git: 3bbd8dc96b44 - vendor/openssh - Vendor import of OpenSSH 8.4p1
Ed Maste
emaste at FreeBSD.org
Sun Feb 14 21:11:29 UTC 2021
The branch vendor/openssh has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7
commit 3bbd8dc96b4466d8e4f850fc0adf7d02e1df2dc7
Author: Ed Maste <emaste at FreeBSD.org>
AuthorDate: 2021-02-14 21:09:58 +0000
Commit: Ed Maste <emaste at FreeBSD.org>
CommitDate: 2021-02-14 21:09:58 +0000
Vendor import of OpenSSH 8.4p1
---
.depend | 6 +-
.github/run_test.sh | 34 +
.github/setup_ci.sh | 51 +
.github/workflows/c-cpp.yml | 39 +
.gitignore | 3 +
.skipped-commit-ids | 2 +
ChangeLog | 16487 +++++++++----------
INSTALL | 16 +-
Makefile.in | 23 +-
PROTOCOL | 6 +-
PROTOCOL.agent | 2 +
PROTOCOL.sshsig | 3 +-
PROTOCOL.u2f | 130 +-
README | 2 +-
aclocal.m4 | 193 +-
auth-options.c | 20 +-
auth-options.h | 4 +-
auth-pam.c | 6 +-
auth.c | 9 +-
auth2-pubkey.c | 18 +-
auth2.c | 26 +-
authfd.c | 6 +-
authfd.h | 6 +-
authfile.c | 10 +-
channels.c | 9 +-
channels.h | 9 +-
clientloop.c | 38 +-
compat.c | 44 +-
compat.h | 8 +-
config.h.in | 21 +
configure | 734 +-
configure.ac | 94 +-
contrib/gnome-ssh-askpass2.c | 99 +-
contrib/redhat/openssh.spec | 7 +-
contrib/ssh-copy-id | 158 +-
contrib/ssh-copy-id.1 | 2 +-
contrib/suse/openssh.spec | 6 +-
defines.h | 4 -
hostfile.c | 54 +-
hostfile.h | 5 +-
kex.c | 6 +-
kexdh.c | 3 +-
krl.c | 7 +-
log.c | 10 +-
loginrec.c | 3 +
m4/openssh.m4 | 199 +
match.c | 12 +-
match.h | 6 +-
misc.c | 263 +-
misc.h | 6 +-
moduli | 867 +-
moduli.0 | 2 +-
monitor.c | 21 +-
monitor_wrap.c | 4 +-
monitor_wrap.h | 5 +-
msg.c | 4 +-
mux.c | 14 +-
openbsd-compat/bcrypt_pbkdf.c | 4 +-
openbsd-compat/memmem.c | 216 +-
openbsd-compat/port-net.c | 7 +-
openbsd-compat/sys-queue.h | 375 +-
packet.c | 11 +-
readconf.c | 113 +-
readconf.h | 3 +-
readpass.c | 46 +-
regress/Makefile | 5 +-
regress/addrmatch.sh | 14 +-
regress/agent-subprocess.sh | 22 +
regress/agent.sh | 73 +-
regress/misc/sk-dummy/sk-dummy.c | 2 +-
regress/multiplex.sh | 14 +-
regress/netcat.c | 38 +-
regress/percent.sh | 51 +-
regress/servcfginclude.sh | 36 +-
regress/unittests/Makefile | 4 +-
regress/unittests/match/tests.c | 4 +-
regress/unittests/misc/tests.c | 88 +-
regress/unittests/sshkey/mktestdata.sh | 53 +-
regress/unittests/sshkey/test_file.c | 133 +-
regress/unittests/sshkey/test_fuzz.c | 4 +-
regress/unittests/sshkey/test_sshkey.c | 9 +-
regress/unittests/sshkey/testdata/ecdsa_sk1 | 13 +
.../unittests/sshkey/testdata/ecdsa_sk1-cert.fp | 1 +
.../unittests/sshkey/testdata/ecdsa_sk1-cert.pub | 1 +
regress/unittests/sshkey/testdata/ecdsa_sk1.fp | 1 +
regress/unittests/sshkey/testdata/ecdsa_sk1.fp.bb | 1 +
regress/unittests/sshkey/testdata/ecdsa_sk1.pub | 1 +
regress/unittests/sshkey/testdata/ecdsa_sk1_pw | 14 +
regress/unittests/sshkey/testdata/ecdsa_sk2 | 13 +
regress/unittests/sshkey/testdata/ecdsa_sk2.fp | 1 +
regress/unittests/sshkey/testdata/ecdsa_sk2.fp.bb | 1 +
regress/unittests/sshkey/testdata/ecdsa_sk2.pub | 1 +
regress/unittests/sshkey/testdata/ed25519_sk1 | 8 +
.../unittests/sshkey/testdata/ed25519_sk1-cert.fp | 1 +
.../unittests/sshkey/testdata/ed25519_sk1-cert.pub | 1 +
regress/unittests/sshkey/testdata/ed25519_sk1.fp | 1 +
.../unittests/sshkey/testdata/ed25519_sk1.fp.bb | 1 +
regress/unittests/sshkey/testdata/ed25519_sk1.pub | 1 +
regress/unittests/sshkey/testdata/ed25519_sk1_pw | 9 +
regress/unittests/sshkey/testdata/ed25519_sk2 | 8 +
regress/unittests/sshkey/testdata/ed25519_sk2.fp | 1 +
.../unittests/sshkey/testdata/ed25519_sk2.fp.bb | 1 +
regress/unittests/sshkey/testdata/ed25519_sk2.pub | 1 +
regress/unittests/sshsig/Makefile | 25 +
regress/unittests/sshsig/mktestdata.sh | 42 +
regress/unittests/sshsig/testdata/dsa | 12 +
regress/unittests/sshsig/testdata/dsa.pub | 1 +
regress/unittests/sshsig/testdata/dsa.sig | 13 +
regress/unittests/sshsig/testdata/ecdsa | 5 +
regress/unittests/sshsig/testdata/ecdsa.pub | 1 +
regress/unittests/sshsig/testdata/ecdsa.sig | 7 +
regress/unittests/sshsig/testdata/ecdsa_sk | 13 +
regress/unittests/sshsig/testdata/ecdsa_sk.pub | 1 +
regress/unittests/sshsig/testdata/ecdsa_sk.sig | 8 +
.../sshsig/testdata/ecdsa_sk_webauthn.pub | 1 +
.../sshsig/testdata/ecdsa_sk_webauthn.sig | 13 +
regress/unittests/sshsig/testdata/ed25519 | 7 +
regress/unittests/sshsig/testdata/ed25519.pub | 1 +
regress/unittests/sshsig/testdata/ed25519.sig | 6 +
regress/unittests/sshsig/testdata/ed25519_sk | 8 +
regress/unittests/sshsig/testdata/ed25519_sk.pub | 1 +
regress/unittests/sshsig/testdata/ed25519_sk.sig | 7 +
regress/unittests/sshsig/testdata/namespace | 1 +
regress/unittests/sshsig/testdata/rsa | 39 +
regress/unittests/sshsig/testdata/rsa.pub | 1 +
regress/unittests/sshsig/testdata/rsa.sig | 19 +
regress/unittests/sshsig/testdata/signed-data | 1 +
regress/unittests/sshsig/tests.c | 139 +
regress/unittests/sshsig/webauthn.html | 692 +
scp.0 | 7 +-
scp.1 | 11 +-
scp.c | 20 +-
servconf.c | 85 +-
servconf.h | 11 +-
serverloop.c | 4 +-
session.c | 43 +-
sftp-client.c | 4 +-
sftp-server.0 | 22 +-
sftp-server.8 | 22 +-
sftp-server.c | 39 +-
sftp.0 | 7 +-
sftp.1 | 11 +-
sftp.c | 11 +-
sk-api.h | 7 +-
sk-usbhid.c | 626 +-
ssh-add.0 | 20 +-
ssh-add.1 | 35 +-
ssh-add.c | 92 +-
ssh-agent.0 | 20 +-
ssh-agent.1 | 23 +-
ssh-agent.c | 158 +-
ssh-ecdsa-sk.c | 169 +-
ssh-keygen.0 | 47 +-
ssh-keygen.1 | 41 +-
ssh-keygen.c | 336 +-
ssh-keyscan.0 | 2 +-
ssh-keyscan.c | 18 +-
ssh-keysign.0 | 2 +-
ssh-keysign.c | 4 +-
ssh-pkcs11-helper.0 | 2 +-
ssh-pkcs11.c | 5 +-
ssh-sk-helper.c | 13 +-
ssh-sk.c | 47 +-
ssh.0 | 12 +-
ssh.1 | 23 +-
ssh.c | 128 +-
ssh.h | 7 +-
ssh_api.c | 14 +-
ssh_config | 3 +-
ssh_config.0 | 67 +-
ssh_config.5 | 85 +-
sshbuf-getput-basic.c | 4 +-
sshbuf-misc.c | 47 +-
sshbuf.h | 6 +-
sshconnect.c | 10 +-
sshconnect2.c | 107 +-
sshd.0 | 7 +-
sshd.8 | 11 +-
sshd.c | 120 +-
sshd_config.0 | 27 +-
sshd_config.5 | 25 +-
sshkey.c | 26 +-
sshkey.h | 11 +-
sshsig.c | 17 +-
sshsig.h | 9 +-
version.h | 4 +-
186 files changed, 14315 insertions(+), 10715 deletions(-)
diff --git a/.depend b/.depend
index 1ccc1dcc75c2..f05bd9d7483c 100644
--- a/.depend
+++ b/.depend
@@ -60,7 +60,7 @@ gss-serv-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd
gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h
-hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h ssherr.h digest.h hmac.h
+hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h pathnames.h ssherr.h digest.h hmac.h
kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h ssh2.h atomicio.h version.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h log.h match.h
kex.o: misc.h monitor.h ssherr.h sshbuf.h digest.h
kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h ssh2.h
@@ -125,8 +125,8 @@ sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c
sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h pathnames.h misc.h utf8.h sftp.h ssherr.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h
sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sntrup4591761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
-ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h ssh-sk.h
-ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h
+ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h ssh-sk.h sk-api.h
+ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h
ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h sshbuf.h ssherr.h digest.h sshkey.h
ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
diff --git a/.github/run_test.sh b/.github/run_test.sh
new file mode 100755
index 000000000000..93c3a5e9ed9d
--- /dev/null
+++ b/.github/run_test.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+TARGETS=$@
+
+TEST_TARGET="tests"
+LTESTS="" # all tests by default
+
+set -ex
+
+for TARGET in $TARGETS; do
+ case $TARGET in
+ --without-openssl)
+ # When built without OpenSSL we can't do the file-based RSA key tests.
+ TEST_TARGET=t-exec
+ ;;
+ esac
+done
+
+if [ -z "$LTESTS" ]; then
+ make $TEST_TARGET
+ result=$?
+else
+ make $TEST_TARGET LTESTS="$LTESTS"
+ result=$?
+fi
+
+if [ "$result" -ne "0" ]; then
+ for i in regress/failed*; do
+ echo -------------------------------------------------------------------------
+ echo LOGFILE $i
+ cat $i
+ echo -------------------------------------------------------------------------
+ done
+fi
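Review bot: With `set -ex` in effect, a failing `make $TEST_TARGET` ends the script immediately, so `result=$?` only ever records 0 and the loop that prints the `regress/failed*` logs cannot run in the one case it exists for. Capture the status without tripping errexit: put `result=0` before the `if`, use `make $TEST_TARGET || result=$?` in both branches, and finish with `exit "$result"` so the job still fails after the logs are shown. Inside the loop, `echo LOGFILE $i` and `cat $i` should quote `"$i"`. Note that when nothing matches the glob, `cat` receives the literal pattern and fails.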
diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
new file mode 100755
index 000000000000..e2474ccd7460
--- /dev/null
+++ b/.github/setup_ci.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+TARGETS=$@
+
+PACKAGES=""
+INSTALL_FIDO_PPA="no"
+
+#echo "Setting up for '$TARGETS'"
+
+set -ex
+
+lsb_release -a
+
+for TARGET in $TARGETS; do
+ case $TARGET in
+ ""|--without-openssl|--without-zlib)
+ # nothing to do
+ ;;
+ "--with-kerberos5")
+ PACKAGES="$PACKAGES heimdal-dev"
+ #PACKAGES="$PACKAGES libkrb5-dev"
+ ;;
+ "--with-libedit")
+ PACKAGES="$PACKAGES libedit-dev"
+ ;;
+ "--with-pam")
+ PACKAGES="$PACKAGES libpam0g-dev"
+ ;;
+ "--with-security-key-builtin")
+ INSTALL_FIDO_PPA="yes"
+ PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev"
+ ;;
+ "--with-selinux")
+ PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
+ ;;
+ *) echo "Invalid option"
+ exit 1
+ ;;
+ esac
+done
+
+if [ "yes" == "$INSTALL_FIDO_PPA" ]; then
+ sudo apt update -qq
+ sudo apt install software-properties-common
+ sudo apt-add-repository ppa:yubico/stable
+fi
+
+if [ "x" != "x$PACKAGES" ]; then
+ sudo apt update -qq
+ sudo apt install -qy $PACKAGES
+fi
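Review bot: The `--with-security-key-builtin` path runs `sudo apt install software-properties-common` and `sudo apt-add-repository ppa:yubico/stable` without a yes flag, unlike the later `sudo apt install -qy $PACKAGES`, so whether it completes presumably depends on how apt behaves without a terminal on the runner. `sudo apt install -qy software-properties-common` and `sudo apt-add-repository -y ppa:yubico/stable` would remove that dependence. Adding the PPA also means the runner installs `libfido2-dev` as root from a third-party archive with no version pin. That deserves a comment on why the distribution package is not enough, for example `# PPA needed: distro libfido2 is older than configure requires (confirm)`. `TARGETS=$@` flattens the arguments into one string, which is harmless for the fixed flags matched here but would mis-split any argument containing whitespace.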
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
new file mode 100644
index 000000000000..2189756bbf8f
--- /dev/null
+++ b/.github/workflows/c-cpp.yml
@@ -0,0 +1,39 @@
+name: C/C++ CI
+
+on:
+ push:
+ branches: [ master, ci ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ configs:
+ - ""
+ - "--with-kerberos5"
+ - "--with-libedit"
+ - "--with-pam"
+ - "--with-security-key-builtin"
+ - "--with-selinux"
+ - "--with-kerberos5 --with-libedit --with-pam --with-security-key-builtin --with-selinux"
+ - "--without-openssl --without-zlib"
+
+ steps:
+ - uses: actions/checkout at v2
+ - name: setup CI system
+ run: ./.github/setup_ci.sh ${{ matrix.configs }}
+ - name: autoreconf
+ run: autoreconf
+ - name: configure
+ run: ./configure ${{ matrix.configs }}
+ - name: make
+ run: make
+ - name: make tests
+ run: ./.github/run_test.sh ${{ matrix.configs }}
+ env:
+ TEST_SSH_UNSAFE_PERMISSIONS: 1
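Review bot: The checkout step references the action by the movable `v2` tag, so the code that runs first in every job can change without any change to this file. Pinning it to a full commit SHA, as in `uses: actions/checkout@<full-commit-sha>  # v2` (placeholder), keeps the build inputs fixed and reviewable. The workflow also declares no `permissions:` key, so the job token's scope is whatever the repository default is; a top-level `permissions:` with `contents: read` is sufficient for a build-and-test job like this one. `TEST_SSH_UNSAFE_PERMISSIONS: 1` is set without explanation. A comment such as `# CI checkout directory fails the regress suite's permission checks (confirm)` would mark it as a runner accommodation and not a setting to copy elsewhere.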
diff --git a/.gitignore b/.gitignore
index 34a95721dc66..5e4ae5a60d06 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,9 +2,11 @@ Makefile
buildpkg.sh
config.h
config.h.in
+config.h.in~
config.log
config.status
configure
+aclocal.m4
openbsd-compat/Makefile
openbsd-compat/regress/Makefile
openssh.xml
@@ -30,4 +32,5 @@ ssh-pkcs11-helper
ssh-sk-helper
sshd
!regress/misc/fuzz-harness/Makefile
+!regress/unittests/sshsig/Makefile
tags
diff --git a/.skipped-commit-ids b/.skipped-commit-ids
index 611d1093d1b8..6abbb99bca55 100644
--- a/.skipped-commit-ids
+++ b/.skipped-commit-ids
@@ -19,6 +19,8 @@ d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc
7b7b619c1452a459310b0cf4391c5757c6bdbc0f moduli update
5010ff08f7ad92082e87dde098b20f5c24921a8f moduli regen script update
3bcae7a754db3fc5ad3cab63dd46774edb35b8ae moduli regen script update
+52ff0e3205036147b2499889353ac082e505ea54 moduli update
+07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 Makefile.inc
Old upstream tree:
diff --git a/ChangeLog b/ChangeLog
index f283a8b3f455..bcaa38f94386 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,12677 +1,12492 @@
-commit 9ca7e9c861775dd6c6312bc8aaab687403d24676
+commit 279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29
Author: Damien Miller <djm at mindrot.org>
-Date: Wed May 27 10:38:00 2020 +1000
+Date: Sun Sep 27 17:25:01 2020 +1000
- depend
+ update version numbers
-commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1
+commit 58ca6ab6ff035ed12b5078e3e9c7199fe72c8587
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Mon May 18 04:29:35 2020 +0000
+Date: Sun Sep 27 07:22:05 2020 +0000
- upstream: avoid possible NULL deref; from Pedro Martelletto
+ upstream: openssh 8.4
- OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721
+ OpenBSD-Commit-ID: a29e5b372d2c00e297da8a35a3b87c9beb3b4a58
-commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d
+commit 9bb8a303ce05ff13fb421de991b495930be103c3
Author: Damien Miller <djm at mindrot.org>
-Date: Thu May 14 12:22:09 2020 +1000
+Date: Tue Sep 22 10:07:43 2020 +1000
- prefer ln to cp for temporary copy of sshd
-
- I saw failures on the reexec fallback test on Darwin 19.4 where
- fork()ed children of a process that had it's executable removed
- would instantly fail. Using ln to preserve the inode avoids this.
+ sync with upstream ssh-copy-id rev f0da1a1b7
-commit f700d316c6b15a9cfbe87230d2dca81a5d916279
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Wed May 13 15:24:51 2020 +1000
+commit 0a4a5571ada76b1b012bec9cf6ad1203fc19ec8d
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Mon Sep 21 07:29:09 2020 +0000
- Actually skip pty tests when needed.
+ upstream: close stdin when forking after authentication too; ok markus
+
+ OpenBSD-Commit-ID: 43db17e4abc3e6b4a7b033aa8cdab326a7cb6c24
-commit 08ce6b2210f46f795e7db747809f8e587429dfd2
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Wed May 13 13:56:45 2020 +1000
+commit d14fe25e6c3b89f8af17e2894046164ac3b45688
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Sun Sep 20 23:31:46 2020 +0000
- Skip building sk-dummy library if no SK support.
+ upstream: close stdout/stderr after "ssh -f ..." forking
+
+ bz#3137, ok markus
+
+ OpenBSD-Commit-ID: e2d83cc4dea1665651a7aa924ad1ed6bcaaab3e2
-commit 102d106bc2e50347d0e545fad6ff5ce408d67247
+commit 53a33a0d745179c02108589e1722457ca8ae4372
Author: Damien Miller <djm at mindrot.org>
-Date: Wed May 13 12:08:34 2020 +1000
+Date: Sun Sep 20 15:57:09 2020 +1000
- explicitly manage .depend and .depend.bak
+ .depend
+
+commit 107eb3eeafcd390e1fa7cc7672a05e994d14013e
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Sun Sep 20 05:47:25 2020 +0000
+
+ upstream: cap channel input buffer size at 16MB; avoids high memory use
- Bring back removal of .depend to give the file a known state before
- running makedepend, but manually move aside the current .depend file
- and restore it as .depend.bak afterwards so the stale .depend check
- works as expected.
+ when peer advertises a large window but is slow to consume the data we send
+ (e.g. because of a slow network)
+
+ reported by Pierre-Yves David
+
+ fix with & ok markus@
+
+ OpenBSD-Commit-ID: 1452771f5e5e768876d3bfe2544e3866d6ade216
-commit 83a6dc6ba1e03b3fa39d12a8522b8b0e68dd6390
+commit acfe2ac5fe033e227ad3a56624fbbe4af8b5da04
Author: Damien Miller <djm at mindrot.org>
-Date: Wed May 13 12:03:42 2020 +1000
+Date: Fri Sep 18 22:02:53 2020 +1000
- make depend
+ libfido2 1.5.0 is recommended
-commit 7c0bbed967abed6301a63e0267cc64144357a99a
-Author: Damien Miller <djm at mindrot.org>
-Date: Wed May 13 12:01:10 2020 +1000
+commit 52a03e9fca2d74eef953ddd4709250f365ca3975
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Sep 18 08:16:38 2020 +0000
- revert removal of .depend before makedepend
+ upstream: handle multiple messages in a single read()
- Commit 83657eac4 started removing .depend before running makedepend
- to reset the contents of .depend to a known state. Unfortunately
- this broke the depend-check step as now .depend.bak would only ever
- be created as an empty file.
+ PR#183 by Dennis Kaarsemaker; feedback and ok markus@
- ok dtucker
+ OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
-commit 58ad004acdcabf3b9f40bc3aaa206b25d998db8c
-Author: Damien Miller <djm at mindrot.org>
-Date: Tue May 12 12:58:46 2020 +1000
+commit dc098405b2939146e17567a25b08fc6122893cdf
+Author: pedro martelletto <pedro at ambientworks.net>
+Date: Fri Sep 18 08:57:29 2020 +0200
- prepare for 8.3 release
+ configure.ac: add missing includes
+
+ when testing, make sure to include the relevant header files that
+ declare the types of the functions used by the test:
+
+ - stdio.h for printf();
+ - stdlib.h for exit();
+ - string.h for strcmp();
+ - unistd.h for unlink(), _exit(), fork(), getppid(), sleep().
-commit 4fa9e048c2af26beb7dc2ee9479ff3323e92a7b5
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Fri May 8 21:50:43 2020 +1000
+commit b3855ff053f5078ec3d3c653cdaedefaa5fc362d
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Fri Sep 18 05:23:03 2020 +0000
- Ensure SA_SIGNAL test only signals itself.
+ upstream: tweak the client hostkey preference ordering algorithm to
- When the test's child signals its parent and it exits the result of
- getppid changes. On Ubuntu 20.04 this results in the ppid being that
- of the GDM session, causing it to exit. Analysis and testing from pedro
- at ambientworks.net
+ prefer the default ordering if the user has a key that matches the
+ best-preference default algorithm.
+
+ feedback and ok markus@
+
+ OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
-commit dc2da29aae76e170d22f38bb36f1f5d1edd5ec2b
+commit f93b187ab900c7d12875952cc63350fe4de8a0a8
Author: Damien Miller <djm at mindrot.org>
-Date: Fri May 8 13:31:53 2020 +1000
+Date: Fri Sep 18 14:55:48 2020 +1000
- sync config.guess/config.sub with latest versions
+ control over the colours in gnome-ssh-askpass[23]
- ok dtucker@
+ Optionally set the textarea colours via $GNOME_SSH_ASKPASS_FG_COLOR and
+ $GNOME_SSH_ASKPASS_BG_COLOR. These accept the usual three or six digit
+ hex colours.
-commit a8265bd64c14881fc7f4fa592f46dfc66b911f17
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed May 6 20:58:01 2020 +0000
+commit 9d3d36bdb10b66abd1af42e8655502487b6ba1fa
+Author: Damien Miller <djm at mindrot.org>
+Date: Fri Sep 18 14:50:38 2020 +1000
- upstream: openssh-8.3; ok deraadt@
+ focus improvement for gnome-ssh-askpass[23]
- OpenBSD-Commit-ID: c8831ec88b9c750f5816aed9051031fb535d22c1
+ When serving a SSH_ASKPASS_PROMPT=none information dialog, ensure
+ then <enter> doesn't immediately close the dialog. Instead, require an
+ explicit <tab> to reach the close button, or <esc>.
-commit 955854cafca88e0cdcd3d09ca1ad4ada465364a1
+commit d6f507f37e6c75a899db0ef8224e72797c5563b6
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Wed Sep 16 03:07:31 2020 +0000
+
+ upstream: Remove unused buf, last user was removed when switching
+
+ to the sshbuf API. Patch from Sebastian Andrzej Siewior.
+
+ OpenBSD-Commit-ID: 250fa17f0cec01039cc4abd95917d9746e24c889
+
+commit c3c786c3a0973331ee0922b2c51832a3b8d7f20f
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Wed May 6 20:57:38 2020 +0000
+Date: Wed Sep 9 21:57:27 2020 +0000
- upstream: another case where a utimes() failure could make scp send
+ upstream: For the hostkey confirmation message:
- a desynchronising error; reminded by Aymeric Vincent ok deraadt markus
+ > Are you sure you want to continue connecting (yes/no/[fingerprint])?
- OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381
+ compare the fingerprint case sensitively; spotted Patrik Lundin
+ ok dtucker
+
+ OpenBSD-Commit-ID: 73097afee1b3a5929324e345ba4a4a42347409f2
-commit 59d531553fd90196946743da391f3a27cf472f4e
+commit f2950baf0bafe6aa20dfe2e8d1ca4b23528df617
Author: Darren Tucker <dtucker at dtucker.net>
-Date: Thu May 7 15:34:12 2020 +1000
+Date: Fri Sep 11 14:45:23 2020 +1000
- Check if -D_REENTRANT is needed for localtime_r.
-
- On at least HP-UX 11.11, the localtime_r declararation is behind
- ifdef _REENTRANT. Check for and add if needed.
+ New config-build-time dependency on automake.
-commit c13403e55de8cdbb9da628ed95017b1d4c0f205f
+commit 600c1c27abd496372bd0cf83d21a1c119dfdf9a5
Author: Darren Tucker <dtucker at dtucker.net>
-Date: Tue May 5 11:32:43 2020 +1000
+Date: Sun Sep 6 21:56:36 2020 +1000
- Skip security key tests if ENABLE_SK not set.
+ Add aclocal.m4 and config.h.in~ to .gitignore.
+
+ aclocal.m4 is now generated by autoreconf.
-commit 4da393f87cd52d788c84112ee3f2191c9bcaaf30
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 04:03:14 2020 +0000
+commit 4bf7e1d00b1dcd3a6b3239f77465c019e61c6715
+Author: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Sat Sep 5 17:50:03 2020 +0200
- upstream: sure enough, some of the test data that we though were in
+ Quote the definition of OSSH_CHECK_HEADER_FOR_FIELD
- new format were actually in the old format; fix from Michael Forney
+ autoreconf complains about underquoted definition of
+ OSSH_CHECK_HEADER_FOR_FIELD after aclocal.m4 has been and now is beeing
+ recreated.
- OpenBSD-Regress-ID: a41a5c43a61b0f0b1691994dbf16dfb88e8af933
+ Quote OSSH_CHECK_HEADER_FOR_FIELD as suggested.
+
+ Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
-commit 15bfafc1db4c8792265ada9623a96f387990f732
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 04:00:29 2020 +0000
+commit a2f3ae386b5f7938ed3c565ad71f30c4f7f010f1
+Author: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Sat Sep 5 17:50:02 2020 +0200
- upstream: make mktestdata.sh generate old/new format keys that we
+ Move the local m4 macros
- expect. This script was written before OpenSSH switched to new-format private
- keys by default and was never updated to the change (until now) From Michael
- Forney
+ The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is
+ present.
+ Move the current aclocal.m4 which contains local macros into the m4/
+ folder. With this change the aclocal.m4 will be re-created during
+ changes to the m4/ macro.
+ This is needed so the `aclocal' can fetch m4 macros from the system if
+ they are references in the configure script. This is a prerequisite to
+ use PKG_CHECK_MODULES.
- OpenBSD-Regress-ID: 38cf354715c96852e5b71c2393fb6e7ad28b7ca7
+ Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
-commit 7882d2eda6ad3eb82220a85294de545d20ef82db
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 03:58:02 2020 +0000
+commit 8372bff3a895b84fd78a81dc39da10928b662f5a
+Author: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Sat Sep 5 17:50:01 2020 +0200
- upstream: portability fix for sed that always emil a newline even
+ Remove HAVE_MMAP and BROKEN_MMAP
- if the input does not contain one; from Michael Forney
+ BROKEN_MMAP is no longer defined since commit
+ 1cfd5c06efb12 ("Remove portability support for mmap")
- OpenBSD-Regress-ID: 9190c3ddf0d2562ccc02c4a95fce0e392196bfc7
+ this commit also removed other HAVE_MMAP user. I didn't find anything
+ that defines HAVE_MMAP. The check does not trigger because compression
+ on server side is by default COMP_DELAYED (2) so it never triggers.
+
+ Remove remaining HAVE_MMAP and BROKEN_MMAP bits.
+
+ Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
-commit 8074f9499e454df0acdacea33598858a1453a357
+commit bbf20ac8065905f9cb9aeb8f1df57fcab52ee2fb
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 03:36:25 2020 +0000
+Date: Wed Sep 9 03:10:21 2020 +0000
- upstream: remove obsolete RSA1 test keys; spotted by Michael Forney
+ upstream: adapt to SSH_SK_VERSION_MAJOR crank
- OpenBSD-Regress-ID: 6384ba889594e217d166908ed8253718ab0866da
+ OpenBSD-Regress-ID: 0f3e76bdc8f9dbd9d22707c7bdd86051d5112ab8
-commit c697e46c314aa94574af0d393d80f23e0ebc9748
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Sat May 2 18:34:47 2020 +1000
-
- Update .depend.
-
-commit 83657eac42941f270c4b02b2c46d9a21f616ef99
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Sat May 2 18:29:40 2020 +1000
+commit 9afe2a150893b20bdf9eab764978d817b9a7b783
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Aug 28 03:17:13 2020 +0000
- Remove use of tail for 'make depend'.
+ upstream: Ensure that address/mask mismatches are flagged at
- Not every tail supports +N and we can do with out it so just remove it.
- Prompted by mforney at mforney.org.
+ config-check time. ok djm@
+
+ OpenBSD-Regress-ID: 8f5f4c2c0bf00e6ceae7a1755a444666de0ea5c2
-commit d25d630d24c5a1c64d4e646510e79dc22d6d7b88
+commit c76773524179cb654ff838dd43ba1ddb155bafaa
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Sat May 2 07:19:43 2020 +0000
+Date: Wed Sep 9 03:08:01 2020 +0000
- upstream: we have a sshkey_save_public() function to save public keys;
+ upstream: when writing an attestation blob for a FIDO key, record all
- use it and save a bunch of redundant code.
+ the data needed to verify the attestation. Previously we were missing the
+ "authenticator data" that is included in the signature.
- Patch from loic AT venez.fr; ok markus@ djm@
+ spotted by Ian Haken
+ feedback Pedro Martelletto and Ian Haken; ok markus@
- OpenBSD-Commit-ID: f93e030a0ebcd0fd9054ab30db501ec63454ea5f
+ OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
-commit e9dc9863723e111ae05e353d69df857f0169544a
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Fri May 1 18:32:25 2020 +1000
+commit c1c44eeecddf093a7983bd91e70b446de789b363
+Author: pedro martelletto <pedro at ambientworks.net>
+Date: Tue Sep 1 17:01:55 2020 +0200
- Use LONG_LONG_MAX and friends if available.
+ configure.ac: fix libfido2 back-compat
- If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX}
- then use those instead. We do calculate these values in configure,
- but it turns out that at least one compiler (old HP ANSI C) can't
- parse "-9223372036854775808LL" without mangling it. (It can parse
- "-9223372036854775807LL" which is presumably why its limits.h defines
- LONG_LONG_MIN as the latter minus 1.)
-
- Fixes rekey test when compiled with the aforementioned compiler.
+ - HAVE_FIDO_CRED_PROD -> HAVE_FIDO_CRED_PROT;
+ - check for fido_dev_get_touch_begin(), so that
+ HAVE_FIDO_DEV_GET_TOUCH_BEGIN gets defined.
-commit aad87b88fc2536b1ea023213729aaf4eaabe1894
+commit 785f0f315bf7ac5909e988bb1ac3e019fb5e1594
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 06:31:42 2020 +0000
+Date: Mon Aug 31 04:33:17 2020 +0000
- upstream: when receving a file in sink(), be careful to send at
-
- most a single error response after the file has been opened. Otherwise the
- source() and sink() can become desyncronised. Reported by Daniel Goujot,
- Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.
+ upstream: refuse to add verify-required (PINful) FIDO keys to
- ok deraadt@ markus@
+ ssh-agent until the agent supports them properly
- OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035
+ OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
-commit 31909696c4620c431dd55f6cd15db65c4e9b98da
+commit 39e88aeff9c7cb6862b37ad1a87a03ebbb38c233
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 06:28:52 2020 +0000
+Date: Mon Aug 31 00:17:41 2020 +0000
- upstream: expose vasnmprintf(); ok (as part of other commit) markus
+ upstream: Add RCS IDs to the few files that are missing them; from
- deraadt
+ Pedro Martelletto
- OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5
+ OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3
-commit 99ce9cefbe532ae979744c6d956b49f4b02aff82
-Author: djm at openbsd.org <djm at openbsd.org>
-Date: Fri May 1 04:23:11 2020 +0000
+commit 72730249b38a676da94a1366b54a6e96e6928bcb
+Author: dtucker at openbsd.org <dtucker at openbsd.org>
+Date: Fri Aug 28 03:15:52 2020 +0000
- upstream: avoid NULL dereference when attempting to convert invalid
+ upstream: Check that the addresses supplied to Match Address and
- ssh.com private keys using "ssh-keygen -i"; spotted by Michael Forney
+ Match LocalAddress are valid when parsing in config-test mode. This will
+ catch address/mask mismatches before they cause problems at runtime. Found by
+ Daniel Stocker, ok djm@
- OpenBSD-Commit-ID: 2e56e6d26973967d11d13f56ea67145f435bf298
+ OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b
-commit 6c6072ba8b079e6f5caa38b011a6f4570c14ed38
-Author: Darren Tucker <dtucker at dtucker.net>
-Date: Fri May 1 15:09:26 2020 +1000
+commit 2a3a9822311a565a9df48ed3b6a3c972f462bd7d
+Author: jmc at openbsd.org <jmc at openbsd.org>
+Date: Thu Aug 27 12:34:00 2020 +0000
- See if SA_RESTART signals will interrupt select().
-
- On some platforms (at least older HP-UXes such as 11.11, possibly others)
- setting SA_RESTART on signal handers will cause it to not interrupt
- select(), at least for calls that do not specify a timeout. Try to
- detect this and if found, don't use SA_RESTART.
+ upstream: sentence fix; from pedro martelletto
- POSIX says "If SA_RESTART has been set for the interrupting signal, it
- is implementation-dependent whether select() restarts or returns with
- [EINTR]" so this behaviour is within spec.
+ OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575
-commit 90a0b434ed41f9c505662dba8782591818599cb3
+commit ce178be0d954b210c958bc2b9e998cd6a7aa73a9
Author: Damien Miller <djm at mindrot.org>
-Date: Fri May 1 13:55:03 2020 +1000
+Date: Thu Aug 27 20:01:52 2020 +1000
- fix reversed test
+ tweak back-compat for older libfido2
-commit c0dfd18dd1c2107c73d18f70cd164f7ebd434b08
-Author: Damien Miller <djm at mindrot.org>
-Date: Fri May 1 13:29:16 2020 +1000
+commit d6f45cdde031acdf434bbb27235a1055621915f4
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Thu Aug 27 09:46:04 2020 +0000
- wrap sha2.h inclusion in #ifdef HAVE_SHA2_H
+ upstream: debug()-print a little info about FIDO-specific key
+
+ fields via "ssh-keygen -vyf /path/key"
+
+ OpenBSD-Commit-ID: cf315c4fe77db43947d111b00155165cb6b577cf
-commit a01817a9f63dbcbbc6293aacc4019993a4cdc7e3
+commit b969072cc3d62d05cb41bc6d6f3c22c764ed932f
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Apr 28 04:59:29 2020 +0000
+Date: Thu Aug 27 09:43:28 2020 +0000
- upstream: adapt dummy FIDO middleware to API change; ok markus@
+ upstream: skip a bit more FIDO token selection logic when only a
- OpenBSD-Regress-ID: 8bb84ee500c2eaa5616044314dd0247709a1790f
+ single token is attached.
+
+ with Pedro Martelletto
+
+ OpenBSD-Commit-ID: e4a324bd9814227ec1faa8cb619580e661cca9ac
-commit 261571ddf02ea38fdb5e4a97c69ee53f847ca5b7
+commit 744df42a129d7d7db26947b7561be32edac89f88
Author: jmc at openbsd.org <jmc at openbsd.org>
-Date: Thu Apr 30 18:28:37 2020 +0000
+Date: Thu Aug 27 06:15:22 2020 +0000
- upstream: tweak previous; ok markus
+ upstream: tweak previous;
- OpenBSD-Commit-ID: 41895450ce2294ec44a5713134491cc31f0c09fd
+ OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7
-commit 5de21c82e1d806d3e401b5338371e354b2e0a66f
-Author: markus at openbsd.org <markus at openbsd.org>
-Date: Thu Apr 30 17:12:20 2020 +0000
+commit e32479645ce649b444ba5c6e7151304306a09654
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Thu Aug 27 03:55:22 2020 +0000
- upstream: bring back debug() removed in rev 1.74; noted by pradeep
+ upstream: adapt to API changes
- kumar
-
- OpenBSD-Commit-ID: 8d134d22ab25979078a3b48d058557d49c402e65
+ OpenBSD-Regress-ID: 5f147990cb67094fe554333782ab268a572bb2dd
-commit ea14103ce9a5e13492e805f7e9277516ff5a4273
-Author: markus at openbsd.org <markus at openbsd.org>
-Date: Thu Apr 30 17:07:10 2020 +0000
+commit bbcc858ded3fbc46abfa7760e40389e3ca93884c
+Author: Damien Miller <djm at mindrot.org>
+Date: Thu Aug 27 12:37:12 2020 +1000
- upstream: run the 2nd ssh with BatchMode for scp -3
-
- OpenBSD-Commit-ID: 77994fc8c7ca02d88e6d0d06d0f0fe842a935748
+ degrade semi-gracefully when libfido2 is too old
-commit 59d2de956ed29aa5565ed5e5947a7abdb27ac013
+commit 9cbbdc12cb6a2ab1e9ffe9974cca91d213c185c2
Author: djm at openbsd.org <djm at openbsd.org>
-Date: Tue Apr 28 04:02:29 2020 +0000
+Date: Thu Aug 27 01:15:36 2020 +0000
- upstream: when signing a challenge using a FIDO toke, perform the
+ upstream: dummy firmware needs to match API version numner crank (for
- hashing in the middleware layer rather than in ssh code. This allows
- middlewares that call APIs that perform the hashing implicitly (including
- Microsoft's AFAIK). ok markus@
+ verify-required resident keys) even though it doesn't implement this feature
- OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
+ OpenBSD-Regress-ID: 86579ea2891e18e822e204413d011b2ae0e59657
-commit c9d10dbc0ccfb1c7568bbb784f7aeb7a0b5ded12
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Sun Apr 26 09:38:14 2020 +0000
+commit c1e76c64956b424ba260fd4eec9970e5b5859039
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Thu Aug 27 02:11:09 2020 +0000
- upstream: Fix comment typo. Patch from mforney at mforney.org.
+ upstream: remove unreachable code I forgot to delete in r1.334
- OpenBSD-Commit-ID: 3565f056003707a5e678e60e03f7a3efd0464a2b
+ OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18
-commit 4d2c87b4d1bde019cdd0f00552fcf97dd8b39940
-Author: dtucker at openbsd.org <dtucker at openbsd.org>
-Date: Sat Apr 25 06:59:36 2020 +0000
+commit 0caff05350bd5fc635674c9e051a0322faba5ae3
+Author: djm at openbsd.org <djm at openbsd.org>
+Date: Thu Aug 27 01:08:45 2020 +0000
- upstream: We've standardized on memset over bzero, replace a couple
+ upstream: Request PIN ahead of time for certain FIDO actions
- that had slipped in. ok deraadt markus djm.
+ When we know that a particular action will require a PIN, such as
+ downloading resident keys or generating a verify-required key, request
+ the PIN before attempting it.
- OpenBSD-Commit-ID: f5be055554ee93e6cc66b0053b590bef3728dbd6
+ joint work with Pedro Martelletto; ok markus@
+
+ OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
-commit 7f23f42123d64272a7b00754afa6b0841d676691
-Author: Darren Tucker <dtucker at dtucker.net>
*** 35149 LINES SKIPPED ***