system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-08 20:26:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

ssh: update to OpenSSH v9.0p1

Browse Source 
Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Ed Maste 2022-04-15 10:41:08 -04:00
commit 87c1498d1a
53 changed files with 1164 additions and 868 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/openssh/.depend
View File

@ -121,7 +121,7 @@ sftp-common.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c
sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h
sftp-realpath.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sftp.h misc.h xmalloc.h
sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h
sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h

21
crypto/openssh/.github/configs vendored
View File

@ -38,13 +38,13 @@ case "$config" in
CC="clang-12"
# clang's implicit-fallthrough requires that the code be annotated with
# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough"
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
gcc-11-Werror)
CC="gcc"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
CFLAGS="-Wall -Wextra -Wno-format-truncation -O2 -Wimplicit-fallthrough=4"
CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
clang*|gcc*)
@ -145,10 +145,23 @@ case "$config" in
esac
case "${TARGET_HOST}" in
aix*)
# These are slow real or virtual machines so skip the slowest tests
# (which tend to be thw ones that transfer lots of data) so that the
# test run does not time out.
# The agent-restrict test fails due to some quoting issue when run
# with sh or ksh so specify bash for now.
TEST_TARGET="t-exec TEST_SHELL=bash"
SKIP_LTESTS="rekey sftp"
;;
dfly58*|dfly60*)
# scp 3-way connection hangs on these so skip until sorted.
SKIP_LTESTS=scp3
;;
fbsd6)
# Native linker is not great with PIC so OpenSSL is built w/out.
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
;;
hurd)
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
@ -173,6 +186,10 @@ case "${TARGET_HOST}" in
# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
;;
openwrt-*)
CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
TEST_TARGET="t-exec"
;;
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
# sol11 has 4 test configs so skip unit tests to speed up.

25
crypto/openssh/.github/setup_ci.sh vendored
View File

@ -80,7 +80,7 @@ for TARGET in $TARGETS; do
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_LIBRESSL} in
master) ;;
*) INSTALL_LIBRESSL="v$(echo ${TARGET} | cut -f2 -d-)" ;;
*) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
esac
PACKAGES="${PACKAGES} putty-tools"
;;
@ -122,11 +122,20 @@ if [ ! -z "${INSTALL_OPENSSL}" ]; then
fi
if [ ! -z "${INSTALL_LIBRESSL}" ]; then
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
git clone https://github.com/libressl-portable/portable.git &&
cd ${HOME}/libressl/portable &&
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
make -j2 && sudo make install)
if [ "${INSTALL_LIBRESSL}" = "master" ]; then
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
git clone https://github.com/libressl-portable/portable.git &&
cd ${HOME}/libressl/portable &&
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
make -j2 && sudo make install)
else
LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
(cd ${HOME} &&
wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
cd libressl-${INSTALL_LIBRESSL} &&
./configure --prefix=/opt/libressl && make -j2 && sudo make install)
fi
fi

3
crypto/openssh/.github/workflows/c-cpp.yml vendored
View File

@ -46,6 +46,7 @@ jobs:
- { os: ubuntu-latest, configs: libressl-3.2.6 }
- { os: ubuntu-latest, configs: libressl-3.3.4 }
- { os: ubuntu-latest, configs: libressl-3.4.1 }
- { os: ubuntu-latest, configs: libressl-3.5.0 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
@ -54,7 +55,9 @@ jobs:
- { os: ubuntu-latest, configs: openssl-1.1.0h }
- { os: ubuntu-latest, configs: openssl-1.1.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1k }
- { os: ubuntu-latest, configs: openssl-1.1.1m }
- { os: ubuntu-latest, configs: openssl-3.0.0 }
- { os: ubuntu-latest, configs: openssl-3.0.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
- { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- { os: ubuntu-18.04, configs: pam }

7
crypto/openssh/.github/workflows/selfhosted.yml vendored
View File

@ -16,9 +16,11 @@ jobs:
# default config. "os" corresponds to a label associated with the worker.
matrix:
os:
- aix51
- ARM64
- alpine
- bbone
- debian-i386
- dfly30
- dfly48
- dfly58
@ -40,6 +42,8 @@ jobs:
- obsd70
- obsdsnap
- openindiana
- openwrt-mips
- openwrt-mipsel
# - rocky84
- sol10
- sol11
@ -49,6 +53,7 @@ jobs:
# Then we include any extra configs we want to test for specific VMs.
include:
- { os: ARM64, configs: pam }
- { os: debian-i386, configs: pam }
- { os: dfly30, configs: without-openssl}
- { os: dfly48, configs: pam }
- { os: dfly58, configs: pam }
@ -87,7 +92,7 @@ jobs:
run: vmrun make
- name: make tests
run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
timeout-minutes: 300
timeout-minutes: 600
- name: save logs
if: failure()
uses: actions/upload-artifact@v2

1092
crypto/openssh/ChangeLog
View File

File diff suppressed because it is too large Load Diff

5
crypto/openssh/Makefile.in
View File

@ -1,5 +1,4 @@
# uncomment if you run a non bourne compatible shell. Ie. csh
#SHELL = @SH@
SHELL=@SH@
AUTORECONF=autoreconf
@ -688,7 +687,7 @@ SK_DUMMY_LIBRARY=@SK_DUMMY_LIBRARY@
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< -o $@
regress/misc/sk-dummy/sk-dummy.so: $(SK_DUMMY_OBJS)
$(CC) $(CFLAGS) $(CPPFLAGS) -fPIC -shared -o $@ $(SK_DUMMY_OBJS) \
$(CC) $(CFLAGS) $(CPPFLAGS) $(PICFLAG) -shared -o $@ $(SK_DUMMY_OBJS) \
-L. -Lopenbsd-compat -lopenbsd-compat $(LDFLAGS_NOPIE) $(LIBS)
regress-binaries: regress-prep $(LIBCOMPAT) \

41
crypto/openssh/PROTOCOL
View File

@ -492,7 +492,7 @@ This request asks the server to call fsync(2) on an open file handle.
string "fsync@openssh.com"
string handle
One receiving this request, a server will call fsync(handle_fd) and will
On receiving this request, a server will call fsync(handle_fd) and will
respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
@ -576,6 +576,43 @@ Its reply is the same format as that of SSH2_FXP_REALPATH.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
4.10. sftp: Extension request "copy-data"
This request asks the server to copy data from one open file handle and
write it to a different open file handle. This avoids needing to transfer
the data across the network twice (a download followed by an upload).
byte SSH_FXP_EXTENDED
uint32 id
string "copy-data"
string read-from-handle
uint64 read-from-offset
uint64 read-data-length
string write-to-handle
uint64 write-to-offset
The server will copy read-data-length bytes starting from
read-from-offset from the read-from-handle and write them to
write-to-handle starting from write-to-offset, and then respond with a
SSH_FXP_STATUS message.
It's equivalent to issuing a series of SSH_FXP_READ requests on
read-from-handle and a series of requests of SSH_FXP_WRITE on
write-to-handle.
If read-from-handle and write-to-handle are the same, the server will
fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
If read-data-length is 0, then the server will read data from the
read-from-handle until EOF is reached.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
This request is identical to the "copy-data" request documented in:
https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
5. Miscellaneous changes
5.1 Public key format
@ -612,4 +649,4 @@ master instance and later clients.
OpenSSH extends the usual agent protocol. These changes are documented
in the PROTOCOL.agent file.
$OpenBSD: PROTOCOL,v 1.43 2021/12/19 22:15:42 djm Exp $
$OpenBSD: PROTOCOL,v 1.44 2022/03/31 03:05:49 djm Exp $

2
crypto/openssh/README
View File

@ -1,4 +1,4 @@
See https://www.openssh.com/releasenotes.html#8.9p1 for the release notes.
See https://www.openssh.com/releasenotes.html#9.0p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or

52
crypto/openssh/auth.c
View File

@ -103,62 +103,18 @@ int
allowed_user(struct ssh *ssh, struct passwd * pw)
{
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
const char *hostname = NULL, *ipaddr = NULL;
u_int i;
int r;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
#ifdef USE_SHADOW
if (!options.use_pam)
spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
if (!options.use_pam && platform_locked_account(pw)) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
return 0;
#endif /* HAS_SHADOW_EXPIRE */
#endif /* USE_SHADOW */
/* grab passwd field for locked account check */
passwd = pw->pw_passwd;
#ifdef USE_SHADOW
if (spw != NULL)
#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* USE_LIBIAF */
#endif
/* check for locked account */
if (!options.use_pam && passwd && *passwd) {
int locked = 0;
#ifdef LOCKED_PASSWD_STRING
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
locked = 1;
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
strlen(LOCKED_PASSWD_PREFIX)) == 0)
locked = 1;
#endif
#ifdef LOCKED_PASSWD_SUBSTR
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
#ifdef USE_LIBIAF
free((void *) passwd);
#endif /* USE_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
return 0;
}
}
/*

6
crypto/openssh/auth2-pubkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.112 2021/12/19 22:12:30 djm Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.113 2022/02/27 01:33:59 naddy Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -166,8 +166,8 @@ userauth_pubkey(struct ssh *ssh, const char *method)
goto done;
}
if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) {
logit_f("key type %s not in PubkeyAcceptedAlgorithms",
sshkey_ssh_name(key));
logit_f("signature algorithm %s not in "
"PubkeyAcceptedAlgorithms", pkalg);
goto done;
}
if ((r = sshkey_check_cert_sigtype(key,

218
crypto/openssh/channels.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.413 2022/02/17 10:58:27 djm Exp $ */
/* $OpenBSD: channels.c,v 1.415 2022/03/30 21:10:25 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -432,21 +432,25 @@ channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
c->io_want &= ~SSH_CHAN_IO_RFD;
c->io_ready &= ~SSH_CHAN_IO_RFD;
c->rfd = -1;
c->pfds[0] = -1;
}
if (*fdp == c->wfd) {
c->io_want &= ~SSH_CHAN_IO_WFD;
c->io_ready &= ~SSH_CHAN_IO_WFD;
c->wfd = -1;
c->pfds[1] = -1;
}
if (*fdp == c->efd) {
c->io_want &= ~SSH_CHAN_IO_EFD;
c->io_ready &= ~SSH_CHAN_IO_EFD;
c->efd = -1;
c->pfds[2] = -1;
}
if (*fdp == c->sock) {
c->io_want &= ~SSH_CHAN_IO_SOCK;
c->io_ready &= ~SSH_CHAN_IO_SOCK;
c->sock = -1;
c->pfds[3] = -1;
}
ret = close(fd);
@ -2475,10 +2479,13 @@ dump_channel_poll(const char *func, const char *what, Channel *c,
u_int pollfd_offset, struct pollfd *pfd)
{
#ifdef DEBUG_CHANNEL_POLL
debug3_f("channel %d: rfd r%d w%d e%d s%d "
"pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x",
c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset, pfd->fd,
c->io_want, pfd->events, c->io_ready, pfd->revents);
debug3("%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] "
"io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d "
"pfd.ev 0x%02x pfd.rev 0x%02x", func, c->self, what,
c->rfd, c->wfd, c->efd, c->sock,
c->pfds[0], c->pfds[1], c->pfds[2], c->pfds[3],
c->io_want, c->io_ready,
pollfd_offset, pfd->fd, pfd->events, pfd->revents);
#endif
}
@ -2487,7 +2494,7 @@ static void
channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
struct pollfd *pfd, u_int npfd)
{
u_int p = *next_pollfd;
u_int ev, p = *next_pollfd;
if (c == NULL)
return;
@ -2496,7 +2503,7 @@ channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
fatal_f("channel %d: bad pfd offset %u (max %u)",
c->self, p, npfd);
}
c->pollfd_offset = -1;
c->pfds[0] = c->pfds[1] = c->pfds[2] = c->pfds[3] = -1;
/*
* prepare c->rfd
*
@ -2505,69 +2512,82 @@ channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
* IO too.
*/
if (c->rfd != -1) {
if (c->pollfd_offset == -1)
c->pollfd_offset = p;
pfd[p].fd = c->rfd;
pfd[p].events = 0;
ev = 0;
if ((c->io_want & SSH_CHAN_IO_RFD) != 0)
pfd[p].events |= POLLIN;
ev |= POLLIN;
/* rfd == wfd */
if (c->wfd == c->rfd &&
(c->io_want & SSH_CHAN_IO_WFD) != 0)
pfd[p].events |= POLLOUT;
if (c->wfd == c->rfd) {
if ((c->io_want & SSH_CHAN_IO_WFD) != 0)
ev |= POLLOUT;
}
/* rfd == efd */
if (c->efd == c->rfd &&
(c->io_want & SSH_CHAN_IO_EFD_R) != 0)
pfd[p].events |= POLLIN;
if (c->efd == c->rfd &&
(c->io_want & SSH_CHAN_IO_EFD_W) != 0)
pfd[p].events |= POLLOUT;
if (c->efd == c->rfd) {
if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
ev |= POLLIN;
if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
ev |= POLLOUT;
}
/* rfd == sock */
if (c->sock == c->rfd &&
(c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
pfd[p].events |= POLLIN;
if (c->sock == c->rfd &&
(c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
pfd[p].events |= POLLOUT;
dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
p++;
if (c->sock == c->rfd) {
if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
ev |= POLLIN;
if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
ev |= POLLOUT;
}
/* Pack a pfd entry if any event armed for this fd */
if (ev != 0) {
c->pfds[0] = p;
pfd[p].fd = c->rfd;
pfd[p].events = ev;
dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
p++;
}
}
/* prepare c->wfd (if not already handled above) */
/* prepare c->wfd if wanting IO and not already handled above */
if (c->wfd != -1 && c->rfd != c->wfd) {
if (c->pollfd_offset == -1)
c->pollfd_offset = p;
pfd[p].fd = c->wfd;
pfd[p].events = 0;
if ((c->io_want & SSH_CHAN_IO_WFD) != 0)
pfd[p].events = POLLOUT;
dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
p++;
ev = 0;
if ((c->io_want & SSH_CHAN_IO_WFD))
ev |= POLLOUT;
/* Pack a pfd entry if any event armed for this fd */
if (ev != 0) {
c->pfds[1] = p;
pfd[p].fd = c->wfd;
pfd[p].events = ev;
dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
p++;
}
}
/* prepare c->efd (if not already handled above) */
/* prepare c->efd if wanting IO and not already handled above */
if (c->efd != -1 && c->rfd != c->efd) {
if (c->pollfd_offset == -1)
c->pollfd_offset = p;
pfd[p].fd = c->efd;
pfd[p].events = 0;
ev = 0;
if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
pfd[p].events |= POLLIN;
ev |= POLLIN;
if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
pfd[p].events |= POLLOUT;
dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
p++;
ev |= POLLOUT;
/* Pack a pfd entry if any event armed for this fd */
if (ev != 0) {
c->pfds[2] = p;
pfd[p].fd = c->efd;
pfd[p].events = ev;
dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
p++;
}
}
/* prepare c->sock (if not already handled above) */
/* prepare c->sock if wanting IO and not already handled above */
if (c->sock != -1 && c->rfd != c->sock) {
if (c->pollfd_offset == -1)
c->pollfd_offset = p;
pfd[p].fd = c->sock;
pfd[p].events = 0;
ev = 0;
if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
pfd[p].events |= POLLIN;
ev |= POLLIN;
if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
pfd[p].events |= POLLOUT;
dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
p++;
ev |= POLLOUT;
/* Pack a pfd entry if any event armed for this fd */
if (ev != 0) {
c->pfds[3] = p;
pfd[p].fd = c->sock;
pfd[p].events = 0;
dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
p++;
}
}
*next_pollfd = p;
}
@ -2614,13 +2634,15 @@ channel_prepare_poll(struct ssh *ssh, struct pollfd **pfdp, u_int *npfd_allocp,
}
static void
fd_ready(Channel *c, u_int p, struct pollfd *pfds, int fd,
fd_ready(Channel *c, int p, struct pollfd *pfds, u_int npfd, int fd,
const char *what, u_int revents_mask, u_int ready)
{
struct pollfd *pfd = &pfds[p];
if (fd == -1)
return;
if (p == -1 || (u_int)p >= npfd)
fatal_f("channel %d: bad pfd %d (max %u)", c->self, p, npfd);
dump_channel_poll(__func__, what, c, p, pfd);
if (pfd->fd != fd) {
fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "
@ -2643,11 +2665,12 @@ void
channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
{
struct ssh_channels *sc = ssh->chanctxt;
u_int i, p;
u_int i;
int p;
Channel *c;
#ifdef DEBUG_CHANNEL_POLL
for (p = 0; p < npfd; p++) {
for (p = 0; p < (int)npfd; p++) {
if (pfd[p].revents == 0)
continue;
debug_f("pfd[%u].fd %d rev 0x%04x",
@ -2658,13 +2681,8 @@ channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
/* Convert pollfd into c->io_ready */
for (i = 0; i < sc->channels_alloc; i++) {
c = sc->channels[i];
if (c == NULL || c->pollfd_offset < 0)
if (c == NULL)
continue;
if ((u_int)c->pollfd_offset >= npfd) {
/* shouldn't happen */
fatal_f("channel %d: (before) bad pfd %u (max %u)",
c->self, c->pollfd_offset, npfd);
}
/* if rfd is shared with efd/sock then wfd should be too */
if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd &&
(c->rfd == c->efd || c->rfd == c->sock)) {
@ -2673,56 +2691,52 @@ channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
c->self, c->rfd, c->wfd, c->efd, c->sock);
}
c->io_ready = 0;
p = c->pollfd_offset;
/* rfd, potentially shared with wfd, efd and sock */
if (c->rfd != -1) {
fd_ready(c, p, pfd, c->rfd, "rfd", POLLIN,
SSH_CHAN_IO_RFD);
if (c->rfd != -1 && (p = c->pfds[0]) != -1) {
fd_ready(c, p, pfd, npfd, c->rfd,
"rfd", POLLIN, SSH_CHAN_IO_RFD);
if (c->rfd == c->wfd) {
fd_ready(c, p, pfd, c->wfd, "wfd/r", POLLOUT,
SSH_CHAN_IO_WFD);
fd_ready(c, p, pfd, npfd, c->wfd,
"wfd/r", POLLOUT, SSH_CHAN_IO_WFD);
}
if (c->rfd == c->efd) {
fd_ready(c, p, pfd, c->efd, "efdr/r", POLLIN,
SSH_CHAN_IO_EFD_R);
fd_ready(c, p, pfd, c->efd, "efdw/r", POLLOUT,
SSH_CHAN_IO_EFD_W);
fd_ready(c, p, pfd, npfd, c->efd,
"efdr/r", POLLIN, SSH_CHAN_IO_EFD_R);
fd_ready(c, p, pfd, npfd, c->efd,
"efdw/r", POLLOUT, SSH_CHAN_IO_EFD_W);
}
if (c->rfd == c->sock) {
fd_ready(c, p, pfd, c->sock, "sockr/r", POLLIN,
SSH_CHAN_IO_SOCK_R);
fd_ready(c, p, pfd, c->sock, "sockw/r", POLLOUT,
SSH_CHAN_IO_SOCK_W);
fd_ready(c, p, pfd, npfd, c->sock,
"sockr/r", POLLIN, SSH_CHAN_IO_SOCK_R);
fd_ready(c, p, pfd, npfd, c->sock,
"sockw/r", POLLOUT, SSH_CHAN_IO_SOCK_W);
}
p++;
dump_channel_poll(__func__, "rfd", c, p, pfd);
}
/* wfd */
if (c->wfd != -1 && c->wfd != c->rfd) {
fd_ready(c, p, pfd, c->wfd, "wfd", POLLOUT,
SSH_CHAN_IO_WFD);
p++;
if (c->wfd != -1 && c->wfd != c->rfd &&
(p = c->pfds[1]) != -1) {
fd_ready(c, p, pfd, npfd, c->wfd,
"wfd", POLLOUT, SSH_CHAN_IO_WFD);
dump_channel_poll(__func__, "wfd", c, p, pfd);
}
/* efd */
if (c->efd != -1 && c->efd != c->rfd) {
fd_ready(c, p, pfd, c->efd, "efdr", POLLIN,
SSH_CHAN_IO_EFD_R);
fd_ready(c, p, pfd, c->efd, "efdw", POLLOUT,
SSH_CHAN_IO_EFD_W);
p++;
if (c->efd != -1 && c->efd != c->rfd &&
(p = c->pfds[2]) != -1) {
fd_ready(c, p, pfd, npfd, c->efd,
"efdr", POLLIN, SSH_CHAN_IO_EFD_R);
fd_ready(c, p, pfd, npfd, c->efd,
"efdw", POLLOUT, SSH_CHAN_IO_EFD_W);
dump_channel_poll(__func__, "efd", c, p, pfd);
}
/* sock */
if (c->sock != -1 && c->sock != c->rfd) {
fd_ready(c, p, pfd, c->sock, "sockr", POLLIN,
SSH_CHAN_IO_SOCK_R);
fd_ready(c, p, pfd, c->sock, "sockw", POLLOUT,
SSH_CHAN_IO_SOCK_W);
p++;
}
if (p > npfd) {
/* shouldn't happen */
fatal_f("channel %d: (after) bad pfd %u (max %u)",
c->self, c->pollfd_offset, npfd);
if (c->sock != -1 && c->sock != c->rfd &&
(p = c->pfds[3]) != -1) {
fd_ready(c, p, pfd, npfd, c->sock,
"sockr", POLLIN, SSH_CHAN_IO_SOCK_R);
fd_ready(c, p, pfd, npfd, c->sock,
"sockw", POLLOUT, SSH_CHAN_IO_SOCK_W);
dump_channel_poll(__func__, "sock", c, p, pfd);
}
}
channel_handler(ssh, CHAN_POST, NULL);

4
crypto/openssh/channels.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.141 2022/01/22 00:49:34 djm Exp $ */
/* $OpenBSD: channels.h,v 1.142 2022/03/30 21:10:25 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -138,7 +138,7 @@ struct Channel {
int sock; /* sock fd */
u_int io_want; /* bitmask of SSH_CHAN_IO_* */
u_int io_ready; /* bitmask of SSH_CHAN_IO_* */
int pollfd_offset; /* base offset into pollfd array (or -1) */
int pfds[4]; /* pollfd entries for rfd/wfd/efd/sock */
int ctl_chan; /* control channel (multiplexed connections) */
int isatty; /* rfd is a tty */
#ifdef _AIX

7
crypto/openssh/config.h
View File

@ -334,6 +334,10 @@
*/
#define HAVE_DECL_BZERO 1
/* Define to 1 if you have the declaration of `ftruncate', and to 0 if you
don't. */
#define HAVE_DECL_FTRUNCATE 1
/* Define to 1 if you have the declaration of `getpeereid', and to 0 if you
don't. */
#define HAVE_DECL_GETPEEREID 1
@ -847,6 +851,9 @@
/* Define if you have isblank(3C). */
#define HAVE_ISBLANK 1
/* Define to 1 if you have the `killpg' function. */
#define HAVE_KILLPG 1
/* Define to 1 if you have the `krb5_cc_new_unique' function. */
/* #undef HAVE_KRB5_CC_NEW_UNIQUE */

13
crypto/openssh/configure.ac
View File

@ -48,6 +48,8 @@ AC_PATH_PROG([SED], [sed])
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
AC_PATH_PROG([SH], [bash])
AC_PATH_PROG([SH], [ksh])
AC_PATH_PROG([SH], [sh])
AC_PATH_PROG([GROFF], [groff])
AC_PATH_PROG([NROFF], [nroff awf])
@ -1933,6 +1935,7 @@ AC_CHECK_FUNCS([ \
inet_ntoa \
inet_ntop \
innetgr \
killpg \
llabs \
localtime_r \
login_getcapbool \
@ -2149,6 +2152,12 @@ AC_CHECK_DECLS([O_NONBLOCK], , ,
#endif
])
AC_CHECK_DECLS([ftruncate], , ,
[
#include <sys/types.h>
#include <unistd.h>
])
AC_CHECK_DECLS([readv, writev], , , [
#include <sys/types.h>
#include <sys/uio.h>
@ -3631,8 +3640,8 @@ AC_RUN_IFELSE(
select_works_with_rlimit=yes],
[AC_MSG_RESULT([no])
select_works_with_rlimit=no],
[AC_MSG_WARN([cross compiling: assuming yes])
select_works_with_rlimit=yes]
[AC_MSG_WARN([cross compiling: assuming no])
select_works_with_rlimit=no]
)
AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[

2
crypto/openssh/contrib/redhat/openssh.spec
View File

@ -1,4 +1,4 @@
%global ver 8.9p1
%global ver 9.0p1
%global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID

2
crypto/openssh/contrib/suse/openssh.spec
View File

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 8.9p1
Version: 9.0p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz

3
crypto/openssh/m4/openssh.m4
View File

@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#include <stdlib.h>
#include <stdio.h>
/* Trivial function to help test for -fzero-call-used-regs */
void f(int n) {}
int main(int argc, char **argv) {
(void)argv;
/* Some math to catch -ftrapv problems in the toolchain */
@ -21,6 +23,7 @@ int main(int argc, char **argv) {
float l = i * 2.1;
double m = l / 0.5;
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
f(0);
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
/*
* Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does

27
crypto/openssh/misc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.174 2022/02/11 00:43:56 dtucker Exp $ */
/* $OpenBSD: misc.c,v 1.175 2022/03/20 08:51:21 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@ -1069,16 +1069,21 @@ addargs(arglist *args, char *fmt, ...)
r = vasprintf(&cp, fmt, ap);
va_end(ap);
if (r == -1)
fatal("addargs: argument too long");
fatal_f("argument too long");
nalloc = args->nalloc;
if (args->list == NULL) {
nalloc = 32;
args->num = 0;
} else if (args->num+2 >= nalloc)
} else if (args->num > (256 * 1024))
fatal_f("too many arguments");
else if (args->num >= args->nalloc)
fatal_f("arglist corrupt");
else if (args->num+2 >= nalloc)
nalloc *= 2;
args->list = xrecallocarray(args->list, args->nalloc, nalloc, sizeof(char *));
args->list = xrecallocarray(args->list, args->nalloc,
nalloc, sizeof(char *));
args->nalloc = nalloc;
args->list[args->num++] = cp;
args->list[args->num] = NULL;
@ -1095,10 +1100,12 @@ replacearg(arglist *args, u_int which, char *fmt, ...)
r = vasprintf(&cp, fmt, ap);
va_end(ap);
if (r == -1)
fatal("replacearg: argument too long");
fatal_f("argument too long");
if (args->list == NULL || args->num >= args->nalloc)
fatal_f("arglist corrupt");
if (which >= args->num)
fatal("replacearg: tried to replace invalid arg %d >= %d",
fatal_f("tried to replace invalid arg %d >= %d",
which, args->num);
free(args->list[which]);
args->list[which] = cp;
@ -1109,13 +1116,15 @@ freeargs(arglist *args)
{
u_int i;
if (args->list != NULL) {
if (args == NULL)
return;
if (args->list != NULL && args->num < args->nalloc) {
for (i = 0; i < args->num; i++)
free(args->list[i]);
free(args->list);
args->nalloc = args->num = 0;
args->list = NULL;
}
args->nalloc = args->num = 0;
args->list = NULL;
}
/*

11
crypto/openssh/monitor.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.231 2022/01/28 06:18:42 guenther Exp $ */
/* $OpenBSD: monitor.c,v 1.232 2022/02/25 02:09:27 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -709,7 +709,6 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
int
mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
{
char *username;
struct passwd *pwent;
int r, allowed = 0;
u_int i;
@ -719,14 +718,12 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
if (authctxt->attempt++ != 0)
fatal_f("multiple attempts for getpwnam");
if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0)
if ((r = sshbuf_get_cstring(m, &authctxt->user, NULL)) != 0)
fatal_fr(r, "parse");
pwent = getpwnamallow(ssh, username);
pwent = getpwnamallow(ssh, authctxt->user);
authctxt->user = xstrdup(username);
setproctitle("%s [priv]", pwent ? username : "unknown");
free(username);
setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
sshbuf_reset(m);

4
crypto/openssh/myproposal.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.70 2021/11/10 06:29:25 djm Exp $ */
/* $OpenBSD: myproposal.h,v 1.71 2022/03/30 21:13:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,12 +25,12 @@
*/
#define KEX_SERVER_KEX \
"sntrup761x25519-sha512@openssh.com," \
"curve25519-sha256," \
"curve25519-sha256@libssh.org," \
"ecdh-sha2-nistp256," \
"ecdh-sha2-nistp384," \
"ecdh-sha2-nistp521," \
"sntrup761x25519-sha512@openssh.com," \
"diffie-hellman-group-exchange-sha256," \
"diffie-hellman-group16-sha512," \
"diffie-hellman-group18-sha512," \

2
crypto/openssh/openbsd-compat/arc4random.c
View File

@ -79,7 +79,7 @@ _rs_init(u_char *buf, size_t n)
{
if (n < KEYSZ + IVSZ)
return;
chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
chacha_keysetup(&rs, buf, KEYSZ * 8);
chacha_ivsetup(&rs, buf + KEYSZ);
}

10
crypto/openssh/openbsd-compat/bsd-misc.c
View File

@ -107,7 +107,7 @@ const char *strerror(int e)
#endif
#ifndef HAVE_UTIMES
int utimes(char *filename, struct timeval *tvp)
int utimes(const char *filename, struct timeval *tvp)
{
struct utimbuf ub;
@ -412,6 +412,14 @@ getsid(pid_t pid)
}
#endif
#ifndef HAVE_KILLPG
int
killpg(pid_t pgrp, int sig)
{
return kill(pgrp, sig);
}
#endif
#ifdef FFLUSH_NULL_BUG
#undef fflush
int _ssh_compat_fflush(FILE *f)

2
crypto/openssh/openbsd-compat/bsd-misc.h
View File

@ -62,7 +62,7 @@ struct timeval {
}
#endif /* HAVE_STRUCT_TIMEVAL */
int utimes(char *, struct timeval *);
int utimes(const char *, struct timeval *);
#endif /* HAVE_UTIMES */
#ifndef AT_FDCWD

6
crypto/openssh/openbsd-compat/bsd-poll.c
View File

@ -91,11 +91,11 @@ ppoll(struct pollfd *fds, nfds_t nfds, const struct timespec *tmoutp,
fds[i].revents = 0;
if (fd == -1)
continue;
if (FD_ISSET(fd, readfds))
if ((fds[i].events & POLLIN) && FD_ISSET(fd, readfds))
fds[i].revents |= POLLIN;
if (FD_ISSET(fd, writefds))
if ((fds[i].events & POLLOUT) && FD_ISSET(fd, writefds))
fds[i].revents |= POLLOUT;
if (FD_ISSET(fd, exceptfds))
if ((fds[i].events & POLLPRI) && FD_ISSET(fd, exceptfds))
fds[i].revents |= POLLPRI;
}

6
crypto/openssh/openbsd-compat/chacha_private.h
View File

@ -1,10 +1,12 @@
/* OPENBSD ORIGINAL: lib/libc/crypt/chacha_private.h */
/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/
/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */
typedef unsigned char u8;
typedef unsigned int u32;
@ -52,7 +54,7 @@ static const char sigma[16] = "expand 32-byte k";
static const char tau[16] = "expand 16-byte k";
static void
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
{
const char *constants;

31
crypto/openssh/openbsd-compat/getrrsetbyname.c
View File

@ -89,7 +89,7 @@ struct __res_state _res;
#ifndef GETSHORT
#define GETSHORT(s, cp) { \
register u_char *t_cp = (u_char *)(cp); \
u_char *t_cp = (u_char *)(cp); \
(s) = ((u_int16_t)t_cp[0] << 8) \
| ((u_int16_t)t_cp[1]) \
; \
@ -99,7 +99,7 @@ struct __res_state _res;
#ifndef GETLONG
#define GETLONG(l, cp) { \
register u_char *t_cp = (u_char *)(cp); \
u_char *t_cp = (u_char *)(cp); \
(l) = ((u_int32_t)t_cp[0] << 24) \
| ((u_int32_t)t_cp[1] << 16) \
| ((u_int32_t)t_cp[2] << 8) \
@ -109,36 +109,35 @@ struct __res_state _res;
}
#endif
/*
* If the system doesn't have _getshort/_getlong or that are not exactly what
* we need then use local replacements, avoiding name collisions.
*/
#if !defined(HAVE__GETSHORT) || !defined(HAVE__GETLONG) || \
!defined(HAVE_DECL__GETSHORT) || HAVE_DECL__GETSHORT == 0 || \
!defined(HAVE_DECL__GETLONG) || HAVE_DECL__GETLONG == 0
#define _getshort(x) (_ssh_compat_getshort(x))
#define _getlong(x) (_ssh_compat_getlong(x))
/*
* Routines to insert/extract short/long's.
*/
#ifndef HAVE__GETSHORT
static u_int16_t
_getshort(msgp)
register const u_char *msgp;
_getshort(const u_char *msgp)
{
register u_int16_t u;
u_int16_t u;
GETSHORT(u, msgp);
return (u);
}
#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
u_int16_t _getshort(register const u_char *);
#endif
#ifndef HAVE__GETLONG
static u_int32_t
_getlong(msgp)
register const u_char *msgp;
_getlong(const u_char *msgp)
{
register u_int32_t u;
u_int32_t u;
GETLONG(u, msgp);
return (u);
}
#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
u_int32_t _getlong(register const u_char *);
#endif
/* ************** */

8
crypto/openssh/openbsd-compat/openbsd-compat.h
View File

@ -65,6 +65,10 @@ int bindresvport_sa(int sd, struct sockaddr *sa);
void closefrom(int);
#endif
#if defined(HAVE_DECL_FTRUNCATE) && HAVE_DECL_FTRUNCATE == 0
int ftruncate(int filedes, off_t length);
#endif
#ifndef HAVE_GETLINE
#include <stdio.h>
ssize_t getline(char **, size_t *, FILE *);
@ -78,6 +82,10 @@ int getpagesize(void);
char *getcwd(char *pt, size_t size);
#endif
#ifndef HAVE_KILLPG
int killpg(pid_t, int);
#endif
#if defined(HAVE_DECL_MEMMEM) && HAVE_DECL_MEMMEM == 0
void *memmem(const void *, size_t, const void *, size_t);
#endif

51
crypto/openssh/platform.c
View File

@ -18,6 +18,7 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "log.h"
@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name)
return NULL;
#endif
}
/* returns 1 if account is locked */
int
platform_locked_account(struct passwd *pw)
{
int locked = 0;
char *passwd = pw->pw_passwd;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#ifdef USE_LIBIAF
char *iaf_passwd = NULL;
#endif
spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
if (spw != NULL && auth_shadow_acctexpired(spw))
return 1;
#endif /* HAS_SHADOW_EXPIRE */
if (spw != NULL)
#ifdef USE_LIBIAF
iaf_passwd = passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* USE_LIBIAF */
#endif
/* check for locked account */
if (passwd && *passwd) {
#ifdef LOCKED_PASSWD_STRING
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
locked = 1;
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
strlen(LOCKED_PASSWD_PREFIX)) == 0)
locked = 1;
#endif
#ifdef LOCKED_PASSWD_SUBSTR
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
}
#ifdef USE_LIBIAF
if (iaf_passwd != NULL)
freezero(iaf_passwd, strlen(iaf_passwd));
#endif /* USE_LIBIAF */
return locked;
}

1
crypto/openssh/platform.h
View File

@ -28,6 +28,7 @@ void platform_setusercontext(struct passwd *);
void platform_setusercontext_post_groups(struct passwd *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
int platform_locked_account(struct passwd *);
int platform_sys_dir_uid(uid_t);
void platform_disable_tracing(int);

4
crypto/openssh/scp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.245 2022/02/10 04:12:38 djm Exp $ */
/* $OpenBSD: scp.c,v 1.247 2022/03/20 08:52:17 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -968,7 +968,7 @@ do_sftp_connect(char *host, char *user, int port, char *sftp_direct,
return NULL;
} else {
args.list = NULL;
freeargs(&args);
addargs(&args, "sftp-server");
if (do_cmd(sftp_direct, host, NULL, -1, 0, "sftp",
reminp, remoutp, pidp) < 0)

9
crypto/openssh/servconf.c
View File

@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.383 2022/02/08 08:59:12 dtucker Exp $ */
/* $OpenBSD: servconf.c,v 1.384 2022/03/18 04:04:11 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -2542,7 +2542,7 @@ parse_server_match_config(ServerOptions *options,
initialize_server_options(&mo);
parse_server_config(&mo, "reprocess config", cfg, includes,
connectinfo);
connectinfo, 0);
copy_set_server_options(options, &mo, 0);
}
@ -2720,12 +2720,13 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
void
parse_server_config(ServerOptions *options, const char *filename,
struct sshbuf *conf, struct include_list *includes,
struct connection_info *connectinfo)
struct connection_info *connectinfo, int reexec)
{
int active = connectinfo ? 0 : 1;
parse_server_config_depth(options, filename, conf, includes,
connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
process_queued_listen_addrs(options);
if (!reexec)
process_queued_listen_addrs(options);
}
static const char *

4
crypto/openssh/servconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.155 2021/07/02 05:11:21 dtucker Exp $ */
/* $OpenBSD: servconf.h,v 1.156 2022/03/18 04:04:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -298,7 +298,7 @@ int process_server_config_line(ServerOptions *, char *, const char *, int,
void process_permitopen(struct ssh *ssh, ServerOptions *options);
void load_server_config(const char *, struct sshbuf *);
void parse_server_config(ServerOptions *, const char *, struct sshbuf *,
struct include_list *includes, struct connection_info *);
struct include_list *includes, struct connection_info *, int);
void parse_server_match_config(ServerOptions *,
struct include_list *includes, struct connection_info *);
int parse_server_match_testspec(struct connection_info *, char *);

122
crypto/openssh/sftp-client.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.161 2022/01/17 21:41:04 djm Exp $ */
/* $OpenBSD: sftp-client.c,v 1.162 2022/03/31 03:07:03 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -103,6 +103,7 @@ struct sftp_conn {
#define SFTP_EXT_LSETSTAT 0x00000020
#define SFTP_EXT_LIMITS 0x00000040
#define SFTP_EXT_PATH_EXPAND 0x00000080
#define SFTP_EXT_COPY_DATA 0x00000100
u_int exts;
u_int64_t limit_kbps;
struct bwlimit bwlimit_in, bwlimit_out;
@ -534,6 +535,10 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests,
strcmp((char *)value, "1") == 0) {
ret->exts |= SFTP_EXT_PATH_EXPAND;
known = 1;
} else if (strcmp(name, "copy-data") == 0 &&
strcmp((char *)value, "1") == 0) {
ret->exts |= SFTP_EXT_COPY_DATA;
known = 1;
}
if (known) {
debug2("Server supports extension \"%s\" revision %s",
@ -1078,6 +1083,121 @@ do_expand_path(struct sftp_conn *conn, const char *path)
return do_realpath_expand(conn, path, 1);
}
int
do_copy(struct sftp_conn *conn, const char *oldpath, const char *newpath)
{
Attrib junk, *a;
struct sshbuf *msg;
u_char *old_handle, *new_handle;
u_int mode, status, id;
size_t old_handle_len, new_handle_len;
int r;
/* Return if the extension is not supported */
if ((conn->exts & SFTP_EXT_COPY_DATA) == 0) {
error("Server does not support copy-data extension");
return -1;
}
/* Make sure the file exists, and we can copy its perms */
if ((a = do_stat(conn, oldpath, 0)) == NULL)
return -1;
/* Do not preserve set[ug]id here, as we do not preserve ownership */
if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
mode = a->perm & 0777;
if (!S_ISREG(a->perm)) {
error("Cannot copy non-regular file: %s", oldpath);
return -1;
}
} else {
/* NB: The user's umask will apply to this */
mode = 0666;
}
/* Set up the new perms for the new file */
attrib_clear(a);
a->perm = mode;
a->flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
if ((msg = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
attrib_clear(&junk); /* Send empty attributes */
/* Open the old file for reading */
id = conn->msg_id++;
if ((r = sshbuf_put_u8(msg, SSH2_FXP_OPEN)) != 0 ||
(r = sshbuf_put_u32(msg, id)) != 0 ||
(r = sshbuf_put_cstring(msg, oldpath)) != 0 ||
(r = sshbuf_put_u32(msg, SSH2_FXF_READ)) != 0 ||
(r = encode_attrib(msg, &junk)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
send_msg(conn, msg);
debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, oldpath);
sshbuf_reset(msg);
old_handle = get_handle(conn, id, &old_handle_len,
"remote open(\"%s\")", oldpath);
if (old_handle == NULL) {
sshbuf_free(msg);
return -1;
}
/* Open the new file for writing */
id = conn->msg_id++;
if ((r = sshbuf_put_u8(msg, SSH2_FXP_OPEN)) != 0 ||
(r = sshbuf_put_u32(msg, id)) != 0 ||
(r = sshbuf_put_cstring(msg, newpath)) != 0 ||
(r = sshbuf_put_u32(msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|
SSH2_FXF_TRUNC)) != 0 ||
(r = encode_attrib(msg, a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
send_msg(conn, msg);
debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, newpath);
sshbuf_reset(msg);
new_handle = get_handle(conn, id, &new_handle_len,
"remote open(\"%s\")", newpath);
if (new_handle == NULL) {
sshbuf_free(msg);
free(old_handle);
return -1;
}
/* Copy the file data */
id = conn->msg_id++;
if ((r = sshbuf_put_u8(msg, SSH2_FXP_EXTENDED)) != 0 ||
(r = sshbuf_put_u32(msg, id)) != 0 ||
(r = sshbuf_put_cstring(msg, "copy-data")) != 0 ||
(r = sshbuf_put_string(msg, old_handle, old_handle_len)) != 0 ||
(r = sshbuf_put_u64(msg, 0)) != 0 ||
(r = sshbuf_put_u64(msg, 0)) != 0 ||
(r = sshbuf_put_string(msg, new_handle, new_handle_len)) != 0 ||
(r = sshbuf_put_u64(msg, 0)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
send_msg(conn, msg);
debug3("Sent message copy-data \"%s\" 0 0 -> \"%s\" 0",
oldpath, newpath);
status = get_status(conn, id);
if (status != SSH2_FX_OK)
error("Couldn't copy file \"%s\" to \"%s\": %s", oldpath,
newpath, fx2txt(status));
/* Clean up everything */
sshbuf_free(msg);
do_close(conn, old_handle, old_handle_len);
do_close(conn, new_handle, new_handle_len);
free(old_handle);
free(new_handle);
return status == SSH2_FX_OK ? 0 : -1;
}
int
do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath,
int force_legacy)

5
crypto/openssh/sftp-client.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.h,v 1.35 2022/01/01 01:55:30 jsg Exp $ */
/* $OpenBSD: sftp-client.h,v 1.36 2022/03/31 03:07:03 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
@ -125,6 +125,9 @@ int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
/* Rename 'oldpath' to 'newpath' */
int do_rename(struct sftp_conn *, const char *, const char *, int);
/* Copy 'oldpath' to 'newpath' */
int do_copy(struct sftp_conn *, const char *, const char *);
/* Link 'oldpath' to 'newpath' */
int do_hardlink(struct sftp_conn *, const char *, const char *);

8
crypto/openssh/sftp-glob.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-glob.c,v 1.29 2019/11/13 04:47:52 deraadt Exp $ */
/* $OpenBSD: sftp-glob.c,v 1.30 2022/02/25 09:46:24 dtucker Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -51,7 +51,7 @@ fudge_opendir(const char *path)
r = xcalloc(1, sizeof(*r));
if (do_readdir(cur.conn, (char *)path, &r->dir)) {
if (do_readdir(cur.conn, path, &r->dir)) {
free(r);
return(NULL);
}
@ -112,7 +112,7 @@ fudge_lstat(const char *path, struct stat *st)
{
Attrib *a;
if (!(a = do_lstat(cur.conn, (char *)path, 1)))
if (!(a = do_lstat(cur.conn, path, 1)))
return(-1);
attrib_to_stat(a, st);
@ -125,7 +125,7 @@ fudge_stat(const char *path, struct stat *st)
{
Attrib *a;
if (!(a = do_stat(cur.conn, (char *)path, 1)))
if (!(a = do_stat(cur.conn, path, 1)))
return(-1);
attrib_to_stat(a, st);

94
crypto/openssh/sftp-server.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-server.c,v 1.139 2022/02/01 23:32:51 djm Exp $ */
/* $OpenBSD: sftp-server.c,v 1.140 2022/03/31 03:05:49 djm Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@ -44,6 +44,7 @@
#include <unistd.h>
#include <stdarg.h>
#include "atomicio.h"
#include "xmalloc.h"
#include "sshbuf.h"
#include "ssherr.h"
@ -119,6 +120,7 @@ static void process_extended_fsync(u_int32_t id);
static void process_extended_lsetstat(u_int32_t id);
static void process_extended_limits(u_int32_t id);
static void process_extended_expand(u_int32_t id);
static void process_extended_copy_data(u_int32_t id);
static void process_extended(u_int32_t id);
struct sftp_handler {
@ -164,6 +166,7 @@ static const struct sftp_handler extended_handlers[] = {
{ "limits", "limits@openssh.com", 0, process_extended_limits, 0 },
{ "expand-path", "expand-path@openssh.com", 0,
process_extended_expand, 0 },
{ "copy-data", "copy-data", 0, process_extended_copy_data, 1 },
{ NULL, NULL, 0, NULL, 0 }
};
@ -720,6 +723,7 @@ process_init(void)
compose_extension(msg, "lsetstat@openssh.com", "1");
compose_extension(msg, "limits@openssh.com", "1");
compose_extension(msg, "expand-path@openssh.com", "1");
compose_extension(msg, "copy-data", "1");
send_msg(msg);
sshbuf_free(msg);
@ -1592,6 +1596,94 @@ process_extended_expand(u_int32_t id)
free(path);
}
static void
process_extended_copy_data(u_int32_t id)
{
u_char buf[64*1024];
int read_handle, read_fd, write_handle, write_fd;
u_int64_t len, read_off, read_len, write_off;
int r, copy_until_eof, status = SSH2_FX_OP_UNSUPPORTED;
size_t ret;
if ((r = get_handle(iqueue, &read_handle)) != 0 ||
(r = sshbuf_get_u64(iqueue, &read_off)) != 0 ||
(r = sshbuf_get_u64(iqueue, &read_len)) != 0 ||
(r = get_handle(iqueue, &write_handle)) != 0 ||
(r = sshbuf_get_u64(iqueue, &write_off)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
debug("request %u: copy-data from \"%s\" (handle %d) off %llu len %llu "
"to \"%s\" (handle %d) off %llu",
id, handle_to_name(read_handle), read_handle,
(unsigned long long)read_off, (unsigned long long)read_len,
handle_to_name(write_handle), write_handle,
(unsigned long long)write_off);
/* For read length of 0, we read until EOF. */
if (read_len == 0) {
read_len = (u_int64_t)-1 - read_off;
copy_until_eof = 1;
} else
copy_until_eof = 0;
read_fd = handle_to_fd(read_handle);
write_fd = handle_to_fd(write_handle);
/* Disallow reading & writing to the same handle or same path or dirs */
if (read_handle == write_handle || read_fd < 0 || write_fd < 0 ||
!strcmp(handle_to_name(read_handle), handle_to_name(write_handle))) {
status = SSH2_FX_FAILURE;
goto out;
}
if (lseek(read_fd, read_off, SEEK_SET) < 0) {
status = errno_to_portable(errno);
error("%s: read_seek failed", __func__);
goto out;
}
if ((handle_to_flags(write_handle) & O_APPEND) == 0 &&
lseek(write_fd, write_off, SEEK_SET) < 0) {
status = errno_to_portable(errno);
error("%s: write_seek failed", __func__);
goto out;
}
/* Process the request in chunks. */
while (read_len > 0 || copy_until_eof) {
len = MINIMUM(sizeof(buf), read_len);
read_len -= len;
ret = atomicio(read, read_fd, buf, len);
if (ret == 0 && errno == EPIPE) {
status = copy_until_eof ? SSH2_FX_OK : SSH2_FX_EOF;
break;
} else if (ret == 0) {
status = errno_to_portable(errno);
error("%s: read failed: %s", __func__, strerror(errno));
break;
}
len = ret;
handle_update_read(read_handle, len);
ret = atomicio(vwrite, write_fd, buf, len);
if (ret != len) {
status = errno_to_portable(errno);
error("%s: write failed: %llu != %llu: %s", __func__,
(unsigned long long)ret, (unsigned long long)len,
strerror(errno));
break;
}
handle_update_write(write_handle, len);
}
if (read_len == 0)
status = SSH2_FX_OK;
out:
send_status(id, status);
}
static void
process_extended(u_int32_t id)
{

20
crypto/openssh/sftp.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: sftp.1,v 1.138 2021/07/02 05:11:21 dtucker Exp $
.\" $OpenBSD: sftp.1,v 1.140 2022/03/31 17:27:27 naddy Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 2 2021 $
.Dd $Mdocdate: March 31 2022 $
.Dt SFTP 1
.Os
.Sh NAME
@ -126,7 +126,7 @@ Batch mode reads a series of commands from an input
.Ar batchfile
instead of
.Em stdin .
Since it lacks user interaction it should be used in conjunction with
Since it lacks user interaction, it should be used in conjunction with
non-interactive authentication to obviate the need to enter a password
at connection time (see
.Xr sshd 8
@ -144,7 +144,7 @@ will abort if any of the following
commands fail:
.Ic get , put , reget , reput , rename , ln ,
.Ic rm , mkdir , chdir , ls ,
.Ic lchdir , chmod , chown ,
.Ic lchdir , copy , cp , chmod , chown ,
.Ic chgrp , lpwd , df , symlink ,
and
.Ic lmkdir .
@ -400,6 +400,18 @@ If the
flag is specified, then symlinks will not be followed.
Note that this is only supported by servers that implement
the "lsetstat@openssh.com" extension.
.It Ic copy Ar oldpath Ar newpath
Copy remote file from
.Ar oldpath
to
.Ar newpath .
.Pp
Note that this is only supported by servers that implement the "copy-data"
extension.
.It Ic cp Ar oldpath Ar newpath
Alias to
.Ic copy
command.
.It Xo Ic df
.Op Fl hi
.Op Ar path

17
crypto/openssh/sftp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp.c,v 1.212 2021/09/11 09:05:50 schwarze Exp $ */
/* $OpenBSD: sftp.c,v 1.214 2022/03/31 03:07:03 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -137,6 +137,7 @@ enum sftp_command {
I_CHGRP,
I_CHMOD,
I_CHOWN,
I_COPY,
I_DF,
I_GET,
I_HELP,
@ -180,6 +181,8 @@ static const struct CMD cmds[] = {
{ "chgrp", I_CHGRP, REMOTE },
{ "chmod", I_CHMOD, REMOTE },
{ "chown", I_CHOWN, REMOTE },
{ "copy", I_COPY, REMOTE },
{ "cp", I_COPY, REMOTE },
{ "df", I_DF, REMOTE },
{ "dir", I_LS, REMOTE },
{ "exit", I_QUIT, NOARGS },
@ -286,6 +289,8 @@ help(void)
"chgrp [-h] grp path Change group of file 'path' to 'grp'\n"
"chmod [-h] mode path Change permissions of file 'path' to 'mode'\n"
"chown [-h] own path Change owner of file 'path' to 'own'\n"
"copy oldpath newpath Copy remote file\n"
"cp oldpath newpath Copy remote file\n"
"df [-hi] [path] Display statistics for current directory or\n"
" filesystem containing 'path'\n"
"exit Quit sftp\n"
@ -1369,6 +1374,10 @@ parse_args(const char **cpp, int *ignore_errors, int *disable_echo, int *aflag,
if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1)
return -1;
goto parse_two_paths;
case I_COPY:
if ((optidx = parse_no_flags(cmd, argv, argc)) == -1)
return -1;
goto parse_two_paths;
case I_RENAME:
if ((optidx = parse_rename_flags(cmd, argv, argc, lflag)) == -1)
return -1;
@ -1536,6 +1545,11 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
err = process_put(conn, path1, path2, *pwd, pflag,
rflag, aflag, fflag);
break;
case I_COPY:
path1 = make_absolute(path1, *pwd);
path2 = make_absolute(path2, *pwd);
err = do_copy(conn, path1, path2);
break;
case I_RENAME:
path1 = make_absolute(path1, *pwd);
path2 = make_absolute(path2, *pwd);
@ -2272,7 +2286,6 @@ static void
connect_to_server(char *path, char **args, int *in, int *out)
{
int c_in, c_out;
#ifdef USE_PIPES
int pin[2], pout[2];

8
crypto/openssh/ssh-agent.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: June 22 2020 $
.Dd $Mdocdate: March 31 2022 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@ -83,12 +83,12 @@ This is the default if
looks like it's a csh style of shell.
.It Fl D
Foreground mode.
When this option is specified
When this option is specified,
.Nm
will not fork.
.It Fl d
Debug mode.
When this option is specified
When this option is specified,
.Nm
will not fork and will write debug information to standard error.
.It Fl E Ar fingerprint_hash

9
crypto/openssh/ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.448 2022/02/01 23:32:51 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.450 2022/03/18 02:32:22 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -3538,6 +3538,13 @@ main(int argc, char **argv)
return sig_sign(identity_file, cert_principals,
argc, argv, opts, nopts);
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
/* NB. cert_principals is actually namespace, via -n */
if (cert_principals == NULL ||
*cert_principals == '\0') {
error("Too few arguments for check-novalidate: "
"missing namespace");
exit(1);
}
if (ca_key_path == NULL) {
error("Too few arguments for check-novalidate: "
"missing signature file");

6
crypto/openssh/ssh-keysign.8
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keysign.8,v 1.16 2019/11/30 07:07:59 jmc Exp $
.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 30 2019 $
.Dd $Mdocdate: March 31 2022 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
@ -77,7 +77,7 @@ must be set-uid root if host-based authentication is used.
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public certificate
If these files exist, they are assumed to contain public certificate
information corresponding with the private keys above.
.El
.Sh SEE ALSO

10
crypto/openssh/ssh.1
View File

@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.429 2022/02/06 00:29:03 jsg Exp $
.\" $OpenBSD: ssh.1,v 1.430 2022/03/31 17:27:27 naddy Exp $
.\" $FreeBSD$
.Dd $Mdocdate: February 6 2022 $
.Dd $Mdocdate: March 31 2022 $
.Dt SSH 1
.Os
.Sh NAME
@ -707,7 +707,7 @@ argument is
the listen port will be dynamically allocated on the server and reported
to the client at run time.
When used together with
.Ic -O forward
.Ic -O forward ,
the allocated port will be printed to the standard output.
.Pp
.It Fl S Ar ctl_path
@ -1047,7 +1047,7 @@ the user a normal shell as an interactive session.
All communication with
the remote command or shell will be automatically encrypted.
.Pp
If an interactive session is requested
If an interactive session is requested,
.Nm
by default will only request a pseudo-terminal (pty) for interactive
sessions when the client has one.
@ -1057,7 +1057,7 @@ and
.Fl t
can be used to override this behaviour.
.Pp
If a pseudo-terminal has been allocated the
If a pseudo-terminal has been allocated, the
user may use the escape characters noted below.
.Pp
If no pseudo-terminal has been allocated,

4
crypto/openssh/ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.573 2022/02/08 08:59:12 dtucker Exp $ */
/* $OpenBSD: ssh.c,v 1.574 2022/03/30 04:33:09 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -697,7 +697,7 @@ main(int ac, char **av)
again:
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
"AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
"AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
switch (opt) {
case '1':
fatal("SSH protocol v.1 is no longer supported");

2
crypto/openssh/ssh_config
View File

@ -46,4 +46,4 @@
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
# VerifyHostKeyDNS yes
# VersionAddendum FreeBSD-20220413
# VersionAddendum FreeBSD-20220415

10
crypto/openssh/ssh_config.5
View File

@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.369 2022/02/15 05:13:36 djm Exp $
.\" $OpenBSD: ssh_config.5,v 1.371 2022/03/31 17:58:44 naddy Exp $
.\" $FreeBSD$
.Dd $Mdocdate: February 15 2022 $
.Dd $Mdocdate: March 31 2022 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -1168,9 +1168,9 @@ character, then the specified algorithms will be placed at the head of the
default set.
The default is:
.Bd -literal -offset indent
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
sntrup761x25519-sha512@openssh.com,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
@ -1584,7 +1584,7 @@ If forwarding to a specific destination then the second argument must be
or a Unix domain socket path,
otherwise if no destination argument is specified then the remote forwarding
will be established as a SOCKS proxy.
When acting as a SOCKS proxy the destination of the connection can be
When acting as a SOCKS proxy, the destination of the connection can be
restricted by
.Cm PermitRemoteOpen .
.Pp
@ -1979,7 +1979,7 @@ in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
.Dq FreeBSD-20220413 .
.Dq FreeBSD-20220415 .
The value
.Cm none
may be used to disable this.

6
crypto/openssh/sshd.8
View File

@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $
.\" $OpenBSD: sshd.8,v 1.318 2022/03/31 17:27:27 naddy Exp $
.\" $FreeBSD$
.Dd $Mdocdate: September 10 2021 $
.Dd $Mdocdate: March 31 2022 $
.Dt SSHD 8
.Os
.Sh NAME
@ -652,7 +652,7 @@ Enable all restrictions, i.e. disable port, agent and X11 forwarding,
as well as disabling PTY allocation
and execution of
.Pa ~/.ssh/rc .
If any future restriction capabilities are added to authorized_keys files
If any future restriction capabilities are added to authorized_keys files,
they will be included in this set.
.It Cm tunnel="n"
Force a

4
crypto/openssh/sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.584 2022/03/01 01:59:19 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.585 2022/03/18 04:04:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1806,7 +1806,7 @@ main(int ac, char **av)
load_server_config(config_file_name, cfg);
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL);
cfg, &includes, NULL, rexeced_flag);
#ifdef WITH_OPENSSL
if (options.moduli_file != NULL)

2
crypto/openssh/sshd_config
View File

@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#VersionAddendum FreeBSD-20220413
#VersionAddendum FreeBSD-20220415
# no default banner path
#Banner none

8
crypto/openssh/sshd_config.5
View File

@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.339 2021/12/04 00:05:39 naddy Exp $
.\" $OpenBSD: sshd_config.5,v 1.340 2022/03/31 17:58:44 naddy Exp $
.\" $FreeBSD$
.Dd $Mdocdate: December 4 2021 $
.Dd $Mdocdate: March 31 2022 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -962,9 +962,9 @@ sntrup761x25519-sha512@openssh.com
.Pp
The default is:
.Bd -literal -offset indent
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
sntrup761x25519-sha512@openssh.com,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
@ -1806,7 +1806,7 @@ The default is
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
.Qq FreeBSD-20220413 .
.Qq FreeBSD-20220415 .
The value
.Cm none
may be used to disable this.

9
crypto/openssh/sshsig.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshsig.c,v 1.28 2022/02/01 23:34:47 djm Exp $ */
/* $OpenBSD: sshsig.c,v 1.29 2022/03/30 04:27:51 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@ -739,7 +739,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */
/* format: identity[,identity...] [option[,option...]] key */
if ((tmp = strdelimw(&cp)) == NULL) {
if ((tmp = strdelimw(&cp)) == NULL || cp == NULL) {
error("%s:%lu: invalid line", path, linenum);
r = SSH_ERR_INVALID_FORMAT;
goto out;
@ -777,6 +777,11 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (cp == NULL || *cp == '\0') {
error("%s:%lu: missing key", path, linenum);
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
*cp++ = '\0';
skip_space(&cp);
if (sshkey_read(key, &cp) != 0) {

2
crypto/openssh/version.h
View File

@ -6,7 +6,7 @@
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
#define SSH_VERSION_FREEBSD "FreeBSD-20220413"
#define SSH_VERSION_FREEBSD "FreeBSD-20220415"
#ifdef WITH_OPENSSL
#define OPENSSL_VERSION_STRING OpenSSL_version(OPENSSL_VERSION)

5
crypto/openssh/xmalloc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: xmalloc.c,v 1.36 2019/11/12 22:32:48 djm Exp $ */
/* $OpenBSD: xmalloc.c,v 1.37 2022/03/13 23:27:54 cheloha Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -91,8 +91,7 @@ xstrdup(const char *str)
len = strlen(str) + 1;
cp = xmalloc(len);
strlcpy(cp, str, len);
return cp;
return memcpy(cp, str, len);
}
int