Darren Tucker
adb0ea006d
Correct value for IPTOS_DSCP_LE.
It needs to allow for the preceding two ECN bits. From daisuke.higashi
at gmail.com via OpenSSH bz#3373, ok claudio@, job@, djm@.
2021-12-15 10:50:33 +11:00
Darren Tucker
3dafd3fe22
Increase timeout for test step.
2021-12-11 08:43:41 +11:00
Darren Tucker
5aefb05cd5
Update the list of tests that don't work on Minix.
While there, remove CC (configure will now find clang) and make the test
list easier to update via cut and paste.
2021-12-10 10:27:27 +11:00
Darren Tucker
1c09bb1b2e
Add minix host tuple.
Define SETEUID_BREAKS_SETUID for it which should make privsep work.
2021-12-10 10:12:57 +11:00
jsg@openbsd.org
a218857903
upstream: fix unintended sizeof pointer in debug path ok markus@
OpenBSD-Commit-ID: b9c0481ffc0cd801e0840e342e6a282a85aac93c
2021-12-07 12:30:50 +11:00
naddy@openbsd.org
da40355234
upstream: RSA/SHA-1 is not used by default anymore on the server
OpenBSD-Commit-ID: 64abef6cfc3e53088225f6b8a1dcd86d52dc8353
2021-12-07 12:30:50 +11:00
djm@openbsd.org
e9c71498a0
upstream: hash full host:port when asked to hash output, fixes hashes
for non-default ports. bz3367 ok dtucker@
OpenBSD-Commit-ID: 096021cc847da7318ac408742f2d0813ebe9aa73
2021-12-03 11:30:30 +11:00
djm@openbsd.org
b560120214
upstream: improve the testing of credentials against inserted FIDO
keys a little more: ask the token whether a particular key belongs to it in
cases where the token supports on-token user-verification (e.g. biometrics)
rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.
Motivated by bz3366; by Pedro Martelletto
OpenBSD-Commit-ID: ffac7f3215842397800e1ae2e20229671a55a63d
2021-12-03 10:27:40 +11:00
djm@openbsd.org
ca709e27c4
upstream: move check_sk_options() up so we can use it earlier
OpenBSD-Commit-ID: 67fe98ba1c846d22035279782c4664c1865763b4
2021-12-03 10:27:40 +11:00
dtucker@openbsd.org
b711bc01a7
upstream: ssh-rsa is no longer in the default for
PubkeyAcceptedAlgorithms.
OpenBSD-Commit-ID: 34a9e1bc30966fdcc922934ae00f09f2596cd73c
2021-12-03 10:27:40 +11:00
djm@openbsd.org
dc91ceea33
upstream: don't put the tty into raw mode when SessionType=none, avoids
^c being unable to kill such a session. bz3360; ok dtucker@
OpenBSD-Commit-ID: 83960c433052303b643b4c380ae2f799ac896f65
2021-12-02 13:57:50 +11:00
Damien Miller
e6e7d2654a
previous commit broke bcrypt_pbkdf()
Accidentally reverted part of the conversion to use SHA512 from SUPERCOP
instead of OpenBSD-style libc SHA512.
2021-11-29 14:11:51 +11:00
Darren Tucker
c0459588b8
Fix typo in Neils' name.
2021-11-29 14:03:19 +11:00
Damien Miller
158bf854e2
sync bcrypt-related files with OpenBSD
The main change is that Niels Provos kindly agreed to rescind the
BSD license advertising clause, shifting them to the 3-term BSD
license.
This was the last thing in OpenSSH that used the advertising clause.
2021-11-29 12:30:22 +11:00
Damien Miller
e8976d92a4
depend
2021-11-29 12:29:29 +11:00
djm@openbsd.org
8249afeec0
upstream: sshsig: return "key not found" when searching empty files
rather than "internal error"
OpenBSD-Commit-ID: e2ccae554c78d7a7cd33fc5d217f35be7e2507ed
2021-11-28 18:28:08 +11:00
djm@openbsd.org
9e3227d4db
upstream: ssh-keygen -Y match-principals doesn't accept any -O
options at present, so don't say otherwise in SYNOPSIS; spotted jmc@
OpenBSD-Commit-ID: 9cc43a18f4091010741930b48b3db2f2e4f1d35c
2021-11-28 18:28:08 +11:00
djm@openbsd.org
56db1f4a4c
upstream: fix indenting in last commit
OpenBSD-Commit-ID: 8b9ba989815d0dec1fdf5427a4a4b58eb9cac4d2
2021-11-28 18:28:08 +11:00
djm@openbsd.org
50bea24a9a
upstream: missing initialisation for oerrno
OpenBSD-Commit-ID: 05d646bba238080259bec821c831a6f0b48d2a95
2021-11-28 18:28:08 +11:00
Darren Tucker
5a0f461904
Correct ifdef to activate poll() only if needed.
2021-11-28 15:31:37 +11:00
djm@openbsd.org
d4035c81a7
upstream: whitespace
OpenBSD-Regress-ID: b9511d41568056bda489e13524390167889908f8
2021-11-27 18:25:23 +11:00
djm@openbsd.org
a443491e67
upstream: regression test for match-principals. Mostly by Fabian
Stelzer
OpenBSD-Regress-ID: ced0bec89af90935103438986bbbc4ad1df9cfa7
2021-11-27 18:22:47 +11:00
djm@openbsd.org
78230b3ec8
upstream: Add ssh-keygen -Y match-principals operation to perform
matching of principals names against an allowed signers file.
Requested by and mostly written by Fabian Stelzer, towards a TOFU
model for SSH signatures in git. Some tweaks by me.
"doesn't bother me" deraadt@
OpenBSD-Commit-ID: 8d1b71f5a4127bc5e10a880c8ea6053394465247
2021-11-27 18:22:41 +11:00
djm@openbsd.org
15db86611b
upstream: debug("func: ...") -> debug_f("...")
OpenBSD-Commit-ID: d58494dc05c985326a895adfbe16fbd5bcc54347
2021-11-27 18:22:41 +11:00
Darren Tucker
b7ffbb17e3
Allow for fd = -1 in compat ppoll overflow check.
Fixes tests on at least FreeBSD 6, possibly others.
2021-11-19 18:54:34 +11:00
Darren Tucker
04b172da5b
Don't auto-enable Capsicum sandbox on FreeBSD 9/10.
Since we changed from select() to ppoll(), tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
2021-11-19 16:11:39 +11:00
djm@openbsd.org
a823f39986
upstream: regression test for ssh-keygen -Y find-principals fix; from
Fabian Stelzer ok djm markus
OpenBSD-Regress-ID: 34fe4088854c1a2eb4c0c51cc4676ba24096bac4
2021-11-19 08:33:59 +11:00
djm@openbsd.org
199c4df66c
upstream: less confusing debug message; bz#3365
OpenBSD-Commit-ID: 836268d3642c2cdc84d39b98d65837f5241e4a50
2021-11-19 08:33:19 +11:00
djm@openbsd.org
97f9b6e613
upstream: avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we
already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries
that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364
OpenBSD-Commit-ID: 054d4dc1d6a99a2e6f8eebc48207b534057c154d
2021-11-19 08:12:57 +11:00
djm@openbsd.org
c74aa0eb73
upstream: ssh-keygen -Y find-principals was verifying key validity
when using ca certs but not with simple key lifetimes within the allowed
signers file.
Since it returns the first key's principal it finds this could
result in a principal with an expired key even though a valid
one is just below.
patch from Fabian Stelzer; feedback/ok djm markus
OpenBSD-Commit-ID: b108ed0a76b813226baf683ab468dc1cc79e0905
2021-11-19 08:12:51 +11:00
Darren Tucker
d902d728df
Correct calculation of tv_nsec in poll().
2021-11-18 23:44:07 +11:00
Darren Tucker
21dd5a9a3f
Add compat implementation of ppoll using pselect.
2021-11-18 23:11:37 +11:00
Darren Tucker
b544ce1ad4
Put poll.h inside ifdef HAVE_POLL_H.
2021-11-18 23:06:35 +11:00
djm@openbsd.org
875408270c
upstream: check for POLLHUP wherever we check for POLLIN
OpenBSD-Commit-ID: 6aa6f3ec6b17c3bd9bfec672a917f003a76d93e5
2021-11-18 14:32:54 +11:00
djm@openbsd.org
36b5e37030
upstream: fd leak in sshd listen loop error path; from Gleb
Smirnoff
OpenBSD-Commit-ID: a7a2be27a690a74bf2381bc16cea38e265657412
2021-11-18 14:11:38 +11:00
djm@openbsd.org
b99498d0c9
upstream: check for POLLHUP as well as POLLIN in sshd listen loop;
ok deraadt millert
OpenBSD-Commit-ID: a4f1244c5a9c2b08dac4f3b1dc22e9d1dc60c587
2021-11-18 14:11:38 +11:00
djm@openbsd.org
1f3055d788
upstream: check for POLLHUP as well as POLLIN, handle transient IO
errors as well as half-close on the output side; ok deraadt millert
OpenBSD-Commit-ID: de5c5b9939a37476d256328cbb96305bdecf511e
2021-11-18 14:11:38 +11:00
Damien Miller
9778a15fa6
adjust seccomp filter for select->poll conversion
Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.
2021-11-18 10:16:55 +11:00
Damien Miller
fcd8d895bb
update depends
2021-11-18 10:16:44 +11:00
Damien Miller
76292787a1
compat for timespecsub() and friends
2021-11-18 09:26:20 +11:00
djm@openbsd.org
fd7e7de4dd
upstream: set num_listen_socks to 0 on close-all instead of -1,
which interferes with the new poll()-based listen loop; spotted and debugged
by anton@+deraadt@
OpenBSD-Commit-ID: f7ab8ab124f615a2e0c45fee14c38d2f2abbabbd
2021-11-18 09:14:22 +11:00
deraadt@openbsd.org
fd9343579a
upstream: use ppoll() instead of pselect() with djm
OpenBSD-Commit-ID: 980f87c9564d5d2ad55722b7a6f44f21284cd215
2021-11-18 09:14:22 +11:00
deraadt@openbsd.org
092d29b232
upstream: match .events with .fd better
OpenBSD-Commit-ID: 77eef212ca0add905949532af390164489c5984b
2021-11-18 09:12:28 +11:00
deraadt@openbsd.org
8d642c9a90
upstream: convert select() to poll() ok djm
OpenBSD-Commit-ID: b53e4940ff10dd24f8d16e8db8ef1970015d7ead
2021-11-18 09:12:28 +11:00
deraadt@openbsd.org
6582a31c38
upstream: replace select() with ppoll(), including converting
timeval's to timespec's to make things easier. back and forth and ok; djm
OpenBSD-Commit-ID: 89d3b23c60875da919e7820f9de6213286ffbec9
2021-11-18 09:09:59 +11:00
deraadt@openbsd.org
7c025c0055
upstream: It really looks like pledge "stdio dns" is possible
earlier. Discussed with mestre
OpenBSD-Commit-ID: 610873de63a593e0ac7bbbcb7a0f2894d36f4c01
2021-11-18 08:59:38 +11:00
deraadt@openbsd.org
06acb04c20
upstream: aggressively pre-fill the pollfd array with fd=-1
OpenBSD-Commit-ID: c2a525de8f83c1a04405bd79122c424140552a5b
2021-11-18 08:58:54 +11:00
deraadt@openbsd.org
7eec76793d
upstream: Convert from select() to ppoll(). Along the way, I
observed that the select() code was using exceptfds incorrectly. ok millert
OpenBSD-Commit-ID: 548e05bfc31b2af02319eb3d051286d4128dec96
2021-11-18 08:58:54 +11:00
Darren Tucker
e665ed2d0c
Switch from LibreSSL 3.4.0 to 3.4.1.
The LibreSSL 3.4.0 release has an OPENBSD_BRANCH that points to
"master" and that branch no longer has the files LibreSSL expects
and thus it will no longer build, breaking the test.
2021-11-12 22:57:51 +11:00
djm@openbsd.org
21b6b5a06c
upstream: add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default
KEXAlgorithms list (after the ECDH methods but before the prime-group DH
ones).
ok markus@
OpenBSD-Commit-ID: 22b77e27a04e497a10e22f138107579652854210
2021-11-10 17:32:18 +11:00