Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssh/lib Merge our changes from OpenS...



details:   https://anonhg.NetBSD.org/src/rev/b9210c2b7e8c
branches:  trunk
changeset: 985635:b9210c2b7e8c
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Sep 02 11:26:17 2021 +0000

description:
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7

diffstat:

 crypto/external/bsd/openssh/bin/scp/Makefile            |    3 +-
 crypto/external/bsd/openssh/dist/PROTOCOL               |   23 +-
 crypto/external/bsd/openssh/dist/PROTOCOL.certkeys      |   38 +-
 crypto/external/bsd/openssh/dist/auth-options.c         |   45 +-
 crypto/external/bsd/openssh/dist/auth-options.h         |    9 +-
 crypto/external/bsd/openssh/dist/auth-pam.c             |    3 +-
 crypto/external/bsd/openssh/dist/auth.c                 |   10 +-
 crypto/external/bsd/openssh/dist/auth2-hostbased.c      |    8 +-
 crypto/external/bsd/openssh/dist/auth2-kbdint.c         |    8 +-
 crypto/external/bsd/openssh/dist/auth2-pubkey.c         |   15 +-
 crypto/external/bsd/openssh/dist/channels.c             |   73 +-
 crypto/external/bsd/openssh/dist/channels.h             |   19 +-
 crypto/external/bsd/openssh/dist/clientloop.c           |   44 +-
 crypto/external/bsd/openssh/dist/compat.c               |    8 +-
 crypto/external/bsd/openssh/dist/compat.h               |    6 +-
 crypto/external/bsd/openssh/dist/dns.c                  |   70 +-
 crypto/external/bsd/openssh/dist/dns.h                  |    5 +-
 crypto/external/bsd/openssh/dist/hostfile.c             |    9 +-
 crypto/external/bsd/openssh/dist/krl.c                  |   12 +-
 crypto/external/bsd/openssh/dist/log.c                  |   11 +-
 crypto/external/bsd/openssh/dist/misc.c                 |  127 ++-
 crypto/external/bsd/openssh/dist/misc.h                 |   14 +-
 crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 |  158 +-
 crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 |  181 ++-
 crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 |  136 +-
 crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 |  149 +-
 crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 |  144 +-
 crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 |  125 +-
 crypto/external/bsd/openssh/dist/monitor.c              |   20 +-
 crypto/external/bsd/openssh/dist/mux.c                  |   43 +-
 crypto/external/bsd/openssh/dist/nchan.c                |   12 +-
 crypto/external/bsd/openssh/dist/packet.c               |   23 +-
 crypto/external/bsd/openssh/dist/packet.h               |    5 +-
 crypto/external/bsd/openssh/dist/readconf.c             |  479 ++++++---
 crypto/external/bsd/openssh/dist/readconf.h             |   12 +-
 crypto/external/bsd/openssh/dist/readpass.c             |   12 +-
 crypto/external/bsd/openssh/dist/scp.1                  |   52 +-
 crypto/external/bsd/openssh/dist/scp.c                  |  514 +++++++++-
 crypto/external/bsd/openssh/dist/servconf.c             |  659 +++++++------
 crypto/external/bsd/openssh/dist/servconf.h             |    5 +-
 crypto/external/bsd/openssh/dist/serverloop.c           |  117 +-
 crypto/external/bsd/openssh/dist/session.c              |    9 +-
 crypto/external/bsd/openssh/dist/sftp-client.c          |  758 +++++++++++++--
 crypto/external/bsd/openssh/dist/sftp-client.h          |   39 +-
 crypto/external/bsd/openssh/dist/sftp-server.8          |   14 +-
 crypto/external/bsd/openssh/dist/sftp-server.c          |   69 +-
 crypto/external/bsd/openssh/dist/sftp.1                 |    7 +-
 crypto/external/bsd/openssh/dist/sftp.c                 |   34 +-
 crypto/external/bsd/openssh/dist/sk-usbhid.c            |   17 +-
 crypto/external/bsd/openssh/dist/ssh-keygen.1           |   32 +-
 crypto/external/bsd/openssh/dist/ssh-keygen.c           |   84 +-
 crypto/external/bsd/openssh/dist/ssh-keysign.c          |   10 +-
 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c    |    9 +-
 crypto/external/bsd/openssh/dist/ssh-pkcs11.c           |   24 +-
 crypto/external/bsd/openssh/dist/ssh.1                  |   49 +-
 crypto/external/bsd/openssh/dist/ssh.c                  |  114 +-
 crypto/external/bsd/openssh/dist/ssh_config.5           |  116 ++-
 crypto/external/bsd/openssh/dist/sshbuf-misc.c          |    6 +-
 crypto/external/bsd/openssh/dist/sshconnect.c           |   17 +-
 crypto/external/bsd/openssh/dist/sshconnect2.c          |   35 +-
 crypto/external/bsd/openssh/dist/sshd.8                 |   55 +-
 crypto/external/bsd/openssh/dist/sshd.c                 |   66 +-
 crypto/external/bsd/openssh/dist/sshd_config            |    6 +-
 crypto/external/bsd/openssh/dist/sshd_config.5          |   40 +-
 crypto/external/bsd/openssh/dist/sshkey.c               |   57 +-
 crypto/external/bsd/openssh/dist/sshkey.h               |    6 +-
 crypto/external/bsd/openssh/dist/sshsig.c               |  122 +-
 crypto/external/bsd/openssh/dist/version.h              |    8 +-
 crypto/external/bsd/openssh/lib/shlib_version           |    4 +-
 69 files changed, 3421 insertions(+), 1792 deletions(-)

diffs (truncated from 10077 to 300 lines):

diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/bin/scp/Makefile
--- a/crypto/external/bsd/openssh/bin/scp/Makefile      Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/bin/scp/Makefile      Thu Sep 02 11:26:17 2021 +0000
@@ -1,7 +1,8 @@
-#      $NetBSD: Makefile,v 1.5 2020/05/29 12:15:30 christos Exp $
+#      $NetBSD: Makefile,v 1.6 2021/09/02 11:26:17 christos Exp $
 
 BINDIR=/usr/bin
 
 PROG=  scp
+SRCS=  scp.c sftp-client.c sftp-common.c sftp-glob.c
 
 .include <bsd.prog.mk>
diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/dist/PROTOCOL
--- a/crypto/external/bsd/openssh/dist/PROTOCOL Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL Thu Sep 02 11:26:17 2021 +0000
@@ -525,6 +525,25 @@
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
 
+3.9. sftp: Extension request "expand-path%openssh.com@localhost"
+
+This request supports canonicalisation of relative paths and
+those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
+These paths are expanded using shell-like rules and the resultant
+path is canonicalised similarly to SSH2_FXP_REALPATH.
+
+It is implemented as a SSH_FXP_EXTENDED request with the following
+format:
+
+       uint32          id
+       string          "expand-path%openssh.com@localhost"
+       string          path
+
+Its reply is the same format as that of SSH2_FXP_REALPATH.
+
+This extension is advertised in the SSH_FXP_VERSION hello with version
+"1".
+
 4. Miscellaneous changes
 
 4.1 Public key format
@@ -556,5 +575,5 @@
 PROTOCOL.mux over a Unix domain socket for communications between a
 master instance and later clients.
 
-$OpenBSD: PROTOCOL,v 1.41 2021/02/18 02:49:35 djm Exp $
-$NetBSD: PROTOCOL,v 1.16 2021/03/05 17:47:15 christos Exp $
+$OpenBSD: PROTOCOL,v 1.42 2021/08/09 23:47:44 djm Exp $
+$NetBSD: PROTOCOL,v 1.17 2021/09/02 11:26:17 christos Exp $
diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/dist/PROTOCOL.certkeys
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.certkeys        Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.certkeys        Thu Sep 02 11:26:17 2021 +0000
@@ -45,7 +45,7 @@
     rsa-sha2-512-cert-v01%openssh.com@localhost
 
 These RSA/SHA-2 types should not appear in keys at rest or transmitted
-on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
+on the wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
 field or in the "public key algorithm name" field of a "publickey"
 SSH_USERAUTH_REQUEST to indicate that the signature will use the
 specified algorithm.
@@ -159,12 +159,11 @@
 curve and public key are respectively the ECDSA "[identifier]" and "Q"
 defined in section 3.1 of RFC5656.
 
-pk is the encoded Ed25519 public key as defined by
-draft-josefsson-eddsa-ed25519-03.
+pk is the encoded Ed25519 public key as defined by RFC8032.
 
 serial is an optional certificate serial number set by the CA to
 provide an abbreviated way to refer to certificates from that CA.
-If a CA does not wish to number its certificates it must set this
+If a CA does not wish to number its certificates, it must set this
 field to zero.
 
 type specifies whether this certificate is for identification of a user
@@ -217,13 +216,13 @@
 up to, and including the signature key. Signatures are computed and
 encoded according to the rules defined for the CA's public key algorithm
 (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
-types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
+types, and RFC8032 for Ed25519).
 
 Critical options
 ----------------
 
 The critical options section of the certificate specifies zero or more
-options on the certificates validity. The format of this field
+options on the certificate's validity. The format of this field
 is a sequence of zero or more tuples:
 
     string       name
@@ -234,7 +233,7 @@
 
 The name field identifies the option and the data field encodes
 option-specific information (see below). All options are
-"critical", if an implementation does not recognise a option
+"critical"; if an implementation does not recognise a option,
 then the validating party should refuse to accept the certificate.
 
 Custom options should append the originating author or organisation's
@@ -256,10 +255,18 @@
                                       for authentication. Addresses are
                                       specified in CIDR format (nn.nn.nn.nn/nn
                                       or hhhh::hhhh/nn).
-                                      If this option is not present then
+                                      If this option is not present, then
                                       certificates may be presented from any
                                       source address.
 
+verify-required         empty         Flag indicating that signatures made
+                                      with this certificate must assert FIDO
+                                      user verification (e.g. PIN or
+                                      biometric). This option only makes sense
+                                      for the U2F/FIDO security key types that
+                                      support this feature in their signature
+                                      formats.
+
 Extensions
 ----------
 
@@ -280,11 +287,11 @@
 
 Name                    Format        Description
 -----------------------------------------------------------------------------
-no-presence-required    empty         Flag indicating that signatures made
+no-touch-required       empty         Flag indicating that signatures made
                                       with this certificate need not assert
-                                      user presence. This option only make
-                                      sense for the U2F/FIDO security key
-                                      types that support this feature in
+                                      FIDO user presence. This option only
+                                      makes sense for the U2F/FIDO security
+                                      key types that support this feature in
                                       their signature formats.
 
 permit-X11-forwarding   empty         Flag indicating that X11 forwarding
@@ -298,7 +305,7 @@
 
 permit-port-forwarding  empty         Flag indicating that port-forwarding
                                       should be allowed. If this option is
-                                      not present then no port forwarding will
+                                      not present, then no port forwarding will
                                       be allowed.
 
 permit-pty              empty         Flag indicating that PTY allocation
@@ -311,6 +318,5 @@
                                       of this script will not be permitted if
                                       this option is not present.
 
-$OpenBSD: PROTOCOL.certkeys,v 1.16 2018/10/26 01:23:03 djm Exp $
-$OpenBSD: PROTOCOL.certkeys,v 1.17 2019/11/25 00:57:51 djm Exp $
-$NetBSD: PROTOCOL.certkeys,v 1.12 2020/02/27 00:24:40 christos Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.19 2021/06/05 13:47:00 naddy Exp $
+$NetBSD: PROTOCOL.certkeys,v 1.13 2021/09/02 11:26:17 christos Exp $
diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/dist/auth-options.c
--- a/crypto/external/bsd/openssh/dist/auth-options.c   Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.c   Thu Sep 02 11:26:17 2021 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: auth-options.c,v 1.26 2021/04/19 14:40:15 christos Exp $       */
-/* $OpenBSD: auth-options.c,v 1.95 2021/04/03 06:18:40 djm Exp $ */
+/*     $NetBSD: auth-options.c,v 1.27 2021/09/02 11:26:17 christos Exp $       */
+/* $OpenBSD: auth-options.c,v 1.97 2021/07/24 01:55:19 djm Exp $ */
 
 /*
  * Copyright (c) 2018 Damien Miller <djm%mindrot.org@localhost>
@@ -18,7 +18,7 @@
  */
 
 #include "includes.h"
-__RCSID("$NetBSD: auth-options.c,v 1.26 2021/04/19 14:40:15 christos Exp $");
+__RCSID("$NetBSD: auth-options.c,v 1.27 2021/09/02 11:26:17 christos Exp $");
 #include <sys/types.h>
 #include <sys/queue.h>
 
@@ -326,6 +326,7 @@
        struct sshauthopt *ret = NULL;
        const char *errstr = "unknown error";
        uint64_t valid_before;
+       size_t i, l;
 
        if (errstrp != NULL)
                *errstrp = NULL;
@@ -399,7 +400,7 @@
                            valid_before < ret->valid_before)
                                ret->valid_before = valid_before;
                } else if (opt_match(&opts, "environment")) {
-                       if (ret->nenv > INT_MAX) {
+                       if (ret->nenv > SSH_AUTHOPT_ENV_MAX) {
                                errstr = "too many environment strings";
                                goto fail;
                        }
@@ -411,25 +412,41 @@
                                errstr = "invalid environment string";
                                goto fail;
                        }
-                       if ((cp = strdup(opt)) == NULL)
+                       if ((cp = strdup(opt)) == NULL) {
+                               free(opt);
                                goto alloc_fail;
-                       cp[tmp - opt] = '\0'; /* truncate at '=' */
+                       }
+                       l = (size_t)(tmp - opt);
+                       cp[l] = '\0'; /* truncate at '=' */
                        if (!valid_env_name(cp)) {
                                free(cp);
                                free(opt);
                                errstr = "invalid environment string";
                                goto fail;
                        }
+                       /* Check for duplicates; XXX O(n*log(n)) */
+                       for (i = 0; i < ret->nenv; i++) {
+                               if (strncmp(ret->env[i], cp, l) == 0 &&
+                                   ret->env[i][l] == '=')
+                                       break;
+                       }
                        free(cp);
-                       /* Append it. */
-                       oarray = ret->env;
-                       if ((ret->env = recallocarray(ret->env, ret->nenv,
-                           ret->nenv + 1, sizeof(*ret->env))) == NULL) {
-                               free(opt);
-                               ret->env = oarray; /* put it back for cleanup */
-                               goto alloc_fail;
+                       /* First match wins */
+                       if (i >= ret->nenv) {
+                               /* Append it. */
+                               oarray = ret->env;
+                               if ((ret->env = recallocarray(ret->env,
+                                   ret->nenv, ret->nenv + 1,
+                                   sizeof(*ret->env))) == NULL) {
+                                       free(opt);
+                                       /* put it back for cleanup */
+                                       ret->env = oarray;
+                                       goto alloc_fail;
+                               }
+                               ret->env[ret->nenv++] = opt;
+                               opt = NULL; /* transferred */
                        }
-                       ret->env[ret->nenv++] = opt;
+                       free(opt);
                } else if (opt_match(&opts, "permitopen")) {
                        if (handle_permit(&opts, 0, &ret->permitopen,
                            &ret->npermitopen, &errstr) != 0)
diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/dist/auth-options.h
--- a/crypto/external/bsd/openssh/dist/auth-options.h   Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.h   Thu Sep 02 11:26:17 2021 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: auth-options.h,v 1.14 2020/12/04 18:42:49 christos Exp $       */
-/* $OpenBSD: auth-options.h,v 1.30 2020/08/27 01:07:09 djm Exp $ */
+/*     $NetBSD: auth-options.h,v 1.15 2021/09/02 11:26:17 christos Exp $       */
+/* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */
 
 /*
  * Copyright (c) 2018 Damien Miller <djm%mindrot.org@localhost>
@@ -24,7 +24,10 @@
 struct sshkey;
 
 /* Maximum number of permitopen/permitlisten directives to accept */
-#define SSH_AUTHOPT_PERMIT_MAX 4096
+#define SSH_AUTHOPT_PERMIT_MAX 4096
+
+/* Maximum number of environment directives to accept */
+#define SSH_AUTHOPT_ENV_MAX    1024
 
 /*
  * sshauthopt represents key options parsed from authorized_keys or
diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/dist/auth-pam.c
--- a/crypto/external/bsd/openssh/dist/auth-pam.c       Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-pam.c       Thu Sep 02 11:26:17 2021 +0000
@@ -51,7 +51,7 @@
 /*
  * NetBSD local changes
  */
-__RCSID("$NetBSD: auth-pam.c,v 1.19 2019/04/20 17:16:40 christos Exp $");
+__RCSID("$NetBSD: auth-pam.c,v 1.20 2021/09/02 11:26:17 christos Exp $");
 #define _LIB_PTHREAD_H
 #undef USE_POSIX_THREADS /* Not yet */
 #define HAVE_SECURITY_PAM_APPL_H
@@ -1386,6 +1386,5 @@
        sshpam_maxtries_reached = 1;
        options.password_authentication = 0;
        options.kbd_interactive_authentication = 0;
-       options.challenge_response_authentication = 0;
 }
 #endif /* USE_PAM */
diff -r b1a34f308e66 -r b9210c2b7e8c crypto/external/bsd/openssh/dist/auth.c
--- a/crypto/external/bsd/openssh/dist/auth.c   Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth.c   Thu Sep 02 11:26:17 2021 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: auth.c,v 1.30 2021/04/19 14:40:15 christos Exp $       */
-/* $OpenBSD: auth.c,v 1.152 2021/04/03 06:18:40 djm Exp $ */
+/*     $NetBSD: auth.c,v 1.31 2021/09/02 11:26:17 christos Exp $       */
+/* $OpenBSD: auth.c,v 1.153 2021/07/05 00:50:25 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -26,7 +26,7 @@
  */



Home | Main Index | Thread Index | Old Index