Commit Graph

12350 Commits

Author SHA1 Message Date
Philip Hands cf84498f67
ssh-copy-id: add -x option (for debugging)
This option causes the ssh-copy-id to run with set -x

SSH-Copy-ID-Upstream: a0ee367ea8c0a29c8b4515245e408d2d349e7844
2023-05-25 18:24:32 +10:00
Philip Hands b4a1efdcb8
update copyright notices
SSH-Copy-ID-Upstream: c284ed33b361814ea48ff68cbd01ca525b2bf117
2023-05-25 18:24:25 +10:00
djm@openbsd.org fcd78e31cd
upstream: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears previously in configuration. Reported by John Meyers in bz3574 ok
dtucker@

OpenBSD-Commit-ID: 1c92e4517284386703936e1d3abaa36cfacf1951
2023-05-25 09:42:00 +10:00
dtucker@openbsd.org 5ec5504f1d
upstream: Remove unused prototypes for ssh1 RSA functions.
From lengyijun via github PR#396.

OpenBSD-Commit-ID: 379a5afa8b7a0f3cba0c8a9bcceb4e5e33a5c1ef
2023-05-10 20:40:48 +10:00
Darren Tucker fbf362b389
main(void) to prevent unused variable warning. 2023-05-09 19:26:56 +10:00
Darren Tucker baf854c8bb
Remove warning pragma since clang doesn't like it. 2023-05-09 19:25:45 +10:00
Darren Tucker 5fbb7a1349
Suppress warning for snprintf truncation test. 2023-05-09 17:13:33 +10:00
Darren Tucker 47742c513e
Update OpenSSL compat test for 3.x. 2023-05-09 17:12:50 +10:00
Darren Tucker 86ad25d455
Add macos13 PAM test target. 2023-05-08 20:23:08 +10:00
Darren Tucker 77cca2c4b1
Skip agent-peereid test on macos13.
sudo -S nobody doesn't work on the github runners (probably a
permission issue) so skip that test.
2023-05-08 20:14:46 +10:00
Darren Tucker b356b8e916
Include config.guess in debug output. 2023-05-08 20:14:28 +10:00
Darren Tucker b7afd8a4ec
Handle OpenSSL >=3 ABI compatibility.
Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only
major must match instead of major and minor in earlier versions).
bz#3548, ok djm@
2023-05-08 20:12:59 +10:00
dtucker@openbsd.org 0e9e2663eb
upstream: Import regenerated moduli.
OpenBSD-Commit-ID: 3d5f811cfcaed8cc4a97e1db49ac61bdf118113c
2023-05-01 19:13:18 +10:00
Darren Tucker d9687f4968
Add macos-13 test target.
Also flatten OS list for clarity.
2023-05-01 18:04:35 +10:00
djm@openbsd.org aacfd67674
upstream: adjust ftruncate() logic to handle servers that reorder
requests.

sftp/scp will ftruncate the destination file after a transfer completes,
to deal with the case where a longer destination file already existed.
We tracked the highest contiguous block transferred to deal with this
case, but our naive tracking doesn't deal with servers that reorder
requests - a misfeature strictly permitted by the protocol but seldom
implemented.

Adjust the logic to ftruncate() at the highest absolute block received
when the transfer is successful. feedback deraadt@ ok markus@

prompted by https://github.com/openssh/openssh-portable/commit/9b733#commitcomment-110679778

OpenBSD-Commit-ID: 4af7fac75958ad8507b4fea58706f3ff0cfddb1b
2023-05-01 08:56:04 +10:00
djm@openbsd.org c8eb394175
upstream: Check for ProxyJump=none in CanonicalizeHostname logic.
Previously ssh would incorrectly refuse to canonicalise the hostname
if ProxyJump was explicitly set to "none" when CanonicalizeHostname=yes

bz3567; ok dtucker

OpenBSD-Commit-ID: 80a58e43c3a32f97361282f756ec8d3f37989efd
2023-04-26 14:38:21 +10:00
jsg@openbsd.org ac383f3a5c
upstream: remove duplicate signal.h include
OpenBSD-Commit-ID: 30c0a34d74d91ddd0e6992525da70d3293392f70
2023-04-17 09:21:14 +10:00
jsg@openbsd.org 740dafa20f
upstream: fix double words ok dtucker@
OpenBSD-Commit-ID: 44d3223902fbce5276422bdc8063ab72a4078489
2023-04-17 09:21:13 +10:00
Darren Tucker 6452f89577
Test against LibreSSL 3.7.2. 2023-04-11 16:49:19 +10:00
Damien Miller 2138f6be59
remove unused upper-case const strings in fmtfp
no float format that uses upper-case is supported nor are hex floats.
ok dtucker
2023-04-06 14:33:10 +10:00
djm@openbsd.org 484c5e6168
upstream: simplify sshsig_find_principals() similar to what happened to
sshsig_check_allowed_keys() in r1.31, removing some dead code

OpenBSD-Commit-ID: a493e628d4d6c08f878c276d998f4313ba61702d
2023-04-06 13:57:28 +10:00
djm@openbsd.org 3a7b110fbc
upstream: remove redundant ssh!=NULL check; we'd already
dereferenced it

OpenBSD-Commit-ID: 852bf12591ec5a9fb12dcbde9b1fd3945ad0df3c
2023-04-06 13:27:17 +10:00
djm@openbsd.org 2519110659
upstream: match_user() shouldn't be called with user==NULL unless
host and ipaddr are also NULL

OpenBSD-Commit-ID: fa3518346c21483e9e01a2e4b9436ae501daf8ea
2023-04-06 13:27:16 +10:00
djm@openbsd.org 3b9ceaad7a
upstream: don't care about glob() return value here.
OpenBSD-Commit-ID: 85bb82fea90478a482e9f65a1bec0aa24227fd66
2023-04-06 13:27:16 +10:00
dtucker@openbsd.org 09d8da0849
upstream: Move up null check and simplify process_escapes.
Based on Coverity CID 291863 which points out we check the channel
pointer for NULLness after dereferencing it.  Move this to the start
of the function, and while there simplify initialization of efc a bit.
ok djm@

OpenBSD-Commit-ID: de36e5ad6fde0fe263ca134e986b9095dc59380a
2023-04-03 18:35:04 +10:00
Damien Miller b36b162be5
need va_end() after va_copy(); ok dtucker
spotted by Coverity
2023-04-03 10:01:01 +10:00
dtucker@openbsd.org f703757234
upstream: Explicitly ignore return from waitpid here too.
OpenBSD-Commit-ID: eef2403df083c61028969fc679ee370373eacacb
2023-03-31 17:01:01 +11:00
dtucker@openbsd.org 6b73aa2903
upstream: Explictly ignore return codes
where we don't check them.

OpenBSD-Commit-ID: 1ffb03038ba1b6b72667be50cf5e5e396b5f2740
2023-03-31 16:17:46 +11:00
dtucker@openbsd.org 6f0308a3e7
upstream: Return immediately from get_sock_port
if sock <0 so we don't call getsockname on a negative FD.  From Coverity
CID 291840, ok djm@

OpenBSD-Commit-ID: de1c1130646230c2eda559831fc6bfd1b61d9618
2023-03-31 16:17:22 +11:00
djm@openbsd.org 1c1124dc90
upstream: don't leak arg2 on parse_pubkey_algos error path; ok
dtucker@

OpenBSD-Commit-ID: 7d0270ad3dd102412ca76add2b3760518abdef75
2023-03-31 15:32:37 +11:00
djm@openbsd.org 8ba2d4764b
upstream: clamp max number of GSSAPI mechanisms to 2048; ok dtucker
OpenBSD-Commit-ID: ce66db603a913d3dd57063e330cb5494d70722c4
2023-03-31 15:32:37 +11:00
djm@openbsd.org 1883841fc1
upstream: don't print key if printing hostname failed; with/ok
dtucker@

OpenBSD-Commit-ID: ad42971a6ee5a46feab2d79f7f656f8cf4b119f3
2023-03-31 15:32:36 +11:00
djm@openbsd.org c6011129ca
upstream: remove redundant test
OpenBSD-Commit-ID: 6a0b719f9b1ae9d42ad8c5b144c7962c93792f7c
2023-03-31 15:06:20 +11:00
djm@openbsd.org 4fb29eeafb
upstream: don't attempt to decode a ridiculous number of
attributes; harmless because of bounds elsewhere, but better to be explicit

OpenBSD-Commit-ID: 1a34f4b6896155b80327d15dc7ccf294b538a9f2
2023-03-31 15:06:20 +11:00
djm@openbsd.org fc437c154e
upstream: remove unused variable; prompted by Coverity CID 291879
OpenBSD-Commit-ID: 4c7d20ef776887b0ba1aabcfc1b14690e4ad0a40
2023-03-31 15:06:19 +11:00
dtucker@openbsd.org 0eb8131e4a
upstream: Check fd against >=0 instead of >0 in error path. The
dup could in theory return fd 0 although currently it doesn't in practice.
From Dmitry Belyavskiy vi github PR#238.

OpenBSD-Commit-ID: 4a95f3f7330394dffee5c749d52713cbf3b54846
2023-03-31 15:06:19 +11:00
dtucker@openbsd.org 7174ba6f8a
upstream: Ignore return value from muxclient(). It normally loops
without returning, but it if returns on failure we immediately exit.
Coverity CID 405050.

OpenBSD-Commit-ID: ab3fde6da384ea588226037c38635a6b2e015295
2023-03-31 15:06:18 +11:00
Damien Miller a4c1c2513e
don't call connect() on negative socket
Coverity CID 405037
2023-03-31 14:17:22 +11:00
djm@openbsd.org 34ee842cdd
upstream: return SSH_ERR_KEY_NOT_FOUND if the allowed_signers file
is empty, not SSH_ERR_INTERNAL_ERROR. Also remove some dead code spotted
by Coverity; with/ok dtucker@

OpenBSD-Commit-ID: 898a1e817cda9869554b1f586a434f67bcc3b650
2023-03-30 14:09:51 +11:00
dtucker@openbsd.org f108e77a9d
upstream: Remove dead code from inside if block.
The only way the if statement can be true is if both dup()s fail, and
in that case the tmp2 can never be set. Coverity CID 291805, ok djm@

OpenBSD-Commit-ID: c0d6089b3fb725015462040cd94e23237449f0c8
2023-03-30 14:09:37 +11:00
Darren Tucker 05b8e88ebe
child_set_eng: verify both env pointer and count.
If child_set env was called with a NULL env pointer and a non-zero count
it would end up in a null deref, although we don't currently do this.
Prompted by Coverity CID 291850, tweak & ok djm@
2023-03-30 14:08:35 +11:00
dtucker@openbsd.org 28f1b8ef9b
upstream: Ignore return from sshpkt_disconnect
since we set our own return value for the function.  Coverity CID 291797,
ok djm@

OpenBSD-Commit-ID: 710b57ba954c139240895e23feea41f203201f04
2023-03-29 12:33:32 +11:00
dtucker@openbsd.org c3da05d959
upstream: Plug potential mem leak in process_put.
It allocates abs_dst inside a loop but only frees it on exit, so free
inside the loop if necessary.  Coverity CID 291837, ok djm@

OpenBSD-Commit-ID: a01616503a185519b16f00dde25d34ceaf4ae1a3
2023-03-29 12:22:33 +11:00
djm@openbsd.org 13ae327eae
upstream: fix memory leak; Coverity CID 291848
with/ok dtucker@

OpenBSD-Commit-ID: 37f80cb5d075ead5a00ad1b74175684ab1156ff8
2023-03-29 12:22:23 +11:00
dtucker@openbsd.org 9ffa76e128
upstream: Plug more mem leaks in sftp by making
make_absolute_pwd_glob work in the same way as make_absolute: you
pass it a dynamically allocated string and it either returns it, or
frees it and allocates a new one. Patch from emaste at freebsd.org and
https://reviews.freebsd.org/D37253 ok djm@

OpenBSD-Commit-ID: 85f7404e9d47fd28b222fbc412678f3361d2dffc
2023-03-28 19:03:54 +11:00
dtucker@openbsd.org 82b2b83269
upstream: Remove compat code for OpenSSL < 1.1.*
since -portable no longer supports them.

OpenBSD-Commit-ID: ea2893783331947cd29a67612b4e56f818f185ff
2023-03-28 19:03:29 +11:00
dtucker@openbsd.org b500afcf00
upstream: Remove compat code for OpenSSL 1.0.*
versions now that -portable has dropped support for those versions.

OpenBSD-Regress-ID: 82a8eacd87aec28e4aa19f17246ddde9d5ce7fe7
2023-03-28 19:03:10 +11:00
Darren Tucker 727560e601
Prevent conflicts between Solaris SHA2 and OpenSSL.
We used to prevent conflicts between native SHA2 headers and OpenSSL's
by setting OPENSSL_NO_SHA but that was removed prior to OpenSSL 1.1.0
2023-03-28 19:03:03 +11:00
Darren Tucker 46db8e14b7
Remove HEADER_SHA_H from previous...
since it causes more problems than it solves.
2023-03-28 12:44:03 +11:00
Darren Tucker 72bd68d373
Replace OPENSSL_NO_SHA with HEADER_SHA_H.
Since this test doesn't use OpenSSL's SHA2 and may cause conflicts we
don't want to include it, but OPENSSL_NO_SHA was removed beginning in
OpenSSL's 1.1 series.
2023-03-28 10:35:18 +11:00