fix merge conflict

This commit is contained in:
Tess Gauthier 2024-03-11 11:46:39 -04:00
commit 0d44bc9b49
12 changed files with 109 additions and 64 deletions

View File

@ -59,17 +59,18 @@ jobs:
- { target: ubuntu-latest, config: libressl-3.5.3 } - { target: ubuntu-latest, config: libressl-3.5.3 }
- { target: ubuntu-latest, config: libressl-3.6.1 } - { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.2 } - { target: ubuntu-latest, config: libressl-3.7.2 }
- { target: ubuntu-latest, config: libressl-3.8.2 } - { target: ubuntu-latest, config: libressl-3.8.3 }
- { target: ubuntu-latest, config: libressl-3.9.0 }
- { target: ubuntu-latest, config: openssl-master } - { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec } - { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.1.1 } - { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1t } - { target: ubuntu-latest, config: openssl-1.1.1t }
- { target: ubuntu-latest, config: openssl-1.1.1w } - { target: ubuntu-latest, config: openssl-1.1.1w }
- { target: ubuntu-latest, config: openssl-3.0.0 } - { target: ubuntu-latest, config: openssl-3.0.0 }
- { target: ubuntu-latest, config: openssl-3.0.12 } - { target: ubuntu-latest, config: openssl-3.0.13 }
- { target: ubuntu-latest, config: openssl-3.1.0 } - { target: ubuntu-latest, config: openssl-3.1.0 }
- { target: ubuntu-latest, config: openssl-3.1.4 } - { target: ubuntu-latest, config: openssl-3.1.5 }
- { target: ubuntu-latest, config: openssl-3.2.0 } - { target: ubuntu-latest, config: openssl-3.2.1 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable } - { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch - { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-latest, config: openssl-3.2 } # stable branch - { target: ubuntu-latest, config: openssl-3.2 } # stable branch

2
README
View File

@ -1,4 +1,4 @@
See https://www.openssh.com/releasenotes.html#9.6p1 for the release See https://www.openssh.com/releasenotes.html#9.7p1 for the release
notes. notes.
Please read https://www.openssh.com/report.html for bug reporting Please read https://www.openssh.com/report.html for bug reporting

View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.436 2024/01/09 22:19:00 djm Exp $ */ /* $OpenBSD: channels.c,v 1.437 2024/03/06 02:59:59 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -3254,9 +3254,8 @@ channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
goto out; goto out;
} }
/* Record that connection to this host/port is permitted. */ /* Record that connection to this host/port is permitted. */
permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1, permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>",
listen_host, NULL, (int)listen_port, downstream); -1, listen_host, NULL, (int)listen_port, downstream);
listen_host = NULL;
break; break;
case SSH2_MSG_CHANNEL_CLOSE: case SSH2_MSG_CHANNEL_CLOSE:
if (have < 4) if (have < 4)

View File

@ -149,6 +149,7 @@ fi
use_stack_protector=1 use_stack_protector=1
use_toolchain_hardening=1 use_toolchain_hardening=1
use_retpoline=1
AC_ARG_WITH([stackprotect], AC_ARG_WITH([stackprotect],
[ --without-stackprotect Don't use compiler's stack protection], [ [ --without-stackprotect Don't use compiler's stack protection], [
if test "x$withval" = "xno"; then if test "x$withval" = "xno"; then
@ -159,6 +160,11 @@ AC_ARG_WITH([hardening],
if test "x$withval" = "xno"; then if test "x$withval" = "xno"; then
use_toolchain_hardening=0 use_toolchain_hardening=0
fi ]) fi ])
AC_ARG_WITH([retpoline],
[ --without-retpoline Enable retpoline spectre mitigation], [
if test "x$withval" = "xno"; then
use_retpoline=0
fi ])
# We use -Werror for the tests only so that we catch warnings like "this is # We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE. # on by default" for things like -fPIE.
@ -216,8 +222,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical]) OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
if test "x$use_toolchain_hardening" = "x1"; then if test "x$use_toolchain_hardening" = "x1"; then
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
@ -240,6 +244,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
esac esac
OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero]) OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
fi fi
if test "x$use_retpoline" = "x1"; then
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
fi
AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset]) AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
saved_CFLAGS="$CFLAGS" saved_CFLAGS="$CFLAGS"
@ -2735,7 +2743,15 @@ AC_ARG_WITH([ssl-dir],
else else
CPPFLAGS="-I${withval} ${CPPFLAGS}" CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi fi
openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps" dnl Ensure specified openssl binary works, eg it can
dnl find its runtime libraries, before trying to use.
if test -x "${withval}/bin/openssl" && \
"${withval}/bin/openssl" version >/dev/null 2>&1; then
openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
elif test -x "${withval}/apps/openssl" && \
"${withval}/apps/openssl" version >/dev/null 2>&1; then
openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
fi
fi fi
] ]
) )

View File

@ -1,4 +1,4 @@
%global ver 9.6p1 %global ver 9.7p1
%global rel 1%{?dist} %global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID # OpenSSH privilege separation requires a user & group ID

View File

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh Name: openssh
Version: 9.6p1 Version: 9.7p1
URL: https://www.openssh.com/ URL: https://www.openssh.com/
Release: 1 Release: 1
Source0: openssh-%{version}.tar.gz Source0: openssh-%{version}.tar.gz

View File

@ -156,31 +156,40 @@ TEST_SSH_SSHKEYGEN?=ssh-keygen
CPPFLAGS=-I.. CPPFLAGS=-I..
t1: t1:
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv ; \
awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv ; \
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
fi
t2: t2:
cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
chmod 600 $(OBJ)/t2.out cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out ; \
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub chmod 600 $(OBJ)/t2.out ; \
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub ; \
fi
t3: t3:
${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out ; \
${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub ; \
fi
t4: t4:
${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
awk '{print $$2}' | diff - ${.CURDIR}/t4.ok ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t4.ok ; \
fi
t5: t5:
${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
awk '{print $$2}' | diff - ${.CURDIR}/t5.ok ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t5.ok ; \
fi
t6: t6:
set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 ; \ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 ; \
chmod 600 $(OBJ)/t6.out1 ; \ chmod 600 $(OBJ)/t6.out1 ; \
@ -188,19 +197,23 @@ t6:
fi fi
$(OBJ)/t7.out: $(OBJ)/t7.out:
${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ ; \
fi
t7: $(OBJ)/t7.out t7: $(OBJ)/t7.out
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null ; \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null ; \
fi
$(OBJ)/t8.out: $(OBJ)/t8.out:
set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \ ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \
fi fi
t8: $(OBJ)/t8.out t8: $(OBJ)/t8.out
set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \
fi fi
@ -224,8 +237,10 @@ t10: $(OBJ)/t10.out
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
t11: t11:
${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ; \
fi
$(OBJ)/t12.out: $(OBJ)/t12.out:
${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $@ ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $@

View File

@ -1,4 +1,4 @@
# $OpenBSD: dynamic-forward.sh,v 1.15 2023/01/06 08:50:33 dtucker Exp $ # $OpenBSD: dynamic-forward.sh,v 1.17 2024/03/08 11:34:10 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="dynamic forwarding" tid="dynamic forwarding"
@ -26,6 +26,7 @@ start_ssh() {
arg="$2" arg="$2"
n=0 n=0
error="1" error="1"
# Use a multiplexed ssh so we can control its lifecycle.
trace "start dynamic -$direction forwarding, fork to background" trace "start dynamic -$direction forwarding, fork to background"
(cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config
${REAL_SSH} -vvvnNfF $OBJ/ssh_config -E$TEST_SSH_LOGFILE \ ${REAL_SSH} -vvvnNfF $OBJ/ssh_config -E$TEST_SSH_LOGFILE \
@ -62,9 +63,9 @@ check_socks() {
for s in 4 5; do for s in 4 5; do
for h in 127.0.0.1 localhost; do for h in 127.0.0.1 localhost; do
trace "testing ssh socks version $s host $h (-$direction)" trace "testing ssh socks version $s host $h (-$direction)"
${REAL_SSH} -q -F $OBJ/ssh_config \ ${REAL_SSH} -q -F $OBJ/ssh_config -o \
-o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \ "ProxyCommand ${TEST_SHELL} -c '${proxycmd}${s} $h $PORT 2>/dev/null'" \
somehost cat ${DATA} > ${COPY} somehost cat ${DATA} > ${COPY}
r=$? r=$?
if [ "x$expect_success" = "xY" ] ; then if [ "x$expect_success" = "xY" ] ; then
if [ $r -ne 0 ] ; then if [ $r -ne 0 ] ; then

View File

@ -1,4 +1,4 @@
# $OpenBSD: test-exec.sh,v 1.107 2024/02/19 09:25:52 dtucker Exp $ # $OpenBSD: test-exec.sh,v 1.108 2024/03/08 11:34:10 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
#SUDO=sudo #SUDO=sudo
@ -110,6 +110,9 @@ DBCLIENT=/usr/local/bin/dbclient
DROPBEARKEY=/usr/local/bin/dropbearkey DROPBEARKEY=/usr/local/bin/dropbearkey
DROPBEARCONVERT=/usr/local/bin/dropbearconvert DROPBEARCONVERT=/usr/local/bin/dropbearconvert
# So we can override this in Portable.
TEST_SHELL="${TEST_SHELL:-/bin/sh}"
# Tools used by multiple tests # Tools used by multiple tests
NC=$OBJ/netcat NC=$OBJ/netcat
# Always use the one configure tells us to, even if that's empty. # Always use the one configure tells us to, even if that's empty.

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.304 2023/12/18 15:58:56 djm Exp $ */ /* $OpenBSD: ssh-agent.c,v 1.306 2024/03/09 05:12:13 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -162,6 +162,8 @@ int max_fd = 0;
pid_t parent_pid = -1; pid_t parent_pid = -1;
time_t parent_alive_interval = 0; time_t parent_alive_interval = 0;
sig_atomic_t signalled = 0;
/* pid of process for which cleanup_socket is applicable */ /* pid of process for which cleanup_socket is applicable */
pid_t cleanup_pid = 0; pid_t cleanup_pid = 0;
@ -250,6 +252,7 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
free(dcs); free(dcs);
} }
#ifdef ENABLE_PKCS11
static void static void
dup_dest_constraint_hop(const struct dest_constraint_hop *dch, dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
struct dest_constraint_hop *out) struct dest_constraint_hop *out)
@ -289,6 +292,7 @@ dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
} }
return ret; return ret;
} }
#endif /* ENABLE_PKCS11 */
#ifdef DEBUG_CONSTRAINTS #ifdef DEBUG_CONSTRAINTS
static void static void
@ -1522,6 +1526,7 @@ no_identities(SocketEntry *e)
sshbuf_free(msg); sshbuf_free(msg);
} }
#ifdef ENABLE_PKCS11
/* Add an identity to idlist; takes ownership of 'key' and 'comment' */ /* Add an identity to idlist; takes ownership of 'key' and 'comment' */
static void static void
add_p11_identity(struct sshkey *key, char *comment, const char *provider, add_p11_identity(struct sshkey *key, char *comment, const char *provider,
@ -1548,7 +1553,6 @@ add_p11_identity(struct sshkey *key, char *comment, const char *provider,
idtab->nentries++; idtab->nentries++;
} }
#ifdef ENABLE_PKCS11
static void static void
process_add_smartcard_key(SocketEntry *e) process_add_smartcard_key(SocketEntry *e)
{ {
@ -2060,7 +2064,7 @@ after_poll(struct pollfd *pfd, size_t npfd, u_int maxfds)
} }
static int static int
prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp, u_int maxfds) prepare_poll(struct pollfd **pfdp, size_t *npfdp, struct timespec *timeoutp, u_int maxfds)
{ {
struct pollfd *pfd = *pfdp; struct pollfd *pfd = *pfdp;
size_t i, j, npfd = 0; size_t i, j, npfd = 0;
@ -2126,14 +2130,8 @@ prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp, u_int maxfds)
if (parent_alive_interval != 0) if (parent_alive_interval != 0)
deadline = (deadline == 0) ? parent_alive_interval : deadline = (deadline == 0) ? parent_alive_interval :
MINIMUM(deadline, parent_alive_interval); MINIMUM(deadline, parent_alive_interval);
if (deadline == 0) { if (deadline != 0)
*timeoutp = -1; /* INFTIM */ ptimeout_deadline_sec(timeoutp, deadline);
} else {
if (deadline > INT_MAX / 1000)
*timeoutp = INT_MAX / 1000;
else
*timeoutp = deadline * 1000;
}
return (1); return (1);
} }
@ -2153,17 +2151,16 @@ void
cleanup_exit(int i) cleanup_exit(int i)
{ {
cleanup_socket(); cleanup_socket();
#ifdef ENABLE_PKCS11
pkcs11_terminate();
#endif
_exit(i); _exit(i);
} }
static void static void
cleanup_handler(int sig) cleanup_handler(int sig)
{ {
cleanup_socket(); signalled = sig;
#ifdef ENABLE_PKCS11
pkcs11_terminate();
#endif
_exit(2);
} }
static void static void
@ -2207,10 +2204,11 @@ main(int ac, char **av)
char pidstrbuf[1 + 3 * sizeof pid]; char pidstrbuf[1 + 3 * sizeof pid];
size_t len; size_t len;
mode_t prev_mask; mode_t prev_mask;
int timeout = -1; /* INFTIM */ struct timespec timeout;
struct pollfd *pfd = NULL; struct pollfd *pfd = NULL;
size_t npfd = 0; size_t npfd = 0;
u_int maxfds; u_int maxfds;
sigset_t nsigset, osigset;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd(); sanitise_stdfd();
@ -2446,13 +2444,25 @@ skip:
ssh_signal(SIGHUP, cleanup_handler); ssh_signal(SIGHUP, cleanup_handler);
ssh_signal(SIGTERM, cleanup_handler); ssh_signal(SIGTERM, cleanup_handler);
sigemptyset(&nsigset);
sigaddset(&nsigset, SIGINT);
sigaddset(&nsigset, SIGHUP);
sigaddset(&nsigset, SIGTERM);
if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno)); fatal("%s: pledge: %s", __progname, strerror(errno));
platform_pledge_agent(); platform_pledge_agent();
while (1) { while (1) {
sigprocmask(SIG_BLOCK, &nsigset, &osigset);
if (signalled != 0) {
logit("exiting on signal %d", (int)signalled);
cleanup_exit(2);
}
ptimeout_init(&timeout);
prepare_poll(&pfd, &npfd, &timeout, maxfds); prepare_poll(&pfd, &npfd, &timeout, maxfds);
result = poll(pfd, npfd, timeout); result = ppoll(pfd, npfd, ptimeout_get_tsp(&timeout), &osigset);
sigprocmask(SIG_SETMASK, &osigset, NULL);
saved_errno = errno; saved_errno = errno;
if (parent_alive_interval != 0) if (parent_alive_interval != 0)
check_parent_exists(); check_parent_exists();

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshsig.c,v 1.34 2023/12/08 09:18:39 markus Exp $ */ /* $OpenBSD: sshsig.c,v 1.35 2024/03/08 22:16:32 djm Exp $ */
/* /*
* Copyright (c) 2019 Google LLC * Copyright (c) 2019 Google LLC
* *
@ -779,7 +779,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
*keyp = NULL; *keyp = NULL;
cp = line; cp = line;
cp = cp + strspn(cp, " \t"); /* skip leading whitespace */ cp = cp + strspn(cp, " \t\n\r"); /* skip leading whitespace */
if (*cp == '#' || *cp == '\0') if (*cp == '#' || *cp == '\0')
return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */ return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */

View File

@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.100 2023/12/18 14:48:44 djm Exp $ */ /* $OpenBSD: version.h,v 1.101 2024/03/11 04:59:47 djm Exp $ */
#define SSH_VERSION "OpenSSH_for_Windows_9.6" #define SSH_VERSION "OpenSSH_for_Windows_9.7"
#define SSH_PORTABLE "p1" #define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE #define SSH_RELEASE SSH_VERSION SSH_PORTABLE