From 36b354d74be5adbb73d7dcd2ceb49b5105145d02 Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Thu, 16 Mar 2023 08:41:22 -0400 Subject: [PATCH] Vendor import of OpenSSH 9.3p1 --- .depend | 51 +- .github/ci-status.md | 7 +- .github/configs | 2 +- .github/run_test.sh | 2 +- .github/setup_ci.sh | 6 +- .github/workflows/c-cpp.yml | 1 + .github/workflows/selfhosted.yml | 3 + .github/workflows/upstream.yml | 1 + ChangeLog | 1694 ++++++++++++------------ Makefile.in | 5 + README | 3 +- README.md | 1 + auth-pam.c | 15 +- auth-shadow.c | 14 +- auth.c | 3 +- auth2-hostbased.c | 9 +- auth2-none.c | 3 +- auth2-pubkey.c | 8 +- auth2-pubkeyfile.c | 3 +- auth2.c | 5 +- authfd.c | 9 +- authfile.c | 4 +- canohost.c | 5 +- channels.c | 42 +- channels.h | 4 +- clientloop.c | 14 +- compat.c | 53 +- compat.h | 14 +- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- dispatch.c | 3 +- dns.c | 8 +- dns.h | 4 +- hostfile.c | 15 +- kex.c | 72 +- kex.h | 5 +- kexgexs.c | 3 +- krl.c | 3 +- misc.c | 5 +- misc.h | 5 +- moduli.c | 13 +- monitor.c | 11 +- mux.c | 4 +- openbsd-compat/bsd-getentropy.c | 2 +- openbsd-compat/bsd-snprintf.c | 90 +- openbsd-compat/getopt.h | 3 + openbsd-compat/getopt_long.c | 14 + openbsd-compat/getrrsetbyname.c | 47 +- openbsd-compat/libressl-api-compat.c | 14 +- openbsd-compat/mktemp.c | 23 + openbsd-compat/openbsd-compat.h | 3 + packet.c | 4 +- progressmeter.c | 99 +- readconf.c | 11 +- regress/Makefile | 6 +- regress/agent-getpeereid.sh | 3 +- regress/agent-restrict.sh | 6 +- regress/agent.sh | 4 +- regress/dhgex.sh | 6 +- regress/integrity.sh | 4 +- regress/keygen-sshfp.sh | 22 +- regress/knownhosts.sh | 20 +- regress/multiplex.sh | 4 +- regress/sshd-log-wrapper.sh | 12 - regress/test-exec.sh | 88 +- regress/timestamp.c | 46 + regress/unittests/kex/test_proposal.c | 47 +- regress/unittests/kex/tests.c | 8 +- regress/unittests/misc/test_ptimeout.c | 6 +- sandbox-seccomp-filter.c | 93 +- scp.c | 8 +- servconf.c | 15 +- serverloop.c | 5 +- session.c | 4 +- sftp-client.c | 3 +- sftp-server.c | 4 +- sftp.c | 14 +- ssh-add.c | 9 +- ssh-agent.c | 8 +- ssh-dss.c | 3 +- ssh-ecdsa-sk.c | 3 +- ssh-ecdsa.c | 4 +- ssh-keygen.0 | 10 +- ssh-keygen.1 | 19 +- ssh-keygen.c | 42 +- ssh-keyscan.0 | 15 +- ssh-keyscan.1 | 19 +- ssh-keyscan.c | 22 +- ssh-pkcs11.c | 8 +- ssh-rsa.c | 3 +- ssh.c | 3 +- ssh_config.0 | 14 +- ssh_config.5 | 6 +- sshconnect.c | 5 +- sshconnect2.c | 81 +- sshd.0 | 14 +- sshd.8 | 20 +- sshd.c | 92 +- sshd_config.0 | 18 +- sshd_config.5 | 18 +- umac.c | 5 +- version.h | 4 +- 102 files changed, 1902 insertions(+), 1417 deletions(-) delete mode 100644 regress/sshd-log-wrapper.sh create mode 100644 regress/timestamp.c diff --git a/.depend b/.depend index 5226523aa2ad..259bf3b2f136 100644 --- a/.depend +++ b/.depend @@ -16,21 +16,20 @@ auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h ssherr.h misc.h xmalloc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth.o: authfile.h monitor_wrap.h compat.h channels.h +auth.o: authfile.h monitor_wrap.h channels.h auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h groupaccess.h log.h ssherr.h sshbuf.h misc.h servconf.h openbsd-compat/sys-queue.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h canohost.h uidswap.h packet.h dispatch.h auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h misc.h servconf.h auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth2-hostbased.o: canohost.h monitor_wrap.h pathnames.h match.h -auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h +auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h +auth2-hostbased.o: monitor_wrap.h pathnames.h match.h auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h log.h ssherr.h misc.h servconf.h -auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h misc.h servconf.h compat.h ssh2.h monitor_wrap.h +auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h misc.h servconf.h ssh2.h monitor_wrap.h auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h -auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h compat.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h -auth2.o: digest.h -auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h -authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h compat.h log.h ssherr.h atomicio.h misc.h +auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h +auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h +authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h log.h ssherr.h atomicio.h misc.h authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h ssherr.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h krl.h bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h canohost.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h canohost.h misc.h @@ -44,11 +43,11 @@ cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h sshbuf.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h clientloop.o: myproposal.h log.h ssherr.h misc.h readconf.h clientloop.h sshconnect.h authfd.h atomicio.h sshpty.h match.h msg.h hostfile.h -compat.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h log.h ssherr.h match.h kex.h mac.h crypto_api.h +compat.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h log.h ssherr.h match.h dh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h digest-libc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h digest.h digest-openssl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -dispatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh2.h log.h ssherr.h dispatch.h packet.h openbsd-compat/sys-queue.h compat.h +dispatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh2.h log.h ssherr.h dispatch.h packet.h openbsd-compat/sys-queue.h dns.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h ssherr.h dns.h log.h digest.h ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h entropy.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h @@ -61,7 +60,7 @@ hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h ssherr.h misc.h pathnames.h digest.h hmac.h sshbuf.h kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h ssh2.h atomicio.h version.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h log.h ssherr.h -kex.o: match.h misc.h monitor.h sshbuf.h digest.h +kex.o: match.h misc.h monitor.h myproposal.h sshbuf.h digest.h xmalloc.h kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h ssh2.h kexdh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h kexecdh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h @@ -94,8 +93,8 @@ platform-tracing.o: includes.h config.h defines.h platform.h openbsd-compat/open platform.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h misc.h servconf.h openbsd-compat/sys-queue.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h poly1305.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h poly1305.h progressmeter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h progressmeter.h atomicio.h misc.h utf8.h -readconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssherr.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h kex.h mac.h crypto_api.h -readconf.o: uidswap.h myproposal.h digest.h +readconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssherr.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h kex.h mac.h crypto_api.h uidswap.h +readconf.o: myproposal.h digest.h readpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h misc.h pathnames.h log.h ssherr.h ssh.h uidswap.h rijndael.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h rijndael.h sandbox-capsicum.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h @@ -107,12 +106,12 @@ sandbox-seccomp-filter.o: includes.h config.h defines.h platform.h openbsd-compa sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp.h sftp-common.h sftp-client.h -servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h -servconf.o: kex.h mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h -serverloop.o: cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h -serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h packet.h dispatch.h sshbuf.h log.h ssherr.h misc.h servconf.h canohost.h sshpty.h channels.h compat.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h -session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h sshbuf.h ssherr.h match.h uidswap.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h -session.o: rijndael.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h crypto_api.h monitor_wrap.h sftp.h atomicio.h +servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h ssherr.h sshbuf.h misc.h servconf.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h +servconf.o: mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h +serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h packet.h dispatch.h sshbuf.h log.h ssherr.h misc.h servconf.h canohost.h sshpty.h channels.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h +serverloop.o: rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h +session.o: hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h crypto_api.h monitor_wrap.h sftp.h atomicio.h +session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h sshbuf.h ssherr.h match.h uidswap.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sftp-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h sshbuf.h log.h atomicio.h progressmeter.h misc.h utf8.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-common.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssherr.h sshbuf.h log.h misc.h sftp.h sftp-common.h sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h @@ -125,7 +124,7 @@ sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h hostfile.h -ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h myproposal.h +ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h myproposal.h ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h sshbuf.h ssherr.h digest.h sshkey.h ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h @@ -133,8 +132,8 @@ ssh-ed25519-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbs ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h log.h ssherr.h sshbuf.h sshkey.h ssh.h ssh-keygen.o: cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h sshbuf.h pathnames.h log.h ssherr.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h sshsig.h ssh-sk.h sk-api.h cipher.h -ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h compat.h myproposal.h packet.h dispatch.h log.h -ssh-keyscan.o: ssherr.h atomicio.h misc.h hostfile.h ssh_api.h ssh2.h dns.h addr.h +ssh-keyscan.o: dispatch.h log.h ssherr.h atomicio.h misc.h hostfile.h ssh_api.h ssh2.h dns.h addr.h +ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h kex.h mac.h crypto_api.h compat.h myproposal.h packet.h ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h ssh-pkcs11-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h sshbuf.h log.h ssherr.h misc.h sshkey.h authfd.h ssh-pkcs11.h @@ -153,12 +152,12 @@ sshbuf-getput-crypto.o: includes.h config.h defines.h platform.h openbsd-compat/ sshbuf-io.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h atomicio.h sshbuf-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h sshbuf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h misc.h -sshconnect.o: authfd.h kex.h mac.h crypto_api.h -sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h sshkey.h sshconnect.h log.h ssherr.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h +sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h sshkey.h sshconnect.h log.h ssherr.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h authfd.h +sshconnect.o: kex.h mac.h crypto_api.h sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h -sshconnect2.o: myproposal.h sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h +sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h -sshd.o: poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h myproposal.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h +sshd.o: poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h ssherr.o: ssherr.h sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh2.h ssherr.h misc.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h match.h ssh-sk.h openbsd-compat/openssl-compat.h diff --git a/.github/ci-status.md b/.github/ci-status.md index d13bbfa8c038..c57c3d83d11a 100644 --- a/.github/ci-status.md +++ b/.github/ci-status.md @@ -4,7 +4,8 @@ master : [![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master) [![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) +[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable) -9.1 : -[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_1) -[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_1) +9.2 : +[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_2)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_2) +[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_2)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_2) diff --git a/.github/configs b/.github/configs index bdd5ddbdfaf0..8f21fc54a268 100755 --- a/.github/configs +++ b/.github/configs @@ -221,7 +221,7 @@ case "${TARGET_HOST}" in # test run does not time out. # The agent-restrict test fails due to some quoting issue when run # with sh or ksh so specify bash for now. - TEST_TARGET="t-exec TEST_SHELL=bash" + TEST_TARGET="t-exec unit TEST_SHELL=bash" SKIP_LTESTS="rekey sftp" ;; debian-riscv64) diff --git a/.github/run_test.sh b/.github/run_test.sh index 8eeaf5e9b09d..d5fd487d9009 100755 --- a/.github/run_test.sh +++ b/.github/run_test.sh @@ -21,7 +21,7 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then fi output_failed_logs() { - for i in regress/failed*; do + for i in regress/failed*.log; do if [ -f "$i" ]; then echo ------------------------------------------------------------------------- echo LOGFILE $i diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh index e4480e614f31..691c70dd7ed6 100755 --- a/.github/setup_ci.sh +++ b/.github/setup_ci.sh @@ -7,10 +7,10 @@ PACKAGES="" case "`./config.guess`" in *cygwin) PACKAGER=setup - echo Setting CYGWIN sustem environment variable. + echo Setting CYGWIN system environment variable. setx CYGWIN "binmode" - chmod -R go-rw /cygdrive/d/a - umask 077 + echo Removing extended ACLs so umask works as expected. + setfacl -b . regress PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core" PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel" ;; diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml index e6ea49550f71..f3163884a037 100644 --- a/.github/workflows/c-cpp.yml +++ b/.github/workflows/c-cpp.yml @@ -123,3 +123,4 @@ jobs: regress/valgrind-out/ regress/asan.log.* regress/msan.log.* + regress/log/* diff --git a/.github/workflows/selfhosted.yml b/.github/workflows/selfhosted.yml index 50bc9fffb723..d38cba520500 100644 --- a/.github/workflows/selfhosted.yml +++ b/.github/workflows/selfhosted.yml @@ -21,6 +21,7 @@ jobs: matrix: target: - alpine + - centos7 - debian-i386 - dfly30 - dfly48 @@ -51,6 +52,7 @@ jobs: include: # Then we include extra libvirt test configs. - { target: aix51, config: default, host: libvirt } + - { target: centos7, config: pam, host: libvirt } - { target: debian-i386, config: pam, host: libvirt } - { target: dfly30, config: without-openssl, host: libvirt} - { target: dfly48, config: pam ,host: libvirt } @@ -109,6 +111,7 @@ jobs: config.h config.log regress/*.log + regress/log/* regress/valgrind-out/ - name: shutdown VM if: always() diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index 1e2c2acb7ac0..b280793d31f3 100644 --- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml @@ -46,6 +46,7 @@ jobs: name: ${{ matrix.target }}-${{ matrix.config }}-logs path: | /usr/obj/regress/usr.bin/ssh/obj/*.log + /usr/obj/regress/usr.bin/ssh/obj/log/* - name: shutdown VM if: always() run: vmshutdown diff --git a/ChangeLog b/ChangeLog index 4251831a1732..f1d1b37d583c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,871 @@ +commit cb30fbdbee869f1ce11f06aa97e1cb8717a0b645 +Author: Damien Miller +Date: Thu Mar 16 08:28:19 2023 +1100 + + depend + +commit 1dba63eb10c40b6fda9f5012ed6ae87e2d3d028e +Author: Damien Miller +Date: Thu Mar 16 08:27:54 2023 +1100 + + crank version + +commit ba7532d0dac9aaf0ad7270664c43837fc9f64a5f +Author: djm@openbsd.org +Date: Wed Mar 15 21:19:57 2023 +0000 + + upstream: openssh-9.3 + + OpenBSD-Commit-ID: 8011495f2449c1029bb316bd015eab2e00509848 + +commit 6fd4daafb949b66bf555f3100f715a9ec64c3390 +Author: dtucker@openbsd.org +Date: Tue Mar 14 07:28:47 2023 +0000 + + upstream: Free KRL ptr in addition to its contents. + + From Coverity CID 291841, ok djm@ + + OpenBSD-Commit-ID: f146ba08b1b43af4e0d7ad8c4dae3748b4fa31b6 + +commit 1d270bd303afaf6d94e9098cbbf18e5e539e2088 +Author: dtucker@openbsd.org +Date: Tue Mar 14 07:26:25 2023 +0000 + + upstream: Check pointer for NULL before deref. + + None of the existing callers seem to do that, but it's worth checking. + From Coverity CID 291834, ok djm@ + + OpenBSD-Commit-ID: a0a97113f192a7cb1a2c97b932f677f573cda7a4 + +commit d95af508e78c0cd3dce56b83853baaa59ae295cf +Author: dtucker@openbsd.org +Date: Sun Mar 12 10:40:39 2023 +0000 + + upstream: Limit number of entries in SSH2_MSG_EXT_INFO + + request. This is already constrained by the maximum SSH packet size but this + makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@ + + OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09 + +commit 8f287ba60d342b3e2f750e7332d2131e3ec7ecd0 +Author: dtucker@openbsd.org +Date: Sun Mar 12 09:41:18 2023 +0000 + + upstream: calloc can return NULL but xcalloc can't. + + From Coverity CID 291881, ok djm@ + + OpenBSD-Commit-ID: 50204b755f66b2ec7ac3cfe379d07d85ca161d2b + +commit 83a56a49fd50f4acf900f934279482e4ef329715 +Author: dtucker@openbsd.org +Date: Fri Mar 10 07:17:08 2023 +0000 + + upstream: Explicitly ignore return from fcntl + + (... FD_CLOEXEC) here too. Coverity CID 291853. + + OpenBSD-Commit-ID: 99d8b3da9d0be1d07ca8dd8e98800a890349e9b5 + +commit 0fda9d704d3bbf54a5e64ce02a6fecb11fe7f047 +Author: Damien Miller +Date: Fri Mar 10 15:59:46 2023 +1100 + + bounds checking for getrrsetbyname() replacement; + + Spotted by Coverity in CID 405033; ok millert@ + +commit 89b8df518f21677045599df0ad3e5dd0f39909b5 +Author: dtucker@openbsd.org +Date: Fri Mar 10 04:06:21 2023 +0000 + + upstream: Plug mem leak on error path. Coverity CID 405026, ok djm@. + + OpenBSD-Commit-ID: 8212ca05d01966fb5e72205c592b2257708a2aac + +commit bf4dae0ad192c3e2f03f7223834b00d88ace3d3e +Author: Darren Tucker +Date: Fri Mar 10 14:46:57 2023 +1100 + + Add prototypes for mkstemp replacements. + + Should prevent warnings due to our wrapper function. + +commit 4e04d68d6a33cdc73b831fd4b5e6124175555d3d +Author: dtucker@openbsd.org +Date: Fri Mar 10 03:01:51 2023 +0000 + + upstream: Expliticly ignore return code from fcntl(.. FD_CLOEXEC) since + + there's not much we can do anyway. From Coverity CID 291857, ok djm@ + + OpenBSD-Commit-ID: 051429dd07af8db3fec10d82cdc78d90bb051729 + +commit d6d38fd77cbe091c59e1bb720c3a494df4990640 +Author: djm@openbsd.org +Date: Fri Mar 10 02:32:04 2023 +0000 + + upstream: Like sshd_config, some ssh_config options are not + + first-match-wins. sshd_config.5 was fixed in r1.348, this is the same for + this file + + OpenBSD-Commit-ID: 7be55b9351cde449b136afcc52d07aa4113b215e + +commit 7187d3f86bf8f2066cc9941f217d23b0cacae25e +Author: dtucker@openbsd.org +Date: Fri Mar 10 02:24:56 2023 +0000 + + upstream: Remove no-op (int) > INT_MAX checks + + since they can never be true. From Coverity CID 405031, ok djm@ + + OpenBSD-Commit-ID: 9df3783b181e056595e2bb9edf7ed41d61cf8e84 + +commit 77adde4305542ebe3005dd456122624fe2347b01 +Author: Darren Tucker +Date: Fri Mar 10 13:27:29 2023 +1100 + + Wrap mkstemp calls with umask set/restore. + + glibc versions 2.06 and earlier did not set a umask on files created by + mkstemp created the world-writable. Wrap mkstemp to set and restore + the umask. From Coverity (CIDs 291826 291886 291891), ok djm@ + +commit 633d3dc2a1e9e2a013d019a0576a0771c8423713 +Author: jcs@openbsd.org +Date: Thu Mar 9 21:06:24 2023 +0000 + + upstream: modify parentheses in conditionals to make it clearer what is + + being assigned and what is being checked + + ok djm dtucker + + OpenBSD-Commit-ID: 19c10baa46ae559474409f75a5cb3d0eade7a9b8 + +commit 733030840c4772f858de95d5940ec0c37663e8b0 +Author: dtucker@openbsd.org +Date: Thu Mar 9 07:11:05 2023 +0000 + + upstream: Re-split the merge of the reorder-hostkeys test. + + In the kex_proposal_populate_entries change I merged the the check for + reordering hostkeys with the actual reordering, but kex_assemble_names + mutates options.hostkeyalgorithms which renders the check ineffective. + Put the check back where it was. Spotted and tested by jsg@, ok djm@ + + OpenBSD-Commit-ID: a7469f25a738db5567395d1881e32479a7ffc9de + +commit 54ac4ab2b53ce9fcb66b8250dee91c070e4167ed +Author: djm@openbsd.org +Date: Thu Mar 9 06:58:26 2023 +0000 + + upstream: include destination constraints for smartcard keys too. + + Spotted by Luci Stanescu; ok deraadt@ markus@ + + OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f + +commit bfd1ad01d974a316b60622759ad17537fa2d92b4 +Author: Darren Tucker +Date: Thu Mar 9 18:24:54 2023 +1100 + + Limit the number of PAM environment variables. + + xcalloc has its own limits, but these are specific to PAM. From + Coverity CID 405198, ok djm@ + +commit a231414970e01a35f45a295d5f93698fa1249b28 +Author: Darren Tucker +Date: Thu Mar 9 18:19:44 2023 +1100 + + Limit the number of PAM environment variables. + + From Coverity CID 405194, tweaks and ok djm@ + +commit 36c6c3eff5e4a669ff414b9daf85f919666e8e03 +Author: dtucker@openbsd.org +Date: Wed Mar 8 06:21:32 2023 +0000 + + upstream: Plug mem leak. Coverity CID 405196, ok djm@ + + OpenBSD-Commit-ID: 175f09349387c292f626da68f65f334faaa085f2 + +commit dfb9b736e1ccf9e6b03eea21cd961f4fd0634c98 +Author: tb@openbsd.org +Date: Wed Mar 8 05:33:53 2023 +0000 + + upstream: ssh-pkcs11: synchronize error messages with errors + + A handful of error messages contained incorrect function names or + otherwise inaccurate descriptions. Fix them to match reality. + + input/ok djm + + OpenBSD-Commit-ID: 165a15db52f75b31e1804b043480c36af09f3411 + +commit 51875897b81b5c21b80c256a29597916edbde454 +Author: guenther@openbsd.org +Date: Wed Mar 8 04:43:12 2023 +0000 + + upstream: Delete obsolete /* ARGSUSED */ lint comments. + + ok miod@ millert@ + + OpenBSD-Commit-ID: 7be168a570264d59e96a7d2d22e927d45fee0e4c + +commit a76085bda883c2104afb33ab0334eca190927362 +Author: Darren Tucker +Date: Wed Mar 8 17:25:37 2023 +1100 + + Extra brackets to prevent warning. + +commit 147ae57d4dfa0508109f93b78a7d8b92819e1f83 +Author: djm@openbsd.org +Date: Wed Mar 8 00:05:58 2023 +0000 + + upstream: use RSA/SHA256 when testing usability of private key in + + agent; with/ok dtucker + + OpenBSD-Commit-ID: fe1382e2fdf23fcae631308e72342bad56066a56 + +commit 27fd251bc906a763e70ce0f27c8abdf8bbd1e416 +Author: djm@openbsd.org +Date: Wed Mar 8 00:05:37 2023 +0000 + + upstream: use RSA/SHA256 when testing usability of private key; + + based on fix in bz3546 by Dmitry Belyavskiy; with/ok dtucker + + OpenBSD-Commit-ID: 0ef414cc363a832f9fab92a5da0234448bce2eba + +commit eee9f3fc3d52ae7d2106929bb06b7f291fb0b81a +Author: djm@openbsd.org +Date: Tue Mar 7 21:47:42 2023 +0000 + + upstream: refactor to be more readable top to bottom. Prompted by + + Coverity CID 405048 which was a false-positive fd leak; ok dtucker@ + + OpenBSD-Commit-ID: fc55ec2af622a017defb9b768bf26faefc792c00 + +commit 42a06b29a4c99272bf690f9b3be520b08b448dc5 +Author: Darren Tucker +Date: Tue Mar 7 18:34:41 2023 +1100 + + Add header changes missed in previous. + +commit 4710077096edff2e6926dd5b15bf586491d317db +Author: dtucker@openbsd.org +Date: Tue Mar 7 06:09:14 2023 +0000 + + upstream: Fix mem leak in environment setup. + + From jjelen at redhat.com via bz#2687, ok djm@ + + OpenBSD-Commit-ID: 9f9e4ba3cac003e6f81da3bcebd1b9ec43e7f353 + +commit 03acc50d0ccb78fc91d1570de1cd0fdfea646028 +Author: dtucker@openbsd.org +Date: Mon Mar 6 12:15:47 2023 +0000 + + upstream: Unit test for kex_proposal_populate_entries. + + OpenBSD-Regress-ID: bdb211d80d572a08bf14b49fe2a58b9ff265c006 + +commit 3f9231c2e1f374ebb08016ba00ea97b47c0ed20b +Author: djm@openbsd.org +Date: Tue Mar 7 05:37:26 2023 +0000 + + upstream: fix memory leak in process_read() path; Spotted by James + + Robinson in GHPR363; ok markus@ + + OpenBSD-Commit-ID: cdc2d98e6478b7e7f3a36976845adae3820429d8 + +commit c5e6e890839ec520ab9301a92cba56303749dea2 +Author: djm@openbsd.org +Date: Tue Mar 7 01:30:52 2023 +0000 + + upstream: correct size for array argument when changing + + UMAC_OUTPUT_LEN Coverity CID 291845; ok dtucker@ + + OpenBSD-Commit-ID: 2eb017d10705bb623d4418691f961c930eafaec0 + +commit 9641753e0fd146204d57b2a4165f552a81afade4 +Author: dtucker@openbsd.org +Date: Mon Mar 6 12:14:48 2023 +0000 + + upstream: Refactor creation of KEX proposal. + + This adds kex_proposal_populate_entries (and corresponding free) which + populates the KEX proposal array with dynamically allocated strings. + This replaces the previous mix of static and dynamic that has been the + source of previous leaks and bugs. Remove unused compat functions. + With & ok djm@. + + OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b + +commit aa59d6a489fb20973fa461d0fdb1110db412947b +Author: dtucker@openbsd.org +Date: Sun Mar 5 09:24:35 2023 +0000 + + upstream: Fix mem and FILE leaks in moduli screening. + + If multiple -Ocheckpoint= options are passed, the earlier ones would + be overwritten and leaked. If we use an input file that wasn't stdin, + close that. From Coverity CIDs 291884 and 291894. + + OpenBSD-Commit-ID: a4d9d15f572926f841788912e2b282485ad09e8b + +commit 23b8cb41767af99a1aac24589d1882d9c8c2c205 +Author: dtucker@openbsd.org +Date: Sun Mar 5 08:18:58 2023 +0000 + + upstream: Plug mem leak in moduli checkpoint option parsing. + + From Coverity CID 291894. + + OpenBSD-Commit-ID: 9b1aba2d049741ae21c8dc4560a7e29ab17310f4 + +commit fc7f8f2188d4a4fc8ba77eddbe863c7665666db5 +Author: dtucker@openbsd.org +Date: Sun Mar 5 05:34:09 2023 +0000 + + upstream: Remove unused compat.h includes. + + We've previously removed a lot of the really old compatibility code, + and with it went the need to include compat.h in most of the files that + have it. + + OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4 + +commit 6c165c36246d8004c20e1df5cec4961a5ac422d6 +Author: dtucker@openbsd.org +Date: Sat Mar 4 03:22:59 2023 +0000 + + upstream: Use time_t for x11 timeout. + + Use time_t instead of u_int for remaining x11 timeout checks for 64bit + time_t safety. From Coverity CIDs 405197 and 405028, ok djm@ + + OpenBSD-Commit-ID: 356685bfa1fc3d81bd95722d3fc47101cc1a4972 + +commit 4a3918f51bd2d968387e7aa87e33b32c78077fb4 +Author: dtucker@openbsd.org +Date: Fri Mar 3 10:23:42 2023 +0000 + + upstream: Ensure ms_remain is always initialized + + similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen + at redhat.com. + + OpenBSD-Commit-ID: a50e0541cf823f8d1c72f71ccde925d3dbe6dfac + +commit e44846a4487d2885ac7f2610be09b1e2bf52249b +Author: dtucker@openbsd.org +Date: Fri Mar 3 09:48:51 2023 +0000 + + upstream: Check for non-NULL before string + + comparison. From jjelen at redhat.com via bz#2687. + + OpenBSD-Commit-ID: 0d9b2e0cac88a311b5766b1aef737082583c285f + +commit 1842d523fae63b862ce8e60725c9b606cddb86a6 +Author: djm@openbsd.org +Date: Fri Mar 3 05:00:34 2023 +0000 + + upstream: guard against getsockname(-1, ...) from Coverity CID + + 291832 + + OpenBSD-Commit-ID: e58d5227327917d189229b7f0b37d2780f360d5f + +commit 78571a5fe9847d40d7f220c92b707574ae9ec4ce +Author: djm@openbsd.org +Date: Fri Mar 3 04:36:20 2023 +0000 + + upstream: some options are not first-match-wins. Mention that there + + are exceptions at the start of the manpage and label some of them in the + option description. + + OpenBSD-Commit-ID: 3b74728446fa6fc8742769eeb8c3674e233e84c4 + +commit d1c1b3272e8895a96c4f5889bd6e07a8525bd9f1 +Author: djm@openbsd.org +Date: Fri Mar 3 04:34:49 2023 +0000 + + upstream: actually print "channeltimeout none" in config dump mode; + + spotted via Coverity CID 405022 + + OpenBSD-Commit-ID: b074b52bf138b75f08264e8da15880b29c7a630f + +commit 8bf61e95610b48192d4e1720cc15d9004617301d +Author: Darren Tucker +Date: Fri Mar 3 14:50:03 2023 +1100 + + Add Coverity badges. + +commit 93291bd723959adf462b1df958106cf07a7734dd +Author: dtucker@openbsd.org +Date: Fri Mar 3 03:12:24 2023 +0000 + + upstream: Check return values of dup2. Spotted by Coverity, ok djm@ + + OpenBSD-Commit-ID: 19fb1b53072826d00c67df677731d2f6c1dd602b + +commit e37261dff33af23f37202cfce0848d36f5c1055c +Author: dtucker@openbsd.org +Date: Fri Mar 3 02:37:58 2023 +0000 + + upstream: Use time_t for x11_refuse_time timeout. We need + + SSH_TIME_T_MAX for this, so move from misc.c to misc.h so it's available. + Fixes a Coverity warning for 64bit time_t safety, ok djm@ + + OpenBSD-Commit-ID: c69c4c3152cdaab953706db4ccf4d5fd682f7d8d + +commit 32755a98c29114b13f4c9d47454bbb265b932ad7 +Author: dtucker@openbsd.org +Date: Fri Mar 3 02:34:29 2023 +0000 + + upstream: Check return value from fctnl and warn on failure. + + Spotted by Coverity, ok djm@ + + OpenBSD-Commit-ID: 2097c7db3cf657f1e3a6c5077041bacc63143cab + +commit 5fc60e8246c36b8255f72a937ebe9787b39648c6 +Author: dtucker@openbsd.org +Date: Thu Mar 2 11:10:27 2023 +0000 + + upstream: Remove SUDO in proxy command wrapper. Anything that needs + + sudo is already run by it, and it breaks if root isn't in sudoers. + + OpenBSD-Regress-ID: 6cf22fda32a89c16915f31a6ed9bbdbef2a3bac9 + +commit 0d514659b23a257247491179cfbb53a6dd64e164 +Author: dtucker@openbsd.org +Date: Thu Mar 2 08:24:41 2023 +0000 + + upstream: Fix breakage on dhgex test. + + This was due to the sshd logs being written to the wrong log file. + While there, make save_debug_logs less verbose, write the name of the + tarball to regress.log and use $SUDO to remove the old symlinks (which + shouldn't be needed, but won't hurt). Initial problem spotted by anton@. + + OpenBSD-Regress-ID: 9c44fb9cd418e6ff31165e7a6c1f9f11a6d19f5b + +commit 860201201d4ae655702807966901682cff30a171 +Author: dtucker@openbsd.org +Date: Thu Mar 2 08:14:52 2023 +0000 + + upstream: Quote grep and log message better. + + OpenBSD-Regress-ID: 3823d9063127169736aa274b1784cb28e15b64d4 + +commit 03a03c6002525f5ad9c8fc874a5d5826a35d9858 +Author: dtucker@openbsd.org +Date: Thu Mar 2 06:41:56 2023 +0000 + + upstream: Always call fclose on checkpoints. + + In the case of an fprintf failure we would not call fclose which would + leak the FILE pointer. While we're there, try to clean up the temp file + on failure. Spotted by Coverity, ok djm@ + + OpenBSD-Commit-ID: 73c7ccc5d4fcc235f54c6b20767a2815408525ef + +commit 13fe8f9785e6d90400ce548939a0b0ddc11fcb3c +Author: dtucker@openbsd.org +Date: Wed Mar 1 21:54:50 2023 +0000 + + upstream: Remove old log symlinks + + before creating new ones. In -portable some platforms don't like + overwriting existing symlinks. + + OpenBSD-Regress-ID: 7e7ddc0beb73e945e1c4c58d51c8a125b518120f + +commit 131fcbcaffd1e3bcf5ab766ec497b5d768955310 +Author: Darren Tucker +Date: Wed Mar 1 23:23:02 2023 +1100 + + Adjust test jobs for new log directory. + +commit a6f4ac8a2baf77e5361cfa017d0dc250d1409bec +Author: dtucker@openbsd.org +Date: Wed Mar 1 09:29:32 2023 +0000 + + upstream: Rework logging for the regression tests. + + Previously we would log to ssh.log and sshd.log, but that is insufficient + for tests that have more than one concurent ssh/sshd. + + Instead, we'll log to separate datestamped files in a $OBJ/log/ and + leave a symlink at the previous location pointing at the most recent + instance with an entry in regress.log showing which files were created + at each point. This should be sufficient to reconstruct what happened + even for tests that use multiple instances of each program. If the test + fails, tar up all of the logs for later analysis. + + This will let us also capture the output from some of the other tools + which was previously sent to /dev/null although most of those will be + in future commits. + + OpenBSD-Regress-ID: f802aa9e7fa51d1a01225c05fb0412d015c33e24 + +commit 8ead62ed5e86c7df597d8604f332f49cd1527b85 +Author: dtucker@openbsd.org +Date: Tue Feb 28 21:31:50 2023 +0000 + + upstream: fatal out if allocating banner string fails to avoid + + potential null deref later in sscanf. Spotted by Coverity, ok deraadt@ + + OpenBSD-Commit-ID: 74e8d228ac00552e96e9e968dfcccf8dd1f46ad5 + +commit 44ca56ba0b3f531f1d85730cc701097cd49e6868 +Author: dtucker@openbsd.org +Date: Tue Feb 28 08:45:24 2023 +0000 + + upstream: Explicitly ignore return from fchmod + + similar to other calls to prevent warning. + + OpenBSD-Commit-ID: fdc5287dcee0860b5a493186414226c655b0eb0a + +commit 803392933a3a6f09f834aa5f0c2aab06a3b382f4 +Author: dtucker@openbsd.org +Date: Mon Feb 27 22:12:40 2023 +0000 + + upstream: Plug mem leak on globbed ls error path. + + Spotted by Coverity, ok deraadt@ + + OpenBSD-Commit-ID: de28476025db29820a9a2e56e98b964d8a02861c + +commit aa33b4d396abf47a2a45f982f28d054fb1dcb5c3 +Author: Darren Tucker +Date: Mon Feb 27 21:04:22 2023 +1100 + + Cast time_t's in debug output to long long. + + Should fix Coverity warning about truncation of 64bit time_t. + +commit b0fd60a9de62a03189ad57d0c07f0ac51dc00e95 +Author: Darren Tucker +Date: Mon Feb 27 17:28:59 2023 +1100 + + Do shadow expiry calcs using "long long". + + Coverity flags these as potentially not 64bit time_t safe so use + long long for the calculations and debug output. ok djm@ + +commit 01dbeb3084d714bbd001ff9d03b9de542e8cdf58 +Author: Damien Miller +Date: Mon Feb 27 17:07:52 2023 +1100 + + avoid clash between for getopt's struct option + + Since we don't use getopt_long() nothing outside the getopt() + implementation itself uses this structure, so move it into the + source to remove it from visibility and clashes with libc's + + ok dtucker@ + +commit eb88d07c43afe407094e7d609248d85a15e148ef +Author: Darren Tucker +Date: Sat Feb 25 14:45:41 2023 +1100 + + Revert explicit chmods on private keys. + + This should no longer be needed on Cygwin test runners due to previous + commit. + +commit 52b75db61030a6c8baf66b73644380cf3f58e26a +Author: Darren Tucker +Date: Sat Feb 25 14:43:28 2023 +1100 + + Remove extended ACLs from working dirs. + + This should allow umask to work as expected and prevent tests from + failing due to excessive permissions on private keys. + +commit 0c5d4c843df5605b043a758d69f9a611ef63c479 +Author: Darren Tucker +Date: Fri Feb 24 13:44:13 2023 +1100 + + Explicitly set permissions on user and host keys. + + On cygwin, the umask might not be sufficient. Should fix tests on + Github runners. + +commit 6c9fc9d7a9f7abf82c3294d74e6d4a25735862ce +Author: djm@openbsd.org +Date: Wed Feb 22 03:56:43 2023 +0000 + + upstream: fix progressmeter corruption on wide displays; bz3534 + + feedback/ok dtucker@ + + OpenBSD-Commit-ID: f4affee067cec7c182f3e0b307d758e0472762a3 + +commit fe0bd3cde9665d364e5eedd2c2c2e60d4cdc3786 +Author: dtucker@openbsd.org +Date: Tue Feb 21 06:48:18 2023 +0000 + + upstream: fseek to end of known_hosts before writing to it. + + POSIX and ANSI C require that applications call fseek or similar between + read and writing to a RW file. OpenBSD doesn't enforce this, but some + (System V derived) platforms need this to prevent it from writing a + spurious extra byte (in this case, a newline). ok djm@ deraadt@ + + OpenBSD-Commit-ID: 33e680dcd8110582a93a40a8491024e961f45137 + +commit 357fb8ae14c07cd025eeed66e73de91bab569849 +Author: Darren Tucker +Date: Tue Feb 21 17:51:09 2023 +1100 + + Also run unit tests on AIX VMs. + + In the past these tests took too long, but these days it only adds + about 5 min to the run. + +commit 17781aaa5188ee1477f7779b280d105512e3dbed +Author: Darren Tucker +Date: Tue Feb 21 17:38:55 2023 +1100 + + Wrap stdint.h inside ifdef. + +commit ef798bad38505f7bf1b5fa5c0843dfc5a2b192b9 +Author: Mayank Sharma +Date: Mon Feb 20 17:37:15 2023 +0530 + + Add includes to ptimeout test. + + Fixes test failures on AIX due to type mismatches. + +commit ab69dda05d5268454209f529fa80f477e60d846a +Author: Darren Tucker +Date: Mon Feb 20 18:24:39 2023 +1100 + + Always use the openssl binary configure tells us. + + This fixes tests on platforms that do not have the openssl tool + installed at all. + +commit 2a7e3449908571af601a4c2d12ab140096442e47 +Author: dtucker@openbsd.org +Date: Fri Feb 17 04:22:50 2023 +0000 + + upstream: Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code + + to set this was removed in OpenSSH 7.7 when support for SSH implementations + dating back to before RFC standardization were removed. "burn it all" djm@ + + OpenBSD-Commit-ID: 6330935fbe23dd00be79891505e06d1ffdac7cda + +commit 0833ccf2c8b7ae08b296c06f17bd53e3ab94b0b0 +Author: dtucker@openbsd.org +Date: Fri Feb 17 03:06:18 2023 +0000 + + upstream: Remove now-unused compat bit SSH_BUG_BIGENDIANAES. This + + was previously set for OpenSSH 2.3 (released in 2000) but this check was + removed in OpenSSH 7.7 (2018). ok djm@ deraadt@ + + OpenBSD-Commit-ID: 326426ea328707fc9e83305291ab135c87f678af + +commit c81c2bea6e828d52b62b448b4ffdd3c163177975 +Author: Damien Miller +Date: Fri Feb 17 10:12:40 2023 +1100 + + whitespace fixes + +commit 500f90b39db5f0014e6b0c49ff1f45c994b69293 +Author: Damien Miller +Date: Fri Feb 17 10:02:08 2023 +1100 + + whitespace at EOL + +commit 68350152406339170721c15e97afdf827a5e4001 +Author: dtucker@openbsd.org +Date: Thu Feb 16 10:10:00 2023 +0000 + + upstream: Remove SSH_BUG_PASSWORDPAD compat bit + + since it's no longer used. ok markus@ + + OpenBSD-Commit-ID: b92c21f56fe4b7f9a54790d6a9650725c226820b + +commit 537cccd804eaf65f32bdce037cc31db4e0ab0f44 +Author: dtucker@openbsd.org +Date: Thu Feb 16 07:55:15 2023 +0000 + + upstream: Remove SSH_BUG_IGNOREMSG compat flag + + since it's only applicable to SSH1 and thus no longer used. ok markus@ + "kill it with fire" djm@ + + OpenBSD-Commit-ID: ea13318b1937795d9db4790d3ce0a6ed01584dab + +commit 285cf6cd4b91a0a0ce33193c358c99085af33e43 +Author: jmc@openbsd.org +Date: Fri Feb 10 06:41:53 2023 +0000 + + upstream: space between macro and punctuation; sort usage(); + + OpenBSD-Commit-ID: 6141610cfca037700730e41f868d1d9124958f8c + +commit d39a96f70f81878c77336ed35f5c648c1804b71a +Author: jmc@openbsd.org +Date: Fri Feb 10 06:40:48 2023 +0000 + + upstream: space between macro and punctuation; + + OpenBSD-Commit-ID: abc95e550be9e6d9a7ff64b65c104c7be21ab19e + +commit 16e82bf53fc34e43e3b948d43b68d5b27a7335e6 +Author: jmc@openbsd.org +Date: Fri Feb 10 06:39:27 2023 +0000 + + upstream: sort SYNOPSIS; + + OpenBSD-Commit-ID: dacd9da33277d5669a51213d880632599c890c1e + +commit d9685121ff6d57b8797411f3cb123884a4b96e30 +Author: Darren Tucker +Date: Sat Feb 11 12:32:19 2023 +1100 + + Improve seccomp compat on older systems. + + Check if flags to mmap and madvise are defined before using them. + Should fix problems building on older Linux systems that don't have + these. bz#3537, with & ok djm@. + +commit 6180b0fa4f7996687678702806257e661fd5931e +Author: djm@openbsd.org +Date: Fri Feb 10 05:06:03 2023 +0000 + + upstream: test -Ohashalg=... and that the default output contains both + + specified hash algorithms; prompted by dtucker@ + + OpenBSD-Regress-ID: 26f309208c8d8b8fa9c5f419767b85f1e9b22f51 + +commit d651f5c9fe37e61491eee46c49ba9fa03dbc0e6a +Author: djm@openbsd.org +Date: Fri Feb 10 04:56:30 2023 +0000 + + upstream: let ssh-keygen and ssh-keyscan accept + + -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm + selection. bz3493 ok dtucker@ + + OpenBSD-Commit-ID: e6e07fe21318a873bd877f333e189eb963a11b3d + +commit 18938d11a90b74d63c20b2d3c965d5bd64786ab1 +Author: djm@openbsd.org +Date: Fri Feb 10 04:47:19 2023 +0000 + + upstream: add a `sshd -G` option that parses and prints the + + effective configuration without attempting to load private keys and perform + other checks. This allows usage of the option before keys have been + generated. + + bz3460 feedback/ok dtucker@ + + OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29 + +commit df7d3dbf7194db8e97730ee0425d4d9d7bdb8b10 +Author: djm@openbsd.org +Date: Fri Feb 10 04:40:28 2023 +0000 + + upstream: make `ssh -Q CASignatureAlgorithms` work as the manpage says + + it should bz3532 + + OpenBSD-Commit-ID: 0ddb17b3fcbd99bfb5baea4ac5e449620cbd3adc + +commit d3b8d4198b6595f23b5859d43dc8fc701f97429b +Author: Darren Tucker +Date: Fri Feb 10 14:26:44 2023 +1100 + + Add CentOS 7 test targets. + +commit 22efb01e355bba4755b730ed417f91c081445bfc +Author: dtucker@openbsd.org +Date: Thu Feb 9 09:55:33 2023 +0000 + + upstream: Test adding terminating newline to known_hosts. + + OpenBSD-Regress-ID: 5fc3010ac450195b3fbdeb68e875564968800365 + +commit caec6da1a583ed8c32c6ad3b81bbcaab46ac8b61 +Author: dtucker@openbsd.org +Date: Wed Feb 8 08:06:03 2023 +0000 + + upstream: ssh-agent doesn't actually take -v, + + so the recently-added ones will result in the test not cleaning up + after itself. Patch from cjwatson at debian.org vi bz#3536. + + OpenBSD-Regress-ID: 1fc8283568f5bf2f918517c2c1e778072cf61b1a + +commit 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 +Author: dtucker@openbsd.org +Date: Thu Feb 9 09:54:11 2023 +0000 + + upstream: Ensure that there is a terminating newline when adding a new + + entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@ + markus@ + + OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0 + +commit 95b6bbd2553547260b324b39d602061c88b774bc +Author: Darren Tucker +Date: Tue Feb 7 08:43:47 2023 +1100 + + Replace 9.1 with 9.2 on CI status page. + +commit 195313dfe10a23c82e9d56d5fdd2f59beee1bdcf +Author: Damien Miller +Date: Fri Feb 3 16:33:09 2023 +1100 + + harden Linux seccomp sandbox + + Linux mmap(2) and madvise(2) syscalls support quite a number of funky + flags that we don't expect that sshd/libc will ever need. We can + exclude this kernel attack surface by filtering the mmap(2) flags + and the madvise(2) advice arguments. + + Similarly, the sandboxed process in sshd is a single-threaded program + that does not use shared memory for synchronisation or communication. + Therefore, there should be no reason for the advanced priority + inheritance futex(2) operations to be necessary. These can also be + excluded. + + Motivated by Jann Horn pointing out that there have been kernel bugs + in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and + CVE-2022-42703. + + Feedback Jann Horn, ok dtucker@ + commit 6dfb65de949cdd0a5d198edee9a118f265924f33 Author: Damien Miller Date: Thu Feb 2 23:21:54 2023 +1100 @@ -10368,829 +11236,3 @@ Date: Tue Mar 16 06:15:43 2021 +0000 upstream: don't let logging clobber errno before use OpenBSD-Commit-ID: ce6cca370005c270c277c51c111bb6911e1680ec - -commit 5ca8a9216559349c56e09039c4335636fd85c241 -Author: Darren Tucker -Date: Sat Mar 13 14:40:43 2021 +1100 - - Only call dh_set_moduli_file if using OpenSSL. - - Fixes link failure when configuring --without-openssl since dh.c is not - linked in. - -commit 867a7dcf003c51d5a83f83565771a35f0d9530ac -Author: Darren Tucker -Date: Sat Mar 13 13:52:53 2021 +1100 - - Don't install moduli during tests. - - Now that we have TEST_SSH_MODULI_FILE pointing to the moduli in the - soure directory we don't need to install the file to prevent warnings - about it being missing. - -commit 0c054538fccf92b4a028008321d3711107bee6d5 -Author: Darren Tucker -Date: Sat Mar 13 13:51:26 2021 +1100 - - Point TEST_SSH_MODULI_FILE at our own moduli. - - This will allow the test to run without requiring a moduli file - installed at the configured default path. - -commit 4d48219c72ab0c71238806f057f0e9630b7dd25c -Author: jsg@openbsd.org -Date: Fri Mar 12 05:18:01 2021 +0000 - - upstream: spelling - - OpenBSD-Commit-ID: 478bc3db04f62f1048ed6e1765400f3ab325e60f - -commit 88057eb6df912abf2678ea5c846d9d9cbc92752c -Author: dtucker@openbsd.org -Date: Fri Mar 12 04:08:19 2021 +0000 - - upstream: Add ModuliFile keyword to sshd_config to specify the - - location of the "moduli" file containing the groups for DH-GEX. This will - allow us to run tests against arbitrary moduli files without having to - install them. ok djm@ - - OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66 - -commit f07519a2af96109325b5a48b1af18b57601074ca -Author: djm@openbsd.org -Date: Fri Mar 12 03:43:40 2021 +0000 - - upstream: pwcopy() struct passwd that we're going to reuse across a - - bunch of library calls; bz3273 ok dtucker@ - - OpenBSD-Commit-ID: b6eafa977b2e44607b1b121f5de855107809b762 - -commit 69d6d4b0c8a88d3d1288415605f36e2df61a2f12 -Author: dtucker@openbsd.org -Date: Wed Mar 10 06:32:27 2021 +0000 - - upstream: Import regenerated moduli file. - - OpenBSD-Commit-ID: 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b - -commit e5895e8ecfac65086ea6b34d0d168409a66a15e1 -Author: djm@openbsd.org -Date: Wed Mar 10 04:58:45 2021 +0000 - - upstream: no need to reset buffer after send_msg() as that is done - - for us; patch from Mike Frysinger - - OpenBSD-Commit-ID: 565516495ff8362a38231e0f1a087b8ae66da59c - -commit 721948e67488767df0fa0db71ff2578ee2bb9210 -Author: dtucker@openbsd.org -Date: Sat Mar 13 01:52:16 2021 +0000 - - upstream: Add TEST_SSH_MODULI_FILE variable to allow overriding of the - - moduli file used during the test run. - - OpenBSD-Regress-ID: be10f785263120edb64fc87db0e0d6570a10220a - -commit 82fef71e20ffef425b932bec26f5bc46aa1ed41c -Author: Darren Tucker -Date: Fri Mar 12 15:58:57 2021 +1100 - - Allow (but return EACCES) fstatat64 in sandbox. - - This is apparently used in some configurations of OpenSSL when glibc - has getrandom(). bz#3276, patch from Kris Karas, ok djm@ - -commit 1cd67ee15ce3d192ab51be22bc4872a6a7a4b6d9 -Author: Darren Tucker -Date: Fri Mar 12 13:16:10 2021 +1100 - - Move generic includes outside of ifdef. - - This ensures that the macros in log.h are defined in the case where - either of --with-solaris-projects or --with-solaris-privs are used - without --with-solaris-contracts. bz#3278. - -commit 2421a567a8862fe5102a4e7d60003ebffd1313dd -Author: Darren Tucker -Date: Wed Mar 10 17:41:21 2021 +1100 - - Import regenerated moduli file. - -commit e99080c05d9d48dbbdb022538533d53ae1bd567d -Author: millert@openbsd.org -Date: Sat Mar 6 20:36:31 2021 +0000 - - upstream: Fix PRINT macro, the suffix param to sshlog() was missing. - - Also remove redundant __func__ prefix from PRINT calls as the macro already - adds __FILE__, __func__ and __LINE__. From Christos Zoulas. OK dtucker@ - - OpenBSD-Commit-ID: 01fdfa9c5541151b5461d9d7d6ca186a3413d949 - -commit 160db17fc678ceb5e3fd4a7e006cc73866f484aa -Author: djm@openbsd.org -Date: Wed Mar 3 22:41:49 2021 +0000 - - upstream: don't sshbuf_get_u32() into an enum; reported by goetze - - AT dovetail.com via bz3269 - - OpenBSD-Commit-ID: 99a30a8f1df9bd72be54e21eee5c56a0f050921a - -commit cffd033817a5aa388764b6661855dcdaabab0588 -Author: sthen@openbsd.org -Date: Wed Mar 3 21:40:16 2021 +0000 - - upstream: typo in other_hostkeys_message() display output, ok djm - - OpenBSD-Commit-ID: 276f58afc97b6f5826e0be58380b737603dbf5f5 - -commit 7fe141b96b13bd7dc67ca985e14d55b9bd8a03fd -Author: djm@openbsd.org -Date: Wed Mar 3 08:42:52 2021 +0000 - - upstream: needs FILE*; from Mike Frysinger - - OpenBSD-Commit-ID: dddb3aa9cb5792eeeaa37a1af67b5a3f25ded41d - -commit d2afd717e62d76bb41ab5f3ab4ce6f885c8edc98 -Author: Damien Miller -Date: Tue Mar 2 21:31:47 2021 +1100 - - update depend - -commit f0c4eddf7cf224ebcac1f07ac8afdb30c6e9fe0a -Author: Damien Miller -Date: Tue Mar 2 21:30:14 2021 +1100 - - update relnotes URL - -commit 67a8bb7fe62a381634db4c261720092e7d514a3d -Author: Damien Miller -Date: Tue Mar 2 21:29:54 2021 +1100 - - update RPM spec version numbers - -commit 0a4b23b11b9a4e6eec332dd5c6ab2ac6f62aa164 -Author: djm@openbsd.org -Date: Tue Mar 2 01:48:18 2021 +0000 - - upstream: openssh-8.5 - - OpenBSD-Commit-ID: 185e85d60fe042b8f8fa1ef29d4ef637bdf397d6 - -commit de3866383b6720ad4cad83be76fe4c8aa111a249 -Author: Darren Tucker -Date: Mon Mar 1 21:13:24 2021 +1100 - - Only upload config logs if configure fails. - -commit 85ff2a564ce838f8690050081176c1de1fb33116 -Author: dtucker@openbsd.org -Date: Sun Feb 28 22:56:30 2021 +0000 - - upstream: Add %k to list of keywords. From - - =?UTF-8?q?=20Eero=20H=C3=A4kkinenvia=20bz#3267?= - MIME-Version: 1.0 - Content-Type: text/plain; charset=UTF-8 - Content-Transfer-Encoding: 8bit - - OpenBSD-Commit-ID: 9c87f39a048cee2a7d1c8bab951b2f716256865e - -commit e774bac35933e71f924f4301786e7fb5bbe1422f -Author: dtucker@openbsd.org -Date: Sun Feb 28 01:50:47 2021 +0000 - - upstream: Do not try to reset signal handler for signal 0 in - - subprocess. Prevents spurious debug message. ok djm@ - - OpenBSD-Commit-ID: 7f9785e292dcf304457566ad4637effd27ad1d46 - -commit 351c5dbbd74ce300c4f058112f9731c867c6e225 -Author: djm@openbsd.org -Date: Sat Feb 27 23:42:37 2021 +0000 - - upstream: fix alphabetic ordering of options; spotted by Iain Morgan - - OpenBSD-Commit-ID: f955fec617d74af0feb5b275831a9fee813d7ad5 - -commit 0d1c9dbe578597f8d45d3ac7690df10d32d743e5 -Author: Darren Tucker -Date: Sat Feb 27 12:25:25 2021 +1100 - - zlib is now optional. - -commit b7c6ee7b437d9adfd19ef49d6c0f19f13f26f9b3 -Author: Jeffrey H. Johnson <61629094+johnsonjh@users.noreply.github.com> -Date: Sat Feb 27 01:04:58 2021 +0000 - - Fix punctuatio and typo in README.md. - - Some very minor fixes, missing 's' and punctuation. - -commit 6248b86074804983e8f7a2058856a516dbfe2924 -Author: Damien Miller -Date: Fri Feb 26 16:45:50 2021 +1100 - - Revert "ssh: optional bind interface if bind address specified." - - This reverts commit 5a878a71a3528c2626aa1d331934fd964782d41c. - - Apologies - I accidentally pushed this. - -commit 493339a940b13be6071629c3c2dd5a3b6fc17023 -Author: Damien Miller -Date: Fri Feb 26 15:45:38 2021 +1100 - - detech BSD libc hash functions in libbsd / libmd - - Some Linux distributions are shipping the BSD-style hashing functions - (e.g. SHA256Update) in libbsd and/or libmd. Detect this situation to - avoid header/replacement clashes later. ok dtucker@ - -commit 5a878a71a3528c2626aa1d331934fd964782d41c -Author: Dmitrii Turlupov -Date: Thu Feb 4 16:27:31 2021 +0300 - - ssh: optional bind interface if bind address specified. - - Allows the -b and -B options to be used together. - For example, when the interface is in the VRF. - -commit 1fe4d70df94d3bcc2b35fd57cad6b5fc4b2d7b16 -Author: djm@openbsd.org -Date: Fri Feb 26 04:18:42 2021 +0000 - - upstream: remove this KEX fuzzer; it's awkward to use and doesn't play - - nice with popular fuzzing drivers like libfuzzer. AFAIK nobody has used it - but me. - - OpenBSD-Regress-ID: cad919522b3ce90c147c95abaf81b0492ac296c9 - -commit 24a3a67bd7421740d08803b84bd784e764107928 -Author: Darren Tucker -Date: Fri Feb 26 11:49:19 2021 +1100 - - Remove macos-11.00 PAM test target too. - - These are failing apparently due to some kind of infrastructure problem, - making it look like every commit is busted. - -commit 473201783f732ca8b0ec528b56aa55fa0d8cf717 -Author: djm@openbsd.org -Date: Fri Feb 26 00:16:58 2021 +0000 - - upstream: a bit more debugging behind #ifdef DEBUG_SK - - OpenBSD-Commit-ID: d9fbce14945721061cb322f0084c2165d33d1993 - -commit fd9fa76a344118fe1ef10b9a6c9e85d39599e9a8 -Author: Darren Tucker -Date: Fri Feb 26 01:15:10 2021 +1100 - - Remove macos-11.0 from the test target list. - - It has been consistently failing for the past few days with a github - actions internal error. - -commit 476ac8e9d33dbf96ef97aab812b8d7089d0cdc24 -Author: Philip Hands -Date: Wed Feb 24 23:43:16 2021 +0100 - - tidy the $INSTALLKEY_SH code layout a little - - SSH-Copy-ID-Upstream: 78178aa5017222773e4c23d9001391eeaeca8983 - -commit 983e05ef3b81329d76d6a802b39ad0d1f637c06c -Author: Jakub Jelen -Date: Tue Sep 29 10:02:45 2020 +0000 - - if unable to add a missing newline, fail - - SSH-Copy-ID-Upstream: 76b25e18f55499ea9edb4c4d6dc4a80bebc36d95 - -commit 3594b3b015f6014591da88ba71bf6ff010be7411 -Author: Philip Hands -Date: Tue Oct 13 14:12:58 2020 +0200 - - use $AUTH_KEY_DIR, now that we have it - - since that was a change made since jjelen's commit was written - - also, quote the variables - - SSH-Copy-ID-Upstream: 588cd8e5cbf95f3443d92b9ab27c5d73ceaf6616 - -commit 333e25f7bc43cee6e36f766e39dad6f9918b318c -Author: Jakub Jelen -Date: Tue Sep 29 10:00:01 2020 +0000 - - restorecon the correct directory - - if using different path for authorized_keys file - - SSH-Copy-ID-Upstream: 791a3df47b48412c726bff6f7b1d190721e65d51 - -commit 9beeab8a37a49a9e3ffb1972fff6621ee5bd7a71 -Author: djm@openbsd.org -Date: Thu Feb 25 03:27:34 2021 +0000 - - upstream: s/PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms/ - - OpenBSD-Regress-ID: 3dbc005fa29f69dc23d97e433b6dffed6fe7cb69 - -commit 2dd9870c16ddbd83740adeead5030d6840288c8f -Author: dtucker@openbsd.org -Date: Wed Feb 24 23:12:35 2021 +0000 - - upstream: Rename pubkeyacceptedkeytypes to pubkeyacceptedalgorithms in - - test to match change to config-dump output. - - OpenBSD-Regress-ID: 74c9a4ad50306be873d032819d5e55c24eb74d5d - -commit b9225c3a1c3f5827e31d5d64a71b8e0504a25619 -Author: dtucker@openbsd.org -Date: Wed Feb 24 01:18:08 2021 +0000 - - upstream: Put obsolete aliases for hostbasedalgorithms and - - pubkeyacceptedalgorithms after their current names so that the config-dump - mode finds and uses the current names. Spotted by Phil Pennock. - - OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15 - -commit 8b8b60542d6652b2c91e0ef9e9cc81bcb65e6b42 -Author: djm@openbsd.org -Date: Tue Feb 23 21:55:08 2021 +0000 - - upstream: lots more s/key types/signature algorithms/ mostly in - - HostbasedAcceptedAlgorithms and HostKeyAlgorithms; prompted by Jakub Jelen - - OpenBSD-Commit-ID: 3f719de4385b1a89e4323b2549c66aae050129cb - -commit 0aeb508aaabc4818970c90831e3d21843c3c6d09 -Author: djm@openbsd.org -Date: Tue Feb 23 21:50:18 2021 +0000 - - upstream: Correct reference to signature algorithms as keys; from - - Jakub Jelen - - OpenBSD-Commit-ID: 36f7ecee86fc811aa0f8e21e7a872eee044b4be5 - -commit f186a020f2ba5f9c462a23293750e29ba0a746b1 -Author: Darren Tucker -Date: Tue Feb 23 16:05:22 2021 +1100 - - Add a couple more test VMs. - -commit ffcdd3d90e74176b3bb22937ad1f65a6c1cd3f9d -Author: Darren Tucker -Date: Mon Feb 22 08:09:27 2021 +1100 - - Valgrind test: split and move up list. - - Since the valgrind test takes so long it approaches the limit allowed by - github, move it to the head of the list so it's the first one started and - split the longest tests out into a second instance that runs concurrently - with the first. - -commit c3b1636770785cc2830dedd0f22ef7d3d3491d6d -Author: djm@openbsd.org -Date: Tue Feb 23 00:05:31 2021 +0000 - - upstream: warn when the user specifies a ForwardAgent path that does - - not exist and exit if ExitOnForwardFailure is set; bz3264 - - OpenBSD-Commit-ID: 72f7875865e723e464c71bf8692e83110699bf26 - -commit 5fcb0514949d61aadaf4a89cf16eb78fb47491ec -Author: Darren Tucker -Date: Sat Feb 20 13:34:02 2021 +1100 - - Disable rlimit sandbox, doesn't work with valgrind - - Only run regress tests, runing unit tests as well makes it run longer - than allowed y github. - -commit bb0b9bf45396c19486080d3eb0a159f94de7e6ba -Author: Darren Tucker -Date: Sat Feb 20 13:06:25 2021 +1100 - - Upload valgrind logs on failure. - -commit ebb3b75e974cb241c6b9b9f5881b09c7bd32b651 -Author: Darren Tucker -Date: Fri Feb 19 22:18:50 2021 +1100 - - Rename "vm" to "os" in selfhosted to match c-cpp. - - Should make it easier to share code or maybe merge at some point. - -commit 76c0be0fe0465cb2b975dbd409f8d38b55e55bcb -Author: Darren Tucker -Date: Fri Feb 19 22:15:22 2021 +1100 - - Upload regress failure logs in c-cpp too. - -commit 8751b6c3136f5225c40f41bbf29aa29e15795f6e -Author: Darren Tucker -Date: Fri Feb 19 22:13:36 2021 +1100 - - Comment out Solaris 64bit PAM build... - - until I can figure out why it's failing. - -commit e9f6d563c06886b277c6b9abafa99fa80726dc48 -Author: Darren Tucker -Date: Fri Feb 19 10:20:17 2021 +1100 - - Actually run Valgrind tests. - -commit 41d232e226624f1a81c17091c36b44c9010aae62 -Author: Darren Tucker -Date: Fri Feb 19 10:16:56 2021 +1100 - - Add test against Valgrind. - -commit e6528d91f12fba05f0ea64224091c9d0f38bdf1d -Author: Darren Tucker -Date: Thu Feb 18 16:30:01 2021 +1100 - - Add fbsd12 test target. - -commit 6506cb2798d98ff03a7cc06567c392a81f540680 -Author: Darren Tucker -Date: Thu Feb 18 15:21:13 2021 +1100 - - Remove unused arg. - -commit 93c31a623973b0fad508214593aab6ca94b11dcb -Author: Darren Tucker -Date: Thu Feb 18 14:54:07 2021 +1100 - - Add DEBUG_SK to kitchensink builds. - -commit 65085740d3574eeb3289d592f042df62c2689bb0 -Author: Darren Tucker -Date: Thu Feb 18 14:53:14 2021 +1100 - - Add bbone test target (arm32). - -commit 63238f5aed66148b8d6ca7bd5fb347d624200155 -Author: djm@openbsd.org -Date: Thu Feb 18 02:49:35 2021 +0000 - - upstream: Fix the hostkeys rotation extension documentation - - The documentation was lacking the needed want-reply field in the initial - global request. - - https://github.com/openssh/openssh-portable/pull/218 by dbussink - - OpenBSD-Commit-ID: 051824fd78edf6d647a0b9ac011bf88e28775054 - -commit 34c5ef6e2d06d9f0e20cb04a9aebf67a6f96609a -Author: djm@openbsd.org -Date: Thu Feb 18 02:15:07 2021 +0000 - - upstream: make names in function prototypes match those in - - definition from https://github.com/openssh/openssh-portable/pull/225 by - ZenithalHourlyRate - - OpenBSD-Commit-ID: 7c736307bf3f2c7cb24d6f82f244eee959485acd - -commit 88e3d4de31ab4f14cac658e9e0c512043b15b146 -Author: djm@openbsd.org -Date: Thu Feb 18 02:13:58 2021 +0000 - - upstream: unbreak SK_DEBUG builds - - from https://github.com/openssh/openssh-portable/pull/225 by - ZenithalHourlyRate - - OpenBSD-Commit-ID: 28d7259ce1b04d025411464decfa2f1a097b43eb - -commit 788cbc5b74a53956ba9fff11e1ca506271a3597f -Author: djm@openbsd.org -Date: Thu Feb 18 00:30:17 2021 +0000 - - upstream: sftp-server: implement limits@openssh.com extension - - This is a simple extension that allows the server to clearly - communicate transfer limits it is imposing so the client doesn't - have to guess, or force the user to manually tune. This is - particularly useful when an attempt to use too large of a value - causes the server to abort the connection. - - Patch from Mike Frysinger; ok dtucker@ - - OpenBSD-Commit-ID: f96293221e5aa24102d9bf30e4f4ef04d5f4fb51 - -commit 324449a68d510720d0e4dfcc8e9e5a702fe6a48f -Author: Damien Miller -Date: Thu Feb 18 12:06:25 2021 +1100 - - support OpenSSL 3.x cipher IV API change - - OpenSSL renamed the "get current CIPHER_CTX" IV operation in 3.x. - This uses the new name if available. - - https://github.com/openssl/openssl/issues/13411 - - bz#3238 ok dtucker@ - -commit 845fe9811c047063d935eca89188ed55c993626b -Author: Damien Miller -Date: Thu Feb 18 11:25:38 2021 +1100 - - prefer login_getpwclass() to login_getclass() - - FreeBSD has login_getpwclass() that does some special magic for - UID=0. Prefer this to login_getclass() as its easier to emulate - the former with the latter. - - Based on FreeBSD PR 37416 via Ed Maste; ok dtucker@ - -commit d0763c8d566119cce84d9806e419badf20444b02 -Author: Darren Tucker -Date: Thu Feb 18 10:45:27 2021 +1100 - - Fixing quoting for installing moduli on target guest. - -commit b3afc243bc820f323a09e3218e9ec8a30a3c1933 -Author: Darren Tucker -Date: Thu Feb 18 10:27:16 2021 +1100 - - Install moduli on target not host. - -commit f060c2bc85d59d111fa18a12eb3872ee4b9f7e97 -Author: Damien Miller -Date: Thu Feb 18 10:33:58 2021 +1100 - - don't free string returned by login_getcapstr(3) - - OpenBSD and NetBSD require the caller to free strings returned - bu the login_* functions, but FreeBSD requires that callers don't. - - Fortunately in this case, we can harmlessly leak as the process is - about to exec the shell/command. - - From https://reviews.freebsd.org/D28617 via Ed Maste; ok dtucker@ - -commit bc9b0c25703215501da28aa7a6539f96c0fa656f -Author: Darren Tucker -Date: Thu Feb 18 10:10:00 2021 +1100 - - Skip unit tests on sol11 to speed things up. - -commit 161873035c12cc22211fc73d07170ade47746bc5 -Author: Darren Tucker -Date: Thu Feb 18 10:09:27 2021 +1100 - - Remove SKIP_UNIT as it needs to be a make arg. - -commit 1c293868e4b4e8e74e3ea15b8dff90f6b089967a -Author: Darren Tucker -Date: Thu Feb 18 10:05:03 2021 +1100 - - Always intall moduli. - - Allows us to run tests without falling back to a fixed modulus. Ensure that - the directory exists. - -commit 5c8f41ad100601ec2fdcbccdfe92890c31f81bbe -Author: Darren Tucker -Date: Thu Feb 18 09:59:09 2021 +1100 - - Quote SSHD_CONFOPTS in case it contains spaces. - -commit 4653116c1f5384ea7006e6396d9b53c33d218975 -Author: Darren Tucker -Date: Thu Feb 18 09:51:18 2021 +1100 - - Fix labels on targets (dots vs underscores). - -commit 4512047f57ca3c6e8cd68f0cc69be59e98b25287 -Author: Darren Tucker -Date: Wed Feb 17 21:47:48 2021 +1100 - - More compact representation of config matrix. - -commit 0406cd09f05c2e419b113dd4c0eac8bc34ec915b -Author: Darren Tucker -Date: Wed Feb 17 21:19:18 2021 +1100 - - Skip unit tests on hosted VMs to speed things up. - -commit 4582612e6147d766c336198c498740242fb8f1ec -Author: Darren Tucker -Date: Wed Feb 17 20:21:29 2021 +1100 - - Merge macos and ubuntu tests. - -commit 09f4b84654b71099559492e9aed5e1a38bf24815 -Author: Darren Tucker -Date: Wed Feb 17 18:41:30 2021 +1100 - - Convert most github hosted tests to new config structure. - -commit 65380ff7e054be1454e5ab4fd7bb9c66f8fcbaa9 -Author: Darren Tucker -Date: Wed Feb 17 18:27:36 2021 +1100 - - Only run selfhosted tests from selfhosted repo. - -commit f031366535650b88248ed7dbf23033afdf466240 -Author: Darren Tucker -Date: Fri Jan 15 14:11:43 2021 +1100 - - Add self-hosted runners for VMs of other platforms. - - Github only hosts a limited number of platforms, and the runner code - is only supported on slightly wider range of platforms. To increase - our test coverage beyond that, we run the runner natively on a VM host, - where it runs a jobs that boot VMs of other platforms, waits for them - to come up then runs the build and test by ssh'ing into the guest. - This means that the minimum dependencies for the guests are quite low - (basically just sshd, a compiler and make). - - The interface to the VM host is fairly simple (basically 3 scripts: - vmstartup, vmrun and vmshutdown), but those are specific to the VM host - so are not in the public repo. We also mount the working directory on the - host via sshfs, so things like artifact upload by the runner also work. - - As part of this we are moving the per-test-target configs into a single - place (.github/configs) where there will be referenced by a single short - "config" key. I plan to make the github-hosted runners use this too. - - The self-hosted runners are run off a private repo on github since that - prevents third parties from accessing them[0], and since runner quota is - limited on private repos, we avoid running the tests we run on the public - repo. - - [0] https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories - -commit 64bbd7444d658ef7ee14a7ea5ccc7f5810279ee7 -Author: dtucker@openbsd.org -Date: Wed Feb 17 03:59:00 2021 +0000 - - upstream: Make sure puttygen is new enough to successfully run the - - PuTTY interop tests, otherwise skip them. - - OpenBSD-Regress-ID: 34565bb50b8aec58331ed02a5e9e0a9a929bef51 - -commit da0a9afcc446a30ca49dd216612c41ac3cb1f2d4 -Author: markus@openbsd.org -Date: Mon Feb 15 20:43:15 2021 +0000 - - upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding - - with SOCKS ok djm@, dtucker@ - - OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c - -commit b696858a7f9db72a83d02cb6edaca4b30a91b386 -Author: markus@openbsd.org -Date: Mon Feb 15 20:36:35 2021 +0000 - - upstream: factor out opt_array_append; ok djm@ - - OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a - -commit ad74fc127cc45567e170e8c6dfa2cfd9767324ec -Author: dlg@openbsd.org -Date: Mon Feb 15 11:09:22 2021 +0000 - - upstream: ProxyJump takes "none" to disable processing like - - ProxyCommand does - - ok djm@ jmc@ - - OpenBSD-Commit-ID: 941a2399da2193356bdc30b879d6e1692f18b6d3 - -commit 16eacdb016ccf38dd9959c78edd3a6282513aa53 -Author: djm@openbsd.org -Date: Fri Feb 12 03:49:09 2021 +0000 - - upstream: sftp: add missing lsetstat@openssh.com documentation - - patch from Mike Frysinger - - OpenBSD-Commit-ID: 9c114db88d505864075bfe7888b7c8745549715b - -commit e04fd6dde16de1cdc5a4d9946397ff60d96568db -Author: djm@openbsd.org -Date: Fri Feb 12 03:14:18 2021 +0000 - - upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own - - function and remove an unused variable; ok dtucker@ - - OpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559 - -commit 1bb130ed34721d46452529d094d9bbf045607d79 -Author: Darren Tucker -Date: Thu Feb 11 10:18:05 2021 +1100 - - Add __NR_futex_time64 to seccomp sandbox. - - This is apparently needed for (some) 32 bit platforms with glibc 2.33. - Patch from nix at esperi.org.uk and jjelen at redhat.com via bz#3260. - -commit f88a7a431212a16e572ecabd559e632f369c363e -Author: Darren Tucker -Date: Sat Feb 6 09:37:01 2021 +1100 - - Add a hostname function for systems that don't have it. - - Some systems don't have a hostname command (it's not required by POSIX). - The do have uname -n (which is), but as found by tim@ some others (eg - UnixWare) do not report the FQDN from uname -n. - -commit 5e385a71ef2317856f37c91a98658eb12eb5a89c -Author: dtucker@openbsd.org -Date: Fri Feb 5 22:03:40 2021 +0000 - - upstream: Roll back the hostname->uname change in rev 1.10. It turns - - out uname -n doesn't do what we need for some platforms in portable, so we'll - fix the original problem (that some other platforms don't have hostname at - all) by providing wrapper function to implement it. - - OpenBSD-Regress-ID: 827a707d6201d5a8e196a8c28aec1d2c76c52341 - -commit b446c214279de50ed8388e54897eb1be5281c894 -Author: dtucker@openbsd.org -Date: Fri Feb 5 06:01:58 2021 +0000 - - upstream: hostname is not specified by POSIX but uname -n is, so use - - the latter for portability. Patch from Geert Hendrickx via github PR#208. - - OpenBSD-Regress-ID: d6a79c7c4d141a0d05ade4a042eb57dddbce89f3 - -commit 1cb6ce98d658e5fbdae025a3bd65793980e3b5d9 -Author: David Carlier -Date: Sat Nov 21 12:22:23 2020 +0000 - - Using explicit_memset for the explicit_bzero compatibility layer. - - Favoriting the native implementation in this case. - -commit 2e0beff67def2120f4b051b1016d7fbf84823e78 -Author: Luca Weiss -Date: Sun Nov 8 14:19:23 2020 +0100 - - Deny (non-fatal) statx in preauth privsep child. - -commit a35d3e911e193a652bd09eed40907e3e165b0a7b -Author: dtucker@openbsd.org -Date: Fri Feb 5 02:20:23 2021 +0000 - - upstream: Remove debug message from sigchld handler. While this - - works on OpenBSD it can cause problems on other platforms. From kircherlike - at outlook.com via bz#3259, ok djm@ - - OpenBSD-Commit-ID: 3e241d7ac1ee77e3de3651780b5dc47b283a7668 - -commit 69338ab46afe9e3dfb7762ad65351d854077c998 -Author: djm@openbsd.org -Date: Tue Feb 2 22:36:59 2021 +0000 - - upstream: whitespace - - OpenBSD-Commit-ID: 544bb092e03fcbecb420196cd0f70af13ea868ad - -commit f71219a01d8f71c4b3ed7e456337a84ddba1653e -Author: djm@openbsd.org -Date: Tue Feb 2 22:36:46 2021 +0000 - - upstream: fix memleaks in private key deserialisation; enforce more - - consistency between redundant fields in private key certificate and private - key body; ok markus@ - - OpenBSD-Commit-ID: dec344e414d47f0a7adc13aecf3760fe58101240 - -commit 3287790e78bf5b53c4a3cafb67bb5aa03e3910f0 -Author: djm@openbsd.org -Date: Tue Feb 2 22:35:14 2021 +0000 - - upstream: memleak on error path; ok markus@ - - OpenBSD-Commit-ID: 2091a36d6ca3980c81891a6c4bdc544e63cb13a8 diff --git a/Makefile.in b/Makefile.in index c0ebfa041525..70287f51fb81 100644 --- a/Makefile.in +++ b/Makefile.in @@ -517,6 +517,10 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS) $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(TESTLIBS) +regress/timestamp$(EXEEXT): $(srcdir)/regress/timestamp.c $(REGRESSLIBS) + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/timestamp.c \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(TESTLIBS) + regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c $(REGRESSLIBS) $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/setuid-allowed.c \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(TESTLIBS) @@ -691,6 +695,7 @@ regress/misc/sk-dummy/sk-dummy.so: $(SK_DUMMY_OBJS) regress-binaries: regress-prep $(LIBCOMPAT) \ regress/modpipe$(EXEEXT) \ + regress/timestamp$(EXEEXT) \ regress/setuid-allowed$(EXEEXT) \ regress/netcat$(EXEEXT) \ regress/check-perm$(EXEEXT) \ diff --git a/README b/README index 89bcddd9e4fc..796101c7abef 100644 --- a/README +++ b/README @@ -1,4 +1,5 @@ -See https://www.openssh.com/releasenotes.html#9.2p1 for the release notes. +See https://www.openssh.com/releasenotes.html#9.3p1 for the release +notes. Please read https://www.openssh.com/report.html for bug reporting instructions and note that we do not use Github for bug reporting or diff --git a/README.md b/README.md index 3da933817989..9431b0ffdd89 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) +[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable) OpenSSH is a complete implementation of the SSH protocol (version 2) for secure remote login, command execution and file transfer. It includes a client ``ssh`` and server ``sshd``, file transfer utilities ``scp`` and ``sftp`` as well as tools for key generation (``ssh-keygen``), run-time key storage (``ssh-agent``) and a number of supporting programs. diff --git a/auth-pam.c b/auth-pam.c index b324953a11c1..f5a06b1f61f5 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -351,11 +351,12 @@ import_environments(struct sshbuf *b) /* Import environment from subprocess */ if ((r = sshbuf_get_u32(b, &num_env)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); - if (num_env > 1024) - fatal("%s: received %u environment variables, expected <= 1024", - __func__, num_env); + if (num_env > 1024) { + fatal_f("received %u environment variables, expected <= 1024", + num_env); + } sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env)); - debug3("PAM: num env strings %d", num_env); + debug3("PAM: num env strings %u", num_env); for(i = 0; i < num_env; i++) { if ((r = sshbuf_get_cstring(b, &(sshpam_env[i]), NULL)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); @@ -365,7 +366,11 @@ import_environments(struct sshbuf *b) /* Import PAM environment from subprocess */ if ((r = sshbuf_get_u32(b, &num_env)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); - debug("PAM: num PAM env strings %d", num_env); + if (num_env > 1024) { + fatal_f("received %u PAM env variables, expected <= 1024", + num_env); + } + debug("PAM: num PAM env strings %u", num_env); for (i = 0; i < num_env; i++) { if ((r = sshbuf_get_cstring(b, &env, NULL)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); diff --git a/auth-shadow.c b/auth-shadow.c index c77ee8da9b48..b1e3aa9fc1b3 100644 --- a/auth-shadow.c +++ b/auth-shadow.c @@ -56,13 +56,13 @@ int auth_shadow_acctexpired(struct spwd *spw) { time_t today; - int daysleft; + long long daysleft; int r; today = time(NULL) / DAY; daysleft = spw->sp_expire - today; - debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today, - (int)spw->sp_expire, daysleft); + debug3("%s: today %lld sp_expire %lld days left %lld", __func__, + (long long)today, (long long)spw->sp_expire, daysleft); if (spw->sp_expire == -1) { debug3("account expiration disabled"); @@ -70,9 +70,9 @@ auth_shadow_acctexpired(struct spwd *spw) logit("Account %.100s has expired", spw->sp_namp); return 1; } else if (daysleft <= spw->sp_warn) { - debug3("account will expire in %d days", daysleft); + debug3("account will expire in %lld days", daysleft); if ((r = sshbuf_putf(loginmsg, - "Your account will expire in %d day%s.\n", daysleft, + "Your account will expire in %lld day%s.\n", daysleft, daysleft == 1 ? "" : "s")) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); } @@ -98,8 +98,8 @@ auth_shadow_pwexpired(Authctxt *ctxt) } today = time(NULL) / DAY; - debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today, - (int)spw->sp_lstchg, (int)spw->sp_max); + debug3_f("today %lld sp_lstchg %lld sp_max %lld", (long long)today, + (long long)spw->sp_lstchg, (long long)spw->sp_max); #if defined(__hpux) && !defined(HAVE_SECUREWARE) if (iscomsec()) { diff --git a/auth.c b/auth.c index 03a777ccee39..3b380d9bbd20 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.159 2022/12/09 00:17:40 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.160 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -74,7 +74,6 @@ #include "authfile.h" #include "monitor_wrap.h" #include "ssherr.h" -#include "compat.h" #include "channels.h" /* import */ diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 6b517db411df..06bb464ffa45 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.50 2022/09/17 10:34:29 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.52 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -40,7 +40,6 @@ #include "log.h" #include "misc.h" #include "servconf.h" -#include "compat.h" #include "sshkey.h" #include "hostfile.h" #include "auth.h" @@ -101,12 +100,6 @@ userauth_hostbased(struct ssh *ssh, const char *method) "(received %d, expected %d)", key->type, pktype); goto done; } - if (sshkey_type_plain(key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - error("Refusing RSA key because peer uses unsafe " - "signature format"); - goto done; - } if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) { logit_f("signature algorithm %s not in " "HostbasedAcceptedAlgorithms", pkalg); diff --git a/auth2-none.c b/auth2-none.c index d9f97223c92a..8966fd082f42 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-none.c,v 1.24 2021/12/19 22:12:07 djm Exp $ */ +/* $OpenBSD: auth2-none.c,v 1.25 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -44,7 +44,6 @@ #include "log.h" #include "misc.h" #include "servconf.h" -#include "compat.h" #include "ssh2.h" #include "ssherr.h" #ifdef GSSAPI diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 5d59febc3aef..b4f1f6384053 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.117 2022/09/17 10:34:29 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.118 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -153,12 +153,6 @@ userauth_pubkey(struct ssh *ssh, const char *method) "(received %d, expected %d)", key->type, pktype); goto done; } - if (sshkey_type_plain(key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - logit("Refusing RSA key because client uses unsafe " - "signature scheme"); - goto done; - } if (auth2_key_already_used(authctxt, key)) { logit("refusing previously-used %s key", sshkey_type(key)); goto done; diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c index 0cfacac353c0..31e7481fbe55 100644 --- a/auth2-pubkeyfile.c +++ b/auth2-pubkeyfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkeyfile.c,v 1.3 2022/07/01 03:52:57 djm Exp $ */ +/* $OpenBSD: auth2-pubkeyfile.c,v 1.4 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -42,7 +42,6 @@ #include "ssh.h" #include "log.h" #include "misc.h" -#include "compat.h" #include "sshkey.h" #include "digest.h" #include "hostfile.h" diff --git a/auth2.c b/auth2.c index 6c061934bf39..34346e5731de 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.164 2022/02/23 11:18:13 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.166 2023/03/08 04:43:12 guenther Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -46,7 +46,6 @@ #include "sshbuf.h" #include "misc.h" #include "servconf.h" -#include "compat.h" #include "sshkey.h" #include "hostfile.h" #include "auth.h" @@ -178,7 +177,6 @@ do_authentication2(struct ssh *ssh) ssh->authctxt = NULL; } -/*ARGSUSED*/ static int input_service_request(int type, u_int32_t seq, struct ssh *ssh) { @@ -256,7 +254,6 @@ ensure_minimum_time_since(double start, double seconds) nanosleep(&ts, NULL); } -/*ARGSUSED*/ static int input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) { diff --git a/authfd.c b/authfd.c index b633e35eaf8b..25a363664cd2 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.130 2022/04/27 11:08:55 dtucker Exp $ */ +/* $OpenBSD: authfd.c,v 1.133 2023/03/09 21:06:24 jcs Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -55,7 +55,6 @@ #include "sshkey.h" #include "authfd.h" #include "cipher.h" -#include "compat.h" #include "log.h" #include "atomicio.h" #include "misc.h" @@ -491,8 +490,8 @@ encode_dest_constraint(struct sshbuf *m, const struct dest_constraint *dc) if ((b = sshbuf_new()) == NULL) return SSH_ERR_ALLOC_FAIL; - if ((r = encode_dest_constraint_hop(b, &dc->from) != 0) || - (r = encode_dest_constraint_hop(b, &dc->to) != 0) || + if ((r = encode_dest_constraint_hop(b, &dc->from)) != 0 || + (r = encode_dest_constraint_hop(b, &dc->to)) != 0 || (r = sshbuf_put_string(b, NULL, 0)) != 0) /* reserved */ goto out; if ((r = sshbuf_put_stringb(m, b)) != 0) @@ -666,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, struct dest_constraint **dest_constraints, size_t ndest_constraints) { struct sshbuf *msg; - int r, constrained = (life || confirm); + int r, constrained = (life || confirm || dest_constraints); u_char type; if (add) { diff --git a/authfile.c b/authfile.c index 9ed4f4c3a30d..445f2dd54198 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.143 2022/06/21 14:52:13 tobhe Exp $ */ +/* $OpenBSD: authfile.c,v 1.144 2023/03/14 07:26:25 dtucker Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -211,6 +211,8 @@ sshkey_try_load_public(struct sshkey **kp, const char *filename, int r; struct sshkey *k = NULL; + if (kp == NULL) + return SSH_ERR_INVALID_ARGUMENT; *kp = NULL; if (commentp != NULL) *commentp = NULL; diff --git a/canohost.c b/canohost.c index a810da0eeb73..457e9097e159 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.75 2020/10/18 11:32:01 djm Exp $ */ +/* $OpenBSD: canohost.c,v 1.76 2023/03/03 05:00:34 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -72,6 +72,9 @@ get_socket_address(int sock, int remote, int flags) char ntop[NI_MAXHOST]; int r; + if (sock < 0) + return NULL; + /* Get IP address of client. */ addrlen = sizeof(addr); memset(&addr, 0, sizeof(addr)); diff --git a/channels.c b/channels.c index 0d26358cc65e..d9f59f4666cc 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.427 2023/01/18 02:00:10 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.430 2023/03/10 03:01:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -198,7 +198,7 @@ struct ssh_channels { u_int x11_saved_data_len; /* Deadline after which all X11 connections are refused */ - u_int x11_refuse_time; + time_t x11_refuse_time; /* * Fake X11 authentication data. This is what the server will be @@ -387,11 +387,11 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, int val; if (rfd != -1) - fcntl(rfd, F_SETFD, FD_CLOEXEC); + (void)fcntl(rfd, F_SETFD, FD_CLOEXEC); if (wfd != -1 && wfd != rfd) - fcntl(wfd, F_SETFD, FD_CLOEXEC); + (void)fcntl(wfd, F_SETFD, FD_CLOEXEC); if (efd != -1 && efd != rfd && efd != wfd) - fcntl(efd, F_SETFD, FD_CLOEXEC); + (void)fcntl(efd, F_SETFD, FD_CLOEXEC); c->rfd = rfd; c->wfd = wfd; @@ -1258,7 +1258,7 @@ x11_open_helper(struct ssh *ssh, struct sshbuf *b) /* Is this being called after the refusal deadline? */ if (sc->x11_refuse_time != 0 && - (u_int)monotime() >= sc->x11_refuse_time) { + monotime() >= sc->x11_refuse_time) { verbose("Rejected X11 connection after ForwardX11Timeout " "expired"); return -1; @@ -1879,7 +1879,7 @@ port_open_helper(struct ssh *ssh, Channel *c, char *rtype) } void -channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time) +channel_set_x11_refuse_time(struct ssh *ssh, time_t refuse_time) { ssh->chanctxt->x11_refuse_time = refuse_time; } @@ -1986,11 +1986,14 @@ channel_post_connecting(struct ssh *ssh, Channel *c) fatal_f("channel %d: no remote id", c->self); /* for rdynamic the OPEN_CONFIRMATION has been sent already */ isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH); + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) == -1) { err = errno; error("getsockopt SO_ERROR failed"); } + if (err == 0) { + /* Non-blocking connection completed */ debug("channel %d: connected to %s port %d", c->self, c->connect_ctx.host, c->connect_ctx.port); channel_connect_ctx_free(&c->connect_ctx); @@ -2008,16 +2011,17 @@ channel_post_connecting(struct ssh *ssh, Channel *c) (r = sshpkt_send(ssh)) != 0) fatal_fr(r, "channel %i open confirm", c->self); } - } else { - debug("channel %d: connection failed: %s", - c->self, strerror(err)); - /* Try next address, if any */ - if ((sock = connect_next(&c->connect_ctx)) > 0) { - close(c->sock); - c->sock = c->rfd = c->wfd = sock; - return; - } - /* Exhausted all addresses */ + return; + } + if (err == EINTR || err == EAGAIN || err == EINPROGRESS) + return; + + /* Non-blocking connection failed */ + debug("channel %d: connection failed: %s", c->self, strerror(err)); + + /* Try next address, if any */ + if ((sock = connect_next(&c->connect_ctx)) == -1) { + /* Exhausted all addresses for this destination */ error("connect_to %.100s port %d: failed.", c->connect_ctx.host, c->connect_ctx.port); channel_connect_ctx_free(&c->connect_ctx); @@ -2036,6 +2040,10 @@ channel_post_connecting(struct ssh *ssh, Channel *c) chan_mark_dead(ssh, c); } } + + /* New non-blocking connection in progress */ + close(c->sock); + c->sock = c->rfd = c->wfd = sock; } static int diff --git a/channels.h b/channels.h index 101843a06d15..91cc466cc8d4 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.148 2023/01/18 02:00:10 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.149 2023/03/04 03:22:59 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -375,7 +375,7 @@ int permitopen_port(const char *); /* x11 forwarding */ -void channel_set_x11_refuse_time(struct ssh *, u_int); +void channel_set_x11_refuse_time(struct ssh *, time_t); int x11_connect_display(struct ssh *); int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **); void x11_request_forwarding_with_spoofing(struct ssh *, int, diff --git a/clientloop.c b/clientloop.c index fef9efc6cc3a..3fb72fb2fd7e 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.387 2023/01/06 02:39:59 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.390 2023/03/08 04:43:12 guenther Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -158,7 +158,7 @@ static int connection_in; /* Connection to server (input). */ static int connection_out; /* Connection to server (output). */ static int need_rekeying; /* Set to non-zero if rekeying is requested. */ static int session_closed; /* In SSH2: login session closed. */ -static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ +static time_t x11_refuse_time; /* If >0, refuse x11 opens after this time. */ static time_t server_alive_time; /* Time to do server_alive_check */ static int hostkeys_update_complete; static int session_setup_complete; @@ -215,7 +215,6 @@ quit_message(const char *fmt, ...) * Signal handler for the window change signal (SIGWINCH). This just sets a * flag indicating that the window has changed. */ -/*ARGSUSED */ static void window_change_handler(int sig) { @@ -226,7 +225,6 @@ window_change_handler(int sig) * Signal handler for signals that cause the program to terminate. These * signals must be trapped to restore terminal modes. */ -/*ARGSUSED */ static void signal_handler(int sig) { @@ -376,8 +374,8 @@ client_x11_get_proto(struct ssh *ssh, const char *display, if (timeout != 0 && x11_refuse_time == 0) { now = monotime() + 1; - if (UINT_MAX - timeout < now) - x11_refuse_time = UINT_MAX; + if (SSH_TIME_T_MAX - timeout < now) + x11_refuse_time = SSH_TIME_T_MAX; else x11_refuse_time = now + timeout; channel_set_x11_refuse_time(ssh, @@ -1617,7 +1615,7 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) "malicious server."); return NULL; } - if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { + if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { verbose("Rejected X11 connection after ForwardX11Timeout " "expired"); return NULL; @@ -2112,7 +2110,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx) free(response); response = read_passphrase("Accept updated hostkeys? " "(yes/no): ", RP_ECHO); - if (strcasecmp(response, "yes") == 0) + if (response != NULL && strcasecmp(response, "yes") == 0) break; else if (quit_pending || response == NULL || strcasecmp(response, "no") == 0) { diff --git a/compat.c b/compat.c index 478a9403eeaa..b59f0bfc0630 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.126 2023/03/06 12:14:48 dtucker Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -36,7 +36,6 @@ #include "compat.h" #include "log.h" #include "match.h" -#include "kex.h" /* determine bug flags from SSH protocol banner */ void @@ -77,26 +76,8 @@ compat_banner(struct ssh *ssh, const char *version) { "3.0.*", SSH_BUG_DEBUG }, { "3.0 SecureCRT*", SSH_OLD_SESSIONID }, { "1.7 SecureFX*", SSH_OLD_SESSIONID }, - { "1.2.18*," - "1.2.19*," - "1.2.20*," - "1.2.21*," - "1.2.22*", SSH_BUG_IGNOREMSG }, - { "1.3.2*", /* F-Secure */ - SSH_BUG_IGNOREMSG }, { "Cisco-1.*", SSH_BUG_DHGEX_LARGE| SSH_BUG_HOSTKEYS }, - { "*SSH Compatible Server*", /* Netscreen */ - SSH_BUG_PASSWORDPAD }, - { "*OSU_0*," - "OSU_1.0*," - "OSU_1.1*," - "OSU_1.2*," - "OSU_1.3*," - "OSU_1.4*," - "OSU_1.5alpha1*," - "OSU_1.5alpha2*," - "OSU_1.5alpha3*", SSH_BUG_PASSWORDPAD }, { "*SSH_Version_Mapper*", SSH_BUG_SCANNER }, { "PuTTY_Local:*," /* dev versions < Sep 2014 */ @@ -158,37 +139,7 @@ compat_banner(struct ssh *ssh, const char *version) /* Always returns pointer to allocated memory, caller must free. */ char * -compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) -{ - if (!(ssh->compat & SSH_BUG_BIGENDIANAES)) - return xstrdup(cipher_prop); - debug2_f("original cipher proposal: %s", cipher_prop); - if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) - fatal("match_filter_denylist failed"); - debug2_f("compat cipher proposal: %s", cipher_prop); - if (*cipher_prop == '\0') - fatal("No supported ciphers found"); - return cipher_prop; -} - -/* Always returns pointer to allocated memory, caller must free. */ -char * -compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) -{ - if (!(ssh->compat & SSH_BUG_RSASIGMD5)) - return xstrdup(pkalg_prop); - debug2_f("original public key proposal: %s", pkalg_prop); - if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) - fatal("match_filter_denylist failed"); - debug2_f("compat public key proposal: %s", pkalg_prop); - if (*pkalg_prop == '\0') - fatal("No supported PK algorithms found"); - return pkalg_prop; -} - -/* Always returns pointer to allocated memory, caller must free. */ -char * -compat_kex_proposal(struct ssh *ssh, char *p) +compat_kex_proposal(struct ssh *ssh, const char *p) { char *cp = NULL, *cp2 = NULL; diff --git a/compat.h b/compat.h index 167409b2bd33..1a19060fc14c 100644 --- a/compat.h +++ b/compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.57 2021/06/06 03:40:39 djm Exp $ */ +/* $OpenBSD: compat.h,v 1.62 2023/03/06 12:14:48 dtucker Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -35,12 +35,12 @@ /* #define unused 0x00000020 */ #define SSH_BUG_DEBUG 0x00000040 /* #define unused 0x00000080 */ -#define SSH_BUG_IGNOREMSG 0x00000100 +/* #define unused 0x00000100 */ /* #define unused 0x00000200 */ -#define SSH_BUG_PASSWORDPAD 0x00000400 +/* #define unused 0x00000400 */ #define SSH_BUG_SCANNER 0x00000800 -#define SSH_BUG_BIGENDIANAES 0x00001000 -#define SSH_BUG_RSASIGMD5 0x00002000 +/* #define unused 0x00001000 */ +/* #define unused 0x00002000 */ #define SSH_OLD_DHGEX 0x00004000 #define SSH_BUG_NOREKEY 0x00008000 /* #define unused 0x00010000 */ @@ -61,7 +61,5 @@ struct ssh; void compat_banner(struct ssh *, const char *); -char *compat_cipher_proposal(struct ssh *, char *); -char *compat_pkalg_proposal(struct ssh *, char *); -char *compat_kex_proposal(struct ssh *, char *); +char *compat_kex_proposal(struct ssh *, const char *); #endif diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 423079a03c78..a665aa20bc1f 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%global ver 9.2p1 +%global ver 9.3p1 %global rel 1%{?dist} # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index e533ed542ce1..406b7c0b8606 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 9.2p1 +Version: 9.3p1 URL: https://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/dispatch.c b/dispatch.c index 6e4c501e0573..6118147bf140 100644 --- a/dispatch.c +++ b/dispatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dispatch.c,v 1.32 2019/01/19 21:33:13 djm Exp $ */ +/* $OpenBSD: dispatch.c,v 1.33 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -34,7 +34,6 @@ #include "log.h" #include "dispatch.h" #include "packet.h" -#include "compat.h" #include "ssherr.h" int diff --git a/dns.c b/dns.c index f2310bec2b08..939241440777 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.42 2022/02/01 23:32:51 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.44 2023/03/10 04:06:21 dtucker Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -258,6 +258,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (!dns_read_key(&hostkey_algorithm, &dnskey_digest_type, &hostkey_digest, &hostkey_digest_len, hostkey)) { error("Error calculating key fingerprint."); + free(dnskey_digest); freerrset(fingerprints); return -1; } @@ -301,7 +302,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, * Export the fingerprint of a key as a DNS resource record */ int -export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic) +export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic, + int alg) { u_int8_t rdata_pubkey_algorithm = 0; u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED; @@ -311,6 +313,8 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic) int success = 0; for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) { + if (alg != -1 && dtype != alg) + continue; rdata_digest_type = dtype; if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, &rdata_digest, &rdata_digest_len, key)) { diff --git a/dns.h b/dns.h index c9b61c4f28f8..864ab7d00ac7 100644 --- a/dns.h +++ b/dns.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.19 2021/07/19 03:13:28 dtucker Exp $ */ +/* $OpenBSD: dns.h,v 1.20 2023/02/10 04:56:30 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -54,6 +54,6 @@ enum sshfp_hashes { int verify_host_key_dns(const char *, struct sockaddr *, struct sshkey *, int *); -int export_dns_rr(const char *, struct sshkey *, FILE *, int); +int export_dns_rr(const char *, struct sshkey *, FILE *, int, int); #endif /* DNS_H */ diff --git a/hostfile.c b/hostfile.c index bd49e3ac7c48..c5669c703735 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.93 2022/01/06 22:02:52 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.95 2023/02/21 06:48:18 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -515,14 +515,23 @@ add_host_to_hostfile(const char *filename, const char *host, const struct sshkey *key, int store_hash) { FILE *f; - int success; + int success, addnl = 0; if (key == NULL) return 1; /* XXX ? */ hostfile_create_user_ssh_dir(filename, 0); - f = fopen(filename, "a"); + f = fopen(filename, "a+"); if (!f) return 0; + /* Make sure we have a terminating newline. */ + if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n') + addnl = 1; + if (fseek(f, 0L, SEEK_END) != 0 || (addnl && fputc('\n', f) != '\n')) { + error("Failed to add terminating newline to %s: %s", + filename, strerror(errno)); + fclose(f); + return 0; + } success = write_host_entry(f, host, NULL, key, store_hash); fclose(f); return success; diff --git a/kex.c b/kex.c index 8cdefcf7cbb9..b4e2ab75f541 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.173 2022/11/07 10:05:38 dtucker Exp $ */ +/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -57,10 +57,12 @@ #include "misc.h" #include "dispatch.h" #include "monitor.h" +#include "myproposal.h" #include "ssherr.h" #include "sshbuf.h" #include "digest.h" +#include "xmalloc.h" /* prototype */ static int kex_choose_conf(struct ssh *); @@ -317,6 +319,61 @@ kex_assemble_names(char **listp, const char *def, const char *all) return r; } +/* + * Fill out a proposal array with dynamically allocated values, which may + * be modified as required for compatibility reasons. + * Any of the options may be NULL, in which case the default is used. + * Array contents must be freed by calling kex_proposal_free_entries. + */ +void +kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX], + const char *kexalgos, const char *ciphers, const char *macs, + const char *comp, const char *hkalgs) +{ + const char *defpropserver[PROPOSAL_MAX] = { KEX_SERVER }; + const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT }; + const char **defprop = ssh->kex->server ? defpropserver : defpropclient; + u_int i; + + if (prop == NULL) + fatal_f("proposal missing"); + + for (i = 0; i < PROPOSAL_MAX; i++) { + switch(i) { + case PROPOSAL_KEX_ALGS: + prop[i] = compat_kex_proposal(ssh, + kexalgos ? kexalgos : defprop[i]); + break; + case PROPOSAL_ENC_ALGS_CTOS: + case PROPOSAL_ENC_ALGS_STOC: + prop[i] = xstrdup(ciphers ? ciphers : defprop[i]); + break; + case PROPOSAL_MAC_ALGS_CTOS: + case PROPOSAL_MAC_ALGS_STOC: + prop[i] = xstrdup(macs ? macs : defprop[i]); + break; + case PROPOSAL_COMP_ALGS_CTOS: + case PROPOSAL_COMP_ALGS_STOC: + prop[i] = xstrdup(comp ? comp : defprop[i]); + break; + case PROPOSAL_SERVER_HOST_KEY_ALGS: + prop[i] = xstrdup(hkalgs ? hkalgs : defprop[i]); + break; + default: + prop[i] = xstrdup(defprop[i]); + } + } +} + +void +kex_proposal_free_entries(char *prop[PROPOSAL_MAX]) +{ + u_int i; + + for (i = 0; i < PROPOSAL_MAX; i++) + free(prop[i]); +} + /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) @@ -404,7 +461,6 @@ kex_prop_free(char **proposal) free(proposal); } -/* ARGSUSED */ int kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) { @@ -485,6 +541,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) return r; + if (ninfo >= 1024) { + error("SSH2_MSG_EXT_INFO with too many entries, expected " + "<=1024, received %u", ninfo); + return SSH_ERR_INVALID_FORMAT; + } for (i = 0; i < ninfo; i++) { if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) return r; @@ -585,7 +646,6 @@ kex_send_kexinit(struct ssh *ssh) return 0; } -/* ARGSUSED */ int kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) { @@ -1345,7 +1405,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, } peer_version_string = sshbuf_dup_string(peer_version); if (peer_version_string == NULL) - error_f("sshbuf_dup_string failed"); + fatal_f("sshbuf_dup_string failed"); /* XXX must be same size for sscanf */ if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) { error_f("calloc failed"); @@ -1404,10 +1464,6 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, r = SSH_ERR_CONN_CLOSED; /* XXX */ goto out; } - if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - logit("Remote version \"%.100s\" uses unsafe RSA signature " - "scheme; disabling use of RSA keys", remote_version); - } /* success */ r = 0; out: diff --git a/kex.h b/kex.h index c35329501871..8b54e3f4b912 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.117 2022/01/06 21:55:23 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -182,6 +182,9 @@ int kex_names_valid(const char *); char *kex_alg_list(char); char *kex_names_cat(const char *, const char *); int kex_assemble_names(char **, const char *, const char *); +void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], + const char *, const char *, const char *, const char *, const char *); +void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]); int kex_exchange_identification(struct ssh *, int, const char *); diff --git a/kexgexs.c b/kexgexs.c index 72b444f6906b..676de77ad14e 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.44 2021/12/19 22:08:06 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.45 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -46,7 +46,6 @@ #include "packet.h" #include "dh.h" #include "ssh2.h" -#include "compat.h" #ifdef GSSAPI #include "ssh-gss.h" #endif diff --git a/krl.c b/krl.c index 473a9d737953..1fed42b2249a 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.54 2022/04/28 02:53:31 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.55 2023/03/14 07:28:47 dtucker Exp $ */ #include "includes.h" @@ -191,6 +191,7 @@ ssh_krl_free(struct ssh_krl *krl) TAILQ_REMOVE(&krl->revoked_certs, rc, entry); revoked_certs_free(rc); } + free(krl); } void diff --git a/misc.c b/misc.c index c098dc610b7b..6135b15567a4 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.180 2023/01/06 02:37:04 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.181 2023/03/03 02:37:58 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005-2020 Damien Miller. All rights reserved. @@ -2452,9 +2452,6 @@ parse_absolute_time(const char *s, uint64_t *tp) return 0; } -/* On OpenBSD time_t is int64_t which is long long. */ -/* #define SSH_TIME_T_MAX LLONG_MAX */ - void format_absolute_time(uint64_t t, char *buf, size_t len) { diff --git a/misc.h b/misc.h index 84d93e059ea9..07408ca13c45 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.101 2023/01/06 02:37:04 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.102 2023/03/03 02:37:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -240,4 +240,7 @@ void notify_complete(struct notifier_ctx *, const char *, ...) typedef void (*sshsig_t)(int); sshsig_t ssh_signal(int, sshsig_t); +/* On OpenBSD time_t is int64_t which is long long. */ +/* #define SSH_TIME_T_MAX LLONG_MAX */ + #endif /* _MISC_H */ diff --git a/moduli.c b/moduli.c index 9f660ef267ee..481ca2aa8ffc 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.38 2022/05/01 23:20:30 djm Exp $ */ +/* $OpenBSD: moduli.c,v 1.39 2023/03/02 06:41:56 dtucker Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -452,7 +452,7 @@ write_checkpoint(char *cpfile, u_int32_t lineno) { FILE *fp; char tmp[PATH_MAX]; - int r; + int r, writeok, closeok; r = snprintf(tmp, sizeof(tmp), "%s.XXXXXXXXXX", cpfile); if (r < 0 || r >= PATH_MAX) { @@ -469,13 +469,16 @@ write_checkpoint(char *cpfile, u_int32_t lineno) close(r); return; } - if (fprintf(fp, "%lu\n", (unsigned long)lineno) > 0 && fclose(fp) == 0 - && rename(tmp, cpfile) == 0) + writeok = (fprintf(fp, "%lu\n", (unsigned long)lineno) > 0); + closeok = (fclose(fp) == 0); + if (writeok && closeok && rename(tmp, cpfile) == 0) { debug3("wrote checkpoint line %lu to '%s'", (unsigned long)lineno, cpfile); - else + } else { logit("failed to write to checkpoint file '%s': %s", cpfile, strerror(errno)); + (void)unlink(tmp); + } } static unsigned long diff --git a/monitor.c b/monitor.c index 91e0e62454b7..fda4a3660be7 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.234 2022/06/15 16:08:25 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.235 2023/02/17 04:22:50 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1097,6 +1097,10 @@ mm_answer_pam_respond(struct ssh *ssh, int sock, struct sshbuf *m) sshpam_authok = NULL; if ((r = sshbuf_get_u32(m, &num)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (num > PAM_MAX_NUM_MSG) { + fatal_f("Too many PAM messages, got %u, expected <= %u", + num, (unsigned)PAM_MAX_NUM_MSG); + } if (num > 0) { resp = xcalloc(num, sizeof(char *)); for (i = 0; i < num; ++i) { @@ -1161,11 +1165,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) fatal_fr(r, "parse"); if (key != NULL && authctxt->valid) { - /* These should not make it past the privsep child */ - if (sshkey_type_plain(key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) - fatal_f("passed a SSH_BUG_RSASIGMD5 key"); - switch (type) { case MM_USERKEY: auth_method = "publickey"; diff --git a/mux.c b/mux.c index e7580ac742ab..b3ffde9fe162 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.95 2023/01/06 02:39:59 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.96 2023/03/08 04:43:12 guenther Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -186,7 +186,6 @@ static const struct { }; /* Cleanup callback fired on closure of mux client _session_ channel */ -/* ARGSUSED */ static void mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) { @@ -208,7 +207,6 @@ mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) } /* Cleanup callback fired on closure of mux client _control_ channel */ -/* ARGSUSED */ static void mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) { diff --git a/openbsd-compat/bsd-getentropy.c b/openbsd-compat/bsd-getentropy.c index 554dfad70524..0231e066c5fa 100644 --- a/openbsd-compat/bsd-getentropy.c +++ b/openbsd-compat/bsd-getentropy.c @@ -51,7 +51,7 @@ _ssh_compat_getentropy(void *s, size_t len) size_t o = 0; #ifdef HAVE_GETENTROPY - if (r = getentropy(s, len) == 0) + if ((r = getentropy(s, len)) == 0) return 0; #endif /* HAVE_GETENTROPY */ #ifdef HAVE_GETRANDOM diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index b9eaee14f3c0..bc505b8387ba 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c @@ -35,9 +35,9 @@ * original. Also, there is now a builtin-test, just compile with: * gcc -DTEST_SNPRINTF -o snprintf snprintf.c -lm * and run snprintf for results. - * + * * Thomas Roessler 01/27/98 for mutt 0.89i - * The PGP code was using unsigned hexadecimal formats. + * The PGP code was using unsigned hexadecimal formats. * Unfortunately, unsigned formats simply didn't work. * * Michael Elkins 03/05/98 for mutt 0.90.8 @@ -55,20 +55,20 @@ * * date: 2002/12/19 19:56:31; author: herb; state: Exp; lines: +2 -0 * actually print args for %g and %e - * + * * date: 2002/06/03 13:37:52; author: jmcd; state: Exp; lines: +8 -0 * Since includes.h isn't included here, VA_COPY has to be defined here. I don't * see any include file that is guaranteed to be here, so I'm defining it * locally. Fixes AIX and Solaris builds. - * + * * date: 2002/06/03 03:07:24; author: tridge; state: Exp; lines: +5 -13 * put the ifdef for HAVE_VA_COPY in one place rather than in lots of * functions - * + * * date: 2002/05/17 14:51:22; author: jmcd; state: Exp; lines: +21 -4 * Fix usage of va_list passed as an arg. Use __va_copy before using it * when it exists. - * + * * date: 2002/04/16 22:38:04; author: idra; state: Exp; lines: +20 -14 * Fix incorrect zpadlen handling in fmtfp. * Thanks to Ollie Oldham for spotting it. @@ -167,7 +167,7 @@ (pos)++; \ } while (0) -static int dopr(char *buffer, size_t maxlen, const char *format, +static int dopr(char *buffer, size_t maxlen, const char *format, va_list args_in); static int fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, int min, int max); @@ -192,19 +192,19 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) va_list args; VA_COPY(args, args_in); - + state = DP_S_DEFAULT; currlen = flags = cflags = min = 0; max = -1; ch = *format++; - + while (state != DP_S_DONE) { - if (ch == '\0') + if (ch == '\0') state = DP_S_DONE; switch(state) { case DP_S_DEFAULT: - if (ch == '%') + if (ch == '%') state = DP_S_FLAGS; else DOPR_OUTCH(buffer, currlen, maxlen, ch); @@ -253,7 +253,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) if (ch == '.') { state = DP_S_MAX; ch = *format++; - } else { + } else { state = DP_S_MOD; } break; @@ -306,7 +306,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) switch (ch) { case 'd': case 'i': - if (cflags == DP_C_SHORT) + if (cflags == DP_C_SHORT) value = va_arg (args, int); else if (cflags == DP_C_LONG) value = va_arg (args, long int); @@ -489,12 +489,12 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) } } if (maxlen != 0) { - if (currlen < maxlen - 1) + if (currlen < maxlen - 1) buffer[currlen] = '\0'; - else if (maxlen > 0) + else if (maxlen > 0) buffer[maxlen - 1] = '\0'; } - + return currlen < INT_MAX ? (int)currlen : -1; } @@ -514,11 +514,11 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */ padlen = min - strln; - if (padlen < 0) + if (padlen < 0) padlen = 0; - if (flags & DP_F_MINUS) + if (flags & DP_F_MINUS) padlen = -padlen; /* Left Justify */ - + while ((padlen > 0) && (cnt < max)) { DOPR_OUTCH(buffer, *currlen, maxlen, ' '); --padlen; @@ -550,12 +550,12 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, int spadlen = 0; /* amount to space pad */ int zpadlen = 0; /* amount to zero pad */ int caps = 0; - + if (max < 0) max = 0; - + uvalue = value; - + if(!(flags & DP_F_UNSIGNED)) { if( value < 0 ) { signvalue = '-'; @@ -567,7 +567,7 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, signvalue = ' '; } } - + if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */ do { @@ -587,7 +587,7 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, zpadlen = MAX(zpadlen, spadlen); spadlen = 0; } - if (flags & DP_F_MINUS) + if (flags & DP_F_MINUS) spadlen = -spadlen; /* Left Justifty */ #ifdef DEBUG_SNPRINTF @@ -602,7 +602,7 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, } /* Sign */ - if (signvalue) + if (signvalue) DOPR_OUTCH(buffer, *currlen, maxlen, signvalue); /* Zeros */ @@ -618,7 +618,7 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, --place; DOPR_OUTCH(buffer, *currlen, maxlen, convert[place]); } - + /* Left Justified spaces */ while (spadlen < 0) { DOPR_OUTCH(buffer, *currlen, maxlen, ' '); @@ -633,19 +633,19 @@ static LDOUBLE abs_val(LDOUBLE value) if (value < 0) result = -value; - + return result; } static LDOUBLE POW10(int val) { LDOUBLE result = 1; - + while (val) { result *= 10; val--; } - + return result; } @@ -656,7 +656,7 @@ static LLONG ROUND(LDOUBLE value) intpart = (LLONG)value; value = value - intpart; if (value >= 0.5) intpart++; - + return intpart; } @@ -692,7 +692,7 @@ static double my_modf(double x0, double *iptr) ret = my_modf(x0-l*f, &i2); (*iptr) = l*f + i2; return ret; - } + } (*iptr) = l; return x - (*iptr); @@ -710,14 +710,14 @@ fmtfp (char *buffer, size_t *currlen, size_t maxlen, int iplace = 0; int fplace = 0; int padlen = 0; /* amount to pad */ - int zpadlen = 0; + int zpadlen = 0; int caps = 0; int idx; double intpart; double fracpart; double temp; - - /* + + /* * AIX manpage says the default is 0, but Solaris says the default * is 6, and sprintf on AIX defaults to 6 */ @@ -745,8 +745,8 @@ fmtfp (char *buffer, size_t *currlen, size_t maxlen, if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */ #endif - /* - * Sorry, we only support 16 digits past the decimal because of our + /* + * Sorry, we only support 16 digits past the decimal because of our * conversion method */ if (max > 16) @@ -760,7 +760,7 @@ fmtfp (char *buffer, size_t *currlen, size_t maxlen, my_modf(temp, &intpart); fracpart = ROUND((POW10(max)) * (ufvalue - intpart)); - + if (fracpart >= POW10(max)) { intpart++; fracpart -= POW10(max); @@ -794,16 +794,16 @@ fmtfp (char *buffer, size_t *currlen, size_t maxlen, if (fplace == 311) fplace--; } fconvert[fplace] = 0; - + /* -1 for decimal point, another -1 if we are printing a sign */ - padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); + padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); zpadlen = max - fplace; if (zpadlen < 0) zpadlen = 0; - if (padlen < 0) + if (padlen < 0) padlen = 0; - if (flags & DP_F_MINUS) + if (flags & DP_F_MINUS) padlen = -padlen; /* Left Justifty */ - + if ((flags & DP_F_ZERO) && (padlen > 0)) { if (signvalue) { DOPR_OUTCH(buffer, *currlen, maxlen, signvalue); @@ -819,9 +819,9 @@ fmtfp (char *buffer, size_t *currlen, size_t maxlen, DOPR_OUTCH(buffer, *currlen, maxlen, ' '); --padlen; } - if (signvalue) + if (signvalue) DOPR_OUTCH(buffer, *currlen, maxlen, signvalue); - + while (iplace > 0) { --iplace; DOPR_OUTCH(buffer, *currlen, maxlen, iconvert[iplace]); @@ -837,7 +837,7 @@ fmtfp (char *buffer, size_t *currlen, size_t maxlen, */ if (max > 0) { DOPR_OUTCH(buffer, *currlen, maxlen, '.'); - + while (zpadlen > 0) { DOPR_OUTCH(buffer, *currlen, maxlen, '0'); --zpadlen; diff --git a/openbsd-compat/getopt.h b/openbsd-compat/getopt.h index 8eb12447ed64..65c8bc7fb60e 100644 --- a/openbsd-compat/getopt.h +++ b/openbsd-compat/getopt.h @@ -40,6 +40,7 @@ #define required_argument 1 #define optional_argument 2 +#if 0 struct option { /* name of long option */ const char *name; @@ -58,6 +59,8 @@ int getopt_long(int, char * const *, const char *, const struct option *, int *); int getopt_long_only(int, char * const *, const char *, const struct option *, int *); +#endif + #ifndef _GETOPT_DEFINED_ #define _GETOPT_DEFINED_ int getopt(int, char * const *, const char *); diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c index 1a5001f7d98a..c2863a789f6b 100644 --- a/openbsd-compat/getopt_long.c +++ b/openbsd-compat/getopt_long.c @@ -72,6 +72,20 @@ #include "log.h" +struct option { + /* name of long option */ + const char *name; + /* + * one of no_argument, required_argument, and optional_argument: + * whether option takes an argument + */ + int has_arg; + /* if not NULL, set *flag to val when option found */ + int *flag; + /* if flag not NULL, value to set *flag to; else return value */ + int val; +}; + int opterr = 1; /* if error message should be printed */ int optind = 1; /* index into parent argv vector */ int optopt = '?'; /* character checked for validity */ diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 73de5e9482b8..8f593984066e 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -390,6 +390,9 @@ parse_dns_response(const u_char *answer, int size) struct dns_response *resp; const u_char *cp; + if (size < HFIXEDSZ) + return (NULL); + /* allocate memory for the response */ resp = calloc(1, sizeof(*resp)); if (resp == NULL) @@ -456,14 +459,22 @@ parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count) int i, length; char name[MAXDNAME]; - for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) { +#define NEED(need) \ + do { \ + if (*cp + need > answer + size) \ + goto fail; \ + } while (0) - /* allocate and initialize struct */ - curr = calloc(1, sizeof(struct dns_query)); - if (curr == NULL) { + for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) { + if (*cp >= answer + size) { + fail: free_dns_query(head); return (NULL); } + /* allocate and initialize struct */ + curr = calloc(1, sizeof(struct dns_query)); + if (curr == NULL) + goto fail; if (head == NULL) head = curr; if (prev != NULL) @@ -481,16 +492,20 @@ parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count) free_dns_query(head); return (NULL); } + NEED(length); *cp += length; /* type */ + NEED(INT16SZ); curr->type = _getshort(*cp); *cp += INT16SZ; /* class */ + NEED(INT16SZ); curr->class = _getshort(*cp); *cp += INT16SZ; } +#undef NEED return (head); } @@ -503,14 +518,23 @@ parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int i, length; char name[MAXDNAME]; - for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) { +#define NEED(need) \ + do { \ + if (*cp + need > answer + size) \ + goto fail; \ + } while (0) - /* allocate and initialize struct */ - curr = calloc(1, sizeof(struct dns_rr)); - if (curr == NULL) { + for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) { + if (*cp >= answer + size) { + fail: free_dns_rr(head); return (NULL); } + + /* allocate and initialize struct */ + curr = calloc(1, sizeof(struct dns_rr)); + if (curr == NULL) + goto fail; if (head == NULL) head = curr; if (prev != NULL) @@ -528,25 +552,31 @@ parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, free_dns_rr(head); return (NULL); } + NEED(length); *cp += length; /* type */ + NEED(INT16SZ); curr->type = _getshort(*cp); *cp += INT16SZ; /* class */ + NEED(INT16SZ); curr->class = _getshort(*cp); *cp += INT16SZ; /* ttl */ + NEED(INT32SZ); curr->ttl = _getlong(*cp); *cp += INT32SZ; /* rdata size */ + NEED(INT16SZ); curr->size = _getshort(*cp); *cp += INT16SZ; /* rdata itself */ + NEED(curr->size); curr->rdata = malloc(curr->size); if (curr->rdata == NULL) { free_dns_rr(head); @@ -555,6 +585,7 @@ parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, memcpy(curr->rdata, *cp, curr->size); *cp += curr->size; } +#undef NEED return (head); } diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c index 801a2e8dd3d9..498180dc894b 100644 --- a/openbsd-compat/libressl-api-compat.c +++ b/openbsd-compat/libressl-api-compat.c @@ -10,21 +10,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -39,10 +39,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -54,7 +54,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -75,7 +75,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c index ac922c1ecbe5..cca956a51f65 100644 --- a/openbsd-compat/mktemp.c +++ b/openbsd-compat/mktemp.c @@ -34,6 +34,29 @@ #include #include +#ifdef mkstemp +#undef mkstemp +#endif +int mkstemp(char *); + +/* + * From glibc man page: 'In glibc versions 2.06 and earlier, the file is + * created with permissions 0666, that is, read and write for all users.' + * Provide a wrapper to make sure the mask is reasonable (POSIX requires + * mode 0600, so mask off any other bits). + */ +int +_ssh_mkstemp(char *template) +{ + mode_t mask; + int ret; + + mask = umask(0177); + ret = mkstemp(template); + (void)umask(mask); + return ret; +} + #if !defined(HAVE_MKDTEMP) #define MKTEMP_NAME 0 diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 895ecf9ea111..78faea9629bd 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -141,6 +141,9 @@ int mkstemp(char *path); char *mkdtemp(char *path); #endif +#define mkstemp(x) _ssh_mkstemp(x) +int _ssh_mkstemp(char *); + #ifndef HAVE_DAEMON int daemon(int nochdir, int noclose); #endif diff --git a/packet.c b/packet.c index 3f64d2d32854..fd14f0009e67 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.308 2022/08/31 02:56:40 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.309 2023/03/03 10:23:42 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1324,7 +1324,7 @@ int ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) { struct session_state *state = ssh->state; - int len, r, ms_remain; + int len, r, ms_remain = 0; struct pollfd pfd; char buf[8192]; struct timeval start; diff --git a/progressmeter.c b/progressmeter.c index 8baf798f1813..25da3b2fab1a 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.50 2020/01/23 07:10:22 dtucker Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.52 2023/03/08 04:43:12 guenther Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -30,8 +30,11 @@ #include #include +#include +#include #include #include +#include #include #include #include @@ -51,10 +54,6 @@ /* determines whether we can output to the terminal */ static int can_output(void); -/* formats and inserts the specified size into the given buffer */ -static void format_size(char *, int, off_t); -static void format_rate(char *, int, off_t); - /* window resizing */ static void sig_winch(int); static void setscreensize(void); @@ -84,10 +83,14 @@ can_output(void) return (getpgrp() == tcgetpgrp(STDOUT_FILENO)); } -static void -format_rate(char *buf, int size, off_t bytes) +/* size needed to format integer type v, using (nbits(v) * log2(10) / 10) */ +#define STRING_SIZE(v) (((sizeof(v) * 8 * 4) / 10) + 1) + +static const char * +format_rate(off_t bytes) { int i; + static char buf[STRING_SIZE(bytes) * 2 + 16]; bytes *= 100; for (i = 0; bytes >= 100*1000 && unit[i] != 'T'; i++) @@ -96,37 +99,40 @@ format_rate(char *buf, int size, off_t bytes) i++; bytes = (bytes + 512) / 1024; } - snprintf(buf, size, "%3lld.%1lld%c%s", + snprintf(buf, sizeof(buf), "%3lld.%1lld%c%s", (long long) (bytes + 5) / 100, (long long) (bytes + 5) / 10 % 10, unit[i], i ? "B" : " "); + return buf; } -static void -format_size(char *buf, int size, off_t bytes) +static const char * +format_size(off_t bytes) { int i; + static char buf[STRING_SIZE(bytes) + 16]; for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++) bytes = (bytes + 512) / 1024; - snprintf(buf, size, "%4lld%c%s", + snprintf(buf, sizeof(buf), "%4lld%c%s", (long long) bytes, unit[i], i ? "B" : " "); + return buf; } void refresh_progress_meter(int force_update) { - char buf[MAX_WINSIZE + 1]; + char *buf = NULL, *obuf = NULL; off_t transferred; double elapsed, now; int percent; off_t bytes_left; int cur_speed; int hours, minutes, seconds; - int file_len; + int file_len, cols; if ((!force_update && !alarm_fired && !win_resized) || !can_output()) return; @@ -164,32 +170,29 @@ refresh_progress_meter(int force_update) } else bytes_per_second = cur_speed; - /* filename */ - buf[0] = '\0'; - file_len = win_size - 36; - if (file_len > 0) { - buf[0] = '\r'; - snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", - file_len, file); - } + last_update = now; + /* Don't bother if we can't even display the completion percentage */ + if (win_size < 4) + return; + + /* filename */ + file_len = cols = win_size - 36; + if (file_len > 0) { + asmprintf(&buf, INT_MAX, &cols, "%-*s", file_len, file); + /* If we used fewer columns than expected then pad */ + if (cols < file_len) + xextendf(&buf, NULL, "%*s", file_len - cols, ""); + } /* percent of transfer done */ if (end_pos == 0 || cur_pos == end_pos) percent = 100; else percent = ((float)cur_pos / end_pos) * 100; - snprintf(buf + strlen(buf), win_size - strlen(buf), - " %3d%% ", percent); - /* amount transferred */ - format_size(buf + strlen(buf), win_size - strlen(buf), - cur_pos); - strlcat(buf, " ", win_size); - - /* bandwidth usage */ - format_rate(buf + strlen(buf), win_size - strlen(buf), - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); + /* percent / amount transferred / bandwidth usage */ + xextendf(&buf, NULL, " %3d%% %s %s/s ", percent, format_size(cur_pos), + format_rate((off_t)bytes_per_second)); /* ETA */ if (!transferred) @@ -198,9 +201,9 @@ refresh_progress_meter(int force_update) stalled = 0; if (stalled >= STALL_TIME) - strlcat(buf, "- stalled -", win_size); + xextendf(&buf, NULL, "- stalled -"); else if (bytes_per_second == 0 && bytes_left) - strlcat(buf, " --:-- ETA", win_size); + xextendf(&buf, NULL, " --:-- ETA"); else { if (bytes_left > 0) seconds = bytes_left / bytes_per_second; @@ -212,24 +215,29 @@ refresh_progress_meter(int force_update) minutes = seconds / 60; seconds -= minutes * 60; - if (hours != 0) - snprintf(buf + strlen(buf), win_size - strlen(buf), - "%d:%02d:%02d", hours, minutes, seconds); - else - snprintf(buf + strlen(buf), win_size - strlen(buf), - " %02d:%02d", minutes, seconds); + if (hours != 0) { + xextendf(&buf, NULL, "%d:%02d:%02d", + hours, minutes, seconds); + } else + xextendf(&buf, NULL, " %02d:%02d", minutes, seconds); if (bytes_left > 0) - strlcat(buf, " ETA", win_size); + xextendf(&buf, NULL, " ETA"); else - strlcat(buf, " ", win_size); + xextendf(&buf, NULL, " "); } - atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1); - last_update = now; + /* Finally, truncate string at window width */ + cols = win_size - 1; + asmprintf(&obuf, INT_MAX, &cols, " %s", buf); + if (obuf != NULL) { + *obuf = '\r'; /* must insert as asmprintf() would escape it */ + atomicio(vwrite, STDOUT_FILENO, obuf, strlen(obuf)); + } + free(buf); + free(obuf); } -/*ARGSUSED*/ static void sig_alarm(int ignore) { @@ -272,7 +280,6 @@ stop_progress_meter(void) atomicio(vwrite, STDOUT_FILENO, "\n", 1); } -/*ARGSUSED*/ static void sig_winch(int sig) { diff --git a/readconf.c b/readconf.c index cf79498848f6..6ded2313df52 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.372 2023/01/13 02:58:20 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.375 2023/03/10 02:24:56 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -54,7 +54,6 @@ #include "xmalloc.h" #include "ssh.h" #include "ssherr.h" -#include "compat.h" #include "cipher.h" #include "pathnames.h" #include "log.h" @@ -617,7 +616,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, } arg = criteria = NULL; this_result = 1; - if ((negate = attrib[0] == '!')) + if ((negate = (attrib[0] == '!'))) attrib++; /* Criterion "all" has no argument and must appear alone */ if (strcasecmp(attrib, "all") == 0) { @@ -2131,15 +2130,13 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host, value2 = 0; /* unlimited lifespan by default */ if (value == 3 && arg2 != NULL) { /* allow "AddKeysToAgent confirm 5m" */ - if ((value2 = convtime(arg2)) == -1 || - value2 > INT_MAX) { + if ((value2 = convtime(arg2)) == -1) { error("%s line %d: invalid time value.", filename, linenum); goto out; } } else if (value == -1 && arg2 == NULL) { - if ((value2 = convtime(arg)) == -1 || - value2 > INT_MAX) { + if ((value2 = convtime(arg)) == -1) { error("%s line %d: unsupported option", filename, linenum); goto out; diff --git a/regress/Makefile b/regress/Makefile index bf1d057aad33..d80bf59fabc2 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.122 2023/01/06 08:07:39 djm Exp $ +# $OpenBSD: Makefile,v 1.124 2023/03/01 09:29:32 dtucker Exp $ tests: prep file-tests t-exec unit @@ -138,8 +138,8 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \ sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \ t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \ - t8.out t8.out.pub t9.out t9.out.pub testdata \ - user_*key* user_ca* user_key* + t8.out t8.out.pub t9.out t9.out.pub \ + timestamp testdata user_*key* user_ca* user_key* # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX" diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 79e9c7d9e1c0..f6532f0e9af9 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,3 +1,4 @@ +# $OpenBSD: agent-getpeereid.sh,v 1.15 2023/02/08 08:06:03 dtucker Exp $ # $OpenBSD: agent-getpeereid.sh,v 1.13 2021/09/01 00:50:27 dtucker Exp $ # Placed in the Public Domain. @@ -53,7 +54,7 @@ else fi trace "kill agent" - ${SSHAGENT} -vvv -k >>$OBJ/ssh-agent.log 2>&1 + ${SSHAGENT} -k >>$OBJ/ssh-agent.log 2>&1 fi rm -f ${OBJ}/agent diff --git a/regress/agent-restrict.sh b/regress/agent-restrict.sh index a30aed7bf3d5..62cea85225e7 100644 --- a/regress/agent-restrict.sh +++ b/regress/agent-restrict.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-restrict.sh,v 1.5 2022/01/13 04:53:16 dtucker Exp $ +# $OpenBSD: agent-restrict.sh,v 1.6 2023/03/01 09:29:32 dtucker Exp $ # Placed in the Public Domain. tid="agent restrictions" @@ -39,14 +39,14 @@ Host host_$h Hostname host_$h HostkeyAlias host_$h IdentityFile $OBJ/user_$h - ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy_host_$h + ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h _EOF # Variant with no specified keys. cat << _EOF >> $OBJ/ssh_proxy_noid Host host_$h Hostname host_$h HostkeyAlias host_$h - ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy_host_$h + ProxyCommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy_host_$h _EOF done cat $OBJ/ssh_proxy.bak >> $OBJ/ssh_proxy diff --git a/regress/agent.sh b/regress/agent.sh index f187b6757201..5f1060608eb5 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.20 2021/02/25 03:27:34 djm Exp $ +# $OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -9,7 +9,7 @@ if [ $? -ne 2 ]; then fi trace "start agent, args ${EXTRA_AGENT_ARGS} -s" -eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` >`ssh_logfile ssh-agent` r=$? if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" diff --git a/regress/dhgex.sh b/regress/dhgex.sh index 6dd4cfe3f94a..30064f30a9fe 100644 --- a/regress/dhgex.sh +++ b/regress/dhgex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dhgex.sh,v 1.7 2020/12/21 22:48:41 dtucker Exp $ +# $OpenBSD: dhgex.sh,v 1.8 2023/03/02 08:14:52 dtucker Exp $ # Placed in the Public Domain. tid="dhgex" @@ -31,8 +31,8 @@ ssh_test_dhgex() # check what we request grep "SSH2_MSG_KEX_DH_GEX_REQUEST($groupsz) sent" ${LOG} >/dev/null if [ $? != 0 ]; then - got=`egrep "SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent" ${LOG}` - fail "$tid unexpected GEX sizes, expected $groupsz, got $got" + got="`egrep 'SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent' ${LOG}`" + fail "$tid unexpected GEX sizes, expected $groupsz, got '$got'" fi # check what we got. gotbits="`awk 'BEGIN{FS="/"}/bits set:/{print $2}' ${LOG} | diff --git a/regress/integrity.sh b/regress/integrity.sh index bc030cb74f35..202483c75f4f 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.24 2020/01/21 08:06:27 djm Exp $ +# $OpenBSD: integrity.sh,v 1.25 2023/03/01 09:29:32 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -18,7 +18,7 @@ macs="$macs `${SSH} -Q cipher-auth`" # >> $OBJ/ssh_proxy # sshd-command for proxy (see test-exec.sh) -cmd="$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" +cmd="$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" sh ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" for m in $macs; do trace "test $tid: mac $m" diff --git a/regress/keygen-sshfp.sh b/regress/keygen-sshfp.sh index 2abf9adecac7..0f5eb8555449 100644 --- a/regress/keygen-sshfp.sh +++ b/regress/keygen-sshfp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-sshfp.sh,v 1.2 2021/07/19 02:29:28 dtucker Exp $ +# $OpenBSD: keygen-sshfp.sh,v 1.3 2023/02/10 05:06:03 djm Exp $ # Placed in the Public Domain. tid="keygen-sshfp" @@ -16,6 +16,25 @@ if [ "$fp" != \ fail "keygen fingerprint sha256" fi +# Expect two lines of output without an explicit algorithm +fp=`${SSHKEYGEN} -r test -f ${SRC}/ed25519_openssh.pub | wc -l` +if [ $(($fp + 0)) -ne 2 ] ; then + fail "incorrect number of SSHFP records $fp (expected 2)" +fi + +# Test explicit algorithm selection +exp="test IN SSHFP 4 1 8a8647a7567e202ce317e62606c799c53d4c121f" +fp=`${SSHKEYGEN} -Ohashalg=sha1 -r test -f ${SRC}/ed25519_openssh.pub` +if [ "x$exp" != "x$fp" ] ; then + fail "incorrect SHA1 SSHFP output" +fi + +exp="test IN SSHFP 4 2 54a506fb849aafb9f229cf78a94436c281efcb4ae67c8a430e8c06afcb5ee18f" +fp=`${SSHKEYGEN} -Ohashalg=sha256 -r test -f ${SRC}/ed25519_openssh.pub` +if [ "x$exp" != "x$fp" ] ; then + fail "incorrect SHA256 SSHFP output" +fi + if ${SSH} -Q key-plain | grep ssh-rsa >/dev/null; then fp=`${SSHKEYGEN} -r test -f ${SRC}/rsa_openssh.pub | awk '$5=="1"{print $6}'` if [ "$fp" != "99c79cc09f5f81069cc017cdf9552cfc94b3b929" ]; then @@ -27,3 +46,4 @@ if ${SSH} -Q key-plain | grep ssh-rsa >/dev/null; then fail "keygen fingerprint sha256" fi fi + diff --git a/regress/knownhosts.sh b/regress/knownhosts.sh index dfc768ac9742..7a9da5b1469e 100644 --- a/regress/knownhosts.sh +++ b/regress/knownhosts.sh @@ -1,4 +1,4 @@ -# $OpenBSD: knownhosts.sh,v 1.1 2021/10/01 05:20:20 dtucker Exp $ +# $OpenBSD: knownhosts.sh,v 1.2 2023/02/09 09:55:33 dtucker Exp $ # Placed in the Public Domain. tid="known hosts" @@ -15,3 +15,21 @@ ${SSH} -ohashknownhosts=yes -o stricthostkeychecking=no $opts somehost true \ trace "test hashed known hosts" ${SSH} $opts somehost true || fail "reconnect with hashed known hosts" + +trace "no newline at end of known_hosts" +printf "something" >$OBJ/known_hosts +${SSH} $opts -ostricthostkeychecking=no somehost true \ + || fail "hostkey update, missing newline, no strict" +${SSH} $opts -ostricthostkeychecking=yes somehost true \ + || fail "reconnect after adding with missing newline" + +trace "newline at end of known_hosts" +printf "something\n" >$OBJ/known_hosts +${SSH} $opts -ostricthostkeychecking=no somehost true \ + || fail "hostkey update, newline, no strict" +${SSH} $opts -ostricthostkeychecking=yes somehost true \ + || fail "reconnect after adding without missing newline" +lines=`wc -l <$OBJ/known_hosts` +if [ $lines -ne 2 ]; then + fail "expected 2 lines in known_hosts, found $lines" +fi diff --git a/regress/multiplex.sh b/regress/multiplex.sh index f9c8fc10bd14..8282d0d940f5 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.35 2023/01/13 04:47:34 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.36 2023/03/01 09:29:32 dtucker Exp $ # Placed in the Public Domain. make_tmpdir @@ -87,7 +87,7 @@ cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" rm -f ${COPY} verbose "test $tid: forward" trace "forward over TCP/IP and check result" -$NC -N -l 127.0.0.1 $((${PORT} + 1)) < ${DATA} > /dev/null & +$NC -N -l 127.0.0.1 $((${PORT} + 1)) < ${DATA} >`ssh_logfile nc` & netcat_pid=$! ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L127.0.0.1:$((${PORT} + 2)):127.0.0.1:$((${PORT} + 1)) otherhost >>$TEST_SSH_LOGFILE 2>&1 sleep 1 # XXX remove once race fixed diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh deleted file mode 100644 index 4b3c91137990..000000000000 --- a/regress/sshd-log-wrapper.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -# $OpenBSD: sshd-log-wrapper.sh,v 1.5 2022/01/04 08:38:53 dtucker Exp $ -# Placed in the Public Domain. -# -# simple wrapper for sshd proxy mode to catch stderr output -# sh sshd-log-wrapper.sh /path/to/logfile /path/to/sshd [args...] - -log=$1 -shift - -echo "Executing: $@" >>$log -exec "$@" -E$log diff --git a/regress/test-exec.sh b/regress/test-exec.sh index df43f021404f..eaa12992d18f 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.94 2023/01/13 04:47:34 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.98 2023/03/02 11:10:27 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -102,7 +102,8 @@ CONCH=conch # Tools used by multiple tests NC=$OBJ/netcat -OPENSSL_BIN="${OPENSSL_BIN:-openssl}" +# Always use the one configure tells us to, even if that's empty. +#OPENSSL_BIN="${OPENSSL_BIN:-openssl}" if [ "x$TEST_SSH_SSH" != "x" ]; then SSH="${TEST_SSH_SSH}" @@ -239,7 +240,13 @@ fi # Logfiles. # SSH_LOGFILE should be the debug output of ssh(1) only # SSHD_LOGFILE should be the debug output of sshd(8) only -# REGRESS_LOGFILE is the output of the test itself stdout and stderr +# REGRESS_LOGFILE is the log of progress of the regress test itself. +# TEST_SSH_LOGDIR will contain datestamped logs of all binaries run in +# chronological order. +if [ "x$TEST_SSH_LOGDIR" = "x" ]; then + TEST_SSH_LOGDIR=$OBJ/log + mkdir -p $TEST_SSH_LOGDIR +fi if [ "x$TEST_SSH_LOGFILE" = "x" ]; then TEST_SSH_LOGFILE=$OBJ/ssh.log fi @@ -275,20 +282,28 @@ if [ "x$TEST_REGRESS_CACHE_DIR" != "x" ]; then fi # truncate logfiles ->$TEST_SSH_LOGFILE ->$TEST_SSHD_LOGFILE >$TEST_REGRESS_LOGFILE -# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." -# because sftp and scp don't handle spaces in arguments. scp and sftp like -# to use -q so we remove those to preserve our debug logging. In the rare -# instance where -q is desirable -qq is equivalent and is not removed. +# Create ssh and sshd wrappers with logging. These create a datestamped +# unique file for every invocation so that we can retain all logs from a +# given test no matter how many times it's invoked. It also leaves a +# symlink with the original name for tests (and people) who look for that. + +# For ssh, e can't just specify "SSH=ssh -E..." because sftp and scp don't +# handle spaces in arguments. scp and sftp like to use -q so we remove those +# to preserve our debug logging. In the rare instance where -q is desirable +# -qq is equivalent and is not removed. SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh cat >$SSHLOGWRAP <>${TEST_SSH_LOGFILE} +timestamp="\`$OBJ/timestamp\`" +logfile="${TEST_SSH_LOGDIR}/\${timestamp}.ssh.\$\$.log" +echo "Executing: ${SSH} \$@" log \${logfile} >>$TEST_REGRESS_LOGFILE +echo "Executing: ${SSH} \$@" >>\${logfile} for i in "\$@";do shift;case "\$i" in -q):;; *) set -- "\$@" "\$i";;esac;done -exec ${SSH} -E${TEST_SSH_LOGFILE} "\$@" +rm -f $TEST_SSH_LOGFILE +ln -f -s \${logfile} $TEST_SSH_LOGFILE +exec ${SSH} -E\${logfile} "\$@" EOD chmod a+rx $OBJ/ssh-log-wrapper.sh @@ -296,6 +311,28 @@ REAL_SSH="$SSH" REAL_SSHD="$SSHD" SSH="$SSHLOGWRAP" +SSHDLOGWRAP=$OBJ/sshd-log-wrapper.sh +cat >$SSHDLOGWRAP <>$TEST_REGRESS_LOGFILE +echo "Executing: ${SSHD} \$@" >>\${logfile} +exec ${SSHD} -E\${logfile} "\$@" +EOD +chmod a+rx $OBJ/sshd-log-wrapper.sh + +ssh_logfile () +{ + tool="$1" + timestamp="`$OBJ/timestamp`" + logfile="${TEST_SSH_LOGDIR}/${timestamp}.$tool.$$.log" + echo "Logging $tool to log \${logfile}" >>$TEST_REGRESS_LOGFILE + echo $logfile +} + # Some test data. We make a copy because some tests will overwrite it. # The tests may assume that $DATA exists and is writable and $COPY does # not exist. Tests requiring larger data files can call increase_datafile_size @@ -450,19 +487,37 @@ cleanup () start_debug_log () { - echo "trace: $@" >$TEST_REGRESS_LOGFILE - echo "trace: $@" >$TEST_SSH_LOGFILE - echo "trace: $@" >$TEST_SSHD_LOGFILE + echo "trace: $@" >>$TEST_REGRESS_LOGFILE + if [ -d "$TEST_SSH_LOGDIR" ]; then + rm -f $TEST_SSH_LOGDIR/* + fi } save_debug_log () { + testname=`echo $tid | tr ' ' _` + tarname="$OBJ/failed-$testname-logs.tar" + echo $@ >>$TEST_REGRESS_LOGFILE echo $@ >>$TEST_SSH_LOGFILE echo $@ >>$TEST_SSHD_LOGFILE + echo "Saving debug logs to $tarname" >>$TEST_REGRESS_LOGFILE (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log + + # Save all logfiles in a tarball. + (cd $OBJ && + logfiles="" + for i in $TEST_REGRESS_LOGFILE $TEST_SSH_LOGFILE $TEST_SSHD_LOGFILE \ + $TEST_SSH_LOGDIR; do + if [ -e "`basename $i`" ]; then + logfiles="$logfiles `basename $i`" + else + logfiles="$logfiles $i" + fi + done + tar cf "$tarname" $logfiles) } trace () @@ -724,7 +779,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then echo "HostName=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy - echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy PUTTYDIR=${OBJ}/.putty @@ -734,7 +789,7 @@ fi # create a proxy version of the client config ( cat $OBJ/ssh_config - echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy + echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy ) > $OBJ/ssh_proxy # check proxy config @@ -743,6 +798,7 @@ ${SSHD} -t -f $OBJ/sshd_proxy || fatal "sshd_proxy broken" start_sshd () { # start sshd + logfile="${TEST_SSH_LOGDIR}/sshd.`$OBJ/timestamp`.$$.log" $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" $SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" \ ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE diff --git a/regress/timestamp.c b/regress/timestamp.c new file mode 100644 index 000000000000..77dae457b6ad --- /dev/null +++ b/regress/timestamp.c @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2023 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD: timestamp.c,v 1.1 2023/03/01 09:29:32 dtucker Exp $ */ + +/* + * Print a microsecond-granularity timestamp to stdout in an ISO8601-ish + * format, which we can then use as the first component of the log file + * so that they'll sort into chronological order. + */ + +#include + +#include +#include +#include + +int +main(void) +{ + struct timeval tv; + struct tm *tm; + char buf[1024]; + + if (gettimeofday(&tv, NULL) != 0) + exit(1); + if ((tm = localtime(&tv.tv_sec)) == NULL) + exit(2); + if (strftime(buf, sizeof buf, "%Y%m%dT%H%M%S", tm) <= 0) + exit(3); + printf("%s.%06d\n", buf, (int)tv.tv_usec); + exit(0); +} diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c index d6cf0f5da7d7..fa4192bb661c 100644 --- a/regress/unittests/kex/test_proposal.c +++ b/regress/unittests/kex/test_proposal.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */ +/* $OpenBSD: test_proposal.c,v 1.2 2023/03/06 12:15:47 dtucker Exp $ */ /* * Regress test KEX * @@ -18,21 +18,24 @@ #include "../test_helper/test_helper.h" +#include "cipher.h" #include "compat.h" #include "ssherr.h" #include "sshbuf.h" #include "kex.h" +#include "myproposal.h" #include "packet.h" #include "xmalloc.h" -void kex_proposal(void); +void kex_proposal_tests(void); +void kex_proposal_populate_tests(void); #define CURVE25519 "curve25519-sha256@libssh.org" #define DHGEX1 "diffie-hellman-group-exchange-sha1" #define DHGEX256 "diffie-hellman-group-exchange-sha256" #define KEXALGOS CURVE25519","DHGEX256","DHGEX1 void -kex_proposal(void) +kex_proposal_tests(void) { size_t i; struct ssh ssh; @@ -81,3 +84,41 @@ kex_proposal(void) } TEST_DONE(); } + +void +kex_proposal_populate_tests(void) +{ + char *prop[PROPOSAL_MAX], *kexalgs, *ciphers, *macs, *hkalgs; + const char *comp = compression_alg_list(0); + int i; + struct ssh ssh; + struct kex kex; + + kexalgs = kex_alg_list(','); + ciphers = cipher_alg_list(',', 0); + macs = mac_alg_list(','); + hkalgs = kex_alg_list(','); + + ssh.kex = &kex; + TEST_START("compat_kex_proposal_populate"); + for (i = 0; i <= 1; i++) { + kex.server = i; + for (ssh.compat = 0; ssh.compat < 0x40000000; ) { + kex_proposal_populate_entries(&ssh, prop, NULL, NULL, + NULL, NULL, NULL); + kex_proposal_free_entries(prop); + kex_proposal_populate_entries(&ssh, prop, kexalgs, + ciphers, macs, hkalgs, comp); + kex_proposal_free_entries(prop); + if (ssh.compat == 0) + ssh.compat = 1; + else + ssh.compat <<= 1; + } + } + + free(kexalgs); + free(ciphers); + free(macs); + free(hkalgs); +} diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c index 2a83dafbc3ae..d3044f033767 100644 --- a/regress/unittests/kex/tests.c +++ b/regress/unittests/kex/tests.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */ +/* $OpenBSD: tests.c,v 1.3 2023/03/06 12:15:47 dtucker Exp $ */ /* * Placed in the public domain */ @@ -6,11 +6,13 @@ #include "../test_helper/test_helper.h" void kex_tests(void); -void kex_proposal(void); +void kex_proposal_tests(void); +void kex_proposal_populate_tests(void); void tests(void) { kex_tests(); - kex_proposal(); + kex_proposal_tests(); + kex_proposal_populate_tests(); } diff --git a/regress/unittests/misc/test_ptimeout.c b/regress/unittests/misc/test_ptimeout.c index 7adc590e98d6..284f0a1eed00 100644 --- a/regress/unittests/misc/test_ptimeout.c +++ b/regress/unittests/misc/test_ptimeout.c @@ -5,9 +5,13 @@ * Placed in the public domain. */ +#include "includes.h" + #include #include -#include +#ifdef HAVE_STDINT_H +# include +#endif #include #include #include diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 4ab49eb6e4c3..23b40b643567 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2012 Will Drewry + * Copyright (c) 2015,2017,2019,2020,2023 Damien Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -48,6 +49,7 @@ #include #include +#include #include #include #include @@ -132,6 +134,71 @@ /* reload syscall number; all rules expect it in accumulator */ \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ offsetof(struct seccomp_data, nr)) +/* Deny unless syscall argument contains only values in mask */ +#define SC_DENY_UNLESS_ARG_MASK(_nr, _arg_nr, _arg_mask, _errno) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 8), \ + /* load, mask and test syscall argument, low word */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \ + BPF_STMT(BPF_ALU+BPF_AND+BPF_K, ~((_arg_mask) & 0xFFFFFFFF)), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 3), \ + /* load, mask and test syscall argument, high word */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \ + BPF_STMT(BPF_ALU+BPF_AND+BPF_K, \ + ~(((uint32_t)((uint64_t)(_arg_mask) >> 32)) & 0xFFFFFFFF)), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)), \ + /* reload syscall number; all rules expect it in accumulator */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, nr)) +#define SC_DENY_UNLESS_MASK(_nr, _arg_nr, _arg_val, _errno) \ +/* Special handling for futex(2) that combines a bitmap and operation number */ +#if defined(__NR_futex) || defined(__NR_futex_time64) +#define SC_FUTEX_MASK (FUTEX_PRIVATE_FLAG|FUTEX_CLOCK_REALTIME) +#define SC_ALLOW_FUTEX_OP(_nr, _op) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_nr), 0, 8), \ + /* load syscall argument, low word */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[1]) + ARG_LO_OFFSET), \ + /* mask off allowed bitmap values, low word */ \ + BPF_STMT(BPF_ALU+BPF_AND+BPF_K, ~(SC_FUTEX_MASK & 0xFFFFFFFF)), \ + /* test operation number, low word */ \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ((_op) & 0xFFFFFFFF), 0, 4), \ + /* load syscall argument, high word */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[1]) + ARG_HI_OFFSET), \ + /* mask off allowed bitmap values, high word */ \ + BPF_STMT(BPF_ALU+BPF_AND+BPF_K, \ + ~(((uint32_t)((uint64_t)SC_FUTEX_MASK >> 32)) & 0xFFFFFFFF)), \ + /* test operation number, high word */ \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \ + (((uint32_t)((uint64_t)(_op) >> 32)) & 0xFFFFFFFF), 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ + /* reload syscall number; all rules expect it in accumulator */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)) + +/* Use this for both __NR_futex and __NR_futex_time64 */ +# define SC_FUTEX(_nr) \ + SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT), \ + SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT_BITSET), \ + SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE), \ + SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE_BITSET), \ + SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_REQUEUE), \ + SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_CMP_REQUEUE) +#endif /* __NR_futex || __NR_futex_time64 */ + +#if defined(__NR_mmap) || defined(__NR_mmap2) +# ifdef MAP_FIXED_NOREPLACE +# define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE +# else +# define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED +# endif /* MAP_FIXED_NOREPLACE */ +/* Use this for both __NR_mmap and __NR_mmap2 variants */ +# define SC_MMAP(_nr) \ + SC_DENY_UNLESS_ARG_MASK(_nr, 3, SC_MMAP_FLAGS, EINVAL), \ + SC_ALLOW_ARG_MASK(_nr, 2, PROT_READ|PROT_WRITE|PROT_NONE) +#endif /* __NR_mmap || __NR_mmap2 */ /* Syscall filtering set for preauth. */ static const struct sock_filter preauth_insns[] = { @@ -211,10 +278,10 @@ static const struct sock_filter preauth_insns[] = { SC_ALLOW(__NR_exit_group), #endif #ifdef __NR_futex - SC_ALLOW(__NR_futex), + SC_FUTEX(__NR_futex), #endif #ifdef __NR_futex_time64 - SC_ALLOW(__NR_futex_time64), + SC_FUTEX(__NR_futex_time64), #endif #ifdef __NR_geteuid SC_ALLOW(__NR_geteuid), @@ -244,13 +311,29 @@ static const struct sock_filter preauth_insns[] = { SC_ALLOW(__NR_getuid32), #endif #ifdef __NR_madvise - SC_ALLOW(__NR_madvise), + SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL), +# ifdef MADV_FREE + SC_ALLOW_ARG(__NR_madvise, 2, MADV_FREE), +# endif +# ifdef MADV_DONTNEED + SC_ALLOW_ARG(__NR_madvise, 2, MADV_DONTNEED), +# endif +# ifdef MADV_DONTFORK + SC_ALLOW_ARG(__NR_madvise, 2, MADV_DONTFORK), +# endif +# ifdef MADV_DONTDUMP + SC_ALLOW_ARG(__NR_madvise, 2, MADV_DONTDUMP), +# endif +# ifdef MADV_WIPEONFORK + SC_ALLOW_ARG(__NR_madvise, 2, MADV_WIPEONFORK), +# endif + SC_DENY(__NR_madvise, EINVAL), #endif #ifdef __NR_mmap - SC_ALLOW_ARG_MASK(__NR_mmap, 2, PROT_READ|PROT_WRITE|PROT_NONE), + SC_MMAP(__NR_mmap), #endif #ifdef __NR_mmap2 - SC_ALLOW_ARG_MASK(__NR_mmap2, 2, PROT_READ|PROT_WRITE|PROT_NONE), + SC_MMAP(__NR_mmap2), #endif #ifdef __NR_mprotect SC_ALLOW_ARG_MASK(__NR_mprotect, 2, PROT_READ|PROT_WRITE|PROT_NONE), diff --git a/scp.c b/scp.c index 1adff5cec222..a893d4a285e9 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.252 2023/01/10 23:22:15 millert Exp $ */ +/* $OpenBSD: scp.c,v 1.253 2023/03/03 03:12:24 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -394,8 +394,10 @@ do_cmd2(char *host, char *remuser, int port, char *cmd, /* Fork a child to execute the command on the remote host using ssh. */ pid = fork(); if (pid == 0) { - dup2(fdin, 0); - dup2(fdout, 1); + if (dup2(fdin, 0) == -1) + perror("dup2"); + if (dup2(fdout, 1) == -1) + perror("dup2"); replacearg(&args, 0, "%s", ssh_program); if (port != -1) { diff --git a/servconf.c b/servconf.c index 2e039da8b95e..9d5b73ecfc0b 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.390 2023/01/17 09:44:48 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.392 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -54,7 +54,6 @@ #include "sshbuf.h" #include "misc.h" #include "servconf.h" -#include "compat.h" #include "pathnames.h" #include "cipher.h" #include "sshkey.h" @@ -2917,8 +2916,16 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) { u_int i; - if (count <= 0 && code != sAuthenticationMethods) - return; + switch (code) { + case sAuthenticationMethods: + case sChannelTimeout: + break; + default: + if (count <= 0) + return; + break; + } + printf("%s", lookup_opcode_name(code)); for (i = 0; i < count; i++) printf(" %s", vals[i]); diff --git a/serverloop.c b/serverloop.c index 6db0916d8220..de5fa2e3c2e8 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.234 2023/01/17 09:44:48 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.236 2023/03/08 04:43:12 guenther Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -69,7 +69,6 @@ #include "canohost.h" #include "sshpty.h" #include "channels.h" -#include "compat.h" #include "ssh2.h" #include "sshkey.h" #include "cipher.h" @@ -113,14 +112,12 @@ bind_permitted(int port, uid_t uid) return 1; } -/*ARGSUSED*/ static void sigchld_handler(int sig) { child_terminated = 1; } -/*ARGSUSED*/ static void sigterm_handler(int sig) { diff --git a/session.c b/session.c index f30d7ac519ac..89dcfdab628c 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.333 2023/01/06 02:42:34 djm Exp $ */ +/* $OpenBSD: session.c,v 1.335 2023/03/07 06:09:14 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -72,7 +72,6 @@ #include "ssherr.h" #include "match.h" #include "uidswap.h" -#include "compat.h" #include "channels.h" #include "sshkey.h" #include "cipher.h" @@ -1159,6 +1158,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) } *value++ = '\0'; child_set_env(&env, &envsize, cp, value); + free(cp); } /* SSH_CLIENT deprecated */ diff --git a/sftp-client.c b/sftp-client.c index e01464818064..87b4d142aa74 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.168 2023/01/11 05:39:38 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.169 2023/03/08 04:43:12 guenther Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -149,7 +149,6 @@ request_find(struct requests *requests, u_int id) return req; } -/* ARGSUSED */ static int sftpio(void *_bwlimit, size_t amount) { diff --git a/sftp-server.c b/sftp-server.c index fe61a35159b3..49ca1ca9f700 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.145 2022/11/09 09:04:12 dtucker Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.146 2023/03/07 05:37:26 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -819,7 +819,7 @@ process_read(u_int32_t id) } if (len > buflen) { debug3_f("allocate %zu => %u", buflen, len); - if ((buf = realloc(NULL, len)) == NULL) + if ((buf = realloc(buf, len)) == NULL) fatal_f("realloc failed"); buflen = len; } diff --git a/sftp.c b/sftp.c index b3616c15cd09..29081db3d434 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.225 2023/01/05 05:49:13 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.229 2023/03/12 09:41:18 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -217,7 +217,6 @@ static const struct CMD cmds[] = { { NULL, -1, -1, -1 } }; -/* ARGSUSED */ static void killchild(int signo) { @@ -232,7 +231,6 @@ killchild(int signo) _exit(1); } -/* ARGSUSED */ static void suspchild(int signo) { @@ -244,7 +242,6 @@ suspchild(int signo) kill(getpid(), SIGSTOP); } -/* ARGSUSED */ static void cmd_interrupt(int signo) { @@ -256,14 +253,12 @@ cmd_interrupt(int signo) errno = olderrno; } -/* ARGSUSED */ static void read_interrupt(int signo) { interrupted = 1; } -/*ARGSUSED*/ static void sigchld_handler(int sig) { @@ -1012,7 +1007,7 @@ do_globbed_ls(struct sftp_conn *conn, const char *path, */ for (nentries = 0; g.gl_pathv[nentries] != NULL; nentries++) ; /* count entries */ - indices = calloc(nentries, sizeof(*indices)); + indices = xcalloc(nentries, sizeof(*indices)); for (i = 0; i < nentries; i++) indices[i] = i; @@ -1030,6 +1025,7 @@ do_globbed_ls(struct sftp_conn *conn, const char *path, if (lflag & LS_LONG_VIEW) { if (g.gl_statv[i] == NULL) { error("no stat information for %s", fname); + free(fname); continue; } lname = ls_file(fname, g.gl_statv[i], 1, @@ -2001,7 +1997,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, memset(&g, 0, sizeof(g)); if (remote != LOCAL) { - tmp = make_absolute_pwd_glob(tmp, remote_path); + tmp2 = make_absolute_pwd_glob(tmp, remote_path); + free(tmp); + tmp = tmp2; remote_glob(conn, tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); } else glob(tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); diff --git a/ssh-add.c b/ssh-add.c index 777f21e26b01..752b86dfcd8e 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.166 2022/06/18 02:17:16 dtucker Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.167 2023/03/08 00:05:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -477,6 +477,7 @@ test_key(int agent_fd, const char *filename) { struct sshkey *key = NULL; u_char *sig = NULL; + const char *alg = NULL; size_t slen = 0; int r, ret = -1; char data[1024]; @@ -485,14 +486,16 @@ test_key(int agent_fd, const char *filename) error_r(r, "Couldn't read public key %s", filename); return -1; } + if (sshkey_type_plain(key->type) == KEY_RSA) + alg = "rsa-sha2-256"; arc4random_buf(data, sizeof(data)); if ((r = ssh_agent_sign(agent_fd, key, &sig, &slen, data, sizeof(data), - NULL, 0)) != 0) { + alg, 0)) != 0) { error_r(r, "Agent signature failed for %s", filename); goto done; } if ((r = sshkey_verify(key, sig, slen, data, sizeof(data), - NULL, 0, NULL)) != 0) { + alg, 0, NULL)) != 0) { error_r(r, "Signature verification failed for %s", filename); goto done; } diff --git a/ssh-agent.c b/ssh-agent.c index 63e1137bca64..618bb198190e 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.294 2022/12/04 11:03:11 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.297 2023/03/09 21:06:24 jcs Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -80,7 +80,6 @@ #include "sshbuf.h" #include "sshkey.h" #include "authfd.h" -#include "compat.h" #include "log.h" #include "misc.h" #include "digest.h" @@ -1024,8 +1023,8 @@ parse_dest_constraint(struct sshbuf *m, struct dest_constraint *dc) error_fr(r, "parse"); goto out; } - if ((r = parse_dest_constraint_hop(frombuf, &dc->from) != 0) || - (r = parse_dest_constraint_hop(tobuf, &dc->to) != 0)) + if ((r = parse_dest_constraint_hop(frombuf, &dc->from)) != 0 || + (r = parse_dest_constraint_hop(tobuf, &dc->to)) != 0) goto out; /* already logged */ if (elen != 0) { error_f("unsupported extensions (len %zu)", elen); @@ -1961,7 +1960,6 @@ cleanup_exit(int i) _exit(i); } -/*ARGSUSED*/ static void cleanup_handler(int sig) { diff --git a/ssh-dss.c b/ssh-dss.c index 2ea0c0a55760..3174ef146dc3 100644 --- a/ssh-dss.c +++ b/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.48 2022/10/28 00:44:44 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.49 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -37,7 +37,6 @@ #include #include "sshbuf.h" -#include "compat.h" #include "ssherr.h" #include "digest.h" #define SSHKEY_INTERNAL diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c index 729e5487c9f5..5dcd3c13d345 100644 --- a/ssh-ecdsa-sk.c +++ b/ssh-ecdsa-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa-sk.c,v 1.17 2022/10/28 00:44:44 djm Exp $ */ +/* $OpenBSD: ssh-ecdsa-sk.c,v 1.18 2023/03/08 04:43:12 guenther Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -230,7 +230,6 @@ webauthn_check_prepare_hash(const u_char *data, size_t datalen, return r; } -/* ARGSUSED */ static int ssh_ecdsa_sk_verify(const struct sshkey *key, const u_char *sig, size_t siglen, diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 4bcb89baf517..341c32409bce 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.25 2022/10/28 00:44:44 djm Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.26 2023/03/08 04:43:12 guenther Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -222,7 +222,6 @@ ssh_ecdsa_deserialize_private(const char *ktype, struct sshbuf *b, return r; } -/* ARGSUSED */ static int ssh_ecdsa_sign(struct sshkey *key, u_char **sigp, size_t *lenp, @@ -288,7 +287,6 @@ ssh_ecdsa_sign(struct sshkey *key, return ret; } -/* ARGSUSED */ static int ssh_ecdsa_verify(const struct sshkey *key, const u_char *sig, size_t siglen, diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 4b2e356bbe00..86cb91b204dd 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -278,6 +278,14 @@ DESCRIPTION suffixed with a Z character, which causes them to be interpreted in the UTC time zone. + When generating SSHFP DNS records from public keys using the -r + flag, the following options are accepted: + + hashalg=algorithm + Selects a hash algorithm to use when printing SSHFP + records using the -D flag. Valid algorithms are M-bM-^@M-^\sha1M-bM-^@M-^] + and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is to print both. + The -O option may be specified multiple times. -P passphrase @@ -899,4 +907,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 September 10, 2022 OpenBSD 7.2 +OpenBSD 7.2 February 10, 2023 OpenBSD 7.2 diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 8b1f617d2377..1be08228237d 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.226 2022/09/10 08:50:53 jsg Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.228 2023/02/10 06:40:48 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 10 2022 $ +.Dd $Mdocdate: February 10 2023 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -518,6 +518,21 @@ suffixed with a Z character, which causes them to be interpreted in the UTC time zone. .El .Pp +When generating SSHFP DNS records from public keys using the +.Fl r +flag, the following options are accepted: +.Bl -tag -width Ds +.It Cm hashalg Ns = Ns Ar algorithm +Selects a hash algorithm to use when printing SSHFP records using the +.Fl D +flag. +Valid algorithms are +.Dq sha1 +and +.Dq sha256 . +The default is to print both. +.El +.Pp The .Fl O option may be specified multiple times. diff --git a/ssh-keygen.c b/ssh-keygen.c index ae05440f68bf..2c0c9cd35ae2 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.461 2022/12/04 23:50:49 cheloha Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.466 2023/03/08 00:05:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -476,6 +476,7 @@ do_convert_private_ssh2(struct sshbuf *b) { struct sshkey *key = NULL; char *type, *cipher; + const char *alg = NULL; u_char e1, e2, e3, *sig = NULL, data[] = "abcde12345"; int r, rlen, ktype; u_int magic, i1, i2, i3, i4; @@ -584,6 +585,7 @@ do_convert_private_ssh2(struct sshbuf *b) if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0) fatal_fr(r, "generate RSA parameters"); BN_clear_free(rsa_iqmp); + alg = "rsa-sha2-256"; break; } rlen = sshbuf_len(b); @@ -592,10 +594,10 @@ do_convert_private_ssh2(struct sshbuf *b) /* try the key */ if ((r = sshkey_sign(key, &sig, &slen, data, sizeof(data), - NULL, NULL, NULL, 0)) != 0) + alg, NULL, NULL, 0)) != 0) error_fr(r, "signing with converted key failed"); else if ((r = sshkey_verify(key, sig, slen, data, sizeof(data), - NULL, 0, NULL)) != 0) + alg, 0, NULL)) != 0) error_fr(r, "verification with converted key failed"); if (r != 0) { sshkey_free(key); @@ -1337,7 +1339,7 @@ do_known_hosts(struct passwd *pw, const char *name, int find_host, unlink(tmp); fatal("fdopen: %s", strerror(oerrno)); } - fchmod(fd, sb.st_mode & 0644); + (void)fchmod(fd, sb.st_mode & 0644); inplace = 1; } /* XXX support identity_file == "-" for stdin */ @@ -1479,13 +1481,23 @@ do_change_passphrase(struct passwd *pw) */ static int do_print_resource_record(struct passwd *pw, char *fname, char *hname, - int print_generic) + int print_generic, char * const *opts, size_t nopts) { struct sshkey *public; char *comment = NULL; struct stat st; - int r; + int r, hash = -1; + size_t i; + for (i = 0; i < nopts; i++) { + if (strncasecmp(opts[i], "hashalg=", 8) == 0) { + if ((hash = ssh_digest_alg_by_name(opts[i] + 8)) == -1) + fatal("Unsupported hash algorithm"); + } else { + error("Invalid option \"%s\"", opts[i]); + return SSH_ERR_INVALID_ARGUMENT; + } + } if (fname == NULL) fatal_f("no filename"); if (stat(fname, &st) == -1) { @@ -1495,7 +1507,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname, } if ((r = sshkey_load_public(fname, &public, &comment)) != 0) fatal_r(r, "Failed to read v2 public key from \"%s\"", fname); - export_dns_rr(hname, public, stdout, print_generic); + export_dns_rr(hname, public, stdout, print_generic, hash); sshkey_free(public); free(comment); return 1; @@ -3005,6 +3017,7 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts) } else if (strncmp(opts[i], "start-line=", 11) == 0) { start_lineno = strtoul(opts[i]+11, NULL, 10); } else if (strncmp(opts[i], "checkpoint=", 11) == 0) { + free(checkpoint); checkpoint = xstrdup(opts[i]+11); } else if (strncmp(opts[i], "generator=", 10) == 0) { generator_wanted = (u_int32_t)strtonum( @@ -3043,6 +3056,9 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts) generator_wanted, checkpoint, start_lineno, lines_to_process) != 0) fatal("modulus screening failed"); + if (in != stdin) + (void)fclose(in); + free(checkpoint); #else /* WITH_OPENSSL */ fatal("Moduli screening is not supported"); #endif /* WITH_OPENSSL */ @@ -3725,7 +3741,7 @@ main(int argc, char **argv) if (have_identity) { n = do_print_resource_record(pw, identity_file, - rr_hostname, print_generic); + rr_hostname, print_generic, opts, nopts); if (n == 0) fatal("%s: %s", identity_file, strerror(errno)); exit(0); @@ -3733,19 +3749,19 @@ main(int argc, char **argv) n += do_print_resource_record(pw, _PATH_HOST_RSA_KEY_FILE, rr_hostname, - print_generic); + print_generic, opts, nopts); n += do_print_resource_record(pw, _PATH_HOST_DSA_KEY_FILE, rr_hostname, - print_generic); + print_generic, opts, nopts); n += do_print_resource_record(pw, _PATH_HOST_ECDSA_KEY_FILE, rr_hostname, - print_generic); + print_generic, opts, nopts); n += do_print_resource_record(pw, _PATH_HOST_ED25519_KEY_FILE, rr_hostname, - print_generic); + print_generic, opts, nopts); n += do_print_resource_record(pw, _PATH_HOST_XMSS_KEY_FILE, rr_hostname, - print_generic); + print_generic, opts, nopts); if (n == 0) fatal("no keys found."); exit(0); diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index b0c6814c4d1d..b95235eee86a 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 @@ -4,8 +4,8 @@ NAME ssh-keyscan M-bM-^@M-^S gather SSH public keys from servers SYNOPSIS - ssh-keyscan [-46cDHv] [-f file] [-p port] [-T timeout] [-t type] - [host | addrlist namelist] + ssh-keyscan [-46cDHv] [-f file] [-O option] [-p port] [-T timeout] + [-t type] [host | addrlist namelist] DESCRIPTION ssh-keyscan is a utility for gathering the public SSH host keys of a @@ -54,6 +54,15 @@ DESCRIPTION be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. + -O option + Specify a key/value option. At present, only a single option is + supported: + + hashalg=algorithm + Selects a hash algorithm to use when printing SSHFP + records using the -D flag. Valid algorithms are M-bM-^@M-^\sha1M-bM-^@M-^] + and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is to print both. + -p port Connect to port on the remote host. @@ -109,4 +118,4 @@ AUTHORS Davison added support for protocol version 2. -OpenBSD 7.2 October 28, 2022 OpenBSD 7.2 +OpenBSD 7.2 February 10, 2023 OpenBSD 7.2 diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index ca4feea2a9e0..aa6d34f63dc3 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.47 2022/10/28 02:29:34 djm Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.49 2023/02/10 06:41:53 jmc Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: October 28 2022 $ +.Dd $Mdocdate: February 10 2023 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -16,6 +16,7 @@ .Nm ssh-keyscan .Op Fl 46cDHv .Op Fl f Ar file +.Op Fl O Ar option .Op Fl p Ar port .Op Fl T Ar timeout .Op Fl t Ar type @@ -97,6 +98,20 @@ and .Xr sshd 8 , but they do not reveal identifying information should the file's contents be disclosed. +.It Fl O Ar option +Specify a key/value option. +At present, only a single option is supported: +.Bl -tag -width Ds +.It Cm hashalg Ns = Ns Ar algorithm +Selects a hash algorithm to use when printing SSHFP records using the +.Fl D +flag. +Valid algorithms are +.Dq sha1 +and +.Dq sha256 . +The default is to print both. +.El .It Fl p Ar port Connect to .Ar port diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 1318c2fa6fb7..3f3092e63d29 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.149 2022/12/26 19:16:03 jmc Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.151 2023/02/10 06:41:53 jmc Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -40,6 +40,7 @@ #include "sshbuf.h" #include "sshkey.h" #include "cipher.h" +#include "digest.h" #include "kex.h" #include "compat.h" #include "myproposal.h" @@ -80,6 +81,8 @@ int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */ int found_one = 0; /* Successfully found a key */ +int hashalg = -1; /* Hash for SSHFP records or -1 for all */ + #define MAXMAXFD 256 /* The number of seconds after which to give up on a TCP connection */ @@ -314,7 +317,7 @@ keyprint_one(const char *host, struct sshkey *key) found_one = 1; if (print_sshfp) { - export_dns_rr(host, key, stdout, 0); + export_dns_rr(host, key, stdout, 0, hashalg); return; } @@ -698,9 +701,8 @@ static void usage(void) { fprintf(stderr, - "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n" - "\t\t [host | addrlist namelist]\n", - __progname); + "usage: ssh-keyscan [-46cDHv] [-f file] [-O option] [-p port] [-T timeout]\n" + " [-t type] [host | addrlist namelist]\n"); exit(1); } @@ -726,7 +728,7 @@ main(int argc, char **argv) if (argc <= 1) usage(); - while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) { + while ((opt = getopt(argc, argv, "cDHv46O:p:T:t:f:")) != -1) { switch (opt) { case 'H': hash_hosts = 1; @@ -766,6 +768,14 @@ main(int argc, char **argv) optarg = NULL; argv[fopt_count++] = optarg; break; + case 'O': + /* Maybe other misc options in the future too */ + if (strncmp(optarg, "hashalg=", 8) != 0) + fatal("Unsupported -O option"); + if ((hashalg = ssh_digest_alg_by_name( + optarg + 8)) == -1) + fatal("Unsupported hash algorithm"); + break; case 't': get_keytypes = 0; tname = strtok(optarg, ","); diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index b2e2b32a5078..6be647ec443c 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.55 2021/11/18 21:11:01 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.56 2023/03/08 05:33:53 tb Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2014 Pedro Martelletto. All rights reserved. @@ -523,7 +523,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, BIGNUM *r = NULL, *s = NULL; if ((k11 = EC_KEY_get_ex_data(ec, ec_key_idx)) == NULL) { - ossl_error("EC_KEY_get_key_method_data failed for ec"); + ossl_error("EC_KEY_get_ex_data failed for ec"); return (NULL); } @@ -545,7 +545,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, goto done; } if (siglen < 64 || siglen > 132 || siglen % 2) { - ossl_error("d2i_ECDSA_SIG failed"); + error_f("bad signature length: %lu", (u_long)siglen); goto done; } bnlen = siglen/2; @@ -555,7 +555,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, } if ((r = BN_bin2bn(sig, bnlen, NULL)) == NULL || (s = BN_bin2bn(sig+bnlen, bnlen, NULL)) == NULL) { - ossl_error("d2i_ECDSA_SIG failed"); + ossl_error("BN_bin2bn failed"); ECDSA_SIG_free(ret); ret = NULL; goto done; diff --git a/ssh-rsa.c b/ssh-rsa.c index 6516ddc13acd..be8f51e7576b 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.78 2022/10/28 02:47:04 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.79 2023/03/05 05:34:09 dtucker Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -28,7 +28,6 @@ #include #include "sshbuf.h" -#include "compat.h" #include "ssherr.h" #define SSHKEY_INTERNAL #include "sshkey.h" diff --git a/ssh.c b/ssh.c index 87454b84a95f..918389bccba2 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.584 2023/01/17 18:52:44 millert Exp $ */ +/* $OpenBSD: ssh.c,v 1.585 2023/02/10 04:40:28 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -794,6 +794,7 @@ main(int ac, char **av) else if (strcmp(optarg, "key-plain") == 0) cp = sshkey_alg_list(0, 1, 0, '\n'); else if (strcmp(optarg, "key-sig") == 0 || + strcasecmp(optarg, "CASignatureAlgorithms") == 0 || strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */ strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 || strcasecmp(optarg, "HostKeyAlgorithms") == 0 || diff --git a/ssh_config.0 b/ssh_config.0 index 4960dad46322..9bf5bd00da3a 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -11,12 +11,12 @@ DESCRIPTION 2. user's configuration file (~/.ssh/config) 3. system-wide configuration file (/etc/ssh/ssh_config) - For each parameter, the first obtained value will be used. The - configuration files contain sections separated by Host specifications, - and that section is only applied for hosts that match one of the patterns - given in the specification. The matched host name is usually the one - given on the command line (see the CanonicalizeHostname option for - exceptions). + Unless noted otherwise, for each parameter, the first obtained value will + be used. The configuration files contain sections separated by Host + specifications, and that section is only applied for hosts that match one + of the patterns given in the specification. The matched host name is + usually the one given on the command line (see the CanonicalizeHostname + option for exceptions). Since the first obtained value for each parameter is used, more host- specific declarations should be given near the beginning of the file, and @@ -1323,4 +1323,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.2 January 13, 2023 OpenBSD 7.2 +OpenBSD 7.2 March 10, 2023 OpenBSD 7.2 diff --git a/ssh_config.5 b/ssh_config.5 index 9eb6b97794a6..c56b9d7be670 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.378 2023/01/13 07:13:40 jmc Exp $ -.Dd $Mdocdate: January 13 2023 $ +.\" $OpenBSD: ssh_config.5,v 1.379 2023/03/10 02:32:04 djm Exp $ +.Dd $Mdocdate: March 10 2023 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -56,7 +56,7 @@ system-wide configuration file .Pq Pa /etc/ssh/ssh_config .El .Pp -For each parameter, the first obtained value +Unless noted otherwise, for each parameter, the first obtained value will be used. The configuration files contain sections separated by .Cm Host diff --git a/sshconnect.c b/sshconnect.c index 792bc34bcb92..e6012f01e4d9 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.363 2023/03/10 07:17:08 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -54,7 +54,6 @@ #include "ssh.h" #include "sshbuf.h" #include "packet.h" -#include "compat.h" #include "sshkey.h" #include "sshconnect.h" #include "log.h" @@ -364,7 +363,7 @@ ssh_create_socket(struct addrinfo *ai) error("socket: %s", strerror(errno)); return -1; } - fcntl(sock, F_SETFD, FD_CLOEXEC); + (void)fcntl(sock, F_SETFD, FD_CLOEXEC); /* Use interactive QOS (if specified) until authentication completed */ if (options.ip_qos_interactive != INT_MAX) diff --git a/sshconnect2.c b/sshconnect2.c index 58fe98db2200..bc05f02142fd 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.361 2022/09/17 10:33:18 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.366 2023/03/09 07:11:05 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -56,7 +56,6 @@ #include "cipher.h" #include "sshkey.h" #include "kex.h" -#include "myproposal.h" #include "sshconnect.h" #include "authfile.h" #include "dh.h" @@ -221,15 +220,18 @@ void ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, const struct ssh_conn_info *cinfo) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; - char *s, *all_key; - char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; + char *myproposal[PROPOSAL_MAX]; + char *s, *all_key, *hkalgs = NULL; int r, use_known_hosts_order = 0; xxx_host = host; xxx_hostaddr = hostaddr; xxx_conn_info = cinfo; + if (options.rekey_limit || options.rekey_interval) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); + /* * If the user has not specified HostkeyAlgorithms, or has only * appended or removed algorithms from that list then prefer algorithms @@ -249,29 +251,15 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) fatal_f("kex_names_cat"); - myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = - compat_cipher_proposal(ssh, options.ciphers); - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = - (char *)compression_alg_list(options.compression); - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - if (use_known_hosts_order) { - /* Query known_hosts and prefer algorithms that appear there */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = - compat_pkalg_proposal(ssh, - order_hostkeyalgs(host, hostaddr, port, cinfo)); - } else { - /* Use specified HostkeyAlgorithms exactly */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = - compat_pkalg_proposal(ssh, options.hostkeyalgorithms); - } - if (options.rekey_limit || options.rekey_interval) - ssh_packet_set_rekey_limits(ssh, options.rekey_limit, - options.rekey_interval); + if (use_known_hosts_order) + hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo); + + kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, + options.macs, compression_alg_list(options.compression), + hkalgs ? hkalgs : options.hostkeyalgorithms); + + free(hkalgs); /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) @@ -295,6 +283,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); /* remove ext-info from the KEX proposals for rekeying */ + free(myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, options.kex_algorithms); if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) @@ -308,10 +297,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, (r = ssh_packet_write_wait(ssh)) != 0) fatal_fr(r, "send packet"); #endif - /* Free only parts of proposal that were dynamically allocated here. */ - free(prop_kex); - free(prop_enc); - free(prop_hostkey); + kex_proposal_free_entries(myproposal); } /* @@ -506,7 +492,6 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, } } -/* ARGSUSED */ static int input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) { @@ -538,7 +523,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) { @@ -583,7 +567,6 @@ userauth(struct ssh *ssh, char *authlist) } } -/* ARGSUSED */ static int input_userauth_error(int type, u_int32_t seq, struct ssh *ssh) { @@ -591,7 +574,6 @@ input_userauth_error(int type, u_int32_t seq, struct ssh *ssh) return 0; } -/* ARGSUSED */ static int input_userauth_banner(int type, u_int32_t seq, struct ssh *ssh) { @@ -611,7 +593,6 @@ input_userauth_banner(int type, u_int32_t seq, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) { @@ -644,7 +625,6 @@ input_userauth_success_unexpected(int type, u_int32_t seq, struct ssh *ssh) } #endif -/* ARGSUSED */ static int input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh) { @@ -705,7 +685,6 @@ format_identity(Identity *id) return ret; } -/* ARGSUSED */ static int input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) { @@ -913,7 +892,6 @@ process_gssapi_token(struct ssh *ssh, gss_buffer_t recv_tok) return status; } -/* ARGSUSED */ static int input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) { @@ -958,7 +936,6 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) { @@ -991,7 +968,6 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh) { @@ -1026,7 +1002,6 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh) return 0; } -/* ARGSUSED */ static int input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) { @@ -1104,7 +1079,6 @@ userauth_passwd(struct ssh *ssh) /* * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST */ -/* ARGSUSED */ static int input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh) { @@ -1874,20 +1848,6 @@ pubkey_reset(Authctxt *authctxt) id->tried = 0; } -static int -try_identity(struct ssh *ssh, Identity *id) -{ - if (!id->key) - return (0); - if (sshkey_type_plain(id->key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - debug("Skipped %s key %s for RSA/MD5 server", - sshkey_type(id->key), id->filename); - return (0); - } - return 1; -} - static int userauth_pubkey(struct ssh *ssh) { @@ -1908,7 +1868,7 @@ userauth_pubkey(struct ssh *ssh) * private key instead */ if (id->key != NULL) { - if (try_identity(ssh, id)) { + if (id->key != NULL) { ident = format_identity(id); debug("Offering public key: %s", ident); free(ident); @@ -1918,7 +1878,7 @@ userauth_pubkey(struct ssh *ssh) debug("Trying private key: %s", id->filename); id->key = load_identity_file(id); if (id->key != NULL) { - if (try_identity(ssh, id)) { + if (id->key != NULL) { id->isprivate = 1; sent = sign_and_send_pubkey(ssh, id); } @@ -2089,7 +2049,8 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp, if (dup2(sock, STDERR_FILENO + 1) == -1) fatal_f("dup2: %s", strerror(errno)); sock = STDERR_FILENO + 1; - fcntl(sock, F_SETFD, 0); /* keep the socket on exec */ + if (fcntl(sock, F_SETFD, 0) == -1) /* keep the socket on exec */ + debug3_f("fcntl F_SETFD: %s", strerror(errno)); closefrom(sock + 1); debug3_f("[child] pid=%ld, exec %s", diff --git a/sshd.0 b/sshd.0 index cc72dd619aca..00d6081b824f 100644 --- a/sshd.0 +++ b/sshd.0 @@ -4,7 +4,7 @@ NAME sshd M-bM-^@M-^S OpenSSH daemon SYNOPSIS - sshd [-46DdeiqTtV] [-C connection_spec] [-c host_certificate_file] + sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_certificate_file] [-E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-o option] [-p port] [-u len] @@ -67,6 +67,12 @@ DESCRIPTION /etc/ssh/sshd_config. sshd refuses to start if there is no configuration file. + -G Parse and print configuration file. Check the validity of the + configuration file, output the effective configuration to stdout + and then exit. Optionally, Match rules may be applied by + specifying the connection parameters using one or more -C + options. + -g login_grace_time Gives the grace time for clients to authenticate themselves (default 120 seconds). If the client fails to authenticate the @@ -103,7 +109,9 @@ DESCRIPTION -T Extended test mode. Check the validity of the configuration file, output the effective configuration to stdout and then exit. Optionally, Match rules may be applied by specifying the - connection parameters using one or more -C options. + connection parameters using one or more -C options. This is + similar to the -G flag, but it includes the additional testing + performed by the -t flag. -t Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as @@ -675,4 +683,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.2 January 18, 2023 OpenBSD 7.2 +OpenBSD 7.2 February 10, 2023 OpenBSD 7.2 diff --git a/sshd.8 b/sshd.8 index bace97839b7a..9c8f2fcaa86a 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.322 2023/01/18 01:50:21 millert Exp $ -.Dd $Mdocdate: January 18 2023 $ +.\" $OpenBSD: sshd.8,v 1.324 2023/02/10 06:39:27 jmc Exp $ +.Dd $Mdocdate: February 10 2023 $ .Dt SSHD 8 .Os .Sh NAME @@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm sshd .Bk -words -.Op Fl 46DdeiqTtV +.Op Fl 46DdeGiqTtV .Op Fl C Ar connection_spec .Op Fl c Ar host_certificate_file .Op Fl E Ar log_file @@ -154,6 +154,15 @@ The default is .Pa /etc/ssh/sshd_config . .Nm refuses to start if there is no configuration file. +.It Fl G +Parse and print configuration file. +Check the validity of the configuration file, output the effective configuration +to stdout and then exit. +Optionally, +.Cm Match +rules may be applied by specifying the connection parameters using one or more +.Fl C +options. .It Fl g Ar login_grace_time Gives the grace time for clients to authenticate themselves (default 120 seconds). @@ -208,6 +217,11 @@ Optionally, rules may be applied by specifying the connection parameters using one or more .Fl C options. +This is similar to the +.Fl G +flag, but it includes the additional testing performed by the +.Fl t +flag. .It Fl t Test mode. Only check the validity of the configuration file and sanity of the keys. diff --git a/sshd.c b/sshd.c index 6321936c0208..264e81ac705b 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.596 2023/01/18 01:50:21 millert Exp $ */ +/* $OpenBSD: sshd.c,v 1.600 2023/03/08 04:43:12 guenther Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -104,7 +104,6 @@ #include "digest.h" #include "sshkey.h" #include "kex.h" -#include "myproposal.h" #include "authfile.h" #include "pathnames.h" #include "atomicio.h" @@ -295,7 +294,6 @@ close_startup_pipes(void) * the server key). */ -/*ARGSUSED*/ static void sighup_handler(int sig) { @@ -325,7 +323,6 @@ sighup_restart(void) /* * Generic signal handler for terminating signals in the master daemon. */ -/*ARGSUSED*/ static void sigterm_handler(int sig) { @@ -336,7 +333,6 @@ sigterm_handler(int sig) * SIGCHLD handler. This is called whenever a child dies. This will then * reap any zombies left by exited children. */ -/*ARGSUSED*/ static void main_sigchld_handler(int sig) { @@ -353,7 +349,6 @@ main_sigchld_handler(int sig) /* * Signal handler for the alarm after the login grace period has expired. */ -/*ARGSUSED*/ static void grace_alarm_handler(int sig) { @@ -901,7 +896,7 @@ usage(void) { fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSH_OPENSSL_VERSION); fprintf(stderr, -"usage: sshd [-46DdeiqTtV] [-C connection_spec] [-c host_cert_file]\n" +"usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]\n" " [-E log_file] [-f config_file] [-g login_grace_time]\n" " [-h host_key_file] [-o option] [-p port] [-u len]\n" ); @@ -1524,6 +1519,21 @@ prepare_proctitle(int ac, char **av) return ret; } +static void +print_config(struct ssh *ssh, struct connection_info *connection_info) +{ + /* + * If no connection info was provided by -C then use + * use a blank one that will cause no predicate to match. + */ + if (connection_info == NULL) + connection_info = get_connection_info(ssh, 0, 0); + connection_info->test = 1; + parse_server_match_config(&options, &includes, connection_info); + dump_config(&options); + exit(0); +} + /* * Main program for the daemon. */ @@ -1533,7 +1543,7 @@ main(int ac, char **av) struct ssh *ssh = NULL; extern char *optarg; extern int optind; - int r, opt, on = 1, already_daemon, remote_port; + int r, opt, on = 1, do_dump_cfg = 0, already_daemon, remote_port; int sock_in = -1, sock_out = -1, newsock = -1; const char *remote_ip, *rdomain; char *fp, *line, *laddr, *logfile = NULL; @@ -1581,7 +1591,7 @@ main(int ac, char **av) /* Parse command-line arguments. */ while ((opt = getopt(ac, av, - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrtV")) != -1) { + "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) { switch (opt) { case '4': options.address_family = AF_INET; @@ -1606,6 +1616,9 @@ main(int ac, char **av) case 'D': no_daemon_flag = 1; break; + case 'G': + do_dump_cfg = 1; + break; case 'E': logfile = optarg; /* FALLTHROUGH */ @@ -1693,7 +1706,7 @@ main(int ac, char **av) } if (rexeced_flag || inetd_flag) rexec_flag = 0; - if (!test_flag && rexec_flag && !path_absolute(av[0])) + if (!test_flag && !do_dump_cfg && rexec_flag && !path_absolute(av[0])) fatal("sshd re-exec requires execution with an absolute path"); if (rexeced_flag) closefrom(REEXEC_MIN_FREE_FD); @@ -1799,6 +1812,9 @@ main(int ac, char **av) debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION); + if (do_dump_cfg) + print_config(ssh, connection_info); + /* Store privilege separation user for later use if required. */ privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0); if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { @@ -1981,17 +1997,8 @@ main(int ac, char **av) "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); } - if (test_flag > 1) { - /* - * If no connection info was provided by -C then use - * use a blank one that will cause no predicate to match. - */ - if (connection_info == NULL) - connection_info = get_connection_info(ssh, 0, 0); - connection_info->test = 1; - parse_server_match_config(&options, &includes, connection_info); - dump_config(&options); - } + if (test_flag > 1) + print_config(ssh, connection_info); /* Configuration looks good, so exit if in test mode. */ if (test_flag) @@ -2105,17 +2112,21 @@ main(int ac, char **av) if (rexec_flag) { debug("rexec start in %d out %d newsock %d pipe %d sock %d", sock_in, sock_out, newsock, startup_pipe, config_s[0]); - dup2(newsock, STDIN_FILENO); - dup2(STDIN_FILENO, STDOUT_FILENO); + if (dup2(newsock, STDIN_FILENO) == -1) + debug3_f("dup2 stdin: %s", strerror(errno)); + if (dup2(STDIN_FILENO, STDOUT_FILENO) == -1) + debug3_f("dup2 stdout: %s", strerror(errno)); if (startup_pipe == -1) close(REEXEC_STARTUP_PIPE_FD); else if (startup_pipe != REEXEC_STARTUP_PIPE_FD) { - dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD); + if (dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD) == -1) + debug3_f("dup2 startup_p: %s", strerror(errno)); close(startup_pipe); startup_pipe = REEXEC_STARTUP_PIPE_FD; } - dup2(config_s[1], REEXEC_CONFIG_PASS_FD); + if (dup2(config_s[1], REEXEC_CONFIG_PASS_FD) == -1) + debug3_f("dup2 config_s: %s", strerror(errno)); close(config_s[1]); ssh_signal(SIGHUP, SIG_IGN); /* avoid reset to SIG_DFL */ @@ -2373,30 +2384,23 @@ sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey, static void do_ssh2_kex(struct ssh *ssh) { - char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + char *hkalgs = NULL, *myproposal[PROPOSAL_MAX]; + const char *compression = NULL; struct kex *kex; - char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; int r; - myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, - options.kex_algorithms); - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = - compat_cipher_proposal(ssh, options.ciphers); - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - - if (options.compression == COMP_NONE) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; - } - if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = - compat_pkalg_proposal(ssh, list_hostkey_types()); + if (options.compression == COMP_NONE) + compression = "none"; + hkalgs = list_hostkey_types(); + + kex_proposal_populate_entries(ssh, myproposal, options.kex_algorithms, + options.ciphers, options.macs, compression, hkalgs); + + free(hkalgs); /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) @@ -2431,9 +2435,7 @@ do_ssh2_kex(struct ssh *ssh) (r = ssh_packet_write_wait(ssh)) != 0) fatal_fr(r, "send test"); #endif - free(prop_kex); - free(prop_enc); - free(prop_hostkey); + kex_proposal_free_entries(myproposal); debug("KEX done"); } diff --git a/sshd_config.0 b/sshd_config.0 index b0bb6f92646f..b2003109309e 100644 --- a/sshd_config.0 +++ b/sshd_config.0 @@ -6,10 +6,10 @@ NAME DESCRIPTION sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file specified with -f on the command line). The file contains keyword- - argument pairs, one per line. For each keyword, the first obtained value - will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as - comments. Arguments may optionally be enclosed in double quotes (") in - order to represent arguments containing spaces. + argument pairs, one per line. Unless noted otherwise, for each keyword, + the first obtained value will be used. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty + lines are interpreted as comments. Arguments may optionally be enclosed + in double quotes (") in order to represent arguments containing spaces. The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): @@ -49,6 +49,8 @@ DESCRIPTION following order: DenyGroups, AllowGroups. See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. AllowStreamLocalForwarding Specifies whether StreamLocal (Unix-domain socket) forwarding is @@ -82,6 +84,8 @@ DESCRIPTION processed in the following order: DenyUsers, AllowUsers. See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. AuthenticationMethods Specifies the authentication methods that must be successfully @@ -377,6 +381,8 @@ DESCRIPTION order: DenyGroups, AllowGroups. See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. DenyUsers This keyword can be followed by a list of user name patterns, @@ -391,6 +397,8 @@ DESCRIPTION following order: DenyUsers, AllowUsers. See PATTERNS in ssh_config(5) for more information on patterns. + This keyword may appear multiple times in sshd_config with each + instance appending to the list. DisableForwarding Disables all forwarding features, including X11, ssh-agent(1), @@ -1275,4 +1283,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.2 January 18, 2023 OpenBSD 7.2 +OpenBSD 7.2 March 3, 2023 OpenBSD 7.2 diff --git a/sshd_config.5 b/sshd_config.5 index 7313a7f792b2..9a1578f75e86 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.347 2023/01/18 06:55:32 jmc Exp $ -.Dd $Mdocdate: January 18 2023 $ +.\" $OpenBSD: sshd_config.5,v 1.348 2023/03/03 04:36:20 djm Exp $ +.Dd $Mdocdate: March 3 2023 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -48,7 +48,7 @@ reads configuration data from .Fl f on the command line). The file contains keyword-argument pairs, one per line. -For each keyword, the first obtained value will be used. +Unless noted otherwise, for each keyword, the first obtained value will be used. Lines starting with .Ql # and empty lines are interpreted as comments. @@ -120,6 +120,9 @@ The allow/deny groups directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm AllowStreamLocalForwarding Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. The available options are @@ -177,6 +180,9 @@ The allow/deny users directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. @@ -629,6 +635,9 @@ The allow/deny groups directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -647,6 +656,9 @@ The allow/deny users directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm DisableForwarding Disables all forwarding features, including X11, .Xr ssh-agent 1 , diff --git a/umac.c b/umac.c index a710424ce0fd..d5958babfd34 100644 --- a/umac.c +++ b/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.22 2022/01/01 05:55:06 jsg Exp $ */ +/* $OpenBSD: umac.c,v 1.23 2023/03/07 01:30:52 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -233,7 +233,8 @@ static void pdf_init(pdf_ctx *pc, aes_int_key prf_key) explicit_bzero(buf, sizeof(buf)); } -static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8]) +static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], + UINT8 buf[UMAC_OUTPUT_LEN]) { /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes * of the AES output. If last time around we returned the ndx-1st diff --git a/version.h b/version.h index d83ae5b94e4a..69e76e6344fa 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.96 2023/02/02 12:10:22 djm Exp $ */ +/* $OpenBSD: version.h,v 1.97 2023/03/15 21:19:57 djm Exp $ */ -#define SSH_VERSION "OpenSSH_9.2" +#define SSH_VERSION "OpenSSH_9.3" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE