author Colin Watson <cjwatson@debian.org> 2020-06-07 10:19:23 +0100
committer Colin Watson <cjwatson@debian.org> 2020-06-07 10:19:23 +0100
commit 202f5a676221c244cd450086c334c2b59f339e86 (patch)
tree d2f90a3a9ce2b33485c271eab01a48f02ef6fb5a /ChangeLog
parent f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (diff)
parent 9ca7e9c861775dd6c6312bc8aaab687403d24676 (diff)
Import openssh_8.3p1.orig.tar.gz
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 2828
1 files changed, 1421 insertions, 1407 deletions
diff --git a/ChangeLog b/ChangeLog
index fbbbca0ed..f283a8b3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,1424 @@
1commit 9ca7e9c861775dd6c6312bc8aaab687403d24676
2Author: Damien Miller <djm@mindrot.org>
3Date: Wed May 27 10:38:00 2020 +1000
4
5 depend
6
7commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1
8Author: djm@openbsd.org <djm@openbsd.org>
9Date: Mon May 18 04:29:35 2020 +0000
10
11 upstream: avoid possible NULL deref; from Pedro Martelletto
12
13 OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721
14
15commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d
16Author: Damien Miller <djm@mindrot.org>
17Date: Thu May 14 12:22:09 2020 +1000
18
19 prefer ln to cp for temporary copy of sshd
20
21 I saw failures on the reexec fallback test on Darwin 19.4 where
22 fork()ed children of a process that had it's executable removed
23 would instantly fail. Using ln to preserve the inode avoids this.
24
25commit f700d316c6b15a9cfbe87230d2dca81a5d916279
26Author: Darren Tucker <dtucker@dtucker.net>
27Date: Wed May 13 15:24:51 2020 +1000
28
29 Actually skip pty tests when needed.
30
31commit 08ce6b2210f46f795e7db747809f8e587429dfd2
32Author: Darren Tucker <dtucker@dtucker.net>
33Date: Wed May 13 13:56:45 2020 +1000
34
35 Skip building sk-dummy library if no SK support.
36
37commit 102d106bc2e50347d0e545fad6ff5ce408d67247
38Author: Damien Miller <djm@mindrot.org>
39Date: Wed May 13 12:08:34 2020 +1000
40
41 explicitly manage .depend and .depend.bak
42
43 Bring back removal of .depend to give the file a known state before
44 running makedepend, but manually move aside the current .depend file
45 and restore it as .depend.bak afterwards so the stale .depend check
46 works as expected.
47
48commit 83a6dc6ba1e03b3fa39d12a8522b8b0e68dd6390
49Author: Damien Miller <djm@mindrot.org>
50Date: Wed May 13 12:03:42 2020 +1000
51
52 make depend
53
54commit 7c0bbed967abed6301a63e0267cc64144357a99a
55Author: Damien Miller <djm@mindrot.org>
56Date: Wed May 13 12:01:10 2020 +1000
57
58 revert removal of .depend before makedepend
59
60 Commit 83657eac4 started removing .depend before running makedepend
61 to reset the contents of .depend to a known state. Unfortunately
62 this broke the depend-check step as now .depend.bak would only ever
63 be created as an empty file.
64
65 ok dtucker
66
67commit 58ad004acdcabf3b9f40bc3aaa206b25d998db8c
68Author: Damien Miller <djm@mindrot.org>
69Date: Tue May 12 12:58:46 2020 +1000
70
71 prepare for 8.3 release
72
73commit 4fa9e048c2af26beb7dc2ee9479ff3323e92a7b5
74Author: Darren Tucker <dtucker@dtucker.net>
75Date: Fri May 8 21:50:43 2020 +1000
76
77 Ensure SA_SIGNAL test only signals itself.
78
79 When the test's child signals its parent and it exits the result of
80 getppid changes. On Ubuntu 20.04 this results in the ppid being that
81 of the GDM session, causing it to exit. Analysis and testing from pedro
82 at ambientworks.net
83
84commit dc2da29aae76e170d22f38bb36f1f5d1edd5ec2b
85Author: Damien Miller <djm@mindrot.org>
86Date: Fri May 8 13:31:53 2020 +1000
87
88 sync config.guess/config.sub with latest versions
89
90 ok dtucker@
91
92commit a8265bd64c14881fc7f4fa592f46dfc66b911f17
93Author: djm@openbsd.org <djm@openbsd.org>
94Date: Wed May 6 20:58:01 2020 +0000
95
96 upstream: openssh-8.3; ok deraadt@
97
98 OpenBSD-Commit-ID: c8831ec88b9c750f5816aed9051031fb535d22c1
99
100commit 955854cafca88e0cdcd3d09ca1ad4ada465364a1
101Author: djm@openbsd.org <djm@openbsd.org>
102Date: Wed May 6 20:57:38 2020 +0000
103
104 upstream: another case where a utimes() failure could make scp send
105
106 a desynchronising error; reminded by Aymeric Vincent ok deraadt markus
107
108 OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381
109
110commit 59d531553fd90196946743da391f3a27cf472f4e
111Author: Darren Tucker <dtucker@dtucker.net>
112Date: Thu May 7 15:34:12 2020 +1000
113
114 Check if -D_REENTRANT is needed for localtime_r.
115
116 On at least HP-UX 11.11, the localtime_r declararation is behind
117 ifdef _REENTRANT. Check for and add if needed.
118
119commit c13403e55de8cdbb9da628ed95017b1d4c0f205f
120Author: Darren Tucker <dtucker@dtucker.net>
121Date: Tue May 5 11:32:43 2020 +1000
122
123 Skip security key tests if ENABLE_SK not set.
124
125commit 4da393f87cd52d788c84112ee3f2191c9bcaaf30
126Author: djm@openbsd.org <djm@openbsd.org>
127Date: Fri May 1 04:03:14 2020 +0000
128
129 upstream: sure enough, some of the test data that we though were in
130
131 new format were actually in the old format; fix from Michael Forney
132
133 OpenBSD-Regress-ID: a41a5c43a61b0f0b1691994dbf16dfb88e8af933
134
135commit 15bfafc1db4c8792265ada9623a96f387990f732
136Author: djm@openbsd.org <djm@openbsd.org>
137Date: Fri May 1 04:00:29 2020 +0000
138
139 upstream: make mktestdata.sh generate old/new format keys that we
140
141 expect. This script was written before OpenSSH switched to new-format private
142 keys by default and was never updated to the change (until now) From Michael
143 Forney
144
145 OpenBSD-Regress-ID: 38cf354715c96852e5b71c2393fb6e7ad28b7ca7
146
147commit 7882d2eda6ad3eb82220a85294de545d20ef82db
148Author: djm@openbsd.org <djm@openbsd.org>
149Date: Fri May 1 03:58:02 2020 +0000
150
151 upstream: portability fix for sed that always emil a newline even
152
153 if the input does not contain one; from Michael Forney
154
155 OpenBSD-Regress-ID: 9190c3ddf0d2562ccc02c4a95fce0e392196bfc7
156
157commit 8074f9499e454df0acdacea33598858a1453a357
158Author: djm@openbsd.org <djm@openbsd.org>
159Date: Fri May 1 03:36:25 2020 +0000
160
161 upstream: remove obsolete RSA1 test keys; spotted by Michael Forney
162
163 OpenBSD-Regress-ID: 6384ba889594e217d166908ed8253718ab0866da
164
165commit c697e46c314aa94574af0d393d80f23e0ebc9748
166Author: Darren Tucker <dtucker@dtucker.net>
167Date: Sat May 2 18:34:47 2020 +1000
168
169 Update .depend.
170
171commit 83657eac42941f270c4b02b2c46d9a21f616ef99
172Author: Darren Tucker <dtucker@dtucker.net>
173Date: Sat May 2 18:29:40 2020 +1000
174
175 Remove use of tail for 'make depend'.
176
177 Not every tail supports +N and we can do with out it so just remove it.
178 Prompted by mforney at mforney.org.
179
180commit d25d630d24c5a1c64d4e646510e79dc22d6d7b88
181Author: djm@openbsd.org <djm@openbsd.org>
182Date: Sat May 2 07:19:43 2020 +0000
183
184 upstream: we have a sshkey_save_public() function to save public keys;
185
186 use it and save a bunch of redundant code.
187
188 Patch from loic AT venez.fr; ok markus@ djm@
189
190 OpenBSD-Commit-ID: f93e030a0ebcd0fd9054ab30db501ec63454ea5f
191
192commit e9dc9863723e111ae05e353d69df857f0169544a
193Author: Darren Tucker <dtucker@dtucker.net>
194Date: Fri May 1 18:32:25 2020 +1000
195
196 Use LONG_LONG_MAX and friends if available.
197
198 If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX}
199 then use those instead. We do calculate these values in configure,
200 but it turns out that at least one compiler (old HP ANSI C) can't
201 parse "-9223372036854775808LL" without mangling it. (It can parse
202 "-9223372036854775807LL" which is presumably why its limits.h defines
203 LONG_LONG_MIN as the latter minus 1.)
204
205 Fixes rekey test when compiled with the aforementioned compiler.
206
207commit aad87b88fc2536b1ea023213729aaf4eaabe1894
208Author: djm@openbsd.org <djm@openbsd.org>
209Date: Fri May 1 06:31:42 2020 +0000
210
211 upstream: when receving a file in sink(), be careful to send at
212
213 most a single error response after the file has been opened. Otherwise the
214 source() and sink() can become desyncronised. Reported by Daniel Goujot,
215 Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.
216
217 ok deraadt@ markus@
218
219 OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035
220
221commit 31909696c4620c431dd55f6cd15db65c4e9b98da
222Author: djm@openbsd.org <djm@openbsd.org>
223Date: Fri May 1 06:28:52 2020 +0000
224
225 upstream: expose vasnmprintf(); ok (as part of other commit) markus
226
227 deraadt
228
229 OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5
230
231commit 99ce9cefbe532ae979744c6d956b49f4b02aff82
232Author: djm@openbsd.org <djm@openbsd.org>
233Date: Fri May 1 04:23:11 2020 +0000
234
235 upstream: avoid NULL dereference when attempting to convert invalid
236
237 ssh.com private keys using "ssh-keygen -i"; spotted by Michael Forney
238
239 OpenBSD-Commit-ID: 2e56e6d26973967d11d13f56ea67145f435bf298
240
241commit 6c6072ba8b079e6f5caa38b011a6f4570c14ed38
242Author: Darren Tucker <dtucker@dtucker.net>
243Date: Fri May 1 15:09:26 2020 +1000
244
245 See if SA_RESTART signals will interrupt select().
246
247 On some platforms (at least older HP-UXes such as 11.11, possibly others)
248 setting SA_RESTART on signal handers will cause it to not interrupt
249 select(), at least for calls that do not specify a timeout. Try to
250 detect this and if found, don't use SA_RESTART.
251
252 POSIX says "If SA_RESTART has been set for the interrupting signal, it
253 is implementation-dependent whether select() restarts or returns with
254 [EINTR]" so this behaviour is within spec.
255
256commit 90a0b434ed41f9c505662dba8782591818599cb3
257Author: Damien Miller <djm@mindrot.org>
258Date: Fri May 1 13:55:03 2020 +1000
259
260 fix reversed test
261
262commit c0dfd18dd1c2107c73d18f70cd164f7ebd434b08
263Author: Damien Miller <djm@mindrot.org>
264Date: Fri May 1 13:29:16 2020 +1000
265
266 wrap sha2.h inclusion in #ifdef HAVE_SHA2_H
267
268commit a01817a9f63dbcbbc6293aacc4019993a4cdc7e3
269Author: djm@openbsd.org <djm@openbsd.org>
270Date: Tue Apr 28 04:59:29 2020 +0000
271
272 upstream: adapt dummy FIDO middleware to API change; ok markus@
273
274 OpenBSD-Regress-ID: 8bb84ee500c2eaa5616044314dd0247709a1790f
275
276commit 261571ddf02ea38fdb5e4a97c69ee53f847ca5b7
277Author: jmc@openbsd.org <jmc@openbsd.org>
278Date: Thu Apr 30 18:28:37 2020 +0000
279
280 upstream: tweak previous; ok markus
281
282 OpenBSD-Commit-ID: 41895450ce2294ec44a5713134491cc31f0c09fd
283
284commit 5de21c82e1d806d3e401b5338371e354b2e0a66f
285Author: markus@openbsd.org <markus@openbsd.org>
286Date: Thu Apr 30 17:12:20 2020 +0000
287
288 upstream: bring back debug() removed in rev 1.74; noted by pradeep
289
290 kumar
291
292 OpenBSD-Commit-ID: 8d134d22ab25979078a3b48d058557d49c402e65
293
294commit ea14103ce9a5e13492e805f7e9277516ff5a4273
295Author: markus@openbsd.org <markus@openbsd.org>
296Date: Thu Apr 30 17:07:10 2020 +0000
297
298 upstream: run the 2nd ssh with BatchMode for scp -3
299
300 OpenBSD-Commit-ID: 77994fc8c7ca02d88e6d0d06d0f0fe842a935748
301
302commit 59d2de956ed29aa5565ed5e5947a7abdb27ac013
303Author: djm@openbsd.org <djm@openbsd.org>
304Date: Tue Apr 28 04:02:29 2020 +0000
305
306 upstream: when signing a challenge using a FIDO toke, perform the
307
308 hashing in the middleware layer rather than in ssh code. This allows
309 middlewares that call APIs that perform the hashing implicitly (including
310 Microsoft's AFAIK). ok markus@
311
312 OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
313
314commit c9d10dbc0ccfb1c7568bbb784f7aeb7a0b5ded12
315Author: dtucker@openbsd.org <dtucker@openbsd.org>
316Date: Sun Apr 26 09:38:14 2020 +0000
317
318 upstream: Fix comment typo. Patch from mforney at mforney.org.
319
320 OpenBSD-Commit-ID: 3565f056003707a5e678e60e03f7a3efd0464a2b
321
322commit 4d2c87b4d1bde019cdd0f00552fcf97dd8b39940
323Author: dtucker@openbsd.org <dtucker@openbsd.org>
324Date: Sat Apr 25 06:59:36 2020 +0000
325
326 upstream: We've standardized on memset over bzero, replace a couple
327
328 that had slipped in. ok deraadt markus djm.
329
330 OpenBSD-Commit-ID: f5be055554ee93e6cc66b0053b590bef3728dbd6
331
332commit 7f23f42123d64272a7b00754afa6b0841d676691
333Author: Darren Tucker <dtucker@dtucker.net>
334Date: Fri May 1 12:21:58 2020 +1000
335
336 Include sys/byteorder.h for htons and friends.
337
338 These are usually in netinet/in.h but on HP-UX they are not defined if
339 _XOPEN_SOURCE_EXTENDED is set. Only needed for netcat in the regression
340 tests.
341
342commit d27cba58c972d101a5de976777e518f34ac779cb
343Author: Darren Tucker <dtucker@dtucker.net>
344Date: Fri May 1 09:21:52 2020 +1000
345
346 Fix conditional for openssl-based chacha20.
347
348 Fixes warnings or link errors when building against older OpenSSLs.
349 ok djm
350
351commit 20819b962dc1467cd6fad5486a7020c850efdbee
352Author: Darren Tucker <dtucker@dtucker.net>
353Date: Fri Apr 24 15:07:55 2020 +1000
354
355 Error out if given RDomain if unsupported.
356
357 If the config contained 'RDomain %D' on a platform that did not support
358 it, the error would not be detected until runtime resulting in a broken
359 sshd. Detect this earlier and error out if found. bz#3126, based on a
360 patch from jjelen at redhat.com, tweaks and ok djm@
361
362commit 2c1690115a585c624eed2435075a93a463a894e2
363Author: dtucker@openbsd.org <dtucker@openbsd.org>
364Date: Fri Apr 24 03:33:21 2020 +0000
365
366 upstream: Fix incorrect error message for "too many known hosts files."
367
368 bz#3149, patch from jjelen at redhat.com.
369
370 OpenBSD-Commit-ID: e0fcb07ed5cf7fd54ce340471a747c24454235e5
371
372commit 3beb7276e7a8aedd3d4a49f9c03b97f643448c92
373Author: dtucker@openbsd.org <dtucker@openbsd.org>
374Date: Fri Apr 24 02:19:40 2020 +0000
375
376 upstream: Remove leave_non_blocking() which is now dead code
377
378 because nothing sets in_non_blocking_mode any more. Patch from
379 michaael.meeks at collabora.com, ok djm@
380
381 OpenBSD-Commit-ID: c403cefe97a5a99eca816e19cc849cdf926bd09c
382
383commit 8654e3561772f0656e7663a0bd6a1a8cb6d43300
384Author: jmc@openbsd.org <jmc@openbsd.org>
385Date: Thu Apr 23 21:28:09 2020 +0000
386
387 upstream: ce examples of "Ar arg Ar arg" with "Ar arg arg" and
388
389 stop the spread;
390
391 OpenBSD-Commit-ID: af0e952ea0f5e2019c2ce953ed1796eca47f0705
392
393commit 67697e4a8246dd8423e44b8785f3ee31fee72d07
394Author: Darren Tucker <dtucker@dtucker.net>
395Date: Fri Apr 24 11:10:18 2020 +1000
396
397 Update .depend.
398
399commit d6cc76176216fe3fac16cd20d148d75cb9c50876
400Author: Darren Tucker <dtucker@dtucker.net>
401Date: Wed Apr 22 14:07:00 2020 +1000
402
403 Mailing list is now closed to non-subscribers.
404
405 While there, add a reference to the bugzilla. ok djm@
406
407commit cecde6a41689d0ae585ec903b190755613a6de79
408Author: Darren Tucker <dtucker@dtucker.net>
409Date: Wed Apr 22 12:09:40 2020 +1000
410
411 Put the values from env vars back.
412
413 This merges the values from the recently removed environment into make's
414 command line arguments since we actually need those.
415
416commit 300c4322b92e98d3346efa0aec1c094c94d0f964
417Author: Darren Tucker <dtucker@dtucker.net>
418Date: Wed Apr 22 11:33:15 2020 +1000
419
420 Pass configure's egrep through to test-exec.sh.
421
422 Use it to create a wrapper function to call it from tests. Fixes the
423 keygen-comment test on platforms with impoverished default egrep (eg
424 Solaris).
425
426commit c8d9796cfe046f00eb8b2096d2b7028d6a523a84
427Author: Darren Tucker <dtucker@dtucker.net>
428Date: Wed Apr 22 10:56:44 2020 +1000
429
430 Remove unneeded env vars from t-exec invocation.
431
432commit 01d4cdcd4514e99a4b6eb9523cd832bbf008d1d7
433Author: dtucker@openbsd.org <dtucker@openbsd.org>
434Date: Tue Apr 21 23:14:58 2020 +0000
435
436 upstream: Backslash '$' at then end of string. Prevents warning on
437
438 some shells.
439
440 OpenBSD-Regress-ID: 5dc27ab624c09d34078fd326b10e38c1ce9c741f
441
442commit 8854724ccefc1fa16f10b37eda2e759c98148caa
443Author: Darren Tucker <dtucker@dtucker.net>
444Date: Tue Apr 21 18:27:23 2020 +1000
445
446 Sync rev 1.49.
447
448 Prevent infinite for loop since i went from ssize_t to size_t. Patch from
449 eagleoflqj via OpenSSH github PR#178, ok djm@, feedback & ok millert@
450
451commit d00d07b6744d3b4bb7aca46c734ecd670148da23
452Author: djm@openbsd.org <djm@openbsd.org>
453Date: Mon Apr 20 04:44:47 2020 +0000
454
455 upstream: regression test for printing of private key fingerprints and
456
457 key comments, mostly by loic AT venez.fr (slightly tweaked for portability)
458 ok dtucker@
459
460 OpenBSD-Regress-ID: 8dc6c4feaf4fe58b6d634cd89afac9a13fd19004
461
462commit a98d5ba31e5e7e01317352f85fa63b846a960f8c
463Author: djm@openbsd.org <djm@openbsd.org>
464Date: Mon Apr 20 04:43:57 2020 +0000
465
466 upstream: fix a bug I introduced in r1.406: when printing private key
467
468 fingerprint of old-format key, key comments were not being displayed. Spotted
469 by loic AT venez.fr, ok dtucker
470
471 OpenBSD-Commit-ID: 2d98e4f9eb168eea733d17e141e1ead9fe26e533
472
473commit 32f2d0aad42c15e19bd3b07496076ca891573a58
474Author: djm@openbsd.org <djm@openbsd.org>
475Date: Fri Apr 17 07:16:07 2020 +0000
476
477 upstream: repair private key fingerprint printing to also print
478
479 comment after regression caused by my recent pubkey loading refactor.
480 Reported by loic AT venez.fr, ok dtucker@
481
482 OpenBSD-Commit-ID: f8db49acbee6a6ccb2a4259135693b3cceedb89e
483
484commit 094dd513f4b42e6a3cebefd18d1837eb709b4d99
485Author: djm@openbsd.org <djm@openbsd.org>
486Date: Fri Apr 17 07:15:11 2020 +0000
487
488 upstream: refactor out some duplicate private key loading code;
489
490 based on patch from loic AT venez.fr, ok dtucker@
491
492 OpenBSD-Commit-ID: 5eff2476b0d8d0614924c55e350fb7bb9c84f45e
493
494commit 4e04f46f248f1708e39b900b76c9693c820eff68
495Author: jmc@openbsd.org <jmc@openbsd.org>
496Date: Fri Apr 17 06:12:41 2020 +0000
497
498 upstream: add space beteen macro arg and punctuation;
499
500 OpenBSD-Commit-ID: c93a6cbb4bf9468fc4c13e64bc1fd4efee201a44
501
502commit 44ae009a0112081d0d541aeaa90088bedb6f21ce
503Author: djm@openbsd.org <djm@openbsd.org>
504Date: Fri Apr 17 04:27:03 2020 +0000
505
506 upstream: auth2-pubkey r1.89 changed the order of operations to
507
508 checking AuthorizedKeysFile first and falling back to AuthorizedKeysCommand
509 if no key was found in a file. Document this order here; bz3134
510
511 OpenBSD-Commit-ID: afce0872cbfcfc1d4910ad7722e50f792a1dce12
512
513commit f96f17f920f38ceea6f3c5cb0b075c46b8929fdc
514Author: Damien Miller <djm@mindrot.org>
515Date: Fri Apr 17 14:07:15 2020 +1000
516
517 sys/sysctl.h is only used on OpenBSD
518
519 so change the preprocessor test used to include it to check
520 __OpenBSD__, matching the code that uses the symbols it declares.
521
522commit 54688e937a69c7aebef8a3d50cbd4c6345bab2ca
523Author: djm@openbsd.org <djm@openbsd.org>
524Date: Fri Apr 17 03:38:47 2020 +0000
525
526 upstream: fix reversed test that caused IdentitiesOnly=yes to not
527
528 apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@
529
530 OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352fb659f677
531
532commit 267cbc87b5b6e78973ac4d3c7a6f807ed226928c
533Author: djm@openbsd.org <djm@openbsd.org>
534Date: Fri Apr 17 03:34:42 2020 +0000
535
536 upstream: mention that /etc/hosts.equiv and /etc/shosts.equiv are
537
538 not considered for HostbasedAuthentication when the target user is root;
539 bz3148
540
541 OpenBSD-Commit-ID: fe4c1256929e53f23af17068fbef47852f4bd752
542
543commit c90f72d29e84b4a2709078bf5546a72c29a65177
544Author: djm@openbsd.org <djm@openbsd.org>
545Date: Fri Apr 17 03:30:05 2020 +0000
546
547 upstream: make IgnoreRhosts a tri-state option: "yes" ignore
548
549 rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
550 .shosts files but not .rhosts. ok dtucker@
551
552 OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
553
554commit 321c7147079270f3a154f91b59e66219aac3d514
555Author: djm@openbsd.org <djm@openbsd.org>
556Date: Fri Apr 17 03:23:13 2020 +0000
557
558 upstream: allow the IgnoreRhosts directive to appear anywhere in a
559
560 sshd_config, not just before any Match blocks; bz3148, ok dtucker@
561
562 OpenBSD-Commit-ID: e042467d703bce640b1f42c5d1a62bf3825736e8
563
564commit ca5403b085a735055ec7b7cdcd5b91f2662df94c
565Author: jmc@openbsd.org <jmc@openbsd.org>
566Date: Sat Apr 11 20:20:09 2020 +0000
567
568 upstream: add space between macro arg and punctuation;
569
570 OpenBSD-Commit-ID: e579e4d95eef13059c30931ea1f09ed8296b819c
571
572commit 8af0244d7b4a65eed2e62f9c89141c7c8e63f09d
573Author: Darren Tucker <dtucker@dtucker.net>
574Date: Wed Apr 15 10:58:02 2020 +1000
575
576 Add sys/syscall.h for syscall numbers.
577
578 In some architecture/libc configurations we need to explicitly include
579 sys/syscall.h for the syscall number (__NR_xxx) definitions. bz#3085,
580 patch from blowfist at xroutine.net.
581
582commit 3779b50ee952078018a5d9e1df20977f4355df17
583Author: djm@openbsd.org <djm@openbsd.org>
584Date: Sat Apr 11 10:16:11 2020 +0000
585
586 upstream: Refactor private key parsing. Eliminates a fair bit of
587
588 duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key
589 type check in the ECDSA_CERT parsing path.
590
591 feedback and ok markus@
592
593 OpenBSD-Commit-ID: 4711981d88afb7196d228f7baad9be1d3b20f9c9
594
595commit b6a4013647db67ec622c144a9e05dd768f1966b3
596Author: dtucker@openbsd.org <dtucker@openbsd.org>
597Date: Fri Apr 10 00:54:03 2020 +0000
598
599 upstream: Add tests for TOKEN expansion of LocalForward and
600
601 RemoteForward.
602
603 OpenBSD-Regress-ID: 90fcbc60d510eb114a2b6eaf4a06ff87ecd80a89
604
605commit abc3e0a5179c13c0469a1b11fe17d832abc39999
606Author: dtucker@openbsd.org <dtucker@openbsd.org>
607Date: Mon Apr 6 09:43:55 2020 +0000
608
609 upstream: Add utf8.c for asmprintf used by krl.c
610
611 OpenBSD-Regress-ID: 433708d11165afdb189fe635151d21659dd37a37
612
613commit 990687a0336098566c3a854d23cce74a31ec6fe2
614Author: dtucker@openbsd.org <dtucker@openbsd.org>
615Date: Fri Apr 10 00:52:07 2020 +0000
616
617 upstream: Add TOKEN percent expansion to LocalFoward and RemoteForward
618
619 when used for Unix domain socket forwarding. Factor out the code for the
620 config keywords that use the most common subset of TOKENS into its own
621 function. bz#3014, ok jmc@ (man page bits) djm@
622
623 OpenBSD-Commit-ID: bffc9f7e7b5cf420309a057408bef55171fd0b97
624
625commit 2b13d3934d5803703c04803ca3a93078ecb5b715
626Author: djm@openbsd.org <djm@openbsd.org>
627Date: Wed Apr 8 00:10:37 2020 +0000
628
629 upstream: let sshkey_try_load_public() load public keys from the
630
631 unencrypted envelope of private key files if not sidecar public key file is
632 present.
633
634 ok markus@
635
636 OpenBSD-Commit-ID: 252a0a580e10b9a6311632530d63b5ac76592040
637
638commit d01f39304eaab0352793b490a25e1ab5f59a5366
639Author: djm@openbsd.org <djm@openbsd.org>
640Date: Wed Apr 8 00:09:24 2020 +0000
641
642 upstream: simplify sshkey_try_load_public()
643
644 ok markus@
645
646 OpenBSD-Commit-ID: 05a5d46562aafcd70736c792208b1856064f40ad
647
648commit f290ab0833e44355fc006e4e67b92446c14673ef
649Author: djm@openbsd.org <djm@openbsd.org>
650Date: Wed Apr 8 00:08:46 2020 +0000
651
652 upstream: add sshkey_parse_pubkey_from_private_fileblob_type()
653
654 Extracts a public key from the unencrypted envelope of a new-style
655 OpenSSH private key.
656
657 ok markus@
658
659 OpenBSD-Commit-ID: 44d7ab446e5e8c686aee96d5897b26b3939939aa
660
661commit 8d514eea4ae089626a55e11c7bc1745c8d9683e4
662Author: djm@openbsd.org <djm@openbsd.org>
663Date: Wed Apr 8 00:07:19 2020 +0000
664
665 upstream: simplify sshkey_parse_private_fileblob_type()
666
667 Try new format parser for all key types first, fall back to PEM
668 parser only for invalid format errors.
669
670 ok markus@
671
672 OpenBSD-Commit-ID: 0173bbb3a5cface77b0679d4dca0e15eb5600b77
673
674commit 421169d0e758351b105eabfcebf42378ebf17217
675Author: djm@openbsd.org <djm@openbsd.org>
676Date: Wed Apr 8 00:05:59 2020 +0000
677
678 upstream: check private key type against requested key type in
679
680 new-style private decoding; ok markus@
681
682 OpenBSD-Commit-ID: 04d44b3a34ce12ce5187fb6f6e441a88c8c51662
683
684commit 6aabfb6d22b36d07f584cba97f4cdc4363a829da
685Author: djm@openbsd.org <djm@openbsd.org>
686Date: Wed Apr 8 00:04:32 2020 +0000
687
688 upstream: check that pubkey in private key envelope matches actual
689
690 private key
691
692 (this public key is currently unusued)
693
694 ok markus@
695
696 OpenBSD-Commit-ID: 634a60b5e135d75f48249ccdf042f3555112049c
697
698commit c0f5b2294796451001fd328c44f0d00f1114eddf
699Author: djm@openbsd.org <djm@openbsd.org>
700Date: Wed Apr 8 00:01:52 2020 +0000
701
702 upstream: refactor private key parsing a little
703
704 Split out the base64 decoding and private section decryption steps in
705 to separate functions. This will make the decryption step easier to fuzz
706 as well as making it easier to write a "load public key from new-format
707 private key" function.
708
709 ok markus@
710
711 OpenBSD-Commit-ID: 7de31d80fb9062aa01901ddf040c286b64ff904e
712
713commit 8461a5b3db34ed0b5a4a18d82f64fd5ac8693ea8
714Author: Darren Tucker <dtucker@dtucker.net>
715Date: Mon Apr 6 20:54:34 2020 +1000
716
717 Include openssl-compat.h before checking ifdefs.
718
719 Fixes problem where unsuitable chacha20 code in libressl would be used
720 unintentionally.
721
722commit 931c50c5883a9910ea1ae9a371e4e815ec56b035
723Author: Damien Miller <djm@mindrot.org>
724Date: Mon Apr 6 10:04:56 2020 +1000
725
726 fix inverted test for LibreSSL version
727
728commit d1d5f728511e2338b7c994968d301d8723012264
729Author: dtucker@openbsd.org <dtucker@openbsd.org>
730Date: Sat Apr 4 23:04:41 2020 +0000
731
732 upstream: Indicate if we're using a cached key in trace output.
733
734 OpenBSD-Regress-ID: 409a7b0e59d1272890fda507651c0c3d2d3c0d89
735
736commit a398251a4627367c78bc483c70c2ec973223f82c
737Author: Darren Tucker <dtucker@dtucker.net>
738Date: Sun Apr 5 08:43:57 2020 +1000
739
740 Use /usr/bin/xp4g/id if necessary.
741
742 Solaris' native "id" doesn't support the options we use but the one
743 in /usr/bin/xp4g does, so use that instead.
744
745commit db0fdd48335b5b01114f78c1a73a195235910f81
746Author: dtucker@openbsd.org <dtucker@openbsd.org>
747Date: Sat Apr 4 22:14:26 2020 +0000
748
749 upstream: Some platforms don't have "hostname -s", so use cut to trim
750
751 short hostname instead.
752
753 OpenBSD-Regress-ID: ebcf36a6fdf287c9336b0d4f6fc9f793c05307a7
754
755commit e7e59a9cc8eb7fd5944ded28f4d7e3ae0a5fdecd
756Author: dtucker@openbsd.org <dtucker@openbsd.org>
757Date: Fri Apr 3 07:53:10 2020 +0000
758
759 upstream: Compute hash locally and re-enable %C tests.
760
761 OpenBSD-Regress-ID: 94d1366e8105274858b88a1f9ad2e62801e49770
762
763commit abe2b245b3ac6c4801e99bc0f13289cd28211e22
764Author: Damien Miller <djm@mindrot.org>
765Date: Fri Apr 3 17:25:46 2020 +1100
766
767 prefer libcrypto chacha20-poly1305 where possible
768
769commit bc5c5d01ad668981f9e554e62195383bc12e8528
770Author: dtucker@openbsd.org <dtucker@openbsd.org>
771Date: Fri Apr 3 05:43:11 2020 +0000
772
773 upstream: Temporarily remove tests for '%C' since the hash contains the
774
775 local hostname and it doesn't work on any machine except mine... spotted by
776 djm@
777
778 OpenBSD-Regress-ID: 2d4c3585b9fcbbff14f4a5a5fde51dbd0d690401
779
780commit 81624026989654955a657ebf2a1fe8b9994f3c87
781Author: djm@openbsd.org <djm@openbsd.org>
782Date: Fri Apr 3 06:07:57 2020 +0000
783
784 upstream: r1.522 deleted one too many lines; repair
785
786 OpenBSD-Commit-ID: 1af8851fd7a99e4a887b19aa8f4c41a6b3d25477
787
788commit 668cb3585ce829bd6e34d4a962c489bda1d16370
789Author: jmc@openbsd.org <jmc@openbsd.org>
790Date: Fri Apr 3 05:53:52 2020 +0000
791
792 upstream: sort -N and add it to usage();
793
794 OpenBSD-Commit-ID: 5b00e8db37c2b0a54c7831fed9e5f4db53ada332
795
796commit 338ccee1e7fefa47f3d128c2541e94c5270abe0c
797Author: djm@openbsd.org <djm@openbsd.org>
798Date: Fri Apr 3 05:48:57 2020 +0000
799
800 upstream: avoid another compiler warning spotted in -portable
801
802 OpenBSD-Commit-ID: 1d29c51ac844b287c4c8bcaf04c63c7d9ba3b8c7
803
804commit 9f8a42340bd9af86a99cf554dc39ecdf89287544
805Author: djm@openbsd.org <djm@openbsd.org>
806Date: Fri Apr 3 04:07:48 2020 +0000
807
808 upstream: this needs utf8.c too
809
810 OpenBSD-Regress-ID: 445040036cec714d28069a20da25553a04a28451
811
812commit 92115ea7c3a834374720c350841fc729e7d5c8b2
813Author: dtucker@openbsd.org <dtucker@openbsd.org>
814Date: Fri Apr 3 03:14:03 2020 +0000
815
816 upstream: Add percent_expand test for 'Match Exec'.
817
818 OpenBSD-Regress-ID: a41c14fd6a0b54d66aa1e9eebfb9ec962b41232f
819
820commit de34a440276ae855c38deb20f926d46752c62c9d
821Author: djm@openbsd.org <djm@openbsd.org>
822Date: Fri Apr 3 04:43:24 2020 +0000
823
824 upstream: fix format string (use %llu for uint64, not %lld). spotted by
825
826 Darren and his tinderbox tests
827
828 OpenBSD-Commit-ID: 3b4587c3d9d46a7be9bdf028704201943fba96c2
829
830commit 9cd40b829a5295cc81fbea8c7d632b2478db6274
831Author: djm@openbsd.org <djm@openbsd.org>
832Date: Fri Apr 3 04:34:15 2020 +0000
833
834 upstream: Add a flag to re-enable verbose output when in batch
835
836 mode; requested in bz3135; ok dtucker
837
838 OpenBSD-Commit-ID: 5ad2ed0e6440562ba9c84b666a5bbddc1afe2e2b
839
840commit 6ce51a5da5d333a44e7c74c027f3571f70c39b24
841Author: djm@openbsd.org <djm@openbsd.org>
842Date: Fri Apr 3 04:32:21 2020 +0000
843
844 upstream: chacha20-poly1305 AEAD using libcrypto EVP_chacha20
845
846 Based on patch from Yuriy M. Kaminskiy. ok + lots of assistance along the
847 way at a2k20 tb@
848
849 OpenBSD-Commit-ID: 5e08754c13d31258bae6c5e318cc96219d6b10f0
850
851commit eba523f0a130f1cce829e6aecdcefa841f526a1a
852Author: djm@openbsd.org <djm@openbsd.org>
853Date: Fri Apr 3 04:27:03 2020 +0000
854
855 upstream: make Chacha20-POLY1305 context struct opaque; ok tb@ as
856
857 part of a larger diff at a2k20
858
859 OpenBSD-Commit-ID: a4609b7263284f95c9417ef60ed7cdbb7bf52cfd
860
861commit ebd29e90129cf18fedfcfe1de86e324228669295
862Author: djm@openbsd.org <djm@openbsd.org>
863Date: Fri Apr 3 04:06:26 2020 +0000
864
865 upstream: fix debug statement
866
867 OpenBSD-Commit-ID: 42c6edeeda5ce88b51a20d88c93be3729ce6b916
868
869commit 7b4d8999f2e1a0cb7b065e3efa83e6edccfc7d82
870Author: djm@openbsd.org <djm@openbsd.org>
871Date: Fri Apr 3 04:03:51 2020 +0000
872
873 upstream: the tunnel-forwarding vs ExitOnForwardFailure fix that I
874
875 committed earlier had an off-by-one. Fix this and add some debugging that
876 would have made it apparent sooner.
877
878 OpenBSD-Commit-ID: 082f8f72b1423bd81bbdad750925b906e5ac6910
879
880commit eece243666d44ceb710d004624c5c7bdc05454bc
881Author: dtucker@openbsd.org <dtucker@openbsd.org>
882Date: Fri Apr 3 03:12:11 2020 +0000
883
884 upstream: %C expansion just added to Match Exec should include
885
886 remote user not local user.
887
888 OpenBSD-Commit-ID: 80f1d976938f2a55ee350c11d8b796836c8397e2
889
890commit d5318a784d016478fc8da90a38d9062c51c10432
891Author: dtucker@openbsd.org <dtucker@openbsd.org>
892Date: Fri Apr 3 02:33:31 2020 +0000
893
894 upstream: Add regression test for percent expansions where possible.
895
896 OpenBSD-Regress-ID: 7283be8b2733ac1cbefea3048a23d02594485288
897
898commit 663e84bb53de2a60e56a44d538d25b8152b5c1cc
899Author: djm@openbsd.org <djm@openbsd.org>
900Date: Fri Apr 3 02:40:32 2020 +0000
901
902 upstream: make failures when establishing "Tunnel" forwarding terminate
903
904 the connection when ExitOnForwardFailure is enabled; bz3116; ok dtucker
905
906 OpenBSD-Commit-ID: ef4b4808de0a419c17579b1081da768625c1d735
907
908commit ed833da176611a39d3376d62154eb88eb440d31c
909Author: dtucker@openbsd.org <dtucker@openbsd.org>
910Date: Fri Apr 3 02:27:12 2020 +0000
911
912 upstream: Make with config keywords support which
913
914 percent_expansions more consistent. - %C is moved into its own function and
915 added to Match Exec. - move the common (global) options into a macro. This
916 is ugly but it's the least-ugly way I could come up with. - move
917 IdentityAgent and ForwardAgent percent expansion to before the config dump
918 to make it regression-testable. - document all of the above
919
920 ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.
921
922 OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75
923
924commit 6ec7457171468da2bbd908b8cd63d298b0e049ea
925Author: djm@openbsd.org <djm@openbsd.org>
926Date: Fri Apr 3 02:26:56 2020 +0000
927
928 upstream: give ssh-keygen the ability to dump the contents of a
929
930 binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker
931
932 OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b
933
934commit af628b8a6c3ef403644d83d205c80ff188c97f0c
935Author: djm@openbsd.org <djm@openbsd.org>
936Date: Fri Apr 3 02:25:21 2020 +0000
937
938 upstream: add allocating variant of the safe utf8 printer; ok
939
940 dtucker as part of a larger diff
941
942 OpenBSD-Commit-ID: 037e2965bd50eacc2ffb49889ecae41552744fa0
943
944commit d8ac9af645f5519ac5211e9e1e4dc1ed00e9cced
945Author: dtucker@openbsd.org <dtucker@openbsd.org>
946Date: Mon Mar 16 02:17:02 2020 +0000
947
948 upstream: Cast lifetime to u_long for comparison to prevent unsigned
949
950 comparison warning on 32bit arches. Spotted by deraadt, ok djm.
951
952 OpenBSD-Commit-ID: 7a75b2540bff5ab4fa00b4d595db1df13bb0515a
953
954commit 0eaca933ae08b0a515edfccd5cc4a6b667034813
955Author: Darren Tucker <dtucker@dtucker.net>
956Date: Sat Mar 14 20:58:46 2020 +1100
957
958 Include fido.h when checking for fido/credman.h.
959
960 It's required for fido_dev_t, otherwise configure fails with
961 when given --with-security-key-builtin.
962
963commit c7c099060f82ffe6a36d8785ecf6052e12fd92f0
964Author: djm@openbsd.org <djm@openbsd.org>
965Date: Fri Mar 13 03:18:45 2020 +0000
966
967 upstream: some more speeling mistakes from
968
969 OpenBSD-Regress-ID: 02471c079805471c546b7a69d9ab1d34e9a57443
970
971commit 1d89232a4aa97fe935cd60b8d24d75c2f70d56c5
972Author: djm@openbsd.org <djm@openbsd.org>
973Date: Fri Mar 13 04:16:27 2020 +0000
974
975 upstream: improve error messages for some common PKCS#11 C_Login
976
977 failure cases; based on patch from Jacob Hoffman-Andrews in bz3130; ok
978 dtucker
979
980 OpenBSD-Commit-ID: b8b849621b4a98e468942efd0a1c519c12ce089e
981
982commit 5becbec023f2037394987f85ed7f74b9a28699e0
983Author: djm@openbsd.org <djm@openbsd.org>
984Date: Fri Mar 13 04:01:56 2020 +0000
985
986 upstream: use sshpkt_fatal() for kex_exchange_identification()
987
988 errors. This ensures that the logged errors are consistent with other
989 transport- layer errors and that the relevant IP addresses are logged. bz3129
990 ok dtucker@
991
992 OpenBSD-Commit-ID: 2c22891f0b9e1a6cd46771cedbb26ac96ec2e6ab
993
994commit eef88418f9e5e51910af3c5b23b5606ebc17af55
995Author: dtucker@openbsd.org <dtucker@openbsd.org>
996Date: Fri Mar 13 03:24:49 2020 +0000
997
998 upstream: Don't clear alarm timers in listening sshd. Previously
999
1000 these timers were used for regenerating the SSH1 ephemeral host keys but
1001 those are now gone so there's no need to clear the timers either. ok
1002 deraadt@
1003
1004 OpenBSD-Commit-ID: 280d2b885e4a1ce404632e8cc38fcb17be7dafc0
1005
1006commit d081f017c20a3564255873ed99fd7d024cac540f
1007Author: djm@openbsd.org <djm@openbsd.org>
1008Date: Fri Mar 13 03:17:07 2020 +0000
1009
1010 upstream: spelling errors in comments; no code change from
1011
1012 OpenBSD-Commit-ID: 166ea64f6d84f7bac5636dbd38968592cb5eb924
1013
1014commit c084a2d040f160bc2b83f13297e3e3ca3f5dbac6
1015Author: djm@openbsd.org <djm@openbsd.org>
1016Date: Fri Mar 13 03:12:17 2020 +0000
1017
1018 upstream: when downloading FIDO2 resident keys from a token, don't
1019
1020 prompt for a PIN until the token has told us that it needs one. Avoids
1021 double-prompting on devices that implement on-device authentication (e.g. a
1022 touchscreen PIN pad on the Trezor Model T). ok dtucker@
1023
1024 OpenBSD-Commit-ID: 38b78903dd4422d7d3204095a31692fb69130817
1025
1026commit 955c4cf4c6a1417c28d4e1040702c4d9bf63645b
1027Author: Damien Miller <djm@mindrot.org>
1028Date: Fri Mar 13 14:30:16 2020 +1100
1029
1030 sync fnmatch.c with upstream to fix another typo
1031
1032commit 397f217e8640e75bb719a8e87111b4bd848fb3df
1033Author: Damien Miller <djm@mindrot.org>
1034Date: Fri Mar 13 14:24:23 2020 +1100
1035
1036 another spelling error in comment
1037
1038commit def31bc5427579ec3f7f2ce99f2da1338fdc0c9f
1039Author: Damien Miller <djm@mindrot.org>
1040Date: Fri Mar 13 14:23:07 2020 +1100
1041
1042 spelling mistakes
1043
1044 from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
1045
1046commit 8bdc3bb7cf4c82c3344cfcb82495a43406e87e83
1047Author: markus@openbsd.org <markus@openbsd.org>
1048Date: Fri Mar 6 18:29:54 2020 +0000
1049
1050 upstream: fix relative includes in sshd_config; ok djm
1051
1052 OpenBSD-Commit-ID: fa29b0da3c93cbc3a1d4c6bcd58af43c00ffeb5b
1053
1054commit e32ef97a56ae03febfe307688858badae3a70e5a
1055Author: markus@openbsd.org <markus@openbsd.org>
1056Date: Fri Mar 6 18:29:14 2020 +0000
1057
1058 upstream: fix use-after-free in do_download_sk; ok djm
1059
1060 OpenBSD-Commit-ID: 96b49623d297797d4fc069f1f09e13c8811f8863
1061
1062commit 5732d58020309364bf31fa125354e399361006db
1063Author: markus@openbsd.org <markus@openbsd.org>
1064Date: Fri Mar 6 18:28:50 2020 +0000
1065
1066 upstream: do not leak oprincipals; ok djm
1067
1068 OpenBSD-Commit-ID: 4691d9387eab36f8fda48f5d8009756ed13a7c4c
1069
1070commit 8fae395f34c2c52cdaf9919aa261d1848b4bb00b
1071Author: markus@openbsd.org <markus@openbsd.org>
1072Date: Fri Mar 6 18:28:27 2020 +0000
1073
1074 upstream: initialize seconds for debug message; ok djm
1075
1076 OpenBSD-Commit-ID: 293fbefe6d00b4812a180ba02e26170e4c855b81
1077
1078commit 46e5c4c8ffcd1569bcd5d04803abaa2ecf3e4cff
1079Author: markus@openbsd.org <markus@openbsd.org>
1080Date: Fri Mar 6 18:27:50 2020 +0000
1081
1082 upstream: correct return code; ok djm
1083
1084 OpenBSD-Commit-ID: 319d09e3b7f4b2bc920c67244d9ff6426b744810
1085
1086commit 31c39e7840893f1bfdcbe4f813b20d1d7e69ec3e
1087Author: markus@openbsd.org <markus@openbsd.org>
1088Date: Fri Mar 6 18:27:15 2020 +0000
1089
1090 upstream: principalsp is optional, pubkey required; ok djm
1091
1092 OpenBSD-Commit-ID: 2cc3ea5018c28ed97edaccd7f17d2cc796f01024
1093
1094commit e26a31757c5df2f58687cb9a4853d1418f39728e
1095Author: markus@openbsd.org <markus@openbsd.org>
1096Date: Fri Mar 6 18:26:21 2020 +0000
1097
1098 upstream: remove unused variables in ssh-pkcs11-helper; ok djm
1099
1100 OpenBSD-Commit-ID: 13e572846d0d1b28f1251ddd2165e9cf18135ae1
1101
1102commit 1b378c0d982d6ab522eda634b0e88cf1fca5e352
1103Author: markus@openbsd.org <markus@openbsd.org>
1104Date: Fri Mar 6 18:25:48 2020 +0000
1105
1106 upstream: return correct error in sshsk_ed25519_sig; ok djm
1107
1108 OpenBSD-Commit-ID: 52bf733df220303c260fee4f165ec64b4a977625
1109
1110commit fbff605e637b068061ab6784ff03e3874890c092
1111Author: markus@openbsd.org <markus@openbsd.org>
1112Date: Fri Mar 6 18:25:12 2020 +0000
1113
1114 upstream: fix possible null-deref in check_key_not_revoked; ok
1115
1116 djm
1117
1118 OpenBSD-Commit-ID: 80855e9d7af42bb6fcc16c074ba69876bfe5e3bf
1119
1120commit bc30b446841fc16e50ed6e75c56ccfbd37b9f281
1121Author: markus@openbsd.org <markus@openbsd.org>
1122Date: Fri Mar 6 18:24:39 2020 +0000
1123
1124 upstream: ssh_fetch_identitylist() returns the return value from
1125
1126 ssh_request_reply() so we should also check against != 0 ok djm
1127
1128 OpenBSD-Commit-ID: 28d0028769d03e665688c61bb5fd943e18614952
1129
1130commit 7b4f70ddeb59f35283d77d8d9c834ca58f8cf436
1131Author: markus@openbsd.org <markus@openbsd.org>
1132Date: Fri Mar 6 18:23:17 2020 +0000
1133
1134 upstream: sshkey_cert_check_authority requires reason to be set;
1135
1136 ok djm
1137
1138 OpenBSD-Commit-ID: 6f7a6f19540ed5749763c2f9530c0897c94aa552
1139
1140commit 05efe270df1e925db0af56a806d18b5063db4b6d
1141Author: markus@openbsd.org <markus@openbsd.org>
1142Date: Fri Mar 6 18:21:28 2020 +0000
1143
1144 upstream: passphrase depends on kdfname, not ciphername (possible
1145
1146 null-deref); ok djm
1147
1148 OpenBSD-Commit-ID: 0d39668edf5e790b5837df4926ee1141cec5471c
1149
1150commit 1ddf5682f3992bdacd29164891abb71a19c2cf61
1151Author: markus@openbsd.org <markus@openbsd.org>
1152Date: Fri Mar 6 18:20:44 2020 +0000
1153
1154 upstream: consistently check packet_timeout_ms against 0; ok djm
1155
1156 OpenBSD-Commit-ID: e8fb8cb2c96c980f075069302534eaf830929928
1157
1158commit 31f1ee54968ad84eb32375e4412e0318766b586b
1159Author: markus@openbsd.org <markus@openbsd.org>
1160Date: Fri Mar 6 18:20:02 2020 +0000
1161
1162 upstream: initialize cname in case ai_canonname is NULL or too
1163
1164 long; ok djm
1165
1166 OpenBSD-Commit-ID: c27984636fdb1035d1642283664193e91aab6e37
1167
1168commit a6134b02b5264b2611c8beae98bb392329452bba
1169Author: markus@openbsd.org <markus@openbsd.org>
1170Date: Fri Mar 6 18:19:21 2020 +0000
1171
1172 upstream: fix uninitialized pointers for forward_cancel; ok djm
1173
1174 OpenBSD-Commit-ID: 612778e6d87ee865d0ba97d0a335f141cee1aa37
1175
1176commit 16d4f9961c75680aab374dee762a5baa0ad507af
1177Author: markus@openbsd.org <markus@openbsd.org>
1178Date: Fri Mar 6 18:16:21 2020 +0000
1179
1180 upstream: exit on parse failures in input_service_request; ok djm
1181
1182 OpenBSD-Commit-ID: 6a7e1bfded26051d5aa893c030229b1ee6a0d5d2
1183
1184commit 5f25afe5216ba7f8921e04f79aa4ca0624eca820
1185Author: markus@openbsd.org <markus@openbsd.org>
1186Date: Fri Mar 6 18:15:38 2020 +0000
1187
1188 upstream: fix null-deref on calloc failure; ok djm
1189
1190 OpenBSD-Commit-ID: a313519579b392076b7831ec022dfdefbec8724a
1191
1192commit ff2acca039aef16a15fce409163df404858f7aa5
1193Author: markus@openbsd.org <markus@openbsd.org>
1194Date: Fri Mar 6 18:15:04 2020 +0000
1195
1196 upstream: exit if ssh_krl_revoke_key_sha256 fails; ok djm
1197
1198 OpenBSD-Commit-ID: 0864ad4fe8bf28ab21fd1df766e0365c11bbc0dc
1199
1200commit 31c860a0212af2d5b6a129e3e8fcead51392ee1d
1201Author: markus@openbsd.org <markus@openbsd.org>
1202Date: Fri Mar 6 18:14:13 2020 +0000
1203
1204 upstream: pkcs11_register_provider: return < 0 on error; ok djm
1205
1206 OpenBSD-Commit-ID: cfc8321315b787e4d40da4bdb2cbabd4154b0d97
1207
1208commit 15be29e1e3318737b0768ca37d5b4a3fbe868ef0
1209Author: markus@openbsd.org <markus@openbsd.org>
1210Date: Fri Mar 6 18:13:29 2020 +0000
1211
1212 upstream: sshsig: return correct error, fix null-deref; ok djm
1213
1214 OpenBSD-Commit-ID: 1d1af7cd538b8b23e621cf7ab84f11e7a923edcd
1215
1216commit 6fb6f186cb62a6370fba476b6a03478a1e95c30d
1217Author: markus@openbsd.org <markus@openbsd.org>
1218Date: Fri Mar 6 18:12:55 2020 +0000
1219
1220 upstream: vasnmprintf allocates str and returns -1; ok djm
1221
1222 OpenBSD-Commit-ID: dae4c9e83d88471bf3b3f89e3da7a107b44df11c
1223
1224commit 714e1cbca17daa13f4f98978cf9e0695d4b2e0a4
1225Author: markus@openbsd.org <markus@openbsd.org>
1226Date: Fri Mar 6 18:11:10 2020 +0000
1227
1228 upstream: sshpkt_fatal() does not return; ok djm
1229
1230 OpenBSD-Commit-ID: 7dfe847e28bd78208eb227b37f29f4a2a0929929
1231
1232commit 9b47bd7b09d191991ad9e0506bb66b74bbc93d34
1233Author: djm@openbsd.org <djm@openbsd.org>
1234Date: Fri Feb 28 01:07:28 2020 +0000
1235
1236 upstream: no-touch-required certificate option should be an
1237
1238 extension, not a critical option.
1239
1240 OpenBSD-Commit-ID: 626b22c5feb7be8a645e4b9a9bef89893b88600d
1241
1242commit dd992520bed35387fc010239abe1bdc0c2665e38
1243Author: djm@openbsd.org <djm@openbsd.org>
1244Date: Fri Feb 28 01:06:05 2020 +0000
1245
1246 upstream: better error message when trying to use a FIDO key
1247
1248 function and SecurityKeyProvider is empty
1249
1250 OpenBSD-Commit-ID: e56602c2ee8c82f835d30e4dc8ee2e4a7896be24
1251
1252commit b81e66dbe0345aef4717911abcb4f589fff33a0a
1253Author: dtucker@openbsd.org <dtucker@openbsd.org>
1254Date: Thu Feb 27 02:32:37 2020 +0000
1255
1256 upstream: Drop leading space from line count that was confusing
1257
1258 ssh-keygen's screen mode.
1259
1260 OpenBSD-Commit-ID: 3bcae7a754db3fc5ad3cab63dd46774edb35b8ae
1261
1262commit d5ba1c03278eb079438bb038266d80d7477d49cb
1263Author: jsg@openbsd.org <jsg@openbsd.org>
1264Date: Wed Feb 26 13:40:09 2020 +0000
1265
1266 upstream: change explicit_bzero();free() to freezero()
1267
1268 While freezero() returns early if the pointer is NULL the tests for
1269 NULL in callers are left to avoid warnings about passing an
1270 uninitialised size argument across a function boundry.
1271
1272 ok deraadt@ djm@
1273
1274 OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
1275
1276commit 9e3220b585c5be19a7431ea4ff8884c137b3a81c
1277Author: dtucker@openbsd.org <dtucker@openbsd.org>
1278Date: Wed Feb 26 11:46:51 2020 +0000
1279
1280 upstream: Have sftp reject "-1" in the same way as ssh(1) and
1281
1282 scp(1) do instead of accepting and silently ignoring it since protocol 1
1283 support has been removed. Spotted by shivakumar2696 at gmail.com, ok
1284 deraadt@
1285
1286 OpenBSD-Commit-ID: b79f95559a1c993214f4ec9ae3c34caa87e9d5de
1287
1288commit ade8e67bb0f07b12e5e47e7baeafbdc898de639f
1289Author: dtucker@openbsd.org <dtucker@openbsd.org>
1290Date: Wed Feb 26 01:31:47 2020 +0000
1291
1292 upstream: Remove obsolete XXX comment. ok deraadt@
1293
1294 OpenBSD-Commit-ID: bc462cc843947feea26a2e21c750b3a7469ff01b
1295
1296commit 7eb903f51eba051d7f65790bab92a28970ac1ccc
1297Author: dtucker@openbsd.org <dtucker@openbsd.org>
1298Date: Mon Feb 24 04:27:58 2020 +0000
1299
1300 upstream: Fix typo. Patch from itoama at live.jp via github PR#173.
1301
1302 OpenBSD-Commit-ID: 5cdaafab38bbdea0d07e24777d00bfe6f972568a
1303
1304commit b2491c289dd1b557a18a2aca04eeff5c157fc5ef
1305Author: Nico Kadel-Garcia <nkadel@gmail.com>
1306Date: Sat Oct 12 17:51:01 2019 -0400
1307
1308 Switch %define to %global for redhat/openssh.spec
1309
1310commit b18dcf6cca7c7aba1cc22e668e04492090ef0255
1311Author: mkontani <itoama@live.jp>
1312Date: Fri Feb 21 00:54:49 2020 +0900
1313
1314 fix some typos and sentence
1315
1316commit 0001576a096f788d40c2c0a39121cff51bf961ad
1317Author: dtucker@openbsd.org <dtucker@openbsd.org>
1318Date: Fri Feb 21 00:04:43 2020 +0000
1319
1320 upstream: Fix some typos and an incorrect word in docs. Patch from
1321
1322 itoama at live.jp via github PR#172.
1323
1324 OpenBSD-Commit-ID: 166ee8f93a7201fef431b9001725ab8b269d5874
1325
1326commit 99ff8fefe4b2763a53778d06b5f74443c8701615
1327Author: dtucker@openbsd.org <dtucker@openbsd.org>
1328Date: Thu Feb 20 05:58:08 2020 +0000
1329
1330 upstream: Update moduli generation script to new ssh-keygen
1331
1332 generation and screening command line flags.
1333
1334 OpenBSD-Commit-ID: 5010ff08f7ad92082e87dde098b20f5c24921a8f
1335
1336commit 700d16f5e534d6de5a3b7105a74a7a6f4487b681
1337Author: dtucker@openbsd.org <dtucker@openbsd.org>
1338Date: Thu Feb 20 05:41:51 2020 +0000
1339
1340 upstream: Import regenerated moduli.
1341
1342 OpenBSD-Commit-ID: 7b7b619c1452a459310b0cf4391c5757c6bdbc0f
1343
1344commit 4753b74ba0f09e4aacdaab5e184cd540352004d5
1345Author: Darren Tucker <dtucker@dtucker.net>
1346Date: Thu Feb 20 16:42:50 2020 +1100
1347
1348 Import regenerated moduli.
1349
1350commit 11d427162778c18fa42917893a75d178679a2389
1351Author: HARUYAMA Seigo <haruyama@unixuser.org>
1352Date: Fri Feb 14 16:14:23 2020 +0900
1353
1354 Fix typos in INSTALL: s/avilable/available/ s/suppports/supports/
1355
1356commit 264a966216137c9f4f8220fd9142242d784ba059
1357Author: dtucker@openbsd.org <dtucker@openbsd.org>
1358Date: Tue Feb 18 08:58:33 2020 +0000
1359
1360 upstream: Ensure that the key lifetime provided fits within the
1361
1362 values allowed by the wire format (u32). Prevents integer wraparound of the
1363 timeout values. bz#3119, ok markus@ djm@
1364
1365 OpenBSD-Commit-ID: 8afe6038b5cdfcf63360788f012a7ad81acc46a2
1366
1367commit de1f3564cd85915b3002859873a37cb8d31ac9ce
1368Author: dtucker@openbsd.org <dtucker@openbsd.org>
1369Date: Tue Feb 18 08:49:49 2020 +0000
1370
1371 upstream: Detect and prevent simple configuration loops when using
1372
1373 ProxyJump. bz#3057, ok djm@
1374
1375 OpenBSD-Commit-ID: 077d21c564c886c98309d871ed6f8ef267b9f037
1376
1377commit 30144865bfa06b12239cfabc37c45e5ddc369d97
1378Author: naddy@openbsd.org <naddy@openbsd.org>
1379Date: Sun Feb 16 21:15:43 2020 +0000
1380
1381 upstream: document -F none; with jmc@
1382
1383 OpenBSD-Commit-ID: 0eb93b75473d2267aae9200e02588e57778c84f2
1384
1385commit 011052de73f3dbc53f50927ccf677266a9ade4f6
1386Author: Darren Tucker <dtucker@dtucker.net>
1387Date: Mon Feb 17 22:55:51 2020 +1100
1388
1389 Remove unused variable warning.
1390
1391commit 31c9348c5e4e94e9913ec64b3ca6e15f68ba19e5
1392Author: Darren Tucker <dtucker@dtucker.net>
1393Date: Mon Feb 17 22:53:24 2020 +1100
1394
1395 Constify aix_krb5_get_principal_name.
1396
1397 Prevents warning about discarding type qualifiers on AIX.
1398
1399commit 290c994336a2cfe03c5496bebb6580863f94b232
1400Author: Darren Tucker <dtucker@dtucker.net>
1401Date: Mon Feb 17 22:51:36 2020 +1100
1402
1403 Check if TILDE is already defined and undef.
1404
1405 Prevents redefinition warning on AIX.
1406
1407commit 41a2e64ae480eda73ee0e809bbe743d203890938
1408Author: Darren Tucker <dtucker@dtucker.net>
1409Date: Mon Feb 17 22:51:00 2020 +1100
1410
1411 Prevent unused variable warning.
1412
1413commit d4860ec4efd25ba194337082736797fce0bda016
1414Author: Darren Tucker <dtucker@dtucker.net>
1415Date: Mon Feb 17 22:48:50 2020 +1100
1416
1417 Check if getpeereid is actually declared.
1418
1419 Check in sys/socket.h (AIX) and unistd.h (FreeBSD, DragonFLy and OS X).
1420 Prevents undeclared function warning on at least some versions of AIX.
1421
1commit 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8 1422commit 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8
2Author: djm@openbsd.org <djm@openbsd.org> 1423Author: djm@openbsd.org <djm@openbsd.org>
3Date: Fri Feb 14 00:39:20 2020 +0000 1424Date: Fri Feb 14 00:39:20 2020 +0000
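Review bot: several added entries in this hunk are memory-safety or integer-handling fixes recorded only as one-line upstream summaries with no security marking: e32ef97a ("fix use-after-free in do_download_sk"), 264a9662 (key lifetime must fit the u32 wire format, "Prevents integer wraparound of the timeout values", bz#3119), and the run of markus@ commits dated Fri Mar 6 2020 covering null-derefs (fbff605e, 05efe270, 5f25afe5, 15be29e1) and uninitialized pointers (a6134b02). The imported ChangeLog itself should stay verbatim, so I suggest calling these out in the packaging changelog entry for the 8.3p1 import, so that backport triage for older branches does not depend on someone reading all 1421 added lines. The same entry should mention 9b47bd7b ("no-touch-required certificate option should be an extension, not a critical option"), because it changes certificate handling rather than fixing a crash, and anyone issuing FIDO certificates will want to see it.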
@@ -11254,1410 +12675,3 @@ Date: Fri Jun 1 03:11:49 2018 +0000
11254 directive; bz2831, feedback and ok dtucker@ 12675 directive; bz2831, feedback and ok dtucker@
11255 12676
11256 OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e 12677 OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e
11257
11258commit fbb4b5fd4f8e0bb89732670a01954e18b69e15ba
11259Author: djm@openbsd.org <djm@openbsd.org>
11260Date: Fri May 25 07:11:01 2018 +0000
11261
11262 upstream: Do not ban PTY allocation when a sshd session is restricted
11263
11264 because the user password is expired as it breaks password change dialog.
11265
11266 regression in openssh-7.7 reported by Daniel Wagner
11267
11268 OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73
11269
11270commit f6a59a22b0c157c4c4e5fd7232f868138223be64
11271Author: djm@openbsd.org <djm@openbsd.org>
11272Date: Fri May 25 04:25:46 2018 +0000
11273
11274 upstream: Fix return value confusion in several functions (readdir,
11275
11276 download and fsync). These should return -1 on error, not a sftp status code.
11277
11278 patch from Petr Cerny in bz#2871
11279
11280 OpenBSD-Commit-ID: 651aa0220ad23c9167d9297a436162d741f97a09
11281
11282commit 1da5934b860ac0378d52d3035b22b6670f6a967e
11283Author: dtucker@openbsd.org <dtucker@openbsd.org>
11284Date: Fri May 25 03:20:59 2018 +0000
11285
11286 upstream: If select() fails in ssh_packet_read_seqnr go directly to
11287
11288 the error path instead of trying to read from the socket on the way out,
11289 which resets errno and causes the true error to be misreported. ok djm@
11290
11291 OpenBSD-Commit-ID: 2614edaadbd05a957aa977728aa7a030af7c6f0a
11292
11293commit 4ef75926ef517d539f2c7aac3188b09f315c86a7
11294Author: Damien Miller <djm@mindrot.org>
11295Date: Fri May 25 13:36:58 2018 +1000
11296
11297 Permit getuid()/geteuid() syscalls.
11298
11299 Requested for Linux/s390; patch from Eduardo Barretto via bz#2752;
11300 ok dtucker
11301
11302commit 4b22fd8ecefd059a66140be67f352eb6145a9d88
11303Author: djm@openbsd.org <djm@openbsd.org>
11304Date: Tue May 22 00:13:26 2018 +0000
11305
11306 upstream: support ProxyJump=none to disable ProxyJump
11307
11308 functionality; bz#2869 ok dtucker@
11309
11310 OpenBSD-Commit-ID: 1c06ee08eb78451b5837fcfd8cbebc5ff3a67a01
11311
11312commit f41bcd70f55b4f0fc4d8e1039cb361ac922b23fb
11313Author: jmc@openbsd.org <jmc@openbsd.org>
11314Date: Tue May 15 05:40:11 2018 +0000
11315
11316 upstream: correct keyowrd name (permitemptypasswords); from brendan
11317
11318 macdonell
11319
11320 OpenBSD-Commit-ID: ef1bdbc936b2ea693ee37a4c20a94d4d43f5fda3
11321
11322commit f18bc97151340127859634d20d79fd39ec8a7f39
11323Author: djm@openbsd.org <djm@openbsd.org>
11324Date: Fri May 11 04:01:11 2018 +0000
11325
11326 upstream: Emphasise that -w implicitly sets Tunnel=point-to-point
11327
11328 and that users should specify an explicit Tunnel directive if they don't want
11329 this. bz#2365.
11330
11331 OpenBSD-Commit-ID: 1a8d9c67ae213ead180481900dbbb3e04864560d
11332
11333commit 32e4e94e1511fe0020fbfbb62399d31b2d22a801
11334Author: Damien Miller <djm@mindrot.org>
11335Date: Mon May 14 14:40:08 2018 +1000
11336
11337 sync fmt_scaled.c
11338
11339 revision 1.17
11340 date: 2018/05/14 04:39:04; author: djm; state: Exp; lines: +5 -2;
11341 commitid: 53zY8GjViUBnWo8Z;
11342 constrain fractional part to [0-9] (less confusing to static analysis); ok ian@
11343
11344commit 54268d589e85ecc43d3eba8d83f327bdada9d696
11345Author: Damien Miller <djm@mindrot.org>
11346Date: Fri May 11 14:04:40 2018 +1000
11347
11348 fix key-options.sh on platforms without openpty(3)
11349
11350 Skip the pty tests if the platform lacks openpty(3) and has to chown(2)
11351 the pty device explicitly. This typically requires root permissions that
11352 this test lacks.
11353
11354 bz#2856 ok dtucker@
11355
11356commit b2140a739be4c3b43cc1dc08322dca39a1e39d20
11357Author: djm@openbsd.org <djm@openbsd.org>
11358Date: Fri May 11 03:38:51 2018 +0000
11359
11360 upstream: implement EMFILE mitigation for ssh-agent: remember the
11361
11362 fd rlimit and stop accepting new connections when it is exceeded (with some
11363 grace). Accept is resumed when enough connections are closed.
11364
11365 bz#2576. feedback deraadt; ok dtucker@
11366
11367 OpenBSD-Commit-ID: 6a85d9cec7b85741961e7116a49f8dae777911ea
11368
11369commit fdba503fdfc647ee8a244002f1581e869c1f3d90
11370Author: dtucker@openbsd.org <dtucker@openbsd.org>
11371Date: Fri May 11 03:22:55 2018 +0000
11372
11373 upstream: Explicit cast when snprintf'ing an uint64. Prevents
11374
11375 warnings on platforms where int64 is long not long long. ok djm@
11376
11377 OpenBSD-Commit-ID: 9c5359e2fbfce11dea2d93f7bc257e84419bd001
11378
11379commit e7751aa4094d51a9bc00778aa8d07e22934c55ee
11380Author: bluhm@openbsd.org <bluhm@openbsd.org>
11381Date: Thu Apr 26 14:47:03 2018 +0000
11382
11383 upstream: Since the previous commit, ssh regress test sftp-chroot was
11384
11385 failing. The sftp program terminated with the wrong exit code as sftp called
11386 fatal() instad of exit(0). So when the sigchld handler waits for the child,
11387 remember that it was found. Then don't expect that main() can wait again. OK
11388 dtucker@
11389
11390 OpenBSD-Commit-ID: bfafd940c0de5297940c71ddf362053db0232266
11391
11392commit 7c15301841e2e9d37cae732400de63ae9c0961d6
11393Author: Darren Tucker <dtucker@dtucker.net>
11394Date: Sun Apr 29 17:54:12 2018 +1000
11395
11396 Use includes.h instead of config.h.
11397
11398 This ensures it picks up the definition of DEF_WEAK, the lack of which
11399 can cause compile errors in some cases (eg modern AIX). From
11400 michael at felt.demon.nl.
11401
11402commit cec338967a666b7c8ad8b88175f2faeddf268116
11403Author: Darren Tucker <dtucker@dtucker.net>
11404Date: Thu Apr 19 09:53:14 2018 +1000
11405
11406 Omit 3des-cbc if OpenSSL built without DES.
11407
11408 Patch from hongxu.jia at windriver.com, ok djm@
11409
11410commit a575ddd58835759393d2dddd16ebe5abdb56485e
11411Author: djm@openbsd.org <djm@openbsd.org>
11412Date: Mon Apr 16 22:50:44 2018 +0000
11413
11414 upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch clients
11415
11416 without version numbers since they choke on them under some circumstances.
11417 https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
11418
11419 Newer Conch versions have a version number in their ident string and
11420 handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
11421
11422 OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
11423
11424commit 390c7000a8946db565b66eab9e52fb11948711fa
11425Author: djm@openbsd.org <djm@openbsd.org>
11426Date: Sat Apr 14 21:50:41 2018 +0000
11427
11428 upstream: don't free the %C expansion, it's used later for
11429
11430 LocalCommand
11431
11432 OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
11433
11434commit 3455f1e7c48e2e549192998d330214975b9b1dc7
11435Author: djm@openbsd.org <djm@openbsd.org>
11436Date: Fri Apr 13 05:04:12 2018 +0000
11437
11438 upstream: notify user immediately when underlying ssh process dies;
11439
11440 patch from Thomas Kuthan in bz2719; ok dtucker@
11441
11442 OpenBSD-Commit-ID: 78fac88c2f08054d1fc5162c43c24162b131cf78
11443
11444commit 1c5b4bc827f4abc3e65888cda061ad5edf1b8c7c
11445Author: Darren Tucker <dtucker@dtucker.net>
11446Date: Fri Apr 13 16:23:57 2018 +1000
11447
11448 Allow nanosleep in preauth privsep child.
11449
11450 The new timing attack mitigation code uses nanosleep in the preauth
11451 codepath, allow in systrace andbox too.
11452
11453commit 0e73428038d5ecfa5d2a28cff26661502a7aff4e
11454Author: Darren Tucker <dtucker@dtucker.net>
11455Date: Fri Apr 13 16:06:29 2018 +1000
11456
11457 Allow nanosleep in preauth privsep child.
11458
11459 The new timing attack mitigation code uses nanosleep in the preauth
11460 codepath, allow in sandbox.
11461
11462commit e9d910b0289c820852f7afa67f584cef1c05fe95
11463Author: dtucker@openbsd.org <dtucker@openbsd.org>
11464Date: Fri Apr 13 03:57:26 2018 +0000
11465
11466 upstream: Defend against user enumeration timing attacks. This
11467
11468 establishes a minimum time for each failed authentication attempt (5ms) and
11469 adds a per-user constant derived from a host secret (0-4ms). Based on work
11470 by joona.kannisto at tut.fi, ok markus@ djm@.
11471
11472 OpenBSD-Commit-ID: b7845b355bb7381703339c8fb0e57e81a20ae5ca
11473
11474commit d97874cbd909eb706886cd0cdd418f812c119ef9
11475Author: Darren Tucker <dtucker@dtucker.net>
11476Date: Fri Apr 13 13:43:55 2018 +1000
11477
11478 Using "==" in shell tests is not portable.
11479
11480 Patch from rsbecker at nexbridge.com.
11481
11482commit cfb1d9bc76734681e3dea532a1504fcd466fbe91
11483Author: Damien Miller <djm@mindrot.org>
11484Date: Fri Apr 13 13:38:06 2018 +1000
11485
11486 Fix tunnel forwarding broken in 7.7p1
11487
11488 bz2855, ok dtucker@
11489
11490commit afa6e79b76fb52a0c09a29688b5c0d125eb08302
11491Author: Damien Miller <djm@mindrot.org>
11492Date: Fri Apr 13 13:31:42 2018 +1000
11493
11494 prefer to use getrandom() for PRNG seeding
11495
11496 Only applies when built --without-openssl. Thanks Jann Horn for
11497 reminder.
11498
11499commit 575fac34a97f69bc217b235f81de9f8f433eceed
11500Author: Darren Tucker <dtucker@dtucker.net>
11501Date: Fri Apr 13 13:13:33 2018 +1000
11502
11503 Revert $REGRESSTMP changes.
11504
11505 Revert 3fd2d229 and subsequent changes as they turned out to be a
11506 portability hassle.
11507
11508commit 10479cc2a4acd6faaf643eb305233b49d70c31c1
11509Author: Damien Miller <djm@mindrot.org>
11510Date: Tue Apr 10 10:19:02 2018 +1000
11511
11512 Many typo fixes from Karsten Weiss
11513
11514 Spotted using https://github.com/lucasdemarchi/codespell
11515
11516commit 907da2f88519b34189fd03fac96de0c52d448233
11517Author: djm@openbsd.org <djm@openbsd.org>
11518Date: Tue Apr 10 00:14:10 2018 +0000
11519
11520 upstream: more typos spotted by Karsten Weiss using codespell
11521
11522 OpenBSD-Regress-ID: d906a2aea0663810a658b7d0bc61a1d2907d4d69
11523
11524commit 37e5f4a7ab9a8026e5fc2f47dafb0f1b123d39e9
11525Author: djm@openbsd.org <djm@openbsd.org>
11526Date: Tue Apr 10 00:13:27 2018 +0000
11527
11528 upstream: make this a bit more portable-friendly
11529
11530 OpenBSD-Regress-ID: 62f7b9e055e8dfaab92b3825f158beeb4ca3f963
11531
11532commit 001aa55484852370488786bd40e9fdad4b465811
11533Author: djm@openbsd.org <djm@openbsd.org>
11534Date: Tue Apr 10 00:10:49 2018 +0000
11535
11536 upstream: lots of typos in comments/docs. Patch from Karsten Weiss
11537
11538 after checking with codespell tool
11539 (https://github.com/lucasdemarchi/codespell)
11540
11541 OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
11542
11543commit 260ede2787fe80b18b8d5920455b4fb268519c7d
11544Author: djm@openbsd.org <djm@openbsd.org>
11545Date: Mon Apr 9 23:54:49 2018 +0000
11546
11547 upstream: don't kill ssh-agent's listening socket entriely if we
11548
11549 fail to accept a connection; bz#2837, patch from Lukas Kuster
11550
11551 OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
11552
11553commit ebc8b4656f9b0f834a642a9fb3c9fbca86a61838
11554Author: tj@openbsd.org <tj@openbsd.org>
11555Date: Mon Apr 9 20:41:22 2018 +0000
11556
11557 upstream: the UseLogin option was removed, so remove it here too.
11558
11559 ok dtucker
11560
11561 OpenBSD-Commit-ID: 7080be73a64d68e21f22f5408a67a0ba8b1b6b06
11562
11563commit 3e36f281851fc8e9c996b33f108b2ae167314fbe
11564Author: jmc@openbsd.org <jmc@openbsd.org>
11565Date: Sun Apr 8 07:36:02 2018 +0000
11566
11567 upstream: tweak previous;
11568
11569 OpenBSD-Commit-ID: 2b9c23022ea7b9dddb62864de4e906000f9d7474
11570
11571commit 8368571efd6693c5c57f850e23a2372acf3f865f
11572Author: jmc@openbsd.org <jmc@openbsd.org>
11573Date: Sat Apr 7 13:50:10 2018 +0000
11574
11575 upstream: tweak previous;
11576
11577 OpenBSD-Commit-ID: 38e347b6f8e888f5e0700d01abb1eba7caa154f9
11578
11579commit 555294a7279914ae6795b71bedf4e6011b7636df
11580Author: djm@openbsd.org <djm@openbsd.org>
11581Date: Fri Apr 6 13:02:39 2018 +0000
11582
11583 upstream: Allow "SendEnv -PATTERN" to clear environment variables
11584
11585 previously labeled for sendind. bz#1285 ok dtucker@
11586
11587 OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
11588
11589commit 40f5f03544a07ebd2003b443d42e85cb51d94d59
11590Author: djm@openbsd.org <djm@openbsd.org>
11591Date: Fri Apr 6 04:15:45 2018 +0000
11592
11593 upstream: relax checking of authorized_keys environment="..."
11594
11595 options to allow underscores in variable names (regression introduced in
11596 7.7). bz2851, ok deraadt@
11597
11598 OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
11599
11600commit 30fd7f9af0f553aaa2eeda5a1f53f26cfc222b5e
11601Author: djm@openbsd.org <djm@openbsd.org>
11602Date: Fri Apr 6 03:51:27 2018 +0000
11603
11604 upstream: add a couple of missed options to the config dump; patch
11605
11606 from Jakub Jelen via bz2835
11607
11608 OpenBSD-Commit-ID: 5970adadf6ef206bee0dddfc75d24c2019861446
11609
11610commit 8d6829be324452d2acd282d5f8ceb0adaa89a4de
11611Author: djm@openbsd.org <djm@openbsd.org>
11612Date: Fri Apr 6 03:34:27 2018 +0000
11613
11614 upstream: ssh does not accept -oInclude=... on the commandline, the
11615
11616 Include keyword is for configuration files only. bz#2840, patch from Jakub
11617 Jelen
11618
11619 OpenBSD-Commit-ID: 32d052b4a7a7f22df35fe3f71c368c02b02cacb0
11620
11621commit 00c5222ddc0c8edcaa4ea45ac03befdc8013d137
11622Author: djm@openbsd.org <djm@openbsd.org>
11623Date: Thu Apr 5 22:54:28 2018 +0000
11624
11625 upstream: We don't offer CBC cipher by default any more. Spotted by
11626
11627 Renaud Allard (via otto@)
11628
11629 OpenBSD-Commit-ID: a559b1eef741557dd959ae378b665a2977d92dca
11630
11631commit 5ee8448ad7c306f05a9f56769f95336a8269f379
11632Author: job@openbsd.org <job@openbsd.org>
11633Date: Wed Apr 4 15:12:17 2018 +0000
11634
11635 upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for
11636
11637 interactive and CS1 for bulk
11638
11639 AF21 was selected as this is the highest priority within the low-latency
11640 service class (and it is higher than what we have today). SSH is elastic
11641 and time-sensitive data, where a user is waiting for a response via the
11642 network in order to continue with a task at hand. As such, these flows
11643 should be considered foreground traffic, with delays or drops to such
11644 traffic directly impacting user-productivity.
11645
11646 For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
11647 networks implementing a scavanger/lower-than-best effort class to
11648 discriminate scp(1) below normal activities, such as web surfing. In
11649 general this type of bulk SSH traffic is a background activity.
11650
11651 An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
11652 is that they are recognisable values on all common platforms (IANA
11653 https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
11654 for AF21 specifically a definition of the intended behavior exists
11655 https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
11656 of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
11657 for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
11658
11659 The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
11660 802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
11661 or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
11662 MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
11663
11664 OK deraadt@, "no objection" djm@
11665
11666 OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
11667
11668commit 424b544fbda963f973da80f884717c3e0a513288
11669Author: dtucker@openbsd.org <dtucker@openbsd.org>
11670Date: Tue Apr 3 02:14:08 2018 +0000
11671
11672 upstream: Import regenerated moduli file.
11673
11674 OpenBSD-Commit-ID: 1de0e85522051eb2ffa00437e1885e9d7b3e0c2e
11675
11676commit 323f66ce934df2da551f256f37d69822428e1ca1
11677Author: dtucker@openbsd.org <dtucker@openbsd.org>
11678Date: Fri Apr 6 04:18:35 2018 +0000
11679
11680 upstream: Add test for username options parsing order, prompted by
11681
11682 bz#2849.
11683
11684 OpenBSD-Regress-ID: 6985cd32f38596882a3ac172ff8c510693b65283
11685
11686commit e8f474554e3bda102a797a2fbab0594ccc66f097
11687Author: Damien Miller <djm@mindrot.org>
11688Date: Fri Apr 6 14:11:44 2018 +1000
11689
11690 Expose SSH_AUTH_INFO_0 to PAM auth modules
11691
11692 bz#2408, patch from Radoslaw Ejsmont; ok dtucker@
11693
11694commit 014ba209cf4c6a159baa30ecebbaddfa97da7100
11695Author: Darren Tucker <dtucker@dtucker.net>
11696Date: Tue Apr 3 12:18:00 2018 +1000
11697
11698 Import regenerated moduli file.
11699
11700commit a0349a1cc4a18967ad1dbff5389bcdf9da098814
11701Author: Damien Miller <djm@mindrot.org>
11702Date: Mon Apr 2 15:38:28 2018 +1000
11703
11704 update versions in .spec files
11705
11706commit 816ad38f79792f5617e3913be306ddb27e91091c
11707Author: Damien Miller <djm@mindrot.org>
11708Date: Mon Apr 2 15:38:20 2018 +1000
11709
11710 update version number
11711
11712commit 2c71ca1dd1efe458cb7dee3f8a1a566f913182c2
11713Author: Darren Tucker <dtucker@dtucker.net>
11714Date: Fri Mar 30 18:23:07 2018 +1100
11715
11716 Disable native strndup and strnlen on AIX.
11717
11718 On at least some revisions of AIX, strndup returns unterminated strings
11719 under some conditions, apparently because strnlen returns incorrect
11720 values in those cases. Disable both on AIX and use the replacements
11721 from openbsd-compat. Fixes problem with ECDSA keys there, ok djm.
11722
11723commit 6b5a17bc14e896e3904dc58d889b58934cfacd24
11724Author: Darren Tucker <dtucker@dtucker.net>
11725Date: Mon Mar 26 13:12:44 2018 +1100
11726
11727 Include ssh_api.h for struct ssh.
11728
11729 struct ssh is needed by implementations of sys_auth_passwd() that were
11730 converted in commit bba02a50. Needed to fix build on AIX, I assume for
11731 the other platforms too (although it should be harmless if not needed).
11732
11733commit bc3f80e4d191b8e48650045dfa8a682cd3aabd4d
11734Author: Darren Tucker <dtucker@dtucker.net>
11735Date: Mon Mar 26 12:58:09 2018 +1100
11736
11737 Remove UNICOS code missed during removal.
11738
11739 Fixes compile error on AIX.
11740
11741commit 9d57762c24882e2f000a21a0ffc8c5908a1fa738
11742Author: markus@openbsd.org <markus@openbsd.org>
11743Date: Sat Mar 24 19:29:03 2018 +0000
11744
11745 upstream: openssh-7.7
11746
11747 OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
11748
11749commit 4b7d8acdbbceef247dc035e611e577174ed8a87e
11750Author: Damien Miller <djm@mindrot.org>
11751Date: Mon Mar 26 09:37:02 2018 +1100
11752
11753 Remove authinfo.sh test dependency on printenv
11754
11755 Some platforms lack printenv in the default $PATH.
11756 Reported by Tom G. Christensen
11757
11758commit 4afeaf3dcb7dc70efd98fcfcb0ed28a6b40b820e
11759Author: Tim Rice <tim@multitalents.net>
11760Date: Sun Mar 25 10:00:21 2018 -0700
11761
11762 Use libiaf on all sysv5 systems
11763
11764commit bba02a5094b3db228ceac41cb4bfca165d0735f3
11765Author: Tim Rice <tim@multitalents.net>
11766Date: Sun Mar 25 09:17:33 2018 -0700
11767
11768 modified: auth-sia.c
11769 modified: openbsd-compat/port-aix.c
11770 modified: openbsd-compat/port-uw.c
11771
11772 propogate changes to auth-passwd.c in commit
11773 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 to other providers
11774 of sys_auth_passwd()
11775
11776commit d7a7a39168bdfe273587bf85d779d60569100a3f
11777Author: markus@openbsd.org <markus@openbsd.org>
11778Date: Sat Mar 24 19:29:03 2018 +0000
11779
11780 upstream: openssh-7.7
11781
11782 OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
11783
11784commit 9efcaaac314c611c6c0326e8bac5b486c424bbd2
11785Author: markus@openbsd.org <markus@openbsd.org>
11786Date: Sat Mar 24 19:28:43 2018 +0000
11787
11788 upstream: fix bogus warning when signing cert keys using agent;
11789
11790 from djm; ok deraadt dtucker
11791
11792 OpenBSD-Commit-ID: 12e50836ba2040042383a8b71e12d7ea06e9633d
11793
11794commit 393436024d2e4b4c7a01f9cfa5854e7437896d11
11795Author: Darren Tucker <dtucker@dtucker.net>
11796Date: Sun Mar 25 09:40:46 2018 +1100
11797
11798 Replace /dev/stdin with "-".
11799
11800 For some reason sftp -b doesn't work with /dev/stdin on Cygwin, as noted
11801 and suggested by vinschen at redhat.com.
11802
11803commit b5974de1a1d419e316ffb6524b1b277dda2f3b49
11804Author: Darren Tucker <dtucker@dtucker.net>
11805Date: Fri Mar 23 13:21:14 2018 +1100
11806
11807 Provide $OBJ to paths in PuTTY interop tests.
11808
11809commit dc31e79454e9b9140b33ad380565fdb59b9c4f33
11810Author: dtucker@openbsd.org <dtucker@openbsd.org>
11811Date: Fri Mar 16 09:06:31 2018 +0000
11812
11813 upstream: Tell puttygen to use /dev/urandom instead of /dev/random. On
11814
11815 OpenBSD they are both non-blocking, but on many other -portable platforms it
11816 blocks, stalling tests.
11817
11818 OpenBSD-Regress-ID: 397d0d4c719c353f24d79f5b14775e0cfdf0e1cc
11819
11820commit cb1f94431ef319cd48618b8b771b58739a8210cf
11821Author: markus@openbsd.org <markus@openbsd.org>
11822Date: Thu Mar 22 07:06:11 2018 +0000
11823
11824 upstream: ssh/xmss: fix build; ok djm@
11825
11826 OpenBSD-Commit-ID: c9374ca41d4497f1c673ab681cc33f6e7c5dd186
11827
11828commit 27979da9e4074322611355598f69175b9ff10d39
11829Author: markus@openbsd.org <markus@openbsd.org>
11830Date: Thu Mar 22 07:05:48 2018 +0000
11831
11832 upstream: ssh/xmss: fix deserialize for certs; ok djm@
11833
11834 OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
11835
11836commit c6cb2565c9285eb54fa9dfbb3890f5464aff410f
11837Author: Darren Tucker <dtucker@dtucker.net>
11838Date: Thu Mar 22 17:00:28 2018 +1100
11839
11840 Save $? before case statement.
11841
11842 In some shells (FreeBSD 9, ash) the case statement resets $?, so save
11843 for later testing.
11844
11845commit 4c4e7f783b43b264c247233acb887ee10ed4ce4d
11846Author: djm@openbsd.org <djm@openbsd.org>
11847Date: Wed Mar 14 05:35:40 2018 +0000
11848
11849 upstream: rename recently-added "valid-before" key restriction to
11850
11851 "expiry-time" as the former is confusing wrt similar terminology in X.509;
11852 pointed out by jsing@
11853
11854 OpenBSD-Regress-ID: ac8b41dbfd90cffd525d58350c327195b0937793
11855
11856commit 500396b204c58e78ad9d081516a365a9f28dc3fd
11857Author: djm@openbsd.org <djm@openbsd.org>
11858Date: Mon Mar 12 00:56:03 2018 +0000
11859
11860 upstream: check valid-before option in authorized_keys
11861
11862 OpenBSD-Regress-ID: 7e1e4a84f7f099a290e5a4cbf4196f90ff2d7e11
11863
11864commit a76b5d26c2a51d7dd7a5164e683ab3f4419be215
11865Author: djm@openbsd.org <djm@openbsd.org>
11866Date: Mon Mar 12 00:54:04 2018 +0000
11867
11868 upstream: explicitly specify RSA/SHA-2 keytype here too
11869
11870 OpenBSD-Regress-ID: 74d7b24e8c72c27af6b481198344eb077e993a62
11871
11872commit 3a43297ce29d37c64e37c7e21282cb219e28d3d1
11873Author: djm@openbsd.org <djm@openbsd.org>
11874Date: Mon Mar 12 00:52:57 2018 +0000
11875
11876 upstream: exlicitly include RSA/SHA-2 keytypes in
11877
11878 PubkeyAcceptedKeyTypes here
11879
11880 OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
11881
11882commit 037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8
11883Author: jmc@openbsd.org <jmc@openbsd.org>
11884Date: Wed Mar 14 06:56:20 2018 +0000
11885
11886 upstream: sort expiry-time;
11887
11888 OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
11889
11890commit abc0fa38c9bc136871f28e452c3465c3051fc785
11891Author: djm@openbsd.org <djm@openbsd.org>
11892Date: Wed Mar 14 05:35:40 2018 +0000
11893
11894 upstream: rename recently-added "valid-before" key restriction to
11895
11896 "expiry-time" as the former is confusing wrt similar terminology in X.509;
11897 pointed out by jsing@
11898
11899 OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
11900
11901commit bf0fbf2b11a44f06a64b620af7d01ff171c28e13
11902Author: djm@openbsd.org <djm@openbsd.org>
11903Date: Mon Mar 12 00:52:01 2018 +0000
11904
11905 upstream: add valid-before="[time]" authorized_keys option. A
11906
11907 simple way of giving a key an expiry date. ok markus@
11908
11909 OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
11910
11911commit fbd733ab7adc907118a6cf56c08ed90c7000043f
11912Author: Darren Tucker <dtucker@dtucker.net>
11913Date: Mon Mar 12 19:17:26 2018 +1100
11914
11915 Add AC_LANG_PROGRAM to AC_COMPILE_IFELSE.
11916
11917 The recently added MIPS ABI tests need AC_LANG_PROGRAM to prevent
11918 warnings from autoconf. Pointed out by klausz at haus-gisela.de.
11919
11920commit c7c458e8261b04d161763cd333d74e7a5842e917
11921Author: djm@openbsd.org <djm@openbsd.org>
11922Date: Wed Mar 7 23:53:08 2018 +0000
11923
11924 upstream: revert recent strdelim() change, it causes problems with
11925
11926 some configs.
11927
11928 revision 1.124
11929 date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid: nNRsCijZiGG6SUTT;
11930 Allow escaped quotes \" and \' in ssh_config and sshd_config quotes
11931 option strings. bz#1596 ok markus@
11932
11933 OpenBSD-Commit-ID: 59c40b1b81206d713c06b49d8477402c86babda5
11934
11935commit 0bcd871ccdf3baf2b642509ba4773d5be067cfa2
11936Author: jmc@openbsd.org <jmc@openbsd.org>
11937Date: Mon Mar 5 07:03:18 2018 +0000
11938
11939 upstream: move the input format details to -f; remove the output
11940
11941 format details and point to sshd(8), where it is documented;
11942
11943 ok dtucker
11944
11945 OpenBSD-Commit-ID: 95f17e47dae02a6ac7329708c8c893d4cad0004a
11946
11947commit 45011511a09e03493568506ce32f4891a174a3bd
11948Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
11949Date: Tue Jun 20 16:42:28 2017 +0100
11950
11951 configure.ac: properly set seccomp_audit_arch for MIPS64
11952
11953 Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or
11954 AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built
11955 for MIPS64. However, that's only valid for n64 ABI. The right macros for
11956 n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and
11957 AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.
11958
11959 Because of that an sshd built for MIPS64 n32 rejects connection attempts
11960 and the output of strace reveals that the problem is related to seccomp
11961 audit:
11962
11963 [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,
11964 filter=0x555d5da0}) = 0
11965 [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
11966 [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP},
11967 {fd=6, revents=POLLHUP}])
11968 [pid 194] +++ killed by SIGSYS +++
11969
11970 This patch fixes that problem by setting the right value to
11971 seccomp_audit_arch taking into account the MIPS64 ABI.
11972
11973 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
11974
11975commit 580086704c31de91dc7ba040a28e416bf1fefbca
11976Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
11977Date: Tue Jun 20 16:42:11 2017 +0100
11978
11979 configure.ac: detect MIPS ABI
11980
11981 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
11982
11983commit cd4e937aa701f70366cd5b5969af525dff6fdf15
11984Author: Alan Yee <alyee@ucsd.edu>
11985Date: Wed Mar 7 15:12:14 2018 -0800
11986
11987 Use https URLs for links that support it.
11988
11989commit c0a0c3fc4a76b682db22146b28ddc46566db1ce9
11990Author: Darren Tucker <dtucker@dtucker.net>
11991Date: Mon Mar 5 20:03:07 2018 +1100
11992
11993 Disable UTMPX on SunOS4.
11994
11995commit 58fd4c5c0140f6636227ca7acbb149ab0c2509b9
11996Author: Darren Tucker <dtucker@dtucker.net>
11997Date: Mon Mar 5 19:28:08 2018 +1100
11998
11999 Check for and work around buggy fflush(NULL).
12000
12001 Some really old platforms (eg SunOS4) segfault on fflush(NULL) so check
12002 for and work around. With klausz at haus-gisela.de.
12003
12004commit 71e48bc7945f867029e50e06c665c66aed6d3c64
12005Author: Darren Tucker <dtucker@dtucker.net>
12006Date: Mon Mar 5 10:22:32 2018 +1100
12007
12008 Remove extra XMSS #endif
12009
12010 Extra #endif breaks compile with -DWITH_XMSS. Pointed out by Jack
12011 Schmidt via github.
12012
12013commit 055e09e2212ff52067786bf6d794ca9512ff7f0c
12014Author: dtucker@openbsd.org <dtucker@openbsd.org>
12015Date: Sat Mar 3 06:37:53 2018 +0000
12016
12017 upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18
12018
12019 bumped the minimum from 768 to 1024, update man page accordingly.
12020
12021 OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
12022
12023commit 7e4fadd3248d6bb7d39d6688c76a613d35d2efc1
12024Author: djm@openbsd.org <djm@openbsd.org>
12025Date: Sun Mar 4 01:46:48 2018 +0000
12026
12027 upstream: for the pty control tests, just check that the PTY path
12028
12029 points to something in /dev (rather than checking the device node itself);
12030 makes life easier for portable, where systems with dynamic ptys can delete
12031 nodes before we get around to testing their existence.
12032
12033 OpenBSD-Regress-ID: b1e455b821e62572bccd98102f8dd9d09bb94994
12034
12035commit 13ef4cf53f24753fe920832b990b25c9c9cd0530
12036Author: Darren Tucker <dtucker@dtucker.net>
12037Date: Sat Mar 3 16:21:20 2018 +1100
12038
12039 Update PAM password change to new opts API.
12040
12041commit 33561e68e0b27366cb769295a077aabc6a49d2a1
12042Author: Darren Tucker <dtucker@dtucker.net>
12043Date: Sat Mar 3 14:56:09 2018 +1100
12044
12045 Add strndup for platforms that need it.
12046
12047 Some platforms don't have strndup, which includes Solaris 10, NetBSD 3
12048 and FreeBSD 6.
12049
12050commit e8a17feba95eef424303fb94441008f6c5347aaf
12051Author: Darren Tucker <dtucker@dtucker.net>
12052Date: Sat Mar 3 14:49:07 2018 +1100
12053
12054 Flatten and alphabetize object file lists.
12055
12056 This will make maintenance and changes easier. "no objection" tim@
12057
12058commit de1920d743d295f50e6905e5957c4172c038e8eb
12059Author: djm@openbsd.org <djm@openbsd.org>
12060Date: Sat Mar 3 03:16:17 2018 +0000
12061
12062 upstream: unit tests for new authorized_keys options API
12063
12064 OpenBSD-Regress-ID: 820f9ec9c6301f6ca330ad4052d85f0e67d0bdc1
12065
12066commit dc3e92df17556dc5b0ab19cee8dcb2a6ba348717
12067Author: djm@openbsd.org <djm@openbsd.org>
12068Date: Fri Mar 2 02:53:27 2018 +0000
12069
12070 upstream: fix testing of pty option, include positive test and
12071
12072 testing of restrict keyword
12073
12074 OpenBSD-Regress-ID: 4268f27c2706a0a95e725d9518c5bcbec9814c6d
12075
12076commit 3d1edd1ebbc0aabea8bbe61903060f37137f7c61
12077Author: djm@openbsd.org <djm@openbsd.org>
12078Date: Fri Mar 2 02:51:55 2018 +0000
12079
12080 upstream: better testing for port-forwarding and restrict flags in
12081
12082 authorized_keys
12083
12084 OpenBSD-Regress-ID: ee771df8955f2735df54746872c6228aff381daa
12085
12086commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
12087Author: djm@openbsd.org <djm@openbsd.org>
12088Date: Sat Mar 3 03:15:51 2018 +0000
12089
12090 upstream: switch over to the new authorized_keys options API and
12091
12092 remove the legacy one.
12093
12094 Includes a fairly big refactor of auth2-pubkey.c to retain less state
12095 between key file lines.
12096
12097 feedback and ok markus@
12098
12099 OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
12100
12101commit 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b
12102Author: djm@openbsd.org <djm@openbsd.org>
12103Date: Sat Mar 3 03:06:02 2018 +0000
12104
12105 upstream: Introduce a new API for handling authorized_keys options.
12106
12107 This API parses options to a dedicated structure rather than the old API's
12108 approach of setting global state. It also includes support for merging
12109 options, e.g. from authorized_keys, authorized_principals and/or
12110 certificates.
12111
12112 feedback and ok markus@
12113
12114 OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
12115
12116commit 26074380767e639ef89321610e146ae11016b385
12117Author: djm@openbsd.org <djm@openbsd.org>
12118Date: Sat Mar 3 03:01:50 2018 +0000
12119
12120 upstream: warn when the agent returns a signature type that was
12121
12122 different to what was requested. This might happen when an old/non-OpenSSH
12123 agent is asked to make a rsa-sha2-256/512 signature but only supports
12124 ssh-rsa. bz#2799 feedback and ok markus@
12125
12126 OpenBSD-Commit-ID: 760c0f9438c5c58abc16b5f98008ff2d95cb13ce
12127
12128commit f493d2b0b66fb003ed29f31dd66ff1aeb64be1fc
12129Author: jmc@openbsd.org <jmc@openbsd.org>
12130Date: Fri Mar 2 21:40:15 2018 +0000
12131
12132 upstream: apply a lick of paint; tweaks/ok dtucker
12133
12134 OpenBSD-Commit-ID: 518a6736338045e0037f503c21027d958d05e703
12135
12136commit 713d9cb510e0e7759398716cbe6dcf43e574be71
12137Author: djm@openbsd.org <djm@openbsd.org>
12138Date: Fri Mar 2 03:02:11 2018 +0000
12139
12140 upstream: Allow escaped quotes \" and \' in ssh_config and
12141
12142 sshd_config quotes option strings. bz#1596 ok markus@
12143
12144 OpenBSD-Commit-ID: dd3a29fc2dc905e8780198e5a6a30b096de1a1cb
12145
12146commit 94b4e2d29afaaaef89a95289b16c18bf5627f7cd
12147Author: djm@openbsd.org <djm@openbsd.org>
12148Date: Fri Mar 2 02:08:03 2018 +0000
12149
12150 upstream: refactor sshkey_read() to make it a little more, err,
12151
12152 readable. ok markus
12153
12154 OpenBSD-Commit-ID: 2e9247b5762fdac3b6335dc606d3822121714c28
12155
12156commit 5886b92968b360623491699247caddfb77a74d80
12157Author: markus@openbsd.org <markus@openbsd.org>
12158Date: Thu Mar 1 20:32:16 2018 +0000
12159
12160 upstream: missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by
12161
12162 jmc@
12163
12164 OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b
12165
12166commit 3b36bed3d26f17f6a2b7e036e01777770fe1bcd4
12167Author: dtucker@openbsd.org <dtucker@openbsd.org>
12168Date: Mon Feb 26 12:14:53 2018 +0000
12169
12170 upstream: Remove unneeded (local) include. ok markus@
12171
12172 OpenBSD-Commit-ID: 132812dd2296b1caa8cb07d2408afc28e4e60f93
12173
12174commit 27b9f3950e0289e225b57b7b880a8f1859dcd70b
12175Author: dtucker@openbsd.org <dtucker@openbsd.org>
12176Date: Mon Feb 26 03:56:44 2018 +0000
12177
12178 upstream: Add $OpenBSD$ markers to xmss files to help keep synced
12179
12180 with portable. ok djm@.
12181
12182 OpenBSD-Commit-ID: 5233a27aafd1dfadad4b957225f95ae51eb365c1
12183
12184commit afd830847a82ebbd5aeab05bad6d2c8ce74df1cd
12185Author: dtucker@openbsd.org <dtucker@openbsd.org>
12186Date: Mon Feb 26 03:03:05 2018 +0000
12187
12188 upstream: Add newline at end of file to prevent compiler warnings.
12189
12190 OpenBSD-Commit-ID: 52f247d4eafe840c7c14c8befa71a760a8eeb063
12191
12192commit 941e0d3e9bb8d5e4eb70cc694441445faf037c84
12193Author: Darren Tucker <dtucker@dtucker.net>
12194Date: Wed Feb 28 19:59:35 2018 +1100
12195
12196 Add WITH_XMSS, move to prevent conflicts.
12197
12198 Add #ifdef WITH_XMSS to ssh-xmss.c, move it in the other files to after
12199 includes.h so it's less likely to conflict and will pick up WITH_XMSS if
12200 added to config.h.
12201
12202commit a10d8552d0d2438da4ed539275abcbf557d1e7a8
12203Author: Darren Tucker <dtucker@dtucker.net>
12204Date: Tue Feb 27 14:45:17 2018 +1100
12205
12206 Conditionally compile XMSS code.
12207
12208 The XMSS code is currently experimental and, unlike the rest of OpenSSH
12209 cannot currently be compiled with a c89 compiler.
12210
12211commit 146c3bd28c8dbee9c4b06465d9c9facab96b1e9b
12212Author: Darren Tucker <dtucker@dtucker.net>
12213Date: Mon Feb 26 12:51:29 2018 +1100
12214
12215 Check dlopen has RTLD_NOW before enabling pkcs11.
12216
12217commit 1323f120d06a26074c4d154fcbe7f49bcad3d741
12218Author: Darren Tucker <dtucker@dtucker.net>
12219Date: Tue Feb 27 08:41:25 2018 +1100
12220
12221 Check for attributes on prototype args.
12222
12223 Some compilers (gcc 2.9.53, 3.0 and probably others, see gcc bug #3481)
12224 do not accept __attribute__ on function pointer prototype args. Check for
12225 this and hide them if they're not accepted.
12226
12227commit f0b245b0439e600fab782d19e97980e9f2c2533c
12228Author: Darren Tucker <dtucker@dtucker.net>
12229Date: Mon Feb 26 11:43:48 2018 +1100
12230
12231 Check if HAVE_DECL_BZERO correctly.
12232
12233commit c7ef4a399155e1621a532cc5e08e6fa773658dd4
12234Author: Darren Tucker <dtucker@dtucker.net>
12235Date: Mon Feb 26 17:42:56 2018 +1100
12236
12237 Wrap <stdint.h> in #ifdef HAVE_STDINT_H.
12238
12239commit ac53ce46cf8165cbda7f57ee045f9f32e1e92b31
12240Author: Darren Tucker <dtucker@dtucker.net>
12241Date: Mon Feb 26 16:24:23 2018 +1100
12242
12243 Replace $(CURDIR) with $(PWD).
12244
12245 The former doesn't work on Solaris or BSDs.
12246
12247commit 534b2680a15d14e7e60274d5b29b812d44cc5a44
12248Author: Darren Tucker <dtucker@dtucker.net>
12249Date: Mon Feb 26 14:51:59 2018 +1100
12250
12251 Comment out hexdump().
12252
12253 Nothing currently uses them but they cause conflicts on at least
12254 FreeBSD, possibly others. ok djm@
12255
12256commit 5aea4aa522f61bb2f34c3055a7de203909dfae77
12257Author: Darren Tucker <dtucker@dtucker.net>
12258Date: Mon Feb 26 14:39:14 2018 +1100
12259
12260 typo: missing ;
12261
12262commit cd3ab57f9b388f8b1abf601dc4d78ff82d83b75e
12263Author: Darren Tucker <dtucker@dtucker.net>
12264Date: Mon Feb 26 14:37:06 2018 +1100
12265
12266 Hook up flock() compat code.
12267
12268 Also a couple of minor changes: fail if we can't lock instead of
12269 silently succeeding, and apply a couple of minor style fixes.
12270
12271commit b087998d1ba90dd1ddb6bfdb17873dc3e7392798
12272Author: Darren Tucker <dtucker@dtucker.net>
12273Date: Mon Feb 26 14:27:02 2018 +1100
12274
12275 Import flock() compat from NetBSD.
12276
12277 From NetBSD's src/trunk/tools/compat/flock.c, no OpenSSH changes yet.
12278
12279commit 89212533dde6798324e835b1499084658df4579e
12280Author: Darren Tucker <dtucker@dtucker.net>
12281Date: Mon Feb 26 12:32:14 2018 +1100
12282
12283 Fix breakage when REGRESSTMP not set.
12284
12285 BUILDDIR is not set where used for REGRESSTMP, use make's CURDIR
12286 instead. Pointed out by djm@.
12287
12288commit f885474137df4b89498c0b8834c2ac72c47aa4bd
12289Author: Damien Miller <djm@mindrot.org>
12290Date: Mon Feb 26 12:18:14 2018 +1100
12291
12292 XMSS-related files get includes.h
12293
12294commit 612faa34c72e421cdc9e63f624526bae62d557cc
12295Author: Damien Miller <djm@mindrot.org>
12296Date: Mon Feb 26 12:17:55 2018 +1100
12297
12298 object files end with .o - not .c
12299
12300commit bda709b8e13d3eef19e69c2d1684139e3af728f5
12301Author: Damien Miller <djm@mindrot.org>
12302Date: Mon Feb 26 12:17:22 2018 +1100
12303
12304 avoid inclusion of deprecated selinux/flask.h
12305
12306 Use string_to_security_class() instead.
12307
12308commit 2e396439365c4ca352cac222717d09b14f8a0dfd
12309Author: Damien Miller <djm@mindrot.org>
12310Date: Mon Feb 26 11:48:27 2018 +1100
12311
12312 updatedepend
12313
12314commit 1b11ea7c58cd5c59838b5fa574cd456d6047b2d4
12315Author: markus@openbsd.org <markus@openbsd.org>
12316Date: Fri Feb 23 15:58:37 2018 +0000
12317
12318 upstream: Add experimental support for PQC XMSS keys (Extended
12319
12320 Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
12321 in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
12322 https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
12323 djm@
12324
12325 OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
12326
12327commit 7d330a1ac02076de98cfc8fda05353d57b603755
12328Author: jmc@openbsd.org <jmc@openbsd.org>
12329Date: Fri Feb 23 07:38:09 2018 +0000
12330
12331 upstream: some cleanup for BindInterface and ssh-keyscan;
12332
12333 OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
12334
12335commit c7b5a47e3b9db9a0f0198f9c90c705f6307afc2b
12336Author: Darren Tucker <dtucker@dtucker.net>
12337Date: Sun Feb 25 23:55:41 2018 +1100
12338
12339 Invert sense of getpgrp test.
12340
12341 AC_FUNC_GETPGRP tests if getpgrp(0) works, which it does if it's not
12342 declared. Instead, test if the zero-arg version we want to use works.
12343
12344commit b39593a6de5290650a01adf8699c6460570403c2
12345Author: Darren Tucker <dtucker@dtucker.net>
12346Date: Sun Feb 25 13:25:15 2018 +1100
12347
12348 Add no-op getsid implmentation.
12349
12350commit 11057564eb6ab8fd987de50c3d7f394c6f6632b7
12351Author: Darren Tucker <dtucker@dtucker.net>
12352Date: Sun Feb 25 11:22:57 2018 +1100
12353
12354 bsd-statvfs: include sys/vfs.h, check for f_flags.
12355
12356commit e9dede06e5bc582a4aeb5b1cd5a7a640d7de3609
12357Author: Darren Tucker <dtucker@dtucker.net>
12358Date: Sun Feb 25 10:20:31 2018 +1100
12359
12360 Handle calloc(0,x) where different from malloc.
12361
12362 Configure assumes that if malloc(0) returns null then calloc(0,n)
12363 also does. On some old platforms (SunOS4) malloc behaves as expected
12364 (as determined by AC_FUNC_MALLOC) but calloc doesn't. Test for this
12365 at configure time and activate the replacement function if found, plus
12366 handle this case in rpl_calloc.
12367
12368commit 2eb4041493fd2635ffdc64a852d02b38c4955e0b
12369Author: Darren Tucker <dtucker@dtucker.net>
12370Date: Sat Feb 24 21:06:48 2018 +1100
12371
12372 Add prototype for readv if needed.
12373
12374commit 6c8c9a615b6d31db8a87bc25033f053d5b0a831e
12375Author: Darren Tucker <dtucker@dtucker.net>
12376Date: Sat Feb 24 20:46:37 2018 +1100
12377
12378 Check for raise and supply if needed.
12379
12380commit a9004425a032d7a7141a5437cfabfd02431e2a74
12381Author: Darren Tucker <dtucker@dtucker.net>
12382Date: Sat Feb 24 20:25:22 2018 +1100
12383
12384 Check for bzero and supply if needed.
12385
12386 Since explicit_bzero uses it via an indirect it needs to be a function
12387 not just a macro.
12388
12389commit 1a348359e4d2876203b5255941bae348557f4f54
12390Author: djm@openbsd.org <djm@openbsd.org>
12391Date: Fri Feb 23 05:14:05 2018 +0000
12392
12393 upstream: Add ssh-keyscan -D option to make it print its results in
12394
12395 SSHFP format bz#2821, ok dtucker@
12396
12397 OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
12398
12399commit 3e19fb976a47b44b3d7c4f8355269f7f2c5dd82c
12400Author: dtucker@openbsd.org <dtucker@openbsd.org>
12401Date: Fri Feb 23 04:18:46 2018 +0000
12402
12403 upstream: Add missing braces.
12404
12405 Caught by the tinderbox's -Werror=misleading-indentation, ok djm@
12406
12407 OpenBSD-Commit-ID: d44656af594c3b2366eb87d6abcef83e1c88a6ca
12408
12409commit b59162da99399d89bd57f71c170c0003c55b1583
12410Author: Darren Tucker <dtucker@dtucker.net>
12411Date: Fri Feb 23 15:20:42 2018 +1100
12412
12413 Check for ifaddrs.h for BindInterface.
12414
12415 BindInterface required getifaddr and friends so disable if not available
12416 (eg Solaris 10). We should be able to add support for some systems with
12417 a bit more work but this gets the building again.
12418
12419commit a8dd6fe0aa10b6866830b4688a73ef966f0aed88
12420Author: Damien Miller <djm@mindrot.org>
12421Date: Fri Feb 23 14:19:11 2018 +1100
12422
12423 space before tab in previous
12424
12425commit b5e9263c7704247f9624c8f5c458e9181fcdbc09
12426Author: dtucker@openbsd.org <dtucker@openbsd.org>
12427Date: Fri Feb 9 03:40:22 2018 +0000
12428
12429 upstream: Replace fatal with exit in the case that we do not have
12430
12431 $SUDO set. Prevents test failures when neither sudo nor doas are configured.
12432
12433 OpenBSD-Regress-ID: 6a0464decc4f8ac7d6eded556a032b0fc521bc7b
12434
12435commit 3e9d3192ad43758ef761c5b0aa3ac5ccf8121ef2
12436Author: Darren Tucker <dtucker@dtucker.net>
12437Date: Fri Feb 23 14:10:53 2018 +1100
12438
12439 Use portable syntax for REGRESSTMP.
12440
12441commit 73282b61187883a2b2bb48e087fdda1d751d6059
12442Author: djm@openbsd.org <djm@openbsd.org>
12443Date: Fri Feb 23 03:03:00 2018 +0000
12444
12445 upstream: unbreak interop test after SSHv1 purge; patch from Colin
12446
12447 Watson via bz#2823
12448
12449 OpenBSD-Regress-ID: 807d30a597756ed6612bdf46dfebca74f49cb31a
12450
12451commit f8985dde5f46aedade0373365cbf86ed3f1aead2
12452Author: dtucker@openbsd.org <dtucker@openbsd.org>
12453Date: Fri Feb 9 03:42:57 2018 +0000
12454
12455 upstream: Skip sftp-chroot test when SUDO not set instead of
12456
12457 fatal().
12458
12459 OpenBSD-Regress-ID: cd4b5f1109b0dc09af4e5ea7d4968c43fbcbde88
12460
12461commit df88551c02d4e3445c44ff67ba8757cff718609a
12462Author: dtucker@openbsd.org <dtucker@openbsd.org>
12463Date: Fri Feb 9 03:40:22 2018 +0000
12464
12465 upstream: Replace fatal with exit in the case that we do not have
12466
12467 $SUDO set. Prevents test failures when neither sudo nor doas are configured.
12468
12469 OpenBSD-Regress-ID: 6a0464decc4f8ac7d6eded556a032b0fc521bc7b
12470
12471commit 3b252c20b19f093e87363de197f1100b79705dd3
12472Author: djm@openbsd.org <djm@openbsd.org>
12473Date: Thu Feb 8 08:46:20 2018 +0000
12474
12475 upstream: some helpers to check verbose/quiet mode
12476
12477 OpenBSD-Regress-ID: e736aac39e563f5360a0935080a71d5fdcb976de
12478
12479commit ac2e3026bbee1367e4cda34765d1106099be3287
12480Author: djm@openbsd.org <djm@openbsd.org>
12481Date: Fri Feb 23 02:34:33 2018 +0000
12482
12483 upstream: Add BindInterface ssh_config directive and -B
12484
12485 command-line argument to ssh(1) that directs it to bind its outgoing
12486 connection to the address of the specified network interface.
12487
12488 BindInterface prefers to use addresses that aren't loopback or link-
12489 local, but will fall back to those if no other addresses of the
12490 required family are available on that interface.
12491
12492 Based on patch by Mike Manning in bz#2820, ok dtucker@
12493
12494 OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
12495
12496commit fcdb9d777839a3fa034b3bc3067ba8c1f6886679
12497Author: djm@openbsd.org <djm@openbsd.org>
12498Date: Mon Feb 19 00:55:02 2018 +0000
12499
12500 upstream: emphasise that the hostkey rotation may send key types
12501
12502 that the client may not support, and that the client should simply disregard
12503 such keys (this is what ssh does already).
12504
12505 OpenBSD-Commit-ID: 65f8ffbc32ac8d12be8f913d7c0ea55bef8622bf
12506
12507commit ce066f688dc166506c082dac41ca686066e3de5f
12508Author: Darren Tucker <dtucker@dtucker.net>
12509Date: Thu Feb 22 20:45:09 2018 +1100
12510
12511 Add headers for sys/audit.h.
12512
12513 On some older platforms (at least sunos4, probably others) sys/audit.h
12514 requires some other headers. Patch from klausz at haus-gisela.de.
12515
12516commit 3fd2d2291a695c96a54269deae079bacce6e3fb9
12517Author: Darren Tucker <dtucker@dtucker.net>
12518Date: Mon Feb 19 18:37:40 2018 +1100
12519
12520 Add REGRESSTMP make var override.
12521
12522 Defaults to original location ($srcdir/regress) but allows overriding
12523 if desired, eg a directory in /tmp.
12524
12525commit f8338428588f3ecb5243c86336eccaa28809f97e
12526Author: Darren Tucker <dtucker@dtucker.net>
12527Date: Sun Feb 18 15:53:15 2018 +1100
12528
12529 Remove now-unused check for getrusage.
12530
12531 getrusage was used in ssh-rand-helper but that's now long gone.
12532 Patch from klauszh at haus-gisela.de.
12533
12534commit 8570177195f6a4b3173c0a25484a83641ee3faa6
12535Author: dtucker@openbsd.org <dtucker@openbsd.org>
12536Date: Fri Feb 16 04:43:11 2018 +0000
12537
12538 upstream: Don't send IUTF8 to servers that don't like them.
12539
12540 Some SSH servers eg "ConfD" drop the connection if the client sends the
12541 new IUTF8 (RFC8160) terminal mode even if it's not set. Add a bug bit
12542 for such servers and avoid sending IUTF8 to them. ok djm@
12543
12544 OpenBSD-Commit-ID: 26425855402d870c3c0a90491e72e2a8a342ceda
12545
12546commit f6dc2ba3c9d12be53057b9371f5109ec553a399f
12547Author: Darren Tucker <dtucker@dtucker.net>
12548Date: Fri Feb 16 17:32:28 2018 +1100
12549
12550 freezero should check for NULL.
12551
12552commit 680321f3eb46773883111e234b3c262142ff7c5b
12553Author: djm@openbsd.org <djm@openbsd.org>
12554Date: Fri Feb 16 02:40:45 2018 +0000
12555
12556 upstream: Mention recent DH KEX methods:
12557
12558 diffie-hellman-group14-sha256
12559 diffie-hellman-group16-sha512
12560 diffie-hellman-group18-sha512
12561
12562 From Jakub Jelen via bz#2826
12563
12564 OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
12565
12566commit 88c50a5ae20902715f0fca306bb9c38514f71679
12567Author: djm@openbsd.org <djm@openbsd.org>
12568Date: Fri Feb 16 02:32:40 2018 +0000
12569
12570 upstream: stop loading DSA keys by default, remove sshd_config
12571
12572 stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
12573
12574 OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
12575
12576commit d2b3db2860c962927def39a52f67f1c23f7b201a
12577Author: jsing@openbsd.org <jsing@openbsd.org>
12578Date: Wed Feb 14 16:27:24 2018 +0000
12579
12580 upstream: Ensure that D mod (P-1) and D mod (Q-1) are calculated in
12581
12582 constant time.
12583
12584 This avoids a potential side channel timing leak.
12585
12586 ok djm@ markus@
12587
12588 OpenBSD-Commit-ID: 71ff3c16be03290e63d8edab8fac053d8a82968c
12589
12590commit 4270efad7048535b4f250f493d70f9acfb201593
12591Author: jsing@openbsd.org <jsing@openbsd.org>
12592Date: Wed Feb 14 16:03:32 2018 +0000
12593
12594 upstream: Some obvious freezero() conversions.
12595
12596 This also zeros an ed25519_pk when it was not being zeroed previously.
12597
12598 ok djm@ dtucker@
12599
12600 OpenBSD-Commit-ID: 5c196a3c85c23ac0bd9b11bcadaedd90b7a2ce82
12601
12602commit affa6ba67ffccc30b85d6e98f36eb5afd9386882
12603Author: Darren Tucker <dtucker@dtucker.net>
12604Date: Thu Feb 15 22:32:04 2018 +1100
12605
12606 Remove execute bit from modpipe.c.
12607
12608commit 9879dca438526ae6dfd656fecb26b0558c29c731
12609Author: Darren Tucker <dtucker@dtucker.net>
12610Date: Thu Feb 15 22:26:16 2018 +1100
12611
12612 Update prngd link to point to sourceforge.
12613
12614commit b6973fa5152b1a0bafd2417b7c3ad96f6e87d014
12615Author: Darren Tucker <dtucker@dtucker.net>
12616Date: Thu Feb 15 22:22:38 2018 +1100
12617
12618 Remove references to UNICOS.
12619
12620commit f1ca487940449f0b64f38f1da575078257609966
12621Author: Darren Tucker <dtucker@dtucker.net>
12622Date: Thu Feb 15 22:18:37 2018 +1100
12623
12624 Remove extra newline.
12625
12626commit 6d4e980f3cf27f409489cf89cd46c21501b13731
12627Author: Darren Tucker <dtucker@dtucker.net>
12628Date: Thu Feb 15 22:16:54 2018 +1100
12629
12630 OpenSSH's builtin entropy gathering is long gone.
12631
12632commit 389125b25d1a1d7f22e907463b7e8eca74af79ea
12633Author: Darren Tucker <dtucker@dtucker.net>
12634Date: Thu Feb 15 21:43:01 2018 +1100
12635
12636 Replace remaining mysignal() with signal().
12637
12638 These seem to have been missed during the replacement of mysignal
12639 with #define signal in commit 5ade9ab. Both include the requisite
12640 headers to pick up the #define.
12641
12642commit 265d88d4e61e352de6791733c8b29fa3d7d0c26d
12643Author: Darren Tucker <dtucker@dtucker.net>
12644Date: Thu Feb 15 20:06:19 2018 +1100
12645
12646 Remove remaining now-obsolete cvs $Ids.
12647
12648commit 015749e9b1d2f6e14733466d19ba72f014d0845c
12649Author: Darren Tucker <dtucker@dtucker.net>
12650Date: Thu Feb 15 17:01:54 2018 +1100
12651
12652 Regenerate dependencies after UNICOS removal.
12653
12654commit ddc0f3814881ea279a6b6d4d98e03afc60ae1ed7
12655Author: Darren Tucker <dtucker@dtucker.net>
12656Date: Tue Feb 13 09:10:46 2018 +1100
12657
12658 Remove UNICOS support.
12659
12660 The code required to support it is quite invasive to the mainline
12661 code that is synced with upstream and is an ongoing maintenance burden.
12662 Both the hardware and software are literal museum pieces these days and
12663 we could not find anyone still running OpenSSH on one.
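Review bot: the patch credit is spelled two ways in this region, "klausz at haus-gisela.de" in the ce066f688dc1 entry (Add headers for sys/audit.h) and "klauszh at haus-gisela.de" in the f8338428588f entry (Remove now-unused check for getrusage), so one of the two is a typo. This file comes in unchanged from the upstream tarball, so the lines should stay as they are in this import and the discrepancy is better raised upstream. The 389125b25d1a entry also cites "commit 5ade9ab" by a seven-character prefix while every entry header carries the full hash; a full hash there would stay unambiguous for readers of the tarball who have no repository to resolve it against.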