git: b16cb28aca00 - stable/13 - ssh: Update to OpenSSH 9.7p1
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 25 Mar 2024 22:39:24 UTC
The branch stable/13 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=b16cb28aca00112db2a7b5c070ee019c100cbc20
commit b16cb28aca00112db2a7b5c070ee019c100cbc20
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-03-18 14:00:57 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-03-25 22:39:14 +0000
ssh: Update to OpenSSH 9.7p1
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a91a246563dffa876a52f53a98de4af9fa364c52)
(cherry picked from commit 464fa66f639bdc8e340dd3f640af4309530d48ca)
---
crypto/openssh/.github/configs | 21 +-
crypto/openssh/.github/setup_ci.sh | 26 +
crypto/openssh/.github/workflows/c-cpp.yml | 20 +-
crypto/openssh/.github/workflows/selfhosted.yml | 1 +
crypto/openssh/.gitignore | 2 +
crypto/openssh/.skipped-commit-ids | 2 +
crypto/openssh/ChangeLog | 11979 +++++++++----------
crypto/openssh/PROTOCOL | 22 +-
crypto/openssh/PROTOCOL.agent | 4 +-
crypto/openssh/PROTOCOL.mux | 4 +-
crypto/openssh/README | 2 +-
crypto/openssh/README.platform | 9 +-
crypto/openssh/channels.c | 79 +-
crypto/openssh/clientloop.c | 4 +-
crypto/openssh/config.h | 3 +
crypto/openssh/configure.ac | 50 +-
crypto/openssh/contrib/redhat/openssh.spec | 2 +-
crypto/openssh/contrib/suse/openssh.spec | 2 +-
crypto/openssh/gss-genr.c | 8 +-
crypto/openssh/kex.c | 31 +-
crypto/openssh/kex.h | 10 +-
crypto/openssh/m4/openssh.m4 | 12 +-
crypto/openssh/misc.c | 15 +-
crypto/openssh/misc.h | 3 +-
crypto/openssh/nchan.c | 4 +-
crypto/openssh/openbsd-compat/getopt.h | 12 +-
crypto/openssh/openbsd-compat/openbsd-compat.h | 10 +-
crypto/openssh/packet.c | 2 +-
crypto/openssh/packet.h | 2 +-
crypto/openssh/readconf.c | 165 +-
crypto/openssh/readconf.h | 8 +-
crypto/openssh/regress/Makefile | 77 +-
crypto/openssh/regress/channel-timeout.sh | 74 +-
crypto/openssh/regress/dynamic-forward.sh | 9 +-
crypto/openssh/regress/misc/fuzz-harness/Makefile | 8 +-
.../regress/misc/fuzz-harness/agent_fuzz_helper.c | 7 +
crypto/openssh/regress/multiplex.sh | 3 +-
crypto/openssh/regress/putty-ciphers.sh | 51 +-
crypto/openssh/regress/putty-kex.sh | 40 +-
crypto/openssh/regress/putty-transfer.sh | 13 +-
crypto/openssh/regress/test-exec.sh | 28 +-
crypto/openssh/regress/unittests/Makefile.inc | 7 +-
.../regress/unittests/hostkeys/test_iterate.c | 11 +-
crypto/openssh/regress/unittests/kex/test_kex.c | 4 +-
.../openssh/regress/unittests/sshkey/test_file.c | 4 +-
.../openssh/regress/unittests/sshkey/test_fuzz.c | 8 +-
.../openssh/regress/unittests/sshkey/test_sshkey.c | 23 +-
crypto/openssh/regress/unittests/sshsig/tests.c | 4 +-
crypto/openssh/servconf.c | 168 +-
crypto/openssh/session.c | 4 +-
crypto/openssh/sftp.c | 44 +-
crypto/openssh/ssh-add.1 | 14 +-
crypto/openssh/ssh-add.c | 10 +-
crypto/openssh/ssh-agent.c | 48 +-
crypto/openssh/ssh-dss.c | 7 +-
crypto/openssh/ssh-keygen.c | 26 +-
crypto/openssh/ssh-keyscan.c | 8 +-
crypto/openssh/ssh-keysign.c | 7 +-
crypto/openssh/ssh-pkcs11-client.c | 2 +
crypto/openssh/ssh.c | 6 +-
crypto/openssh/ssh_api.c | 14 +-
crypto/openssh/ssh_config | 2 +-
crypto/openssh/ssh_config.5 | 26 +-
crypto/openssh/ssh_namespace.h | 1 +
crypto/openssh/sshbuf-getput-crypto.c | 4 +-
crypto/openssh/sshconnect.c | 4 +-
crypto/openssh/sshconnect2.c | 21 +-
crypto/openssh/sshd.c | 4 +-
crypto/openssh/sshd_config | 2 +-
crypto/openssh/sshd_config.5 | 59 +-
crypto/openssh/sshkey.c | 12 +-
crypto/openssh/sshsig.c | 4 +-
crypto/openssh/version.h | 6 +-
crypto/openssh/xmss_hash.c | 4 +-
74 files changed, 6366 insertions(+), 7026 deletions(-)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index df82faf5046b..370fe29a3ee4 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -164,6 +164,11 @@ case "$config" in
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
+ putty-*)
+ CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
+ # We don't need to rerun the regular tests, just the interop ones.
+ TEST_TARGET=interop-tests
+ ;;
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
@@ -269,20 +274,22 @@ case "${TARGET_HOST}" in
;;
minix3)
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+ # Unix domain sockets don't work quite like we expect, so also
+ # disable FD passing (and thus multiplexing).
+ CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
LIBCRYPTOFLAGS="--without-openssl"
+
# Minix does not have a loopback interface so we have to skip any
# test that relies on one.
# Also, Minix seems to be very limited in the number of select()
# calls that can be operating concurrently, so prune additional tests for that.
T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
- connect connect-uri exit-status forwarding hostkey-agent
- key-options keyscan knownhosts-command login-timeout
+ connect connect-uri dynamic-forward exit-status forwarding
+ forward-control
+ hostkey-agent key-options keyscan knownhosts-command login-timeout
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
transfer"
- # Unix domain sockets don't work quite like we expect, so also skip any tests
- # that use multiplexing.
- T="$T connection-timeout dynamic-forward forward-control multiplex"
SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
SUDO=""
@@ -320,6 +327,10 @@ case "$host" in
# modern versions don't ship with libcrypto.
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
+
+ # On some OS X runners we can't write to /var/empty.
+ CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"
+
case "$host" in
*-darwin22.*)
# sudo -S nobody doesn't work on macos 13 for some reason.
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index d0ba7b4724e9..f0f2761c7107 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -142,6 +142,10 @@ for TARGET in $TARGETS; do
INSTALL_BORINGSSL=1
PACKAGES="${PACKAGES} cmake ninja-build"
;;
+ putty-*)
+ INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
+ PACKAGES="${PACKAGES} cmake"
+ ;;
valgrind*)
PACKAGES="$PACKAGES valgrind"
;;
@@ -241,3 +245,25 @@ if [ ! -z "${INSTALL_ZLIB}" ]; then
cd ${HOME}/zlib && ./configure && make &&
sudo make install prefix=/opt/zlib)
fi
+
+if [ ! -z "${INSTALL_PUTTY}" ]; then
+ ver="${INSTALL_PUTTY}"
+ case "${INSTALL_PUTTY}" in
+ snapshot)
+ tarball=putty.tar.gz
+ (cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
+ ;;
+ *)
+ tarball=putty-${ver}.tar.gz
+ (cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
+ ;;
+ esac
+ (cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
+ if [ -f CMakeLists.txt ]; then
+ cmake . && cmake --build . && sudo cmake --build . --target install
+ else
+ ./configure && make && sudo make install
+ fi
+ )
+ /usr/local/bin/plink -V
+fi
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index 8f624d21016c..edb88f23c0fb 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -62,20 +62,32 @@ jobs:
- { target: ubuntu-latest, config: libressl-3.5.3 }
- { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.2 }
- - { target: ubuntu-latest, config: libressl-3.8.2 }
+ - { target: ubuntu-latest, config: libressl-3.8.3 }
+ - { target: ubuntu-latest, config: libressl-3.9.0 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1t }
- { target: ubuntu-latest, config: openssl-1.1.1w }
- { target: ubuntu-latest, config: openssl-3.0.0 }
- - { target: ubuntu-latest, config: openssl-3.0.12 }
+ - { target: ubuntu-latest, config: openssl-3.0.13 }
- { target: ubuntu-latest, config: openssl-3.1.0 }
- - { target: ubuntu-latest, config: openssl-3.1.4 }
- - { target: ubuntu-latest, config: openssl-3.2.0 }
+ - { target: ubuntu-latest, config: openssl-3.1.5 }
+ - { target: ubuntu-latest, config: openssl-3.2.1 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-latest, config: openssl-3.2 } # stable branch
+ - { target: ubuntu-latest, config: putty-0.71 }
+ - { target: ubuntu-latest, config: putty-0.72 }
+ - { target: ubuntu-latest, config: putty-0.73 }
+ - { target: ubuntu-latest, config: putty-0.74 }
+ - { target: ubuntu-latest, config: putty-0.75 }
+ - { target: ubuntu-latest, config: putty-0.76 }
+ - { target: ubuntu-latest, config: putty-0.77 }
+ - { target: ubuntu-latest, config: putty-0.78 }
+ - { target: ubuntu-latest, config: putty-0.79 }
+ - { target: ubuntu-latest, config: putty-0.80 }
+ - { target: ubuntu-latest, config: putty-snapshot }
- { target: ubuntu-latest, config: zlib-develop }
- { target: ubuntu-22.04, config: pam }
- { target: ubuntu-22.04, config: krb5 }
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index be0b4ffec580..4f1c587a5779 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -73,6 +73,7 @@ jobs:
- { target: fbsd14, config: pam, host: libvirt }
- { target: nbsd8, config: pam, host: libvirt }
- { target: nbsd9, config: pam, host: libvirt }
+ - { target: nbsd10, config: pam, host: libvirt }
# VMs with persistent disks that have their own runner.
- { target: win10, config: default, host: win10 }
- { target: win10, config: cygwin-release, host: win10 }
diff --git a/crypto/openssh/.gitignore b/crypto/openssh/.gitignore
index 5e4ae5a60d06..7fccc6fe3dc3 100644
--- a/crypto/openssh/.gitignore
+++ b/crypto/openssh/.gitignore
@@ -18,6 +18,8 @@ survey.sh
**/*.so
**/*.out
**/*.a
+**/*.un~
+**/.*.swp
autom4te.cache/
scp
sftp
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index 59e80518acf2..06303955c566 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -1,3 +1,4 @@
+509bb19bb9762a4b3b589af98bac2e730541b6d4 clean sshd random relinking kit
5317f294d63a876bfc861e19773b1575f96f027d remove libssh from makefiles
a337e886a49f96701ccbc4832bed086a68abfa85 Makefile changes
f2c9feb26963615c4fece921906cf72e248b61ee more Makefile
@@ -27,6 +28,7 @@ cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile
f9a0726d957cf10692a231996a1f34e7f9cdfeb0 moduli update
1e0a2692b7e20b126dda60bf04999d1d30d959d8 sshd relinking makefile changes
e1dc11143f83082e3154d6094f9136d0dc2637ad more relinking makefile tweaks
+5a636f6ca7f25bfe775df4952f7aac90a7fcbbee moduli update
Old upstream tree:
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 981b7ecd94b6..3bbccf5ea3eb 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,9505 +1,8300 @@
-commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
+commit 86bdd3853f4d32c85e295e6216a2fe0953ad93f0
Author: Damien Miller <djm@mindrot.org>
-Date: Tue Dec 19 01:59:50 2023 +1100
+Date: Mon Mar 11 16:20:49 2024 +1100
- crank versions
+ version number in README
-commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
+commit 282721418e6465bc39ccfd39bb0133e670ee4423
Author: Damien Miller <djm@mindrot.org>
-Date: Tue Dec 19 01:59:06 2023 +1100
+Date: Mon Mar 11 16:20:08 2024 +1100
- depend
+ crank RPM spec versions
-commit e48cdee8e19059203b1aeeabec2350b8375fa61f
+commit 3876a3bbd2ca84d23ba20f8b69ba83270c04ce3a
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:50:08 2023 +0000
+Date: Mon Mar 11 04:59:47 2024 +0000
- upstream: regress test for agent PKCS#11-backed certificates
+ upstream: openssh-9.7
- OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
+ OpenBSD-Commit-ID: 618ececf58b8cdae016b149787af06240f7b0cbc
-commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:49:39 2023 +0000
+commit 8fc109cc614954a8eb2738c48c0db36a62af9a06
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 11 12:59:26 2024 +1100
- upstream: regress test for constrained PKCS#11 keys
+ Test against current OpenSSL and LibreSSL releases.
- OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
+ Add LibreSSL 3.9.0, bump older branches to their respective current
+ releases.
-commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:48:44 2023 +0000
+commit 26b09b45fec7b88ba09042c09be4157e58e231e2
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Mar 10 16:24:57 2024 +1100
- upstream: openssh-9.6
+ quote regexes used to test for algorithm support
- OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
+ Fixes test failures on Solaris 8 reported by Tom G. Christensen
-commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
+commit a6a740a4948d10a622b505135bb485c10f21db5e
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:48:08 2023 +0000
+Date: Sat Mar 9 05:12:13 2024 +0000
- upstream: ssh-agent: record failed session-bind attempts
-
- Record failed attempts to session-bind a connection and refuse signing
- operations on that connection henceforth.
-
- Prevents a future situation where we add a new hostkey type that is not
- recognised by an older ssh-agent, that consequently causes session-bind
- to fail (this situation is only likely to arise when people mix ssh(1)
- and ssh-agent(1) of different versions on the same host). Previously,
- after such a failure the agent socket would be considered unbound and
- not subject to restriction.
+ upstream: avoid logging in signal handler by converting mainloop to
- Spotted by Jann Horn
+ ppoll() bz3670, reported by Ben Hamilton; ok dtucker@
- OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
+ OpenBSD-Commit-ID: e58f18042b86425405ca09e6e9d7dfa1df9f5f7f
-commit 7ef3787c84b6b524501211b11a26c742f829af1a
+commit cd82f7526e0481720567ae41db7849ab1c27e27b
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:47:44 2023 +0000
+Date: Fri Mar 8 22:16:32 2024 +0000
- upstream: ban user/hostnames with most shell metacharacters
+ upstream: skip more whitespace, fixes find-principals on
- This makes ssh(1) refuse user or host names provided on the
- commandline that contain most shell metacharacters.
-
- Some programs that invoke ssh(1) using untrusted data do not filter
- metacharacters in arguments they supply. This could create
- interactions with user-specified ProxyCommand and other directives
- that allow shell injection attacks to occur.
+ allowed_signers files with blank lines; reported by Wiktor Kwapisiewicz
- It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
- but getting this stuff right can be tricky, so this should prevent
- most obvious ways of creating risky situations. It however is not
- and cannot be perfect: ssh(1) has no practical way of interpreting
- what shell quoting rules are in use and how they interact with the
- user's specified ProxyCommand.
+ OpenBSD-Commit-ID: b3a22a2afd753d70766f34bc7f309c03706b5298
+
+commit 2f9d2af5cb19905d87f37d1e11c9f035ac5daf3b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 8 11:34:10 2024 +0000
+
+ upstream: Invoke ProxyCommand that uses stderr redirection via
- To allow configurations that use strange user or hostnames to
- continue to work, this strictness is applied only to names coming
- from the commandline. Names specified using User or Hostname
- directives in ssh_config(5) are not affected.
+ $TEST_SHELL. Fixes test when run by a user whose login shell is tcsh.
+ Found by vinschen at redhat.com.
- feedback/ok millert@ markus@ dtucker@ deraadt@
+ OpenBSD-Regress-ID: f68d79e7f00caa8d216ebe00ee5f0adbb944062a
+
+commit 9b3f0beb4007a7e01dfedabb429097fb593deae6
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Mar 7 17:18:14 2024 +1100
+
+ Prefer openssl binary from --with-ssl-dir directory.
- OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+ Use openssl in the directory specified by --with-ssl-dir as long
+ as it's functional. Reported by The Doctor.
-commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
+commit c47e1c9c7911f38b2fc2fb01b1f6ae3a3121a838
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:47:20 2023 +0000
+Date: Wed Mar 6 02:59:59 2024 +0000
- upstream: stricter handling of channel window limits
-
- This makes ssh/sshd more strict in handling non-compliant peers that
- send more data than the advertised channel window allows. Previously
- the additional data would be silently discarded. This change will
- cause ssh/sshd to terminate the connection if the channel window is
- exceeded by more than a small grace allowance.
+ upstream: fix memory leak in mux proxy mode when requesting forwarding.
- ok markus@
+ found by RASU JSC, reported by Maks Mishin in GHPR#467
- OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
+ OpenBSD-Commit-ID: 97d96a166b1ad4b8d229864a553e3e56d3116860
-commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
+commit 242742827fea4508e68097c128e802edc79addb5
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:46:56 2023 +0000
+Date: Wed Mar 6 00:31:04 2024 +0000
- upstream: Make it possible to load certs from PKCS#11 tokens
-
- Adds a protocol extension to allow grafting certificates supplied by
- ssh-add to keys loaded from PKCS#11 tokens in the agent.
-
- feedback/ok markus@
+ upstream: wrap a few PKCS#11-specific bits in ENABLE_PKCS11
- OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
+ OpenBSD-Commit-ID: 463e4a69eef3426a43a2b922c4e7b2011885d923
-commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:46:12 2023 +0000
+commit d52b6509210e2043f33e5a1de58dd4a0d5d48c2a
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Mar 6 11:31:36 2024 +1100
- upstream: apply destination constraints to all p11 keys
+ disable RSA tests when algorithm is not supported
- Previously applied only to the first key returned from each token.
+ Unbreaks "make test" when compiled --without-openssl.
- ok markus@
+ Similar treatment to how we do DSA and ECDSA.
+
+commit 668d270a6c77e8b5a1da26ecad2e6de9f62c8fe4
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Mar 6 10:33:20 2024 +1100
+
+ add a --without-retpoline configure option
- OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
+ discussed with deraadt and dtucker a while ago
-commit a7ed931caeb68947d30af8a795f4108b6efad761
+commit 3deb501f86fc47e175ef6a3eaba9b9846a80d444
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:45:49 2023 +0000
+Date: Mon Mar 4 04:13:18 2024 +0000
- upstream: add "ext-info-in-auth@openssh.com" extension
-
- This adds another transport protocol extension to allow a sshd to send
- SSH2_MSG_EXT_INFO during user authentication, after the server has
- learned the username that is being logged in to.
-
- This lets sshd to update the acceptable signature algoritms for public
- key authentication, and allows these to be varied via sshd_config(5)
- "Match" directives, which are evaluated after the server learns the
- username being authenticated.
+ upstream: fix leak of CanonicalizePermittedCNAMEs on error path;
- Full details in the PROTOCOL file
+ spotted by Coverity (CID 438039)
- OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
+ OpenBSD-Commit-ID: 208839699939721f452a4418afc028a9f9d3d8af
-commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
+commit 65a44a8a4f7d902a64d4e60eda84384b2e2a24a2
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 18 14:45:17 2023 +0000
+Date: Mon Mar 4 02:16:11 2024 +0000
- upstream: implement "strict key exchange" in ssh and sshd
+ upstream: Separate parsing of string array options from applying them
- This adds a protocol extension to improve the integrity of the SSH
- transport protocol, particular in and around the initial key exchange
- (KEX) phase.
+ to the active configuration. This fixes the config parser from erroneously
+ rejecting cases like:
- Full details of the extension are in the PROTOCOL file.
+ AuthenticationMethods password
+ Match User ivy
+ AuthenticationMethods any
- with markus@
+ bz3657 ok markus@
- OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+ OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491
-commit 59d691b886c79e70b1d1c4ab744e81fd176222fd
+commit 6886e1b1f55c90942e4e6deed930f8ac32e0f938
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 22 17:59:35 2024 +1100
+
+ Add nbsd10 test target.
+
+commit d86bf8a3f6ea4fa7887406c2aa9959db71fa41be
Author: Damien Miller <djm@mindrot.org>
-Date: Mon Dec 18 14:49:11 2023 +1100
+Date: Thu Feb 22 12:06:10 2024 +1100
- better detection of broken -fzero-call-used-regs
+ more descriptive configure test name
+
+commit 9ee335aacc9f5bdc4cc2c19fafb45e27be7d234e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 21 06:17:29 2024 +0000
+
+ upstream: explain arguments of internal-sftp GHPR#454 from Niklas
- Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend
- test program to exercise varargs, which seems to catch more stuff.
+ Hambüchen
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
- ok dtucker@
+ OpenBSD-Commit-ID: 0335d641ae6b5b6201b9ffd5dd06345ebbd0a3f3
-commit aa7b21708511a6d4aed3839fc9f6e82e849dd4a1
+commit d1164cb1001dd208fee88aaa9b43d5e6fd917274
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Dec 13 03:28:19 2023 +0000
+Date: Wed Feb 21 06:06:43 2024 +0000
- upstream: when invoking KnownHostsCommand to determine the order of
-
- host key algorithms to request, ensure that the hostname passed to the
- command is decorated with the port number for ports other than 22.
+ upstream: clarify permissions requirements for ChrootDirectory Part
- This matches the behaviour of KnownHostsCommand when invoked to look
- up the actual host key.
+ of GHPR#454 from Niklas Hambüchen
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
- bz3643, ok dtucker@
+ OpenBSD-Commit-ID: d37bc8786317a11649c62ff5e2936441186ef7a0
+
+commit d410e17d186552d0717f18217d0d049486754365
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 21 06:05:06 2024 +0000
+
+ upstream: .Cm for a keyword. Part of GHPR#454 from Niklas Hambüchen
- OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
+ OpenBSD-Commit-ID: d59c52559f926fa82859035d79749fbb4a3ce18a
-commit 4086bd6652c0badccc020218a62190a7798fb72c
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Fri Dec 8 09:18:39 2023 +0000
+commit ab73f9678ebf06b32d6361b88b50b42775e0565b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 21 06:01:13 2024 +0000
- upstream: prevent leak in sshsig_match_principals; ok djm@
+ upstream: fix typo in match directive predicate (s/tagged/tag) GHPR#462
- OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
+ from Tobias Manske
+
+ OpenBSD-Commit-ID: 05b23b772677d48aa82eefd7ebebd369ae758908
-commit 19d3ee2f3adf7d9a606ff015c1e153744702c4c9
+commit 9844aa2521ccfb1a2d73745680327b79e0574445
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Dec 6 21:06:48 2023 +0000
+Date: Wed Feb 21 05:57:34 2024 +0000
- upstream: short circuit debug log processing early if we're not going
+ upstream: fix proxy multiplexing mode, broken when keystroke timing
- to log anything. From Kobe Housen
+ obfuscation was added. GHPR#463 from montag451
- OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
+ OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
-commit 947affad4831df015c498c00c6351ea6f13895d5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Mon Nov 27 09:37:28 2023 +1100
+commit ee6d932acb532f80b11bb7cf161668c70ec8a117
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 20 04:10:03 2024 +0000
- Add tests for OpenSSL 3.2.0 and 3.2 stable branch.
+ upstream: don't append a gratuitous space to the end of subsystem
+
+ arguments; bz3667
+
+ OpenBSD-Commit-ID: e11023aeb3f30b77a674e37b8292c862926d5dc6
-commit 747dce36206675ca6b885010a835733df469351b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Nov 25 09:03:38 2023 +1100
+commit e27f032aa8fcbae9b2e7c451baaf4b8ac6fa3d45
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Feb 19 09:25:52 2024 +0000
- Use non-zero arg in compiler test program.
+ upstream: Always define puttysetup function.
- Now that we're running the test program, passing zero to the test function
- can cause divide-by-zero exceptions which might show up in logs.
+ OpenBSD-Regress-ID: b4c0ccfa4006a1bc5dfd99ccf21c854d3ce2aee0
-commit 3d44a5c56585d1c351dbc006240a591b6da502b1
+commit 84046f9991abef5f46b040b10cf3d494f933a17b
Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Nov 24 00:31:30 2023 +0000
+Date: Fri Feb 9 08:56:59 2024 +0000
- upstream: Plug mem leak of msg when processing a quit message.
+ upstream: Exapnd PuTTY test coverage.
- Coverity CID#427852, ok djm@
+ Expand the set of ciphers, MACs and KEX methods in the PuTTY interop
+ tests.
- OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
+ OpenBSD-Regress-ID: dd28d97d48efe7329a396d0d505ee2907bf7fc57
-commit 1d7f9b6e297877bd00973e6dc5c0642dbefc3b5f
+commit bbf541ee2afe07b08a8b56fa0dc6f38fcfceef2a
Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Nov 23 03:37:05 2023 +0000
+Date: Fri Feb 9 08:47:42 2024 +0000
- upstream: Include existing mux path in debug message.
+ upstream: Factor out PuTTY setup.
- OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
+ Factor out PuTTY and call only when needed.
+
+ This allows us to avoid PuTTY key setup when it's not needed, which
+ speeds up the overall test run by a couple of percent.
+
+ OpenBSD-Regress-ID: c25eaccc3c91bc874400f7c85ce40e9032358c1c
-commit f29934066bd0e561a2e516b7e584fb92d2eedee0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Thu Nov 23 19:41:27 2023 +1100
+commit d31c21c57fb4245271680a1e5043cf6470a96766
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Sat Feb 10 11:28:52 2024 +0000
- Add an Ubuntu 22.04 test VM.
+ upstream: clean sshd random relinking kit; ok miod@
- This is the same version as Github's runners so most of the testing on
- it is over there, but having a local VM makes debugging much easier.
+ OpenBSD-Commit-ID: 509bb19bb9762a4b3b589af98bac2e730541b6d4
-commit a93284a780cd3972afe5f89086b75d564ba157f3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Thu Nov 23 19:36:22 2023 +1100
+commit 4dbc5a363ff53a2fcecf6bc3bcc038badc12f118
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 2 00:13:34 2024 +0000
- Add gcc-12 -Werror test on Ubuntu 22.04.
+ upstream: whitespace
- Explictly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
+ OpenBSD-Commit-ID: b24680bc755b621ea801ff8edf6f0f02b68edae1
-commit 670f5a647e98b6fd95ad64f789f87ee3274b481b
+commit efde85dda2130272af24cc346f6c3cd326182ff1
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Thu Nov 23 19:34:57 2023 +1100
+Date: Mon Feb 19 17:29:31 2024 +1100
- Check return value from write to prevent warning.
+ Improve error message for OpenSSL header check.
- ... and since we're testing for flags with -Werror, this caused
- configure to mis-detect compiler flags.
+ bz#3668, ok djm@
-commit cea007d691cfedfa07a5b8599f97ce0511f53fc9
+commit cbbdf868bce431a59e2fa36ca244d5739429408d
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Wed Nov 22 21:18:55 2023 +1100
+Date: Wed Feb 7 13:45:02 2024 +1100
- Run compiler test program when compiling natively.
-
- ok djm@
+ Interop test against PuTTY snapshot and releases.
-commit ee0d305828f13536c0a416bbf9c3e81039d9ea55
+commit 91898bf786b0f149f962c4c96c08a46f29888c10
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Wed Nov 22 21:18:07 2023 +1100
+Date: Tue Feb 6 16:21:05 2024 +1100
- Factor out compiler test program into a macro.
+ Put privsep dir on OS X on /usr/local.
- ok djm@
+ On some runners we can't create /var/empty, so put it some place we can
+ write. Should fix test breakage on Max OS X 11.
-commit de304c76316b029df460673725a9104224b9959b
+commit be5ed8ebed8388c5056bfde4688308cc873c18b9
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Wed Nov 22 08:55:36 2023 +1100
+Date: Tue Feb 6 11:19:42 2024 +1100
- Add fbsd14 VM to test pool.
+ Add --disable-fd-passing option.
+
+ .. and enable for the minix3 test VM. This will cause it to more reliably
+ skip tests that need FD passing and should fix the current test breakage.
-commit 99a2df5e1994cdcb44ba2187b5f34d0e9190be91
+commit 0f6a8a0d0a518fd78c4cbebfdac990a57a1c4e41
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Tue Nov 21 16:19:29 2023 +1100
+Date: Tue Feb 6 11:18:44 2024 +1100
- Expand -fzero-call-used-regs test to cover gcc 11.
-
- It turns out that gcc also has some problems with -fzero-call-used-regs,
- at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE
- was sufficient to catch it with "=all", but not sufficient for "=used".
- Expand the testcase and include it in the other tests for good measure.
- See bz#3629. ok djm@.
+ Use "skip" function instead doing it ourselves.
-commit ff220d4010717f7bfbbc02a2400666fb9d24f250
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Tue Nov 21 14:04:34 2023 +1100
+commit 3ad669f81aabbd2ba9fbd472903f680f598e1e99
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Feb 1 14:01:18 2024 +1100
- Stop using -fzero-call-used-regs=all
+ ignore some vim droppings
+
+commit c283f29d23611a06bbee06bcf458f2fffad721d9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Feb 1 02:37:33 2024 +0000
+
+ upstream: whitespace
- ... since it seems to be problematic with several different versions of
- clang. Only use -fzero-call-used-regs=used which is less
- problematic, except with Apple's clang where we don't use it at all.
- bz#3629, ok djm@
+ OpenBSD-Commit-ID: bf9e4a1049562ee4322684fbdce07142f04fdbb7
-commit 2a19e02f36b16f0f6cc915f7d1e60ead5e36303b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Tue Nov 21 14:02:18 2023 +1100
+commit 0d96b1506b2f4757fefa5d1f884d49e96a6fd4c3
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jan 16 14:40:18 2024 +1100
- Allow for vendor prefix on clang version numbers.
+ skip tests that use multiplexing on Windows
- Correctly detects the version of OpenBSD's native clang, as well as
- Apple's. Spotted tb@, ok djm@.
+ Some tests here use multiplexing, skip these if DISABLE_FD_PASSING
+ is set. Should unbreak tests on Windows.
-commit c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6
+commit 50080fa42f5f744b798ee29400c0710f1b59f50e
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Nov 20 02:50:00 2023 +0000
+Date: Thu Jan 11 04:50:28 2024 +0000
- upstream: set errno=EAFNOSUPPORT when filtering addresses that don't
+ upstream: don't disable RSA test when DSA is disabled; bug introduced
- match AddressFamily; yields slightly better error message if no address
- matches. bz#3526
+ in last commit
- OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
+ OpenBSD-Regress-ID: 8780a7250bf742b33010e9336359a1c516f2d7b5
-commit 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a
+commit 415c94ce17288e0cdcb9e58cc91fba78d33c8457
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 15 23:03:38 2023 +0000
+Date: Thu Jan 11 01:45:58 2024 +0000
- upstream: when connecting via socket (the default case), filter
+ upstream: make DSA testing optional, defaulting to on
- addresses by AddressFamily if one was specified. Fixes the case where, if
- CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
- dtucker
+ ok markus
- OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
+ OpenBSD-Regress-ID: dfc27b5574e3f19dc4043395594cea5f90b8572a
-commit 050c335c8da43741ed0df2570ebfbd5d1dfd0a31
+commit f9311e8921d92c5efca767227a497ab63280ac39
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 15 22:51:49 2023 +0000
+Date: Thu Jan 11 01:51:16 2024 +0000
- upstream: when deciding whether to enable keystroke timing
-
- obfuscation, only consider enabling it when a channel with a tty is open.
+ upstream: ensure key_fd is filled when DSA is disabled; spotted by
- Avoids turning on the obfucation when X11 forwarding only is in use,
- which slows it right down. Reported by Roger Marsh
+ tb@
- OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
+ OpenBSD-Commit-ID: 9dd417b6eec3cf67e870f147464a8d93f076dce7
-commit 676377ce67807a24e08a54cd60ec832946cc6cae
-Author: tobhe@openbsd.org <tobhe@openbsd.org>
-Date: Mon Nov 13 09:18:19 2023 +0000
+commit 4e838120a759d187b036036610402cbda33f3203
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jan 11 01:45:36 2024 +0000
- upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
+ upstream: make DSA key support compile-time optional, defaulting to
- was initialized. This fixes a potential uninitialized use of 'limits' in
- sftp_init() if sftp_get_limits() returned early because of an unexpected
- message type.
+ on
- ok djm@
+ ok markus@
- OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
+ OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d
-commit 64e0600f23c6dec36c3875392ac95b8a9100c2d6
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Mon Nov 13 20:03:31 2023 +1100
+commit afcc9028bfc411bc26d20bba803b83f90cb84e26
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Wed Jan 10 06:33:13 2024 +0000
- Test current releases of LibreSSL and OpenSSL.
+ upstream: fix incorrect capitalisation;
- Retire some of the older releases.
+ OpenBSD-Commit-ID: cb07eb06e15fa2334660ac73e98f29b6a1931984
-commit c8ed7cc545879ac15f6ce428be4b29c35598bb2a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Nov 1 02:08:38 2023 +0000
+commit 9707c8170c0c1baeb1e06e5a53f604498193885f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 9 22:19:36 2024 +0000
- upstream: Specify ssh binary to use
+ upstream: extend ChannelTimeout regression test to exercise multiplexed
- ... instead of relying on installed one. Fixes test failures in -portable
- when running tests prior to installation.
+ connections and the new "global" timeout type. ok dtucker@
- OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
+ OpenBSD-Regress-ID: f10d19f697024e9941acad7c2057f73d6eacb8a2
-commit e9fc2c48121cada1b4dcc5dadea5d447fe0093c3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Wed Nov 1 13:11:31 2023 +1100
+commit b31b12d28de96e1d43581d32f34da8db27e11c03
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 9 22:19:00 2024 +0000
- Put long-running test targets on hipri runners.
+ upstream: add a "global" ChannelTimeout type to ssh(1) and sshd(8)
- Some of the selfhosted test targets take a long time to run for various
- reasons, so label them for "libvirt-hipri" runners so that they can
- start immediately. This should reduce the time to complete all tests.
+ that watches all open channels and will close all open channels if there is
+ no traffic on any of them for the specified interval. This is in addition to
+ the existing per-channel timeouts added a few releases ago.
+
+ This supports use-cases like having a session + x11 forwarding channel
+ open where one may be idle for an extended period but the other is
+ actively used. The global timeout would allow closing both channels when
+ both have been idle for too long.
+
+ ok dtucker@
+
+ OpenBSD-Commit-ID: 0054157d24d2eaa5dc1a9a9859afefc13d1d7eb3
-commit 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2
+commit 602f4beeeda5bb0eca181f8753d923a2997d0a51
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 1 00:29:46 2023 +0000
+Date: Tue Jan 9 21:39:14 2024 +0000
- upstream: add some tests of forced commands overriding Subsystem
+ upstream: adapt ssh_api.c code for kex-strict
- directives
+ from markus@ ok me
- OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
+ OpenBSD-Commit-ID: 4d9f256852af2a5b882b12cae9447f8f00f933ac
-commit fb06f9b5a065dfbbef5916fc4accc03c0bf026dd
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Oct 31 04:15:40 2023 +0000
+commit 42ba34aba8708cf96583ff52975d95a8b47d990d
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 8 16:26:37 2024 +1100
- upstream: Don't try to use sudo inside sshd log wrapper.
-
- We still need to check if we're using sudo since we don't want to chown
- unecessarily, as on some platforms this causes an error which pollutes
- stderr. We also don't want to unnecessarily invoke sudo, since it's
- running in the context of the proxycommand, on *other* platforms it
- may not be able to authenticate, and if we're using SUDO then it should
- already be privileged.
-
- OpenBSD-Regress-ID: 70d58df7503db699de579a9479300e5f3735f4ee
+ nite that recent OSX tun/tap is unsupported
-commit fc3cc33e88c242c704781c6c48087838f1dcfa2a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Oct 31 02:58:45 2023 +0000
+commit 690bc125f9a3b20e47745fa8f5b5e1fd5820247f
+Author: Sevan Janiyan <venture37@geeklan.co.uk>
+Date: Wed Dec 27 04:57:49 2023 +0000
- upstream: Only try to chmod logfile if we have sudo. If we don't have
-
- sudo then we won't need to chmod.
*** 17647 LINES SKIPPED ***