git: 676824f5cdf9 - releng/14.0 - ssh: Update to OpenSSH 9.5p1
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 13 Oct 2023 23:15:55 UTC
The branch releng/14.0 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=676824f5cdf9dfdbfca38c9cfff2398345db9211 commit 676824f5cdf9dfdbfca38c9cfff2398345db9211 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2023-10-09 17:28:17 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-10-13 23:15:02 +0000 ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit edf8578117e8844e02c0121147f45e4609b30680) (cherry picked from commit b24ca3caa7524e650550d8a2ee1637e6efcb87f1) Approved by: re (gjb) --- crypto/openssh/.github/ci-status.md | 4 + crypto/openssh/.github/configs | 11 + crypto/openssh/.github/setup_ci.sh | 8 + crypto/openssh/.github/workflows/c-cpp.yml | 1 + crypto/openssh/.github/workflows/selfhosted.yml | 3 + crypto/openssh/ChangeLog | 1611 +++++++---------------- crypto/openssh/PROTOCOL | 35 +- crypto/openssh/PROTOCOL.agent | 4 +- crypto/openssh/README | 2 +- crypto/openssh/auth2.c | 11 +- crypto/openssh/channels.c | 35 +- crypto/openssh/channels.h | 4 +- crypto/openssh/clientloop.c | 189 ++- crypto/openssh/configure.ac | 12 +- crypto/openssh/contrib/redhat/openssh.spec | 2 +- crypto/openssh/contrib/suse/openssh.spec | 2 +- crypto/openssh/kex.c | 55 +- crypto/openssh/kex.h | 3 +- crypto/openssh/misc.c | 29 +- crypto/openssh/misc.h | 3 +- crypto/openssh/monitor.c | 7 +- crypto/openssh/openbsd-compat/bsd-closefrom.c | 1 - crypto/openssh/packet.c | 35 +- crypto/openssh/packet.h | 3 +- crypto/openssh/readconf.c | 64 +- crypto/openssh/readconf.h | 8 +- crypto/openssh/regress/Makefile | 5 +- crypto/openssh/regress/match-subsystem.sh | 90 ++ crypto/openssh/regress/scp.sh | 24 +- crypto/openssh/regress/scp3.sh | 19 +- crypto/openssh/scp.c | 50 +- crypto/openssh/servconf.c | 107 +- crypto/openssh/servconf.h | 14 +- crypto/openssh/serverloop.c | 4 +- crypto/openssh/session.c | 15 +- crypto/openssh/sftp-client.c | 409 +++--- crypto/openssh/sftp-client.h | 76 +- crypto/openssh/sftp-glob.c | 28 +- crypto/openssh/sftp-usergroup.c | 8 +- crypto/openssh/sftp.c | 138 +- crypto/openssh/ssh-agent.1 | 8 +- crypto/openssh/ssh.c | 11 +- crypto/openssh/ssh2.h | 7 +- crypto/openssh/ssh_config.5 | 33 +- crypto/openssh/ssh_namespace.h | 3 + crypto/openssh/sshd.8 | 6 +- crypto/openssh/sshd.c | 2 +- crypto/openssh/sshd_config | 2 +- crypto/openssh/sshd_config.5 | 2 +- crypto/openssh/sshkey.c | 3 +- crypto/openssh/sshsig.c | 27 +- crypto/openssh/version.h | 6 +- 52 files changed, 1639 insertions(+), 1600 deletions(-) diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md index f3e088fd6043..8d4cea10dba4 100644 --- a/crypto/openssh/.github/ci-status.md +++ b/crypto/openssh/.github/ci-status.md @@ -6,6 +6,10 @@ master : [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable) +9.4 : +[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_4) +[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_4) + 9.3 : [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3) [![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3) diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs index e054eb3196b5..c7d6a55ab962 100755 --- a/crypto/openssh/.github/configs +++ b/crypto/openssh/.github/configs @@ -30,6 +30,13 @@ case "$config" in default|sol64) ;; c89) + # If we don't have LLONG_MAX, configure will figure out that it can + # get it by setting -std=gnu99, at which point we won't be testing + # C89 any more. To avoid this, feed it in via CFLAGS. + llong_max=`gcc -E -dM - </dev/null | \ + awk '$2=="__LONG_LONG_MAX__"{print $3}'` + CPPFLAGS="-DLLONG_MAX=${llong_max}" + CC="gcc" CFLAGS="-Wall -std=c89 -pedantic -Werror=vla" CONFIGFLAGS="--without-zlib" @@ -205,6 +212,10 @@ case "$config" in ;; esac ;; + zlib-develop) + INSTALL_ZLIB=develop + CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath," + ;; *) echo "Unknown configuration $config" exit 1 diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh index 154f51bdc205..010a333a6642 100755 --- a/crypto/openssh/.github/setup_ci.sh +++ b/crypto/openssh/.github/setup_ci.sh @@ -133,6 +133,8 @@ for TARGET in $TARGETS; do valgrind*) PACKAGES="$PACKAGES valgrind" ;; + zlib-*) + ;; *) echo "Invalid option '${TARGET}'" exit 1 ;; @@ -214,3 +216,9 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib && cp -r ${HOME}/boringssl/include /opt/boringssl) fi + +if [ ! -z "${INSTALL_ZLIB}" ]; then + (cd ${HOME} && git clone https://github.com/madler/zlib.git && + cd ${HOME}/zlib && ./configure && make && + sudo make install prefix=/opt/zlib) +fi diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml index e4e2a64e05d2..be0c97f84cfd 100644 --- a/crypto/openssh/.github/workflows/c-cpp.yml +++ b/crypto/openssh/.github/workflows/c-cpp.yml @@ -73,6 +73,7 @@ jobs: - { target: ubuntu-latest, config: openssl-3.1.0 } - { target: ubuntu-latest, config: openssl-1.1.1_stable } - { target: ubuntu-latest, config: openssl-3.0 } # stable branch + - { target: ubuntu-latest, config: zlib-develop } - { target: ubuntu-22.04, config: pam } - { target: ubuntu-22.04, config: krb5 } - { target: ubuntu-22.04, config: heimdal } diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml index e84db699ea31..de0a4125bf08 100644 --- a/crypto/openssh/.github/workflows/selfhosted.yml +++ b/crypto/openssh/.github/workflows/selfhosted.yml @@ -40,6 +40,8 @@ jobs: - obsd67 - obsd69 - obsd70 + - obsd72 + - obsd73 - obsdsnap - obsdsnap-i386 - openindiana @@ -76,6 +78,7 @@ jobs: - { target: ARM64, config: default, host: ARM64 } - { target: ARM64, config: pam, host: ARM64 } - { target: debian-riscv64, config: default, host: debian-riscv64 } + - { target: obsd-arm64, config: default, host: obsd-arm64 } - { target: openwrt-mips, config: default, host: openwrt-mips } - { target: openwrt-mipsel, config: default, host: openwrt-mipsel } steps: diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog index 3e16fbfd346d..61725d3a136b 100644 --- a/crypto/openssh/ChangeLog +++ b/crypto/openssh/ChangeLog @@ -1,22 +1,509 @@ -commit daa5b2d869ee5a16f3ef9035aa0ad3c70cf4028e +commit 80a2f64b8c1d27383cc83d182b73920d1e6a91f1 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 4 15:34:10 2023 +1100 + + crank version numbers + +commit f65f187b105d9b5c12fd750a211397d08c17c6d4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 4 04:04:09 2023 +0000 + + upstream: openssh-9.5 + + OpenBSD-Commit-ID: 5e0af680480bd3b6f5560cf840ad032d48fd6b16 + +commit ffe27e54a4bb18d5d3bbd3f4cc93a41b8d94dfd2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 4 04:03:50 2023 +0000 + + upstream: add some cautionary text about % token expansion and + + shell metacharacters; based on report from vinci AT protonmail.ch + + OpenBSD-Commit-ID: aa1450a54fcee2f153ef70368d90edb1e7019113 + +commit 60ec3d54fd1ebfe2dda75893fa1e870b8dffbb0d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Oct 3 23:56:10 2023 +0000 + + upstream: fix link to agent draft; spotted by Jann Horn + + OpenBSD-Commit-ID: ff5bda21a83ec013db683e282256a85201d2dc4b + +commit 12e2d4b13f6f63ce2de13cbfcc9e4d0d4b4ab231 +Author: Damien Miller <djm@mindrot.org> +Date: Wed Oct 4 10:54:04 2023 +1100 + + use portable provider allowlist path in manpage + + spotted by Jann Horn + +commit 6c2c6ffde75df95fd838039850d3dd3d84956d87 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Sep 19 20:37:07 2023 +0000 + + upstream: typo; from Jim Spath + + OpenBSD-Commit-ID: 2f5fba917b5d4fcf93d9e0b0756c7f63189e228e + +commit b6b49130a0089b297245ee39e769231d7c763014 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 10 23:12:32 2023 +0000 + + upstream: rename remote_glob() -> sftp_glob() to match other API + + OpenBSD-Commit-ID: d9dfb3708d824ec02970a84d96cf5937e0887229 + +commit 21b79af6c8d2357c822c84cef3fbdb8001ed263b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 10 03:51:55 2023 +0000 + + upstream: typo in comment + + OpenBSD-Commit-ID: 69285e0ce962a7c6b0ab5f17a293c60a0a360a18 + +commit 41232d25532b4d2ef6c5db62efc0cf50a79d26ca +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Sep 10 15:45:38 2023 +1000 + + Use zero-call-used-regs=used with Apple compilers. + + Apple's versions of clang have version numbers that do not match the + corresponding upstream clang versions. Unfortunately, they do still + have the clang-15 zero-call-used-regs=all bug, so for now use the value + that doesn't result in segfaults. We could allowlist future versions + that are known to work. bz#3584 (and probably also our github CI + failures). + +commit 90ccc5918ea505bf156c31148b6b59a1bf5d6dc6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 10 03:25:53 2023 +0000 + + upstream: randomise keystroke obfuscation intervals and average + + interval rate. ok dtucker@ + + OpenBSD-Commit-ID: 05f61d051ab418fcfc4857ff306e420037502382 + +commit bd1b9e52f5fa94d87223c90905c5fdc1a7c32aa6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 8 06:34:24 2023 +0000 + + upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here + + is char**, so harmless); spotted in CID 416964 + + OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002 + +commit c4f966482983e18601eec70a1563115de836616f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 8 06:10:57 2023 +0000 + + upstream: regress test recursive remote-remote directories copies where + + the directory contains a symlink to another directory. + + also remove errant `set -x` that snuck in at some point + + OpenBSD-Regress-ID: 1c94a48bdbd633ef2285954ee257725cd7bc456f + +commit 5e1dfe5014ebc194641678303e22ab3bba15f4e5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 8 06:10:02 2023 +0000 + + upstream: fix recursive remote-remote copies of directories that + + contain symlinks to other directories (similar to bz3611) + + OpenBSD-Commit-ID: 7e19d2ae09b4f941bf8eecc3955c9120171da37f + +commit 7c0ce2bf98b303b6ad91493ee3247d96c18ba1f6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 8 05:50:57 2023 +0000 + + upstream: regress test for recursive copies of directories containing + + symlinks to other directories. bz3611, ok dtucker@ + + OpenBSD-Regress-ID: eaa4c29cc5cddff4e72a16bcce14aeb1ecfc94b9 + +commit 2de990142a83bf60ef694378b8598706bc654b08 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 8 05:56:13 2023 +0000 + + upstream: the sftp code was one of my first contributions to + + OpenSSH and it shows - the function names are terrible. + + Rename do_blah() to sftp_blah() to make them less so. + + Completely mechanical except for sftp_stat() and sftp_lstat() which + change from returning a pointer to a static variable (error-prone) to + taking a pointer to a caller-provided receiver. + + OpenBSD-Commit-ID: eb54d6a72d0bbba4d623e2175cf5cc4c75dc2ba4 + +commit 249d8bd0472b53e3a2a0e138b4c030a31e83346a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 8 05:50:12 2023 +0000 + + upstream: fix scp in SFTP mode recursive upload and download of + + directories that contain symlinks to other directories. In scp mode, the + links would be followed, but in SFTP mode they were not. bz3611, ok dtucker@ + + OpenBSD-Commit-ID: 9760fda668eaa94a992250d7670dfbc62a45197c + +commit 0e1f4401c466fa4fdaea81b6dadc8dd1fc4cf0af +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 6 23:36:09 2023 +0000 + + upstream: regression test for override of subsystem in match blocks + + OpenBSD-Regress-ID: 5f8135da3bfda71067084c048d717b0e8793e87c + +commit 8a1450c62035e834d8a79a5d0d1c904236f9dcfe +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 6 23:35:35 2023 +0000 + + upstream: allow override of Sybsystem directives in sshd Match + + blocks + + OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722 + +commit 6e52826e2a74d077147a82ead8d4fbd5b54f4e3b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 6 23:26:37 2023 +0000 + + upstream: allocate the subsystems array as necessary and remove the + + fixed limit of subsystems. Saves a few kb of memory in the server and makes + it more like the other options. + + OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f + +commit e19069c9fac4c111d6496b19c7f7db43b4f07b4f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 6 23:23:53 2023 +0000 + + upstream: preserve quoting of Subsystem commands and arguments. + + This may change behaviour of exotic configurations, but the most common + subsystem configuration (sftp-server) is unlikely to be affected. + + OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf + +commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 6 23:21:36 2023 +0000 + + upstream: downgrade duplicate Subsystem directives from being a + + fatal error to being a debug message to match behaviour with just about all + other directives. + + OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce + +commit 1ee0a16e07b6f0847ff463d7b5221c4bf1876e25 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 6 23:18:15 2023 +0000 + + upstream: handle cr+lf (instead of just cr) in sshsig signature + + files + + OpenBSD-Commit-ID: 647460a212b916540016d066568816507375fd7f + +commit e1c284d60a928bcdd60bc575c6f9604663502770 +Author: job@openbsd.org <job@openbsd.org> +Date: Mon Sep 4 10:29:58 2023 +0000 + + upstream: Generate Ed25519 keys when invoked without arguments + + Ed25519 public keys are very convenient due to their small size. + OpenSSH has supported Ed25519 since version 6.5 (January 2014). + + OK djm@ markus@ sthen@ deraadt@ + + OpenBSD-Commit-ID: f498beaad19c8cdcc357381a60df4a9c69858b3f + +commit 694150ad92765574ff82a18f4e86322bd3231e68 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 4 00:08:14 2023 +0000 + + upstream: trigger keystroke timing obfucation only if the channels + + layer enqueud some data in the last poll() cycle; this avoids triggering the + obfuscatior for non-channels data like ClientAlive probes and also fixes a + related problem were the obfucations would be triggered on fully quiescent + connections. + + Based on / tested by naddy@ + + OpenBSD-Commit-ID: d98f32dc62d7663ff4660e4556e184032a0db123 + +commit b5fd97896b59a3a46245cf438cc8b16c795d9f74 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 4 00:04:02 2023 +0000 + + upstream: avoid bogus "obfuscate_keystroke_timing: stopping ..." + + debug messages when keystroke timing obfuscation was never started; spotted + by naddy@ + + OpenBSD-Commit-ID: 5c270d35f7d2974db5c1646e9c64188f9393be31 + +commit ccf7d913db34e49b7a6db1b8331bd402004c840d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 4 00:01:46 2023 +0000 + + upstream: make channel_output_poll() return a flag indicating + + whether channel data was enqueued. Will be used to improve keystroke timing + obfuscation. Problem spotted by / tested by naddy@ + + OpenBSD-Commit-ID: f9776c7b0065ba7c3bbe50431fd3b629f44314d0 + +commit 43254b326ac6e2131dbd750f9464dc62c14bd5a7 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 3 23:59:32 2023 +0000 + + upstream: set interactive mode for ControlPersist sessions if they + + originally requested a tty; enables keystroke timing obfuscation for most + ControlPersist sessions. Spotted by naddy@ + + OpenBSD-Commit-ID: 72783a26254202e2f3f41a2818a19956fe49a772 + +commit ff3eda68ceb2e2bb8f48e3faceb96076c3e85c20 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Aug 31 23:02:35 2023 +1000 + + Set LLONG_MAX for C89 test. + + If we don't have LLONG_MAX, configure will figure out that it can get it + by setting -std=gnu99, at which point we won't be testing C89 any more. + To avoid this, feed it in via CFLAGS. + +commit f98031773db361424d59e3301aa92aacf423d920 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Aug 29 02:50:10 2023 +0000 + + upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@ + + OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7 + +commit cfa66857db90cd908de131e0041a50ffc17c7df8 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 28 09:52:09 2023 +0000 + + upstream: descriptive text shouldn't be under .Cm + + OpenBSD-Commit-ID: b1afaeb456a52bc8a58f4f9f8b2f9fa8f6bf651b + +commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 28 09:48:11 2023 +0000 + + upstream: limit artificial login delay to a reasonable maximum (5s) + + and don't delay at all for the "none" authentication mechanism. Patch by + Dmitry Belyavskiy in bz3602 with polish/ok dtucker@ + + OpenBSD-Commit-ID: 85b364676dd84cf1de0e98fc2fbdcb1a844ce515 + +commit 528da5b9d7c5da01ed7a73ff21c722e1b5326006 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Aug 28 05:32:28 2023 +0000 + + upstream: add spacing for punctuation when macro args; + + OpenBSD-Commit-ID: e80343c16ce0420b2aec98701527cf90371bd0db + +commit 3867361ca691d0956ef7d5fb8181cf554a91d84a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 28 04:06:52 2023 +0000 + + upstream: explicit long long type in timing calculations (doesn't + + matter, since the range is pre-clamped) + + OpenBSD-Commit-ID: f786ed902d04a5b8ecc581d068fea1a79aa772de + +commit 7603ba71264e7fa938325c37eca993e2fa61272f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 28 03:31:16 2023 +0000 + + upstream: Add keystroke timing obfuscation to the client. + + This attempts to hide inter-keystroke timings by sending interactive + traffic at fixed intervals (default: every 20ms) when there is only a + small amount of data being sent. It also sends fake "chaff" keystrokes + for a random interval after the last real keystroke. These are + controlled by a new ssh_config ObscureKeystrokeTiming keyword/ + + feedback/ok markus@ + + OpenBSD-Commit-ID: 02231ddd4f442212820976068c34a36e3c1b15be + +commit dce6d80d2ed3cad2c516082682d5f6ca877ef714 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 28 03:28:43 2023 +0000 + + upstream: Introduce a transport-level ping facility + + This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG + to implement a ping capability. These messages use numbers in the "local + extensions" number space and are advertised using a "ping@openssh.com" + ext-info message with a string version number of "0". + + ok markus@ + + OpenBSD-Commit-ID: b6b3c4cb2084c62f85a8dc67cf74954015eb547f + +commit d2d247938b38b928f8a6e1a47a330c5584d3a358 +Author: tobhe@openbsd.org <tobhe@openbsd.org> +Date: Mon Aug 21 21:16:18 2023 +0000 + + upstream: Log errors in kex_exchange_identification() with level + + verbose instead of error to reduce preauth log spam. All of those get logged + with a more generic error message by sshpkt_fatal(). + + feedback from sthen@ + ok djm@ + + OpenBSD-Commit-ID: bd47dab4695b134a44c379f0e9a39eed33047809 + +commit 9d7193a8359639801193ad661a59d1ae4dc3d302 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 21 04:59:54 2023 +0000 + + upstream: correct math for ClientAliveInterval that caused the + + probes to be sent less frequently than configured; from Dawid Majchrzak + + OpenBSD-Commit-ID: 641153e7c05117436ddfc58267aa267ca8b80038 + +commit 3c6ab63b383b0b7630da175941e01de9db32a256 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 25 14:48:02 2023 +1000 + + Include Portable version in sshd version string. + + bz#3608, ok djm@ + +commit 17fa6cd10a26e193bb6f65d21264d2fe553bcd87 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Aug 21 19:47:58 2023 +1000 + + obsd-arm64 host is real hardware... + + so put in the correct config location. + +commit 598ca75c85acaaacee5ef954251e489cc20d7be9 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Aug 21 18:38:36 2023 +1000 + + Add OpenBSD ARM64 test host. + +commit 1acac79bfbe207e8db639e8043524962037c8feb +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Aug 21 18:05:26 2023 +1000 + + Add test for zlib development branch. + +commit 84efebf352fc700e9040c8065707c63caedd36a3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 21 04:36:46 2023 +0000 + + upstream: want stdlib.h for free(3) + + OpenBSD-Commit-ID: 743af3c6e3ce5e6cecd051668f0327a01f44af29 + +commit cb4ed12ffc332d1f72d054ed92655b5f1c38f621 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Aug 19 07:39:08 2023 +1000 + + Fix zlib version check for 1.3 and future version. + + bz#3604. + +commit 25b75e21f16bccdaa472ea1889b293c9bd51a87b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Aug 14 11:10:08 2023 +1000 + + Add 9.4 branch to CI status page. + +commit 803e22eabd3ba75485eedd8b7b44d6ace79f2052 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Aug 18 01:37:41 2023 +0000 + + upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that caused + + multiplexed sessions to ignore SIGINT under some circumstances. Reported by / + feedback naddy@, ok dtucker@ + + OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a + +commit e706bca324a70f68dadfd0ec69edfdd486eed23a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Aug 16 16:14:11 2023 +0000 + + upstream: defence-in-depth MaxAuthTries check in monitor; ok markus + + OpenBSD-Commit-ID: 65a4225dc708e2dae71315adf93677edace46c21 + +commit d1ab7eb90474df656d5e9935bae6df0bd000d343 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 14 03:37:00 2023 +0000 + + upstream: add message number of SSH2_MSG_NEWCOMPRESS defined in RFC8308 + + OpenBSD-Commit-ID: 6c984171c96ed67effd7b5092f3d3975d55d6028 + +commit fa8da52934cb7dff6f660a143276bdb28bb9bbe1 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Aug 13 15:01:27 2023 +1000 + + Add obsd72 and obsd73 test targets. + +commit f9f18006678d2eac8b0c5a5dddf17ab7c50d1e9f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 10 23:05:48 2023 +0000 + + upstream: better debug logging of sessions' exit status + + OpenBSD-Commit-ID: 82237567fcd4098797cbdd17efa6ade08e1a36b0 + +commit a8c57bcb077f0cfdffcf9f23866bf73bb93e185c +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Thu Aug 10 14:37:32 2023 +0000 + + upstream: drop a wayward comma, ok jmc@ + + OpenBSD-Commit-ID: 5c11fbb9592a29b37bbf36f66df50db9d38182c6 + +commit e962f9b318a238db1becc53c2bf79dd3a49095b4 Author: Damien Miller <djm@mindrot.org> Date: Thu Aug 10 11:10:22 2023 +1000 depend -commit 41bfb63f5101fbacde9d8d2ada863f9ee16df194 +commit 0fcb60bf83130dfa428bc4422b3a3ac20fb528af Author: Damien Miller <djm@mindrot.org> Date: Thu Aug 10 11:05:42 2023 +1000 update versions in RPM specs -commit e598b92b1eecedac21667edf1fe92078eaf8f2b1 +commit d0cee4298491314f09afa1c4383a66d913150b26 Author: Damien Miller <djm@mindrot.org> Date: Thu Aug 10 11:05:14 2023 +1000 update version in README -commit e797e5ffa74377c8696e3b0559a258d836479239 +commit 78b4dc6684f4d35943b46b24ee645edfdb9974f5 Author: djm@openbsd.org <djm@openbsd.org> Date: Thu Aug 10 01:01:07 2023 +0000 @@ -24,6 +511,12 @@ Date: Thu Aug 10 01:01:07 2023 +0000 OpenBSD-Commit-ID: 71fc1e01a4c4ea061b252bd399cda7be757e6e35 +commit 58ca4f0aa8c4306ac0a629c9a85fb1efaf4ff092 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Aug 10 11:30:24 2023 +1000 + + Only include unistd.h once. + commit 3961ed02dc578517a9d2535128cff5c3a5460d28 Author: Damien Miller <djm@mindrot.org> Date: Thu Aug 10 09:08:49 2023 +1000 @@ -9062,1113 +9555,3 @@ Date: Wed Oct 6 13:16:21 2021 +1100 fix broken OPENSSL_HAS_ECC test spotted by dtucker - -commit 16a25414f303cd6790eb967aeb962040e32c9c7a -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 1 22:40:06 2021 +1000 - - make sk-dummy.so work without libcrypto installed - -commit dee22129bbc61e25b1003adfa2bc584c5406ef2d -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 1 16:35:49 2021 +1000 - - make OPENSSL_HAS_ECC checks more thorough - - ok dtucker - -commit 872595572b6c9a584ed754165e8b7c4c9e7e1d61 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 1 16:35:05 2021 +1000 - - fix FIDO key support for !OPENSSL_HAS_ECC case - - ok dtucker - -commit 489741dc68366940d369ac670b210b4834a6c272 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 1 14:51:37 2021 +1000 - - enable security key support for --without-openssl - -commit c978565c8589acfe4ea37ab5099d39c84158c713 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 1 13:27:50 2021 +1000 - - need stdlib.h for free(3) - -commit 76a398edfb51951b2d65d522d7b02c72304db300 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Sep 30 05:26:26 2021 +0000 - - upstream: Fix up whitespace left by previous - - change removing privsep. No other changes. - - OpenBSD-Regress-ID: 87adec225d8afaee4d6a91b2b71203f52bf14b15 - -commit ddcb53b7a7b29be65d57562302b2d5f41733e8dd -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Sep 30 05:20:08 2021 +0000 - - upstream: Remove references to privsep. - - This removes several do..while loops but does not change the - indentation of the now-shallower loops, which will be done in a separate - whitespace-only commit to keep changes of style and substance separate. - - OpenBSD-Regress-ID: 4bed1a0249df7b4a87c965066ce689e79472a8f7 - -commit ece2fbe486164860de8df3f8b943cccca3085eff -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Sep 30 04:22:50 2021 +0000 - - upstream: Use "skip" instead of "fatal" - - if SUDO isn't set for the *-command tests. This means running "make tests" - without SUDO set will perform all of the tests that it can instead of - failing on the ones it cannot run. - - OpenBSD-Regress-ID: bd4dbbb02f34b2e8c890558ad4a696248def763a - -commit bb754b470c360e787a99fb4e88e2668198e97b41 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Oct 1 04:50:36 2021 +0000 - - upstream: unbreak FIDO sk-ed25519 key enrollment for OPENSSL=no builds; - - ok dtucker@ - - OpenBSD-Commit-ID: 6323a5241728626cbb2bf0452cf6a5bcbd7ff709 - -commit 207648d7a6415dc915260ca75850404dbf9f0a0b -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 20:03:58 2021 +1000 - - Include stdlib.h for arc4random_uniform prototype. - -commit 696aadc854582c164d5fc04933d2f3e212dc0e06 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 20:00:30 2021 +1000 - - Look for clang after cc and gcc. - -commit a3c6375555026d85dbf811fab566b9f76f196144 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 19:30:59 2021 +1000 - - Use backticks instead of $(..) for portability. - - Older shells (eg /bin/sh on Solaris 10) don't support $() syntax. - -commit 958aaa0387133d51f84fe9c8f30bca03025f2867 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 18:53:32 2021 +1000 - - Skip file-based tests by default on Mac OS. - - The file-based tests need OpenSSL so skip them. - -commit 55c8bdf6e9afb0f9fa8e4f10c25c7f0081b48fd0 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 18:42:47 2021 +1000 - - Build without OpenSSL on Mac OS. - - Modern versions don't ship enough libcrypto to build against. - -commit c9172193ea975415facf0afb356d87df21535f88 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 18:33:38 2021 +1000 - - Remove TEST_SSH_ECC. - - Convert the only remaining user of it to runtime detection using ssh -Q. - -commit 5e6d28b7874b0deae95d2c68947c45212d32e599 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 17:48:09 2021 +1000 - - Split c89 test openssl setting out. - -commit c4ac7f98e230e83c015678dc958b1ffe828564ad -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 17:40:50 2021 +1000 - - Expand TEST_SHELL consistently with other vars. - -commit cfe5f7b0eb7621bfb0a756222de0431315c2ab8b -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 17:26:50 2021 +1000 - - Replace `pwd` with make variable in regress cmd. - -commit 899be59da5fbc3372444bd0fbe74af48313bed33 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 17:14:33 2021 +1000 - - Get BUILDDIR from autoconf. - - Use this to replace `pwd`s in regress test command line. - -commit c8d92d3d4f7d560146f2f936156ec4dac3fc5811 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 13:28:56 2021 +1000 - - Add make clean step to tests. - -commit 360fb41ef8359619ab90b0d131c914494e55d3dd -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 11:36:13 2021 +1000 - - Test all available clang and gcc versions. - -commit 4fb49899d7da22952d35a4bc4c9bdb2311087893 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 29 01:32:21 2021 +0000 - - upstream: Test certificate hostkeys held in ssh-agent too. Would have - - caught regression fixed in sshd r1.575 - - ok markus@ - - OpenBSD-Regress-ID: 1f164d7bd89f83762db823eec4ddf2d2556145ed - -commit ce4854e12e749a05646e5775e9deb8cfaf49a755 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 29 01:33:32 2021 +0000 - - upstream: add some debug output showing how many key file/command lines - - were processed. Useful to see whether a file or command actually has keys - present - - OpenBSD-Commit-ID: 0bd9ff94e84e03a22df8e6c12f6074a95d27f23c - -commit 15abdd523501c349b703d9a27e2bb4252ad921ef -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Sep 28 11:14:50 2021 +0000 - - upstream: Make prototype for rijndaelEncrypt match function - - including the bounds. Fixes error in portable where GCC>=11 takes notice of - the bounds. ok deraadt@ - - OpenBSD-Commit-ID: cdd2f05fd1549e1786a70871e513cf9e9cf099a6 - -commit d1d29ea1d1ef1a1a54b209f062ec1dcc8399cf03 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Sep 28 11:10:05 2021 +0000 - - upstream: Import regenerated moduli. - - OpenBSD-Commit-ID: 4bec5db13b736b64b06a0fca704cbecc2874c8e1 - -commit 39f2111b1d5f00206446257377dcce58cc72369f -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Sep 29 10:53:55 2021 +1000 - - Add new compiler hardening flags. - - Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of - compiler hardening flags that configure checks for. These are supported - by clang and gcc, and make ROP gadgets less useful and mitigate - stack-based infoleaks respectively. ok djm@ - -commit bf944e3794eff5413f2df1ef37cddf96918c6bde -Author: Damien Miller <djm@mindrot.org> -Date: Mon Sep 27 00:03:19 2021 +1000 - - initgroups needs grp.h - -commit 8c5b5655149bd76ea21026d7fe73ab387dbc3bc7 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Sep 26 14:01:11 2021 +0000 - - upstream: openssh-8.8 - - OpenBSD-Commit-ID: 12357794602ac979eb7312a1fb190c453f492ec4 - -commit f3cbe43e28fe71427d41cfe3a17125b972710455 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Sep 26 14:01:03 2021 +0000 - - upstream: need initgroups() before setresgid(); reported by anton@, - - ok deraadt@ - - OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce - -commit 8acaff41f7518be40774c626334157b1b1c5583c -Author: Damien Miller <djm@mindrot.org> -Date: Sun Sep 26 22:16:36 2021 +1000 - - update version numbers for release - -commit d39039ddc0010baa91c70a0fa0753a2699bbf435 -Author: kn@openbsd.org <kn@openbsd.org> -Date: Sat Sep 25 09:40:33 2021 +0000 - - upstream: RSA/SHA-1 is not used by default anymore - - OK dtucker deraadt djm - - OpenBSD-Commit-ID: 055c51a221c3f099dd75c95362f902da1b8678c6 - -commit 9b2ee74e3aa8c461eb5552a6ebf260449bb06f7e *** 4738 LINES SKIPPED ***