Date: Sun, 14 Feb 2021 21:11:28 GMT
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org
Subject: git: 3bbd8dc96b44 - vendor/openssh - Vendor import of OpenSSH 8.4p1
Message-ID: <202102142111.11ELBSNs033969@gitrepo.freebsd.org>
The branch vendor/openssh has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7 commit 3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2021-02-14 21:09:58 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2021-02-14 21:09:58 +0000 Vendor import of OpenSSH 8.4p1 --- .depend | 6 +- .github/run_test.sh | 34 + .github/setup_ci.sh | 51 + .github/workflows/c-cpp.yml | 39 + .gitignore | 3 + .skipped-commit-ids | 2 + ChangeLog | 16487 +++++++++---------- INSTALL | 16 +- Makefile.in | 23 +- PROTOCOL | 6 +- PROTOCOL.agent | 2 + PROTOCOL.sshsig | 3 +- PROTOCOL.u2f | 130 +- README | 2 +- aclocal.m4 | 193 +- auth-options.c | 20 +- auth-options.h | 4 +- auth-pam.c | 6 +- auth.c | 9 +- auth2-pubkey.c | 18 +- auth2.c | 26 +- authfd.c | 6 +- authfd.h | 6 +- authfile.c | 10 +- channels.c | 9 +- channels.h | 9 +- clientloop.c | 38 +- compat.c | 44 +- compat.h | 8 +- config.h.in | 21 + configure | 734 +- configure.ac | 94 +- contrib/gnome-ssh-askpass2.c | 99 +- contrib/redhat/openssh.spec | 7 +- contrib/ssh-copy-id | 158 +- contrib/ssh-copy-id.1 | 2 +- contrib/suse/openssh.spec | 6 +- defines.h | 4 - hostfile.c | 54 +- hostfile.h | 5 +- kex.c | 6 +- kexdh.c | 3 +- krl.c | 7 +- log.c | 10 +- loginrec.c | 3 + m4/openssh.m4 | 199 + match.c | 12 +- match.h | 6 +- misc.c | 263 +- misc.h | 6 +- moduli | 867 +- moduli.0 | 2 +- monitor.c | 21 +- monitor_wrap.c | 4 +- monitor_wrap.h | 5 +- msg.c | 4 +- mux.c | 14 +- openbsd-compat/bcrypt_pbkdf.c | 4 +- openbsd-compat/memmem.c | 216 +- openbsd-compat/port-net.c | 7 +- openbsd-compat/sys-queue.h | 375 +- packet.c | 11 +- readconf.c | 113 +- readconf.h | 3 +- readpass.c | 46 +- regress/Makefile | 5 +- regress/addrmatch.sh | 14 +- regress/agent-subprocess.sh | 22 + regress/agent.sh | 73 +- regress/misc/sk-dummy/sk-dummy.c | 2 +- regress/multiplex.sh | 14 +- regress/netcat.c | 38 +- regress/percent.sh | 51 +- regress/servcfginclude.sh | 36 
+- regress/unittests/Makefile | 4 +- regress/unittests/match/tests.c | 4 +- regress/unittests/misc/tests.c | 88 +- regress/unittests/sshkey/mktestdata.sh | 53 +- regress/unittests/sshkey/test_file.c | 133 +- regress/unittests/sshkey/test_fuzz.c | 4 +- regress/unittests/sshkey/test_sshkey.c | 9 +- regress/unittests/sshkey/testdata/ecdsa_sk1 | 13 + .../unittests/sshkey/testdata/ecdsa_sk1-cert.fp | 1 + .../unittests/sshkey/testdata/ecdsa_sk1-cert.pub | 1 + regress/unittests/sshkey/testdata/ecdsa_sk1.fp | 1 + regress/unittests/sshkey/testdata/ecdsa_sk1.fp.bb | 1 + regress/unittests/sshkey/testdata/ecdsa_sk1.pub | 1 + regress/unittests/sshkey/testdata/ecdsa_sk1_pw | 14 + regress/unittests/sshkey/testdata/ecdsa_sk2 | 13 + regress/unittests/sshkey/testdata/ecdsa_sk2.fp | 1 + regress/unittests/sshkey/testdata/ecdsa_sk2.fp.bb | 1 + regress/unittests/sshkey/testdata/ecdsa_sk2.pub | 1 + regress/unittests/sshkey/testdata/ed25519_sk1 | 8 + .../unittests/sshkey/testdata/ed25519_sk1-cert.fp | 1 + .../unittests/sshkey/testdata/ed25519_sk1-cert.pub | 1 + regress/unittests/sshkey/testdata/ed25519_sk1.fp | 1 + .../unittests/sshkey/testdata/ed25519_sk1.fp.bb | 1 + regress/unittests/sshkey/testdata/ed25519_sk1.pub | 1 + regress/unittests/sshkey/testdata/ed25519_sk1_pw | 9 + regress/unittests/sshkey/testdata/ed25519_sk2 | 8 + regress/unittests/sshkey/testdata/ed25519_sk2.fp | 1 + .../unittests/sshkey/testdata/ed25519_sk2.fp.bb | 1 + regress/unittests/sshkey/testdata/ed25519_sk2.pub | 1 + regress/unittests/sshsig/Makefile | 25 + regress/unittests/sshsig/mktestdata.sh | 42 + regress/unittests/sshsig/testdata/dsa | 12 + regress/unittests/sshsig/testdata/dsa.pub | 1 + regress/unittests/sshsig/testdata/dsa.sig | 13 + regress/unittests/sshsig/testdata/ecdsa | 5 + regress/unittests/sshsig/testdata/ecdsa.pub | 1 + regress/unittests/sshsig/testdata/ecdsa.sig | 7 + regress/unittests/sshsig/testdata/ecdsa_sk | 13 + regress/unittests/sshsig/testdata/ecdsa_sk.pub | 1 + 
regress/unittests/sshsig/testdata/ecdsa_sk.sig | 8 + .../sshsig/testdata/ecdsa_sk_webauthn.pub | 1 + .../sshsig/testdata/ecdsa_sk_webauthn.sig | 13 + regress/unittests/sshsig/testdata/ed25519 | 7 + regress/unittests/sshsig/testdata/ed25519.pub | 1 + regress/unittests/sshsig/testdata/ed25519.sig | 6 + regress/unittests/sshsig/testdata/ed25519_sk | 8 + regress/unittests/sshsig/testdata/ed25519_sk.pub | 1 + regress/unittests/sshsig/testdata/ed25519_sk.sig | 7 + regress/unittests/sshsig/testdata/namespace | 1 + regress/unittests/sshsig/testdata/rsa | 39 + regress/unittests/sshsig/testdata/rsa.pub | 1 + regress/unittests/sshsig/testdata/rsa.sig | 19 + regress/unittests/sshsig/testdata/signed-data | 1 + regress/unittests/sshsig/tests.c | 139 + regress/unittests/sshsig/webauthn.html | 692 + scp.0 | 7 +- scp.1 | 11 +- scp.c | 20 +- servconf.c | 85 +- servconf.h | 11 +- serverloop.c | 4 +- session.c | 43 +- sftp-client.c | 4 +- sftp-server.0 | 22 +- sftp-server.8 | 22 +- sftp-server.c | 39 +- sftp.0 | 7 +- sftp.1 | 11 +- sftp.c | 11 +- sk-api.h | 7 +- sk-usbhid.c | 626 +- ssh-add.0 | 20 +- ssh-add.1 | 35 +- ssh-add.c | 92 +- ssh-agent.0 | 20 +- ssh-agent.1 | 23 +- ssh-agent.c | 158 +- ssh-ecdsa-sk.c | 169 +- ssh-keygen.0 | 47 +- ssh-keygen.1 | 41 +- ssh-keygen.c | 336 +- ssh-keyscan.0 | 2 +- ssh-keyscan.c | 18 +- ssh-keysign.0 | 2 +- ssh-keysign.c | 4 +- ssh-pkcs11-helper.0 | 2 +- ssh-pkcs11.c | 5 +- ssh-sk-helper.c | 13 +- ssh-sk.c | 47 +- ssh.0 | 12 +- ssh.1 | 23 +- ssh.c | 128 +- ssh.h | 7 +- ssh_api.c | 14 +- ssh_config | 3 +- ssh_config.0 | 67 +- ssh_config.5 | 85 +- sshbuf-getput-basic.c | 4 +- sshbuf-misc.c | 47 +- sshbuf.h | 6 +- sshconnect.c | 10 +- sshconnect2.c | 107 +- sshd.0 | 7 +- sshd.8 | 11 +- sshd.c | 120 +- sshd_config.0 | 27 +- sshd_config.5 | 25 +- sshkey.c | 26 +- sshkey.h | 11 +- sshsig.c | 17 +- sshsig.h | 9 +- version.h | 4 +- 186 files changed, 14315 insertions(+), 10715 deletions(-) 
diff --git a/.depend b/.depend index 1ccc1dcc75c2..f05bd9d7483c 100644 --- a/.depend +++ b/.depend 
@@ -60,7 +60,7 @@ gss-serv-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h 
openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h -hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h ssherr.h digest.h hmac.h +hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h 
openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h pathnames.h ssherr.h digest.h hmac.h kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h ssh2.h atomicio.h version.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h log.h match.h kex.o: misc.h monitor.h ssherr.h sshbuf.h digest.h kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h 
openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h ssh2.h 
@@ -125,8 +125,8 @@ sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h pathnames.h misc.h utf8.h sftp.h ssherr.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sntrup4591761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h 
openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h -ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h ssh-sk.h -ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h 
openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h +ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h ssh-sk.h sk-api.h +ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h 
openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h sshbuf.h ssherr.h digest.h sshkey.h ssh-ecdsa.o: 
includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h diff --git a/.github/run_test.sh b/.github/run_test.sh new file mode 100755 index 000000000000..93c3a5e9ed9d --- /dev/null +++ b/.github/run_test.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash + +TARGETS=$@ + +TEST_TARGET="tests" +LTESTS="" # all tests by default + +set -ex + +for TARGET in $TARGETS; do + case $TARGET in + --without-openssl) + # When built without OpenSSL we can't do the file-based RSA key tests. + TEST_TARGET=t-exec + ;; + esac +done + +if [ -z "$LTESTS" ]; then + make $TEST_TARGET + result=$? +else + make $TEST_TARGET LTESTS="$LTESTS" + result=$? +fi + +if [ "$result" -ne "0" ]; then + for i in regress/failed*; do + echo ------------------------------------------------------------------------- + echo LOGFILE $i + cat $i + echo ------------------------------------------------------------------------- + done +fi diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh new file mode 100755 index 000000000000..e2474ccd7460 --- /dev/null +++ b/.github/setup_ci.sh 
@@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +TARGETS=$@ + +PACKAGES="" +INSTALL_FIDO_PPA="no" + +#echo "Setting up for '$TARGETS'" + +set -ex + +lsb_release -a + +for TARGET in $TARGETS; do + case $TARGET in + ""|--without-openssl|--without-zlib) + # nothing to do + ;; + "--with-kerberos5") + PACKAGES="$PACKAGES heimdal-dev" + #PACKAGES="$PACKAGES libkrb5-dev" + ;; + "--with-libedit") + PACKAGES="$PACKAGES libedit-dev" + ;; + "--with-pam") + PACKAGES="$PACKAGES libpam0g-dev" + ;; + "--with-security-key-builtin") + INSTALL_FIDO_PPA="yes" + PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev" + ;; + "--with-selinux") + PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev" + ;; + *) echo "Invalid option" + exit 1 + ;; + esac +done + +if [ "yes" == "$INSTALL_FIDO_PPA" ]; then + sudo apt update -qq + sudo apt install software-properties-common + sudo apt-add-repository ppa:yubico/stable +fi + +if [ "x" != "x$PACKAGES" ]; then + sudo apt update -qq + sudo apt install -qy $PACKAGES +fi diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml new file mode 100644 index 000000000000..2189756bbf8f --- /dev/null +++ b/.github/workflows/c-cpp.yml @@ -0,0 +1,39 @@ +name: C/C++ CI + +on: + push: + branches: [ master, ci ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + strategy: + matrix: + configs: + - "" + - "--with-kerberos5" + - "--with-libedit" + - "--with-pam" + - "--with-security-key-builtin" + - "--with-selinux" + - "--with-kerberos5 --with-libedit --with-pam --with-security-key-builtin --with-selinux" + - "--without-openssl --without-zlib" + + steps: + - uses: actions/checkout@v2 + - name: setup CI system + run: ./.github/setup_ci.sh ${{ matrix.configs }} + - name: autoreconf + run: autoreconf + - name: configure + run: ./configure ${{ matrix.configs }} + - name: make + run: make + - name: make tests + run: ./.github/run_test.sh ${{ matrix.configs }} + env: + TEST_SSH_UNSAFE_PERMISSIONS: 1 
diff --git a/.gitignore b/.gitignore index 34a95721dc66..5e4ae5a60d06 100644 --- a/.gitignore +++ b/.gitignore @@ -2,9 +2,11 @@ Makefile buildpkg.sh config.h config.h.in +config.h.in~ config.log config.status configure +aclocal.m4 openbsd-compat/Makefile openbsd-compat/regress/Makefile openssh.xml @@ -30,4 +32,5 @@ ssh-pkcs11-helper ssh-sk-helper sshd !regress/misc/fuzz-harness/Makefile +!regress/unittests/sshsig/Makefile tags diff --git a/.skipped-commit-ids b/.skipped-commit-ids index 611d1093d1b8..6abbb99bca55 100644 --- a/.skipped-commit-ids +++ b/.skipped-commit-ids @@ -19,6 +19,8 @@ d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc 7b7b619c1452a459310b0cf4391c5757c6bdbc0f moduli update 5010ff08f7ad92082e87dde098b20f5c24921a8f moduli regen script update 3bcae7a754db3fc5ad3cab63dd46774edb35b8ae moduli regen script update +52ff0e3205036147b2499889353ac082e505ea54 moduli update +07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 Makefile.inc Old upstream tree: diff --git a/ChangeLog b/ChangeLog index f283a8b3f455..bcaa38f94386 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,12677 +1,12492 @@ -commit 9ca7e9c861775dd6c6312bc8aaab687403d24676 +commit 279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29 Author: Damien Miller <djm@mindrot.org> -Date: Wed May 27 10:38:00 2020 +1000 +Date: Sun Sep 27 17:25:01 2020 +1000 - depend + update version numbers -commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1 +commit 58ca6ab6ff035ed12b5078e3e9c7199fe72c8587 Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon May 18 04:29:35 2020 +0000 +Date: Sun Sep 27 07:22:05 2020 +0000 - upstream: avoid possible NULL deref; from Pedro Martelletto + upstream: openssh 8.4 - OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721 + OpenBSD-Commit-ID: a29e5b372d2c00e297da8a35a3b87c9beb3b4a58 -commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d +commit 9bb8a303ce05ff13fb421de991b495930be103c3 Author: Damien Miller <djm@mindrot.org> -Date: Thu May 14 12:22:09 2020 +1000 +Date: Tue Sep 22 10:07:43 2020 +1000 - prefer ln to cp for temporary copy of sshd - - I saw failures on the reexec fallback test on Darwin 19.4 where - fork()ed children of a process that had it's executable removed - would instantly fail. Using ln to preserve the inode avoids this. + sync with upstream ssh-copy-id rev f0da1a1b7 -commit f700d316c6b15a9cfbe87230d2dca81a5d916279 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed May 13 15:24:51 2020 +1000 +commit 0a4a5571ada76b1b012bec9cf6ad1203fc19ec8d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 21 07:29:09 2020 +0000 - Actually skip pty tests when needed. + upstream: close stdin when forking after authentication too; ok markus + + OpenBSD-Commit-ID: 43db17e4abc3e6b4a7b033aa8cdab326a7cb6c24 -commit 08ce6b2210f46f795e7db747809f8e587429dfd2 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed May 13 13:56:45 2020 +1000 +commit d14fe25e6c3b89f8af17e2894046164ac3b45688 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 20 23:31:46 2020 +0000 - Skip building sk-dummy library if no SK support. 
+ upstream: close stdout/stderr after "ssh -f ..." forking + + bz#3137, ok markus + + OpenBSD-Commit-ID: e2d83cc4dea1665651a7aa924ad1ed6bcaaab3e2 -commit 102d106bc2e50347d0e545fad6ff5ce408d67247 +commit 53a33a0d745179c02108589e1722457ca8ae4372 Author: Damien Miller <djm@mindrot.org> -Date: Wed May 13 12:08:34 2020 +1000 +Date: Sun Sep 20 15:57:09 2020 +1000 - explicitly manage .depend and .depend.bak + .depend + +commit 107eb3eeafcd390e1fa7cc7672a05e994d14013e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 20 05:47:25 2020 +0000 + + upstream: cap channel input buffer size at 16MB; avoids high memory use - Bring back removal of .depend to give the file a known state before - running makedepend, but manually move aside the current .depend file - and restore it as .depend.bak afterwards so the stale .depend check - works as expected. + when peer advertises a large window but is slow to consume the data we send + (e.g. because of a slow network) + + reported by Pierre-Yves David + + fix with & ok markus@ + + OpenBSD-Commit-ID: 1452771f5e5e768876d3bfe2544e3866d6ade216 -commit 83a6dc6ba1e03b3fa39d12a8522b8b0e68dd6390 +commit acfe2ac5fe033e227ad3a56624fbbe4af8b5da04 Author: Damien Miller <djm@mindrot.org> -Date: Wed May 13 12:03:42 2020 +1000 +Date: Fri Sep 18 22:02:53 2020 +1000 - make depend + libfido2 1.5.0 is recommended -commit 7c0bbed967abed6301a63e0267cc64144357a99a -Author: Damien Miller <djm@mindrot.org> -Date: Wed May 13 12:01:10 2020 +1000 +commit 52a03e9fca2d74eef953ddd4709250f365ca3975 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 18 08:16:38 2020 +0000 - revert removal of .depend before makedepend + upstream: handle multiple messages in a single read() - Commit 83657eac4 started removing .depend before running makedepend - to reset the contents of .depend to a known state. Unfortunately - this broke the depend-check step as now .depend.bak would only ever - be created as an empty file. 
+ PR#183 by Dennis Kaarsemaker; feedback and ok markus@ - ok dtucker + OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1 -commit 58ad004acdcabf3b9f40bc3aaa206b25d998db8c -Author: Damien Miller <djm@mindrot.org> -Date: Tue May 12 12:58:46 2020 +1000 +commit dc098405b2939146e17567a25b08fc6122893cdf +Author: pedro martelletto <pedro@ambientworks.net> +Date: Fri Sep 18 08:57:29 2020 +0200 - prepare for 8.3 release + configure.ac: add missing includes + + when testing, make sure to include the relevant header files that + declare the types of the functions used by the test: + + - stdio.h for printf(); + - stdlib.h for exit(); + - string.h for strcmp(); + - unistd.h for unlink(), _exit(), fork(), getppid(), sleep(). -commit 4fa9e048c2af26beb7dc2ee9479ff3323e92a7b5 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 8 21:50:43 2020 +1000 +commit b3855ff053f5078ec3d3c653cdaedefaa5fc362d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 18 05:23:03 2020 +0000 - Ensure SA_SIGNAL test only signals itself. + upstream: tweak the client hostkey preference ordering algorithm to - When the test's child signals its parent and it exits the result of - getppid changes. On Ubuntu 20.04 this results in the ppid being that - of the GDM session, causing it to exit. Analysis and testing from pedro - at ambientworks.net + prefer the default ordering if the user has a key that matches the + best-preference default algorithm. + + feedback and ok markus@ + + OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f -commit dc2da29aae76e170d22f38bb36f1f5d1edd5ec2b +commit f93b187ab900c7d12875952cc63350fe4de8a0a8 Author: Damien Miller <djm@mindrot.org> -Date: Fri May 8 13:31:53 2020 +1000 +Date: Fri Sep 18 14:55:48 2020 +1000 - sync config.guess/config.sub with latest versions + control over the colours in gnome-ssh-askpass[23] - ok dtucker@ + Optionally set the textarea colours via $GNOME_SSH_ASKPASS_FG_COLOR and + $GNOME_SSH_ASKPASS_BG_COLOR. 
These accept the usual three or six digit + hex colours. -commit a8265bd64c14881fc7f4fa592f46dfc66b911f17 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed May 6 20:58:01 2020 +0000 +commit 9d3d36bdb10b66abd1af42e8655502487b6ba1fa +Author: Damien Miller <djm@mindrot.org> +Date: Fri Sep 18 14:50:38 2020 +1000 - upstream: openssh-8.3; ok deraadt@ + focus improvement for gnome-ssh-askpass[23] - OpenBSD-Commit-ID: c8831ec88b9c750f5816aed9051031fb535d22c1 + When serving a SSH_ASKPASS_PROMPT=none information dialog, ensure + then <enter> doesn't immediately close the dialog. Instead, require an + explicit <tab> to reach the close button, or <esc>. -commit 955854cafca88e0cdcd3d09ca1ad4ada465364a1 +commit d6f507f37e6c75a899db0ef8224e72797c5563b6 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Sep 16 03:07:31 2020 +0000 + + upstream: Remove unused buf, last user was removed when switching + + to the sshbuf API. Patch from Sebastian Andrzej Siewior. + + OpenBSD-Commit-ID: 250fa17f0cec01039cc4abd95917d9746e24c889 + +commit c3c786c3a0973331ee0922b2c51832a3b8d7f20f Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed May 6 20:57:38 2020 +0000 +Date: Wed Sep 9 21:57:27 2020 +0000 - upstream: another case where a utimes() failure could make scp send + upstream: For the hostkey confirmation message: - a desynchronising error; reminded by Aymeric Vincent ok deraadt markus + > Are you sure you want to continue connecting (yes/no/[fingerprint])? - OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381 + compare the fingerprint case sensitively; spotted Patrik Lundin + ok dtucker + + OpenBSD-Commit-ID: 73097afee1b3a5929324e345ba4a4a42347409f2 -commit 59d531553fd90196946743da391f3a27cf472f4e +commit f2950baf0bafe6aa20dfe2e8d1ca4b23528df617 Author: Darren Tucker <dtucker@dtucker.net> -Date: Thu May 7 15:34:12 2020 +1000 +Date: Fri Sep 11 14:45:23 2020 +1000 - Check if -D_REENTRANT is needed for localtime_r. 
- - On at least HP-UX 11.11, the localtime_r declararation is behind - ifdef _REENTRANT. Check for and add if needed. + New config-build-time dependency on automake. -commit c13403e55de8cdbb9da628ed95017b1d4c0f205f +commit 600c1c27abd496372bd0cf83d21a1c119dfdf9a5 Author: Darren Tucker <dtucker@dtucker.net> -Date: Tue May 5 11:32:43 2020 +1000 +Date: Sun Sep 6 21:56:36 2020 +1000 - Skip security key tests if ENABLE_SK not set. + Add aclocal.m4 and config.h.in~ to .gitignore. + + aclocal.m4 is now generated by autoreconf. -commit 4da393f87cd52d788c84112ee3f2191c9bcaaf30 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 04:03:14 2020 +0000 +commit 4bf7e1d00b1dcd3a6b3239f77465c019e61c6715 +Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat Sep 5 17:50:03 2020 +0200 - upstream: sure enough, some of the test data that we though were in + Quote the definition of OSSH_CHECK_HEADER_FOR_FIELD - new format were actually in the old format; fix from Michael Forney + autoreconf complains about underquoted definition of + OSSH_CHECK_HEADER_FOR_FIELD after aclocal.m4 has been and now is beeing + recreated. - OpenBSD-Regress-ID: a41a5c43a61b0f0b1691994dbf16dfb88e8af933 + Quote OSSH_CHECK_HEADER_FOR_FIELD as suggested. + + 
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> -commit 15bfafc1db4c8792265ada9623a96f387990f732 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 04:00:29 2020 +0000 +commit a2f3ae386b5f7938ed3c565ad71f30c4f7f010f1 +Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat Sep 5 17:50:02 2020 +0200 - upstream: make mktestdata.sh generate old/new format keys that we + Move the local m4 macros - expect. This script was written before OpenSSH switched to new-format private - keys by default and was never updated to the change (until now) From Michael - Forney + The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is + present. + Move the current aclocal.m4 which contains local macros into the m4/ + folder. With this change the aclocal.m4 will be re-created during + changes to the m4/ macro. + This is needed so the `aclocal' can fetch m4 macros from the system if + they are references in the configure script. This is a prerequisite to + use PKG_CHECK_MODULES. - OpenBSD-Regress-ID: 38cf354715c96852e5b71c2393fb6e7ad28b7ca7 + 
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> -commit 7882d2eda6ad3eb82220a85294de545d20ef82db -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 03:58:02 2020 +0000 +commit 8372bff3a895b84fd78a81dc39da10928b662f5a +Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat Sep 5 17:50:01 2020 +0200 - upstream: portability fix for sed that always emil a newline even + Remove HAVE_MMAP and BROKEN_MMAP - if the input does not contain one; from Michael Forney + BROKEN_MMAP is no longer defined since commit + 1cfd5c06efb12 ("Remove portability support for mmap") - OpenBSD-Regress-ID: 9190c3ddf0d2562ccc02c4a95fce0e392196bfc7 + this commit also removed other HAVE_MMAP user. I didn't find anything + that defines HAVE_MMAP. The check does not trigger because compression + on server side is by default COMP_DELAYED (2) so it never triggers. + + Remove remaining HAVE_MMAP and BROKEN_MMAP bits. + + 
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> -commit 8074f9499e454df0acdacea33598858a1453a357 +commit bbf20ac8065905f9cb9aeb8f1df57fcab52ee2fb Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 03:36:25 2020 +0000 +Date: Wed Sep 9 03:10:21 2020 +0000 - upstream: remove obsolete RSA1 test keys; spotted by Michael Forney + upstream: adapt to SSH_SK_VERSION_MAJOR crank - OpenBSD-Regress-ID: 6384ba889594e217d166908ed8253718ab0866da + OpenBSD-Regress-ID: 0f3e76bdc8f9dbd9d22707c7bdd86051d5112ab8 -commit c697e46c314aa94574af0d393d80f23e0ebc9748 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat May 2 18:34:47 2020 +1000 - - Update .depend. - -commit 83657eac42941f270c4b02b2c46d9a21f616ef99 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat May 2 18:29:40 2020 +1000 +commit 9afe2a150893b20bdf9eab764978d817b9a7b783 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Aug 28 03:17:13 2020 +0000 - Remove use of tail for 'make depend'. + upstream: Ensure that address/mask mismatches are flagged at - Not every tail supports +N and we can do with out it so just remove it. - Prompted by mforney at mforney.org. + config-check time. ok djm@ + + OpenBSD-Regress-ID: 8f5f4c2c0bf00e6ceae7a1755a444666de0ea5c2 -commit d25d630d24c5a1c64d4e646510e79dc22d6d7b88 +commit c76773524179cb654ff838dd43ba1ddb155bafaa Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat May 2 07:19:43 2020 +0000 +Date: Wed Sep 9 03:08:01 2020 +0000 - upstream: we have a sshkey_save_public() function to save public keys; + upstream: when writing an attestation blob for a FIDO key, record all - use it and save a bunch of redundant code. + the data needed to verify the attestation. Previously we were missing the + "authenticator data" that is included in the signature. 
- Patch from loic AT venez.fr; ok markus@ djm@ + spotted by Ian Haken + feedback Pedro Martelletto and Ian Haken; ok markus@ - OpenBSD-Commit-ID: f93e030a0ebcd0fd9054ab30db501ec63454ea5f + OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a -commit e9dc9863723e111ae05e353d69df857f0169544a -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 1 18:32:25 2020 +1000 +commit c1c44eeecddf093a7983bd91e70b446de789b363 +Author: pedro martelletto <pedro@ambientworks.net> +Date: Tue Sep 1 17:01:55 2020 +0200 - Use LONG_LONG_MAX and friends if available. + configure.ac: fix libfido2 back-compat - If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX} - then use those instead. We do calculate these values in configure, - but it turns out that at least one compiler (old HP ANSI C) can't - parse "-9223372036854775808LL" without mangling it. (It can parse - "-9223372036854775807LL" which is presumably why its limits.h defines - LONG_LONG_MIN as the latter minus 1.) - - Fixes rekey test when compiled with the aforementioned compiler. + - HAVE_FIDO_CRED_PROD -> HAVE_FIDO_CRED_PROT; + - check for fido_dev_get_touch_begin(), so that + HAVE_FIDO_DEV_GET_TOUCH_BEGIN gets defined. -commit aad87b88fc2536b1ea023213729aaf4eaabe1894 +commit 785f0f315bf7ac5909e988bb1ac3e019fb5e1594 Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 06:31:42 2020 +0000 +Date: Mon Aug 31 04:33:17 2020 +0000 - upstream: when receving a file in sink(), be careful to send at - - most a single error response after the file has been opened. Otherwise the - source() and sink() can become desyncronised. Reported by Daniel Goujot, - Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache. 
+ upstream: refuse to add verify-required (PINful) FIDO keys to - ok deraadt@ markus@ + ssh-agent until the agent supports them properly - OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035 + OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e -commit 31909696c4620c431dd55f6cd15db65c4e9b98da +commit 39e88aeff9c7cb6862b37ad1a87a03ebbb38c233 Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 06:28:52 2020 +0000 +Date: Mon Aug 31 00:17:41 2020 +0000 - upstream: expose vasnmprintf(); ok (as part of other commit) markus + upstream: Add RCS IDs to the few files that are missing them; from - deraadt + Pedro Martelletto - OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5 + OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3 -commit 99ce9cefbe532ae979744c6d956b49f4b02aff82 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri May 1 04:23:11 2020 +0000 +commit 72730249b38a676da94a1366b54a6e96e6928bcb +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Aug 28 03:15:52 2020 +0000 - upstream: avoid NULL dereference when attempting to convert invalid + upstream: Check that the addresses supplied to Match Address and - ssh.com private keys using "ssh-keygen -i"; spotted by Michael Forney + Match LocalAddress are valid when parsing in config-test mode. This will + catch address/mask mismatches before they cause problems at runtime. Found by + Daniel Stocker, ok djm@ - OpenBSD-Commit-ID: 2e56e6d26973967d11d13f56ea67145f435bf298 + OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b -commit 6c6072ba8b079e6f5caa38b011a6f4570c14ed38 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri May 1 15:09:26 2020 +1000 +commit 2a3a9822311a565a9df48ed3b6a3c972f462bd7d +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Thu Aug 27 12:34:00 2020 +0000 - See if SA_RESTART signals will interrupt select(). 
- - On some platforms (at least older HP-UXes such as 11.11, possibly others) - setting SA_RESTART on signal handers will cause it to not interrupt - select(), at least for calls that do not specify a timeout. Try to - detect this and if found, don't use SA_RESTART. + upstream: sentence fix; from pedro martelletto - POSIX says "If SA_RESTART has been set for the interrupting signal, it - is implementation-dependent whether select() restarts or returns with - [EINTR]" so this behaviour is within spec. + OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575 -commit 90a0b434ed41f9c505662dba8782591818599cb3 +commit ce178be0d954b210c958bc2b9e998cd6a7aa73a9 Author: Damien Miller <djm@mindrot.org> -Date: Fri May 1 13:55:03 2020 +1000 +Date: Thu Aug 27 20:01:52 2020 +1000 - fix reversed test + tweak back-compat for older libfido2 -commit c0dfd18dd1c2107c73d18f70cd164f7ebd434b08 -Author: Damien Miller <djm@mindrot.org> -Date: Fri May 1 13:29:16 2020 +1000 +commit d6f45cdde031acdf434bbb27235a1055621915f4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 09:46:04 2020 +0000 - wrap sha2.h inclusion in #ifdef HAVE_SHA2_H + upstream: debug()-print a little info about FIDO-specific key + + fields via "ssh-keygen -vyf /path/key" + + OpenBSD-Commit-ID: cf315c4fe77db43947d111b00155165cb6b577cf -commit a01817a9f63dbcbbc6293aacc4019993a4cdc7e3 +commit b969072cc3d62d05cb41bc6d6f3c22c764ed932f Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Apr 28 04:59:29 2020 +0000 +Date: Thu Aug 27 09:43:28 2020 +0000 - upstream: adapt dummy FIDO middleware to API change; ok markus@ + upstream: skip a bit more FIDO token selection logic when only a - OpenBSD-Regress-ID: 8bb84ee500c2eaa5616044314dd0247709a1790f + single token is attached. 
+ + with Pedro Martelletto + + OpenBSD-Commit-ID: e4a324bd9814227ec1faa8cb619580e661cca9ac -commit 261571ddf02ea38fdb5e4a97c69ee53f847ca5b7 +commit 744df42a129d7d7db26947b7561be32edac89f88 Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Thu Apr 30 18:28:37 2020 +0000 +Date: Thu Aug 27 06:15:22 2020 +0000 - upstream: tweak previous; ok markus + upstream: tweak previous; - OpenBSD-Commit-ID: 41895450ce2294ec44a5713134491cc31f0c09fd + OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7 -commit 5de21c82e1d806d3e401b5338371e354b2e0a66f -Author: markus@openbsd.org <markus@openbsd.org> -Date: Thu Apr 30 17:12:20 2020 +0000 +commit e32479645ce649b444ba5c6e7151304306a09654 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 03:55:22 2020 +0000 - upstream: bring back debug() removed in rev 1.74; noted by pradeep + upstream: adapt to API changes - kumar - - OpenBSD-Commit-ID: 8d134d22ab25979078a3b48d058557d49c402e65 + OpenBSD-Regress-ID: 5f147990cb67094fe554333782ab268a572bb2dd -commit ea14103ce9a5e13492e805f7e9277516ff5a4273 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Thu Apr 30 17:07:10 2020 +0000 +commit bbcc858ded3fbc46abfa7760e40389e3ca93884c +Author: Damien Miller <djm@mindrot.org> +Date: Thu Aug 27 12:37:12 2020 +1000 - upstream: run the 2nd ssh with BatchMode for scp -3 - - OpenBSD-Commit-ID: 77994fc8c7ca02d88e6d0d06d0f0fe842a935748 + degrade semi-gracefully when libfido2 is too old -commit 59d2de956ed29aa5565ed5e5947a7abdb27ac013 +commit 9cbbdc12cb6a2ab1e9ffe9974cca91d213c185c2 Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Apr 28 04:02:29 2020 +0000 +Date: Thu Aug 27 01:15:36 2020 +0000 - upstream: when signing a challenge using a FIDO toke, perform the + upstream: dummy firmware needs to match API version numner crank (for - hashing in the middleware layer rather than in ssh code. This allows - middlewares that call APIs that perform the hashing implicitly (including - Microsoft's AFAIK). 
ok markus@ + verify-required resident keys) even though it doesn't implement this feature - OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d + OpenBSD-Regress-ID: 86579ea2891e18e822e204413d011b2ae0e59657 -commit c9d10dbc0ccfb1c7568bbb784f7aeb7a0b5ded12 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Apr 26 09:38:14 2020 +0000 +commit c1e76c64956b424ba260fd4eec9970e5b5859039 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 02:11:09 2020 +0000 - upstream: Fix comment typo. Patch from mforney at mforney.org. + upstream: remove unreachable code I forgot to delete in r1.334 - OpenBSD-Commit-ID: 3565f056003707a5e678e60e03f7a3efd0464a2b + OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18 -commit 4d2c87b4d1bde019cdd0f00552fcf97dd8b39940 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sat Apr 25 06:59:36 2020 +0000 +commit 0caff05350bd5fc635674c9e051a0322faba5ae3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:08:45 2020 +0000 - upstream: We've standardized on memset over bzero, replace a couple + upstream: Request PIN ahead of time for certain FIDO actions - that had slipped in. ok deraadt markus djm. + When we know that a particular action will require a PIN, such as + downloading resident keys or generating a verify-required key, request + the PIN before attempting it. - OpenBSD-Commit-ID: f5be055554ee93e6cc66b0053b590bef3728dbd6 + joint work with Pedro Martelletto; ok markus@ + + OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727 -commit 7f23f42123d64272a7b00754afa6b0841d676691 -Author: Darren Tucker <dtucker@dtucker.net> *** 35149 LINES SKIPPED ***
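Review bot: The import's own commit message is only "Vendor import of OpenSSH 8.4p1", yet this ChangeLog region records several behaviour changes that anyone merging from vendor/openssh will want called out explicitly. Verify-required (PINful) FIDO keys are now refused when adding to ssh-agent until the agent supports them properly (785f0f31). The hostkey confirmation prompt now compares a typed fingerprint case sensitively (c3c786c3). Addresses given to Match Address and Match LocalAddress are now checked for validity in config-test mode (72730249). FIDO attestation blobs now record the authenticator data needed to verify the attestation (c7677352). Suggest summarising these in the commit that merges this vendor branch, rather than leaving readers to find them in a ChangeLog diff of this size. The misspellings inside the entries (for example "numner" in 9cbbdc12 and "beeing" in 4bf7e1d0) are upstream's text and should stay as imported so the vendor branch keeps matching upstream.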