summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-06-19upstream: Test that ssh-agent exits when running as as subprocessdtucker@openbsd.org
of a specified command (ie "ssh-agent command"). Would have caught bz#3181. OpenBSD-Regress-ID: 895b4765ba5153eefaea3160a7fe08ac0b6db8b3
2020-06-19upstream: run sshsig unit testsdjm@openbsd.org
OpenBSD-Regress-ID: 706ef17e2b545b64873626e0e35553da7c06052a
2020-06-19upstream: basic unit test for sshsig.[ch], including FIDO keysdjm@openbsd.org
verification only so far OpenBSD-Regress-ID: fb1f946c8fc59206bc6a6666e577b5d5d7e45896
2020-06-19upstream: basic unit test for FIDO kep parsingdjm@openbsd.org
OpenBSD-Regress-ID: 8089b88393dd916d7c95422b442a6fd4cfe00c82
2020-06-19upstream: check public host key matches private; ok markus@ (asdjm@openbsd.org
part of previous diff) OpenBSD-Commit-ID: 65a4f66436028748b59fb88b264cb8c94ce2ba63
2020-06-19upstream: avoid spurious "Unable to load host key" message whendjm@openbsd.org
sshd can load a private key but no public counterpart; with & ok markus@ OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
2020-06-12upstream: correct RFC number; from HARUYAMA Seigo via GH PR191djm@openbsd.org
OpenBSD-Commit-ID: 8d03b6c96ca98bfbc23d3754c3c33e1fe0852e10
2020-06-05upstream: unbreak "sshd -ddd" - close of config passing fd happened toodjm@openbsd.org
early. ok markus@ OpenBSD-Commit-ID: 49346e945c6447aca3e904e65fc400128d2f8ed0
2020-06-05Add support for AUDIT_ARCH_RISCV64Andreas Schwab
2020-06-05upstream: make sshbuf_putb(b, NULL) a no-opdjm@openbsd.org
OpenBSD-Commit-ID: 976fdc99b500e347023d430df372f31c1dd128f7
2020-06-05upstream: make sshbuf_dump() args constdjm@openbsd.org
OpenBSD-Commit-ID: b4a5accae750875d665b862504169769bcf663bd
2020-06-05upstream: wrap long linedjm@openbsd.org
OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2
2020-06-05upstream: Correct historical comment: provos@ modified OpenSSH todtucker@openbsd.org
work with SSLeay (very quickly replaced by OpenSSL) not SSL in general. ok deraadt, historical context markus@ OpenBSD-Commit-ID: 7209e07a2984b50411ed8ca5a4932da5030d2b90
2020-06-05upstream: Import regenerated moduli file.dtucker@openbsd.org
OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54
2020-06-05Test fallthrough in OSSH_CHECK_CFLAG_COMPILE.Darren Tucker
clang 10's -Wimplicit-fallthrough does not understand /* FALLTHROUGH */ comments and we don't use the __attribute__((fallthrough)) that it's looking for. This has the effect of turning off -Wimplicit-fallthrough where it does not currently help (particularly with -Werror). ok djm@
2020-06-04upstream: Import regenerated moduli file.dtucker@openbsd.org
OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54
2020-06-04upstream: Remove now-unused proto_spec and associated definitions.dtucker@openbsd.org
ok djm@ OpenBSD-Commit-ID: 2e2b18e3aa6ee22a7b69c39f2d3bd679ec35c362
2020-05-30upstream: Fix error message on close(2) and add printf formatmillert@openbsd.org
attributes. From Christos Zoulas, OK markus@ OpenBSD-Commit-ID: 41523c999a9e3561fcc7082fd38ea2e0629ee07e
2020-05-29upstream: Make dollar_expand variadic and pass a real va_list todtucker@openbsd.org
vdollar_percent_expand. Fixes build error on arm64 spotted by otto@. OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a20f3d068a7279
2020-05-29Omit ToS setting if we don't have IPV6_TCLASS too.Darren Tucker
Fixes tests on old BSDs.
2020-05-29upstream: Pass a NULL instead of zeroed out va_list fromdtucker@openbsd.org
dollar_expand. The original intent was in case there's some platform where va_list is not a pointer equivalent, but on i386 this chokes on the memset. This unbreaks that build, but will require further consideration. OpenBSD-Commit-ID: 7b90afcd8e1137a1d863204060052aef415baaf7
2020-05-29upstream: remove a stray .El;jmc@openbsd.org
OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c
2020-05-29upstream: Add regression and unit tests for ${ENV} styledtucker@openbsd.org
environment variable expansion in various keywords (bz#3140). ok djm@ OpenBSD-Regress-ID: 4d9ceb95d89365b7b674bc26cf064c15a5bbb197
2020-05-29upstream: Unit test for convtime. ok djm@dtucker@openbsd.org
OpenBSD-Regress-ID: cec4239efa2fc4c7062064f07a847e1cbdbcd5dd
2020-05-29upstream: mention that wildcards are processed in lexical order;djm@openbsd.org
bz#3165 OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
2020-05-29upstream: Allow some keywords to expand shell-style ${ENV}dtucker@openbsd.org
environment variables on the client side. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. This would for example allow forwarding of Unix domain socket paths that change at runtime. bz#3140, ok djm@ OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
2020-05-29dependDamien Miller
2020-05-29partial sync of regress/netcat.c with upstreamsobrado
synchronize synopsis and usage.
2020-05-29partial sync of regress/netcat.c with upstreamchl
remove unused variable ok tedu@
2020-05-29partial sync of regress/netcat.c with upstreamtobias
The code in socks.c writes multiple times in a row to a socket. If the socket becomes invalid between these calls (e.g. connection closed), write will throw SIGPIPE. With this patch, SIGPIPE is ignored so we can handle write's -1 return value (errno will be EPIPE). Ultimately, it leads to program exit, too -- but with nicer error message. :) with input by and ok djm
2020-05-29partial sync of regress/netcat.c with upstreamtobias
Check for short writes in fdpass(). Clean up while at it. ok djm
2020-05-29partial sync of regress/netcat.c with upstreamjca
Support for nc -T on IPv6 addresses. ok sthen@
2020-05-29upstream: fix compilation on !HAVE_DLOPEN platforms; stub functiondjm@openbsd.org
was not updated to match API change. From Dale Rahn via beck@ ok markus@ OpenBSD-Commit-ID: 2b8d054afe34c9ac85e417dae702ef981917b836
2020-05-29upstream: fix exit status for downloading of FIDO resident keys;djm@openbsd.org
from Pedro Martelletto, ok markus@ OpenBSD-Commit-ID: 0da77dc24a1084798eedd83c39a002a9d231faef
2020-05-29upstream: Fix multiplier in convtime when handling seconds afterdtucker@openbsd.org
other units. bz#3171, spotted by ronf at timeheart.net, ok djm@. OpenBSD-Commit-ID: 95b7a848e1083974a65fbb6ccb381d438e1dd5be
2020-05-28upstream: fix Include before Match in sshd_config; bz#3122 patchdjm@openbsd.org
from Jakub Jelen OpenBSD-Commit-ID: 1b0aaf135fe6732b5d326946042665dd3beba5f4
2020-05-28upstream: Do not call process_queued_listen_addrs() for everydjm@openbsd.org
included file from sshd_config; patch from Jakub Jelen OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
2020-05-28upstream: fix crash in recallocarray when deleting SendEnvdjm@openbsd.org
variables; spotted by & ok sthen@ OpenBSD-Commit-ID: b881e8e849edeec5082b5c0a87d8d7cff091a8fd
2020-05-28upstream: two new tests for Include in sshd_config, checking whetherdjm@openbsd.org
Port directives are processed correctly and handling of Include directives that appear before Match. Both tests currently fail. bz#3122 and bz#3169 - patch from Jakub Jelen OpenBSD-Regress-ID: 8ad5a4a385a63f0a1c59c59c763ff029b45715df
2020-05-27Document that libfido2 >= 1.4.0 is needed.Darren Tucker
2020-05-27upstream: fix memleak of signature; from Pedro Martellettodjm@openbsd.org
OpenBSD-Commit-ID: d0a6eb07e77c001427d738b220dd024ddc64b2bb
2020-05-27upstream: Restrict ssh-agent from signing web challenges for FIDOdjm@openbsd.org
keys. When signing messages in ssh-agent using a FIDO key that has an application string that does not start with "ssh:", ensure that the message being signed is one of the forms expected for the SSH protocol (currently pubkey authentication and sshsig signatures). This prevents ssh-agent forwarding on a host that has FIDO keys attached granting the ability for the remote side to sign challenges for web authentication using those keys too. Note that the converse case of web browsers signing SSH challenges is already precluded because no web RP can have the "ssh:" prefix in the application string that we require. ok markus@ OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
2020-05-27upstream: improve logging for MaxStartups connection throttling:djm@openbsd.org
have sshd log when it starts and stops throttling and periodically while in this state. bz#3055 ok markus@ OpenBSD-Commit-ID: 2e07a09a62ab45d790d3d2d714f8cc09a9ac7ab9
2020-05-27upstream: add fmt_timeframe() (from bgpd) to format a timedjm@openbsd.org
interval in a human- friendly format. Switch copyright for this file from BSD to MIT to make it easier to add Henning's copyright for this function. ok markus@ OpenBSD-Commit-ID: 414a831c662df7e68893e5233e86f2cac081ccf9
2020-05-27upstream: avoid possible NULL deref; from Pedro Martellettodjm@openbsd.org
OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721
2020-05-27upstream: sshd listener must not block if reexecd sshd exitsmarkus@openbsd.org
in write(2) on config_s[0] if the forked child exits early before finishing recv_rexec_state (e.g. with fatal()) because config_s[1] stays open in the parent. this prevents the parent from accepting new connections. ok djm, deraadt OpenBSD-Commit-ID: 92ccfeb939ccd55bda914dc3fe84582158c4a9ef
2020-05-27upstream: fix off-by-one error that caused sftp downloads to makedjm@openbsd.org
one more concurrent request that desired. This prevented using sftp(1) in unpipelined request/response mode, which is useful when debugging. Patch from Stephen Goetze in bz#3054 OpenBSD-Commit-ID: 41b394ebe57037dbc43bdd0eef21ff0511191f28
2020-05-27upstream: we are still aiming for pre-C99 ...deraadt@openbsd.org
OpenBSD-Commit-ID: a240fc9cbe60bc4e6c3d24d022eb4ab01fe1cb38
2020-05-27upstream: Enable credProtect extension when generating a residentdjm@openbsd.org
key. The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect" feature to better protect resident keys. This option allows (amone other possibilities) requiring a PIN prior to all operations that may retrieve the key handle. Patch by Pedro Martelletto; ok djm and markus OpenBSD-Commit-ID: 013bc06a577dcaa66be3913b7f183eb8cad87e73
2020-05-27upstream: always call fido_init(); previous behaviour only calleddjm@openbsd.org
fido_init() when SK_DEBUG was defined. Harmless with current libfido2, but this isn't guaranteed in the future. OpenBSD-Commit-ID: c7ea20ff2bcd98dd12015d748d3672d4f01f0864