURDIR}/../../zfs/zfsimpl.c .if ${MACHINE_CPUARCH} == "amd64" beforedepend zfsboot.o: machine CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../i386/include machine .endif diff --git a/sys/boot/i386/libfirewire/Makefile b/sys/boot/i386/libfirewire/Makefile index 191b954..904f4ab 100644 --- a/sys/boot/i386/libfirewire/Makefile +++ b/sys/boot/i386/libfirewire/Makefile @@ -18,7 +18,7 @@ CFLAGS+= -Wformat -Wall .if ${MACHINE_CPUARCH} == "amd64" CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../i386/include machine .endif diff --git a/sys/boot/i386/libi386/Makefile b/sys/boot/i386/libi386/Makefile index 3e61a1b..f3c1d8d 100644 --- a/sys/boot/i386/libi386/Makefile +++ b/sys/boot/i386/libi386/Makefile @@ -60,7 +60,7 @@ CFLAGS+= ${FORMAT_EXTENSIONS} .if ${MACHINE_CPUARCH} == "amd64" CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../i386/include machine .endif diff --git a/sys/boot/i386/loader/Makefile b/sys/boot/i386/loader/Makefile index 9d3cad4..776ba92 100644 --- a/sys/boot/i386/loader/Makefile +++ b/sys/boot/i386/loader/Makefile @@ -125,6 +125,6 @@ LDADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBSTAND} beforedepend ${OBJS}: machine CLEANFILES+= machine CFLAGS+= -DLOADER_PREFER_AMD64 -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../i386/include machine .endif diff --git a/sys/boot/i386/zfsboot/Makefile b/sys/boot/i386/zfsboot/Makefile index 5ecf13c..f65e0ad 100644 --- a/sys/boot/i386/zfsboot/Makefile +++ b/sys/boot/i386/zfsboot/Makefile @@ -85,7 +85,7 @@ SRCS= zfsboot.c .if ${MACHINE_CPUARCH} == "amd64" beforedepend zfsboot.o: machine CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../i386/include machine .endif diff --git a/sys/boot/libstand32/Makefile b/sys/boot/libstand32/Makefile index 66798d7..6dbf1f4 100644 --- a/sys/boot/libstand32/Makefile +++ b/sys/boot/libstand32/Makefile @@ -23,6 +23,6 @@ CFLAGS+= -m32 -I. .if ${MACHINE_CPUARCH} == "amd64" CLEANFILES+= machine beforedepend ${OBJS}: machine -machine: +machine: .NOMETA ln -fs ${.CURDIR}/../../i386/include machine .endif diff --git a/sys/boot/ofw/libofw/Makefile b/sys/boot/ofw/libofw/Makefile index 751ebfd..3b91ea2 100644 --- a/sys/boot/ofw/libofw/Makefile +++ b/sys/boot/ofw/libofw/Makefile @@ -25,7 +25,7 @@ SRCS+= ppc64_elf_freebsd.c CFLAGS+= -DDISK_DEBUG .endif -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../${MACHINE_CPUARCH}/include machine CLEANFILES+= machine diff --git a/sys/boot/uboot/fdt/Makefile b/sys/boot/uboot/fdt/Makefile index 6f68665c..95c0800 100644 --- a/sys/boot/uboot/fdt/Makefile +++ b/sys/boot/uboot/fdt/Makefile @@ -23,7 +23,7 @@ CFLAGS+= -I${.CURDIR}/../../fdt # Pick up the bootstrap header for some interface items CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I. -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../${MACHINE_CPUARCH}/include machine CLEANFILES+= machine diff --git a/sys/boot/uboot/lib/Makefile b/sys/boot/uboot/lib/Makefile index b56c060..982da71 100644 --- a/sys/boot/uboot/lib/Makefile +++ b/sys/boot/uboot/lib/Makefile @@ -41,7 +41,7 @@ CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I. CFLAGS+= -DDISK_DEBUG .endif -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../../${MACHINE_CPUARCH}/include machine CLEANFILES+= machine diff --git a/sys/boot/userboot/ficl/Makefile b/sys/boot/userboot/ficl/Makefile index d8f749f..fd6c7f0 100644 --- a/sys/boot/userboot/ficl/Makefile +++ b/sys/boot/userboot/ficl/Makefile @@ -53,7 +53,7 @@ softcore.c: ${SOFTWORDS} softcore.awk # #beforedepend ${OBJS}: machine # -#machine: +#machine: .NOMETA # ln -sf ${.CURDIR}/../../i386/include machine # #CLEANFILES+= machine diff --git a/sys/boot/zfs/Makefile b/sys/boot/zfs/Makefile index 6f8c26b..3ab2251 100644 --- a/sys/boot/zfs/Makefile +++ b/sys/boot/zfs/Makefile @@ -21,7 +21,7 @@ CFLAGS+= -Wformat -Wall .if ${MACHINE_CPUARCH} == "amd64" CLEANFILES+= machine -machine: +machine: .NOMETA ln -sf ${.CURDIR}/../../i386/include machine .endif -- cgit v1.1 From c0ff0c5cb0ba3b502c586e9dadb49633f685b150 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:56 +0000 Subject: Add missing CLEANFILES. MFC after: 1 week Sponsored by: EMC / Isilon Storage Division --- lib/libc++/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/libc++/Makefile b/lib/libc++/Makefile index 94e91b9..50d976e 100644 --- a/lib/libc++/Makefile +++ b/lib/libc++/Makefile @@ -54,6 +54,7 @@ CXXRT_SRCS+= libelftc_dem_gnu3.c\ guard.cc .for _S in ${CXXRT_SRCS} +CLEANFILES+= cxxrt_${_S} STATICOBJS+= cxxrt_${_S:R}.o cxxrt_${_S}: ${_LIBCXXRTDIR}/${_S} .NOMETA ln -sf ${.ALLSRC} ${.TARGET} -- cgit v1.1 From 2d30f7a0c524347b02ad71e5ac059fdd4e2e3649 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:45:59 +0000 Subject: DIRDEPS_BUILD: Update dependencies. Sponsored by: EMC / Isilon Storage Division --- lib/libpam/modules/pam_ssh/Makefile.depend | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/libpam/modules/pam_ssh/Makefile.depend b/lib/libpam/modules/pam_ssh/Makefile.depend index 08fb149..6b7118b 100644 --- a/lib/libpam/modules/pam_ssh/Makefile.depend +++ b/lib/libpam/modules/pam_ssh/Makefile.depend @@ -5,13 +5,11 @@ DIRDEPS = \ gnu/lib/csu \ gnu/lib/libgcc \ include \ - include/arpa \ include/xlocale \ lib/${CSU_DIR} \ lib/libc \ lib/libcompiler_rt \ lib/libpam/libpam \ - lib/libutil \ secure/lib/libcrypto \ secure/lib/libssh \ -- cgit v1.1 From e362e0e49e8af9953e2295635925a15a686d58f4 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Fri, 11 Mar 2016 23:56:33 +0000 Subject: Move Makefile.lib32 to Makefile.libcompat and generalize it. This is in preparation for LIBSOFT. This file only supports *1* LIBCOMPAT value currently and must be capitalized. In Makefile.libcompat given LIBCOMPAT=FOO there can be values set for LIBFOOCFLAGS, LIBFOOCPUFLAGS, LIBFOOWMAKEENV, LIBFOOWMAKEFLAGS, LIBFOOCPUFLAGS, and LIBFOODTRACE. These will have the standard cross-build values appended onto them. This could be extended to support multiple libcompat libraries in the future once there is a need. Reviewed by: imp Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5612 --- Makefile.inc1 | 58 ++++++++++---------- Makefile.lib32 | 136 ----------------------------------------------- Makefile.libcompat | 152 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 182 insertions(+), 164 deletions(-) delete mode 100644 Makefile.lib32 create mode 100644 Makefile.libcompat diff --git a/Makefile.inc1 b/Makefile.inc1 index 36e464f..daf33f4 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -454,8 +454,10 @@ XCXXFLAGS+= ${BFLAGS} .endif .endif # ${XCC:M/*} -.if ${TARGET_ARCH} == "amd64" || ${TARGET_ARCH} == "powerpc64" -.include "Makefile.lib32" +.if ${MK_LIB32} != "no" && (${TARGET_ARCH} == "amd64" || \ + ${TARGET_ARCH} == "powerpc64") +LIBCOMPAT= 32 +.include "Makefile.libcompat" .endif WMAKE= ${WMAKEENV} ${MAKE} ${WORLD_FLAGS} -f Makefile.inc1 DESTDIR=${WORLDTMP} @@ -513,8 +515,8 @@ _worldtmp: .PHONY @echo "--------------------------------------------------------------" .if !defined(NO_CLEAN) rm -rf ${WORLDTMP} -.if defined(LIB32TMP) - rm -rf ${LIB32TMP} +.if defined(LIBCOMPAT) + rm -rf ${LIBCOMPATTMP} .endif .else rm -rf ${WORLDTMP}/legacy/usr/include @@ -544,13 +546,13 @@ _worldtmp: .PHONY mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ -p ${WORLDTMP}/usr/lib >/dev/null .endif -.if ${MK_LIB32} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ +.if defined(LIBCOMPAT) + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ -p ${WORLDTMP}/usr >/dev/null .if ${MK_DEBUG_FILES} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ -p ${WORLDTMP}/legacy/usr/lib/debug/usr >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ -p ${WORLDTMP}/usr/lib/debug/usr >/dev/null .endif .endif @@ -586,8 +588,8 @@ _cleanobj: @echo ">>> stage 2.1: cleaning up the object tree" @echo "--------------------------------------------------------------" ${_+_}cd ${.CURDIR}; ${WMAKE} ${CLEANDIR} -.if defined(LIB32TMP) - ${_+_}cd ${.CURDIR}; ${LIB32WMAKE} -f Makefile.inc1 ${CLEANDIR} +.if defined(LIBCOMPAT) + ${_+_}cd ${.CURDIR}; ${LIBCOMPATWMAKE} -f Makefile.inc1 ${CLEANDIR} .endif .endif _obj: @@ -653,8 +655,8 @@ WMAKE_TGTS+= _includes _libraries WMAKE_TGTS+= _depend .endif WMAKE_TGTS+= everything -.if defined(LIB32TMP) && ${MK_LIB32} != "no" && empty(SUBDIR_OVERRIDE) -WMAKE_TGTS+= build32 +.if defined(LIBCOMPAT) && empty(SUBDIR_OVERRIDE) +WMAKE_TGTS+= build${libcompat} .endif buildworld: buildworld_prologue ${WMAKE_TGTS} buildworld_epilogue @@ -694,7 +696,7 @@ buildenv: .PHONY @cd ${BUILDENV_DIR} && env ${WMAKEENV} BUILDENV=1 ${BUILDENV_SHELL} \ || true -TOOLCHAIN_TGTS= ${WMAKE_TGTS:N_depend:Neverything:Nbuild32} +TOOLCHAIN_TGTS= ${WMAKE_TGTS:N_depend:Neverything:Nbuild${libcompat}} toolchain: ${TOOLCHAIN_TGTS} kernel-toolchain: ${TOOLCHAIN_TGTS:N_includes:N_libraries} @@ -788,8 +790,8 @@ ITOOLS+=makewhatis # Non-base distributions produced by the base system EXTRA_DISTRIBUTIONS= doc -.if defined(LIB32TMP) && ${MK_LIB32} != "no" -EXTRA_DISTRIBUTIONS+= lib32 +.if defined(LIBCOMPAT) +EXTRA_DISTRIBUTIONS+= lib${libcompat} .endif .if ${MK_TESTS} != "no" EXTRA_DISTRIBUTIONS+= tests @@ -841,11 +843,11 @@ distributeworld installworld: _installcheck_world mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ -p ${DESTDIR}/${DISTDIR}/${dist}/usr/lib >/dev/null .endif -.if ${MK_LIB32} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ +.if defined(LIBCOMPAT) + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ -p ${DESTDIR}/${DISTDIR}/${dist}/usr >/dev/null .if ${MK_DEBUG_FILES} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ -p ${DESTDIR}/${DISTDIR}/${dist}/usr/lib/debug/usr >/dev/null .endif .endif @@ -865,8 +867,8 @@ distributeworld installworld: _installcheck_world sed -e 's#^\./#./${dist}/usr/#' >> ${METALOG} ${IMAKEENV} mtree -C -f ${.CURDIR}/etc/mtree/BSD.include.dist | \ sed -e 's#^\./#./${dist}/usr/include/#' >> ${METALOG} -.if ${MK_LIB32} != "no" - ${IMAKEENV} mtree -C -f ${.CURDIR}/etc/mtree/BSD.lib32.dist | \ +.if defined(LIBCOMPAT) + ${IMAKEENV} mtree -C -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist | \ sed -e 's#^\./#./${dist}/usr/#' >> ${METALOG} .endif .endif @@ -951,8 +953,8 @@ reinstall: .MAKE .PHONY @echo ">>> Installing everything" @echo "--------------------------------------------------------------" ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 install -.if defined(LIB32TMP) && ${MK_LIB32} != "no" - ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 install32 +.if defined(LIBCOMPAT) + ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 install${libcompat} .endif redistribute: .MAKE .PHONY @@ -960,9 +962,9 @@ redistribute: .MAKE .PHONY @echo ">>> Distributing everything" @echo "--------------------------------------------------------------" ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 distribute -.if defined(LIB32TMP) && ${MK_LIB32} != "no" - ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 distribute32 \ - DISTRIBUTION=lib32 +.if defined(LIBCOMPAT) + ${_+_}cd ${.CURDIR}; ${MAKE} -f Makefile.inc1 distribute${libcompat} \ + DISTRIBUTION=lib${libcompat} .endif distrib-dirs distribution: .MAKE .PHONY @@ -1025,7 +1027,7 @@ INSTALLKERNEL= ${_kernel} .endif .endfor -${WMAKE_TGTS:N_worldtmp:Nbuild32} ${.ALLTARGETS:M_*:N_worldtmp}: .MAKE .PHONY +${WMAKE_TGTS:N_worldtmp:Nbuild${libcompat}} ${.ALLTARGETS:M_*:N_worldtmp}: .MAKE .PHONY # # buildkernel @@ -2274,8 +2276,8 @@ _xi-mtree: .PHONY -p ${XDDESTDIR}/usr >/dev/null mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \ -p ${XDDESTDIR}/usr/include >/dev/null -.if ${MK_LIB32} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ +.if defined(LIBCOMPAT) + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ -p ${XDDESTDIR}/usr >/dev/null .endif .if ${MK_TESTS} != "no" diff --git a/Makefile.lib32 b/Makefile.lib32 deleted file mode 100644 index e385d53..0000000 --- a/Makefile.lib32 +++ /dev/null @@ -1,136 +0,0 @@ -# $FreeBSD$ - -# Makefile for the 32-bit compat libraries on PowerPC and AMD64. -# could also be for mips, but that doesn't work today. - -# 32 bit world -LIB32_OBJTREE= ${OBJTREE}${.CURDIR}/world32 -LIB32TMP= ${OBJTREE}${.CURDIR}/lib32 - -.if ${TARGET_ARCH} == "amd64" -.if empty(TARGET_CPUTYPE) -LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2 -.else -LIB32CPUFLAGS= -march=${TARGET_CPUTYPE} -.endif -LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \ - MACHINE_CPU="i686 mmx sse sse2" -LIB32WMAKEFLAGS= \ - AS="${XAS} --32" \ - LD="${XLD} -m elf_i386_fbsd -Y P,${LIB32TMP}/usr/lib32" \ - OBJCOPY="${XOBJCOPY}" - -.elif ${TARGET_ARCH} == "powerpc64" -.if empty(TARGET_CPUTYPE) -LIB32CPUFLAGS= -mcpu=powerpc -.else -LIB32CPUFLAGS= -mcpu=${TARGET_CPUTYPE} -.endif -LIB32WMAKEENV= MACHINE=powerpc MACHINE_ARCH=powerpc -LIB32WMAKEFLAGS= \ - LD="${XLD} -m elf32ppc_fbsd" \ - OBJCOPY="${XOBJCOPY}" -.endif - - -LIB32FLAGS= -m32 ${LIB32CPUFLAGS} -DCOMPAT_32BIT \ - -isystem ${LIB32TMP}/usr/include/ \ - -L${LIB32TMP}/usr/lib32 \ - -B${LIB32TMP}/usr/lib32 -.if ${XCC:N${CCACHE_BIN}:M/*} -LIB32FLAGS+= --sysroot=${WORLDTMP} -.endif - -# Yes, the flags are redundant. -LIB32WMAKEENV+= MAKEOBJDIRPREFIX=${LIB32_OBJTREE} \ - _LDSCRIPTROOT=${LIB32TMP} \ - INSTALL="sh ${.CURDIR}/tools/install.sh" \ - PATH=${TMPPATH} \ - LIBDIR=/usr/lib32 \ - SHLIBDIR=/usr/lib32 \ - DTRACE="${DTRACE} -32" -LIB32WMAKEFLAGS+= CC="${XCC} ${LIB32FLAGS}" \ - CXX="${XCXX} ${LIB32FLAGS}" \ - DESTDIR=${LIB32TMP} \ - -DCOMPAT_32BIT \ - -DLIBRARIES_ONLY \ - -DNO_CPU_CFLAGS \ - MK_CTF=no \ - -DNO_LINT \ - MK_TESTS=no - -LIB32WMAKE= ${LIB32WMAKEENV} ${MAKE} ${LIB32WMAKEFLAGS} \ - MK_MAN=no MK_HTML=no -LIB32IMAKE= ${LIB32WMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} \ - MK_TOOLCHAIN=no ${IMAKE_INSTALL} - -build32: .PHONY - @echo - @echo "--------------------------------------------------------------" - @echo ">>> stage 5.1: building 32 bit shim libraries" - @echo "--------------------------------------------------------------" - mkdir -p ${LIB32TMP}/usr/include - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ - -p ${LIB32TMP}/usr >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \ - -p ${LIB32TMP}/usr/include >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ - -p ${LIB32TMP}/usr >/dev/null -.if ${MK_DEBUG_FILES} != "no" - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ - -p ${LIB32TMP}/usr/lib >/dev/null - mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib32.dist \ - -p ${LIB32TMP}/usr/lib/debug/usr >/dev/null -.endif - mkdir -p ${WORLDTMP} - ln -sf ${.CURDIR}/sys ${WORLDTMP} -.for _t in obj includes - ${_+_}cd ${.CURDIR}/include; ${LIB32WMAKE} DIRPRFX=include/ ${_t} - ${_+_}cd ${.CURDIR}/lib; ${LIB32WMAKE} DIRPRFX=lib/ ${_t} -.if ${MK_CDDL} != "no" - ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32WMAKE} DIRPRFX=cddl/lib/ ${_t} -.endif - ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32WMAKE} DIRPRFX=gnu/lib/ ${_t} -.if ${MK_CRYPT} != "no" - ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32WMAKE} DIRPRFX=secure/lib/ ${_t} -.endif -.if ${MK_KERBEROS} != "no" - ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32WMAKE} DIRPRFX=kerberos5/lib ${_t} -.endif -.endfor -.for _dir in usr.bin/lex/lib - ${_+_}cd ${.CURDIR}/${_dir}; ${LIB32WMAKE} DIRPRFX=${_dir}/ obj -.endfor -.for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic - ${_+_}cd ${.CURDIR}/${_dir}; \ - WORLDTMP=${WORLDTMP} \ - MAKEFLAGS="-m ${.CURDIR}/tools/build/mk ${.MAKEFLAGS}" \ - MAKEOBJDIRPREFIX=${LIB32_OBJTREE} ${MAKE} SSP_CFLAGS= DESTDIR= \ - DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ - build-tools -.endfor - ${_+_}cd ${.CURDIR}; \ - ${LIB32WMAKE} -f Makefile.inc1 -DNO_FSCHG libraries -.for _t in obj depend all - ${_+_}cd ${.CURDIR}/libexec/rtld-elf; PROG=ld-elf32.so.1 ${LIB32WMAKE} \ - -DNO_FSCHG DIRPRFX=libexec/rtld-elf/ ${_t} - ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32WMAKE} \ - DIRPRFX=usr.bin/ldd ${_t} -.endfor - -distribute32 install32: .MAKE .PHONY - ${_+_}cd ${.CURDIR}/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.if ${MK_CDDL} != "no" - ${_+_}cd ${.CURDIR}/cddl/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.endif - ${_+_}cd ${.CURDIR}/gnu/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.if ${MK_CRYPT} != "no" - ${_+_}cd ${.CURDIR}/secure/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.endif -.if ${MK_KERBEROS} != "no" - ${_+_}cd ${.CURDIR}/kerberos5/lib; ${LIB32IMAKE} ${.TARGET:S/32$//} -.endif - ${_+_}cd ${.CURDIR}/libexec/rtld-elf; \ - PROG=ld-elf32.so.1 ${LIB32IMAKE} ${.TARGET:S/32$//} - ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIB32IMAKE} \ - ${.TARGET:S/32$//} diff --git a/Makefile.libcompat b/Makefile.libcompat new file mode 100644 index 0000000..8a1fbec --- /dev/null +++ b/Makefile.libcompat @@ -0,0 +1,152 @@ +# $FreeBSD$ + +.if !targets(__<${_this:T}>__) +__<${_this:T}>__: + +# Makefile for the compatibility libraries. +# - 32-bit compat libraries on PowerPC and AMD64. +# could also be for mips, but that doesn't work today. + +# ------------------------------------------------------------------- +# 32 bit world +.if ${TARGET_ARCH} == "amd64" +.if empty(TARGET_CPUTYPE) +LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2 +.else +LIB32CPUFLAGS= -march=${TARGET_CPUTYPE} +.endif +LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \ + MACHINE_CPU="i686 mmx sse sse2" +LIB32WMAKEFLAGS= \ + AS="${XAS} --32" \ + LD="${XLD} -m elf_i386_fbsd -Y P,${LIBCOMPATTMP}/usr/lib32" \ + OBJCOPY="${XOBJCOPY}" + +.elif ${TARGET_ARCH} == "powerpc64" +.if empty(TARGET_CPUTYPE) +LIB32CPUFLAGS= -mcpu=powerpc +.else +LIB32CPUFLAGS= -mcpu=${TARGET_CPUTYPE} +.endif +LIB32WMAKEENV= MACHINE=powerpc MACHINE_ARCH=powerpc +LIB32WMAKEFLAGS= \ + LD="${XLD} -m elf32ppc_fbsd" \ + OBJCOPY="${XOBJCOPY}" +.endif + + +LIB32CFLAGS= -m32 -DCOMPAT_32BIT +LIB32DTRACE= ${DTRACE} -32 +LIB32WMAKEFLAGS+= -DCOMPAT_32BIT + +# ------------------------------------------------------------------- +# Generic code for each type. +# Set defaults based on type. +libcompat= ${LIBCOMPAT:tl} +_LIBCOMPAT_MAKEVARS= _OBJTREE TMP CFLAGS WMAKEENV WMAKEFLAGS WMAKE +.for _var in ${_LIBCOMPAT_MAKEVARS} +.if !empty(LIB${LIBCOMPAT}${_var}) +LIBCOMPAT${_var}?= ${LIB${LIBCOMPAT}${_var}} +.endif +.endfor + +# Shared flags +LIBCOMPAT_OBJTREE?= ${OBJTREE}${.CURDIR}/world${libcompat} +LIBCOMPATTMP?= ${OBJTREE}${.CURDIR}/lib${libcompat} + +LIBCOMPATCFLAGS+= ${LIBCOMPATCPUFLAGS} \ + -isystem ${LIBCOMPATTMP}/usr/include/ \ + -L${LIBCOMPATTMP}/usr/lib${libcompat} \ + -B${LIBCOMPATTMP}/usr/lib${libcompat} + +# Yes, the flags are redundant. +LIBCOMPATWMAKEENV+= MAKEOBJDIRPREFIX=${LIBCOMPAT_OBJTREE} \ + _LDSCRIPTROOT=${LIBCOMPATTMP} \ + INSTALL="sh ${.CURDIR}/tools/install.sh" \ + PATH=${TMPPATH} \ + LIBDIR=/usr/lib${libcompat} \ + SHLIBDIR=/usr/lib${libcompat} \ + DTRACE="${LIB$COMPATDTRACE:U${DTRACE}}" +LIBCOMPATWMAKEFLAGS+= CC="${XCC} ${LIBCOMPATCFLAGS}" \ + CXX="${XCXX} ${LIBCOMPATCFLAGS}" \ + DESTDIR=${LIBCOMPATTMP} \ + -DLIBRARIES_ONLY \ + -DNO_CPU_CFLAGS \ + MK_CTF=no \ + -DNO_LINT \ + MK_TESTS=no +LIBCOMPATWMAKE+= ${LIBCOMPATWMAKEENV} ${MAKE} ${LIBCOMPATWMAKEFLAGS} \ + MK_MAN=no MK_HTML=no +LIBCOMPATIMAKE+= ${LIBCOMPATWMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} \ + MK_TOOLCHAIN=no ${IMAKE_INSTALL} + +.if ${XCC:N${CCACHE_BIN}:M/*} +LIBCOMPATCFLAGS+= --sysroot=${WORLDTMP} +.endif + +_LC_LIBDIRS.yes= lib gnu/lib +_LC_LIBDIRS.${MK_CDDL:tl}= cddl/lib +_LC_LIBDIRS.${MK_CRYPT:tl}= secure/lib +_LC_LIBDIRS.${MK_KERBEROS:tl}= kerberos5/lib + +# Shared logic +build${libcompat}: .PHONY + @echo + @echo "--------------------------------------------------------------" + @echo ">>> stage 5.1: building lib${libcompat} shim libraries" + @echo "--------------------------------------------------------------" + mkdir -p ${LIBCOMPATTMP}/usr/include + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ + -p ${LIBCOMPATTMP}/usr >/dev/null + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.include.dist \ + -p ${LIBCOMPATTMP}/usr/include >/dev/null + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ + -p ${LIBCOMPATTMP}/usr >/dev/null +.if ${MK_DEBUG_FILES} != "no" + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ + -p ${LIBCOMPATTMP}/usr/lib >/dev/null + mtree -deU -f ${.CURDIR}/etc/mtree/BSD.lib${libcompat}.dist \ + -p ${LIBCOMPATTMP}/usr/lib/debug/usr >/dev/null +.endif + mkdir -p ${WORLDTMP} + ln -sf ${.CURDIR}/sys ${WORLDTMP} +.for _t in obj includes + ${_+_}cd ${.CURDIR}/include; ${LIBCOMPATWMAKE} DIRPRFX=include/ ${_t} +.for _dir in ${_LC_LIBDIRS.yes} + ${_+_}cd ${.CURDIR}/${_dir}; ${LIBCOMPATWMAKE} DIRPRFX=${_dir}/ ${_t} +.endfor +.endfor +.for _dir in usr.bin/lex/lib + ${_+_}cd ${.CURDIR}/${_dir}; ${LIBCOMPATWMAKE} DIRPRFX=${_dir}/ obj +.endfor +.for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic + ${_+_}cd ${.CURDIR}/${_dir}; \ + WORLDTMP=${WORLDTMP} \ + MAKEFLAGS="-m ${.CURDIR}/tools/build/mk ${.MAKEFLAGS}" \ + MAKEOBJDIRPREFIX=${LIBCOMPAT_OBJTREE} ${MAKE} SSP_CFLAGS= DESTDIR= \ + DIRPRFX=${_dir}/ -DNO_LINT -DNO_CPU_CFLAGS MK_WARNS=no MK_CTF=no \ + build-tools +.endfor + ${_+_}cd ${.CURDIR}; \ + ${LIBCOMPATWMAKE} -f Makefile.inc1 -DNO_FSCHG libraries +.if ${libcompat} == "32" +.for _t in obj depend all + ${_+_}cd ${.CURDIR}/libexec/rtld-elf; PROG=ld-elf32.so.1 ${LIBCOMPATWMAKE} \ + -DNO_FSCHG DIRPRFX=libexec/rtld-elf/ ${_t} + ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIBCOMPATWMAKE} \ + DIRPRFX=usr.bin/ldd ${_t} +.endfor +.endif + +distribute${libcompat} install${libcompat}: .PHONY +.for _dir in ${_LC_LIBDIRS.yes} + ${_+_}cd ${.CURDIR}/${_dir}; ${LIBCOMPATIMAKE} ${.TARGET:S/${libcompat}$//} +.endfor +.if ${libcompat} == "32" + ${_+_}cd ${.CURDIR}/libexec/rtld-elf; \ + PROG=ld-elf32.so.1 ${LIBCOMPATIMAKE} ${.TARGET:S/32$//} + ${_+_}cd ${.CURDIR}/usr.bin/ldd; PROG=ldd32 ${LIBCOMPATIMAKE} \ + ${.TARGET:S/32$//} +.endif + +.endif -- cgit v1.1 From 3114028bf2a06e0a6fcf49cdeb0d8104845e9d3d Mon Sep 17 00:00:00 2001 From: np Date: Sat, 12 Mar 2016 02:54:55 +0000 Subject: cxgbe(4): Catch up with the latest list of card capabilities as reported by the firmware. --- sys/dev/cxgbe/adapter.h | 3 ++ sys/dev/cxgbe/t4_main.c | 86 +++++++++++++++++++++++++++++-------------------- 2 files changed, 54 insertions(+), 35 deletions(-) diff --git a/sys/dev/cxgbe/adapter.h b/sys/dev/cxgbe/adapter.h index 8cb9983..ee14712 100644 --- a/sys/dev/cxgbe/adapter.h +++ b/sys/dev/cxgbe/adapter.h @@ -812,10 +812,13 @@ struct adapter { const struct chip_params *chip_params; struct t4_virt_res vres; + uint16_t nbmcaps; uint16_t linkcaps; + uint16_t switchcaps; uint16_t niccaps; uint16_t toecaps; uint16_t rdmacaps; + uint16_t tlscaps; uint16_t iscsicaps; uint16_t fcoecaps; diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index b2a63a6..d16ed52 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -328,9 +328,15 @@ TUNABLE_INT("hw.cxgbe.fw_install", &t4_fw_install); * ASIC features that will be used. Disable the ones you don't want so that the * chip resources aren't wasted on features that will not be used. */ +static int t4_nbmcaps_allowed = 0; +TUNABLE_INT("hw.cxgbe.nbmcaps_allowed", &t4_nbmcaps_allowed); + static int t4_linkcaps_allowed = 0; /* No DCBX, PPP, etc. by default */ TUNABLE_INT("hw.cxgbe.linkcaps_allowed", &t4_linkcaps_allowed); +static int t4_switchcaps_allowed = 0; +TUNABLE_INT("hw.cxgbe.switchcaps_allowed", &t4_switchcaps_allowed); + static int t4_niccaps_allowed = FW_CAPS_CONFIG_NIC; TUNABLE_INT("hw.cxgbe.niccaps_allowed", &t4_niccaps_allowed); @@ -340,6 +346,9 @@ TUNABLE_INT("hw.cxgbe.toecaps_allowed", &t4_toecaps_allowed); static int t4_rdmacaps_allowed = 0; TUNABLE_INT("hw.cxgbe.rdmacaps_allowed", &t4_rdmacaps_allowed); +static int t4_tlscaps_allowed = 0; +TUNABLE_INT("hw.cxgbe.tlscaps_allowed", &t4_tlscaps_allowed); + static int t4_iscsicaps_allowed = 0; TUNABLE_INT("hw.cxgbe.iscsicaps_allowed", &t4_iscsicaps_allowed); @@ -3058,10 +3067,13 @@ use_config_on_flash: * Let the firmware know what features will (not) be used so it can tune * things accordingly. */ + LIMIT_CAPS(nbmcaps); LIMIT_CAPS(linkcaps); + LIMIT_CAPS(switchcaps); LIMIT_CAPS(niccaps); LIMIT_CAPS(toecaps); LIMIT_CAPS(rdmacaps); + LIMIT_CAPS(tlscaps); LIMIT_CAPS(iscsicaps); LIMIT_CAPS(fcoecaps); #undef LIMIT_CAPS @@ -3166,10 +3178,13 @@ get_params__post_init(struct adapter *sc) #define READ_CAPS(x) do { \ sc->x = htobe16(caps.x); \ } while (0) + READ_CAPS(nbmcaps); READ_CAPS(linkcaps); + READ_CAPS(switchcaps); READ_CAPS(niccaps); READ_CAPS(toecaps); READ_CAPS(rdmacaps); + READ_CAPS(tlscaps); READ_CAPS(iscsicaps); READ_CAPS(fcoecaps); @@ -4576,24 +4591,33 @@ t4_register_fw_msg_handler(struct adapter *sc, int type, fw_msg_handler_t h) return (0); } +/* + * Should match fw_caps_config_ enums in t4fw_interface.h + */ +static char *caps_decoder[] = { + "\20\0011IPMI\002NCSI", /* 0: NBM */ + "\20\001PPP\002QFC\003DCBX", /* 1: link */ + "\20\001INGRESS\002EGRESS", /* 2: switch */ + "\20\001NIC\002VM\003IDS\004UM\005UM_ISGL" /* 3: NIC */ + "\006HASHFILTER\007ETHOFLD", + "\20\001TOE", /* 4: TOE */ + "\20\001RDDP\002RDMAC", /* 5: RDMA */ + "\20\001INITIATOR_PDU\002TARGET_PDU" /* 6: iSCSI */ + "\003INITIATOR_CNXOFLD\004TARGET_CNXOFLD" + "\005INITIATOR_SSNOFLD\006TARGET_SSNOFLD" + "\007T10DIF" + "\010INITIATOR_CMDOFLD\011TARGET_CMDOFLD", + "\20\00KEYS", /* 7: TLS */ + "\20\001INITIATOR\002TARGET\003CTRL_OFLD" /* 8: FCoE */ + "\004PO_INITIATOR\005PO_TARGET", +}; + static void t4_sysctls(struct adapter *sc) { struct sysctl_ctx_list *ctx; struct sysctl_oid *oid; struct sysctl_oid_list *children, *c0; - static char *caps[] = { - "\20\1PPP\2QFC\3DCBX", /* caps[0] linkcaps */ - "\20\1NIC\2VM\3IDS\4UM\5UM_ISGL" /* caps[1] niccaps */ - "\6HASHFILTER\7ETHOFLD", - "\20\1TOE", /* caps[2] toecaps */ - "\20\1RDDP\2RDMAC", /* caps[3] rdmacaps */ - "\20\1INITIATOR_PDU\2TARGET_PDU" /* caps[4] iscsicaps */ - "\3INITIATOR_CNXOFLD\4TARGET_CNXOFLD" - "\5INITIATOR_SSNOFLD\6TARGET_SSNOFLD", - "\20\1INITIATOR\2TARGET\3CTRL_OFLD" /* caps[5] fcoecaps */ - "\4PO_INITIAOR\5PO_TARGET" - }; static char *doorbells = {"\20\1UDB\2WCWR\3UDBWC\4KDB"}; ctx = device_get_sysctl_ctx(sc->dev); @@ -4635,29 +4659,21 @@ t4_sysctls(struct adapter *sc) CTLTYPE_STRING | CTLFLAG_RD, doorbells, sc->doorbells, sysctl_bitfield, "A", "available doorbells"); - SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "linkcaps", - CTLTYPE_STRING | CTLFLAG_RD, caps[0], sc->linkcaps, - sysctl_bitfield, "A", "available link capabilities"); - - SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "niccaps", - CTLTYPE_STRING | CTLFLAG_RD, caps[1], sc->niccaps, - sysctl_bitfield, "A", "available NIC capabilities"); - - SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "toecaps", - CTLTYPE_STRING | CTLFLAG_RD, caps[2], sc->toecaps, - sysctl_bitfield, "A", "available TCP offload capabilities"); - - SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "rdmacaps", - CTLTYPE_STRING | CTLFLAG_RD, caps[3], sc->rdmacaps, - sysctl_bitfield, "A", "available RDMA capabilities"); - - SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "iscsicaps", - CTLTYPE_STRING | CTLFLAG_RD, caps[4], sc->iscsicaps, - sysctl_bitfield, "A", "available iSCSI capabilities"); - - SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "fcoecaps", - CTLTYPE_STRING | CTLFLAG_RD, caps[5], sc->fcoecaps, - sysctl_bitfield, "A", "available FCoE capabilities"); +#define SYSCTL_CAP(name, n, text) \ + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, #name, \ + CTLTYPE_STRING | CTLFLAG_RD, caps_decoder[n], sc->name, \ + sysctl_bitfield, "A", "available " text "capabilities") + + SYSCTL_CAP(nbmcaps, 0, "NBM"); + SYSCTL_CAP(linkcaps, 1, "link"); + SYSCTL_CAP(switchcaps, 2, "switch"); + SYSCTL_CAP(niccaps, 3, "NIC"); + SYSCTL_CAP(toecaps, 4, "TCP offload"); + SYSCTL_CAP(rdmacaps, 5, "RDMA"); + SYSCTL_CAP(iscsicaps, 6, "iSCSI"); + SYSCTL_CAP(tlscaps, 7, "TLS"); + SYSCTL_CAP(fcoecaps, 8, "FCoE"); +#undef SYSCTL_CAP SYSCTL_ADD_INT(ctx, children, OID_AUTO, "core_clock", CTLFLAG_RD, NULL, sc->params.vpd.cclk, "core clock frequency (in KHz)"); -- cgit v1.1 From 96b33bc25da77281b4b27bb22bbdf64cc9a1d9e2 Mon Sep 17 00:00:00 2001 From: np Date: Sat, 12 Mar 2016 03:02:33 +0000 Subject: cxgbe(4): Fix typo in previous commit. --- sys/dev/cxgbe/t4_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index d16ed52..3ff8a66 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -4595,7 +4595,7 @@ t4_register_fw_msg_handler(struct adapter *sc, int type, fw_msg_handler_t h) * Should match fw_caps_config_ enums in t4fw_interface.h */ static char *caps_decoder[] = { - "\20\0011IPMI\002NCSI", /* 0: NBM */ + "\20\001IPMI\002NCSI", /* 0: NBM */ "\20\001PPP\002QFC\003DCBX", /* 1: link */ "\20\001INGRESS\002EGRESS", /* 2: switch */ "\20\001NIC\002VM\003IDS\004UM\005UM_ISGL" /* 3: NIC */ -- cgit v1.1 From 01c1595386376acfbd033808b962cb106a45f73b Mon Sep 17 00:00:00 2001 From: andrew Date: Sat, 12 Mar 2016 06:50:16 +0000 Subject: Print the correct size of loader.efi when failing to load it into memory. Obtained from: AsiaBSDCon Sponsored by: ABT Systems Ltd --- sys/boot/efi/boot1/boot1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/boot/efi/boot1/boot1.c b/sys/boot/efi/boot1/boot1.c index 1161b0a..1b84d41 100644 --- a/sys/boot/efi/boot1/boot1.c +++ b/sys/boot/efi/boot1/boot1.c @@ -405,7 +405,7 @@ try_boot() if ((status = bs->LoadImage(TRUE, image, devpath_last(dev->devpath), loaderbuf, loadersize, &loaderhandle)) != EFI_SUCCESS) { printf("Failed to load image provided by %s, size: %zu, (%lu)\n", - mod->name, bufsize, EFI_ERROR_CODE(status)); + mod->name, loadersize, EFI_ERROR_CODE(status)); goto errout; } -- cgit v1.1 From 8313320e6ece61884835ebe7679de2975aed3909 Mon Sep 17 00:00:00 2001 From: jhb Date: Sat, 12 Mar 2016 07:13:20 +0000 Subject: Remove Symbol.map entries for old AIO system calls for FreeBSD 6 compat. These entries should have never been present since they only exist for compat with FreeBSD 6.x (and older) binaries. This was missed in r296572. Technically this breaks the ABI by removing versioned symbols. However, no binaries should be linked against these symbols. No release has shipped with a header that contained a prototype for these functions. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D5615 --- lib/libc/sys/Symbol.map | 9 --------- 1 file changed, 9 deletions(-) diff --git a/lib/libc/sys/Symbol.map b/lib/libc/sys/Symbol.map index dc2ed0e..c1532ac 100644 --- a/lib/libc/sys/Symbol.map +++ b/lib/libc/sys/Symbol.map @@ -200,9 +200,6 @@ FBSD_1.0 { nstat; ntp_adjtime; ntp_gettime; - oaio_read; - oaio_write; - olio_listio; open; pathconf; pipe; @@ -809,12 +806,6 @@ FBSDprivate_1.0 { __sys_ntp_adjtime; _ntp_gettime; __sys_ntp_gettime; - _oaio_read; - __sys_oaio_read; - _oaio_write; - __sys_oaio_write; - _olio_listio; - __sys_olio_listio; _open; __sys_open; _openat; -- cgit v1.1 From faec271eeb32354a7197494b5b1b6ebf76fa9fe5 Mon Sep 17 00:00:00 2001 From: trasz Date: Sat, 12 Mar 2016 07:54:42 +0000 Subject: Fix autofs triggering problem. Assume you have an NFS server, 192.168.1.1, with share "share". This commit fixes a problem where "mkdir /net/192.168.1.1/share/meh" would return spurious error instead of creating the directory if the target filesystem wasn't mounted yet; subsequent attempts would work correctly. The failure scenario is kind of complicated to explain, but it all boils down to calling VOP_MKDIR() for the target filesystem (NFS) with wrong dvp - the autofs vnode instead of the filesystem root mounted over it. Reviewed by: kib@ MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5442 --- sys/fs/autofs/autofs_vnops.c | 22 ++++++---------------- sys/kern/vfs_lookup.c | 19 +++++++++++++++++++ sys/sys/errno.h | 1 + 3 files changed, 26 insertions(+), 16 deletions(-) diff --git a/sys/fs/autofs/autofs_vnops.c b/sys/fs/autofs/autofs_vnops.c index 550c514..97f8380 100644 --- a/sys/fs/autofs/autofs_vnops.c +++ b/sys/fs/autofs/autofs_vnops.c @@ -214,7 +214,7 @@ autofs_lookup(struct vop_lookup_args *ap) struct autofs_mount *amp; struct autofs_node *anp, *child; struct componentname *cnp; - int error, lock_flags; + int error; dvp = ap->a_dvp; vpp = ap->a_vpp; @@ -257,23 +257,13 @@ autofs_lookup(struct vop_lookup_args *ap) return (error); if (newvp != NULL) { - error = VOP_LOOKUP(newvp, ap->a_vpp, ap->a_cnp); - /* - * Instead of figuring out whether our vnode should - * be locked or not given the error and cnp flags, - * just "copy" the lock status from vnode returned - * by mounted filesystem's VOP_LOOKUP(). Get rid - * of that new vnode afterwards. + * The target filesystem got automounted. + * Let the lookup(9) go around with the same + * path component. */ - lock_flags = VOP_ISLOCKED(newvp); - if (lock_flags == 0) { - VOP_UNLOCK(dvp, 0); - vrele(newvp); - } else { - vput(newvp); - } - return (error); + vput(newvp); + return (ERELOOKUP); } } diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 9a2a1db..536dfbc 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -495,6 +495,7 @@ lookup(struct nameidata *ndp) int rdonly; /* lookup read-only flag bit */ int error = 0; int dpunlocked = 0; /* dp has already been unlocked */ + int relookup = 0; /* do not consume the path component */ struct componentname *cnp = &ndp->ni_cnd; int lkflags_save; int ni_dvp_unlocked; @@ -745,6 +746,14 @@ unionlookup: goto unionlookup; } + if (error == ERELOOKUP) { + vref(dp); + ndp->ni_vp = dp; + error = 0; + relookup = 1; + goto good; + } + if (error != EJUSTRETURN) goto bad; /* @@ -777,6 +786,8 @@ unionlookup: goto success; } else cnp->cn_lkflags = lkflags_save; + +good: #ifdef NAMEI_DIAGNOSTIC printf("found\n"); #endif @@ -856,6 +867,14 @@ nextname: */ KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/', ("lookup: invalid path state.")); + if (relookup) { + relookup = 0; + if (ndp->ni_dvp != dp) + vput(ndp->ni_dvp); + else + vrele(ndp->ni_dvp); + goto dirloop; + } if (*ndp->ni_next == '/') { cnp->cn_nameptr = ndp->ni_next; while (*cnp->cn_nameptr == '/') { diff --git a/sys/sys/errno.h b/sys/sys/errno.h index d4c5950..52efd31 100644 --- a/sys/sys/errno.h +++ b/sys/sys/errno.h @@ -190,6 +190,7 @@ __END_DECLS #define EJUSTRETURN (-2) /* don't modify regs, just return */ #define ENOIOCTL (-3) /* ioctl not handled by this layer */ #define EDIRIOCTL (-4) /* do direct ioctl in GEOM */ +#define ERELOOKUP (-5) /* retry the directory lookup */ #endif #endif -- cgit v1.1 From beb648d9cce78a16b9f9ca0d1b977f532793855d Mon Sep 17 00:00:00 2001 From: trasz Date: Sat, 12 Mar 2016 08:50:38 +0000 Subject: Remove cn_consume from 'struct componentname'. It was never set to anything other than 0. Reviewed by: kib@ MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5611 --- sys/fs/unionfs/union_subr.c | 3 --- sys/kern/vfs_lookup.c | 12 ------------ sys/sys/namei.h | 1 - 3 files changed, 16 deletions(-) diff --git a/sys/fs/unionfs/union_subr.c b/sys/fs/unionfs/union_subr.c index 74192dc..951d775 100644 --- a/sys/fs/unionfs/union_subr.c +++ b/sys/fs/unionfs/union_subr.c @@ -530,7 +530,6 @@ unionfs_relookup(struct vnode *dvp, struct vnode **vpp, cn->cn_cred = cnp->cn_cred; cn->cn_nameptr = cn->cn_pnbuf; - cn->cn_consume = cnp->cn_consume; if (nameiop == DELETE) cn->cn_flags |= (cnp->cn_flags & (DOWHITEOUT | SAVESTART)); @@ -918,7 +917,6 @@ unionfs_vn_create_on_upper(struct vnode **vpp, struct vnode *udvp, cn.cn_thread = td; cn.cn_cred = cred; cn.cn_nameptr = cn.cn_pnbuf; - cn.cn_consume = 0; vref(udvp); if ((error = relookup(udvp, &vp, &cn)) != 0) @@ -1184,7 +1182,6 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td) cn.cn_lkflags = LK_EXCLUSIVE; cn.cn_thread = td; cn.cn_cred = cred; - cn.cn_consume = 0; /* * check entry in lower. diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 536dfbc..06060b3 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -538,7 +538,6 @@ dirloop: * the name set the SAVENAME flag. When done, they assume * responsibility for freeing the pathname buffer. */ - cnp->cn_consume = 0; for (cp = cnp->cn_nameptr; *cp != 0 && *cp != '/'; cp++) continue; cnp->cn_namelen = cp - cnp->cn_nameptr; @@ -791,17 +790,6 @@ good: #ifdef NAMEI_DIAGNOSTIC printf("found\n"); #endif - /* - * Take into account any additional components consumed by - * the underlying filesystem. - */ - if (cnp->cn_consume > 0) { - cnp->cn_nameptr += cnp->cn_consume; - ndp->ni_next += cnp->cn_consume; - ndp->ni_pathlen -= cnp->cn_consume; - cnp->cn_consume = 0; - } - dp = ndp->ni_vp; /* diff --git a/sys/sys/namei.h b/sys/sys/namei.h index f1b1223..bb1631b 100644 --- a/sys/sys/namei.h +++ b/sys/sys/namei.h @@ -53,7 +53,6 @@ struct componentname { char *cn_pnbuf; /* pathname buffer */ char *cn_nameptr; /* pointer to looked up name */ long cn_namelen; /* length of looked up component */ - long cn_consume; /* chars to consume in lookup() */ }; /* -- cgit v1.1 From 88049166755b25c3786c88652b97ac64f43c8117 Mon Sep 17 00:00:00 2001 From: trasz Date: Sat, 12 Mar 2016 09:05:43 +0000 Subject: Refactor the way we restore cn_lkflags; no functional changes. MFC after: 1 month Sponsored by: The FreeBSD Foundation --- sys/kern/vfs_lookup.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 06060b3..f4b0596 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -726,8 +726,9 @@ unionlookup: lkflags_save = cnp->cn_lkflags; cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags, cnp->cn_flags); - if ((error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp)) != 0) { - cnp->cn_lkflags = lkflags_save; + error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp); + cnp->cn_lkflags = lkflags_save; + if (error != 0) { KASSERT(ndp->ni_vp == NULL, ("leaf should be empty")); #ifdef NAMEI_DIAGNOSTIC printf("not found\n"); @@ -783,8 +784,7 @@ unionlookup: VREF(ndp->ni_startdir); } goto success; - } else - cnp->cn_lkflags = lkflags_save; + } good: #ifdef NAMEI_DIAGNOSTIC -- cgit v1.1 From c15527c9e3ed467dff53561111ec0e546239626e Mon Sep 17 00:00:00 2001 From: trasz Date: Sat, 12 Mar 2016 09:33:26 +0000 Subject: Use S_BLKSIZE instead of magic constant. MFC after: 1 month Sponsored by: The FreeBSD Foundation --- sys/fs/autofs/autofs_vfsops.c | 3 ++- sys/fs/autofs/autofs_vnops.c | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/sys/fs/autofs/autofs_vfsops.c b/sys/fs/autofs/autofs_vfsops.c index e84f6b8..722ff24 100644 --- a/sys/fs/autofs/autofs_vfsops.c +++ b/sys/fs/autofs/autofs_vfsops.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -192,7 +193,7 @@ static int autofs_statfs(struct mount *mp, struct statfs *sbp) { - sbp->f_bsize = 512; + sbp->f_bsize = S_BLKSIZE; sbp->f_iosize = 0; sbp->f_blocks = 0; sbp->f_bfree = 0; diff --git a/sys/fs/autofs/autofs_vnops.c b/sys/fs/autofs/autofs_vnops.c index 97f8380..2a2dd1a 100644 --- a/sys/fs/autofs/autofs_vnops.c +++ b/sys/fs/autofs/autofs_vnops.c @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -110,8 +111,8 @@ autofs_getattr(struct vop_getattr_args *ap) vap->va_rdev = NODEV; vap->va_fsid = mp->mnt_stat.f_fsid.val[0]; vap->va_fileid = anp->an_fileno; - vap->va_size = 512; /* XXX */ - vap->va_blocksize = 512; + vap->va_size = S_BLKSIZE; + vap->va_blocksize = S_BLKSIZE; vap->va_mtime = anp->an_ctime; vap->va_atime = anp->an_ctime; vap->va_ctime = anp->an_ctime; @@ -119,7 +120,7 @@ autofs_getattr(struct vop_getattr_args *ap) vap->va_gen = 0; vap->va_flags = 0; vap->va_rdev = 0; - vap->va_bytes = 512; /* XXX */ + vap->va_bytes = S_BLKSIZE; vap->va_filerev = 0; vap->va_spare = 0; -- cgit v1.1 From 30fbd7121b921dcd3c30f030f88d982e22b4848d Mon Sep 17 00:00:00 2001 From: dumbbell Date: Sat, 12 Mar 2016 09:44:23 +0000 Subject: agp: Do not attach to Intel GEN6+ The i915 video driver doesn't depend on agp(4) anymore for Sandybridge and later GPUs. Therefore, there is no need to attach agp(4) to those devices. While here, fix `agp_i965_res_spec` to include the aperture base for GEN4 and GEN5. Reviewed by: kib Approved by: kib Differential Revision: https://reviews.freebsd.org/D5586 --- sys/dev/agp/agp_i810.c | 542 +++---------------------------------------------- sys/dev/agp/agpreg.h | 22 +- 2 files changed, 33 insertions(+), 531 deletions(-) diff --git a/sys/dev/agp/agp_i810.c b/sys/dev/agp/agp_i810.c index c9ebcc5..7df5d84 100644 --- a/sys/dev/agp/agp_i810.c +++ b/sys/dev/agp/agp_i810.c @@ -86,7 +86,6 @@ struct agp_i810_match; static int agp_i810_check_active(device_t bridge_dev); static int agp_i830_check_active(device_t bridge_dev); static int agp_i915_check_active(device_t bridge_dev); -static int agp_sb_check_active(device_t bridge_dev); static void agp_82852_set_desc(device_t dev, const struct agp_i810_match *match); @@ -97,12 +96,10 @@ static void agp_i830_dump_regs(device_t dev); static void agp_i855_dump_regs(device_t dev); static void agp_i915_dump_regs(device_t dev); static void agp_i965_dump_regs(device_t dev); -static void agp_sb_dump_regs(device_t dev); static int agp_i810_get_stolen_size(device_t dev); static int agp_i830_get_stolen_size(device_t dev); static int agp_i915_get_stolen_size(device_t dev); -static int agp_sb_get_stolen_size(device_t dev); static int agp_i810_get_gtt_mappable_entries(device_t dev); static int agp_i830_get_gtt_mappable_entries(device_t dev); @@ -111,7 +108,6 @@ static int agp_i915_get_gtt_mappable_entries(device_t dev); static int agp_i810_get_gtt_total_entries(device_t dev); static int agp_i965_get_gtt_total_entries(device_t dev); static int agp_gen5_get_gtt_total_entries(device_t dev); -static int agp_sb_get_gtt_total_entries(device_t dev); static int agp_i810_install_gatt(device_t dev); static int agp_i830_install_gatt(device_t dev); @@ -131,14 +127,11 @@ static void agp_i965_install_gtt_pte(device_t dev, u_int index, vm_offset_t physical, int flags); static void agp_g4x_install_gtt_pte(device_t dev, u_int index, vm_offset_t physical, int flags); -static void agp_sb_install_gtt_pte(device_t dev, u_int index, - vm_offset_t physical, int flags); static void agp_i810_write_gtt(device_t dev, u_int index, uint32_t pte); static void agp_i915_write_gtt(device_t dev, u_int index, uint32_t pte); static void agp_i965_write_gtt(device_t dev, u_int index, uint32_t pte); static void agp_g4x_write_gtt(device_t dev, u_int index, uint32_t pte); -static void agp_sb_write_gtt(device_t dev, u_int index, uint32_t pte); static u_int32_t agp_i810_read_gtt_pte(device_t dev, u_int index); static u_int32_t agp_i915_read_gtt_pte(device_t dev, u_int index); @@ -147,7 +140,6 @@ static u_int32_t agp_g4x_read_gtt_pte(device_t dev, u_int index); static vm_paddr_t agp_i810_read_gtt_pte_paddr(device_t dev, u_int index); static vm_paddr_t agp_i915_read_gtt_pte_paddr(device_t dev, u_int index); -static vm_paddr_t agp_sb_read_gtt_pte_paddr(device_t dev, u_int index); static int agp_i810_set_aperture(device_t dev, u_int32_t aperture); static int agp_i830_set_aperture(device_t dev, u_int32_t aperture); @@ -174,7 +166,6 @@ enum { CHIP_G33, /* G33/Q33/Q35 */ CHIP_IGD, /* Pineview */ CHIP_G4X, /* G45/Q45 */ - CHIP_SB, /* SandyBridge */ }; /* The i810 through i855 have the registers at BAR 1, and the GATT gets @@ -196,12 +187,7 @@ static struct resource_spec agp_i915_res_spec[] = { static struct resource_spec agp_i965_res_spec[] = { { SYS_RES_MEMORY, AGP_I965_GTTMMADR, RF_ACTIVE | RF_SHAREABLE }, - { -1, 0 } -}; - -static struct resource_spec agp_g4x_res_spec[] = { - { SYS_RES_MEMORY, AGP_G4X_MMADR, RF_ACTIVE | RF_SHAREABLE }, - { SYS_RES_MEMORY, AGP_G4X_GTTADR, RF_ACTIVE | RF_SHAREABLE }, + { SYS_RES_MEMORY, AGP_I965_APBASE, RF_ACTIVE | RF_SHAREABLE }, { -1, 0 } }; @@ -392,22 +378,22 @@ static const struct agp_i810_driver agp_i810_i915_driver = { .chipset_flush = agp_i915_chipset_flush, }; -static const struct agp_i810_driver agp_i810_g965_driver = { - .chiptype = CHIP_I965, - .gen = 4, +static const struct agp_i810_driver agp_i810_g33_driver = { + .chiptype = CHIP_G33, + .gen = 3, .busdma_addr_mask_sz = 36, - .res_spec = agp_i965_res_spec, + .res_spec = agp_i915_res_spec, .check_active = agp_i915_check_active, .set_desc = agp_i810_set_desc, .dump_regs = agp_i965_dump_regs, .get_stolen_size = agp_i915_get_stolen_size, .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries, .get_gtt_total_entries = agp_i965_get_gtt_total_entries, - .install_gatt = agp_i965_install_gatt, + .install_gatt = agp_i830_install_gatt, .deinstall_gatt = agp_i830_deinstall_gatt, - .write_gtt = agp_i965_write_gtt, - .install_gtt_pte = agp_i965_install_gtt_pte, - .read_gtt_pte = agp_i965_read_gtt_pte, + .write_gtt = agp_i915_write_gtt, + .install_gtt_pte = agp_i915_install_gtt_pte, + .read_gtt_pte = agp_i915_read_gtt_pte, .read_gtt_pte_paddr = agp_i915_read_gtt_pte_paddr, .set_aperture = agp_i915_set_aperture, .chipset_flush_setup = agp_i965_chipset_flush_setup, @@ -415,14 +401,14 @@ static const struct agp_i810_driver agp_i810_g965_driver = { .chipset_flush = agp_i915_chipset_flush, }; -static const struct agp_i810_driver agp_i810_g33_driver = { - .chiptype = CHIP_G33, +static const struct agp_i810_driver agp_i810_igd_driver = { + .chiptype = CHIP_IGD, .gen = 3, .busdma_addr_mask_sz = 36, .res_spec = agp_i915_res_spec, .check_active = agp_i915_check_active, .set_desc = agp_i810_set_desc, - .dump_regs = agp_i965_dump_regs, + .dump_regs = agp_i915_dump_regs, .get_stolen_size = agp_i915_get_stolen_size, .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries, .get_gtt_total_entries = agp_i965_get_gtt_total_entries, @@ -438,22 +424,22 @@ static const struct agp_i810_driver agp_i810_g33_driver = { .chipset_flush = agp_i915_chipset_flush, }; -static const struct agp_i810_driver agp_i810_igd_driver = { - .chiptype = CHIP_IGD, - .gen = 3, +static const struct agp_i810_driver agp_i810_g965_driver = { + .chiptype = CHIP_I965, + .gen = 4, .busdma_addr_mask_sz = 36, - .res_spec = agp_i915_res_spec, + .res_spec = agp_i965_res_spec, .check_active = agp_i915_check_active, .set_desc = agp_i810_set_desc, - .dump_regs = agp_i915_dump_regs, + .dump_regs = agp_i965_dump_regs, .get_stolen_size = agp_i915_get_stolen_size, .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries, .get_gtt_total_entries = agp_i965_get_gtt_total_entries, - .install_gatt = agp_i830_install_gatt, + .install_gatt = agp_i965_install_gatt, .deinstall_gatt = agp_i830_deinstall_gatt, - .write_gtt = agp_i915_write_gtt, - .install_gtt_pte = agp_i915_install_gtt_pte, - .read_gtt_pte = agp_i915_read_gtt_pte, + .write_gtt = agp_i965_write_gtt, + .install_gtt_pte = agp_i965_install_gtt_pte, + .read_gtt_pte = agp_i965_read_gtt_pte, .read_gtt_pte_paddr = agp_i915_read_gtt_pte_paddr, .set_aperture = agp_i915_set_aperture, .chipset_flush_setup = agp_i965_chipset_flush_setup, @@ -484,75 +470,6 @@ static const struct agp_i810_driver agp_i810_g4x_driver = { .chipset_flush = agp_i915_chipset_flush, }; -static const struct agp_i810_driver agp_i810_sb_driver = { - .chiptype = CHIP_SB, - .gen = 6, - .busdma_addr_mask_sz = 40, - .res_spec = agp_g4x_res_spec, - .check_active = agp_sb_check_active, - .set_desc = agp_i810_set_desc, - .dump_regs = agp_sb_dump_regs, - .get_stolen_size = agp_sb_get_stolen_size, - .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries, - .get_gtt_total_entries = agp_sb_get_gtt_total_entries, - .install_gatt = agp_g4x_install_gatt, - .deinstall_gatt = agp_i830_deinstall_gatt, - .write_gtt = agp_sb_write_gtt, - .install_gtt_pte = agp_sb_install_gtt_pte, - .read_gtt_pte = agp_g4x_read_gtt_pte, - .read_gtt_pte_paddr = agp_sb_read_gtt_pte_paddr, - .set_aperture = agp_i915_set_aperture, - .chipset_flush_setup = agp_i810_chipset_flush_setup, - .chipset_flush_teardown = agp_i810_chipset_flush_teardown, - .chipset_flush = agp_i810_chipset_flush, -}; - -static const struct agp_i810_driver agp_i810_hsw_driver = { - .chiptype = CHIP_SB, - .gen = 7, - .busdma_addr_mask_sz = 40, - .res_spec = agp_g4x_res_spec, - .check_active = agp_sb_check_active, - .set_desc = agp_i810_set_desc, - .dump_regs = agp_sb_dump_regs, - .get_stolen_size = agp_sb_get_stolen_size, - .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries, - .get_gtt_total_entries = agp_sb_get_gtt_total_entries, - .install_gatt = agp_g4x_install_gatt, - .deinstall_gatt = agp_i830_deinstall_gatt, - .write_gtt = agp_sb_write_gtt, - .install_gtt_pte = agp_sb_install_gtt_pte, - .read_gtt_pte = agp_g4x_read_gtt_pte, - .read_gtt_pte_paddr = agp_sb_read_gtt_pte_paddr, - .set_aperture = agp_i915_set_aperture, - .chipset_flush_setup = agp_i810_chipset_flush_setup, - .chipset_flush_teardown = agp_i810_chipset_flush_teardown, - .chipset_flush = agp_i810_chipset_flush, -}; - -static const struct agp_i810_driver agp_i810_valleyview_driver = { - .chiptype = CHIP_SB, - .gen = 7, - .busdma_addr_mask_sz = 40, - .res_spec = agp_g4x_res_spec, - .check_active = agp_sb_check_active, - .set_desc = agp_i810_set_desc, - .dump_regs = agp_sb_dump_regs, - .get_stolen_size = agp_sb_get_stolen_size, - .get_gtt_mappable_entries = agp_i915_get_gtt_mappable_entries, - .get_gtt_total_entries = agp_sb_get_gtt_total_entries, - .install_gatt = agp_g4x_install_gatt, - .deinstall_gatt = agp_i830_deinstall_gatt, - .write_gtt = agp_sb_write_gtt, - .install_gtt_pte = agp_sb_install_gtt_pte, - .read_gtt_pte = agp_g4x_read_gtt_pte, - .read_gtt_pte_paddr = agp_sb_read_gtt_pte_paddr, - .set_aperture = agp_i915_set_aperture, - .chipset_flush_setup = agp_i810_chipset_flush_setup, - .chipset_flush_teardown = agp_i810_chipset_flush_teardown, - .chipset_flush = agp_i810_chipset_flush, -}; - /* For adding new devices, devid is the id of the graphics controller * (pci:0:2:0, for example). The placeholder (usually at pci:0:2:1) for the * second head should never be added. The bridge_offset is the offset to @@ -724,266 +641,6 @@ static const struct agp_i810_match { .driver = &agp_i810_g4x_driver }, { - .devid = 0x01028086, - .name = "SandyBridge desktop GT1 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01128086, - .name = "SandyBridge desktop GT2 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01228086, - .name = "SandyBridge desktop GT2+ IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01068086, - .name = "SandyBridge mobile GT1 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01168086, - .name = "SandyBridge mobile GT2 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01268086, - .name = "SandyBridge mobile GT2+ IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x010a8086, - .name = "SandyBridge server IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01528086, - .name = "IvyBridge desktop GT1 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01628086, - .name = "IvyBridge desktop GT2 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01568086, - .name = "IvyBridge mobile GT1 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x01668086, - .name = "IvyBridge mobile GT2 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x015a8086, - .name = "IvyBridge server GT1 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x016a8086, - .name = "IvyBridge server GT2 IG", - .driver = &agp_i810_sb_driver - }, - { - .devid = 0x04028086, - .name = "Haswell GT1 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x04068086, - .name = "Haswell GT1 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x040A8086, - .name = "Haswell GT1 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x04128086, - .name = "Haswell GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x04168086, - .name = "Haswell GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x041A8086, - .name = "Haswell GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x04228086, - .name = "Haswell GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x04268086, - .name = "Haswell GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x042A8086, - .name = "Haswell GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A028086, - .name = "Haswell ULT GT1 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A068086, - .name = "Haswell ULT GT1 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A0A8086, - .name = "Haswell ULT GT1 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A128086, - .name = "Haswell ULT GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A168086, - .name = "Haswell ULT GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A1A8086, - .name = "Haswell ULT GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A228086, - .name = "Haswell ULT GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A268086, - .name = "Haswell ULT GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0A2A8086, - .name = "Haswell ULT GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C028086, - .name = "Haswell SDV GT1 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C068086, - .name = "Haswell SDV GT1 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C0A8086, - .name = "Haswell SDV GT1 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C128086, - .name = "Haswell SDV GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C168086, - .name = "Haswell SDV GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C1A8086, - .name = "Haswell SDV GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C228086, - .name = "Haswell SDV GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C268086, - .name = "Haswell SDV GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0C2A8086, - .name = "Haswell SDV GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D028086, - .name = "Haswell CRW GT1 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D068086, - .name = "Haswell CRW GT1 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D0A8086, - .name = "Haswell CRW GT1 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D128086, - .name = "Haswell CRW GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D168086, - .name = "Haswell CRW GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D1A8086, - .name = "Haswell CRW GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D228086, - .name = "Haswell CRW GT2 desktop", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D268086, - .name = "Haswell CRW GT2 mobile", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x0D2A8086, - .name = "Haswell CRW GT2 server", - .driver = &agp_i810_hsw_driver - }, - { - .devid = 0x01558086, - .name = "Valleyview (desktop)", - .driver = &agp_i810_valleyview_driver - }, - { - .devid = 0x01578086, - .name = "Valleyview (mobile)", - .driver = &agp_i810_valleyview_driver - }, - { - .devid = 0x0F308086, - .name = "Valleyview (mobile)", - .driver = &agp_i810_valleyview_driver - }, - { .devid = 0, } }; @@ -1061,17 +718,6 @@ agp_i915_check_active(device_t bridge_dev) return (0); } -static int -agp_sb_check_active(device_t bridge_dev) -{ - int deven; - - deven = pci_read_config(bridge_dev, AGP_I915_DEVEN, 4); - if ((deven & AGP_SB_DEVEN_D2EN) == AGP_SB_DEVEN_D2EN_DISABLED) - return (ENXIO); - return (0); -} - static void agp_82852_set_desc(device_t dev, const struct agp_i810_match *match) { @@ -1200,17 +846,6 @@ agp_i965_dump_regs(device_t dev) pci_read_config(sc->bdev, AGP_I965_MSAC, 1)); } -static void -agp_sb_dump_regs(device_t dev) -{ - struct agp_i810_softc *sc = device_get_softc(dev); - - device_printf(dev, "AGP_SNB_GFX_MODE: %08x\n", - bus_read_4(sc->sc_res[0], AGP_SNB_GFX_MODE)); - device_printf(dev, "AGP_SNB_GCC1: 0x%04x\n", - pci_read_config(sc->bdev, AGP_SNB_GCC1, 2)); -} - static int agp_i810_get_stolen_size(device_t dev) { @@ -1236,11 +871,11 @@ agp_i830_get_stolen_size(device_t dev) sc->stolen = (512 - 132) * 1024 / 4096; sc->stolen_size = 512 * 1024; break; - case AGP_I830_GCC1_GMS_STOLEN_1024: + case AGP_I830_GCC1_GMS_STOLEN_1024: sc->stolen = (1024 - 132) * 1024 / 4096; sc->stolen_size = 1024 * 1024; break; - case AGP_I830_GCC1_GMS_STOLEN_8192: + case AGP_I830_GCC1_GMS_STOLEN_8192: sc->stolen = (8192 - 132) * 1024 / 4096; sc->stolen_size = 8192 * 1024; break; @@ -1396,68 +1031,6 @@ agp_i915_get_stolen_size(device_t dev) } static int -agp_sb_get_stolen_size(device_t dev) -{ - struct agp_i810_softc *sc; - uint16_t gmch_ctl; - - sc = device_get_softc(dev); - gmch_ctl = pci_read_config(sc->bdev, AGP_SNB_GCC1, 2); - switch (gmch_ctl & AGP_SNB_GMCH_GMS_STOLEN_MASK) { - case AGP_SNB_GMCH_GMS_STOLEN_32M: - sc->stolen_size = 32 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_64M: - sc->stolen_size = 64 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_96M: - sc->stolen_size = 96 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_128M: - sc->stolen_size = 128 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_160M: - sc->stolen_size = 160 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_192M: - sc->stolen_size = 192 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_224M: - sc->stolen_size = 224 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_256M: - sc->stolen_size = 256 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_288M: - sc->stolen_size = 288 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_320M: - sc->stolen_size = 320 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_352M: - sc->stolen_size = 352 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_384M: - sc->stolen_size = 384 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_416M: - sc->stolen_size = 416 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_448M: - sc->stolen_size = 448 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_480M: - sc->stolen_size = 480 * 1024 * 1024; - break; - case AGP_SNB_GMCH_GMS_STOLEN_512M: - sc->stolen_size = 512 * 1024 * 1024; - break; - } - sc->stolen = (sc->stolen_size - 4) / 4096; - return (0); -} - -static int agp_i810_get_gtt_mappable_entries(device_t dev) { struct agp_i810_softc *sc; @@ -1600,30 +1173,6 @@ agp_gen5_get_gtt_total_entries(device_t dev) } static int -agp_sb_get_gtt_total_entries(device_t dev) -{ - struct agp_i810_softc *sc; - uint16_t gcc1; - - sc = device_get_softc(dev); - - gcc1 = pci_read_config(sc->bdev, AGP_SNB_GCC1, 2); - switch (gcc1 & AGP_SNB_GTT_SIZE_MASK) { - default: - case AGP_SNB_GTT_SIZE_0M: - printf("Bad GTT size mask: 0x%04x\n", gcc1); - return (ENXIO); - case AGP_SNB_GTT_SIZE_1M: - sc->gtt_total_entries = 1024 * 1024 / 4; - break; - case AGP_SNB_GTT_SIZE_2M: - sc->gtt_total_entries = 2 * 1024 * 1024 / 4; - break; - } - return (0); -} - -static int agp_i810_install_gatt(device_t dev) { struct agp_i810_softc *sc; @@ -2024,38 +1573,6 @@ agp_g4x_write_gtt(device_t dev, u_int index, uint32_t pte) CTR2(KTR_AGP_I810, "g4x_pte %x %x", index, pte); } -static void -agp_sb_install_gtt_pte(device_t dev, u_int index, vm_offset_t physical, - int flags) -{ - int type_mask, gfdt; - uint32_t pte; - - pte = (u_int32_t)physical | I810_PTE_VALID; - type_mask = flags & ~AGP_USER_CACHED_MEMORY_GFDT; - gfdt = (flags & AGP_USER_CACHED_MEMORY_GFDT) != 0 ? GEN6_PTE_GFDT : 0; - - if (type_mask == AGP_USER_MEMORY) - pte |= GEN6_PTE_UNCACHED; - else if (type_mask == AGP_USER_CACHED_MEMORY_LLC_MLC) - pte |= GEN6_PTE_LLC_MLC | gfdt; - else - pte |= GEN6_PTE_LLC | gfdt; - - pte |= (physical & 0x000000ff00000000ull) >> 28; - agp_sb_write_gtt(dev, index, pte); -} - -static void -agp_sb_write_gtt(device_t dev, u_int index, uint32_t pte) -{ - struct agp_i810_softc *sc; - - sc = device_get_softc(dev); - bus_write_4(sc->sc_res[0], index * 4 + (2 * 1024 * 1024), pte); - CTR2(KTR_AGP_I810, "sb_pte %x %x", index, pte); -} - static int agp_i810_bind_page(device_t dev, vm_offset_t offset, vm_offset_t physical) { @@ -2165,19 +1682,6 @@ agp_i915_read_gtt_pte_paddr(device_t dev, u_int index) return (res); } -static vm_paddr_t -agp_sb_read_gtt_pte_paddr(device_t dev, u_int index) -{ - struct agp_i810_softc *sc; - u_int32_t pte; - vm_paddr_t res; - - sc = device_get_softc(dev); - pte = sc->match->driver->read_gtt_pte(dev, index); - res = (pte & ~PAGE_MASK) | ((pte & 0xff0) << 28); - return (res); -} - /* * Writing via memory mapped registers already flushes all TLBs. */ diff --git a/sys/dev/agp/agpreg.h b/sys/dev/agp/agpreg.h index dfa93a5..3f473da 100644 --- a/sys/dev/agp/agpreg.h +++ b/sys/dev/agp/agpreg.h @@ -296,9 +296,19 @@ #define AGP_I915_IFPADDR 0x60 /* + * G33 registers + */ +#define AGP_G33_MGGC_GGMS_MASK (3 << 8) +#define AGP_G33_MGGC_GGMS_SIZE_1M (1 << 8) +#define AGP_G33_MGGC_GGMS_SIZE_2M (2 << 8) +#define AGP_G33_GCC1_GMS_STOLEN_128M 0x80 +#define AGP_G33_GCC1_GMS_STOLEN_256M 0x90 + +/* * G965 registers */ #define AGP_I965_GTTMMADR 0x10 +#define AGP_I965_APBASE 0x18 #define AGP_I965_MSAC 0x62 #define AGP_I965_MSAC_GMASIZE_128 0x00 #define AGP_I965_MSAC_GMASIZE_256 0x02 @@ -310,20 +320,8 @@ #define AGP_I965_IFPADDR 0x70 /* - * G33 registers - */ -#define AGP_G33_MGGC_GGMS_MASK (3 << 8) -#define AGP_G33_MGGC_GGMS_SIZE_1M (1 << 8) -#define AGP_G33_MGGC_GGMS_SIZE_2M (2 << 8) -#define AGP_G33_GCC1_GMS_STOLEN_128M 0x80 -#define AGP_G33_GCC1_GMS_STOLEN_256M 0x90 - -/* * G4X registers */ -#define AGP_G4X_GMADR 0x20 -#define AGP_G4X_MMADR 0x10 -#define AGP_G4X_GTTADR 0x18 #define AGP_G4X_GCC1_GMS_STOLEN_96M 0xa0 #define AGP_G4X_GCC1_GMS_STOLEN_160M 0xb0 #define AGP_G4X_GCC1_GMS_STOLEN_224M 0xc0 -- cgit v1.1 From 5d06908346a0d9e815ab557d810bf06c3ed08665 Mon Sep 17 00:00:00 2001 From: dumbbell Date: Sat, 12 Mar 2016 11:54:58 +0000 Subject: drm/i915: Fix page fault handler failure ... when __wait_seqno() is interrupted by a signal. In this case, __wait_seqno() returns -ERESTARTSYS. Like we already do in drm_ioctl(), we need to convert this error to a common code such as -EINTR, so the page fault handler is restarted. Reported by: Frederic Chardon Tested by: Frederic Chardon --- sys/dev/drm2/i915/i915_gem.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/dev/drm2/i915/i915_gem.c b/sys/dev/drm2/i915/i915_gem.c index 625c8a6..7789e36 100644 --- a/sys/dev/drm2/i915/i915_gem.c +++ b/sys/dev/drm2/i915/i915_gem.c @@ -1619,6 +1619,13 @@ out: KASSERT(ret != 0, ("i915_gem_pager_fault: wrong return")); CTR4(KTR_DRM, "fault_fail %p %jx %x err %d", gem_obj, offset, prot, -ret); + if (ret == -ERESTARTSYS) { + /* + * NOTE Linux<->FreeBSD: Convert Linux' -ERESTARTSYS to + * the more common -EINTR, so the page fault is retried. + */ + ret = -EINTR; + } if (ret == -EAGAIN || ret == -EIO || ret == -EINTR) { kern_yield(PRI_USER); goto retry; -- cgit v1.1 From 3c057e4b1fa0583a4ca025153e05a66869a4396e Mon Sep 17 00:00:00 2001 From: dumbbell Date: Sat, 12 Mar 2016 11:57:32 +0000 Subject: drm/i915: Call i915_gem_gtt_fini() when the device is detached This fixes several memory leaks. Apparently, this problem exists in Linux 3.8 but the code changed in Linux 3.9 so it may be fixed upstream already. Still, this is something we need to pay attention to. --- sys/dev/drm2/i915/i915_dma.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/dev/drm2/i915/i915_dma.c b/sys/dev/drm2/i915/i915_dma.c index e2d8e4c..97a0eb9 100644 --- a/sys/dev/drm2/i915/i915_dma.c +++ b/sys/dev/drm2/i915/i915_dma.c @@ -1810,6 +1810,12 @@ int i915_driver_unload(struct drm_device *dev) if (dev_priv->mmio_map != NULL) drm_rmmap(dev, dev_priv->mmio_map); + /* + * NOTE Linux<->FreeBSD: Linux forgots to call + * i915_gem_gtt_fini(), causing memory leaks. + */ + i915_gem_gtt_fini(dev); + if (dev_priv->wq != NULL) taskqueue_free(dev_priv->wq); -- cgit v1.1 From c25914807466d1029480aca4fac687af6e2e1918 Mon Sep 17 00:00:00 2001 From: kib Date: Sat, 12 Mar 2016 14:54:34 +0000 Subject: Fix handling of umtxp resource limit in sh(1)/ulimit(1), limits(1), add login.conf(5) support. Reviewed by: jilles Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D5610 --- bin/sh/miscbltin.c | 2 +- bin/sh/sh.1 | 7 ++++++- etc/login.conf | 1 + lib/libutil/login.conf.5 | 1 + lib/libutil/login_class.3 | 1 + lib/libutil/login_class.c | 1 + usr.bin/limits/limits.1 | 20 ++++++++++++++------ usr.bin/limits/limits.c | 5 +++-- 8 files changed, 28 insertions(+), 10 deletions(-) diff --git a/bin/sh/miscbltin.c b/bin/sh/miscbltin.c index 9dae4cb..1537196 100644 --- a/bin/sh/miscbltin.c +++ b/bin/sh/miscbltin.c @@ -452,7 +452,7 @@ ulimitcmd(int argc __unused, char **argv __unused) struct rlimit limit; what = 'f'; - while ((optc = nextopt("HSatfdsmcnuvlbpwk")) != '\0') + while ((optc = nextopt("HSatfdsmcnuvlbpwko")) != '\0') switch (optc) { case 'H': how = HARD; diff --git a/bin/sh/sh.1 b/bin/sh/sh.1 index 9406779..1f2d67b 100644 --- a/bin/sh/sh.1 +++ b/bin/sh/sh.1 @@ -2615,7 +2615,7 @@ and not found. For aliases the alias expansion is printed; for commands and tracked aliases the complete pathname of the command is printed. -.It Ic ulimit Oo Fl HSabcdfklmnpstuvw Oc Op Ar limit +.It Ic ulimit Oo Fl HSabcdfklmnopstuvw Oc Op Ar limit Set or display resource limits (see .Xr getrlimit 2 ) . If @@ -2674,6 +2674,11 @@ kilobytes. The maximal resident set size of a process, in kilobytes. .It Fl n Ar nofiles The maximal number of descriptors that could be opened by a process. +.It Fl o Ar umtxp +The maximal number of process-shared locks +(see +.Xr pthread 3 ) +for this user ID. .It Fl p Ar pseudoterminals The maximal number of pseudo-terminals for this user ID. .It Fl s Ar stacksize diff --git a/etc/login.conf b/etc/login.conf index 2cc6730..e352f7f 100644 --- a/etc/login.conf +++ b/etc/login.conf @@ -43,6 +43,7 @@ default:\ :swapuse=unlimited:\ :pseudoterminals=unlimited:\ :kqueues=unlimited:\ + :umtxp=unlimited:\ :priority=0:\ :ignoretime@:\ :umask=022: diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5 index e780940..1c3cfee 100644 --- a/lib/libutil/login.conf.5 +++ b/lib/libutil/login.conf.5 @@ -199,6 +199,7 @@ notation may be used. .It "stacksize size Maximum stack size limit." .It "pseudoterminals number Maximum number of pseudo-terminals." .It "swapuse size Maximum swap space size limit." +.It "umtxp number Maximum number of process-shared pthread locks." .El .Pp These resource limit entries actually specify both the maximum diff --git a/lib/libutil/login_class.3 b/lib/libutil/login_class.3 index c87faae..ab2e8af 100644 --- a/lib/libutil/login_class.3 +++ b/lib/libutil/login_class.3 @@ -119,6 +119,7 @@ vmemoryuse RLIMIT_VMEM pseudoterminals RLIMIT_NPTS swapuse RLIMIT_SWAP kqueues RLIMIT_KQUEUES +umtxp RLIMIT_UMTXP .Ed .It LOGIN_SETPRIORITY Set the scheduling priority for the current process based on the diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c index 9ffca8e..ceee5c8 100644 --- a/lib/libutil/login_class.c +++ b/lib/libutil/login_class.c @@ -67,6 +67,7 @@ static struct login_res { { "pseudoterminals", login_getcapnum, RLIMIT_NPTS }, { "swapuse", login_getcapsize, RLIMIT_SWAP }, { "kqueues", login_getcapsize, RLIMIT_KQUEUES }, + { "umtxp", login_getcapnum, RLIMIT_UMTXP }, { NULL, 0, 0 } }; diff --git a/usr.bin/limits/limits.1 b/usr.bin/limits/limits.1 index 3962fef..99136a4 100644 --- a/usr.bin/limits/limits.1 +++ b/usr.bin/limits/limits.1 @@ -30,11 +30,11 @@ .Op Fl C Ar class | Fl P Ar pid | Fl U Ar user .Op Fl SHB .Op Fl ea -.Op Fl bcdfklmnstuvpw Op Ar val +.Op Fl bcdfklmnopstuvw Op Ar val .Nm .Op Fl C Ar class | Fl U Ar user .Op Fl SHB -.Op Fl bcdfklmnstuvpw Op Ar val +.Op Fl bcdfklmnopstuvw Op Ar val .Op Fl E .Oo .Op Ar name Ns = Ns Ar value ... @@ -233,6 +233,18 @@ system is limited to the value displayed by the .Va kern.maxfiles .Xr sysctl 8 variable. +.It Fl o Op Ar val +Select or set the +.Va umtxp +resource limit. +The limit determines the maximal number of the process-shared locks +which may be simultaneously created by the processes owned by the +user, see +.Xr pthread 3 . +.It Fl p Op Ar val +Select or set the +.Va pseudoterminals +resource limit. .It Fl s Op Ar val Select or set the .Va stacksize @@ -266,10 +278,6 @@ and is inclusive of text, data, bss, stack, and .Xr mmap 2 Ns 'd space. -.It Fl p Op Ar val -Select or set the -.Va pseudoterminals -resource limit. .It Fl w Op Ar val Select or set the .Va swapuse diff --git a/usr.bin/limits/limits.c b/usr.bin/limits/limits.c index 093a367..3dd7a71 100644 --- a/usr.bin/limits/limits.c +++ b/usr.bin/limits/limits.c @@ -254,7 +254,7 @@ static struct { * to be modified accordingly! */ -#define RCS_STRING "tfdscmlunbvpwk" +#define RCS_STRING "tfdscmlunbvpwko" static rlim_t resource_num(int which, int ch, const char *str); static void usage(void); @@ -551,7 +551,7 @@ usage(void) { (void)fprintf(stderr, "usage: limits [-C class|-P pid|-U user] [-eaSHBE] " - "[-bcdflmnstuvpwk [val]] [[name=val ...] cmd]\n"); + "[-bcdfklmnostuvpw [val]] [[name=val ...] cmd]\n"); exit(EXIT_FAILURE); } @@ -660,6 +660,7 @@ resource_num(int which, int ch, const char *str) case RLIMIT_NOFILE: case RLIMIT_NPTS: case RLIMIT_KQUEUES: + case RLIMIT_UMTXP: res = strtoq(s, &e, 0); s = e; break; -- cgit v1.1 From dfbb383c5ce133fcd1dd2362aec9a2f753ea8435 Mon Sep 17 00:00:00 2001 From: dim Date: Sat, 12 Mar 2016 15:10:30 +0000 Subject: Fix gcc warnings about possibly uninitialized variables in gpioctl.c. Noticed by: bz --- usr.sbin/gpioctl/gpioctl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr.sbin/gpioctl/gpioctl.c b/usr.sbin/gpioctl/gpioctl.c index 42287e9..f786ef6 100644 --- a/usr.sbin/gpioctl/gpioctl.c +++ b/usr.sbin/gpioctl/gpioctl.c @@ -41,7 +41,6 @@ __FBSDID("$FreeBSD$"); #include -#define PIN_TYPE_UNKNOWN 0 #define PIN_TYPE_NUMBER 1 #define PIN_TYPE_NAME 2 @@ -271,7 +270,7 @@ main(int argc, char **argv) /* Find the pin number by the name */ switch (pin_type) { - case PIN_TYPE_UNKNOWN: + default: /* First test if it is a pin number */ pinn = str2int(argv[0], &ok); if (ok) { -- cgit v1.1 From 83673368eb402bc1f387b2f7636e72be33f9d8be Mon Sep 17 00:00:00 2001 From: dim Date: Sat, 12 Mar 2016 18:38:51 +0000 Subject: Fix the following gcc warnings on sparc64, when TCP_OFFLOAD is not defined: sys/dev/cxgbe/t4_main.c:7474: warning: 'sysctl_tp_tick' defined but not used sys/dev/cxgbe/t4_main.c:7505: warning: 'sysctl_tp_dack_timer' defined but not used sys/dev/cxgbe/t4_main.c:7519: warning: 'sysctl_tp_timer' defined but not used This just adds a bunch of #ifdef TCP_OFFLOAD in the right places. Reviewed by: np Differential Revision: https://reviews.freebsd.org/D5620 --- sys/dev/cxgbe/t4_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index 3ff8a66..77777f8 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -491,9 +491,11 @@ static int sysctl_tx_rate(SYSCTL_HANDLER_ARGS); static int sysctl_ulprx_la(SYSCTL_HANDLER_ARGS); static int sysctl_wcwr_stats(SYSCTL_HANDLER_ARGS); #endif +#ifdef TCP_OFFLOAD static int sysctl_tp_tick(SYSCTL_HANDLER_ARGS); static int sysctl_tp_dack_timer(SYSCTL_HANDLER_ARGS); static int sysctl_tp_timer(SYSCTL_HANDLER_ARGS); +#endif static uint32_t fconf_iconf_to_mode(uint32_t, uint32_t); static uint32_t mode_to_fconf(uint32_t); static uint32_t mode_to_iconf(uint32_t); @@ -7455,6 +7457,7 @@ sysctl_wcwr_stats(SYSCTL_HANDLER_ARGS) } #endif +#ifdef TCP_OFFLOAD static void unit_conv(char *buf, size_t len, u_int val, u_int factor) { @@ -7538,6 +7541,7 @@ sysctl_tp_timer(SYSCTL_HANDLER_ARGS) return (sysctl_handle_long(oidp, &v, 0, req)); } +#endif static uint32_t fconf_iconf_to_mode(uint32_t fconf, uint32_t iconf) -- cgit v1.1 From 1fb02e9971093f9764f66a4536187ab32c7f3937 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sat, 12 Mar 2016 18:41:27 +0000 Subject: Follow-up r296709: Fix build32 not properly building all libraries. Pointyhat to: bdrewery Reported by: antoine --- Makefile.libcompat | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.libcompat b/Makefile.libcompat index 8a1fbec..32075fe 100644 --- a/Makefile.libcompat +++ b/Makefile.libcompat @@ -85,9 +85,9 @@ LIBCOMPATCFLAGS+= --sysroot=${WORLDTMP} .endif _LC_LIBDIRS.yes= lib gnu/lib -_LC_LIBDIRS.${MK_CDDL:tl}= cddl/lib -_LC_LIBDIRS.${MK_CRYPT:tl}= secure/lib -_LC_LIBDIRS.${MK_KERBEROS:tl}= kerberos5/lib +_LC_LIBDIRS.${MK_CDDL:tl}+= cddl/lib +_LC_LIBDIRS.${MK_CRYPT:tl}+= secure/lib +_LC_LIBDIRS.${MK_KERBEROS:tl}+= kerberos5/lib # Shared logic build${libcompat}: .PHONY -- cgit v1.1 From 20fb85e2e73ed071ee263c91bf614c1175a5905e Mon Sep 17 00:00:00 2001 From: emaste Date: Sat, 12 Mar 2016 19:05:41 +0000 Subject: Bump __FreeBSD_version for libelf cross-endian fix in r296685 --- sys/sys/param.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/sys/param.h b/sys/sys/param.h index 28ee0a2..9108576 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -58,7 +58,7 @@ * in the range 5 to 9. */ #undef __FreeBSD_version -#define __FreeBSD_version 1100101 /* Master, propagated to newvers */ +#define __FreeBSD_version 1100102 /* Master, propagated to newvers */ /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD, -- cgit v1.1 From 9d989258128bd09f363394aaa3b50067f2c9c197 Mon Sep 17 00:00:00 2001 From: emaste Date: Sat, 12 Mar 2016 19:08:13 +0000 Subject: Bump BOOTSTRAPPING test for libelf after cross-endian fix in r296685 --- Makefile.inc1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile.inc1 b/Makefile.inc1 index daf33f4..980c718 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -1272,7 +1272,8 @@ update: # # ELF Tool Chain libraries are needed for ELF tools and dtrace tools. -.if ${BOOTSTRAPPING} < 1100006 +# r296685 fix cross-endian objcopy +.if ${BOOTSTRAPPING} < 1100102 _elftoolchain_libs= lib/libelf lib/libdwarf .endif -- cgit v1.1 From 7888d5e7540a2f6ba2d43fd030d1b9a645fd1b2a Mon Sep 17 00:00:00 2001 From: ngie Date: Sat, 12 Mar 2016 19:41:38 +0000 Subject: Better handle filesystems mounted with -o noexec ftruncate/11, open/20, and truncate/11 copy sleep(1) to a temporary file on the target filesystem, execute the binary, then expect a result. This doesn't work with scenarios where the target binary cannot be executed, e.g. the filesystem was mounted with -o noexec. Ensure the filesystem hasn't been mounted with -o noexec for the testcases before executing them. Differential Revision: https://reviews.freebsd.org/D5622 MFC after: 1 week Reviewed by: markj Sponsored by: EMC / Isilon Storage Division --- contrib/pjdfstest/tests/ftruncate/11.t | 2 ++ contrib/pjdfstest/tests/misc.sh | 34 ++++++++++++++++++++++++++++++++++ contrib/pjdfstest/tests/open/20.t | 2 ++ contrib/pjdfstest/tests/truncate/11.t | 2 ++ 4 files changed, 40 insertions(+) diff --git a/contrib/pjdfstest/tests/ftruncate/11.t b/contrib/pjdfstest/tests/ftruncate/11.t index b00d7b8..8d9f0d5 100644 --- a/contrib/pjdfstest/tests/ftruncate/11.t +++ b/contrib/pjdfstest/tests/ftruncate/11.t @@ -8,6 +8,8 @@ dir=`dirname $0` [ "${os}" = "FreeBSD" ] || quick_exit +requires_exec + echo "1..2" n0=`namegen` diff --git a/contrib/pjdfstest/tests/misc.sh b/contrib/pjdfstest/tests/misc.sh index 8978b5f..654d3dd 100755 --- a/contrib/pjdfstest/tests/misc.sh +++ b/contrib/pjdfstest/tests/misc.sh @@ -219,3 +219,37 @@ create_file() { expect 0 lchmod ${name} ${3} fi } + +# Tests for whether or not a filesystem is mounted with a particular option +# with -o, e.g. `mount -o noexec`. +# +# Parameters: +# - mount_option - noatime, noexec, etc. +# +# Returns: +# - 0 if mounted with the option. +# - 1 otherwise. +has_mount_option() +{ + local IFS=, + local mount_opt + + local mount_option_search=$1 + + # XXX: mountpoint is defined in .../tests/sys/pjdfstest/tests/conf + for mount_opt in $(mount -d -p | awk '$2 == "'$mountpoint'" { print $4 }'); do + if [ "$mount_opt" = "$mount_option_search" ]; then + return 0 + fi + done + return 1 +} + +# Filesystem must be mounted with -o exec +requires_exec() +{ + if has_mount_option noexec; then + echo "1..0 # SKIP filesystem mounted with -o noexec" + exit 0 + fi +} diff --git a/contrib/pjdfstest/tests/open/20.t b/contrib/pjdfstest/tests/open/20.t index 7b94b03..eb4e5f3 100644 --- a/contrib/pjdfstest/tests/open/20.t +++ b/contrib/pjdfstest/tests/open/20.t @@ -8,6 +8,8 @@ dir=`dirname $0` [ "${os}:${fs}" = "FreeBSD:UFS" ] || quick_exit +requires_exec + echo "1..4" n0=`namegen` diff --git a/contrib/pjdfstest/tests/truncate/11.t b/contrib/pjdfstest/tests/truncate/11.t index f4ecb42..6724784 100644 --- a/contrib/pjdfstest/tests/truncate/11.t +++ b/contrib/pjdfstest/tests/truncate/11.t @@ -8,6 +8,8 @@ dir=`dirname $0` [ "${os}" = "FreeBSD" ] || quick_exit +requires_exec + echo "1..2" n0=`namegen` -- cgit v1.1 From b1e2503a5c8eb116ca3d3da924ff104d666788cd Mon Sep 17 00:00:00 2001 From: dumbbell Date: Sat, 12 Mar 2016 20:05:23 +0000 Subject: drm/i915: Import Linux commit 168f83660211b9e059e3bc0638daaa01e9ea0b71 This makes sure the default context of each ring is cleaned up with the ring itself and fixes a memory leak. Author: Mika Kuoppala Date: Fri May 3 16:29:08 2013 +0300 drm/i915: unreference default context on module unload Before module unload is called, gpu_idle() will switch to default context. This will increment ref count of base object as the default context is 'running' on module unload time. Unreference the drm object so that when context is freed, base object is freed as well. v2: added comment to explain the refcounts (Ben Widawsky) Signed-off-by: Mika Kuoppala Reviewed-by: Ben Widawsky Signed-off-by: Daniel Vetter Obtained from: Linux --- sys/dev/drm2/i915/i915_gem_context.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/dev/drm2/i915/i915_gem_context.c b/sys/dev/drm2/i915/i915_gem_context.c index 5ab9af1..4a94c28 100644 --- a/sys/dev/drm2/i915/i915_gem_context.c +++ b/sys/dev/drm2/i915/i915_gem_context.c @@ -297,6 +297,14 @@ void i915_gem_context_fini(struct drm_device *dev) i915_gem_object_unpin(dev_priv->ring[RCS].default_context->obj); + /* When default context is created and switched to, base object refcount + * will be 2 (+1 from object creation and +1 from do_switch()). + * i915_gem_context_fini() will be called after gpu_idle() has switched + * to default context. So we need to unreference the base object once + * to offset the do_switch part, so that i915_gem_context_unreference() + * can then free the base object correctly. */ + drm_gem_object_unreference(&dev_priv->ring[RCS].default_context->obj->base); + do_destroy(dev_priv->ring[RCS].default_context); } -- cgit v1.1 From b1bc033d67e232dcd98d66a976a14c3325cb2c4a Mon Sep 17 00:00:00 2001 From: emaste Date: Sat, 12 Mar 2016 21:44:33 +0000 Subject: boot/efi: Prefer nm to objdump Both objdump and nm are equally capable of reporting undefined symbols. This gets us a step closer to building without binutils as we have an nm implementation from ELF Tool Chain. Reviewed by: bdrewery MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5613 --- sys/boot/efi/boot1/Makefile | 6 +++--- sys/boot/efi/loader/Makefile | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/sys/boot/efi/boot1/Makefile b/sys/boot/efi/boot1/Makefile index 0675cca..0c23945 100644 --- a/sys/boot/efi/boot1/Makefile +++ b/sys/boot/efi/boot1/Makefile @@ -73,8 +73,8 @@ LDADD+= -lstand DPADD+= ${LDSCRIPT} +NM?= nm OBJCOPY?= objcopy -OBJDUMP?= objdump .if ${MACHINE_CPUARCH} == "amd64" EFI_TARGET= efi-app-x86_64 @@ -85,8 +85,8 @@ EFI_TARGET= binary .endif boot1.efi: ${PROG} - if [ `${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*' | wc -l` != 0 ]; then \ - ${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*'; \ + if ${NM} ${.ALLSRC} | grep ' U '; then \ + echo "Undefined symbols in ${.ALLSRC}"; \ exit 1; \ fi ${OBJCOPY} -j .peheader -j .text -j .sdata -j .data \ diff --git a/sys/boot/efi/loader/Makefile b/sys/boot/efi/loader/Makefile index 9246bf2..f4f6cbf 100644 --- a/sys/boot/efi/loader/Makefile +++ b/sys/boot/efi/loader/Makefile @@ -98,8 +98,8 @@ NEWVERSWHAT= "EFI loader" ${MACHINE} vers.c: ${.CURDIR}/../../common/newvers.sh ${.CURDIR}/../../efi/loader/version sh ${.CURDIR}/../../common/newvers.sh ${.CURDIR}/version ${NEWVERSWHAT} +NM?= nm OBJCOPY?= objcopy -OBJDUMP?= objdump .if ${MACHINE_CPUARCH} == "amd64" EFI_TARGET= efi-app-x86_64 @@ -110,8 +110,8 @@ EFI_TARGET= binary .endif loader.efi: ${PROG} - if [ `${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*' | wc -l` != 0 ]; then \ - ${OBJDUMP} -t ${.ALLSRC} | fgrep '*UND*'; \ + if ${NM} ${.ALLSRC} | grep ' U '; then \ + echo "Undefined symbols in ${.ALLSRC}"; \ exit 1; \ fi ${OBJCOPY} -j .peheader -j .text -j .sdata -j .data \ -- cgit v1.1 From 6079e1fc86aa6547c3ac7d3fa6f7b428fcad771e Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sat, 12 Mar 2016 22:21:02 +0000 Subject: Stop looking up these values in every subdir on install. This was slowing down installkernel since it was rerunning this in every module directory. Sponsored by: EMC / Isilon Storage Division --- sys/conf/config.mk | 3 ++- sys/conf/kern.opts.mk | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/conf/config.mk b/sys/conf/config.mk index b95b781..35df003 100644 --- a/sys/conf/config.mk +++ b/sys/conf/config.mk @@ -49,6 +49,7 @@ KERN_OPTS+= INET6 .if ${MK_EISA} != "no" KERN_OPTS+= DEV_EISA .endif -.else +.elif !defined(KERN_OPTS) KERN_OPTS!=cat ${KERNBUILDDIR}/opt*.h | awk '{print $$2;}' | sort -u +.export KERN_OPTS .endif diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk index a1906cf..834916c 100644 --- a/sys/conf/kern.opts.mk +++ b/sys/conf/kern.opts.mk @@ -144,7 +144,10 @@ MK_${var}:= no MK_${var}_SUPPORT:= no .else .if defined(KERNBUILDDIR) # See if there's an opt_foo.h +.if !defined(OPT_${var}) OPT_${var}!= cat ${KERNBUILDDIR}/opt_${var:tl}.h; echo +.export OPT_${var} +.endif .if ${OPT_${var}} == "" # nothing -> no MK_${var}_SUPPORT:= no .else -- cgit v1.1 From c409724b3a2293734ba298a195e4d8406bb72e25 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sat, 12 Mar 2016 22:21:14 +0000 Subject: Reduce duplicated logic from r291744. Sponsored by: EMC / Isilon Storage Division --- sys/conf/config.mk | 5 +++++ sys/conf/kmod.mk | 6 +----- sys/modules/Makefile | 6 ------ 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/sys/conf/config.mk b/sys/conf/config.mk index 35df003..433f420 100644 --- a/sys/conf/config.mk +++ b/sys/conf/config.mk @@ -53,3 +53,8 @@ KERN_OPTS+= DEV_EISA KERN_OPTS!=cat ${KERNBUILDDIR}/opt*.h | awk '{print $$2;}' | sort -u .export KERN_OPTS .endif + +.if !defined(__MPATH) +__MPATH!=find ${SYSDIR:tA}/ -name \*_if.m +.export __MPATH +.endif diff --git a/sys/conf/kmod.mk b/sys/conf/kmod.mk index 03ccc60..9eb91d0 100644 --- a/sys/conf/kmod.mk +++ b/sys/conf/kmod.mk @@ -386,11 +386,7 @@ vnode_if_typedef.h: .endif # Build _if.[ch] from _if.m, and clean them when we're done. -# This is duplicated in sys/modules/Makefile. -.if !defined(__MPATH) -__MPATH!=find ${SYSDIR:tA}/ -name \*_if.m -.export __MPATH -.endif +# __MPATH defined in config.mk _MFILES=${__MPATH:T:O} _MPATH=${__MPATH:H:O:u} .PATH.m: ${_MPATH} diff --git a/sys/modules/Makefile b/sys/modules/Makefile index f2cf93a..8d9e499 100644 --- a/sys/modules/Makefile +++ b/sys/modules/Makefile @@ -775,12 +775,6 @@ afterinstall: .include "${SYSDIR}/conf/config.mk" -# Use sys/conf/kmod.mk's MPATH to avoid redundantly running in every subdir. -.if !defined(__MPATH) -__MPATH!=find ${SYSDIR:tA}/ -name \*_if.m -.export __MPATH -.endif - SUBDIR:= ${SUBDIR:u:O} .include -- cgit v1.1 From a1663bc720d866f6835e6de1151f950fb8b4e8be Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sat, 12 Mar 2016 22:25:10 +0000 Subject: Enable FAST_DEPEND by default. Missed in r296668. Discussed on: arch Sponsored by: EMC / Isilon Storage Division --- sys/conf/kern.opts.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk index 834916c..d1d2d04 100644 --- a/sys/conf/kern.opts.mk +++ b/sys/conf/kern.opts.mk @@ -30,6 +30,7 @@ __DEFAULT_YES_OPTIONS = \ CDDL \ CRYPT \ CUSE \ + FAST_DEPEND \ FORMAT_EXTENSIONS \ INET \ INET6 \ @@ -45,7 +46,6 @@ __DEFAULT_YES_OPTIONS = \ __DEFAULT_NO_OPTIONS = \ EISA \ - FAST_DEPEND \ NAND \ OFED -- cgit v1.1 From 419b17235aa0153df1221d0c4c03ef4b91e0bc94 Mon Sep 17 00:00:00 2001 From: jhb Date: Sat, 12 Mar 2016 22:53:46 +0000 Subject: Do not include system call wrappers in libc for old FreeBSD system calls. The base system libc is only used to run binaries built on FreeBSD 7.0 and later. It does not need to include system call wrappers for system calls only used by FreeBSD binaries built on versions older than 7.0. This was already true for "COMPAT" system calls, but now wrappers for system calls used on FreeBSD 4 and 6 are excluded as well. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D5597 --- sys/kern/makesyscalls.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/kern/makesyscalls.sh b/sys/kern/makesyscalls.sh index 75289e5..e586602 100644 --- a/sys/kern/makesyscalls.sh +++ b/sys/kern/makesyscalls.sh @@ -131,7 +131,7 @@ s/\$//g printf "/*\n * System call numbers.\n *\n" > syshdr printf " * DO NOT EDIT-- this file is automatically generated.\n" > syshdr printf " * $%s$\n", "FreeBSD" > syshdr - printf "# FreeBSD system call names.\n" > sysmk + printf "# FreeBSD system call object files.\n" > sysmk printf "# DO NOT EDIT-- this file is automatically generated.\n" > sysmk printf "# $%s$\n", "FreeBSD" > sysmk @@ -559,9 +559,9 @@ s/\$//g printf("/* %d = %s %s */\n", syscall, descr, funcalias) > sysent printf("\t\"%s.%s\",\t\t/* %d = %s %s */\n", wrap, funcalias, syscall, descr, funcalias) > sysnames - if (flag("COMPAT")) { - printf("\t\t\t\t/* %d is old %s */\n", - syscall, funcalias) > syshdr + if (flag("COMPAT") || flag("COMPAT4") || flag("COMPAT6")) { + printf("\t\t\t\t/* %d is %s %s */\n", + syscall, descr, funcalias) > syshdr } else if (!flag("NODEF")) { printf("#define\t%s%s%s\t%d\n", syscallprefix, prefix, funcalias, syscall) > syshdr -- cgit v1.1 From eeddd376ff2271d2ee40373d9226e40097392c45 Mon Sep 17 00:00:00 2001 From: jhb Date: Sat, 12 Mar 2016 22:55:07 +0000 Subject: Regen. --- sys/compat/freebsd32/freebsd32_syscall.h | 32 +++++++++++++-------------- sys/sys/syscall.h | 38 ++++++++++++++++---------------- sys/sys/syscall.mk | 21 +----------------- 3 files changed, 36 insertions(+), 55 deletions(-) diff --git a/sys/compat/freebsd32/freebsd32_syscall.h b/sys/compat/freebsd32/freebsd32_syscall.h index 54851d3..ce56b15 100644 --- a/sys/compat/freebsd32/freebsd32_syscall.h +++ b/sys/compat/freebsd32/freebsd32_syscall.h @@ -24,7 +24,7 @@ #define FREEBSD32_SYS_chmod 15 #define FREEBSD32_SYS_chown 16 #define FREEBSD32_SYS_break 17 -#define FREEBSD32_SYS_freebsd4_freebsd32_getfsstat 18 + /* 18 is freebsd4 freebsd32_getfsstat */ /* 19 is old freebsd32_lseek */ #define FREEBSD32_SYS_getpid 20 #define FREEBSD32_SYS_mount 21 @@ -155,8 +155,8 @@ /* 149 is obsolete oquota */ /* 150 is obsolete ogetsockname */ /* 156 is old freebsd32_getdirentries */ -#define FREEBSD32_SYS_freebsd4_freebsd32_statfs 157 -#define FREEBSD32_SYS_freebsd4_freebsd32_fstatfs 158 + /* 157 is freebsd4 freebsd32_statfs */ + /* 158 is freebsd4 freebsd32_fstatfs */ #define FREEBSD32_SYS_getfh 161 /* 162 is obsolete getdomainname */ /* 163 is obsolete setdomainname */ @@ -166,8 +166,8 @@ #define FREEBSD32_SYS_freebsd32_semsys 169 #define FREEBSD32_SYS_freebsd32_msgsys 170 #define FREEBSD32_SYS_freebsd32_shmsys 171 -#define FREEBSD32_SYS_freebsd6_freebsd32_pread 173 -#define FREEBSD32_SYS_freebsd6_freebsd32_pwrite 174 + /* 173 is freebsd6 freebsd32_pread */ + /* 174 is freebsd6 freebsd32_pwrite */ #define FREEBSD32_SYS_ntp_adjtime 176 #define FREEBSD32_SYS_setgid 181 #define FREEBSD32_SYS_setegid 182 @@ -180,11 +180,11 @@ #define FREEBSD32_SYS_getrlimit 194 #define FREEBSD32_SYS_setrlimit 195 #define FREEBSD32_SYS_freebsd32_getdirentries 196 -#define FREEBSD32_SYS_freebsd6_freebsd32_mmap 197 + /* 197 is freebsd6 freebsd32_mmap */ #define FREEBSD32_SYS___syscall 198 -#define FREEBSD32_SYS_freebsd6_freebsd32_lseek 199 -#define FREEBSD32_SYS_freebsd6_freebsd32_truncate 200 -#define FREEBSD32_SYS_freebsd6_freebsd32_ftruncate 201 + /* 199 is freebsd6 freebsd32_lseek */ + /* 200 is freebsd6 freebsd32_truncate */ + /* 201 is freebsd6 freebsd32_ftruncate */ #define FREEBSD32_SYS_freebsd32_sysctl 202 #define FREEBSD32_SYS_mlock 203 #define FREEBSD32_SYS_munlock 204 @@ -234,7 +234,7 @@ #define FREEBSD32_SYS_nlstat 280 #define FREEBSD32_SYS_freebsd32_preadv 289 #define FREEBSD32_SYS_freebsd32_pwritev 290 -#define FREEBSD32_SYS_freebsd4_freebsd32_fhstatfs 297 + /* 297 is freebsd4 freebsd32_fhstatfs */ #define FREEBSD32_SYS_fhopen 298 #define FREEBSD32_SYS_fhstat 299 #define FREEBSD32_SYS_modnext 300 @@ -255,9 +255,9 @@ #define FREEBSD32_SYS_freebsd32_aio_suspend 315 #define FREEBSD32_SYS_aio_cancel 316 #define FREEBSD32_SYS_freebsd32_aio_error 317 -#define FREEBSD32_SYS_freebsd6_freebsd32_aio_read 318 -#define FREEBSD32_SYS_freebsd6_freebsd32_aio_write 319 -#define FREEBSD32_SYS_freebsd6_freebsd32_lio_listio 320 + /* 318 is freebsd6 freebsd32_aio_read */ + /* 319 is freebsd6 freebsd32_aio_write */ + /* 320 is freebsd6 freebsd32_lio_listio */ #define FREEBSD32_SYS_yield 321 /* 322 is obsolete thr_sleep */ /* 323 is obsolete thr_wakeup */ @@ -273,14 +273,14 @@ #define FREEBSD32_SYS_sched_get_priority_min 333 #define FREEBSD32_SYS_sched_rr_get_interval 334 #define FREEBSD32_SYS_utrace 335 -#define FREEBSD32_SYS_freebsd4_freebsd32_sendfile 336 + /* 336 is freebsd4 freebsd32_sendfile */ #define FREEBSD32_SYS_kldsym 337 #define FREEBSD32_SYS_freebsd32_jail 338 #define FREEBSD32_SYS_sigprocmask 340 #define FREEBSD32_SYS_sigsuspend 341 -#define FREEBSD32_SYS_freebsd4_freebsd32_sigaction 342 + /* 342 is freebsd4 freebsd32_sigaction */ #define FREEBSD32_SYS_sigpending 343 -#define FREEBSD32_SYS_freebsd4_freebsd32_sigreturn 344 + /* 344 is freebsd4 freebsd32_sigreturn */ #define FREEBSD32_SYS_freebsd32_sigtimedwait 345 #define FREEBSD32_SYS_freebsd32_sigwaitinfo 346 #define FREEBSD32_SYS___acl_get_file 347 diff --git a/sys/sys/syscall.h b/sys/sys/syscall.h index ff2e219..fef33b8 100644 --- a/sys/sys/syscall.h +++ b/sys/sys/syscall.h @@ -24,7 +24,7 @@ #define SYS_chmod 15 #define SYS_chown 16 #define SYS_break 17 -#define SYS_freebsd4_getfsstat 18 + /* 18 is freebsd4 getfsstat */ /* 19 is old lseek */ #define SYS_getpid 20 #define SYS_mount 21 @@ -157,20 +157,20 @@ #define SYS_nlm_syscall 154 #define SYS_nfssvc 155 /* 156 is old getdirentries */ -#define SYS_freebsd4_statfs 157 -#define SYS_freebsd4_fstatfs 158 + /* 157 is freebsd4 statfs */ + /* 158 is freebsd4 fstatfs */ #define SYS_lgetfh 160 #define SYS_getfh 161 -#define SYS_freebsd4_getdomainname 162 -#define SYS_freebsd4_setdomainname 163 -#define SYS_freebsd4_uname 164 + /* 162 is freebsd4 getdomainname */ + /* 163 is freebsd4 setdomainname */ + /* 164 is freebsd4 uname */ #define SYS_sysarch 165 #define SYS_rtprio 166 #define SYS_semsys 169 #define SYS_msgsys 170 #define SYS_shmsys 171 -#define SYS_freebsd6_pread 173 -#define SYS_freebsd6_pwrite 174 + /* 173 is freebsd6 pread */ + /* 174 is freebsd6 pwrite */ #define SYS_setfib 175 #define SYS_ntp_adjtime 176 #define SYS_setgid 181 @@ -184,11 +184,11 @@ #define SYS_getrlimit 194 #define SYS_setrlimit 195 #define SYS_getdirentries 196 -#define SYS_freebsd6_mmap 197 + /* 197 is freebsd6 mmap */ #define SYS___syscall 198 -#define SYS_freebsd6_lseek 199 -#define SYS_freebsd6_truncate 200 -#define SYS_freebsd6_ftruncate 201 + /* 199 is freebsd6 lseek */ + /* 200 is freebsd6 truncate */ + /* 201 is freebsd6 ftruncate */ #define SYS___sysctl 202 #define SYS_mlock 203 #define SYS_munlock 204 @@ -239,7 +239,7 @@ #define SYS_nlstat 280 #define SYS_preadv 289 #define SYS_pwritev 290 -#define SYS_freebsd4_fhstatfs 297 + /* 297 is freebsd4 fhstatfs */ #define SYS_fhopen 298 #define SYS_fhstat 299 #define SYS_modnext 300 @@ -260,9 +260,9 @@ #define SYS_aio_suspend 315 #define SYS_aio_cancel 316 #define SYS_aio_error 317 -#define SYS_freebsd6_aio_read 318 -#define SYS_freebsd6_aio_write 319 -#define SYS_freebsd6_lio_listio 320 + /* 318 is freebsd6 aio_read */ + /* 319 is freebsd6 aio_write */ + /* 320 is freebsd6 lio_listio */ #define SYS_yield 321 /* 322 is obsolete thr_sleep */ /* 323 is obsolete thr_wakeup */ @@ -278,15 +278,15 @@ #define SYS_sched_get_priority_min 333 #define SYS_sched_rr_get_interval 334 #define SYS_utrace 335 -#define SYS_freebsd4_sendfile 336 + /* 336 is freebsd4 sendfile */ #define SYS_kldsym 337 #define SYS_jail 338 #define SYS_nnpfs_syscall 339 #define SYS_sigprocmask 340 #define SYS_sigsuspend 341 -#define SYS_freebsd4_sigaction 342 + /* 342 is freebsd4 sigaction */ #define SYS_sigpending 343 -#define SYS_freebsd4_sigreturn 344 + /* 344 is freebsd4 sigreturn */ #define SYS_sigtimedwait 345 #define SYS_sigwaitinfo 346 #define SYS___acl_get_file 347 diff --git a/sys/sys/syscall.mk b/sys/sys/syscall.mk index 379dee5..3f62141 100644 --- a/sys/sys/syscall.mk +++ b/sys/sys/syscall.mk @@ -1,4 +1,4 @@ -# FreeBSD system call names. +# FreeBSD system call object files. # DO NOT EDIT-- this file is automatically generated. # $FreeBSD$ # created from FreeBSD: head/sys/kern/syscalls.master 296572 2016-03-09 19:05:11Z jhb @@ -19,7 +19,6 @@ MIASM = \ chmod.o \ chown.o \ break.o \ - freebsd4_getfsstat.o \ getpid.o \ mount.o \ unmount.o \ @@ -109,20 +108,13 @@ MIASM = \ quotactl.o \ nlm_syscall.o \ nfssvc.o \ - freebsd4_statfs.o \ - freebsd4_fstatfs.o \ lgetfh.o \ getfh.o \ - freebsd4_getdomainname.o \ - freebsd4_setdomainname.o \ - freebsd4_uname.o \ sysarch.o \ rtprio.o \ semsys.o \ msgsys.o \ shmsys.o \ - freebsd6_pread.o \ - freebsd6_pwrite.o \ setfib.o \ ntp_adjtime.o \ setgid.o \ @@ -136,11 +128,7 @@ MIASM = \ getrlimit.o \ setrlimit.o \ getdirentries.o \ - freebsd6_mmap.o \ __syscall.o \ - freebsd6_lseek.o \ - freebsd6_truncate.o \ - freebsd6_ftruncate.o \ __sysctl.o \ mlock.o \ munlock.o \ @@ -191,7 +179,6 @@ MIASM = \ nlstat.o \ preadv.o \ pwritev.o \ - freebsd4_fhstatfs.o \ fhopen.o \ fhstat.o \ modnext.o \ @@ -211,9 +198,6 @@ MIASM = \ aio_suspend.o \ aio_cancel.o \ aio_error.o \ - freebsd6_aio_read.o \ - freebsd6_aio_write.o \ - freebsd6_lio_listio.o \ yield.o \ mlockall.o \ munlockall.o \ @@ -227,15 +211,12 @@ MIASM = \ sched_get_priority_min.o \ sched_rr_get_interval.o \ utrace.o \ - freebsd4_sendfile.o \ kldsym.o \ jail.o \ nnpfs_syscall.o \ sigprocmask.o \ sigsuspend.o \ - freebsd4_sigaction.o \ sigpending.o \ - freebsd4_sigreturn.o \ sigtimedwait.o \ sigwaitinfo.o \ __acl_get_file.o \ -- cgit v1.1 From 453fdfd69aa20f2cf9af21523062f42236269f73 Mon Sep 17 00:00:00 2001 From: gibbs Date: Sat, 12 Mar 2016 23:02:53 +0000 Subject: Provide high precision conversion from ns,us,ms -> sbintime in kevent In timer2sbintime(), calculate the second and fractional second portions of the sbintime separately. When calculating the the fractional second portion, use a 64bit multiply to prevent excess truncation. This avoids the ~7% error in the original conversion for ns, and smaller errors of the same type for us and ms. PR: 198139 Reviewed by: jhb MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D5397 --- sys/kern/kern_event.c | 59 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 17 deletions(-) diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c index 0b6f7da..5abba16 100644 --- a/sys/kern/kern_event.c +++ b/sys/kern/kern_event.c @@ -564,34 +564,59 @@ knote_fork(struct knlist *list, int pid) #define NOTE_TIMER_PRECMASK (NOTE_SECONDS|NOTE_MSECONDS|NOTE_USECONDS| \ NOTE_NSECONDS) -static __inline sbintime_t +static sbintime_t timer2sbintime(intptr_t data, int flags) { - sbintime_t modifier; + /* + * Macros for converting to the fractional second portion of an + * sbintime_t using 64bit multiplication to improve precision. + */ +#define NS_TO_SBT(ns) (((ns) * (((uint64_t)1 << 63) / 500000000)) >> 32) +#define US_TO_SBT(us) (((us) * (((uint64_t)1 << 63) / 500000)) >> 32) +#define MS_TO_SBT(ms) (((ms) * (((uint64_t)1 << 63) / 500)) >> 32) switch (flags & NOTE_TIMER_PRECMASK) { case NOTE_SECONDS: - modifier = SBT_1S; - break; +#ifdef __LP64__ + if (data > (SBT_MAX / SBT_1S)) + return SBT_MAX; +#endif + return ((sbintime_t)data << 32); case NOTE_MSECONDS: /* FALLTHROUGH */ case 0: - modifier = SBT_1MS; - break; + if (data >= 1000) { + int64_t secs = data / 1000; +#ifdef __LP64__ + if (secs > (SBT_MAX / SBT_1S)) + return SBT_MAX; +#endif + return (secs << 32 | MS_TO_SBT(data % 1000)); + } + return MS_TO_SBT(data); case NOTE_USECONDS: - modifier = SBT_1US; - break; + if (data >= 1000000) { + int64_t secs = data / 1000000; +#ifdef __LP64__ + if (secs > (SBT_MAX / SBT_1S)) + return SBT_MAX; +#endif + return (secs << 32 | US_TO_SBT(data % 1000000)); + } + return US_TO_SBT(data); case NOTE_NSECONDS: - modifier = SBT_1NS; - break; - default: - return (-1); - } - + if (data >= 1000000000) { + int64_t secs = data / 1000000000; #ifdef __LP64__ - if (data > SBT_MAX / modifier) - return (SBT_MAX); + if (secs > (SBT_MAX / SBT_1S)) + return SBT_MAX; #endif - return (modifier * data); + return (secs << 32 | US_TO_SBT(data % 1000000000)); + } + return NS_TO_SBT(data); + default: + break; + } + return (-1); } static void -- cgit v1.1 From 67cb360f6be001a1d23e62b807c2164836d76015 Mon Sep 17 00:00:00 2001 From: mav Date: Sat, 12 Mar 2016 23:04:10 +0000 Subject: dd report short write as error, so don't halt on it. --- usr.sbin/pc-sysinstall/backend/functions-disk.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/pc-sysinstall/backend/functions-disk.sh b/usr.sbin/pc-sysinstall/backend/functions-disk.sh index 0a2cd26..03b6cde 100755 --- a/usr.sbin/pc-sysinstall/backend/functions-disk.sh +++ b/usr.sbin/pc-sysinstall/backend/functions-disk.sh @@ -619,9 +619,9 @@ wipe_metadata() local SIZE="`diskinfo ${1} | awk '{print int($3/(1024*1024)) }'`" if [ "$SIZE" -gt "5" ] ; then rc_halt "dd if=/dev/zero of=${1} bs=1m count=1" - rc_halt "dd if=/dev/zero of=${1} bs=1m oseek=$((SIZE-4))" + rc_nohalt "dd if=/dev/zero of=${1} bs=1m oseek=$((SIZE-4))" else - rc_halt "dd if=/dev/zero of=${1} bs=128k" + rc_nohalt "dd if=/dev/zero of=${1} bs=128k" fi } ; -- cgit v1.1 From 4e2d26ce1b9182e7d3fa7857dc9a1b4929f32f64 Mon Sep 17 00:00:00 2001 From: imp Date: Sat, 12 Mar 2016 23:25:05 +0000 Subject: Use the newly minted Makefile.libcompat to implement libsoft libraries for the armv6 ABI switch. This also make WITH_LIBSOFT functional on the arm platform. As a transition thing, this seems to work even without switching the ABI (we basically build the same libraries twice when MK_LIBSOFT=yes until the ABI cut over next month). MK_LIBSOFT remains default no. --- Makefile | 3 ++- Makefile.inc1 | 3 +++ Makefile.libcompat | 11 ++++++++++- lib/Makefile | 2 +- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index e8b3902..a72d5aa 100644 --- a/Makefile +++ b/Makefile @@ -125,7 +125,8 @@ TGTS= all all-man buildenv buildenvvars buildkernel buildworld \ obj objlink rerelease showconfig tags toolchain update \ _worldtmp _legacy _bootstrap-tools _cleanobj _obj \ _build-tools _cross-tools _includes _libraries _depend \ - build32 builddtb distribute32 install32 xdev xdev-build xdev-install \ + build32 distribute32 install32 build32 distribute32 install32 \ + builddtb xdev xdev-build xdev-install \ xdev-links native-xtools installconfig \ TGTS+= ${SUBDIR_TARGETS} diff --git a/Makefile.inc1 b/Makefile.inc1 index 980c718..077789f 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -458,6 +458,9 @@ XCXXFLAGS+= ${BFLAGS} ${TARGET_ARCH} == "powerpc64") LIBCOMPAT= 32 .include "Makefile.libcompat" +.elif ${MK_LIBSOFT} != "no" && ${TARGET_ARCH} == "armv6" +LIBCOMPAT= SOFT +.include "Makefile.libcompat" .endif WMAKE= ${WMAKEENV} ${MAKE} ${WORLD_FLAGS} -f Makefile.inc1 DESTDIR=${WORLDTMP} diff --git a/Makefile.libcompat b/Makefile.libcompat index 32075fe..8a336b9 100644 --- a/Makefile.libcompat +++ b/Makefile.libcompat @@ -40,10 +40,19 @@ LIB32DTRACE= ${DTRACE} -32 LIB32WMAKEFLAGS+= -DCOMPAT_32BIT # ------------------------------------------------------------------- +# soft-fp world +.if ${TARGET_ARCH} == "armv6" +LIBSOFTCFLAGS= -DCOMPAT_SOFTFP +LIBSOFTCPUFLAGS= -mfloat-abi=softfp +LIBSOFTWMAKEENV= CPUTYPE=soft MACHINE=arm MACHINE_ARCH=armv6 +LIBSOFTWMAKEFLAGS= -DCOMPAT_SOFTFP +.endif + +# ------------------------------------------------------------------- # Generic code for each type. # Set defaults based on type. libcompat= ${LIBCOMPAT:tl} -_LIBCOMPAT_MAKEVARS= _OBJTREE TMP CFLAGS WMAKEENV WMAKEFLAGS WMAKE +_LIBCOMPAT_MAKEVARS= _OBJTREE TMP CPUFLAGS CFLAGS WMAKEENV WMAKEFLAGS WMAKE .for _var in ${_LIBCOMPAT_MAKEVARS} .if !empty(LIB${LIBCOMPAT}${_var}) LIBCOMPAT${_var}?= ${LIB${LIBCOMPAT}${_var}} diff --git a/lib/Makefile b/lib/Makefile index cfa0ea9..57fb3c3 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -172,7 +172,7 @@ _libbsnmp= libbsnmp _libcasper= libcasper .endif -.if ${MK_CLANG} != "no" && !defined(COMPAT_32BIT) +.if ${MK_CLANG} != "no" && !defined(COMPAT_32BIT) && !defined(COMPAT_SOFTFP) _clang= clang .endif -- cgit v1.1 From 3a646edfc863a2daaaf9efe0f197f96d52fdfb8c Mon Sep 17 00:00:00 2001 From: jmcneill Date: Sun, 13 Mar 2016 01:47:42 +0000 Subject: Fix display output for non-HDMI display devices. Only set the display to HDMI mode if a CEA-861 extension block was found on the connected display. PR: 207912 Approved by: gonzo (mentor) --- sys/arm/allwinner/a10_hdmi.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/sys/arm/allwinner/a10_hdmi.c b/sys/arm/allwinner/a10_hdmi.c index cf36ea9..9bb9869 100644 --- a/sys/arm/allwinner/a10_hdmi.c +++ b/sys/arm/allwinner/a10_hdmi.c @@ -203,6 +203,7 @@ struct a10hdmi_softc { uint8_t edid[EDID_LENGTH]; + int has_hdmi; int has_audio; }; @@ -371,27 +372,29 @@ a10hdmi_ddc_read(struct a10hdmi_softc *sc, int block, uint8_t *edid) return (0); } -static int -a10hdmi_detect_audio(struct a10hdmi_softc *sc) +static void +a10hdmi_detect_hdmi(struct a10hdmi_softc *sc, int *phdmi, int *paudio) { struct edid_info ei; uint8_t edid[EDID_LENGTH]; int block; + *phdmi = *paudio = 0; + if (edid_parse(sc->edid, &ei) != 0) - return (0); + return; /* Scan through extension blocks, looking for a CEA-861 block. */ for (block = 1; block <= ei.edid_ext_block_count; block++) { if (a10hdmi_ddc_read(sc, block, edid) != 0) - break; + return; - if (edid[EXT_TAG] == CEA_TAG_ID) - return ((edid[CEA_DTD] & DTD_BASIC_AUDIO) != 0); + if (edid[EXT_TAG] == CEA_TAG_ID) { + *phdmi = 1; + *paudio = ((edid[CEA_DTD] & DTD_BASIC_AUDIO) != 0); + return; + } } - - /* No CEA-861 block found */ - return (0); } static int @@ -426,9 +429,9 @@ a10hdmi_get_edid(device_t dev, uint8_t **edid, uint32_t *edid_len) } if (error == 0) - sc->has_audio = a10hdmi_detect_audio(sc); + a10hdmi_detect_hdmi(sc, &sc->has_hdmi, &sc->has_audio); else - sc->has_audio = 0; + sc->has_hdmi = sc->has_audio = 0; return (error); } @@ -515,7 +518,9 @@ a10hdmi_set_videomode(device_t dev, const struct videomode *mode) PLLCTRL0_VCO_S); /* Setup display settings */ - val = VID_CTRL_HDMI_MODE; + val = 0; + if (sc->has_hdmi) + val |= VID_CTRL_HDMI_MODE; if (mode->flags & VID_INTERLACE) val |= VID_CTRL_INTERLACE; if (mode->flags & VID_DBLSCAN) -- cgit v1.1 From 79f4718df457c435cc85624476fba1c5c069af40 Mon Sep 17 00:00:00 2001 From: jmcneill Date: Sun, 13 Mar 2016 01:49:36 +0000 Subject: Add HDMI device nodes to Banana Pi dts. PR: 207912 Approved by: gonzo (mentor) --- sys/boot/fdt/dts/arm/bananapi.dts | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/sys/boot/fdt/dts/arm/bananapi.dts b/sys/boot/fdt/dts/arm/bananapi.dts index 0bd1b38..a101720 100644 --- a/sys/boot/fdt/dts/arm/bananapi.dts +++ b/sys/boot/fdt/dts/arm/bananapi.dts @@ -74,6 +74,21 @@ ahci: sata@01c18000 { status = "okay"; }; + + hdmi: hdmi@01c16000 { + compatible = "allwinner,sun7i-a20-hdmi"; + reg = <0x01c16000 0x1000>; + }; + + hdmiaudio { + compatible = "allwinner,sun7i-a20-hdmiaudio"; + }; + + fb: fb@01e60000 { + compatible = "allwinner,sun7i-a20-fb"; + reg = <0x01e60000 0x10000>, /* DEBE0 */ + <0x01c0c000 0x1000>; /* LCD0 */ + }; }; leds { -- cgit v1.1 From f291714326a254d61e9dc1458f3b103faab9b394 Mon Sep 17 00:00:00 2001 From: trasz Date: Sun, 13 Mar 2016 14:17:23 +0000 Subject: Remove name length limitation from autofs(5). The linear search with strlens is somewhat suboptimal, but it's a temporary measure that will be replaced with red-black trees later on. PR: 204417 Reviewed by: kib@ MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5266 --- sys/fs/autofs/autofs.h | 7 -- sys/fs/autofs/autofs_vnops.c | 150 +++++++++++++++++++++++++++++-------------- 2 files changed, 101 insertions(+), 56 deletions(-) diff --git a/sys/fs/autofs/autofs.h b/sys/fs/autofs/autofs.h index 4d16509..27e380b 100644 --- a/sys/fs/autofs/autofs.h +++ b/sys/fs/autofs/autofs.h @@ -120,13 +120,6 @@ struct autofs_softc { int sc_last_request_id; }; -/* - * Limits and constants - */ -#define AUTOFS_NAMELEN 24 -#define AUTOFS_FSNAMELEN 16 /* equal to MFSNAMELEN */ -#define AUTOFS_DELEN (8 + AUTOFS_NAMELEN) - int autofs_init(struct vfsconf *vfsp); int autofs_uninit(struct vfsconf *vfsp); int autofs_trigger(struct autofs_node *anp, const char *component, diff --git a/sys/fs/autofs/autofs_vnops.c b/sys/fs/autofs/autofs_vnops.c index 2a2dd1a..515d228 100644 --- a/sys/fs/autofs/autofs_vnops.c +++ b/sys/fs/autofs/autofs_vnops.c @@ -330,26 +330,52 @@ autofs_mkdir(struct vop_mkdir_args *ap) return (error); } +/* + * Write out a single 'struct dirent', based on 'name' and 'fileno' arguments. + */ static int -autofs_readdir_one(struct uio *uio, const char *name, int fileno) +autofs_readdir_one(struct uio *uio, const char *name, int fileno, + size_t *reclenp) { struct dirent dirent; - int error, i; + size_t namlen, padded_namlen, reclen; + int error; + + namlen = strlen(name); + padded_namlen = roundup2(namlen + 1, __alignof(struct dirent)); + KASSERT(padded_namlen <= MAXNAMLEN, ("%zd > MAXNAMLEN", padded_namlen)); + reclen = offsetof(struct dirent, d_name) + padded_namlen; + + if (reclenp != NULL) + *reclenp = reclen; + + if (uio == NULL) + return (0); + + if (uio->uio_resid < reclen) + return (EINVAL); - memset(&dirent, 0, sizeof(dirent)); - dirent.d_type = DT_DIR; - dirent.d_reclen = AUTOFS_DELEN; dirent.d_fileno = fileno; - /* PFS_DELEN was picked to fit PFS_NAMLEN */ - for (i = 0; i < AUTOFS_NAMELEN - 1 && name[i] != '\0'; ++i) - dirent.d_name[i] = name[i]; - dirent.d_name[i] = 0; - dirent.d_namlen = i; + dirent.d_reclen = reclen; + dirent.d_type = DT_DIR; + dirent.d_namlen = namlen; + memcpy(dirent.d_name, name, namlen); + memset(dirent.d_name + namlen, 0, padded_namlen - namlen); + error = uiomove(&dirent, reclen, uio); - error = uiomove(&dirent, AUTOFS_DELEN, uio); return (error); } +static size_t +autofs_dirent_reclen(const char *name) +{ + size_t reclen; + + autofs_readdir_one(NULL, name, -1, &reclen); + + return (reclen); +} + static int autofs_readdir(struct vop_readdir_args *ap) { @@ -357,13 +383,15 @@ autofs_readdir(struct vop_readdir_args *ap) struct autofs_mount *amp; struct autofs_node *anp, *child; struct uio *uio; - off_t offset; - int error, i, resid; + size_t reclen, reclens; + ssize_t initial_resid; + int error; vp = ap->a_vp; amp = VFSTOAUTOFS(vp->v_mount); anp = vp->v_data; uio = ap->a_uio; + initial_resid = ap->a_uio->uio_resid; KASSERT(vp->v_type == VDIR, ("!VDIR")); @@ -381,70 +409,94 @@ autofs_readdir(struct vop_readdir_args *ap) } } - /* only allow reading entire entries */ - offset = uio->uio_offset; - resid = uio->uio_resid; - if (offset < 0 || offset % AUTOFS_DELEN != 0 || - (resid && resid < AUTOFS_DELEN)) + if (uio->uio_offset < 0) return (EINVAL); - if (resid == 0) - return (0); if (ap->a_eofflag != NULL) - *ap->a_eofflag = TRUE; + *ap->a_eofflag = FALSE; - if (offset == 0 && resid >= AUTOFS_DELEN) { - error = autofs_readdir_one(uio, ".", anp->an_fileno); + /* + * Write out the directory entry for ".". This is conditional + * on the current offset into the directory; same applies to the + * other two cases below. + */ + if (uio->uio_offset == 0) { + error = autofs_readdir_one(uio, ".", anp->an_fileno, &reclen); if (error != 0) - return (error); - offset += AUTOFS_DELEN; - resid -= AUTOFS_DELEN; + goto out; } + reclens = autofs_dirent_reclen("."); - if (offset == AUTOFS_DELEN && resid >= AUTOFS_DELEN) { + /* + * Write out the directory entry for "..". + */ + if (uio->uio_offset <= reclens) { + if (uio->uio_offset != reclens) + return (EINVAL); if (anp->an_parent == NULL) { - /* - * XXX: Right? - */ - error = autofs_readdir_one(uio, "..", anp->an_fileno); + error = autofs_readdir_one(uio, "..", + anp->an_fileno, &reclen); } else { error = autofs_readdir_one(uio, "..", - anp->an_parent->an_fileno); + anp->an_parent->an_fileno, &reclen); } if (error != 0) - return (error); - offset += AUTOFS_DELEN; - resid -= AUTOFS_DELEN; + goto out; } - i = 2; /* Account for "." and "..". */ + reclens += autofs_dirent_reclen(".."); + + /* + * Write out the directory entries for subdirectories. + */ AUTOFS_SLOCK(amp); TAILQ_FOREACH(child, &anp->an_children, an_next) { - if (resid < AUTOFS_DELEN) { - if (ap->a_eofflag != NULL) - *ap->a_eofflag = 0; - break; + /* + * Check the offset to skip entries returned by previous + * calls to getdents(). + */ + if (uio->uio_offset > reclens) { + reclens += autofs_dirent_reclen(child->an_name); + continue; } /* - * Skip entries returned by previous call to getdents(). + * Prevent seeking into the middle of dirent. */ - i++; - if (i * AUTOFS_DELEN <= offset) - continue; + if (uio->uio_offset != reclens) { + AUTOFS_SUNLOCK(amp); + return (EINVAL); + } error = autofs_readdir_one(uio, child->an_name, - child->an_fileno); + child->an_fileno, &reclen); + reclens += reclen; if (error != 0) { AUTOFS_SUNLOCK(amp); - return (error); + goto out; } - offset += AUTOFS_DELEN; - resid -= AUTOFS_DELEN; } - AUTOFS_SUNLOCK(amp); + + if (ap->a_eofflag != NULL) + *ap->a_eofflag = TRUE; + return (0); + +out: + /* + * Return error if the initial buffer was too small to do anything. + */ + if (uio->uio_resid == initial_resid) + return (error); + + /* + * Don't return an error if we managed to copy out some entries. + */ + if (uio->uio_resid < reclen) + return (0); + + return (error); } static int -- cgit v1.1 From 5d2092c908f0a7d5e3de057b88a882b586634cc5 Mon Sep 17 00:00:00 2001 From: ian Date: Sun, 13 Mar 2016 14:53:12 +0000 Subject: Fix a bug in bsdgrep that caused the program to hang in a tight loop for some combinations of command line options and search patterns. The code was examining regexec flags looking for a regcomp flag value. The fix is to look in the struct field where the decoded regcomp flag was stored when the regex was compiled. With this fix, it's possible to build WITHOUT_GNU_GREP_COMPAT and WITH_BSDGREP and have a usable GPL-free grep (which of course lacks gnugrep extensions). It now passes the kyua tests except for one test that requires the -z/--null-data gnu extension, and one test involving outputting context lines across multiple files which appears to sometimes output an extra delimiter line ("--") between matches (a rather obscure failure of a rather obscure feature, so bsdgrep should be generally usable now). --- usr.bin/grep/regex/glue.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr.bin/grep/regex/glue.h b/usr.bin/grep/regex/glue.h index 2fea4fd..0c54e98 100644 --- a/usr.bin/grep/regex/glue.h +++ b/usr.bin/grep/regex/glue.h @@ -50,7 +50,7 @@ typedef enum { STR_WIDE, STR_BYTE, STR_MBS, STR_USER } tre_str_type_t; if ((long long)pmatch[0].rm_eo - pmatch[0].rm_so < 0) \ return REG_NOMATCH; \ ret = fn; \ - for (unsigned i = 0; (!(eflags & REG_NOSUB) && (i < nmatch)); i++)\ + for (unsigned i = 0; (!preg->nosub && (i < nmatch)); i++) \ { \ pmatch[i].rm_so += offset; \ pmatch[i].rm_eo += offset; \ -- cgit v1.1 From c53e82adb111478a70ea7d494a59b6f88b44912a Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sun, 13 Mar 2016 19:17:48 +0000 Subject: We only support GCC 4.8 for these flags. - 4.7 introduced maybe-uninitialized - 4.8 introduced aggressive-loop-optimizations Sponsored by: EMC / Isilon Storage Division --- sys/conf/kern.mk | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk index 085d78f..f561f8a 100644 --- a/sys/conf/kern.mk +++ b/sys/conf/kern.mk @@ -42,10 +42,9 @@ CLANG_NO_IAS34= -no-integrated-as .endif .if ${COMPILER_TYPE} == "gcc" -.if ${COMPILER_VERSION} >= 40300 +.if ${COMPILER_VERSION} >= 40800 # Catch-all for all the things that are in our tree, but for which we're -# not yet ready for this compiler. Note: we likely only really "support" -# building with gcc 4.8 and newer. Nothing older has been tested. +# not yet ready for this compiler. CWARNEXTRA?= -Wno-error=inline -Wno-error=enum-compare -Wno-error=unused-but-set-variable \ -Wno-error=aggressive-loop-optimizations -Wno-error=maybe-uninitialized \ -Wno-error=array-bounds -Wno-error=address \ -- cgit v1.1 From 4f8c2039d8be63a0418cf26f53ba68c401a87cda Mon Sep 17 00:00:00 2001 From: rwatson Date: Sun, 13 Mar 2016 19:27:46 +0000 Subject: Put IPSec's anouncement of its successful intialisation under bootverbose: now that it's a default kernel option, we don't really need to tell the world about it on every boot, especially as it won't be used by most users. --- sys/netipsec/key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index ff580c7..865a630 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -7640,7 +7640,8 @@ key_init(void) /* initialize key statistics */ keystat.getspi_count = 1; - printf("IPsec: Initialized Security Association Processing.\n"); + if (bootverbose) + printf("IPsec: Initialized Security Association Processing.\n"); } #ifdef VIMAGE -- cgit v1.1 From 7f24107ea95b16cfda12da80fdc8a7172085e603 Mon Sep 17 00:00:00 2001 From: ian Date: Sun, 13 Mar 2016 19:42:59 +0000 Subject: Require firewall setup before running rc.d/netwait, otherwise the ping packets sent by netwait may not get through. PR: 207916 Submitted by: John.Marshall@riverwillow.com.au (ipfw), ian@ (pf, ipfilter) --- etc/rc.d/netwait | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/rc.d/netwait b/etc/rc.d/netwait index 6ccca04..e9c23ca 100755 --- a/etc/rc.d/netwait +++ b/etc/rc.d/netwait @@ -3,7 +3,7 @@ # $FreeBSD$ # # PROVIDE: netwait -# REQUIRE: devd routing +# REQUIRE: devd ipfilter ipfw pf routing # KEYWORD: nojail # # The netwait script helps handle two situations: -- cgit v1.1 From e4bdb83e76cddde5e496546bbf6fd34d08f39bd2 Mon Sep 17 00:00:00 2001 From: jceel Date: Sun, 13 Mar 2016 19:50:17 +0000 Subject: Check value returned from ucl_parser_add_file(). Reviewed by: trasz Approved by: trasz (mentor) MFC after: 1 month Sponsored by: iXsystems, Inc. --- usr.sbin/ctld/uclparse.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr.sbin/ctld/uclparse.c b/usr.sbin/ctld/uclparse.c index fb2cce0..3cf95cf 100644 --- a/usr.sbin/ctld/uclparse.c +++ b/usr.sbin/ctld/uclparse.c @@ -886,9 +886,8 @@ uclparse_conf(struct conf *newconf, const char *path) conf = newconf; parser = ucl_parser_new(0); - ucl_parser_add_file(parser, path); - if (ucl_parser_get_error(parser)) { + if (!ucl_parser_add_file(parser, path)) { log_warn("unable to parse configuration file %s: %s", path, ucl_parser_get_error(parser)); return (1); -- cgit v1.1 From 94e9e924f73543b44ec6c79d2f758cdd047f9dfd Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sun, 13 Mar 2016 20:51:45 +0000 Subject: Follow-up r296700: Fix incorrectly declaring these as .MAIN. This broke bootstrap-tools at least for DIRDEPS_BUILD. Sponsored by: EMC / Isilon Storage Division --- share/mk/local.sys.mk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/share/mk/local.sys.mk b/share/mk/local.sys.mk index 59d6899..ae022a1 100644 --- a/share/mk/local.sys.mk +++ b/share/mk/local.sys.mk @@ -33,9 +33,9 @@ META_COOKIE= ${COOKIE.${.TARGET}:U${.OBJDIR}/${.TARGET}} META_COOKIE_RM= @rm -f ${META_COOKIE} META_COOKIE_TOUCH= @touch ${META_COOKIE} CLEANFILES+= ${META_TARGETS} -_meta_dep_before: .USEBEFORE +_meta_dep_before: .USEBEFORE .NOTMAIN ${META_COOKIE_RM} -_meta_dep_after: .USE +_meta_dep_after: .USE .NOTMAIN ${META_COOKIE_TOUCH} # Attach this to a target to allow it to benefit from meta mode's # not rerunning a command if it doesn't need to be considering its -- cgit v1.1 From bd7cbc7f20b157f6c712deaebba1cfb4f619cfcd Mon Sep 17 00:00:00 2001 From: sobomax Date: Sun, 13 Mar 2016 21:09:08 +0000 Subject: In the de-duplication mode, when found matching md5 checksum also read back block and compare actual content. Just output original block instead of back reference in the unlikely event of collision. --- usr.bin/mkuzip/mkuz_blockcache.c | 49 ++++++++++++++++++++++++++++++++++++++-- usr.bin/mkuzip/mkuzip.c | 2 +- 2 files changed, 48 insertions(+), 3 deletions(-) diff --git a/usr.bin/mkuzip/mkuz_blockcache.c b/usr.bin/mkuzip/mkuz_blockcache.c index a3ac564..204fce2 100644 --- a/usr.bin/mkuzip/mkuz_blockcache.c +++ b/usr.bin/mkuzip/mkuz_blockcache.c @@ -29,7 +29,9 @@ __FBSDID("$FreeBSD$"); #include +#include #include +#include #include #include #include @@ -49,6 +51,35 @@ struct mkuz_blkcache { static struct mkuz_blkcache blkcache; +static int +verify_match(int fd, off_t data_offset, void *data, ssize_t len, + struct mkuz_blkcache *bcep) +{ + void *vbuf; + ssize_t rlen; + int rval; + + rval = -1; + vbuf = malloc(len); + if (vbuf == NULL) { + goto e0; + } + if (lseek(fd, bcep->data_offset, SEEK_SET) < 0) { + goto e1; + } + rlen = read(fd, vbuf, len); + if (rlen != len) { + goto e2; + } + rval = (memcmp(data, vbuf, len) == 0) ? 1 : 0; +e2: + lseek(fd, data_offset, SEEK_SET); +e1: + free(vbuf); +e0: + return (rval); +} + struct mkuz_blkcache_hit * mkuz_blkcache_regblock(int fd, uint32_t blkno, off_t offset, ssize_t len, void *data) @@ -57,6 +88,7 @@ mkuz_blkcache_regblock(int fd, uint32_t blkno, off_t offset, ssize_t len, MD5_CTX mcontext; off_t data_offset; unsigned char mdigest[16]; + int rval; data_offset = lseek(fd, 0, SEEK_CUR); if (data_offset < 0) { @@ -76,10 +108,23 @@ mkuz_blkcache_regblock(int fd, uint32_t blkno, off_t offset, ssize_t len, } } if (bcep != NULL) { + rval = verify_match(fd, data_offset, data, len, bcep); + if (rval == 1) { +#if defined(MKUZ_DEBUG) + fprintf(stderr, "cache hit %d, %d, %d\n", + (int)bcep->hit.offset, (int)data_offset, (int)len); +#endif + return (&bcep->hit); + } + if (rval == 0) { #if defined(MKUZ_DEBUG) - printf("cache hit %d, %d, %d\n", (int)bcep->hit.offset, (int)data_offset, (int)len); + fprintf(stderr, "block MD5 collision, you should try lottery, " + "man!\n"); #endif - return (&bcep->hit); + return (NULL); + } + warn("verify_match"); + return (NULL); } bcep = malloc(sizeof(struct mkuz_blkcache)); if (bcep == NULL) diff --git a/usr.bin/mkuzip/mkuzip.c b/usr.bin/mkuzip/mkuzip.c index fa73653..c436075 100644 --- a/usr.bin/mkuzip/mkuzip.c +++ b/usr.bin/mkuzip/mkuzip.c @@ -221,7 +221,7 @@ int main(int argc, char **argv) } toc = mkuz_safe_malloc((hdr.nblocks + 1) * sizeof(*toc)); - fdw = open(oname, O_WRONLY | O_TRUNC | O_CREAT, + fdw = open(oname, (en_dedup ? O_RDWR : O_WRONLY) | O_TRUNC | O_CREAT, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); if (fdw < 0) { err(1, "open(%s)", oname); -- cgit v1.1 From 21613a57af9500acca9b3528958312dd3ae12bb4 Mon Sep 17 00:00:00 2001 From: bz Date: Sun, 13 Mar 2016 21:26:18 +0000 Subject: Remove duplicate external declaration of tcprexmtthresh making gcc compiles barf. --- sys/netinet/tcp_stacks/fastpath.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sys/netinet/tcp_stacks/fastpath.c b/sys/netinet/tcp_stacks/fastpath.c index 5eddccf..a447b88 100644 --- a/sys/netinet/tcp_stacks/fastpath.c +++ b/sys/netinet/tcp_stacks/fastpath.c @@ -124,8 +124,6 @@ __FBSDID("$FreeBSD$"); #include -extern const int tcprexmtthresh; - VNET_DECLARE(int, tcp_autorcvbuf_inc); #define V_tcp_autorcvbuf_inc VNET(tcp_autorcvbuf_inc) VNET_DECLARE(int, tcp_autorcvbuf_max); -- cgit v1.1 From adf4768f5af774c81558db775f0ac527b1785af4 Mon Sep 17 00:00:00 2001 From: jilles Date: Sun, 13 Mar 2016 22:54:14 +0000 Subject: sh: Fix copying uninitialized field 'special'. This just copied uninitialized data and did not depend on it later, so it should not be dangerous. Found by: clang static analyzer --- bin/sh/exec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/sh/exec.c b/bin/sh/exec.c index ab86b76..79dad6c 100644 --- a/bin/sh/exec.c +++ b/bin/sh/exec.c @@ -332,6 +332,7 @@ find_command(const char *name, struct cmdentry *entry, int act, if (strchr(name, '/') != NULL) { entry->cmdtype = CMDNORMAL; entry->u.index = 0; + entry->special = 0; return; } @@ -408,6 +409,7 @@ find_command(const char *name, struct cmdentry *entry, int act, cmdp = &loc_cmd; cmdp->cmdtype = CMDNORMAL; cmdp->param.index = idx; + cmdp->special = 0; INTON; goto success; } @@ -420,6 +422,7 @@ find_command(const char *name, struct cmdentry *entry, int act, } entry->cmdtype = CMDUNKNOWN; entry->u.index = 0; + entry->special = 0; return; success: @@ -588,6 +591,7 @@ addcmdentry(const char *name, struct cmdentry *entry) } cmdp->cmdtype = entry->cmdtype; cmdp->param = entry->u; + cmdp->special = entry->special; INTON; } @@ -604,6 +608,7 @@ defun(const char *name, union node *func) INTOFF; entry.cmdtype = CMDFUNCTION; entry.u.func = copyfunc(func); + entry.special = 0; addcmdentry(name, &entry); INTON; } -- cgit v1.1 From 3d8720ff799fbd99cbd49536db33d966c305435f Mon Sep 17 00:00:00 2001 From: pfg Date: Mon, 14 Mar 2016 00:34:12 +0000 Subject: libdtrace: use calloc(3) instead of malloc(3) when it makes sense. calloc(3) is faster and occasionally safer than malloc(3) + bzero(3). In one case, pointed out by Mark[1], this also cleans up a calculation. Reviewed by: markj [1] MFC after: 1 week --- cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c | 14 +++++--------- cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c | 7 ++++--- cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c | 7 +++++-- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c index 77f9223..5fe2565 100644 --- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c +++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_module.c @@ -24,6 +24,7 @@ */ /* * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2016, Pedro Giffuni. All rights reserved. */ #include @@ -721,22 +722,20 @@ dt_module_load_proc(dtrace_hdl_t *dtp, dt_module_t *dmp) return (dt_set_errno(dtp, EDT_CANTLOAD)); } - dmp->dm_libctfp = malloc(sizeof (ctf_file_t *) * arg.dpa_count); + dmp->dm_libctfp = calloc(arg.dpa_count, sizeof (ctf_file_t *)); if (dmp->dm_libctfp == NULL) { dt_proc_unlock(dtp, p); dt_proc_release(dtp, p); return (dt_set_errno(dtp, EDT_NOMEM)); } - bzero(dmp->dm_libctfp, sizeof (ctf_file_t *) * arg.dpa_count); - dmp->dm_libctfn = malloc(sizeof (char *) * arg.dpa_count); + dmp->dm_libctfn = calloc(arg.dpa_count, sizeof (char *)); if (dmp->dm_libctfn == NULL) { free(dmp->dm_libctfp); dt_proc_unlock(dtp, p); dt_proc_release(dtp, p); return (dt_set_errno(dtp, EDT_NOMEM)); } - bzero(dmp->dm_libctfn, sizeof (char *) * arg.dpa_count); dmp->dm_nctflibs = arg.dpa_count; @@ -817,17 +816,14 @@ dt_module_load(dtrace_hdl_t *dtp, dt_module_t *dmp) dmp->dm_nsymbuckets = _dtrace_strbuckets; dmp->dm_symfree = 1; /* first free element is index 1 */ - dmp->dm_symbuckets = malloc(sizeof (uint_t) * dmp->dm_nsymbuckets); - dmp->dm_symchains = malloc(sizeof (dt_sym_t) * dmp->dm_nsymelems + 1); + dmp->dm_symbuckets = calloc(dmp->dm_nsymbuckets, sizeof (uint_t)); + dmp->dm_symchains = calloc(dmp->dm_nsymelems + 1, sizeof (dt_sym_t)); if (dmp->dm_symbuckets == NULL || dmp->dm_symchains == NULL) { dt_module_unload(dtp, dmp); return (dt_set_errno(dtp, EDT_NOMEM)); } - bzero(dmp->dm_symbuckets, sizeof (uint_t) * dmp->dm_nsymbuckets); - bzero(dmp->dm_symchains, sizeof (dt_sym_t) * dmp->dm_nsymelems + 1); - /* * Iterate over the symbol table data buffer and insert each symbol * name into the name hash if the name and type are valid. Then diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c index 0c747ed..a630d30 100644 --- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c +++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_regset.c @@ -27,6 +27,7 @@ /* * Copyright (c) 2012 by Delphix. All rights reserved. + * Copyright (c) 2016 Pedro Giffuni. All rights reserved. */ #include @@ -47,15 +48,15 @@ dt_regset_create(ulong_t nregs) if (drp == NULL) return (NULL); - drp->dr_bitmap = malloc(sizeof (ulong_t) * n); - drp->dr_size = nregs; + drp->dr_bitmap = calloc(n, sizeof (ulong_t)); if (drp->dr_bitmap == NULL) { dt_regset_destroy(drp); return (NULL); } - bzero(drp->dr_bitmap, sizeof (ulong_t) * n); + drp->dr_size = nregs; + return (drp); } diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c index cf6bc48..21669c8 100644 --- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c +++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_strtab.c @@ -24,6 +24,10 @@ * Use is subject to license terms. */ +/* + * Portions Copyright 2016 Pedro Giffuni. All rights reserved. + */ + #pragma ident "%Z%%M% %I% %E% SMI" #include @@ -70,12 +74,11 @@ dt_strtab_create(size_t bufsz) return (NULL); bzero(sp, sizeof (dt_strtab_t)); - sp->str_hash = malloc(nbuckets * sizeof (dt_strhash_t *)); + sp->str_hash = calloc(nbuckets, sizeof (dt_strhash_t *)); if (sp->str_hash == NULL) goto err; - bzero(sp->str_hash, nbuckets * sizeof (dt_strhash_t *)); sp->str_hashsz = nbuckets; sp->str_bufs = NULL; sp->str_ptr = NULL; -- cgit v1.1 From a08fbac3add3c4a7054f28fedccdd8bd59381a0a Mon Sep 17 00:00:00 2001 From: bdrewery Date: Mon, 14 Mar 2016 00:51:45 +0000 Subject: Reword SX_NOADAPTIVE description to be clear that adaptive is default. The default changed in r193011. MFC after: 1 week --- share/man/man9/sx.9 | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/share/man/man9/sx.9 b/share/man/man9/sx.9 index 49a064e..a9931a9 100644 --- a/share/man/man9/sx.9 +++ b/share/man/man9/sx.9 @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 13, 2014 +.Dd March 13, 2016 .Dt SX 9 .Os .Sh NAME @@ -124,12 +124,10 @@ specifies a set of optional flags to alter the behavior of It contains one or more of the following flags: .Bl -tag -width SX_NOADAPTIVE .It Dv SX_NOADAPTIVE -If the kernel is not compiled with -.Cd "options NO_ADAPTIVE_SX" , -then lock operations for -.Fa sx -will spin instead of sleeping while an exclusive lock holder is executing on -another CPU. +Disable adaptive spinning, rather than sleeping, for lock operations +while an exclusive lock holder is executing on another CPU. +Adaptive spinning is the default unless the kernel is compiled with +.Cd "options NO_ADAPTIVE_SX" . .It Dv SX_DUPOK Witness should not log messages about duplicate locks being acquired. .It Dv SX_NOWITNESS -- cgit v1.1 From 9f278f3fc9d55dda28e1abbf196eaea235573e94 Mon Sep 17 00:00:00 2001 From: adrian Date: Mon, 14 Mar 2016 04:39:35 +0000 Subject: [net80211] handle unlisted information elements. This displays the IE names in ifconfig but it doesn't yet decode things. Submitted by: Idwer Vollering Differential Revision: https://reviews.freebsd.org/D3782 --- sbin/ifconfig/ifieee80211.c | 2 ++ sys/net80211/ieee80211.h | 75 ++++++++++++++++++++++++++++++++++++++++++ sys/net80211/ieee80211_input.c | 4 +++ 3 files changed, 81 insertions(+) diff --git a/sbin/ifconfig/ifieee80211.c b/sbin/ifconfig/ifieee80211.c index 72145d1..5ababf3 100644 --- a/sbin/ifconfig/ifieee80211.c +++ b/sbin/ifconfig/ifieee80211.c @@ -3072,6 +3072,7 @@ iename(int elemid) case IEEE80211_ELEMID_CFPARMS: return " CFPARMS"; case IEEE80211_ELEMID_TIM: return " TIM"; case IEEE80211_ELEMID_IBSSPARMS:return " IBSSPARMS"; + case IEEE80211_ELEMID_BSSLOAD: return " BSSLOAD"; case IEEE80211_ELEMID_CHALLENGE:return " CHALLENGE"; case IEEE80211_ELEMID_PWRCNSTR: return " PWRCNSTR"; case IEEE80211_ELEMID_PWRCAP: return " PWRCAP"; @@ -3083,6 +3084,7 @@ iename(int elemid) case IEEE80211_ELEMID_MEASREP: return " MEASREP"; case IEEE80211_ELEMID_QUIET: return " QUIET"; case IEEE80211_ELEMID_IBSSDFS: return " IBSSDFS"; + case IEEE80211_ELEMID_APCHANREP:return " APCHANREP"; case IEEE80211_ELEMID_TPC: return " TPC"; case IEEE80211_ELEMID_CCKM: return " CCKM"; } diff --git a/sys/net80211/ieee80211.h b/sys/net80211/ieee80211.h index 925b451..7364db1 100644 --- a/sys/net80211/ieee80211.h +++ b/sys/net80211/ieee80211.h @@ -708,6 +708,7 @@ enum { IEEE80211_ELEMID_TIM = 5, IEEE80211_ELEMID_IBSSPARMS = 6, IEEE80211_ELEMID_COUNTRY = 7, + IEEE80211_ELEMID_BSSLOAD = 11, IEEE80211_ELEMID_CHALLENGE = 16, /* 17-31 reserved for challenge text extension */ IEEE80211_ELEMID_PWRCNSTR = 32, @@ -725,6 +726,7 @@ enum { IEEE80211_ELEMID_QOS = 46, IEEE80211_ELEMID_RSN = 48, IEEE80211_ELEMID_XRATES = 50, + IEEE80211_ELEMID_APCHANREP = 51, IEEE80211_ELEMID_HTINFO = 61, IEEE80211_ELEMID_TPC = 150, IEEE80211_ELEMID_CCKM = 156, @@ -749,6 +751,7 @@ enum { IEEE80211_ELEMID_MESHGANN = 125, IEEE80211_ELEMID_MESHRANN = 126, /* 127 Extended Capabilities */ + IEEE80211_ELEMID_MESHEXTCAP = 127, /* 128-129 reserved */ IEEE80211_ELEMID_MESHPREQ = 130, IEEE80211_ELEMID_MESHPREP = 131, @@ -783,6 +786,78 @@ struct ieee80211_country_ie { #define IEEE80211_COUNTRY_MAX_SIZE \ (sizeof(struct ieee80211_country_ie) + 3*(IEEE80211_COUNTRY_MAX_BANDS-1)) +struct ieee80211_bss_load_ie { + uint8_t ie; + uint8_t len; + uint16_t sta_count; /* station count */ + uint8_t chan_load; /* channel utilization */ + uint8_t aac; /* available admission capacity */ +} __packed; + +struct ieee80211_ap_chan_report_ie { + uint8_t ie; + uint8_t len; + uint8_t class; /* operating class */ + /* Annex E, E.1 Country information and operating classes */ + uint8_t chan_list[0]; +} __packed; + +#define IEEE80211_EXTCAP_CMS (1ULL << 0) /* 20/40 BSS coexistence management support */ +#define IEEE80211_EXTCAP_RSVD_1 (1ULL << 1) +#define IEEE80211_EXTCAP_ECS (1ULL << 2) /* extended channel switching */ +#define IEEE80211_EXTCAP_RSVD_3 (1ULL << 3) +#define IEEE80211_EXTCAP_PSMP_CAP (1ULL << 4) /* PSMP capability */ +#define IEEE80211_EXTCAP_RSVD_5 (1ULL << 5) +#define IEEE80211_EXTCAP_S_PSMP_SUPP (1ULL << 6) +#define IEEE80211_EXTCAP_EVENT (1ULL << 7) +#define IEEE80211_EXTCAP_DIAGNOSTICS (1ULL << 8) +#define IEEE80211_EXTCAP_MCAST_DIAG (1ULL << 9) +#define IEEE80211_EXTCAP_LOC_TRACKING (1ULL << 10) +#define IEEE80211_EXTCAP_FMS (1ULL << 11) +#define IEEE80211_EXTCAP_PROXY_ARP (1ULL << 12) +#define IEEE80211_EXTCAP_CIR (1ULL << 13) /* collocated interference reporting */ +#define IEEE80211_EXTCAP_CIVIC_LOC (1ULL << 14) +#define IEEE80211_EXTCAP_GEOSPATIAL_LOC (1ULL << 15) +#define IEEE80211_EXTCAP_TFS (1ULL << 16) +#define IEEE80211_EXTCAP_WNM_SLEEPMODE (1ULL << 17) +#define IEEE80211_EXTCAP_TIM_BROADCAST (1ULL << 18) +#define IEEE80211_EXTCAP_BSS_TRANSITION (1ULL << 19) +#define IEEE80211_EXTCAP_QOS_TRAF_CAP (1ULL << 20) +#define IEEE80211_EXTCAP_AC_STA_COUNT (1ULL << 21) +#define IEEE80211_EXTCAP_M_BSSID (1ULL << 22) /* multiple BSSID field */ +#define IEEE80211_EXTCAP_TIMING_MEAS (1ULL << 23) +#define IEEE80211_EXTCAP_CHAN_USAGE (1ULL << 24) +#define IEEE80211_EXTCAP_SSID_LIST (1ULL << 25) +#define IEEE80211_EXTCAP_DMS (1ULL << 26) +#define IEEE80211_EXTCAP_UTC_TSF_OFFSET (1ULL << 27) +#define IEEE80211_EXTCAP_TLDS_BUF_STA_SUPP (1ULL << 28) /* TDLS peer U-APSP buffer STA support */ +#define IEEE80211_EXTCAP_TLDS_PPSM_SUPP (1ULL << 29) /* TDLS peer PSM support */ +#define IEEE80211_EXTCAP_TLDS_CH_SW (1ULL << 30) /* TDLS channel switching */ +#define IEEE80211_EXTCAP_INTERWORKING (1ULL << 31) +#define IEEE80211_EXTCAP_QOSMAP (1ULL << 32) +#define IEEE80211_EXTCAP_EBR (1ULL << 33) +#define IEEE80211_EXTCAP_SSPN_IF (1ULL << 34) +#define IEEE80211_EXTCAP_RSVD_35 (1ULL << 35) +#define IEEE80211_EXTCAP_MSGCF_CAP (1ULL << 36) +#define IEEE80211_EXTCAP_TLDS_SUPP (1ULL << 37) +#define IEEE80211_EXTCAP_TLDS_PROHIB (1ULL << 38) +#define IEEE80211_EXTCAP_TLDS_CH_SW_PROHIB (1ULL << 39) /* TDLS channel switching prohibited */ +#define IEEE80211_EXTCAP_RUF (1ULL << 40) /* reject unadmitted frame */ +/* service interval granularity */ +#define IEEE80211_EXTCAP_SIG \ + ((1ULL << 41) | (1ULL << 42) | (1ULL << 43)) +#define IEEE80211_EXTCAP_ID_LOC (1ULL << 44) +#define IEEE80211_EXTCAP_U_APSD_COEX (1ULL << 45) +#define IEEE80211_EXTCAP_WNM_NOTIFICATION (1ULL << 46) +#define IEEE80211_EXTCAP_RSVD_47 (1ULL << 47) +#define IEEE80211_EXTCAP_SSID (1ULL << 48) /* UTF-8 SSID */ +/* bits 49-n are reserved */ + +struct ieee80211_extcap_ie { + uint8_t ie; + uint8_t len; +} __packed; + /* * 802.11h Quiet Time Element. */ diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c index f1f70a2..3b4379f 100644 --- a/sys/net80211/ieee80211_input.c +++ b/sys/net80211/ieee80211_input.c @@ -570,6 +570,8 @@ ieee80211_parse_beacon(struct ieee80211_node *ni, struct mbuf *m, case IEEE80211_ELEMID_IBSSPARMS: case IEEE80211_ELEMID_CFPARMS: case IEEE80211_ELEMID_PWRCNSTR: + case IEEE80211_ELEMID_BSSLOAD: + case IEEE80211_ELEMID_APCHANREP: /* NB: avoid debugging complaints */ break; case IEEE80211_ELEMID_XRATES: @@ -601,6 +603,8 @@ ieee80211_parse_beacon(struct ieee80211_node *ni, struct mbuf *m, case IEEE80211_ELEMID_MESHCONF: scan->meshconf = frm; break; + case IEEE80211_ELEMID_MESHEXTCAP: + break; #endif case IEEE80211_ELEMID_VENDOR: if (iswpaoui(frm)) -- cgit v1.1 From 42f0174557e14915d527a5cbba5bd40d9b6e7732 Mon Sep 17 00:00:00 2001 From: wma Date: Mon, 14 Mar 2016 06:30:37 +0000 Subject: Fix GIC interrupt decoding in INTRNG code Bug was already fixed in not-INTRNG code, it needs to be corrected here as well. Source: https://reviews.freebsd.org/rS294422 Submitted by: Bartosz Szczepanek Obtained from: Semihalf Sponsored by: Stormshield Reviewed by: cognet, wma Approved by: cognet (mentor) Differential Revision: https://reviews.freebsd.org/D5029 --- sys/arm/arm/gic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/arm/arm/gic.c b/sys/arm/arm/gic.c index 2b0abf6..cf72820 100644 --- a/sys/arm/arm/gic.c +++ b/sys/arm/arm/gic.c @@ -755,7 +755,7 @@ gic_map_fdt(struct arm_gic_softc *sc, struct intr_irqsrc *isrc, u_int *irqp) * The hardware only supports active-high-level or rising-edge. */ tripol = isrc->isrc_cells[2]; - if (tripol & 0x0a) { + if (tripol & 0x0a && irq >= GIC_FIRST_SPI) { device_printf(sc->gic_dev, "unsupported trigger/polarity configuration " "0x%02x\n", tripol & 0x0f); -- cgit v1.1 From 5715f97c308d18a485f4faf6bb9c9051b18f8f59 Mon Sep 17 00:00:00 2001 From: wma Date: Mon, 14 Mar 2016 07:05:41 +0000 Subject: Make MPIC compatible with ARM_INTRNG After ARM_INTRNG introduction, MPIC code needed several modifications: - IRQ resource and its handler added - several DEVMETHODs of INTRNG interface implemented - defines enhanced to ensure code compiles as well for AXP as for A38X - added dummy MSI_IRQ, ERR_IRQ defines for Armada38x - MPIC driver was added to files.armada38x, ARM_INTRNG option enabled in kernconf file and regs of MPIC corrected in dts file. Instead of modifying Armada38X DTS, offsets to CPU registers defined in driver were changed. That required restoring 'reg' property of mpic node in ArmadaXP to state compliant with Linux DTS. Additionally, required ARM_INTRNG definitions were added to mv_common.c. Submitted by: Bartosz Szczepanek Obtained from: Semihalf Sponsored by: Stormshield Reviewed by: adrian, andrew, ian, skra Approved by: cognet (mentor) Differential Revision: https://reviews.freebsd.org/D5030 --- sys/arm/conf/ARMADA38X | 1 + sys/arm/mv/armada38x/files.armada38x | 1 + sys/arm/mv/mpic.c | 346 +++++++++++++++++++++++++++++------ sys/arm/mv/mvreg.h | 5 +- sys/boot/fdt/dts/arm/db78460.dts | 2 +- 5 files changed, 300 insertions(+), 55 deletions(-) diff --git a/sys/arm/conf/ARMADA38X b/sys/arm/conf/ARMADA38X index d6b3664..c36187c 100644 --- a/sys/arm/conf/ARMADA38X +++ b/sys/arm/conf/ARMADA38X @@ -23,6 +23,7 @@ options SCHED_ULE # ULE scheduler #options SCHED_4BSD # 4BSD scheduler options SMP +options ARM_INTRNG # Debugging #options DEBUG diff --git a/sys/arm/mv/armada38x/files.armada38x b/sys/arm/mv/armada38x/files.armada38x index e246f58..599919d 100644 --- a/sys/arm/mv/armada38x/files.armada38x +++ b/sys/arm/mv/armada38x/files.armada38x @@ -1,4 +1,5 @@ # $FreeBSD$ +arm/mv/mpic.c standard arm/mv/armada38x/armada38x.c standard arm/mv/armada38x/armada38x_mp.c optional smp diff --git a/sys/arm/mv/mpic.c b/sys/arm/mv/mpic.c index ebd1477..e81820c 100644 --- a/sys/arm/mv/mpic.c +++ b/sys/arm/mv/mpic.c @@ -33,14 +33,20 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_platform.h" + #include #include #include #include #include #include +#include #include +#include +#include #include +#include #include #include @@ -48,11 +54,16 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include +#ifdef ARM_INTRNG +#include "pic_if.h" +#endif + #ifdef DEBUG #define debugf(fmt, args...) do { printf("%s(): ", __func__); \ printf(fmt,##args); } while (0) @@ -60,46 +71,63 @@ __FBSDID("$FreeBSD$"); #define debugf(fmt, args...) #endif -#define MPIC_INT_ERR 4 -#define MPIC_INT_MSI 96 +#define MPIC_INT_ERR 4 +#define MPIC_INT_MSI 96 -#define IRQ_MASK 0x3ff +#define IRQ_MASK 0x3ff -#define MPIC_CTRL 0x0 -#define MPIC_SOFT_INT 0x4 -#define MPIC_SOFT_INT_DRBL1 (1 << 5) -#define MPIC_ERR_CAUSE 0x20 -#define MPIC_ISE 0x30 -#define MPIC_ICE 0x34 +#define MPIC_CTRL 0x0 +#define MPIC_SOFT_INT 0x4 +#define MPIC_SOFT_INT_DRBL1 (1 << 5) +#define MPIC_ERR_CAUSE 0x20 +#define MPIC_ISE 0x30 +#define MPIC_ICE 0x34 +#define MPIC_INT_CTL(irq) (0x100 + (irq)*4) +#define MPIC_INT_IRQ_FIQ_MASK(cpuid) (0x101 << (cpuid)) +#define MPIC_CTRL_NIRQS(ctrl) (((ctrl) >> 2) & 0x3ff) -#define MPIC_IN_DRBL 0x78 -#define MPIC_IN_DRBL_MASK 0x7c -#define MPIC_CTP 0xb0 -#define MPIC_CTP 0xb0 -#define MPIC_IIACK 0xb4 -#define MPIC_ISM 0xb8 -#define MPIC_ICM 0xbc -#define MPIC_ERR_MASK 0xec0 +#define MPIC_IN_DRBL 0x08 +#define MPIC_IN_DRBL_MASK 0x0c +#define MPIC_PPI_CAUSE 0x10 +#define MPIC_CTP 0x40 +#define MPIC_IIACK 0x44 +#define MPIC_ISM 0x48 +#define MPIC_ICM 0x4c +#define MPIC_ERR_MASK 0xe50 + +#define MPIC_PPI 32 struct mv_mpic_softc { device_t sc_dev; - struct resource * mpic_res[3]; + struct resource * mpic_res[4]; bus_space_tag_t mpic_bst; bus_space_handle_t mpic_bsh; bus_space_tag_t cpu_bst; bus_space_handle_t cpu_bsh; bus_space_tag_t drbl_bst; bus_space_handle_t drbl_bsh; + struct mtx mtx; + + struct intr_irqsrc ** mpic_isrcs; + int nirqs; + void * intr_hand; }; static struct resource_spec mv_mpic_spec[] = { { SYS_RES_MEMORY, 0, RF_ACTIVE }, { SYS_RES_MEMORY, 1, RF_ACTIVE }, - { SYS_RES_MEMORY, 2, RF_ACTIVE }, + { SYS_RES_MEMORY, 2, RF_ACTIVE | RF_OPTIONAL }, + { SYS_RES_IRQ, 0, RF_ACTIVE | RF_OPTIONAL }, { -1, 0 } }; +static struct ofw_compat_data compat_data[] = { + {"mrvl,mpic", true}, + {"marvell,mpic", true}, + {NULL, false} +}; + static struct mv_mpic_softc *mv_mpic_sc = NULL; void mpic_send_ipi(int cpus, u_int ipi); @@ -109,9 +137,21 @@ static int mv_mpic_attach(device_t); uint32_t mv_mpic_get_cause(void); uint32_t mv_mpic_get_cause_err(void); uint32_t mv_mpic_get_msi(void); +static void mpic_unmask_irq(uintptr_t nb); +static void mpic_mask_irq(uintptr_t nb); +static void mpic_mask_irq_err(uintptr_t nb); +static void mpic_unmask_irq_err(uintptr_t nb); +static int mpic_intr(void *arg); +static void mpic_unmask_msi(void); +#ifndef ARM_INTRNG static void arm_mask_irq_err(uintptr_t); static void arm_unmask_irq_err(uintptr_t); -static void arm_unmask_msi(void); +#endif + +#define MPIC_WRITE(softc, reg, val) \ + bus_space_write_4((softc)->mpic_bst, (softc)->mpic_bsh, (reg), (val)) +#define MPIC_READ(softc, reg) \ + bus_space_read_4((softc)->mpic_bst, (softc)->mpic_bsh, (reg)) #define MPIC_CPU_WRITE(softc, reg, val) \ bus_space_write_4((softc)->cpu_bst, (softc)->cpu_bsh, (reg), (val)) @@ -130,7 +170,7 @@ mv_mpic_probe(device_t dev) if (!ofw_bus_status_okay(dev)) return (ENXIO); - if (!ofw_bus_is_compatible(dev, "mrvl,mpic")) + if (!ofw_bus_search_compatible(dev, compat_data)->ocd_data) return (ENXIO); device_set_desc(dev, "Marvell Integrated Interrupt Controller"); @@ -142,6 +182,7 @@ mv_mpic_attach(device_t dev) { struct mv_mpic_softc *sc; int error; + uint32_t val; sc = (struct mv_mpic_softc *)device_get_softc(dev); @@ -151,11 +192,20 @@ mv_mpic_attach(device_t dev) sc->sc_dev = dev; + mtx_init(&sc->mtx, "MPIC lock", NULL, MTX_SPIN); + error = bus_alloc_resources(dev, mv_mpic_spec, sc->mpic_res); if (error) { device_printf(dev, "could not allocate resources\n"); return (ENXIO); } +#ifdef ARM_INTRNG + if (sc->mpic_res[3] == NULL) + device_printf(dev, "No interrupt to use.\n"); + else + bus_setup_intr(dev, sc->mpic_res[3], INTR_TYPE_CLK, + mpic_intr, NULL, sc, &sc->intr_hand); +#endif sc->mpic_bst = rman_get_bustag(sc->mpic_res[0]); sc->mpic_bsh = rman_get_bushandle(sc->mpic_res[0]); @@ -163,21 +213,182 @@ mv_mpic_attach(device_t dev) sc->cpu_bst = rman_get_bustag(sc->mpic_res[1]); sc->cpu_bsh = rman_get_bushandle(sc->mpic_res[1]); - sc->drbl_bst = rman_get_bustag(sc->mpic_res[2]); - sc->drbl_bsh = rman_get_bushandle(sc->mpic_res[2]); + if (sc->mpic_res[2] != NULL) { + /* This is required only if MSIs are used. */ + sc->drbl_bst = rman_get_bustag(sc->mpic_res[2]); + sc->drbl_bsh = rman_get_bushandle(sc->mpic_res[2]); + } bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh, MPIC_CTRL, 1); MPIC_CPU_WRITE(mv_mpic_sc, MPIC_CTP, 0); - arm_unmask_msi(); + val = MPIC_READ(mv_mpic_sc, MPIC_CTRL); + sc->nirqs = MPIC_CTRL_NIRQS(val); + +#ifdef ARM_INTRNG + sc->mpic_isrcs = malloc(sc->nirqs * sizeof (*sc->mpic_isrcs), M_DEVBUF, + M_WAITOK | M_ZERO); + + if (intr_pic_register(dev, OF_xref_from_device(dev)) != 0) { + device_printf(dev, "could not register PIC\n"); + bus_release_resources(dev, mv_mpic_spec, sc->mpic_res); + return (ENXIO); + } +#endif + + mpic_unmask_msi(); + + return (0); +} + +#ifdef ARM_INTRNG +static int +mpic_intr(void *arg) +{ + struct mv_mpic_softc *sc; + struct trapframe *tf; + struct intr_irqsrc *isrc; + uint32_t cause, irqsrc; + unsigned int irq; + u_int cpuid; + + sc = arg; + tf = curthread->td_intr_frame; + cpuid = PCPU_GET(cpuid); + irq = 0; + + for (cause = MPIC_CPU_READ(sc, MPIC_PPI_CAUSE); cause > 0; + cause >>= 1, irq++) { + if (cause & 1) { + irqsrc = MPIC_READ(sc, MPIC_INT_CTL(irq)); + if ((irqsrc & MPIC_INT_IRQ_FIQ_MASK(cpuid)) == 0) + continue; + isrc = sc->mpic_isrcs[irq]; + if (isrc == NULL) { + device_printf(sc->sc_dev, "Stray interrupt %u detected\n", irq); + mpic_mask_irq(irq); + continue; + } + intr_irq_dispatch(isrc, tf); + } + } + + return (FILTER_HANDLED); +} + +static int +mpic_attach_isrc(struct mv_mpic_softc *sc, struct intr_irqsrc *isrc, u_int irq) +{ + const char *name; + + mtx_lock_spin(&sc->mtx); + if (sc->mpic_isrcs[irq] != NULL) { + mtx_unlock_spin(&sc->mtx); + return (sc->mpic_isrcs[irq] == isrc ? 0 : EEXIST); + } + sc->mpic_isrcs[irq] = isrc; + isrc->isrc_data = irq; + mtx_unlock_spin(&sc->mtx); + + name = device_get_nameunit(sc->sc_dev); + intr_irq_set_name(isrc, "%s", name); + + return (0); +} + +#ifdef FDT +static int +mpic_map_fdt(struct mv_mpic_softc *sc, struct intr_irqsrc *isrc, u_int *irqp) +{ + u_int irq; + int error; + + if (isrc->isrc_ncells != 1) + return (EINVAL); + + irq = isrc->isrc_cells[0]; + + error = mpic_attach_isrc(sc, isrc, irq); + if (error != 0) + return (error); + + isrc->isrc_nspc_num = irq; + isrc->isrc_trig = INTR_TRIGGER_CONFORM; + isrc->isrc_pol = INTR_POLARITY_CONFORM; + isrc->isrc_nspc_type = INTR_IRQ_NSPC_PLAIN; + + *irqp = irq; return (0); } +#endif + +static int +mpic_register(device_t dev, struct intr_irqsrc *isrc, boolean_t *is_percpu) +{ + struct mv_mpic_softc *sc; + int error; + u_int irq = 0; + + sc = device_get_softc(dev); + +#ifdef FDT + if (isrc->isrc_type == INTR_ISRCT_FDT) + error = mpic_map_fdt(sc, isrc, &irq); + else +#endif + error = EINVAL; + + if (error == 0) + *is_percpu = irq < MPIC_PPI; + + return (error); +} + +static void +mpic_disable_source(device_t dev, struct intr_irqsrc *isrc) +{ + u_int irq; + + irq = isrc->isrc_data; + mpic_mask_irq(irq); +} + +static void +mpic_enable_source(device_t dev, struct intr_irqsrc *isrc) +{ + u_int irq; + + irq = isrc->isrc_data; + mpic_unmask_irq(irq); +} +static void +mpic_pre_ithread(device_t dev, struct intr_irqsrc *isrc) +{ + + mpic_disable_source(dev, isrc); +} + +static void +mpic_post_ithread(device_t dev, struct intr_irqsrc *isrc) +{ + + mpic_enable_source(dev, isrc); +} +#endif static device_method_t mv_mpic_methods[] = { DEVMETHOD(device_probe, mv_mpic_probe), DEVMETHOD(device_attach, mv_mpic_attach), + +#ifdef ARM_INTRNG + DEVMETHOD(pic_register, mpic_register), + DEVMETHOD(pic_disable_source, mpic_disable_source), + DEVMETHOD(pic_enable_source, mpic_enable_source), + DEVMETHOD(pic_post_ithread, mpic_post_ithread), + DEVMETHOD(pic_pre_ithread, mpic_pre_ithread), +#endif { 0, 0 } }; @@ -189,8 +400,10 @@ static driver_t mv_mpic_driver = { static devclass_t mv_mpic_devclass; -DRIVER_MODULE(mpic, simplebus, mv_mpic_driver, mv_mpic_devclass, 0, 0); +EARLY_DRIVER_MODULE(mpic, simplebus, mv_mpic_driver, mv_mpic_devclass, 0, 0, + BUS_PASS_INTERRUPT); +#ifndef ARM_INTRNG int arm_get_next_irq(int last) { @@ -219,49 +432,42 @@ void arm_mask_irq(uintptr_t nb) { - MPIC_CPU_WRITE(mv_mpic_sc, MPIC_CTP, 1); - - if (nb < ERR_IRQ) { - bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh, - MPIC_ICE, nb); - MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ISM, nb); - } else if (nb < MSI_IRQ) - arm_mask_irq_err(nb); + mpic_mask_irq(nb); } static void arm_mask_irq_err(uintptr_t nb) { - uint32_t mask; - uint8_t bit_off; - bit_off = nb - ERR_IRQ; - mask = MPIC_CPU_READ(mv_mpic_sc, MPIC_ERR_MASK); - mask &= ~(1 << bit_off); - MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ERR_MASK, mask); + mpic_mask_irq_err(nb); } void arm_unmask_irq(uintptr_t nb) { - MPIC_CPU_WRITE(mv_mpic_sc, MPIC_CTP, 0); - - if (nb < ERR_IRQ) { - bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh, - MPIC_ISE, nb); - MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ICM, nb); - } else if (nb < MSI_IRQ) - arm_unmask_irq_err(nb); - - if (nb == 0) - MPIC_CPU_WRITE(mv_mpic_sc, MPIC_IN_DRBL_MASK, 0xffffffff); + mpic_unmask_irq(nb); } void arm_unmask_irq_err(uintptr_t nb) { + + mpic_unmask_irq_err(nb); +} +#endif + +static void +mpic_unmask_msi(void) +{ + + mpic_unmask_irq(MPIC_INT_MSI); +} + +static void +mpic_unmask_irq_err(uintptr_t nb) +{ uint32_t mask; uint8_t bit_off; @@ -276,10 +482,42 @@ arm_unmask_irq_err(uintptr_t nb) } static void -arm_unmask_msi(void) +mpic_mask_irq_err(uintptr_t nb) +{ + uint32_t mask; + uint8_t bit_off; + + bit_off = nb - ERR_IRQ; + mask = MPIC_CPU_READ(mv_mpic_sc, MPIC_ERR_MASK); + mask &= ~(1 << bit_off); + MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ERR_MASK, mask); +} + +static void +mpic_unmask_irq(uintptr_t nb) +{ + + if (nb < ERR_IRQ) { + bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh, + MPIC_ISE, nb); + MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ICM, nb); + } else if (nb < MSI_IRQ) + mpic_unmask_irq_err(nb); + + if (nb == 0) + MPIC_CPU_WRITE(mv_mpic_sc, MPIC_IN_DRBL_MASK, 0xffffffff); +} + +static void +mpic_mask_irq(uintptr_t nb) { - arm_unmask_irq(MPIC_INT_MSI); + if (nb < ERR_IRQ) { + bus_space_write_4(mv_mpic_sc->mpic_bst, mv_mpic_sc->mpic_bsh, + MPIC_ICE, nb); + MPIC_CPU_WRITE(mv_mpic_sc, MPIC_ISM, nb); + } else if (nb < MSI_IRQ) + mpic_mask_irq_err(nb); } uint32_t @@ -313,6 +551,7 @@ mv_mpic_get_msi(void) uint32_t cause; uint8_t bit_off; + KASSERT(mv_mpic_sc->drbl_bst != NULL, ("No doorbell in mv_mpic_get_msi")); cause = MPIC_DRBL_READ(mv_mpic_sc, 0); if (cause) @@ -359,7 +598,8 @@ mv_msi_data(int irq, uint64_t *addr, uint32_t *data) return (0); } -#if defined(SMP) + +#if defined(SMP) && defined(SOC_MV_ARMADAXP) void intr_pic_init_secondary(void) { diff --git a/sys/arm/mv/mvreg.h b/sys/arm/mv/mvreg.h index 65151c1..abfefc1 100644 --- a/sys/arm/mv/mvreg.h +++ b/sys/arm/mv/mvreg.h @@ -67,7 +67,10 @@ #elif defined (SOC_MV_ARMADAXP) #define IRQ_CAUSE 0x18 #define IRQ_MASK 0x30 -#else /* !SOC_MV_DISCOVERY && !SOC_MV_LOKIPLUS */ +#elif defined (SOC_MV_ARMADA38X) +#define MSI_IRQ 0x3ff +#define ERR_IRQ 0x3ff +#else #define IRQ_CAUSE 0x0 #define IRQ_MASK 0x4 #define FIQ_MASK 0x8 diff --git a/sys/boot/fdt/dts/arm/db78460.dts b/sys/boot/fdt/dts/arm/db78460.dts index 8bc04f8..9b4d08f 100644 --- a/sys/boot/fdt/dts/arm/db78460.dts +++ b/sys/boot/fdt/dts/arm/db78460.dts @@ -75,7 +75,7 @@ interrupt-controller; #address-cells = <0>; #interrupt-cells = <1>; - reg = <0x20a00 0x500 0x21000 0x800 0x20400 0x100>; + reg = <0x20a00 0x500 0x21870 0x58 0x20400 0x100>; compatible = "mrvl,mpic"; }; -- cgit v1.1 From 62eed3882c15fad33ee35465eb76ac08bb19da14 Mon Sep 17 00:00:00 2001 From: wma Date: Mon, 14 Mar 2016 07:14:34 +0000 Subject: Add support for USB3.0 on Armada38x This commit provides attachment of xhci-platform for A38X boards, making it possible to mount FreeBSD world from USB3.0 flash. 'xhci' device was added to files.mv (as optional) and kernconf of Armada38x was enhanced. It was also necessary to open programmable memory windows of USB3.0. fdt_win_setup needed improvement so it's able to traverse through children of internal-regs node. Submitted by: Bartosz Szczepanek Obtained from: Semihalf Sponsored by: Stormshield Reviewed by: hselasky Approved by: cognet (mentor) Differential Revision: https://reviews.freebsd.org/D5031 --- sys/arm/conf/ARMADA38X | 1 + sys/arm/mv/files.mv | 1 + sys/arm/mv/mv_common.c | 105 ++++++++++++++++++++++++++++++++++++++++++++++++- sys/arm/mv/mvwin.h | 4 ++ 4 files changed, 109 insertions(+), 2 deletions(-) diff --git a/sys/arm/conf/ARMADA38X b/sys/arm/conf/ARMADA38X index c36187c..7cc7702 100644 --- a/sys/arm/conf/ARMADA38X +++ b/sys/arm/conf/ARMADA38X @@ -71,6 +71,7 @@ device mpcore_timer # USB device usb device ehci +device xhci device umass device scbus device pass diff --git a/sys/arm/mv/files.mv b/sys/arm/mv/files.mv index 29edffb..635173d 100644 --- a/sys/arm/mv/files.mv +++ b/sys/arm/mv/files.mv @@ -27,5 +27,6 @@ dev/nand/nfc_mv.c optional nand dev/mvs/mvs_soc.c optional mvs dev/uart/uart_dev_ns8250.c optional uart dev/usb/controller/ehci_mv.c optional ehci +dev/usb/controller/xhci_mv.c optional xhci kern/kern_clocksource.c standard diff --git a/sys/arm/mv/mv_common.c b/sys/arm/mv/mv_common.c index 31fa748..a1d2a2d 100644 --- a/sys/arm/mv/mv_common.c +++ b/sys/arm/mv/mv_common.c @@ -79,6 +79,7 @@ static int win_eth_can_remap(int i); static int decode_win_cpu_valid(void); #endif static int decode_win_usb_valid(void); +static int decode_win_usb3_valid(void); static int decode_win_eth_valid(void); static int decode_win_pcie_valid(void); static int decode_win_sata_valid(void); @@ -93,6 +94,7 @@ static void decode_win_cpu_setup(void); static int decode_win_sdram_fixup(void); #endif static void decode_win_usb_setup(u_long); +static void decode_win_usb3_setup(u_long); static void decode_win_eth_setup(u_long); static void decode_win_sata_setup(u_long); @@ -100,6 +102,7 @@ static void decode_win_idma_setup(u_long); static void decode_win_xor_setup(u_long); static void decode_win_usb_dump(u_long); +static void decode_win_usb3_dump(u_long); static void decode_win_eth_dump(u_long base); static void decode_win_idma_dump(u_long base); static void decode_win_xor_dump(u_long base); @@ -134,6 +137,7 @@ struct soc_node_spec { static struct soc_node_spec soc_nodes[] = { { "mrvl,ge", &decode_win_eth_setup, &decode_win_eth_dump }, { "mrvl,usb-ehci", &decode_win_usb_setup, &decode_win_usb_dump }, + { "marvell,armada-380-xhci", &decode_win_usb3_setup, &decode_win_usb3_dump }, { "mrvl,sata", &decode_win_sata_setup, NULL }, { "mrvl,xor", &decode_win_xor_setup, &decode_win_xor_dump }, { "mrvl,idma", &decode_win_idma_setup, &decode_win_idma_dump }, @@ -559,7 +563,7 @@ soc_decode_win(void) if (!decode_win_cpu_valid() || !decode_win_usb_valid() || !decode_win_eth_valid() || !decode_win_idma_valid() || !decode_win_pcie_valid() || !decode_win_sata_valid() || - !decode_win_xor_valid()) + !decode_win_xor_valid() || !decode_win_usb3_valid()) return (EINVAL); decode_win_cpu_setup(); @@ -567,7 +571,7 @@ soc_decode_win(void) if (!decode_win_usb_valid() || !decode_win_eth_valid() || !decode_win_idma_valid() || !decode_win_pcie_valid() || !decode_win_sata_valid() || - !decode_win_xor_valid()) + !decode_win_xor_valid() || !decode_win_usb3_valid()) return (EINVAL); #endif if (MV_DUMP_WIN) @@ -600,6 +604,13 @@ WIN_REG_BASE_IDX_RD(win_usb, br, MV_WIN_USB_BASE) WIN_REG_BASE_IDX_WR(win_usb, cr, MV_WIN_USB_CTRL) WIN_REG_BASE_IDX_WR(win_usb, br, MV_WIN_USB_BASE) +#ifdef SOC_MV_ARMADA38X +WIN_REG_BASE_IDX_RD(win_usb3, cr, MV_WIN_USB3_CTRL) +WIN_REG_BASE_IDX_RD(win_usb3, br, MV_WIN_USB3_BASE) +WIN_REG_BASE_IDX_WR(win_usb3, cr, MV_WIN_USB3_CTRL) +WIN_REG_BASE_IDX_WR(win_usb3, br, MV_WIN_USB3_BASE) +#endif + WIN_REG_BASE_IDX_RD(win_eth, br, MV_WIN_ETH_BASE) WIN_REG_BASE_IDX_RD(win_eth, sz, MV_WIN_ETH_SIZE) WIN_REG_BASE_IDX_RD(win_eth, har, MV_WIN_ETH_REMAP) @@ -1118,6 +1129,85 @@ decode_win_usb_setup(u_long base) } /************************************************************************** + * USB3 windows routines + **************************************************************************/ +#ifdef SOC_MV_ARMADA38X +static int +decode_win_usb3_valid(void) +{ + + return (decode_win_can_cover_ddr(MV_WIN_USB3_MAX)); +} + +static void +decode_win_usb3_dump(u_long base) +{ + int i; + + for (i = 0; i < MV_WIN_USB3_MAX; i++) + printf("USB3.0 window#%d: c 0x%08x, b 0x%08x\n", i, + win_usb3_cr_read(base, i), win_usb3_br_read(base, i)); +} + +/* + * Set USB3 decode windows + */ +static void +decode_win_usb3_setup(u_long base) +{ + uint32_t br, cr; + int i, j; + + for (i = 0; i < MV_WIN_USB3_MAX; i++) { + win_usb3_cr_write(base, i, 0); + win_usb3_br_write(base, i, 0); + } + + /* Only access to active DRAM banks is required */ + for (i = 0; i < MV_WIN_DDR_MAX; i++) { + if (ddr_is_active(i)) { + br = ddr_base(i); + cr = (((ddr_size(i) - 1) & + (IO_WIN_SIZE_MASK << IO_WIN_SIZE_SHIFT)) | + (ddr_attr(i) << IO_WIN_ATTR_SHIFT) | + (ddr_target(i) << IO_WIN_TGT_SHIFT) | + IO_WIN_ENA_MASK); + + /* Set the first free USB3.0 window */ + for (j = 0; j < MV_WIN_USB3_MAX; j++) { + if (win_usb3_cr_read(base, j) & IO_WIN_ENA_MASK) + continue; + + win_usb3_br_write(base, j, br); + win_usb3_cr_write(base, j, cr); + break; + } + } + } +} +#else +/* + * Provide dummy functions to satisfy the build + * for SoCs not equipped with USB3 + */ +static int +decode_win_usb3_valid(void) +{ + + return (1); +} + +static void +decode_win_usb3_setup(u_long base) +{ +} + +static void +decode_win_usb3_dump(u_long base) +{ +} +#endif +/************************************************************************** * ETH windows routines **************************************************************************/ @@ -2077,6 +2167,17 @@ fdt_win_setup(void) return (ENXIO); child = OF_child(node); } + /* + * Next, move one more level down to internal-regs node (if + * it is present) and its children. This node also have + * "simple-bus" compatible. + */ + if ((child == 0) && (node == OF_finddevice("simple-bus"))) { + node = fdt_find_compatible(node, "simple-bus", 0); + if (node == 0) + return (0); + child = OF_child(node); + } } return (0); diff --git a/sys/arm/mv/mvwin.h b/sys/arm/mv/mvwin.h index a7a5bf3..a9c2b8c 100644 --- a/sys/arm/mv/mvwin.h +++ b/sys/arm/mv/mvwin.h @@ -242,6 +242,10 @@ #define MV_WIN_USB_BASE(n) (0x10 * (n) + 0x324) #define MV_WIN_USB_MAX 4 +#define MV_WIN_USB3_CTRL(n) (0x8 * (n)) +#define MV_WIN_USB3_BASE(n) (0x8 * (n) + 0x4) +#define MV_WIN_USB3_MAX 8 + #define MV_WIN_ETH_BASE(n) (0x8 * (n) + 0x200) #define MV_WIN_ETH_SIZE(n) (0x8 * (n) + 0x204) #define MV_WIN_ETH_REMAP(n) (0x4 * (n) + 0x280) -- cgit v1.1 From e71ffe7d77bfef641b6ce0567c4fd76f86687cce Mon Sep 17 00:00:00 2001 From: wma Date: Mon, 14 Mar 2016 07:24:08 +0000 Subject: Add xhci_mv.c Add missing xhci driver for Marvell systems. Submitted by: Bartosz Szczepanek Obtained from: Semihalf Sponsored by: Stormshield Reviewed by: hselasky Approved by: cognet (mentor) Differential Revision: https://reviews.freebsd.org/D5031 --- sys/dev/usb/controller/xhci_mv.c | 232 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) create mode 100644 sys/dev/usb/controller/xhci_mv.c diff --git a/sys/dev/usb/controller/xhci_mv.c b/sys/dev/usb/controller/xhci_mv.c new file mode 100644 index 0000000..06b35ce --- /dev/null +++ b/sys/dev/usb/controller/xhci_mv.c @@ -0,0 +1,232 @@ +/*- + * Copyright (c) 2015 Semihalf. + * Copyright (c) 2015 Stormshield. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +__FBSDID("$FreeBSD$"); + +#include "opt_bus.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include +#include +#include +#include + +#include +#include +#include +#include + +#define XHCI_HC_DEVSTR "Marvell Integrated USB 3.0 controller" +#define XHCI_HC_VENDOR "Marvell" + +#define IS_DMA_32B 1 + +static device_attach_t xhci_attach; +static device_detach_t xhci_detach; + +static struct ofw_compat_data compat_data[] = { + {"marvell,armada-380-xhci", true}, + {NULL, false} +}; + +static int +xhci_probe(device_t dev) +{ + + if (!ofw_bus_status_okay(dev)) + return (ENXIO); + + if (!ofw_bus_search_compatible(dev, compat_data)->ocd_data) + return (ENXIO); + + device_set_desc(dev, XHCI_HC_DEVSTR); + + return (BUS_PROBE_DEFAULT); +} + +static int +xhci_attach(device_t dev) +{ + struct xhci_softc *sc = device_get_softc(dev); + int err = 0, rid = 0; + + sc->sc_bus.parent = dev; + sc->sc_bus.devices = sc->sc_devices; + sc->sc_bus.devices_max = XHCI_MAX_DEVICES; + + sc->sc_io_res = bus_alloc_resource_any(dev, SYS_RES_MEMORY, &rid, + RF_ACTIVE); + if (sc->sc_io_res == NULL) { + device_printf(dev, "Failed to map memory\n"); + xhci_detach(dev); + return (ENXIO); + } + + sc->sc_io_tag = rman_get_bustag(sc->sc_io_res); + sc->sc_io_hdl = rman_get_bushandle(sc->sc_io_res); + sc->sc_io_size = rman_get_size(sc->sc_io_res); + + sc->sc_irq_res = bus_alloc_resource_any(dev, SYS_RES_IRQ, &rid, + RF_SHAREABLE | RF_ACTIVE); + if (sc->sc_irq_res == NULL) { + device_printf(dev, "Failed to allocate IRQ\n"); + xhci_detach(dev); + return (ENXIO); + } + + sc->sc_bus.bdev = device_add_child(dev, "usbus", -1); + if (sc->sc_bus.bdev == NULL) { + device_printf(dev, "Failed to add USB device\n"); + xhci_detach(dev); + return (ENXIO); + } + + device_set_ivars(sc->sc_bus.bdev, &sc->sc_bus); + + sprintf(sc->sc_vendor, XHCI_HC_VENDOR); + device_set_desc(sc->sc_bus.bdev, XHCI_HC_DEVSTR); + + err = bus_setup_intr(dev, sc->sc_irq_res, INTR_TYPE_BIO | INTR_MPSAFE, + NULL, (driver_intr_t *)xhci_interrupt, sc, &sc->sc_intr_hdl); + if (err != 0) { + device_printf(dev, "Failed to setup error IRQ, %d\n", err); + sc->sc_intr_hdl = NULL; + xhci_detach(dev); + return (err); + } + + err = xhci_init(sc, dev, IS_DMA_32B); + if (err != 0) { + device_printf(dev, "Failed to init XHCI, with error %d\n", err); + xhci_detach(dev); + return (ENXIO); + } + + err = xhci_start_controller(sc); + if (err != 0) { + device_printf(dev, "Failed to start XHCI controller, with error %d\n", err); + xhci_detach(dev); + return (ENXIO); + } + + err = device_probe_and_attach(sc->sc_bus.bdev); + if (err != 0) { + device_printf(dev, "Failed to initialize USB, with error %d\n", err); + xhci_detach(dev); + return (ENXIO); + } + + return (0); +} + +static int +xhci_detach(device_t dev) +{ + struct xhci_softc *sc = device_get_softc(dev); + device_t bdev; + int err; + + if (sc->sc_bus.bdev != NULL) { + bdev = sc->sc_bus.bdev; + device_detach(bdev); + device_delete_child(dev, bdev); + } + + /* during module unload there are lots of children leftover */ + device_delete_children(dev); + + if (sc->sc_irq_res != NULL && sc->sc_intr_hdl != NULL) { + err = bus_teardown_intr(dev, sc->sc_irq_res, sc->sc_intr_hdl); + if (err != 0) + device_printf(dev, "Could not tear down irq, %d\n", + err); + sc->sc_intr_hdl = NULL; + } + + if (sc->sc_irq_res != NULL) { + bus_release_resource(dev, SYS_RES_IRQ, + rman_get_rid(sc->sc_irq_res), sc->sc_irq_res); + sc->sc_irq_res = NULL; + } + + if (sc->sc_io_res != NULL) { + bus_release_resource(dev, SYS_RES_MEMORY, + rman_get_rid(sc->sc_io_res), sc->sc_io_res); + sc->sc_io_res = NULL; + } + + xhci_uninit(sc); + + return (0); +} + +static device_method_t xhci_methods[] = { + /* Device interface */ + DEVMETHOD(device_probe, xhci_probe), + DEVMETHOD(device_attach, xhci_attach), + DEVMETHOD(device_detach, xhci_detach), + DEVMETHOD(device_suspend, bus_generic_suspend), + DEVMETHOD(device_resume, bus_generic_resume), + DEVMETHOD(device_shutdown, bus_generic_shutdown), + + DEVMETHOD_END +}; + +static driver_t xhci_driver = { + "xhci", + xhci_methods, + sizeof(struct xhci_softc), +}; + +static devclass_t xhci_devclass; + +DRIVER_MODULE(xhci, simplebus, xhci_driver, xhci_devclass, 0, 0); +MODULE_DEPEND(xhci, usb, 1, 1, 1); -- cgit v1.1 From ca92c5bf0943ec24b4a2a0e0b943e40322d9faa4 Mon Sep 17 00:00:00 2001 From: wma Date: Mon, 14 Mar 2016 07:26:38 +0000 Subject: pmap arm64: fixing pmap_invalidate_range It seems that if range within one page is given this page will not be invalidated at all. Clean it up. Submitted by: Dominik Ermel Obtained from: Semihalf Sponsored by: Cavium Reviewed by: wma, zbb Approved by: cognet (mentor) Differential Revision: https://reviews.freebsd.org/D5569 --- sys/arm64/arm64/pmap.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index abc6581..5db731d 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -772,12 +772,10 @@ pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva) vm_offset_t addr; sched_pin(); - sva >>= PAGE_SHIFT; - eva >>= PAGE_SHIFT; __asm __volatile("dsb sy"); - for (addr = sva; addr < eva; addr++) { + for (addr = sva; addr < eva; addr += PAGE_SIZE) { __asm __volatile( - "tlbi vaae1is, %0" : : "r"(addr)); + "tlbi vaae1is, %0" : : "r"(addr >> PAGE_SHIFT)); } __asm __volatile( "dsb sy \n" -- cgit v1.1 From 0b28197a44cdf8f13c5ae1f0eafb4a1baa7946ab Mon Sep 17 00:00:00 2001 From: gnn Date: Mon, 14 Mar 2016 08:48:16 +0000 Subject: Fix typo: nmd->cur_tx_ring should be used in pci_vtnet_netmap_writev() The buffer length should be checked to avoid overflow, but there is no API to get the slot length, so the hardcoded value is used. Return the currently-first request chain back to the available queue if there are no more packets. Report the link as up if we managed to open vale port. Use consistent coding style. Submitted by: btw MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D5595 --- usr.sbin/bhyve/pci_virtio_net.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/usr.sbin/bhyve/pci_virtio_net.c b/usr.sbin/bhyve/pci_virtio_net.c index 6f264a7..9f220d1 100644 --- a/usr.sbin/bhyve/pci_virtio_net.c +++ b/usr.sbin/bhyve/pci_virtio_net.c @@ -381,7 +381,7 @@ pci_vtnet_tap_rx(struct pci_vtnet_softc *sc) vq_endchains(vq, 1); } -static int +static __inline int pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt) { int r, i; @@ -396,7 +396,7 @@ pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt) r++; if (r > nmd->last_tx_ring) r = nmd->first_tx_ring; - if (r == nmd->cur_rx_ring) + if (r == nmd->cur_tx_ring) break; continue; } @@ -405,6 +405,8 @@ pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt) buf = NETMAP_BUF(ring, idx); for (i = 0; i < iovcnt; i++) { + if (len + iov[i].iov_len > 2048) + break; memcpy(&buf[len], iov[i].iov_base, iov[i].iov_len); len += iov[i].iov_len; } @@ -418,7 +420,7 @@ pci_vtnet_netmap_writev(struct nm_desc *nmd, struct iovec *iov, int iovcnt) return (len); } -static inline int +static __inline int pci_vtnet_netmap_readv(struct nm_desc *nmd, struct iovec *iov, int iovcnt) { int len = 0; @@ -548,6 +550,7 @@ pci_vtnet_netmap_rx(struct pci_vtnet_softc *sc) * No more packets, but still some avail ring * entries. Interrupt if needed/appropriate. */ + vq_retchain(vq); vq_endchains(vq, 0); return; } @@ -884,8 +887,9 @@ pci_vtnet_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts) pci_set_cfgdata16(pi, PCIR_SUBDEV_0, VIRTIO_TYPE_NET); pci_set_cfgdata16(pi, PCIR_SUBVEND_0, VIRTIO_VENDOR); - /* Link is up if we managed to open tap device. */ - sc->vsc_config.status = (opts == NULL || sc->vsc_tapfd >= 0); + /* Link is up if we managed to open tap device or vale port. */ + sc->vsc_config.status = (opts == NULL || sc->vsc_tapfd >= 0 || + sc->vsc_nmd != NULL); /* use BAR 1 to map MSI-X table and PBA, if we're using MSI-X */ if (vi_intr_init(&sc->vsc_vs, 1, fbsdrun_virtio_msix())) -- cgit v1.1 From 4503cb7236ea626a42d4c158fe822c2466b8050f Mon Sep 17 00:00:00 2001 From: bz Date: Mon, 14 Mar 2016 14:55:15 +0000 Subject: Only check for SYS_freebsd6_lseek if the syscall code is defined. Whether this is the right or best solution is unclear but it fixes the build for now. --- sys/arm/arm/vm_machdep.c | 11 ++++++++--- sys/powerpc/powerpc/exec_machdep.c | 7 +++++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/sys/arm/arm/vm_machdep.c b/sys/arm/arm/vm_machdep.c index 6a70cbf..70d6c70 100644 --- a/sys/arm/arm/vm_machdep.c +++ b/sys/arm/arm/vm_machdep.c @@ -40,6 +40,8 @@ * Utah $Hdr: vm_machdep.c 1.16.1.1 89/06/23$ */ +#include "opt_compat.h" + #include __FBSDID("$FreeBSD$"); @@ -180,7 +182,7 @@ cpu_set_syscall_retval(struct thread *td, int error) /* * __syscall returns an off_t while most other syscalls return an * int. As an off_t is 64-bits and an int is 32-bits we need to - * place the returned data into r1. As the lseek and frerebsd6_lseek + * place the returned data into r1. As the lseek and freebsd6_lseek * syscalls also return an off_t they do not need this fixup. */ call = frame->tf_r7; @@ -189,8 +191,11 @@ cpu_set_syscall_retval(struct thread *td, int error) register_t code = ap[_QUAD_LOWWORD]; if (td->td_proc->p_sysent->sv_mask) code &= td->td_proc->p_sysent->sv_mask; - fixup = (code != SYS_freebsd6_lseek && code != SYS_lseek) - ? 1 : 0; + fixup = ( +#if defined(COMPAT_FREEBSD6) && defined(SYS_freebsd6_lseek) + code != SYS_freebsd6_lseek && +#endif + code != SYS_lseek) ? 1 : 0; } #endif diff --git a/sys/powerpc/powerpc/exec_machdep.c b/sys/powerpc/powerpc/exec_machdep.c index 4e56429..1acc180 100644 --- a/sys/powerpc/powerpc/exec_machdep.c +++ b/sys/powerpc/powerpc/exec_machdep.c @@ -879,8 +879,11 @@ cpu_set_syscall_retval(struct thread *td, int error) int code = tf->fixreg[FIRSTARG + 1]; if (p->p_sysent->sv_mask) code &= p->p_sysent->sv_mask; - fixup = (code != SYS_freebsd6_lseek && code != SYS_lseek) ? - 1 : 0; + fixup = ( +#if defined(COMPAT_FREEBSD6) && defined(SYS_freebsd6_lseek) + code != SYS_freebsd6_lseek && +#endif + code != SYS_lseek) ? 1 : 0; } else fixup = 0; -- cgit v1.1 From e174e366c39ecdad427766b27a523866b68a3467 Mon Sep 17 00:00:00 2001 From: bz Date: Mon, 14 Mar 2016 16:19:50 +0000 Subject: Fix the printf for PAE kernels where it'd be long long to unbreak the build. --- sys/dev/drm2/i915/i915_gem_gtt.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/sys/dev/drm2/i915/i915_gem_gtt.c b/sys/dev/drm2/i915/i915_gem_gtt.c index 4b8163d..f0e7f7a 100644 --- a/sys/dev/drm2/i915/i915_gem_gtt.c +++ b/sys/dev/drm2/i915/i915_gem_gtt.c @@ -565,9 +565,10 @@ void i915_gem_init_global_gtt(struct drm_device *dev, i915_ggtt_clear_range(dev, start / PAGE_SIZE, (end-start) / PAGE_SIZE); device_printf(dev->dev, - "taking over the fictitious range 0x%lx-0x%lx\n", - dev_priv->mm.gtt_base_addr + start, - dev_priv->mm.gtt_base_addr + start + dev_priv->mm.mappable_gtt_total); + "taking over the fictitious range 0x%jx-0x%jx\n", + (uintmax_t)(dev_priv->mm.gtt_base_addr + start), + (uintmax_t)(dev_priv->mm.gtt_base_addr + start + + dev_priv->mm.mappable_gtt_total)); vm_phys_fictitious_reg_range(dev_priv->mm.gtt_base_addr + start, dev_priv->mm.gtt_base_addr + start + dev_priv->mm.mappable_gtt_total, VM_MEMATTR_WRITE_COMBINING); -- cgit v1.1 From 48389930731c6f05e9da399fe426bf955751bd2a Mon Sep 17 00:00:00 2001 From: trasz Date: Mon, 14 Mar 2016 16:27:43 +0000 Subject: Add myself to MAINTAINERS. MFC after: 1 month Sponsored by: The FreeBSD Foundation --- MAINTAINERS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 07d0c16..4b2cd3f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -102,3 +102,6 @@ usr.sbin/dpv dteske Pre-commit review requested. Keep in sync with libdpv. usr.sbin/pkg pkg@ Please coordinate behavior or flag changes with pkg team. usr.sbin/sysrc dteske Pre-commit phabricator review requested. Keep in sync with bsdconfig(8) sysrc.subr. vmm(4) neel,grehan Pre-commit review requested. +autofs(5) trasz Pre-commit review recommended. +iscsi(4) trasz Pre-commit review recommended. +rctl(8) trasz Pre-commit review recommended. -- cgit v1.1 From cf71765763cf9f8e2ca479db2820a0ef093a05cd Mon Sep 17 00:00:00 2001 From: adrian Date: Mon, 14 Mar 2016 16:52:05 +0000 Subject: class -> i_class. Thanks C++. Noticed by: jbeich@ --- sys/net80211/ieee80211.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/net80211/ieee80211.h b/sys/net80211/ieee80211.h index 7364db1..0a25392 100644 --- a/sys/net80211/ieee80211.h +++ b/sys/net80211/ieee80211.h @@ -797,7 +797,7 @@ struct ieee80211_bss_load_ie { struct ieee80211_ap_chan_report_ie { uint8_t ie; uint8_t len; - uint8_t class; /* operating class */ + uint8_t i_class; /* operating class */ /* Annex E, E.1 Country information and operating classes */ uint8_t chan_list[0]; } __packed; -- cgit v1.1 From 0d936d56361bdcc2139fc4e2e0e9f57ecca8151b Mon Sep 17 00:00:00 2001 From: rstone Date: Mon, 14 Mar 2016 17:41:17 +0000 Subject: Clean up repeated "All rights reserved" --- sys/dev/pci/pci_iov.c | 2 +- sys/dev/pci/pci_iov_private.h | 2 +- sys/dev/pci/pci_iov_schema.c | 2 +- sys/dev/pci/schema_private.h | 2 +- sys/sys/iov.h | 2 +- sys/sys/iov_schema.h | 2 +- usr.sbin/iovctl/iovctl.c | 2 +- usr.sbin/iovctl/iovctl.h | 2 +- usr.sbin/iovctl/parse.c | 2 +- usr.sbin/iovctl/validate.c | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/sys/dev/pci/pci_iov.c b/sys/dev/pci/pci_iov.c index 6d66498..8189ffb 100644 --- a/sys/dev/pci/pci_iov.c +++ b/sys/dev/pci/pci_iov.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2013-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/sys/dev/pci/pci_iov_private.h b/sys/dev/pci/pci_iov_private.h index 99fff1a..6938e2e 100644 --- a/sys/dev/pci/pci_iov_private.h +++ b/sys/dev/pci/pci_iov_private.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2013-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/sys/dev/pci/pci_iov_schema.c b/sys/dev/pci/pci_iov_schema.c index 36d56d0..e324a1d 100644 --- a/sys/dev/pci/pci_iov_schema.c +++ b/sys/dev/pci/pci_iov_schema.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2014-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/sys/dev/pci/schema_private.h b/sys/dev/pci/schema_private.h index 6650331..a61fa1c 100644 --- a/sys/dev/pci/schema_private.h +++ b/sys/dev/pci/schema_private.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2014 Sandvine Inc. All rights reserved. + * Copyright (c) 2014 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/sys/sys/iov.h b/sys/sys/iov.h index 139bf4e..6dfed1b 100644 --- a/sys/sys/iov.h +++ b/sys/sys/iov.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2013-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/sys/sys/iov_schema.h b/sys/sys/iov_schema.h index 45c08af..7157f63 100644 --- a/sys/sys/iov_schema.h +++ b/sys/sys/iov_schema.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2014-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/usr.sbin/iovctl/iovctl.c b/usr.sbin/iovctl/iovctl.c index 6c69f52..e25320e 100644 --- a/usr.sbin/iovctl/iovctl.c +++ b/usr.sbin/iovctl/iovctl.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2013-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/usr.sbin/iovctl/iovctl.h b/usr.sbin/iovctl/iovctl.h index 21d7e5c..20b2da0 100644 --- a/usr.sbin/iovctl/iovctl.h +++ b/usr.sbin/iovctl/iovctl.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2013-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2013-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/usr.sbin/iovctl/parse.c b/usr.sbin/iovctl/parse.c index b2ec395..347b35f 100644 --- a/usr.sbin/iovctl/parse.c +++ b/usr.sbin/iovctl/parse.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2014-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/usr.sbin/iovctl/validate.c b/usr.sbin/iovctl/validate.c index 789175a..6658a8c 100644 --- a/usr.sbin/iovctl/validate.c +++ b/usr.sbin/iovctl/validate.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2014-2015 Sandvine Inc. All rights reserved. + * Copyright (c) 2014-2015 Sandvine Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without -- cgit v1.1 From 40281bf8c8df2d1c9f1eae426caf6b0359cafd51 Mon Sep 17 00:00:00 2001 From: trasz Date: Mon, 14 Mar 2016 17:45:39 +0000 Subject: Fix autofs handling of filesystem labels containing plus signs and slashes. MFC after: 1 month Sponsored by: The FreeBSD Foundation --- etc/autofs/special_media | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/autofs/special_media b/etc/autofs/special_media index 2a654b1..32f9478 100755 --- a/etc/autofs/special_media +++ b/etc/autofs/special_media @@ -19,6 +19,9 @@ print_available() { _fstype="${_fstype_and_label%% *}" if [ "${_fstype}" != "${_fstype_and_label}" ]; then _label="${_fstype_and_label#* }" + # Replace plus signs and slashes with minuses; + # leading plus signs have special meaning in maps, + _label="$(echo ${_label} | sed 's,[+/],-,g')" echo "${_label}" continue fi @@ -54,6 +57,10 @@ print_one() { fi _label="${_fstype_and_label#* }" + # Replace plus signs and slashes with minuses; + # leading plus signs have special meaning in maps, + # and multi-component keys are just not supported. + _label="$(echo ${_label} | sed 's,[+/],-,g')" if [ "${_label}" != "${_key}" ]; then # Labels don't match, try another device. continue -- cgit v1.1 From 36673fece0f08007e5d5267e4ff62c038bbe6d29 Mon Sep 17 00:00:00 2001 From: glebius Date: Mon, 14 Mar 2016 18:06:59 +0000 Subject: Comment fix: statistics are not read-only. --- sys/netinet/tcp_var.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h index 32aa0bb..2f23881 100644 --- a/sys/netinet/tcp_var.h +++ b/sys/netinet/tcp_var.h @@ -666,7 +666,7 @@ struct xtcpcb { */ #define TCPCTL_DO_RFC1323 1 /* use RFC-1323 extensions */ #define TCPCTL_MSSDFLT 3 /* MSS default */ -#define TCPCTL_STATS 4 /* statistics (read-only) */ +#define TCPCTL_STATS 4 /* statistics */ #define TCPCTL_RTTDFLT 5 /* default RTT estimate */ #define TCPCTL_KEEPIDLE 6 /* keepalive idle timer */ #define TCPCTL_KEEPINTVL 7 /* interval to send keepalives */ -- cgit v1.1 From aab6aadc586e30f7b3512d20c6a5f780bddc2de3 Mon Sep 17 00:00:00 2001 From: glebius Date: Mon, 14 Mar 2016 18:07:59 +0000 Subject: Remove useless cast in SYSCTL_ADD_COUNTER_U64 macro. --- sys/sys/sysctl.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h index ec40d29..7c1e79c 100644 --- a/sys/sys/sysctl.h +++ b/sys/sys/sysctl.h @@ -640,12 +640,11 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry); #define SYSCTL_ADD_COUNTER_U64(ctx, parent, nbr, name, access, ptr, descr) \ ({ \ - counter_u64_t *__ptr = (ptr); \ CTASSERT(((access) & CTLTYPE) == 0 || \ ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_U64); \ sysctl_add_oid(ctx, parent, nbr, name, \ CTLTYPE_U64 | CTLFLAG_MPSAFE | (access), \ - __ptr, 0, sysctl_handle_counter_u64, "QU", __DESCR(descr)); \ + ptr, 0, sysctl_handle_counter_u64, "QU", __DESCR(descr)); \ }) /* Oid for an opaque object. Specified by a pointer and a length. */ -- cgit v1.1