Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssh Merge differences between openss...
details: https://anonhg.NetBSD.org/src/rev/cab92e2e1821
branches: trunk
changeset: 362008:cab92e2e1821
user: christos <christos%NetBSD.org@localhost>
date: Wed Feb 23 19:07:20 2022 +0000
description:
Merge differences between openssh-8.8 and openssh-8.9
diffstat:
crypto/external/bsd/openssh/dist/PROTOCOL | 71 +-
crypto/external/bsd/openssh/dist/PROTOCOL.agent | 87 +-
crypto/external/bsd/openssh/dist/PROTOCOL.mux | 8 +-
crypto/external/bsd/openssh/dist/addr.c | 34 +-
crypto/external/bsd/openssh/dist/auth-options.c | 9 +-
crypto/external/bsd/openssh/dist/auth-rhosts.c | 43 +-
crypto/external/bsd/openssh/dist/auth.c | 31 +-
crypto/external/bsd/openssh/dist/auth.h | 7 +-
crypto/external/bsd/openssh/dist/auth2-gss.c | 9 +-
crypto/external/bsd/openssh/dist/auth2-hostbased.c | 15 +-
crypto/external/bsd/openssh/dist/auth2-kbdint.c | 10 +-
crypto/external/bsd/openssh/dist/auth2-krb5.c | 7 +-
crypto/external/bsd/openssh/dist/auth2-none.c | 10 +-
crypto/external/bsd/openssh/dist/auth2-passwd.c | 10 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 54 +-
crypto/external/bsd/openssh/dist/auth2.c | 75 +-
crypto/external/bsd/openssh/dist/authfd.c | 121 ++-
crypto/external/bsd/openssh/dist/authfd.h | 37 +-
crypto/external/bsd/openssh/dist/authfile.c | 8 +-
crypto/external/bsd/openssh/dist/channels.c | 564 ++++++++---
crypto/external/bsd/openssh/dist/channels.h | 33 +-
crypto/external/bsd/openssh/dist/clientloop.c | 242 ++--
crypto/external/bsd/openssh/dist/dns.c | 8 +-
crypto/external/bsd/openssh/dist/hostfile.c | 27 +-
crypto/external/bsd/openssh/dist/kex.c | 53 +-
crypto/external/bsd/openssh/dist/kex.h | 15 +-
crypto/external/bsd/openssh/dist/kexgen.c | 38 +-
crypto/external/bsd/openssh/dist/kexgexc.c | 29 +-
crypto/external/bsd/openssh/dist/kexgexs.c | 19 +-
crypto/external/bsd/openssh/dist/kexsntrup761x25519.c | 8 +-
crypto/external/bsd/openssh/dist/misc.c | 85 +-
crypto/external/bsd/openssh/dist/misc.h | 6 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 | 140 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 | 153 +--
crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 | 144 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 | 121 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 | 155 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 | 116 +-
crypto/external/bsd/openssh/dist/monitor.c | 36 +-
crypto/external/bsd/openssh/dist/mux.c | 9 +-
crypto/external/bsd/openssh/dist/myproposal.h | 5 +-
crypto/external/bsd/openssh/dist/nchan.c | 15 +-
crypto/external/bsd/openssh/dist/packet.c | 109 +-
crypto/external/bsd/openssh/dist/packet.h | 5 +-
crypto/external/bsd/openssh/dist/readconf.c | 32 +-
crypto/external/bsd/openssh/dist/readconf.h | 9 +-
crypto/external/bsd/openssh/dist/rijndael.h | 7 +-
crypto/external/bsd/openssh/dist/scp.1 | 6 +-
crypto/external/bsd/openssh/dist/scp.c | 88 +-
crypto/external/bsd/openssh/dist/servconf.c | 25 +-
crypto/external/bsd/openssh/dist/serverloop.c | 158 +-
crypto/external/bsd/openssh/dist/session.c | 9 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 206 ++-
crypto/external/bsd/openssh/dist/sftp-client.h | 6 +-
crypto/external/bsd/openssh/dist/sftp-server.c | 88 +-
crypto/external/bsd/openssh/dist/sk-usbhid.c | 191 ++-
crypto/external/bsd/openssh/dist/ssh-add.1 | 90 +-
crypto/external/bsd/openssh/dist/ssh-add.c | 222 ++++-
crypto/external/bsd/openssh/dist/ssh-agent.c | 721 +++++++++++++++-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 39 +-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 251 +++-
crypto/external/bsd/openssh/dist/ssh-keyscan.c | 73 +-
crypto/external/bsd/openssh/dist/ssh-keysign.c | 52 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c | 9 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11.c | 14 +-
crypto/external/bsd/openssh/dist/ssh-sk-client.c | 103 +-
crypto/external/bsd/openssh/dist/ssh-sk-helper.c | 38 +-
crypto/external/bsd/openssh/dist/ssh-sk.c | 98 +-
crypto/external/bsd/openssh/dist/ssh.1 | 12 +-
crypto/external/bsd/openssh/dist/ssh.c | 25 +-
crypto/external/bsd/openssh/dist/ssh_config.5 | 22 +-
crypto/external/bsd/openssh/dist/sshbuf-misc.c | 41 +-
crypto/external/bsd/openssh/dist/sshbuf.h | 11 +-
crypto/external/bsd/openssh/dist/sshconnect.c | 9 +-
crypto/external/bsd/openssh/dist/sshconnect2.c | 84 +-
crypto/external/bsd/openssh/dist/sshd.c | 71 +-
crypto/external/bsd/openssh/dist/sshd_config.5 | 19 +-
crypto/external/bsd/openssh/dist/sshkey.c | 30 +-
crypto/external/bsd/openssh/dist/sshkey.h | 8 +-
crypto/external/bsd/openssh/dist/sshsig.c | 289 +++--
crypto/external/bsd/openssh/dist/umac.c | 9 +-
crypto/external/bsd/openssh/dist/umac.h | 6 +-
crypto/external/bsd/openssh/dist/version.h | 8 +-
crypto/external/bsd/openssh/dist/xmalloc.h | 2 +-
crypto/external/bsd/openssh/lib/shlib_version | 4 +-
85 files changed, 3996 insertions(+), 1970 deletions(-)
diffs (truncated from 11356 to 300 lines):
diff -r 31cb52699793 -r cab92e2e1821 crypto/external/bsd/openssh/dist/PROTOCOL
--- a/crypto/external/bsd/openssh/dist/PROTOCOL Wed Feb 23 19:04:26 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL Wed Feb 23 19:07:20 2022 +0000
@@ -342,9 +342,41 @@
extension signal "INFO%openssh.com@localhost" that allows sending SIGINFO on
BSD-derived systems.
-3. SFTP protocol changes
+3. Authentication protocol changes
+
+3.1. Host-bound public key authentication
+
+This is trivial change to the traditional "publickey" authentication
+method. The authentication request is identical to the original method
+but for the name and one additional field:
+
+ byte SSH2_MSG_USERAUTH_REQUEST
+ string username
+ string "ssh-connection"
+ string "publickey-hostbound-v00%openssh.com@localhost"
+ bool has_signature
+ string pkalg
+ string public key
+ string server host key
-3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
+Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in
+the signed data, this ensures that a binding between the destination
+user, the server identity and the session identifier is visible to the
+signer. OpenSSH uses this binding via signed data to implement per-key
+restrictions in ssh-agent.
+
+A server may advertise this method using the SSH2_MSG_EXT_INFO
+mechanism (RFC8308), with the following message:
+
+ string "publickey-hostbound%openssh.com@localhost"
+ string "0" (version)
+
+Clients should prefer host-bound authentication when advertised by
+server.
+
+4. SFTP protocol changes
+
+4.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
When OpenSSH's sftp-server was implemented, the order of the arguments
to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
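Review bot: the first sentence of the new section 3.1 drops an article, "This is trivial change to the traditional "publickey" authentication method"; make it "This is a trivial change". The closing sentence has the same problem, "when advertised by server"; make it "by the server". On substance, the paragraph after the message layout is the security-relevant one and could state the consequence more directly: because "string server host key" sits inside the signed data, a signer such as ssh-agent can see which server a signature request is destined for, which is what lets the per-key destination restrictions mentioned here be enforced rather than merely advisory. One documentation gap: the SSH2_MSG_EXT_INFO advertisement carries a version string "0", but nothing says what a client does with a version it does not recognise; a sentence such as "clients MUST ignore unrecognised versions", mirroring the "Clients MUST check the version number" language used for SFTP extensions later in this file, would close that ambiguity.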
@@ -357,7 +389,7 @@
string targetpath
string linkpath
-3.2. sftp: Server extension announcement in SSH_FXP_VERSION
+4.2. sftp: Server extension announcement in SSH_FXP_VERSION
OpenSSH's sftp-server lists the extensions it supports using the
standard extension announcement mechanism in the SSH_FXP_VERSION server
@@ -378,7 +410,7 @@
extension with multiple versions (though this is unlikely). Clients MUST
check the version number before attempting to use the extension.
-3.3. sftp: Extension request "posix-rename%openssh.com@localhost"
+4.3. sftp: Extension request "posix-rename%openssh.com@localhost"
This operation provides a rename operation with POSIX semantics, which
are different to those provided by the standard SSH_FXP_RENAME in
@@ -395,7 +427,7 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-3.4. sftp: Extension requests "statvfs%openssh.com@localhost" and
+4.4. sftp: Extension requests "statvfs%openssh.com@localhost" and
"fstatvfs%openssh.com@localhost"
These requests correspond to the statvfs and fstatvfs POSIX system
@@ -436,7 +468,7 @@
Both the "statvfs%openssh.com@localhost" and "fstatvfs%openssh.com@localhost" extensions are
advertised in the SSH_FXP_VERSION hello with version "2".
-3.5. sftp: Extension request "hardlink%openssh.com@localhost"
+4.5. sftp: Extension request "hardlink%openssh.com@localhost"
This request is for creating a hard link to a regular file. This
request is implemented as a SSH_FXP_EXTENDED request with the
@@ -452,7 +484,7 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-3.6. sftp: Extension request "fsync%openssh.com@localhost"
+4.6. sftp: Extension request "fsync%openssh.com@localhost"
This request asks the server to call fsync(2) on an open file handle.
@@ -466,7 +498,7 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-3.7. sftp: Extension request "lsetstat%openssh.com@localhost"
+4.7. sftp: Extension request "lsetstat%openssh.com@localhost"
This request is like the "setstat" command, but sets file attributes on
symlinks. It is implemented as a SSH_FXP_EXTENDED request with the
@@ -482,7 +514,7 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-3.8. sftp: Extension request "limits%openssh.com@localhost"
+4.8. sftp: Extension request "limits%openssh.com@localhost"
This request is used to determine various limits the server might impose.
Clients should not attempt to exceed these limits as the server might sever
@@ -525,7 +557,7 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-3.9. sftp: Extension request "expand-path%openssh.com@localhost"
+4.9. sftp: Extension request "expand-path%openssh.com@localhost"
This request supports canonicalisation of relative paths and
those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
@@ -544,9 +576,9 @@
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-4. Miscellaneous changes
+5. Miscellaneous changes
-4.1 Public key format
+5.1 Public key format
OpenSSH public keys, as generated by ssh-keygen(1) and appearing in
authorized_keys files, are formatted as a single line of text consisting
@@ -557,23 +589,28 @@
and the "New public key formats" section of PROTOCOL.certkeys for the
OpenSSH certificate formats.
-4.2 Private key format
+5.2 Private key format
OpenSSH private keys, as generated by ssh-keygen(1) use the format
described in PROTOCOL.key by default. As a legacy option, PEM format
(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
and were the default format before OpenSSH 7.8.
-4.3 KRL format
+5.3 KRL format
OpenSSH supports a compact format for Key Revocation Lists (KRLs). This
format is described in the PROTOCOL.krl file.
-4.4 Connection multiplexing
+5.4 Connection multiplexing
OpenSSH's connection multiplexing uses messages as described in
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
-$OpenBSD: PROTOCOL,v 1.42 2021/08/09 23:47:44 djm Exp $
-$NetBSD: PROTOCOL,v 1.17 2021/09/02 11:26:17 christos Exp $
+5.5. Agent protocol extensions
+
+OpenSSH extends the usual agent protocol. These changes are documented
+in the PROTOCOL.agent file.
+
+$OpenBSD: PROTOCOL,v 1.43 2021/12/19 22:15:42 djm Exp $
+$NetBSD: PROTOCOL,v 1.18 2022/02/23 19:07:20 christos Exp $
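Review bot: heading punctuation is inconsistent within this hunk; the new "+5.5. Agent protocol extensions" carries a trailing period while the renumbered "+5.1 Public key format" through "+5.4 Connection multiplexing" do not. Suggest "5.5 Agent protocol extensions" to match the rest of section 5.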
diff -r 31cb52699793 -r cab92e2e1821 crypto/external/bsd/openssh/dist/PROTOCOL.agent
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.agent Wed Feb 23 19:04:26 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.agent Wed Feb 23 19:07:20 2022 +0000
@@ -1,6 +1,85 @@
-$NetBSD: PROTOCOL.agent,v 1.11 2021/03/05 17:47:15 christos Exp $
-This file used to contain a description of the SSH agent protocol
-implemented by OpenSSH. It has since been superseded by
+$NetBSD: PROTOCOL.agent,v 1.12 2022/02/23 19:07:20 christos Exp $
+The SSH agent protocol is described in
https://tools.ietf.org/html/draft-miller-ssh-agent-04
-$OpenBSD: PROTOCOL.agent,v 1.14 2020/10/06 07:12:04 dtucker Exp $
+This file document's OpenSSH's extensions to the agent protocol.
+
+1. session-bind%openssh.com@localhost extension
+
+This extension allows a ssh client to bind an agent connection to a
+particular SSH session identifier as derived from the initial key
+exchange (as per RFC4253 section 7.2) and the host key used for that
+exchange. This binding is verifiable at the agent by including the
+initial KEX signature made by the host key.
+
+The message format is:
+
+ byte SSH_AGENTC_EXTENSION (0x1b)
+ string session-bind%openssh.com@localhost
+ string hostkey
+ string session identifier
+ string signature
+ bool is_forwarding
+
+Where 'hostkey' is the encoded server host public key, 'session
+identifier' is the exchange hash derived from the initial key
+exchange, 'signature' is the server's signature of the session
+identifier using the private hostkey, as sent in the final
+SSH2_MSG_KEXDH_REPLY/SSH2_MSG_KEXECDH_REPLY message of the initial key
+exchange. 'is_forwarding' is a flag indicating whether this connection
+should be bound for user authentication or forwarding.
+
+When an agent received this message, it will verify the signature and
+check the consistency of its contents, including refusing to accept
+a duplicate session identifier, or any attempt to bind a connection
+previously bound for authentication. It will then then record the
+binding for the life of the connection for use later in testing per-key
+destination constraints.
+
+2. restrict-destination-v00%openssh.com@localhost key constraint extension
+
+The key constraint extension supports destination- and forwarding path-
+restricted keys. It may be attached as a constraint when keys or
+smartcard keys are added to an agent.
+
+ byte SSH_AGENT_CONSTRAIN_EXTENSION (0xff)
+ string restrict-destination-v00%openssh.com@localhost
+ constraint[] constraints
+
+Where a constraint consists of:
+
+ string from_username (must be empty)
+ string from_hostname
+ keyspec[] from_hostkeys
+ string to_username
+ string to_hostname
+ keyspec[] to_hostkeys
+
+An a keyspec consists of:
+
+ string keyblob
+ bool is_ca
+
+When receiving this message, the agent will ensure that the
+'from_username' field is empty, and that 'to_hostname' and 'to_hostkeys'
+have been supplied (empty 'from_hostname' and 'from_hostkeys' are valid
+and signify the initial hop from the host running ssh-agent). The agent
+will then record the constraint against the key.
+
+Subsequent operations on this key including add/remove/request
+identities and, in particular, signature requests will check the key
+constraints against the session-bind%openssh.com@localhost bindings recorded for
+the agent connection over which they were received.
+
+3. SSH_AGENT_CONSTRAIN_MAXSIGN key constraint
+
+This key constraint allows communication to an agent of the maximum
+number of signatures that may be made with an XMSS key. The format of
+the constraint is:
+
+ byte SSH_AGENT_CONSTRAIN_MAXSIGN (0x03)
+ uint32 max_signatures
+
+This option is only valid for XMSS keys.
+
+$OpenBSD: PROTOCOL.agent,v 1.16 2022/01/01 01:55:30 jsg Exp $
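Review bot: section 2 describes what the agent validates ('from_username' empty, 'to_hostname' and 'to_hostkeys' supplied, empty 'from_hostname'/'from_hostkeys' meaning the first hop) but says nothing about 'to_username'; state whether it may be empty and what an empty value means, otherwise other agent implementations cannot match ssh-agent's matching behaviour. In section 1, "it will verify the signature and check the consistency of its contents" should also say what the agent does when verification fails (refuse the bind and return a failure reply), since that refusal is the whole point of making the binding verifiable. Several typos in the added text: "This file document's OpenSSH's extensions" should read "This file documents OpenSSH's extensions"; "When an agent received this message" should be "receives"; "It will then then record" doubles "then"; "An a keyspec consists of" should be "A keyspec consists of".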
diff -r 31cb52699793 -r cab92e2e1821 crypto/external/bsd/openssh/dist/PROTOCOL.mux
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.mux Wed Feb 23 19:04:26 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.mux Wed Feb 23 19:07:20 2022 +0000
@@ -15,7 +15,7 @@
field. This field is returned in replies as "client request id" to
facilitate matching of responses to requests.
-Many muliplexing (mux) client requests yield immediate responses from
+Many multiplexing (mux) client requests yield immediate responses from
the mux process; requesting a forwarding, performing an alive check or
requesting the master terminate itself fall in to this category.
@@ -216,7 +216,7 @@
9. Requesting proxy mode
-A client may request that the the control connection be placed in proxy
+A client may request that the control connection be placed in proxy
mode:
uint32 MUX_C_PROXY
@@ -295,5 +295,5 @@
XXX signals via mux request
XXX list active connections via mux
-$OpenBSD: PROTOCOL.mux,v 1.12 2020/03/13 03:17:07 djm Exp $
-$NetBSD: PROTOCOL.mux,v 1.11 2020/05/28 17:05:49 christos Exp $
+$OpenBSD: PROTOCOL.mux,v 1.13 2022/01/01 01:55:30 jsg Exp $
+$NetBSD: PROTOCOL.mux,v 1.12 2022/02/23 19:07:20 christos Exp $
diff -r 31cb52699793 -r cab92e2e1821 crypto/external/bsd/openssh/dist/addr.c
--- a/crypto/external/bsd/openssh/dist/addr.c Wed Feb 23 19:04:26 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/addr.c Wed Feb 23 19:07:20 2022 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: addr.c,v 1.2 2021/03/05 17:47:15 christos Exp $ */
-/* $OpenBSD: addr.c,v 1.1 2021/01/09 11:58:50 dtucker Exp $ */
+/* $NetBSD: addr.c,v 1.3 2022/02/23 19:07:20 christos Exp $ */
+/* $OpenBSD: addr.c,v 1.4 2021/10/22 10:51:57 dtucker Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm%mindrot.org@localhost>
@@ -18,7 +18,7 @@
*/