[src/trunk]: src/crypto/external/bsd/openssh/lib Merge our changes from OpenS...
details: https://anonhg.NetBSD.org/src/rev/53750b518f1b
branches: trunk
changeset: 1023300:53750b518f1b
user: christos <christos%NetBSD.org@localhost>
date: Thu Sep 02 11:26:17 2021 +0000
description:
Merge our changes from OpenSSH-8.6 to OpenSSH-8.7
diffstat:
crypto/external/bsd/openssh/bin/scp/Makefile | 3 +-
crypto/external/bsd/openssh/dist/PROTOCOL | 23 +-
crypto/external/bsd/openssh/dist/PROTOCOL.certkeys | 38 +-
crypto/external/bsd/openssh/dist/auth-options.c | 45 +-
crypto/external/bsd/openssh/dist/auth-options.h | 9 +-
crypto/external/bsd/openssh/dist/auth-pam.c | 3 +-
crypto/external/bsd/openssh/dist/auth.c | 10 +-
crypto/external/bsd/openssh/dist/auth2-hostbased.c | 8 +-
crypto/external/bsd/openssh/dist/auth2-kbdint.c | 8 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 15 +-
crypto/external/bsd/openssh/dist/channels.c | 73 +-
crypto/external/bsd/openssh/dist/channels.h | 19 +-
crypto/external/bsd/openssh/dist/clientloop.c | 44 +-
crypto/external/bsd/openssh/dist/compat.c | 8 +-
crypto/external/bsd/openssh/dist/compat.h | 6 +-
crypto/external/bsd/openssh/dist/dns.c | 70 +-
crypto/external/bsd/openssh/dist/dns.h | 5 +-
crypto/external/bsd/openssh/dist/hostfile.c | 9 +-
crypto/external/bsd/openssh/dist/krl.c | 12 +-
crypto/external/bsd/openssh/dist/log.c | 11 +-
crypto/external/bsd/openssh/dist/misc.c | 127 ++-
crypto/external/bsd/openssh/dist/misc.h | 14 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 | 158 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 | 181 ++-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 | 136 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 | 149 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 | 144 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 | 125 +-
crypto/external/bsd/openssh/dist/monitor.c | 20 +-
crypto/external/bsd/openssh/dist/mux.c | 43 +-
crypto/external/bsd/openssh/dist/nchan.c | 12 +-
crypto/external/bsd/openssh/dist/packet.c | 23 +-
crypto/external/bsd/openssh/dist/packet.h | 5 +-
crypto/external/bsd/openssh/dist/readconf.c | 479 ++++++---
crypto/external/bsd/openssh/dist/readconf.h | 12 +-
crypto/external/bsd/openssh/dist/readpass.c | 12 +-
crypto/external/bsd/openssh/dist/scp.1 | 52 +-
crypto/external/bsd/openssh/dist/scp.c | 514 +++++++++-
crypto/external/bsd/openssh/dist/servconf.c | 659 +++++++------
crypto/external/bsd/openssh/dist/servconf.h | 5 +-
crypto/external/bsd/openssh/dist/serverloop.c | 117 +-
crypto/external/bsd/openssh/dist/session.c | 9 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 758 +++++++++++++--
crypto/external/bsd/openssh/dist/sftp-client.h | 39 +-
crypto/external/bsd/openssh/dist/sftp-server.8 | 14 +-
crypto/external/bsd/openssh/dist/sftp-server.c | 69 +-
crypto/external/bsd/openssh/dist/sftp.1 | 7 +-
crypto/external/bsd/openssh/dist/sftp.c | 34 +-
crypto/external/bsd/openssh/dist/sk-usbhid.c | 17 +-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 32 +-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 84 +-
crypto/external/bsd/openssh/dist/ssh-keysign.c | 10 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c | 9 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11.c | 24 +-
crypto/external/bsd/openssh/dist/ssh.1 | 49 +-
crypto/external/bsd/openssh/dist/ssh.c | 114 +-
crypto/external/bsd/openssh/dist/ssh_config.5 | 116 ++-
crypto/external/bsd/openssh/dist/sshbuf-misc.c | 6 +-
crypto/external/bsd/openssh/dist/sshconnect.c | 17 +-
crypto/external/bsd/openssh/dist/sshconnect2.c | 35 +-
crypto/external/bsd/openssh/dist/sshd.8 | 55 +-
crypto/external/bsd/openssh/dist/sshd.c | 66 +-
crypto/external/bsd/openssh/dist/sshd_config | 6 +-
crypto/external/bsd/openssh/dist/sshd_config.5 | 40 +-
crypto/external/bsd/openssh/dist/sshkey.c | 57 +-
crypto/external/bsd/openssh/dist/sshkey.h | 6 +-
crypto/external/bsd/openssh/dist/sshsig.c | 122 +-
crypto/external/bsd/openssh/dist/version.h | 8 +-
crypto/external/bsd/openssh/lib/shlib_version | 4 +-
69 files changed, 3421 insertions(+), 1792 deletions(-)
diffs (truncated from 10077 to 300 lines):
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/bin/scp/Makefile
--- a/crypto/external/bsd/openssh/bin/scp/Makefile Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/bin/scp/Makefile Thu Sep 02 11:26:17 2021 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.5 2020/05/29 12:15:30 christos Exp $
+# $NetBSD: Makefile,v 1.6 2021/09/02 11:26:17 christos Exp $
BINDIR=/usr/bin
PROG= scp
+SRCS= scp.c sftp-client.c sftp-common.c sftp-glob.c
.include <bsd.prog.mk>
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/dist/PROTOCOL
--- a/crypto/external/bsd/openssh/dist/PROTOCOL Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL Thu Sep 02 11:26:17 2021 +0000
@@ -525,6 +525,25 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
+3.9. sftp: Extension request "expand-path%openssh.com@localhost"
+
+This request supports canonicalisation of relative paths and
+those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
+These paths are expanded using shell-like rules and the resultant
+path is canonicalised similarly to SSH2_FXP_REALPATH.
+
+It is implemented as a SSH_FXP_EXTENDED request with the following
+format:
+
+ uint32 id
+ string "expand-path%openssh.com@localhost"
+ string path
+
+Its reply is the same format as that of SSH2_FXP_REALPATH.
+
+This extension is advertised in the SSH_FXP_VERSION hello with version
+"1".
+
4. Miscellaneous changes
4.1 Public key format
@@ -556,5 +575,5 @@
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
-$OpenBSD: PROTOCOL,v 1.41 2021/02/18 02:49:35 djm Exp $
-$NetBSD: PROTOCOL,v 1.16 2021/03/05 17:47:15 christos Exp $
+$OpenBSD: PROTOCOL,v 1.42 2021/08/09 23:47:44 djm Exp $
+$NetBSD: PROTOCOL,v 1.17 2021/09/02 11:26:17 christos Exp $
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/dist/PROTOCOL.certkeys
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.certkeys Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.certkeys Thu Sep 02 11:26:17 2021 +0000
@@ -45,7 +45,7 @@
rsa-sha2-512-cert-v01%openssh.com@localhost
These RSA/SHA-2 types should not appear in keys at rest or transmitted
-on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
+on the wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
field or in the "public key algorithm name" field of a "publickey"
SSH_USERAUTH_REQUEST to indicate that the signature will use the
specified algorithm.
@@ -159,12 +159,11 @@
curve and public key are respectively the ECDSA "[identifier]" and "Q"
defined in section 3.1 of RFC5656.
-pk is the encoded Ed25519 public key as defined by
-draft-josefsson-eddsa-ed25519-03.
+pk is the encoded Ed25519 public key as defined by RFC8032.
serial is an optional certificate serial number set by the CA to
provide an abbreviated way to refer to certificates from that CA.
-If a CA does not wish to number its certificates it must set this
+If a CA does not wish to number its certificates, it must set this
field to zero.
type specifies whether this certificate is for identification of a user
@@ -217,13 +216,13 @@
up to, and including the signature key. Signatures are computed and
encoded according to the rules defined for the CA's public key algorithm
(RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
-types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
+types, and RFC8032 for Ed25519).
Critical options
----------------
The critical options section of the certificate specifies zero or more
-options on the certificates validity. The format of this field
+options on the certificate's validity. The format of this field
is a sequence of zero or more tuples:
string name
@@ -234,7 +233,7 @@
The name field identifies the option and the data field encodes
option-specific information (see below). All options are
-"critical", if an implementation does not recognise a option
+"critical"; if an implementation does not recognise a option,
then the validating party should refuse to accept the certificate.
Custom options should append the originating author or organisation's
@@ -256,10 +255,18 @@
for authentication. Addresses are
specified in CIDR format (nn.nn.nn.nn/nn
or hhhh::hhhh/nn).
- If this option is not present then
+ If this option is not present, then
certificates may be presented from any
source address.
+verify-required empty Flag indicating that signatures made
+ with this certificate must assert FIDO
+ user verification (e.g. PIN or
+ biometric). This option only makes sense
+ for the U2F/FIDO security key types that
+ support this feature in their signature
+ formats.
+
Extensions
----------
@@ -280,11 +287,11 @@
Name Format Description
-----------------------------------------------------------------------------
-no-presence-required empty Flag indicating that signatures made
+no-touch-required empty Flag indicating that signatures made
with this certificate need not assert
- user presence. This option only make
- sense for the U2F/FIDO security key
- types that support this feature in
+ FIDO user presence. This option only
+ makes sense for the U2F/FIDO security
+ key types that support this feature in
their signature formats.
permit-X11-forwarding empty Flag indicating that X11 forwarding
@@ -298,7 +305,7 @@
permit-port-forwarding empty Flag indicating that port-forwarding
should be allowed. If this option is
- not present then no port forwarding will
+ not present, then no port forwarding will
be allowed.
permit-pty empty Flag indicating that PTY allocation
@@ -311,6 +318,5 @@
of this script will not be permitted if
this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.16 2018/10/26 01:23:03 djm Exp $
-$OpenBSD: PROTOCOL.certkeys,v 1.17 2019/11/25 00:57:51 djm Exp $
-$NetBSD: PROTOCOL.certkeys,v 1.12 2020/02/27 00:24:40 christos Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.19 2021/06/05 13:47:00 naddy Exp $
+$NetBSD: PROTOCOL.certkeys,v 1.13 2021/09/02 11:26:17 christos Exp $
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/dist/auth-options.c
--- a/crypto/external/bsd/openssh/dist/auth-options.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.c Thu Sep 02 11:26:17 2021 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-options.c,v 1.26 2021/04/19 14:40:15 christos Exp $ */
-/* $OpenBSD: auth-options.c,v 1.95 2021/04/03 06:18:40 djm Exp $ */
+/* $NetBSD: auth-options.c,v 1.27 2021/09/02 11:26:17 christos Exp $ */
+/* $OpenBSD: auth-options.c,v 1.97 2021/07/24 01:55:19 djm Exp $ */
/*
* Copyright (c) 2018 Damien Miller <djm%mindrot.org@localhost>
@@ -18,7 +18,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth-options.c,v 1.26 2021/04/19 14:40:15 christos Exp $");
+__RCSID("$NetBSD: auth-options.c,v 1.27 2021/09/02 11:26:17 christos Exp $");
#include <sys/types.h>
#include <sys/queue.h>
@@ -326,6 +326,7 @@
struct sshauthopt *ret = NULL;
const char *errstr = "unknown error";
uint64_t valid_before;
+ size_t i, l;
if (errstrp != NULL)
*errstrp = NULL;
@@ -399,7 +400,7 @@
valid_before < ret->valid_before)
ret->valid_before = valid_before;
} else if (opt_match(&opts, "environment")) {
- if (ret->nenv > INT_MAX) {
+ if (ret->nenv > SSH_AUTHOPT_ENV_MAX) {
errstr = "too many environment strings";
goto fail;
}
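Review bot: The new bound on the line `if (ret->nenv > SSH_AUTHOPT_ENV_MAX)` admits one more entry than the header's "maximum number of environment directives" suggests: when nenv already equals the maximum the test is false, the option below is appended, and the array holds SSH_AUTHOPT_ENV_MAX + 1 strings before the next one is rejected. If a hard cap of 1024 is intended, the comparison should be `if (ret->nenv >= SSH_AUTHOPT_ENV_MAX) {`. Replacing INT_MAX with a small bound is the right direction regardless, since each accepted entry costs an allocation and, presumably, a scan of the existing list for duplicates. The enclosing function starts and ends outside this hunk.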
@@ -411,25 +412,41 @@
errstr = "invalid environment string";
goto fail;
}
- if ((cp = strdup(opt)) == NULL)
+ if ((cp = strdup(opt)) == NULL) {
+ free(opt);
goto alloc_fail;
- cp[tmp - opt] = '\0'; /* truncate at '=' */
+ }
+ l = (size_t)(tmp - opt);
+ cp[l] = '\0'; /* truncate at '=' */
if (!valid_env_name(cp)) {
free(cp);
free(opt);
errstr = "invalid environment string";
goto fail;
}
+ /* Check for duplicates; XXX O(n*log(n)) */
+ for (i = 0; i < ret->nenv; i++) {
+ if (strncmp(ret->env[i], cp, l) == 0 &&
+ ret->env[i][l] == '=')
+ break;
+ }
free(cp);
- /* Append it. */
- oarray = ret->env;
- if ((ret->env = recallocarray(ret->env, ret->nenv,
- ret->nenv + 1, sizeof(*ret->env))) == NULL) {
- free(opt);
- ret->env = oarray; /* put it back for cleanup */
- goto alloc_fail;
+ /* First match wins */
+ if (i >= ret->nenv) {
+ /* Append it. */
+ oarray = ret->env;
+ if ((ret->env = recallocarray(ret->env,
+ ret->nenv, ret->nenv + 1,
+ sizeof(*ret->env))) == NULL) {
+ free(opt);
+ /* put it back for cleanup */
+ ret->env = oarray;
+ goto alloc_fail;
+ }
+ ret->env[ret->nenv++] = opt;
+ opt = NULL; /* transferred */
}
- ret->env[ret->nenv++] = opt;
+ free(opt);
} else if (opt_match(&opts, "permitopen")) {
if (handle_permit(&opts, 0, &ret->permitopen,
&ret->npermitopen, &errstr) != 0)
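Review bot: The comment `/* Check for duplicates; XXX O(n*log(n)) */` does not describe the loop beneath it, which is a plain linear scan of ret->env for every environment= option, so parsing k such options costs O(k²) comparisons; this is only tolerable because nenv is now capped by SSH_AUTHOPT_ENV_MAX rather than INT_MAX. I would rewrite it as `/* Check for duplicates: linear scan per option, O(n^2) overall but bounded by SSH_AUTHOPT_ENV_MAX. First definition of a name wins. */`. The ownership handling looks correct: on the duplicate path opt is released by the trailing `free(opt)`, on the append path it is transferred and nulled first, and the strdup failure path now frees opt before jumping to alloc_fail. One behavioural change deserves a comment or a line in the commit message: a repeated name in an authorized_keys option string or certificate no longer yields a second, later-winning entry, and later duplicates are silently dropped rather than rejected with an error. The enclosing function (sshauthopt_parse, presumably) starts and ends outside this hunk.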
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/dist/auth-options.h
--- a/crypto/external/bsd/openssh/dist/auth-options.h Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.h Thu Sep 02 11:26:17 2021 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-options.h,v 1.14 2020/12/04 18:42:49 christos Exp $ */
-/* $OpenBSD: auth-options.h,v 1.30 2020/08/27 01:07:09 djm Exp $ */
+/* $NetBSD: auth-options.h,v 1.15 2021/09/02 11:26:17 christos Exp $ */
+/* $OpenBSD: auth-options.h,v 1.31 2021/07/23 03:57:20 djm Exp $ */
/*
* Copyright (c) 2018 Damien Miller <djm%mindrot.org@localhost>
@@ -24,7 +24,10 @@
struct sshkey;
/* Maximum number of permitopen/permitlisten directives to accept */
-#define SSH_AUTHOPT_PERMIT_MAX 4096
+#define SSH_AUTHOPT_PERMIT_MAX 4096
+
+/* Maximum number of environment directives to accept */
+#define SSH_AUTHOPT_ENV_MAX 1024
/*
* sshauthopt represents key options parsed from authorized_keys or
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/dist/auth-pam.c
--- a/crypto/external/bsd/openssh/dist/auth-pam.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-pam.c Thu Sep 02 11:26:17 2021 +0000
@@ -51,7 +51,7 @@
/*
* NetBSD local changes
*/
-__RCSID("$NetBSD: auth-pam.c,v 1.19 2019/04/20 17:16:40 christos Exp $");
+__RCSID("$NetBSD: auth-pam.c,v 1.20 2021/09/02 11:26:17 christos Exp $");
#define _LIB_PTHREAD_H
#undef USE_POSIX_THREADS /* Not yet */
#define HAVE_SECURITY_PAM_APPL_H
@@ -1386,6 +1386,5 @@
sshpam_maxtries_reached = 1;
options.password_authentication = 0;
options.kbd_interactive_authentication = 0;
- options.challenge_response_authentication = 0;
}
#endif /* USE_PAM */
diff -r db7b85ae78ab -r 53750b518f1b crypto/external/bsd/openssh/dist/auth.c
--- a/crypto/external/bsd/openssh/dist/auth.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/auth.c Thu Sep 02 11:26:17 2021 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth.c,v 1.30 2021/04/19 14:40:15 christos Exp $ */
-/* $OpenBSD: auth.c,v 1.152 2021/04/03 06:18:40 djm Exp $ */
+/* $NetBSD: auth.c,v 1.31 2021/09/02 11:26:17 christos Exp $ */
+/* $OpenBSD: auth.c,v 1.153 2021/07/05 00:50:25 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -26,7 +26,7 @@
*/