Compare commits


396 Commits

Author SHA1 Message Date
Tess Gauthier
fdde2326f9
Fix static analysis warning ()
* update function declaration and definition to match usage

* change _Outptr_ to _Out_
2025-04-01 14:15:59 -04:00
Tess Gauthier
de4c0c7c59
fix warnings () 2025-03-31 15:15:57 -04:00
LainOTN2
31f8d13ab6
Fix for Y2038 gettimeofday for Win32 builds ()
* Fix for Y2038 gettimeofday for Win32 builds

* fixing spaces

* Fixing also the builtin gettimeofday
2025-03-26 14:50:34 -04:00
Tess Gauthier
ae72d833fd
Crank version ()
* bump libressl version

* bump openssh version
2025-03-26 11:40:53 -04:00
Tess Gauthier
0096029101
fix non-interactive session regression with sshd-session ()
* change sshd to sshd-session for process flag

* add pester test
2025-03-13 15:28:04 -04:00
Tess Gauthier
a96b3fbae4
add publish test results step to CI with pester test fix ()
* upload results from setup tests

* Update test results file path in CI

* Update ci.yml

* Update Setup.Tests.ps1

* Add systemDrive variable and update paths

* Update variable names in CI configuration

* Enable task failure on failed tests

* Comment out sshd service stop command to test CI

* uncomment part of pester test
2025-02-24 16:57:30 -05:00
Tess Gauthier
8514f78233
change default keygen key type ()
* change default keygen key type

* increase DEFAULT_BITS_ECDSA to 384

* change default key path to ECDSA
2025-02-21 14:26:04 -05:00
Tess Gauthier
41734eb591
Update chroot symlink check ()
* start sftp chroot symlink fix

* update symlink logic chroot check

* fix order
2025-02-20 16:26:18 -05:00
Leonard Hecker
8fe096c7b7
Increase stdin chunksize from 16 to 1024 chars () 2025-01-13 10:51:15 -05:00
Tess Gauthier
b36bc85f47
Update ssh folder permissions check in SSHD ()
* remove check on progdata/ssh/log folder permissions

* add pester test

* modify permissions check to log event without failing startup

* modify perm check

* update test

* uncomment code

* modify pester test

* address review feedback

* address review feedback

* fix multi-line logging

* cleanup allocations

* address review feedback

* address additional review feedback

* store value in tmp var
2025-01-10 10:47:23 -05:00
Tess Gauthier
7baad0a474
make env vars optional for default allow list path ()
* make env vars optional for default allow list path

* add pkcs11 pester test

* use lowercasing within method
2025-01-07 10:02:04 -05:00
Tess Gauthier
86bc0d7df9
remove sntrup761x25519-sha512 from supported kex list () 2025-01-06 14:12:21 -05:00
Tess Gauthier
cdcc8d34d8
Fix tilde expand for Windows paths with backslashes ()
* add backslash support for Windows paths

* add pester tests for tilde_expand

* fix typo
2025-01-06 14:11:58 -05:00
Andrew
0c3137f621
Fix hang in syncio_close () 2024-12-18 15:36:43 -05:00
Tess Gauthier
265df19787
Fix include paths ()
* fix Include abs path on Windows

* add pester tests for Include directive

* fix tests

* fix typo
2024-12-10 11:57:15 -05:00
Tess Gauthier
348084cc9a
Update sshd_config to latest defaults () 2024-12-09 11:27:41 -05:00
Tess Gauthier
0dd6d2cd21
username logging fix ()
* initial pass at including username from sftp

* initialize user to unknown

* update tests

* fix spacing

* fix test take 2
2024-11-21 16:42:02 -05:00
manu0401
27f6cfa7b0
Add an environment variable to control stdio mode ()
* Add an environment variable to control stdio mode

stdio descriptors (stdin, stdout and stderr) can be operated in various
modes by win32compat code. The behavior is set very early in
fd_table_initialize() by setting pio->type.

In https://github.com/PowerShell/Win32-OpenSSH/issues/1427 it was
chosen to set pio->type to NONSOCK_SYNC_FD to resolve an I/O hang
problem. Unfortunately this introduces problems for other ssh usage.

sshfs-win uses ssh and has at least 6 open issues for the same
problem introduced by this NONSOCK_SYNC_FD change:
https://github.com/winfsp/sshfs-win/issues?q=is%3Aissue+cb+%3A87

The sshfs-win workaround is to use an older ssh.exe from cygwin, which
is bundled with sshfs-win. This program is unable to use ssh-agent,
which is quite frustrating. And if PATH is not set to use it, sshfs-win
cannot work.

This change introduces an OPENSSH_STDIO_MODE environment variable that
can be set to the following values: unknown, sock, nonsock, nonsock_sync.
It causes pio->type to be set to UNKNOWN_FD, SOCK_FD, NONSOCK_FD, and
NONSOCK_SYNC_FD respectively. The default behavior when the variable
is not set is unchanged (which means NONSOCK_SYNC_FD).

Setting OPENSSH_STDIO_MODE="nonsock" lets sshfs-win work again with
openssh-portable ssh.exe. ssh-agent can be used, and this is good.

* Leave out UNKNOWN_FD as one of the possible types for stdio descriptors

An assert(pio->type != UNKNOWN_FD) in fd_table_set() causes that
case to fail early anyway.
2024-11-19 16:14:43 -05:00
Tess Gauthier
796d297a66
fix open call for ssh-keygen ()
* fix open call for ssh-keygen

* fix test

* fix formatting
2024-11-18 16:55:49 -05:00
Mike Gilbert
a915f06c78
Set argv[argc] to NULL when calling main ()
* Set argv[argc] to NULL when calling main

ISO C states that argv[argc] shall be a null pointer.

The OpenSSH codebase does not appear to rely on this currently, but
better to be safe in case something changes.

* Check for malloc failure in sshd wmain
2024-10-14 17:43:35 -04:00
Tess Gauthier
d7e886b9f6
Update version.rc () 2024-10-09 16:38:44 -04:00
Tess Gauthier
e1661bfcb4
add sshd-session to msi () 2024-10-09 14:23:52 -04:00
Tess Gauthier
64f148cc3b
fix for msrc cases () 2024-10-08 16:25:04 -04:00
Tess Gauthier
b4d7f739df
Fix banner ()
* update banner

* update banner
2024-09-26 17:51:06 -04:00
Tess Gauthier
414d8531ce
Update paths.targets () 2024-09-25 13:05:04 -04:00
Tess Gauthier
14ecb9d70e
update openssh banner () 2024-09-18 15:46:24 -04:00
Tess Gauthier
7033d00153
Merge pull request from tgauth/merge-9.8
Merge upstream 9.8
2024-09-18 14:27:52 -04:00
Tess Gauthier
d8b0147df2
Merge pull request from tgauth/update-dependencies
Update dependency versions
2024-09-17 13:12:13 -04:00
Tess Gauthier
f168dca436
remove DSA from pester tests 2024-09-16 11:37:57 -04:00
Tess Gauthier
0e69c3dd2b
fix spacing 2024-09-16 11:24:27 -04:00
Tess Gauthier
10d03163e9
confirm failing tests are due to DSA deprecation 2024-09-16 11:18:06 -04:00
Tess Gauthier
718738b783
merge latestw_all 2024-09-13 16:34:42 -04:00
Tess Gauthier
4d7e9c189c
address review feedback 2024-09-13 16:33:01 -04:00
Tess Gauthier
f0d05b5fec
cleanup config declarations 2024-09-13 16:32:45 -04:00
Tess Gauthier
251eb8d522
using openbsd compat for arc4random 2024-09-13 15:54:07 -04:00
Tess Gauthier
dcdd707699
fix function definitions 2024-09-13 15:49:07 -04:00
Tess Gauthier
b240ddf209
bump libressl and libfido2 versions 2024-09-13 14:50:53 -04:00
Tess Gauthier
0eab6d5d68
Merge pull request from tgauth/sync-with-upstream-2
Sync with upstream 9.7
2024-09-09 14:12:13 -04:00
Tess Gauthier
56d415a029
fix group check for user () 2024-08-27 16:49:50 -04:00
Tess Gauthier
cc2dc243e0
Update ZLib version 2024-08-27 11:22:27 -04:00
Yusi (James) Zhang
59a553e67e
Missing */. () 2024-08-22 13:24:24 -04:00
Tess Gauthier
03ae1035d1
change comment to ifdef 2024-08-20 13:29:41 -04:00
Tess Gauthier
9215a127ba
fix bash test failures 2024-08-16 13:12:39 -04:00
Tess Gauthier
8e7aee937a
fix inetd 2024-08-15 11:54:04 -04:00
Tess Gauthier
9ad0bff74b
remove credscan from PR CI job () 2024-08-12 12:25:23 -04:00
Tess Gauthier
18f1991754
fix test-exec to find sshd-session on Windows 2024-08-09 15:12:21 -04:00
Tess Gauthier
78fa6b269a
fix debug mode 2024-08-08 11:05:21 -04:00
Tess Gauthier
03aa1ed7f2
fix typo 2024-08-06 16:45:50 -04:00
Tess Gauthier
8584d34d60
separate wmain_sshd-session from wmain_sshd 2024-08-06 15:48:02 -04:00
Tess Gauthier
209dad58c7
add sshd-session to ci artifacts 2024-08-06 14:22:58 -04:00
Tess Gauthier
9787cad03a
fix compilation error 2024-08-06 11:43:29 -04:00
Tess Gauthier
cfd259fcf1
fix merge conflict properly 2024-08-05 16:29:51 -04:00
Tess Gauthier
442c43da10
disable upstream workflows 2024-08-02 17:44:45 -04:00
Tess Gauthier
9a0bf7d05d
Merge branch 'latestw_all' into merge-9.8 2024-08-02 17:41:45 -04:00
Tess Gauthier
6384372160
merge the rest of the 9.8 changes from upstream 2024-08-02 17:22:58 -04:00
Tess Gauthier
d5d6a52338
fix win32 sshd and sshd-session 2024-08-02 14:21:01 -04:00
djm@openbsd.org
9c25d37697
upstream: missing files from previous
OpenBSD-Commit-ID: 4b7be4434d8799f02365552b641a7a70a7ebeb2f
2024-08-02 14:21:00 -04:00
Tess Gauthier
7906ad4cda
continue merge - not compiling 2024-08-02 14:20:51 -04:00
Tess Gauthier
57149fe90d
revert Win32 change () 2024-08-01 14:09:20 -04:00
Tess Gauthier
43c6e39474
remove getrnd() to sync with upstream () 2024-08-01 14:04:37 -04:00
Tess Gauthier
429419ba38
start merge - not compiling 2024-07-24 10:25:43 -04:00
LexaPrime
e829ad267c
Fix _rs_init split in half during merge () 2024-07-22 16:27:38 -04:00
djm@openbsd.org
c21fc9d953
upstream: correct keyword; from Yatao Su via GHPR509
OpenBSD-Commit-ID: 81c778c76dea7ef407603caa157eb0c381c52ad2
2024-07-11 08:30:18 +10:00
Darren Tucker
b35a64dd7d
Cast to sockaddr * in systemd interface.
Fixes build with musl libc.  bz#3707.
2024-07-07 18:47:54 +10:00
Darren Tucker
34f7a962f9
Add 9.8 branch to ci-status page. 2024-07-04 20:12:26 +10:00
Samuel Thibault
20950a7c04
Fix detection of setres*id on GNU/Hurd
Like Linux, proper _SOURCE macros need to be set to get declarations of
various standard functions, notably setres*id. Now that Debian is using
-Werror=implicit-function-declaration this is really required. While at
it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses
the same glibc.
2024-07-03 19:25:07 +10:00
Damien Miller
6849957945
autogenerated files for release 2024-07-01 14:36:28 +10:00
Damien Miller
fa41f6592f
version numbers 2024-07-01 14:33:26 +10:00
djm@openbsd.org
bfebb8a513
upstream: openssh-9.8
OpenBSD-Commit-ID: 5f8b89e38a4c5f7c6d52ffa19f796d49f36fab19
2024-07-01 14:32:51 +10:00
djm@openbsd.org
146c420d29
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@

OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
2024-07-01 14:32:45 +10:00
djm@openbsd.org
637e4dfea4
upstream: use "lcd" to change directory before "lls" rather than "cd",
since the directory we're trying to list is local. Spotted by Corinna
Vinschen

OpenBSD-Regress-ID: 821feca4a4bebe491944e624c8f7f2990b891415
2024-07-01 14:32:39 +10:00
djm@openbsd.org
c8cfe258ce
upstream: delete obsolete comment
OpenBSD-Commit-ID: 5fb04f298ed155053f3fbfdf0c6fe7cdf84bbfa2
2024-06-28 09:07:27 +10:00
djm@openbsd.org
94b9d37100
upstream: retire unused API
OpenBSD-Commit-ID: 3e30d7b0615e2707f6bbe70f61b1c2f72f78161b
2024-06-28 08:37:11 +10:00
jmc@openbsd.org
268c3a7f57
upstream: ssl(8) no longer contains a HISTORY section;
OpenBSD-Commit-ID: 83b7ff34433d79595e9c2a5d2a561a6660251245
2024-06-28 08:36:16 +10:00
djm@openbsd.org
12b6cc09ce
upstream: move child process waitpid() loop out of SIGCHLD handler;
ok deraadt

OpenBSD-Commit-ID: 65815a39564e431414aed7c5ace8076f4e9ca741
2024-06-28 08:36:15 +10:00
deraadt@openbsd.org
d6bcd13297
upstream: Instead of using possibly complex ssh_signal(), write all
the parts of the grace_alarm_handler() using the exact things allowed by the
signal-safe rules.  This is a good rule of thumb: Handlers should be written
to either set a global volatile sig_atomic_t inspected from outside, and/or
directly perform only safe operations listed in our sigaction(2) manual page.
ok djm markus

OpenBSD-Commit-ID: 14168ae8368aab76e4ed79e17a667cb46f404ecd
2024-06-28 08:34:49 +10:00
deraadt@openbsd.org
b8793e2b08
upstream: save_errno wrappers inside two small signal handlers that
perform system calls, for systems with libc that do perform libc sigtramps.
ok djm markus

OpenBSD-Commit-ID: 7749b56419a7c9dcfe4c6c04811e429813346c62
2024-06-28 08:34:49 +10:00
jmc@openbsd.org
f23e9332c4
upstream: - uppercase start of sentence - correct sentence grammar
ok djm

OpenBSD-Commit-ID: 1ec4b0fdb633a43667f2c8fff1d600bd647dde25
2024-06-28 08:34:48 +10:00
djm@openbsd.org
1839e3eb71
upstream: mention SshdSessionPath option
OpenBSD-Commit-ID: c29734d36c21003973b15c1c9965c35f36cef30c
2024-06-28 08:34:48 +10:00
Darren Tucker
603193e32a
Rerun upstream tests on .sh file changes too. 2024-06-20 18:45:14 +10:00
dtucker@openbsd.org
dbbf9337c1
upstream: Work around dbclient cipher/mac query bug.
Unlike earlier versions, recent Dropbear (at least v2024.85) requires
a host arg when querying supported ciphers and macs via "-c/-m
help".  Earlier versions accept but do not require it, so always
provide it.  If these queries fail, skip the test with a warning.

OpenBSD-Regress-ID: 98eb863a3f0363416922efb273885e6b3c7f68d4
2024-06-20 18:34:50 +10:00
dtucker@openbsd.org
8de2c8cebc
upstream: Remove dropbear key types not supported
by current OpenSSH. Allows subsequent test runs to work if OpenSSH is
rebuilt w/out OpenSSL.

OpenBSD-Regress-ID: e0129eb2b1d31771105903a8055216fbba20a770
2024-06-20 18:34:35 +10:00
djm@openbsd.org
e9b6471c59
upstream: stricter check for overfull tables in penalty record path
OpenBSD-Commit-ID: 7df01e648a0723418c554e64a9f2b6d38db060a6
2024-06-20 10:19:10 +10:00
djm@openbsd.org
d9336d344e
upstream: put back reaping of preauth child process when writes
from the monitor fail. Not sure how this got lost in the avalanche of
patches.

OpenBSD-Commit-ID: eb7eb36371e1ac01050b32b70fb2b3e5d98e72f5
2024-06-20 10:19:10 +10:00
naddy@openbsd.org
579d9adb70
upstream: remove one more mention of DSA
OpenBSD-Commit-ID: 8515f55a15f02836ba657df341415f63c60526ca
2024-06-20 10:19:09 +10:00
Darren Tucker
7089b5f843
Move -f to the place needed to restart sshd. 2024-06-19 23:09:05 +10:00
Darren Tucker
d5f83cfd85
Need to supply "-f" to restart sshd. 2024-06-19 21:04:01 +10:00
dtucker@openbsd.org
fad34b4ca2
upstream: Provide defaults for ciphers and macs
if querying for them fails since on some versions of Dropbear (at least
v2024.85) "-m help" doesn't seem to work.  Enable all supported pubkey
algorithms in the server.

OpenBSD-Regress-ID: 4f95556a49ee9f621789f25217c367a33d2745ca
2024-06-19 20:36:57 +10:00
dtucker@openbsd.org
5521060e35
upstream: Use ed25519 keys for kex tests
since that's supported by OpenSSH even when built without OpenSSL.
Only test diffie-hellman kex if OpenSSH is compiled with support for it.

OpenBSD-Regress-ID: a5d09ef9bbd171f9e4ec73ed0d9eeb49a8878e97
2024-06-19 20:36:57 +10:00
dtucker@openbsd.org
dbd3b833f6
upstream: Rework dropbear key setup
to always generate ed25519 keys, other types only if OpenSSH has support
for the corresponding key type.

OpenBSD-Regress-ID: 8f91f12604cddb9f8d93aa34f3f93a3f6074395d
2024-06-19 20:36:56 +10:00
Darren Tucker
d6218504e1
Restart sshd after installing it for testing.
When installing an sshd built without OpenSSL the mismatch between
the running sshd and newly installed sshd-session will cause the
remainder of the test to fail.
2024-06-19 20:36:54 +10:00
Darren Tucker
786a4465b6
Remove macos-11 runner.
Github is retiring them soon.
2024-06-19 20:36:53 +10:00
Damien Miller
df1c72a55e
PAMServiceName may appear in a Match block 2024-06-19 09:35:23 +10:00
dtucker@openbsd.org
de1c2e70e5
upstream: Re-enable ssh-dss tests
... if ssh is compiled with DSA support

OpenBSD-Regress-ID: bbfaf8c17f2b50a2d46ac35cb97af99b990c990d
2024-06-18 19:57:41 +10:00
anton@openbsd.org
dabc2c7cf3
upstream: Stop using DSA in dropbear interop tests.
OpenBSD-Regress-ID: abfd4457d99d8cc1417fd22ca2c570270f74c1cf
2024-06-18 19:57:36 +10:00
Damien Miller
7614380127
missed a bit of DSA in the fuzzer 2024-06-18 12:29:45 +10:00
Damien Miller
3f9cc47da5
DSA support is disabled, so remove from fuzzers 2024-06-18 09:35:53 +10:00
Tess Gauthier
547baf4e29
Merge branch 'latestw_all' into sync-with-upstream-2 2024-06-17 15:00:49 -04:00
djm@openbsd.org
00eb95957d
upstream: disable the DSA signature algorithm by default; ok
markus@

(yes, I know this expands to "the Digital Signature Algorithm
signature algorithm")

OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed
2024-06-17 18:48:29 +10:00
djm@openbsd.org
5603befe11
upstream: promote connection-closed messages from verbose to info
log level; they could be the only record of the connection terminating if the
client doesn't send a SSH2_MSG_DISCONNECT message. ok dtucker@

OpenBSD-Commit-ID: 0c8bfaf5e9fdff945cee09ac21e641f6c5d65d3c
2024-06-17 18:31:39 +10:00
Damien Miller
b00331402f
propagate PAM crashes to PerSourcePenalties
If the PAM subprocess crashes, exit with a crash status that will be
picked up by the sshd(8) listener process where it can be used by
PerSourcePenalties to block the client. This is similar handling to
the privsep preauth process.
2024-06-17 17:02:18 +10:00
Damien Miller
1c207f456a
minix doesn't have loopback, so skip penalty tests
pointed out by dtucker@
2024-06-17 15:06:58 +10:00
djm@openbsd.org
48443d202e
upstream: same treatment for this test
OpenBSD-Regress-ID: d0cc9efca7833e673ea7b0cb3a679a3acee8d4c7
2024-06-16 21:55:26 +10:00
djm@openbsd.org
45562a95ea
upstream: penalty test is still a bit racy
OpenBSD-Regress-ID: 90c9ac224db454637baf1ebee5857e007321e824
2024-06-16 18:18:43 +10:00
djm@openbsd.org
8d0f7eb147
upstream: crank up penalty timeouts so this should work on even the
slowest of test builders

OpenBSD-Regress-ID: 70bda39c83e3fc9d0f3c1fad4542ed33e173d468
2024-06-15 14:03:03 +10:00
jmc@openbsd.org
93c75471a1
upstream: sort -q in the options list;
OpenBSD-Commit-ID: 6839b38378f38f754de638a5e988c13b4164cc7c
2024-06-15 14:02:54 +10:00
djm@openbsd.org
dd7807bbe8
upstream: clarify KEXAlgorithms supported vs available. Inspired by
bz3701 from Colin Watson.

OpenBSD-Commit-ID: e698e69bea19bd52971d253f2b1094490c4701f7
2024-06-14 15:02:51 +10:00
djm@openbsd.org
d172ad56df
upstream: ssh-keyscan -q man bits
OpenBSD-Commit-ID: ba28d0e1ac609a4c99c453e57e86560c79079db1
2024-06-14 15:01:55 +10:00
Damien Miller
092e4ff9cc
skip penalty-expire test in valgrind test env 2024-06-14 14:46:55 +10:00
djm@openbsd.org
2866ad08a9
upstream: split the PerSourcePenalties test in two: one tests penalty
enforcement but not penalty expiry, the other tests penalty expiry.

This lets us disable the expiry testing in certain CI test environments.

OpenBSD-Regress-ID: f56811064f3e3cb52ee73a206b8c2a06af1c8791
2024-06-14 14:46:21 +10:00
Damien Miller
b2c64bc170
add a sshd_config PamServiceName option
Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.

bz2102, ok dtucker@
2024-06-14 14:20:54 +10:00
djm@openbsd.org
9f032a4dd1
upstream: don't redirect stderr for ssh-keyscan we expect to succeed
OpenBSD-Regress-ID: 8878b8eb4e070ed2e343166d3eb86db4a08a216c
2024-06-14 10:27:39 +10:00
djm@openbsd.org
1e84d0cf40
upstream: make host/banner comments go to stderr instead of stdout,
so they are useful as comments without extra shell redirection and so they
don't clutter actual errors on stderr.

Add a -q flag to shut them up.

ok dtucker@

OpenBSD-Commit-ID: bec813de56a71adb5c1a76adcf49621130d24264
2024-06-14 10:27:34 +10:00
naddy@openbsd.org
3e806d0118
upstream: separate keywords with comma
OpenBSD-Commit-ID: d65a99666202a8188c4991c18d14374a229f7be5
2024-06-14 10:27:33 +10:00
djm@openbsd.org
abfd1f7a3c
upstream: specify an algorithm for ssh-keyscan, otherwise it will make
multiple attempts simultaneously and confuse the test

OpenBSD-Regress-ID: 6e910f3315c4345053db1bf5cbf61826b194d0b9
2024-06-14 10:25:51 +10:00
Damien Miller
a8fbe2f7d0
sshd: don't use argv[0] as PAM service name
sshd would implicitly use argv[0] as the PAM service name to
allow people to select different PAM service names by making
differently-named copies/links to the sshd binary.

Splitting sshd into sshd/sshd-session broke this, as the process
that starts PAM is always sshd-session and the user has no control
over this.

Hardcode "sshd" as the default PAM service name unless/until we
figure out a better way. Should unbreak OSX integration tests.
2024-06-13 16:41:29 +10:00
Damien Miller
bf204bd05c
prepare for checking in autogenerated files
We plan to check in automatically generated files (config.h.in, etc) on
release branches. These files are normally ignored by .gitignore, but
this shuffles the contents of this file to make it easy to un-ignore
them.
2024-06-13 15:02:26 +10:00
Damien Miller
425f79a837
typo in comment 2024-06-13 14:41:33 +10:00
Damien Miller
afe10313c1
fix PTY allocation on Cygwin, broken by sshd split
Cygwin doesn't support FD passing and so used to disable post-auth
privilege separation entirely because privsep requires PTY allocation
to happen in the privileged monitor process with the PTY file
descriptors being passed back to the unprivileged process.

This brings back a minimal version of the previous special treatment
for Cygwin (and any other platform that sets DISABLE_FD_PASSING):
privilege separation remains enabled, but PTY allocation happens in
the post-auth user process rather than the monitor.

This either requires PTY allocation to not need privilege to begin
with (this appears to be the case on Cygwin), or the post-auth
privsep process retain privilege (other platforms that set the
DISABLE_FD_PASSING option).

Keeping privileges here is bad, but the non-Cygwin systems that set
DISABLE_FD_PASSING are so deeply legacy that this is likely to be the
least of their problems.
2024-06-13 14:35:25 +10:00
Damien Miller
f66d4df574
delay lookup of privsep user until config loaded
sshd-session was attempting to use options.kerberos_authentication to
decide whether it needed to look up the privsep user before the
configuration was loaded. This caused it to get a placeholder value
that caused it always to try to look up the privsep user, breaking at
least one test environment.
2024-06-13 11:33:09 +10:00
Damien Miller
f1c42858b9
missing file for PerSourcePenalties regress test 2024-06-13 11:16:57 +10:00
djm@openbsd.org
4de80ff4e6
upstream: split PerSourcePenalties address tracking. Previously it
used one shared table and overflow policy for IPv4 and IPv6 addresses, now it
will use separate tables and optionally different overflow policies.

This prevents misbehaviour from IPv6 addresses (which are vastly easier
to obtain many of) from affecting IPv4 connections and may allow for
stricter overflow policies.

ok deraadt@

OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
2024-06-13 08:36:41 +10:00
jmc@openbsd.org
06ab4c6931
upstream: do not mark up "(default: 20ms)";
OpenBSD-Commit-ID: 54151ecdecfa1b67dcdda4fd24826ef6e2148ad4
2024-06-13 08:36:40 +10:00
djm@openbsd.org
cfe243cd9f
upstream: reap preauth net child if it hangs up during privsep message
send, not just message receive

OpenBSD-Commit-ID: 02a093f4ab4f8f83f0cd1ea2bb35b9ca420448f0
2024-06-11 12:55:20 +10:00
djm@openbsd.org
b0a711c00b
upstream: fix PIDFILE handling, broken for SUDO=doas in last commit
here

OpenBSD-Regress-ID: 96fec579af228f87a036e94801eb294af9074625
2024-06-11 12:02:37 +10:00
djm@openbsd.org
90fb801e2d
upstream: reap the pre-auth [net] child if it hangs up during privsep
message sending, not just receiving

OpenBSD-Commit-ID: f7341605bf08c4c15830910446e6775323f2f8cb
2024-06-11 12:01:43 +10:00
djm@openbsd.org
ef878d5879
upstream: a little more RB_TREE paranoia
OpenBSD-Commit-ID: 8dc2fd21eebd8830c4a4d25461ac4fe228e11156
2024-06-11 11:26:53 +10:00
djm@openbsd.org
fc4e96b217
upstream: fix off-by-one comparison for PerSourcePenalty
OpenBSD-Commit-ID: af4f5d01c41ef870b23e55655bfbf73474a6c02b
2024-06-11 11:26:52 +10:00
djm@openbsd.org
82c836df4f
upstream: move tree init before possible early return
OpenBSD-Commit-ID: 72e2c5b69f151c08a7c5bf5ad929b97a92c273df
2024-06-11 11:26:52 +10:00
djm@openbsd.org
a2300f015c
upstream: update to mention that PerSourcePenalties default to
being enabled and document the default values for each parameter.

OpenBSD-Commit-ID: b981288bddfb097aad269f62df4081c688ce0034
2024-06-11 11:26:51 +10:00
djm@openbsd.org
41987efd35
upstream: reap the [net] child if it hangs up while writing privsep
message payloads, not just the message header

OpenBSD-Commit-ID: 24dbd400aa381ac96be7ed2dd49018487dfef6ce
2024-06-11 11:26:51 +10:00
djm@openbsd.org
6211aa085f
upstream: log waitpid() status for abnormal exits
OpenBSD-Commit-ID: b317930e06b51819c1a2bc6a4359764fecfb1c2d
2024-06-11 11:26:50 +10:00
djm@openbsd.org
a59634c7ad
upstream: correct error message
OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed
2024-06-11 11:26:50 +10:00
deraadt@openbsd.org
fa7d7a667f
upstream: avoid shadowing issues which some compilers won't accept
ok djm

OpenBSD-Commit-ID: 1e89572397dda83433d58c4fa6333a08f51170d4
2024-06-11 11:26:49 +10:00
jmc@openbsd.org
3ad4cd9eec
upstream: escape the final dot at eol in "e.g." to avoid double
spacing;

OpenBSD-Commit-ID: 0a9fb10bc9f7d577afe2da3f498a08bc431115b9
2024-06-11 11:26:49 +10:00
djm@openbsd.org
0e0c69761a
upstream: enable PerSourcePenalties by default.
ok markus

NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.

Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.

OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce
2024-06-07 06:26:15 +10:00
djm@openbsd.org
bd1f74741d
upstream: mention that PerSourcePenalties don't affect concurrent
in-progress connections.

OpenBSD-Commit-ID: 20389da6264f2c97ac3463edfaa1182c212d420c
2024-06-07 06:26:15 +10:00
djm@openbsd.org
9774b93857
upstream: regress test for PerSourcePenalties
OpenBSD-Regress-ID: a1af13d411b25a727742644459d26480b9a1b0f1
2024-06-07 05:54:32 +10:00
djm@openbsd.org
b8ebd86cef
upstream: make sure logs are saved from sshd run via start_sshd
OpenBSD-Regress-ID: de4ef0e32e3ab85ff3a6c36eb08d1909c0dd1b4a
2024-06-07 05:54:15 +10:00
djm@openbsd.org
d7b2070bda
upstream: simplify
OpenBSD-Regress-ID: 50316e0d1ae0c0a057a45af042253e54ce23d11c
2024-06-07 05:54:14 +10:00
djm@openbsd.org
e6ea3d2245
upstream: prepare for PerSourcePenalties being enabled by default
in future

OpenBSD-Regress-ID: 5236c6d1c823997aac5a35e2915da30f1903bec7
2024-06-07 05:52:59 +10:00
djm@openbsd.org
c0cb3b8c83
upstream: disable stderr redirection before closing fds
OpenBSD-Commit-ID: d42cb895ee4542098050367fc35321c9303f003a
2024-06-07 05:52:50 +10:00
djm@openbsd.org
81c1099d22
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsuccessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.

much feedback markus@ and others, ok markus@

OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-07 03:35:40 +10:00
Damien Miller
916b0b6174
whitespace 2024-06-07 03:31:02 +10:00
deraadt@openbsd.org
49b55e4418
upstream: enable -fret-clean on amd64, for libc libcrypto ld.so
kernel, and all the ssh tools.  The dynamic objects are entirely ret-clean,
static binaries will contain a blend of cleaning and non-cleaning callers.

OpenBSD-Commit-ID: 112aacedd3b61cc5c34b1fa6d9fb759214179172
2024-06-07 03:18:44 +10:00
Damien Miller
cc80d51d03
remove PRIVSEP macros for osx 2024-06-05 02:21:52 +10:00
djm@openbsd.org
8785491123
upstream: be really strict with fds reserved for communication with the
separate sshd-session process - reserve them early and fatal if we can't
dup2(2) them later. The pre-split fallback to re-reading the configuration
files is not possible, so sshd-session absolutely requires the fd the
configuration is passed over to be in order.

ok deraadt@

OpenBSD-Commit-ID: 308a98ef3c8a6665ebf92c7c9a0fc9600ccd7065
2024-06-01 17:05:09 +10:00
Damien Miller
f1c8918cb9
depend 2024-05-31 19:12:26 +10:00
Damien Miller
94b4866cb1
rename need_privsep to need_chroot
privsep is mandatory, chroot is optional (disabled when running
sshd as non-root)
2024-05-31 19:11:14 +10:00
Damien Miller
e68a95142e
remove remaining use_privsep mention 2024-05-31 19:05:34 +10:00
djm@openbsd.org
b21d271f65
upstream: warn when -r (deprecated option to disable re-exec) is
passed

OpenBSD-Commit-ID: 73145ef5150edbe3ce7889f0844ed8fa6155f551
2024-05-31 19:04:12 +10:00
djm@openbsd.org
a4b5bc246c
upstream: typos
OpenBSD-Commit-ID: edfa72eb06bfa65da30fabf7d2fe76d2d33f77bf
2024-05-31 19:04:11 +10:00
djm@openbsd.org
8054b90698
upstream: don't need sys/queue.h here
OpenBSD-Commit-ID: dd137396828171eb19e4911581812ca58de6c578
2024-05-27 11:55:15 +10:00
naddy@openbsd.org
210d423973
upstream: remove references to SSH1 and DSA server keys
OpenBSD-Commit-ID: 57cc1c98d4f998981473734f144b904af7d178a2
2024-05-27 11:55:03 +10:00
jsg@openbsd.org
f0b9261d7f
upstream: remove unused struct fwd_perm_list, no decl with complete
type ok djm@

OpenBSD-Commit-ID: 416fb3970b7e73c76d2963c4f00cf96f2b2ee2fb
2024-05-27 11:55:02 +10:00
naddy@openbsd.org
2477a98c3e
upstream: Do not pass -Werror twice when building with clang.
OpenBSD-Commit-ID: 5f378c38ad8976d507786dc4db9283a879ec8cd0
2024-05-27 11:55:01 +10:00
miod@openbsd.org
435844f567
upstream: Do not pass -Werror if building with gcc 3, for asn1.h
and bio.h cause (admittedly bogus) warnings with gcc 3.

OpenBSD-Commit-ID: fb39324748824cb0387e9d67c41d1bef945c54ea
2024-05-27 11:54:43 +10:00
djm@openbsd.org
fc5dc09283
upstream: this test has been broken since 2014, and has been
testing the same key exchange algorithm repeatedly instead of testing all of
them. Spotted by nreilly AT blackberry.com in bz3692

Who broke the test? me.

OpenBSD-Regress-ID: 48f4f5946276f975667141957d25441b3c9a50e2
2024-05-22 14:21:50 +10:00
anton@openbsd.org
fd4816791b
upstream: Add missing kex-names.c source file required since the
ssh split.

OpenBSD-Regress-ID: ca666223f828fc4b069cb9016bff1eb50faf9fbb
2024-05-22 14:21:50 +10:00
naddy@openbsd.org
beccb7319c
upstream: remove duplicate copy of relink kit for sshd-session
OpenBSD-Commit-ID: 6d2ded4cd91d4d727c2b26e099b91ea935bed504
2024-05-22 14:21:38 +10:00
jsg@openbsd.org
dcd79fa141
upstream: remove prototypes with no matching function; ok djm@
OpenBSD-Commit-ID: 6d9065dadea5f14a01bece0dbfe2fba1be31c693
2024-05-22 14:21:13 +10:00
jsg@openbsd.org
6454a05e7c
upstream: remove externs for removed vars; ok djm@
OpenBSD-Commit-ID: f51ea791d45c15d4927eb4ae7d877ccc1e5a2aab
2024-05-22 14:20:46 +10:00
deraadt@openbsd.org
f3e4db4601
upstream: -Werror was turned on (probably just for development),
and this is a simple way to satisfy older gcc.

OpenBSD-Commit-ID: 7f698df54384b437ce33ab7405f0b86c87019e86
2024-05-22 14:20:46 +10:00
Damien Miller
24a1f3e5ad
attempt at updating RPM specs for sshd-session 2024-05-17 14:50:43 +10:00
djm@openbsd.org
17b566eeb7
upstream: g/c unused variable
OpenBSD-Commit-ID: aa6ef0778a1f1bde0d73efba72a777c48d2bd010
2024-05-17 14:42:49 +10:00
jsg@openbsd.org
01fb82eb2a
upstream: spelling; ok djm@
OpenBSD-Commit-ID: bdea29bb3ed2a5a7782999c4c663b219d2270483
2024-05-17 14:42:49 +10:00
djm@openbsd.org
b88b690e99
upstream: allow overriding the sshd-session binary path
OpenBSD-Regress-ID: 5058cd1c4b6ca1a15474e33546142931d9f964da
2024-05-17 14:41:39 +10:00
anton@openbsd.org
a68f80f251
upstream: Since ssh-agent(1) is only readable by root by now, use
ssh(1) while generating data in tests.

OpenBSD-Regress-ID: 24eb40de2e6b0ace185caaba35e2d470331ffe68
2024-05-17 14:41:39 +10:00
djm@openbsd.org
92e5589031
upstream: fix incorrect debug option name introduced in previous
commit

OpenBSD-Commit-ID: 66d69e22b1c072c694a7267c847f212284614ed3
2024-05-17 14:41:38 +10:00
deraadt@openbsd.org
4ad72878af
upstream: construct and install a relink-kit for sshd-session ok
djm

OpenBSD-Commit-ID: 8b3820adb4da4e139c4b3cffbcc0bde9f08bf0c6
2024-05-17 14:41:37 +10:00
Damien Miller
02e679a2cb
Makefile support for sshd-session 2024-05-17 14:41:37 +10:00
djm@openbsd.org
03e3de416e
upstream: Start the process of splitting sshd into separate
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
2024-05-17 14:41:35 +10:00
djm@openbsd.org
c0416035c5
upstream: missing files from previous
OpenBSD-Commit-ID: 4b7be4434d8799f02365552b641a7a70a7ebeb2f
2024-05-17 14:41:35 +10:00
djm@openbsd.org
1c0d813579
upstream: simplify exit message handling, which was more complicated
than it needed to be because of unexpunged ssh1 remnants. ok markus@

OpenBSD-Commit-ID: 8b0cd2c0dee75fb053718f442aa89510b684610b
2024-05-10 18:41:01 +10:00
tobias@openbsd.org
cbbbf76aa6
upstream: remove SSH1 leftovers
Authored with Space Meyer <git at the-space dot agency>

ok djm

OpenBSD-Commit-ID: 81db602e4cb407baae472689db1c222ed7b2afa3
2024-05-08 14:57:48 +10:00
tobias@openbsd.org
bc5dcb8ab9
upstream: never close stdin
The sanitise_stdfd call makes sure that standard file descriptors are
open (if they were closed, they are connected with /dev/null).

Do not close stdin in any case to prevent error messages when stdin is
read multiple times and to prevent later usage of fd 0 for connections,
e.g.

echo localhost | ssh-keyscan -f - -f -

While at it, make stdin-related error messages nicer.

Authored with Max Kunzelmann <maxdev at posteo dot de>

ok djm

OpenBSD-Commit-ID: 48e9b7938e2fa2f9bd47e6de6df66a31e0b375d3
2024-05-08 14:57:47 +10:00
Damien Miller
6a42b70e56
sync getrrsetbyname.c with recent upstream changes 2024-05-08 09:43:59 +10:00
Andrew
661803c9ec
Allow SID strings in sshd_config ()
* SIDs in sshd_config

* add #include <Sddl.h> to servconf.c

---------

Co-authored-by: Tess Gauthier <tessgauthier@microsoft.com>
2024-05-07 16:15:28 -04:00
Tess Gauthier
afe9007141
remove HAVE_FREEZERO from preprocessor definitions () 2024-05-07 11:52:20 -04:00
djm@openbsd.org
385ecb31e1
upstream: fix home-directory extension implementation, it always
returned the current user's home directory contrary to the spec.

Patch from Jakub Jelen via GHPR477

OpenBSD-Commit-ID: 5afd775eab7f9cbe222d7fbae4c793de6c3b3d28
2024-04-30 16:24:22 +10:00
djm@openbsd.org
14e2b16bc6
upstream: flush stdout after writing "sftp>" prompt when not using
editline.

From Alpine Linux via GHPR480

OpenBSD-Commit-ID: 80bdc7ffe0358dc090eb9b93e6dedb2b087b24cd
2024-04-30 16:17:20 +10:00
djm@openbsd.org
2e69a72405
upstream: stricter validation of messaging socket fd number; disallow
usage of stderr. Based on GHPR492 by RealHurrison

OpenBSD-Commit-ID: 73dbbe82ea16f73ce1d044d3232bc869ae2f2ce8
2024-04-30 15:53:26 +10:00
djm@openbsd.org
da757b022b
upstream: add missing reserved fields to key constraint protocol
documentation.

from Wiktor Kwapisiewicz via GHPR487

OpenBSD-Commit-ID: 0dfb69998cfdb3fa00cbb0e7809e7d2f6126e3df
2024-04-30 15:46:39 +10:00
Damien Miller
16d0b82fa0
depend 2024-04-30 12:39:34 +10:00
djm@openbsd.org
66aaa678db
upstream: correctly restore sigprocmask around ppoll() reported
by Tõivo Leedjärv; ok deraadt@

OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
2024-04-30 12:23:10 +10:00
djm@openbsd.org
80fb0eb215
upstream: add explicit check for server hostkey type against
HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from
certificate keys to plain keys. ok markus@

OpenBSD-Commit-ID: 364087e4a395ff9b2f42bf3aefdb2090bb23643a
2024-04-30 12:22:35 +10:00
jsg@openbsd.org
5b28096d31
upstream: correct indentation; no functional change ok tb@
OpenBSD-Commit-ID: dd9702fd43de546bc6a3f4f025c74d6f3692a0d4
2024-04-30 12:22:10 +10:00
semarie@openbsd.org
fd3cb8a827
upstream: set right mode on ssh-agent at boot-time
which sthen@
ok deraadt@

OpenBSD-Commit-ID: 662b5056a2c6171563e1626f9c69f27862b5e7af
2024-04-30 12:17:35 +10:00
deraadt@openbsd.org
54343a260e
upstream: Oops, incorrect hex conversion spotted by claudio.
While here try to improve how it reads a bit better.  Surprisingly the
regression tests didn't spot this error, maybe it fails to roundtrip the
values.

OpenBSD-Commit-ID: 866cfcc1955aef8f3fc32da0b70c353a1b859f2e
2024-04-30 12:16:54 +10:00
deraadt@openbsd.org
ec78c31409
upstream: for parse_ipqos(), use strtonum() instead of mostly
idiomatic strtoul(), but wow it's so gross. ok djm

OpenBSD-Commit-ID: cec14a76af2eb7b225300c80fc0e21052be67b05
2024-04-30 12:16:53 +10:00
deraadt@openbsd.org
8176e1a6c2
upstream: can shortcut by returning strtonum() value directly; ok
djm

OpenBSD-Commit-ID: 7bb2dd3d6d1f288dac14247d1de446e3d7ba8b8e
2024-04-30 12:16:52 +10:00
deraadt@openbsd.org
9f543d7022
upstream: rewrite convtime() to use an isdigit-scanner and
strtonum() instead of strange strtoul that might be fooled by garbage
characters. passes regress/usr.bin/ssh/unittests/misc ok djm

OpenBSD-Commit-ID: 4b1ef826bb16047aea3f3bdcb385b72ffd450abc
2024-04-30 12:16:52 +10:00
claudio@openbsd.org
8673137f78
upstream: Remove unused ptr[3] char array in pkcs11_decode_hex.
OK deraadt@

OpenBSD-Commit-ID: 3d14433e39fd558f662d3b0431c4c555ef920481
2024-04-30 12:16:51 +10:00
deraadt@openbsd.org
c7fec708f3
upstream: Replace non-idiomatic strtoul(, 16) to parse a region
of 2-character hex sequences with a low-level replacement designed just for
the task. ok djm

OpenBSD-Commit-ID: 67bab8b8a4329a19a0add5085eacd6f4cc215e85
2024-04-30 12:16:51 +10:00
deraadt@openbsd.org
019a5f483b
upstream: Use strtonum() instead of severely non-idiomatic
strtoul(). In particular this will now reject trailing garbage, i.e.
'12garbage'. ok djm

OpenBSD-Commit-ID: c82d95e3ccbfedfc91a8041c2f8bf0cf987d1501
2024-04-30 12:16:50 +10:00
deraadt@openbsd.org
8231ca046f
upstream: also create a relink kit for ssh-agent, since it is a
long-running setgid program carrying keys with some (not very powerful)
communication channels. solution for testing the binary from dtucker.
agreement from djm. Will add it into /etc/rc in a few days.

OpenBSD-Commit-ID: 2fe8d707ae35ba23c7916adcb818bb5b66837ba0
2024-04-30 12:16:50 +10:00
deraadt@openbsd.org
bf7bf50bd6
upstream: new-style relink kit for sshd. The old scheme created
a Makefile by concatenating two Makefiles and was incredibly fragile.  In the
new way a narrow-purposed install.sh script is created and shipped with the
objects. A recently committed /etc/rc script understands these files.

OpenBSD-Commit-ID: ef9341d5a50f0d33e3a6fbe995e92964bc7ef2d3
2024-04-30 12:16:19 +10:00
Steve Lee
b89ee6aa37
fix how build script finds repo root ()
Co-authored-by: Steve Lee (POWERSHELL HE/HIM) (from Dev Box) <slee@ntdev.microsoft.com>
2024-04-29 11:43:53 -04:00
renmingshuai
00e6368892
Shell syntax fix (leftover from a sync).
Signed-off-by: renmingshuai <renmingshuai@huawei.com>
2024-04-25 13:33:39 +10:00
Darren Tucker
2eded551ba
Merge flags for OpenSSL 3.x versions.
OpenSSL has moved to 3.4 which we don't currently accept.  Based on
the OpenSSL versioning policy[0] it looks like all of the 3.x versions
should work with OpenSSH, so remove the distinction in configure and
accept all of them.

[0] https://openssl.org/policies/general/versioning-policy.html
2024-04-25 13:20:19 +10:00
Darren Tucker
8673245918
Remove 9.6 branch from status page. 2024-04-25 13:19:03 +10:00
Darren Tucker
70d4304974
Update LibreSSL and OpenSSL versions tested.
Update LibreSSL versions to current releases (3.8.4 & 3.9.1).
Add newly-released OpenSSL 3.3.0, and add tests against the 3.1 and
3.3 branches.
2024-04-25 13:16:58 +10:00
Tess Gauthier
3af5ef810d
remove manifest files from msi () 2024-04-22 14:27:03 -04:00
90
88351eca17
Fix missing header for systemd notification 2024-04-06 08:16:25 +11:00
Damien Miller
08f579231c
notify systemd on listen and reload
Standalone implementation that does not depend on libsystemd.
With assistance from Luca Boccassi, and feedback/testing from Colin
Watson. bz2641
2024-04-03 14:40:32 +11:00
Darren Tucker
43e7c1c07c
Port changes from selfhosted to upstream tests.
Should get them working again.
2024-03-31 22:26:45 +11:00
Darren Tucker
281ea25a44
Check if OpenSSL implementation supports DSA.
If --enable/disable-dsa-keys is not specified, set based on what OpenSSL
supports.  If specified as enabled, but not supported by OpenSSL error
out.  ok djm@
2024-03-30 18:22:09 +11:00
djm@openbsd.org
2d2c068de8
upstream: in OpenSSH private key format, correct type for subsequent
private keys in blob. From Jakub Jelen via GHPR430

OpenBSD-Commit-ID: d17dbf47554de2d752061592f95b5d772baab50b
2024-03-30 16:57:32 +11:00
Eero Häkkinen
c2c0bdd3e9
Expose SSH_AUTH_INFO_0 always to PAM auth modules.
This changes SSH_AUTH_INFO_0 to be exposed to PAM auth modules also
when a password authentication method is in use and not only
when a keyboard-interactive authentication method is in use.
2024-03-30 16:48:04 +11:00
Darren Tucker
02c5ad2312
Rearrange selfhosted VM scheduling.
Instead of trying to infer the type of the self hosted tests in each of
the driver scripts (inconsistently...), set one of the following
variables to "true" in the workflow:

VM: tests run in a virtual machine.
EPHEMERAL: tests run on an ephemeral virtual machine.
PERSISTENT: tests run on a persistent virtual machine
REMOTE: tests run on a physical remote host.

EPHEMERAL VMs: multiple instances of any given VM can exist
simultaneously and are run by a runner pool.  The other types have a
dedicated runner instance and can only run a single test at a time.

Other settings:
SSHFS: We need to sshfs mount over the repo so the workflow can collect
	build artifacts.  This also implies the tests must be run over ssh.
DEBUG_ACTIONS: enable "set -x" in scripts for debugging.
2024-03-30 16:40:07 +11:00
Damien Miller
cd8a72707c
add new token-based signing key for dtucker@
Verified in person and via signature with old key.
Will remove old key in a bit.
2024-03-30 16:05:59 +11:00
Alkaid
8d0e46c1dd
Fix OpenSSL ED25519 support detection
Wrong function signature in configure.ac prevents openssh from enabling
the recently new support for ED25519 priv keys in PEM PKCS8 format.
2024-03-30 15:36:18 +11:00
djm@openbsd.org
697359be9c
upstream: allow WAYLAND_DISPLAY to enable SSH_ASKPASS
From dkg via GHPR479; ok dtucker@

OpenBSD-Commit-ID: 1ac1f9c45da44eabbae89375393c662349239257
2024-03-30 15:35:03 +11:00
dtucker@openbsd.org
7844705b03
upstream: Use egrep instead of grep -E.
Some platforms don't have the latter so this makes things easier
in -portable.

OpenBSD-Regress-ID: ff82260eb0db1f11130200b25d820cf73753bbe3
2024-03-29 22:01:20 +11:00
dtucker@openbsd.org
22b2b6c555
upstream: test -h is the POSIXly way of testing for a symlink. Reduces
diff vs Portable.

OpenBSD-Regress-ID: 6f31cd6e231e3b8c5c2ca0307573ccb7484bff7d
2024-03-29 21:43:24 +11:00
Darren Tucker
edcff77f82
Fix name of OpenBSD upstream CI jobs. 2024-03-26 18:58:58 +11:00
Darren Tucker
861b084429
Resync with upstream: ${} around DATAFILE. 2024-03-26 18:55:33 +11:00
djm@openbsd.org
63f248c769
upstream: optional debugging
OpenBSD-Regress-ID: b4852bf97ac8fb2e3530f2d5f999edd66058d7bc
2024-03-26 18:54:38 +11:00
dtucker@openbsd.org
16e2ebe06a
upstream: Verify string returned from local shell command.
OpenBSD-Regress-ID: 5039bde24d33d809aebfa8d3ad7fe9053224e6f8
2024-03-26 18:54:38 +11:00
dtucker@openbsd.org
b326f7a1f3
upstream: Improve shell portability: grep -q is not portable so
redirect stdout, and use printf instead of relying on echo to do \n
substitution.  Reduces diff vs Portable.

Also resync somewhat with upstream.

OpenBSD-Regress-ID: 9ae876a8ec4c4725f1e9820a0667360ee2398337
2024-03-26 18:54:14 +11:00
dtucker@openbsd.org
dbf2e319f0
upstream: Save error code from SSH for use inside case statement,
from portable. In some shells, "case" will reset the value of $?, so save it
first.

OpenBSD-Regress-ID: da32e5be19299cb4f0f7de7f29c11257a62d6949
2024-03-26 18:47:22 +11:00
dtucker@openbsd.org
d2c8c4fa7d
upstream: Increase timeout. Resyncs with portable where some of
the test VMs are slow enough for this to matter.

OpenBSD-Regress-ID: 6a83a693602eb0312f06a4ad2cd6f40d99d24b26
2024-03-26 18:46:58 +11:00
dtucker@openbsd.org
83621b6351
upstream: In PuTTY interop test, don't assume the PuTTY major
version is 0. Patch from cjwatson at debian.org via bz#3671.

OpenBSD-Regress-ID: 835ed03c1b04ad46be82e674495521f11b840191
2024-03-26 18:46:29 +11:00
Darren Tucker
8a421b9277
Really mkdir /usr/local/etc in CI tests. 2024-03-26 18:38:14 +11:00
Darren Tucker
2946ed522c
Better short name for OpenBSD upstream CI jobs too. 2024-03-26 17:19:09 +11:00
Darren Tucker
18dbe8eff6
Ensure /usr/local/etc exists before using in tests. 2024-03-26 17:13:52 +11:00
Darren Tucker
5fc1085128
Be more specific about when to rerun workflows. 2024-03-26 16:50:46 +11:00
Darren Tucker
5516923e8a
Add short names for test jobs on github CI. 2024-03-26 16:39:50 +11:00
Darren Tucker
dc37d2d247
If we're using xpg4's id, remember to pass args. 2024-03-26 16:26:14 +11:00
dtucker@openbsd.org
fe16948793
upstream: Import regenerated moduli.
OpenBSD-Commit-ID: ad3d1486d105b008c93e952d158e5af4d9d4c531
2024-03-26 13:03:00 +11:00
job@openbsd.org
151146f03b
upstream: Clarify how literal IPv6 addresses can be used in -J mode
OK djm@

OpenBSD-Commit-ID: 524ddae97746b3563ad4a887dfd0a6e6ba114c50
2024-03-26 13:02:27 +11:00
Darren Tucker
0d5bdc87a6
Add Mac OS X 14 test targets. 2024-03-25 16:14:21 +11:00
Darren Tucker
2d7964a03e
Move xpg4 'id' handling into test-exec.sh.
Handle replacement of 'id' the same way as we do other Portable specific
replacements in test-exec.sh.  This brings percent.sh back into sync
with upstream.
2024-03-25 14:05:40 +11:00
Darren Tucker
75d1d49ed1
Update branches shown on ci-status to 9.7 and 9.6. 2024-03-25 10:38:03 +11:00
Darren Tucker
f9193f03db
Improve detection of -fzero-call-used-regs=used.
Should better detect problems with gcc 13 on m68k.  bz#3673 from Colin
Watson via bz#3673 and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110934

Signed-off-by: Darren Tucker <dtucker@dtucker.net>
2024-03-25 10:12:58 +11:00
Tess Gauthier
607df771b2
Delete contrib/win32/openssh/DockerFile () 2024-03-18 13:58:04 -04:00
Tess Gauthier
0d44bc9b49 fix merge conflict 2024-03-11 11:46:39 -04:00
Damien Miller
86bdd3853f
version number in README 2024-03-11 16:20:49 +11:00
Damien Miller
282721418e
crank RPM spec versions 2024-03-11 16:20:08 +11:00
djm@openbsd.org
3876a3bbd2
upstream: openssh-9.7
OpenBSD-Commit-ID: 618ececf58b8cdae016b149787af06240f7b0cbc
2024-03-11 16:19:44 +11:00
Darren Tucker
8fc109cc61
Test against current OpenSSL and LibreSSL releases.
Add LibreSSL 3.9.0, bump older branches to their respective current
releases.
2024-03-11 12:59:26 +11:00
Damien Miller
26b09b45fe
quote regexes used to test for algorithm support
Fixes test failures on Solaris 8 reported by Tom G. Christensen
2024-03-10 16:24:57 +11:00
djm@openbsd.org
a6a740a494
upstream: avoid logging in signal handler by converting mainloop to
ppoll() bz3670, reported by Ben Hamilton; ok dtucker@

OpenBSD-Commit-ID: e58f18042b86425405ca09e6e9d7dfa1df9f5f7f
2024-03-09 16:13:57 +11:00
djm@openbsd.org
cd82f7526e
upstream: skip more whitespace, fixes find-principals on
allowed_signers files with blank lines; reported by Wiktor Kwapisiewicz

OpenBSD-Commit-ID: b3a22a2afd753d70766f34bc7f309c03706b5298
2024-03-09 09:17:22 +11:00
dtucker@openbsd.org
2f9d2af5cb
upstream: Invoke ProxyCommand that uses stderr redirection via
$TEST_SHELL. Fixes test when run by a user whose login shell is tcsh.
Found by vinschen at redhat.com.

OpenBSD-Regress-ID: f68d79e7f00caa8d216ebe00ee5f0adbb944062a
2024-03-08 23:12:10 +11:00
Darren Tucker
9b3f0beb40
Prefer openssl binary from --with-ssl-dir directory.
Use openssl in the directory specified by --with-ssl-dir as long
as it's functional.  Reported by The Doctor.
2024-03-07 19:25:17 +11:00
djm@openbsd.org
c47e1c9c79
upstream: fix memory leak in mux proxy mode when requesting forwarding.
found by RASU JSC, reported by Maks Mishin in GHPR#467

OpenBSD-Commit-ID: 97d96a166b1ad4b8d229864a553e3e56d3116860
2024-03-06 14:03:28 +11:00
djm@openbsd.org
242742827f
upstream: wrap a few PKCS#11-specific bits in ENABLE_PKCS11
OpenBSD-Commit-ID: 463e4a69eef3426a43a2b922c4e7b2011885d923
2024-03-06 11:33:18 +11:00
Damien Miller
d52b650921
disable RSA tests when algorithm is not supported
Unbreaks "make test" when compiled --without-openssl.

Similar treatment to how we do DSA and ECDSA.
2024-03-06 11:31:36 +11:00
Damien Miller
668d270a6c
add a --without-retpoline configure option
discussed with deraadt and dtucker a while ago
2024-03-06 10:33:20 +11:00
Tess Gauthier
ed376e945e fix merge conflict 2024-03-04 12:13:33 -05:00
djm@openbsd.org
3deb501f86
upstream: fix leak of CanonicalizePermittedCNAMEs on error path;
spotted by Coverity (CID 438039)

OpenBSD-Commit-ID: 208839699939721f452a4418afc028a9f9d3d8af
2024-03-04 15:19:29 +11:00
djm@openbsd.org
65a44a8a4f
upstream: Separate parsing of string array options from applying them
to the active configuration. This fixes the config parser from erroneously
rejecting cases like:

AuthenticationMethods password
Match User ivy
 AuthenticationMethods any

bz3657 ok markus@

OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491
2024-03-04 14:46:46 +11:00
Darren Tucker
6886e1b1f5
Add nbsd10 test target. 2024-02-22 17:59:35 +11:00
Damien Miller
d86bf8a3f6
more descriptive configure test name 2024-02-22 12:06:10 +11:00
djm@openbsd.org
9ee335aacc
upstream: explain arguments of internal-sftp GHPR#454 from Niklas
Hambüchen

OpenBSD-Commit-ID: 0335d641ae6b5b6201b9ffd5dd06345ebbd0a3f3
2024-02-21 17:18:02 +11:00
djm@openbsd.org
d1164cb100
upstream: clarify permissions requirements for ChrootDirectory Part
of GHPR#454 from Niklas Hambüchen

OpenBSD-Commit-ID: d37bc8786317a11649c62ff5e2936441186ef7a0
2024-02-21 17:18:01 +11:00
djm@openbsd.org
d410e17d18
upstream: .Cm for a keyword. Part of GHPR#454 from Niklas Hambüchen
OpenBSD-Commit-ID: d59c52559f926fa82859035d79749fbb4a3ce18a
2024-02-21 17:18:01 +11:00
djm@openbsd.org
ab73f9678e
upstream: fix typo in match directive predicate (s/tagged/tag) GHPR#462
from Tobias Manske

OpenBSD-Commit-ID: 05b23b772677d48aa82eefd7ebebd369ae758908
2024-02-21 17:01:37 +11:00
djm@openbsd.org
9844aa2521
upstream: fix proxy multiplexing mode, broken when keystroke timing
obfuscation was added. GHPR#463 from montag451

OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
2024-02-21 16:58:02 +11:00
Tess Gauthier
c02b47e35d Merge remote-tracking branch 'upstream-openssh-portable/master' into sync-with-upstream-2 2024-02-20 11:50:49 -05:00
djm@openbsd.org
ee6d932acb
upstream: don't append a gratuitous space to the end of subsystem
arguments; bz3667

OpenBSD-Commit-ID: e11023aeb3f30b77a674e37b8292c862926d5dc6
2024-02-20 15:10:55 +11:00
dtucker@openbsd.org
e27f032aa8
upstream: Always define puttysetup function.
OpenBSD-Regress-ID: b4c0ccfa4006a1bc5dfd99ccf21c854d3ce2aee0
2024-02-19 20:35:31 +11:00
dtucker@openbsd.org
84046f9991
upstream: Expand PuTTY test coverage.
Expand the set of ciphers, MACs and KEX methods in the PuTTY interop
tests.

OpenBSD-Regress-ID: dd28d97d48efe7329a396d0d505ee2907bf7fc57
2024-02-19 18:49:00 +11:00
dtucker@openbsd.org
bbf541ee2a
upstream: Factor out PuTTY setup.
Factor out PuTTY and call only when needed.

This allows us to avoid PuTTY key setup when it's not needed, which
speeds up the overall test run by a couple of percent.

OpenBSD-Regress-ID: c25eaccc3c91bc874400f7c85ce40e9032358c1c
2024-02-19 18:48:26 +11:00
naddy@openbsd.org
d31c21c57f
upstream: clean sshd random relinking kit; ok miod@
OpenBSD-Commit-ID: 509bb19bb9762a4b3b589af98bac2e730541b6d4
2024-02-19 18:41:19 +11:00
djm@openbsd.org
4dbc5a363f
upstream: whitespace
OpenBSD-Commit-ID: b24680bc755b621ea801ff8edf6f0f02b68edae1
2024-02-19 18:40:09 +11:00
Darren Tucker
efde85dda2
Improve error message for OpenSSL header check.
bz#3668, ok djm@
2024-02-19 17:29:31 +11:00
Tess Gauthier
915c6e367c Merge remote-tracking branch 'upstream-openssh-portable/master' into sync-with-upstream-2 2024-02-12 18:28:02 -05:00
Marc-André Moreau
5622b51825
fix freezero duplicate symbol ()
Co-authored-by: Marc-André Moreau <mamoreau@devolutions.net>
2024-02-12 18:26:32 -05:00
Marc-André Moreau
727d4dbac0
fix resource.h file encoding ()
Co-authored-by: Marc-André Moreau <mamoreau@devolutions.net>
2024-02-12 18:18:08 -05:00
Darren Tucker
cbbdf868bc
Interop test against PuTTY snapshot and releases. 2024-02-07 23:10:34 +11:00
Darren Tucker
91898bf786
Put privsep dir on OS X on /usr/local.
On some runners we can't create /var/empty, so put it some place we can
write.  Should fix test breakage on Mac OS X 11.
2024-02-06 16:37:07 +11:00
Darren Tucker
be5ed8ebed
Add --disable-fd-passing option.
.. and enable for the minix3 test VM.  This will cause it to more reliably
skip tests that need FD passing and should fix the current test breakage.
2024-02-06 11:22:20 +11:00
Darren Tucker
0f6a8a0d0a
Use "skip" function instead of doing it ourselves. 2024-02-06 11:18:44 +11:00
tgauth@bu.edu
e4dbee4f11 Merge remote-tracking branch 'upstream-openssh-portable/master' into sync-with-upstream-2 2024-02-05 12:12:38 -05:00
Damien Miller
3ad669f81a
ignore some vim droppings 2024-02-01 14:01:18 +11:00
djm@openbsd.org
c283f29d23
upstream: whitespace
OpenBSD-Commit-ID: bf9e4a1049562ee4322684fbdce07142f04fdbb7
2024-02-01 13:42:45 +11:00
tgauth@bu.edu
9015aa2eca add WITH_DSA flag to compilation options 2024-01-22 14:16:56 -05:00
tgauth@bu.edu
afd613528f skip bash tests that use multiplexing on Windows with explicit if 2024-01-22 13:07:57 -05:00
tgauth@bu.edu
0c166db115 Merge remote-tracking branch 'upstream-pwsh-openssh-portable/latestw_all' into sync-with-upstream-2 2024-01-22 13:07:05 -05:00
Tess Gauthier
6ad8fc3b05
Merge pull request from tgauth/sync-with-upstream
Sync with upstream 9.6
2024-01-22 12:40:26 -05:00
tgauth@bu.edu
83b59226a4 Merge remote-tracking branch 'upstrem-bsd/master' into sync-with-upstream-2 2024-01-22 11:09:08 -05:00
Damien Miller
0d96b1506b
skip tests that use multiplexing on Windows
Some tests here use multiplexing, skip these if DISABLE_FD_PASSING
is set. Should unbreak tests on Windows.
2024-01-16 14:40:18 +11:00
djm@openbsd.org
50080fa42f
upstream: don't disable RSA test when DSA is disabled; bug introduced
in last commit

OpenBSD-Regress-ID: 8780a7250bf742b33010e9336359a1c516f2d7b5
2024-01-11 15:56:37 +11:00
djm@openbsd.org
415c94ce17
upstream: make DSA testing optional, defaulting to on
ok markus

OpenBSD-Regress-ID: dfc27b5574e3f19dc4043395594cea5f90b8572a
2024-01-11 15:55:19 +11:00
djm@openbsd.org
f9311e8921
upstream: ensure key_fd is filled when DSA is disabled; spotted by
tb@

OpenBSD-Commit-ID: 9dd417b6eec3cf67e870f147464a8d93f076dce7
2024-01-11 15:46:22 +11:00
djm@openbsd.org
4e838120a7
upstream: make DSA key support compile-time optional, defaulting to
on

ok markus@

OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d
2024-01-11 15:46:22 +11:00
jmc@openbsd.org
afcc9028bf
upstream: fix incorrect capitalisation;
OpenBSD-Commit-ID: cb07eb06e15fa2334660ac73e98f29b6a1931984
2024-01-11 14:20:29 +11:00
djm@openbsd.org
9707c8170c
upstream: extend ChannelTimeout regression test to exercise multiplexed
connections and the new "global" timeout type. ok dtucker@

OpenBSD-Regress-ID: f10d19f697024e9941acad7c2057f73d6eacb8a2
2024-01-10 09:25:04 +11:00
djm@openbsd.org
b31b12d28d
upstream: add a "global" ChannelTimeout type to ssh(1) and sshd(8)
that watches all open channels and will close all open channels if there is
no traffic on any of them for the specified interval. This is in addition to
the existing per-channel timeouts added a few releases ago.

This supports use-cases like having a session + x11 forwarding channel
open where one may be idle for an extended period but the other is
actively used. The global timeout would allow closing both channels when
both have been idle for too long.

ok dtucker@

OpenBSD-Commit-ID: 0054157d24d2eaa5dc1a9a9859afefc13d1d7eb3
2024-01-10 09:24:53 +11:00
djm@openbsd.org
602f4beeed
upstream: adapt ssh_api.c code for kex-strict
from markus@ ok me

OpenBSD-Commit-ID: 4d9f256852af2a5b882b12cae9447f8f00f933ac
2024-01-10 09:24:06 +11:00
tgauth@bu.edu
9142077e39 fix merge conflicts 2024-01-08 16:05:29 -05:00
tgauth@bu.edu
b39454951f fix failing bash test 2024-01-08 16:00:54 -05:00
Damien Miller
42ba34aba8
note that recent OSX tun/tap is unsupported 2024-01-08 16:26:37 +11:00
Sevan Janiyan
690bc125f9
README.platform: update tuntap url 2024-01-08 16:24:43 +11:00
Rose
6b8be2ccd7
Fix compilation error in ssh-pkcs11-client.c
Compilation fails because of an undefined reference to helper_by_ec,
because we forgot the preprocessor conditional that excludes that function
from being called in unsupported configurations.
2024-01-08 16:23:19 +11:00
djm@openbsd.org
219c813415
upstream: Remove outdated note from PROTOCOL.mux
Port forward close by control master is already implemented
by `mux_master_process_close_fwd` in `mux.c`

GHPR442 from bigb4ng

OpenBSD-Commit-ID: ad0734fe5916d2dc7dd02b588906cea4df0482fb
2024-01-08 16:12:17 +11:00
djm@openbsd.org
4c3cf36263
upstream: fix missing field in users-groups-by-id@openssh.com reply
documentation

GHPR441 from TJ Saunders

OpenBSD-Commit-ID: ff5733ff6ef4cd24e0758ebeed557aa91184c674
2024-01-08 16:06:29 +11:00
djm@openbsd.org
f64cede2a3
upstream: make kex-strict section more explicit about its intent:
banning all messages not strictly required in KEX

OpenBSD-Commit-ID: fc33a2d7f3b7013a7fb7500bdbaa8254ebc88116
2024-01-08 16:06:28 +11:00
Damien Miller
698fe6fd61
update fuzzer example makefile to clang16 2024-01-08 14:46:19 +11:00
Damien Miller
fc332cb2d6
unbreak fuzzers - missing pkcs11_make_cert()
provide stub for use in fuzzer harness
2024-01-08 14:45:49 +11:00
Damien Miller
9ea0a4524a
unbreak fuzzers for clang16
getopt() needs a throw() attribute to compile, so supply one when compiling
things with C++
2024-01-08 14:45:14 +11:00
djm@openbsd.org
a72833d007
upstream: remove ext-info-* in the kex.c code, not in callers;
with/ok markus@

OpenBSD-Commit-ID: c06fe2d3a0605c517ff7d65e38ec7b2d1b0b2799
2024-01-08 13:26:43 +11:00
djm@openbsd.org
86f9e96d9b
upstream: fix typo; spotted by Albert Chin
OpenBSD-Commit-ID: 77140b520a43375b886e535eb8bd842a268f9368
2024-01-08 13:26:42 +11:00
dtucker@openbsd.org
f0cbd26ec9
upstream: Import regenerated moduli.
OpenBSD-Commit-ID: 5a636f6ca7f25bfe775df4952f7aac90a7fcbbee
2024-01-08 13:26:29 +11:00
jsg@openbsd.org
64ddf77653
upstream: spelling; ok markus@
OpenBSD-Commit-ID: 9d01f2e9d59a999d5d42fc3b3efcf8dfb892e31b
2024-01-08 13:25:21 +11:00
jmc@openbsd.org
503fbe9ea2
upstream: sort -C, and add to usage(); ok djm
OpenBSD-Commit-ID: 80141b2a5d60c8593e3c65ca3c53c431262c812f
2024-01-08 13:25:20 +11:00
djm@openbsd.org
5413b1c7ff
upstream: correct section numbers; from Ed Maste
OpenBSD-Commit-ID: e289576ee5651528404cb2fb68945556052cf83f
2024-01-08 13:25:20 +11:00
djm@openbsd.org
430ef86464
upstream: match flag type (s/int/u_int)
OpenBSD-Commit-ID: 9422289747c35ccb7b31d0e1888ccd5e74ad566a
2024-01-08 13:25:19 +11:00
Damien Miller
1036d77b34
better detection of broken -fzero-call-used-regs
gcc 13.2.0 on ppc64le refuses to compile some function, including
cipher.c:compression_alg_list() with an error:

> sorry, unimplemented: argument ‘used’ is not supported
> for ‘-fzero-call-used-regs’ on this target

This extends the autoconf will-it-work test with a similarly-
structured function that seems to catch this.

Spotted/tested by Colin Watson; bz3645
2023-12-22 17:56:26 +11:00
Tess Gauthier
e98172c2eb update ssh-add where imaginary i GNU syntax is used 2023-12-19 20:46:01 -05:00
Tess Gauthier
aeb3bbe81d resolve merge conflict 2023-12-19 20:33:17 -05:00
Damien Miller
8241b9c052
crank versions 2023-12-19 01:59:50 +11:00
Damien Miller
2f2c65cb5f
depend 2023-12-19 01:59:06 +11:00
djm@openbsd.org
e48cdee8e1
upstream: regress test for agent PKCS#11-backed certificates
OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
2023-12-19 01:57:37 +11:00
djm@openbsd.org
2f512f862d
upstream: regress test for constrained PKCS#11 keys
OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
2023-12-19 01:57:16 +11:00
djm@openbsd.org
cdddd66412
upstream: openssh-9.6
OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
2023-12-19 01:53:47 +11:00
djm@openbsd.org
6d51feab15
upstream: ssh-agent: record failed session-bind attempts
Record failed attempts to session-bind a connection and refuse signing
operations on that connection henceforth.

Prevents a future situation where we add a new hostkey type that is not
recognised by an older ssh-agent, that consequently causes session-bind
to fail (this situation is only likely to arise when people mix ssh(1)
and ssh-agent(1) of different versions on the same host). Previously,
after such a failure the agent socket would be considered unbound and
not subject to restriction.

Spotted by Jann Horn

OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
2023-12-19 01:53:40 +11:00
djm@openbsd.org
7ef3787c84
upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.

Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.

It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.

To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.

feedback/ok millert@ markus@ dtucker@ deraadt@

OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
2023-12-19 01:53:40 +11:00
djm@openbsd.org
0cb50eefdd
upstream: stricter handling of channel window limits
This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.

ok markus@

OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
2023-12-19 01:52:55 +11:00
djm@openbsd.org
4448a2938a
upstream: Make it possible to load certs from PKCS#11 tokens
Adds a protocol extension to allow grafting certificates supplied by
ssh-add to keys loaded from PKCS#11 tokens in the agent.

feedback/ok markus@

OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
2023-12-19 01:52:55 +11:00
djm@openbsd.org
881d9c6af9
upstream: apply destination constraints to all p11 keys
Previously applied only to the first key returned from each token.

ok markus@

OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
2023-12-19 01:51:46 +11:00
djm@openbsd.org
a7ed931cae
upstream: add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.

This lets sshd update the acceptable signature algorithms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.

Full details in the PROTOCOL file

OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
2023-12-19 01:51:46 +11:00
djm@openbsd.org
1edb00c58f
upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particularly in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@

OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
2023-12-19 01:51:11 +11:00
Damien Miller
59d691b886
better detection of broken -fzero-call-used-regs
Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend
test program to exercise varargs, which seems to catch more stuff.

ok dtucker@
2023-12-18 14:49:11 +11:00
djm@openbsd.org
aa7b217085
upstream: when invoking KnownHostsCommand to determine the order of
host key algorithms to request, ensure that the hostname passed to the
command is decorated with the port number for ports other than 22.

This matches the behaviour of KnownHostsCommand when invoked to look
up the actual host key.

bz3643, ok dtucker@

OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
2023-12-13 14:33:50 +11:00
markus@openbsd.org
4086bd6652
upstream: prevent leak in sshsig_match_principals; ok djm@
OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
2023-12-13 14:33:50 +11:00
djm@openbsd.org
19d3ee2f3a
upstream: short circuit debug log processing early if we're not going
to log anything. From Kobe Housen

OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
2023-12-07 08:09:11 +11:00
Darren Tucker
947affad48
Add tests for OpenSSL 3.2.0 and 3.2 stable branch. 2023-11-27 09:37:28 +11:00
Darren Tucker
747dce3620
Use non-zero arg in compiler test program.
Now that we're running the test program, passing zero to the test function
can cause divide-by-zero exceptions which might show up in logs.
2023-11-25 09:03:38 +11:00
dtucker@openbsd.org
3d44a5c565
upstream: Plug mem leak of msg when processing a quit message.
Coverity CID#427852, ok djm@

OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
2023-11-24 12:01:34 +11:00
dtucker@openbsd.org
1d7f9b6e29
upstream: Include existing mux path in debug message.
OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
2023-11-24 12:01:31 +11:00
Darren Tucker
f29934066b
Add an Ubuntu 22.04 test VM.
This is the same version as Github's runners so most of the testing on
it is over there, but having a local VM makes debugging much easier.
2023-11-23 19:41:27 +11:00
Darren Tucker
a93284a780
Add gcc-12 -Werror test on Ubuntu 22.04.
Explicitly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
2023-11-23 19:36:22 +11:00
Darren Tucker
670f5a647e
Check return value from write to prevent warning.
... and since we're testing for flags with -Werror, this caused
configure to mis-detect compiler flags.
2023-11-23 19:34:57 +11:00
Darren Tucker
cea007d691
Run compiler test program when compiling natively.
ok djm@
2023-11-23 14:40:51 +11:00
Darren Tucker
ee0d305828
Factor out compiler test program into a macro.
ok djm@
2023-11-23 14:40:48 +11:00
Darren Tucker
de304c7631
Add fbsd14 VM to test pool. 2023-11-22 08:55:36 +11:00
Darren Tucker
99a2df5e19
Expand -fzero-call-used-regs test to cover gcc 11.
It turns out that gcc also has some problems with -fzero-call-used-regs,
at least v11 on mips.  Previously the test in OSSH_CHECK_CFLAG_COMPILE
was sufficient to catch it with "=all", but not sufficient for "=used".
Expand the testcase and include it in the other tests for good measure.
See bz#3629.  ok djm@.
2023-11-21 16:24:17 +11:00
Darren Tucker
ff220d4010
Stop using -fzero-call-used-regs=all
... since it seems to be problematic with several different versions of
clang.  Only use -fzero-call-used-regs=used which is less
problematic, except with Apple's clang where we don't use it at all.
bz#3629, ok djm@
2023-11-21 14:04:34 +11:00
Darren Tucker
2a19e02f36
Allow for vendor prefix on clang version numbers.
Correctly detects the version of OpenBSD's native clang, as well as
Apple's.  Spotted tb@, ok djm@.
2023-11-21 14:02:18 +11:00
djm@openbsd.org
c52db01148
upstream: set errno=EAFNOSUPPORT when filtering addresses that don't
match AddressFamily; yields slightly better error message if no address
matches. bz#3526

OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
2023-11-20 13:51:15 +11:00
djm@openbsd.org
26f3f3bbc6
upstream: when connecting via socket (the default case), filter
addresses by AddressFamily if one was specified. Fixes the case where, if
CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
dtucker

OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
2023-11-16 10:05:32 +11:00
djm@openbsd.org
050c335c8d
upstream: when deciding whether to enable keystroke timing
obfuscation, only consider enabling it when a channel with a tty is open.

Avoids turning on the obfuscation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh

OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
2023-11-16 09:53:42 +11:00
tobhe@openbsd.org
676377ce67
upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
was initialized. This fixes a potential uninitialized use of 'limits' in
sftp_init() if sftp_get_limits() returned early because of an unexpected
message type.

ok djm@

OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
2023-11-16 09:53:42 +11:00
Darren Tucker
64e0600f23
Test current releases of LibreSSL and OpenSSL.
Retire some of the older releases.
2023-11-13 20:03:31 +11:00
dtucker@openbsd.org
c8ed7cc545
upstream: Specify ssh binary to use
... instead of relying on installed one.  Fixes test failures in -portable
when running tests prior to installation.

OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
2023-11-01 13:55:45 +11:00
Darren Tucker
e9fc2c4812
Put long-running test targets on hipri runners.
Some of the selfhosted test targets take a long time to run for various
reasons, so label them for "libvirt-hipri" runners so that they can
start immediately.  This should reduce the time to complete all tests.
2023-11-01 13:11:31 +11:00
djm@openbsd.org
7ddf27668f
upstream: add some tests of forced commands overriding Subsystem
directives

OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
2023-11-01 11:39:55 +11:00
dtucker@openbsd.org
fb06f9b5a0
upstream: Don't try to use sudo inside sshd log wrapper.
We still need to check if we're using sudo since we don't want to chown
unnecessarily, as on some platforms this causes an error which pollutes
stderr. We also don't want to unnecessarily invoke sudo, since it's
running in the context of the proxycommand, on *other* platforms it
may not be able to authenticate, and if we're using SUDO then it should
already be privileged.

OpenBSD-Regress-ID: 70d58df7503db699de579a9479300e5f3735f4ee
2023-10-31 15:35:53 +11:00
dtucker@openbsd.org
fc3cc33e88
upstream: Only try to chmod logfile if we have sudo. If we don't have
sudo then we won't need to chmod.

OpenBSD-Regress-ID: dbad2f5ece839658ef8af3376cb1fb1cabe2e324
2023-10-31 14:01:25 +11:00
djm@openbsd.org
3a506598fd
upstream: move PKCS#11 setup code to test-exec.sh so it can be reused
elsewhere

OpenBSD-Regress-ID: 1d29e6be40f994419795d9e660a8d07f538f0acb
2023-10-31 10:04:32 +11:00
djm@openbsd.org
f82fa227a5
upstream: tidy and refactor PKCS#11 setup code
Replace the use of a perl script to delete the controlling TTY with a
SSH_ASKPASS script to directly load the PIN.

Move PKCS#11 setup code to functions in anticipation of it being used
elsewhere in additional tests.

Reduce stdout spam

OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
2023-10-31 04:36:27 +11:00
Darren Tucker
3cf698c6d4
Add obsd74 test VM and retire obsd69 and obsd70. 2023-10-30 21:35:03 +11:00
Darren Tucker
3e21d58a09
Add OpenSSL 3.3.0 as a known dev version. 2023-10-30 18:34:12 +11:00
Darren Tucker
917ba181c2
Restore nopasswd sudo rule on Mac OS X.
This seems to be missing from some (but not all) github runners, so
restore it if it seems to be missing.
2023-10-30 16:13:04 +11:00
Darren Tucker
c5698abad6
Don't exit early when setting up on Mac OS X.
We probably need some of the other bits in there (specifically, setting
the perms on the home directory) so make it less of a special snowflake.
2023-10-30 13:54:00 +11:00
dtucker@openbsd.org
1d6a878ceb
upstream: Only try to chown logfiles that exist to prevent spurious
errors.

OpenBSD-Regress-ID: f1b20a476734e885078c481f1324c9ea03af991e
2023-10-29 17:33:18 +11:00
anton@openbsd.org
e612376427
upstream: make use of bsd.regress.mk in extra and interop targets; ok
dtucker@

OpenBSD-Regress-ID: 7ea21b5f6fc4506165093b2123d88d20ff13a4f0
2023-10-29 17:32:47 +11:00
dtucker@openbsd.org
ea00391739
upstream: Skip conch interop tests when not enabled instead of fatal.
OpenBSD-Regress-ID: b0abf81c24ac6c21f367233663228ba16fa96a46
2023-10-27 00:02:26 +11:00
dtucker@openbsd.org
d220b9ed54
upstream: Import regenerated moduli.
OpenBSD-Commit-ID: 95f5dd6107e8902b87dc5b005ef2b53f1ff378b8
2023-10-26 23:46:03 +11:00
anton@openbsd.org
a611e4db40
upstream: ssh conch interop tests require a controlling terminal;
ok dtucker@

OpenBSD-Regress-ID: cbf2701bc347c2f19d907f113779c666f1ecae4a
2023-10-26 23:44:53 +11:00
anton@openbsd.org
da951b5e08
upstream: Use private key that is allowed by sshd defaults in conch
interop tests.

ok dtucker@

OpenBSD-Regress-ID: 3b7f65c8f409c328bcd4b704f60cb3d31746f045
2023-10-26 23:34:29 +11:00
Darren Tucker
1ca166dbb3
Install Dropbear for interop testing. 2023-10-20 20:43:00 +11:00
Darren Tucker
f993bb5835
Resync PuTTY and Conch path handling with upstream.
Now that configure finds these for us we can remove these -portable
specific changes.
2023-10-20 20:39:03 +11:00
Darren Tucker
ff85becd5f
Have configure find PuTTY and Conch binaries.
This will let us remove some -portable specific changes from
test-exec.sh.
2023-10-20 20:35:46 +11:00
dtucker@openbsd.org
c54a50359b
upstream: Allow overriding the locations of the Dropbear binaries
similar to what we do for the PuTTY ones.

OpenBSD-Regress-ID: 7de0e00518fb0c8fdc5f243b7f82f523c936049c
2023-10-20 20:28:20 +11:00
dtucker@openbsd.org
fbaa707d45
upstream: Add interop test with Dropbear.
Right now this is only dbclient not the Dropbear server since it won't
currently run as a ProxyCommand.

OpenBSD-Regress-ID: 8cb898c414fcdb252ca6328896b0687acdaee496
2023-10-20 18:35:32 +11:00
Fabio Pedretti
c2003d0dbd
Update openssl-devel dependency in RPM spec.
Since openssh 9.4p1, openssl >= 1.1.1 is required, so
build with --without-openssl elsewhere.
According to https://repology.org/project/openssl/versions
openssl 1.1.1 is available on fedora >= 29 and rhel >= 8.
Successfully build tested, installed and run on rhel 6
2023-10-16 21:40:01 +11:00
Fabio Pedretti
064e09cd63
Remove reference of dropped sshd.pam.old file
The file was removed in openssh 8.8
2023-10-16 20:14:04 +11:00
dtucker@openbsd.org
62db354b69
upstream: Move declaration of "len" into the block where it's used.
This lets us compile Portable with -Werror when OpenSSL doesn't have
Ed25519 support.

OpenBSD-Commit-ID: e02e4b4af351946562a7caee905da60eff16ba29
2023-10-16 20:13:41 +11:00
Damien Miller
6eee8c972d
run t-extra regress tests
This exposes the t-extra regress tests (including agent-pkcs11.sh) as
a new extra-tests target in the top level Makefile and runs them by
default. ok dtucker@
2023-10-13 15:15:05 +11:00
Darren Tucker
637624dbba
Don't use make -j2.
While we have 2 cores available on github runners, not using it means
that the most recent log message is the actual failure, rather than
having to search back through the log for it.
2023-10-12 22:01:23 +11:00
Darren Tucker
971e0cfcfd
Correct arg order for ED25519 AC_LINK_IFELSE test. 2023-10-12 16:23:05 +11:00
djm@openbsd.org
c616e64688
upstream: typos and extra debug trace calls
OpenBSD-Regress-ID: 98a2a6b9333743274359e3c0f0e65cf919a591d1
2023-10-12 14:52:46 +11:00
djm@openbsd.org
c49a3fbf10
upstream: ensure logs are owned by correct user; feedback/ok
dtucker@

OpenBSD-Regress-ID: c3297af8f07717f1d400a5d34529962f1a76b5a3
2023-10-12 14:52:45 +11:00
djm@openbsd.org
5ec0ed79ac
upstream: 64 %-expansion keys ought to be enough for anybody; ok
dtucker (we just hit the previous limit in some cases)

OpenBSD-Commit-ID: 84070f8001ec22ff5d669f836b62f206e08c5787
2023-10-12 14:37:52 +11:00
djm@openbsd.org
f59a94e22e
upstream: don't dereference NULL pointer when hashing jumphost
OpenBSD-Commit-ID: 251c0263e1759a921341c7efe7f1d4c73e1c70f4
2023-10-12 13:58:19 +11:00
Damien Miller
281c79168e
Solaris: prefer PRIV_XPOLICY to PRIV_LIMIT
If the system supports PRIV_XPOLICY and one is set, then don't
modify PRIV_LIMIT. bz2833, patch from Ron Jordan, ok dtucker@
2023-10-12 13:20:01 +11:00
djm@openbsd.org
98fc34df83
upstream: add %j token that expands to the configured ProxyJump
hostname (or the empty string if this option is not being used). bz3610, ok
dtucker

OpenBSD-Commit-ID: ce9983f7efe6a178db90dc5c1698df025df5e339
2023-10-12 13:19:41 +11:00
djm@openbsd.org
7f3180be8a
upstream: release GSS OIDs only at end of authentication; bz2982,
ok dtucker@

OpenBSD-Commit-ID: 0daa41e0525ae63cae4483519ecaa37ac485d94c
2023-10-12 13:19:41 +11:00
djm@openbsd.org
a612b93de5
upstream: mask SIGINT/TERM/QUIT/HUP before checking quit_pending
and use ppoll() to unmask them in the mainloop. Avoids race condition between
signaling ssh to exit and polling. bz3531; ok dtucker

OpenBSD-Commit-ID: 5c14e1aabcddedb95cdf972283d9c0d5083229e7
2023-10-12 13:19:40 +11:00
djm@openbsd.org
531b27a006
upstream: sync usage() with ssh.1; spotted by kn@
OpenBSD-Commit-ID: 191a85639477dcb5fa1616d270d93b7c8d5c1dfd
2023-10-12 13:19:40 +11:00
djm@openbsd.org
64f7ca881b
upstream: ssh -Q does not make sense with other command-line options,
so give it its own line in the manpage

OpenBSD-Commit-ID: 00a747f0655c12122bbb77c2796be0013c105361
2023-10-12 10:15:47 +11:00
djm@openbsd.org
a752a6c0e1
upstream: add ChannelTimeout support to the client, mirroring the
same option in the server. ok markus@

OpenBSD-Commit-ID: 55630b26f390ac063980cfe7ad8c54b03284ef02
2023-10-12 10:00:13 +11:00
djm@openbsd.org
76e91e7238
upstream: add support for reading ED25519 private keys in PEM PKCS8
format; ok markus@ tb@

OpenBSD-Commit-ID: 01b85c91757e6b057e9b23b8a23f96415c3c7174
2023-10-12 09:59:44 +11:00
djm@openbsd.org
fc77c8e352
upstream: mention "none" is a valid argument to IdentityFile; bz3080
OpenBSD-Commit-ID: 1b4fb590ef731099349a7d468b77f02b240ac926
2023-10-11 17:41:52 +11:00
djm@openbsd.org
c97520d23d
upstream: in olde rcp/scp protocol mode, when rejecting a path from the
server as not matching the glob that the client sent, log (at debug level)
the received pathname as well as the list of possible expected paths expanded
from the glob. bz2966

OpenBSD-Commit-ID: 0bd8db8a595334ca86bca8f36e23fc0395315765
2023-10-11 16:44:40 +11:00
djm@openbsd.org
208c2b7198
upstream: s/%.100s/%s/ in SSH- banner construction as there's no
reason to limit its size: the version string being included is a compile time
constant going into an allocated banner string.

OpenBSD-Commit-ID: 0ef73304b9bf3e534c60900cd84ab699f859ebcd
2023-10-11 15:57:09 +11:00
tb@openbsd.org
0354790826
upstream: Garbage collect cipher_get_keyiv_len()
This is a compat20 leftover, unused since 2017.

ok djm

OpenBSD-Commit-ID: 91fa5497c9dc6883064624ac27813a567883fdce
2023-10-11 15:57:08 +11:00
djm@openbsd.org
8d29ee4115
upstream: Reserve a range of "local extension" message numbers that
OpenSSH promises not to use (comment change only)

OpenBSD-Commit-ID: e61795b453d4892d2c99ce1039112c4a00250e03
2023-10-10 14:58:55 +11:00
djm@openbsd.org
90b0d73d63
upstream: typo in error message
OpenBSD-Regress-ID: 6a8edf0dc39941298e3780b147b10c0a600b4fee
2023-10-06 14:33:37 +11:00
djm@openbsd.org
e84517f515
upstream: Perform the softhsm2 setup as discrete steps rather than
as a long shell pipeline. Makes it easier to figure out what has happened
when it breaks.

OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c
2023-10-06 14:31:20 +11:00
claudio@openbsd.org
cb54becff4
upstream: REGRESS_FAIL_EARLY defaults to yes now. So no need to
overload the value here anymore. OK tb@ bluhm@

OpenBSD-Regress-ID: f063330f1bebbcd373100afccebc91a965b14496
2023-10-06 14:31:13 +11:00
jmc@openbsd.org
f01f5137ce
upstream: spelling fix;
OpenBSD-Commit-ID: 493f95121567e5ab0d9dd1150f873b5535ca0195
2023-10-06 14:30:35 +11:00
234 changed files with 55712 additions and 4754 deletions

@ -10,13 +10,6 @@ pr:
include:
- latestw_all
resources:
repositories:
- repository: ComplianceRepo
type: github
endpoint: ComplianceGHRepo
name: PowerShell/compliance
stages:
- stage: Build
displayName: Build Win32-OpenSSH
@ -88,36 +81,6 @@ stages:
Write-Host "##vso[artifact.upload containerfolder=$artifactName;artifactname=$artifactName;]$configFilePath"
displayName: Upload Win32-OpenSSH build artifacts
- stage: Compliance
displayName: Compliance
dependsOn: Build
jobs:
- job: ComplianceJob
pool:
vmImage: windows-latest
steps:
- checkout: self
clean: true
- checkout: ComplianceRepo
clean: true
- download: current
artifact: 'Win32-OpenSSH'
- template: ci-compliance.yml@ComplianceRepo
parameters:
# credscan
suppressionsFile: ''
# Documentation: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/security-analysis-report-build-task
- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2
continueOnError: true
displayName: 'Guardian Export'
inputs:
GdnExportVstsConsole: true
GdnExportSarifFile: true
GdnExportHtmlFile: true
GdnExportAllTools: false
GdnExportGdnToolCredScan: true
#this didn't do anything GdnExportCustomLogsFolder: '$(Build.ArtifactStagingDirectory)/Guardian'
- stage: Test
displayName: Test Win32-OpenSSH
dependsOn: Build
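Review bot: the hunk header (36 lines before, 6 after) shows the entire Compliance stage being dropped from this pipeline, including the credscan template (ci-compliance.yml@ComplianceRepo) and the Guardian SdtReport export, while the Test stage that follows depends only on Build. If credential scanning has moved to another pipeline, leave a comment at the Build stage naming it so the gap is visible to the next reader; otherwise keep a credscan step in this file, since after this change nothing here scans the checked-out tree for secrets before artifacts are uploaded.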
@ -126,6 +89,8 @@ stages:
pool:
vmImage: windows-latest
displayName: Win32-OpenSSH On Windows
variables:
testFilesDrivePath: '**'
steps:
- powershell: |
$powerShellPath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'powershell'
@ -201,6 +166,17 @@ stages:
Invoke-OpenSSHTests -OpenSSHBinPath "$env:SystemDrive/OpenSSH"
displayName: Run tests
- pwsh: |
Write-Host "##vso[task.setvariable variable=testFilesDrivePath;]$env:SystemDrive"
displayName: Set variable
- task: PublishTestResults@2
inputs:
testResultsFormat: 'NUnit'
testResultsFiles: '$(testFilesDrivePath)/OpenSSHTests/*.xml'
failTaskOnFailedTests: true
condition: always()
- pwsh: |
Import-Module -Name "$(Build.SourcesDirectory)/contrib/win32/openssh/AzDOBuildTools" -Force
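Review bot: the "Set variable" step that overrides the '**' default of testFilesDrivePath with $env:SystemDrive runs after "Run tests" with the default step condition, so if the test step fails it is skipped, and PublishTestResults@2 (condition: always()) falls back to a recursive '**/OpenSSHTests/*.xml' search under the default search folder rather than the system drive where the results are written. Set the variable before the tests run (the value is known from $env:SystemDrive already), or give the "Set variable" step its own condition: always(), so the failing case that failTaskOnFailedTests: true is meant to surface still gets its result files published.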
#

22
.depend

@ -23,12 +23,14 @@ auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com
auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h
auth2-hostbased.o: monitor_wrap.h pathnames.h match.h
auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h log.h ssherr.h misc.h servconf.h
auth2-methods.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h misc.h servconf.h openbsd-compat/sys-queue.h xmalloc.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h misc.h servconf.h ssh2.h monitor_wrap.h
auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h
auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h
auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h
auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h kex.h
auth2.o: mac.h crypto_api.h
authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h log.h ssherr.h atomicio.h misc.h
authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h ssherr.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h krl.h
bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h
@ -59,6 +61,7 @@ gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp
hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h
hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h ssherr.h misc.h pathnames.h digest.h hmac.h sshbuf.h
kex-names.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h kex.h mac.h crypto_api.h log.h ssherr.h match.h digest.h misc.h xmalloc.h
kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h ssh2.h atomicio.h version.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h log.h ssherr.h
kex.o: match.h misc.h monitor.h myproposal.h sshbuf.h digest.h xmalloc.h
kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h ssh2.h
@ -81,12 +84,13 @@ monitor.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api
monitor.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h openbsd-compat/openssl-compat.h atomicio.h xmalloc.h ssh.h sshkey.h sshbuf.h hostfile.h auth.h auth-pam.h audit.h loginrec.h cipher.h cipher-chachapoly.h
monitor_fdpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h monitor_fdpass.h
monitor_wrap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h
monitor_wrap.o: loginrec.h auth-options.h packet.h dispatch.h log.h ssherr.h monitor.h monitor_wrap.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h
monitor_wrap.o: loginrec.h auth-options.h packet.h dispatch.h log.h ssherr.h monitor.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h monitor_wrap.h srclimit.h
msg.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h ssherr.h log.h atomicio.h msg.h misc.h
mux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h log.h ssherr.h ssh.h ssh2.h pathnames.h misc.h match.h sshbuf.h channels.h msg.h packet.h dispatch.h monitor_fdpass.h sshpty.h sshkey.h readconf.h clientloop.h
nchan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h ssh2.h sshbuf.h ssherr.h packet.h dispatch.h channels.h compat.h log.h
packet.o: channels.h ssh.h packet.h dispatch.h sshbuf.h
packet.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h compat.h ssh2.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h digest.h log.h ssherr.h canohost.h misc.h
platform-listen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h misc.h
platform-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
platform-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
platform-tracing.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h
@ -122,7 +126,7 @@ sftp-usergroup.o: includes.h config.h defines.h platform.h openbsd-compat/openbs
sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-usergroup.h
sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h
srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h servconf.h openbsd-compat/sys-queue.h match.h
ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h hostfile.h
ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h myproposal.h
ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
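Review bot: the new srclimit.o line in this hunk spells the compat tree header as `./openbsd-compat/sys-tree.h` while the other compat headers on the same line (`openbsd-compat/sys-queue.h` among them) carry no `./` prefix; monitor.o in the previous hunk and sshd.o further down show the same mixed form. Harmless for the build, since both spellings resolve to the same file, but it is worth normalising when `.depend` is regenerated (drop the `./` from the include search path or strip it from the generated output) so that one header appears under a single name and future regenerations diff cleanly.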
@ -145,19 +149,21 @@ ssh-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat
ssh-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h packet.h dispatch.h sshbuf.h channels.h
ssh.o: sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h ssherr.h misc.h readconf.h sshconnect.h kex.h mac.h crypto_api.h sshpty.h match.h msg.h version.h myproposal.h utf8.h
ssh_api.o: authfile.h misc.h version.h myproposal.h sshbuf.h openbsd-compat/openssl-compat.h
ssh_api.o: authfile.h dh.h misc.h version.h myproposal.h sshbuf.h openbsd-compat/openssl-compat.h
ssh_api.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh_api.h openbsd-compat/sys-queue.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h ssh.h ssh2.h packet.h dispatch.h compat.h log.h ssherr.h
sshbuf-getput-basic.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h
sshbuf-getput-crypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sshbuf-io.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h atomicio.h
sshbuf-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h
sshbuf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h misc.h
sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h sshkey.h sshconnect.h log.h ssherr.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h authfd.h
sshconnect.o: kex.h mac.h crypto_api.h
sshconnect.o: authfd.h kex.h mac.h crypto_api.h
sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h sshkey.h sshconnect.h log.h ssherr.h match.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h
sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h
sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h
sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h
sshd.o: poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h
sshd-session.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h
sshd-session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h
sshd.o: audit.h loginrec.h authfd.h msg.h version.h sk-api.h addr.h srclimit.h
sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshpty.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h digest.h sshkey.h authfile.h pathnames.h canohost.h hostfile.h auth.h auth-pam.h
ssherr.o: ssherr.h
sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh2.h ssherr.h misc.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h match.h ssh-sk.h openbsd-compat/openssl-compat.h
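Review bot: check that these .depend entries were regenerated rather than merged by hand. The sshd-session.o block is shown with its continuation line (`sshd-session.o: chacha.h poly1305.h ...`) ahead of the line that starts with `includes.h`, sshd.o appears twice with different dependency sets (the second, shorter one no longer lists kex.h, monitor.h or session.h, which matches the listener/session split), and sshd-session.o still records `srclimit.h` although srclimit.o is dropped from SSHD_SESSION_OBJS in the Makefile.in change on this page. Regenerating .depend from the new Makefile.in keeps the two in step and avoids a stale rebuild trigger.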

@ -1,4 +1,6 @@
dtucker@dtucker.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
dtucker@dtucker.net sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDV81zWQ1+XVfWH5z4L4klDQ/z/6l2GLphfSTX/Rmq6kL5H8mkfzUlryxLlkN8cD9srtVJBAmwJWfJBNsCo958YAAAAEc3NoOg==
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLnJo3ZVDENYZGXm5uO9lU7b0iDFq5gHpTu1MaHPWTEfPdvw+AjFQQ/q5YizuMJkXGsMdYmblJEJZYHpm9IS7ZkAAAAEc3NoOg==
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJoAXBTQalfg+kC5wy1vE7HkIHtVnmV6AUuuIo9KQ1P+70juHwvsFKpsGaqQbrHJkTVgYDGVP02XHj8+Fb18yBIAAAAEc3NoOg==
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBH+z1I48s6ydOhP5SJmI02zVCLf0K15B+UMHgoTIKVfUIv5oDoVX7e9f+7QiRmTeEOdZfQydiaVqsfi7qPSve+0AAAAEc3NoOg==
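Review bot: if this is an allowed_signers list for `ssh-keygen -Y` (the `principal key-type key` layout matches that format), the three sk-ecdsa-sha2-nistp256@openssh.com entries for djm@mindrot.org carry no `valid-before` option and nothing identifies which authenticator each belongs to, so a lost or retired token stays trusted until someone remembers to remove it. Add a comment per key naming the device, or use `valid-before`, so the list can be pruned instead of only ever growing.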

@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=kgnS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=gl+l
-----END PGP SIGNATURE-----
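Review bot: the signature body is elided in this view, so all that can be reviewed is that the file is replaced wholesale (16 lines to 16 lines); the commit should state which artifact this signature covers and which key produced it, so a reader can run `gpg --verify` against the published key rather than trusting the blob because it changed alongside the release bump.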

.github/ci-status.md

@ -6,10 +6,10 @@ master :
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
9.4 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_4)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_4)
9.8 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
9.3 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3)
9.7 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
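Review bot: the branch badge sections end up ordered 9.4, 9.8, 9.3, 9.7, which is neither ascending nor newest-first; since the hunk keeps the line count at 10, two branches were swapped for two others, so list the branches that are meant to remain in one consistent order and drop the ones no longer maintained rather than leaving the page advertising stale status.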

.github/configs

@ -108,9 +108,19 @@ case "$config" in
SKIP_LTESTS=sftp-chroot
;;
gcc-11-Werror)
CC="gcc"
CC="gcc-11"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
# -Wunused-result ignores (void) so is not useful. See
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
CONFIGFLAGS="--with-pam --with-Werror"
;;
gcc-12-Werror)
CC="gcc-12"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
# -Wunused-result ignores (void) so is not useful. See
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
CONFIGFLAGS="--with-pam --with-Werror"
;;
clang*|gcc*)
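Review bot: the gcc-11-Werror and gcc-12-Werror cases are identical apart from CC, and both carry the comment `-Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled`, which describes a compiler several major versions older than either; collapse them into a single `gcc-1[12]-Werror)` pattern that derives CC from $config, and either refresh the comment or drop `-Wno-format-truncation` after checking whether gcc 11/12 still warn on fmt_scaled. Removing `-Wall -Wextra` from CFLAGS also means the -Werror build now only fails on the warning set configure itself enables for gcc; if that is the intent, a one-line comment saying so would stop the next reader from adding them back.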
@ -154,6 +164,11 @@ case "$config" in
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
putty-*)
CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
# We don't need to rerun the regular tests, just the interop ones.
TEST_TARGET=interop-tests
;;
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
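Review bot: `--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen` hard-codes the prefix that setup_ci.sh's putty-* branch happens to install into (`sudo make install` / `sudo cmake --build . --target install`, then `/usr/local/bin/plink -V`); keep the prefix in one shared variable so the two files cannot drift. Also note that `TEST_TARGET=interop-tests` means a regression in the base regress suite is invisible on these configs, which is fine only because the same commit is covered by the default config elsewhere in the matrix.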
@ -193,6 +208,7 @@ case "$config" in
# and hostbased (since valgrind won't let ssh exec keysign).
# Slow ones are run separately to increase parallelism.
SKIP_LTESTS="agent-timeout connection-timeout hostbased"
SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
;;
valgrind-2)
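Review bot: `SKIP_LTESTS="$SKIP_LTESTS penalty-expire"` has no justification, while the lines just above explain why agent-timeout, connection-timeout and hostbased are skipped under valgrind; add the reason (presumably the test's timing does not survive valgrind's slowdown) so the skip is not carried forward silently after the cause is addressed.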
@ -259,20 +275,22 @@ case "${TARGET_HOST}" in
;;
minix3)
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
# Unix domain sockets don't work quite like we expect, so also
# disable FD passing (and thus multiplexing).
CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
LIBCRYPTOFLAGS="--without-openssl"
# Minix does not have a loopback interface so we have to skip any
# test that relies on one.
# Also, Minix seems to be very limited in the number of select()
# calls that can be operating concurrently, so prune additional tests for that.
T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
connect connect-uri exit-status forwarding hostkey-agent
key-options keyscan knownhosts-command login-timeout
connect connect-uri dynamic-forward exit-status forwarding
forward-control
hostkey-agent key-options keyscan knownhosts-command login-timeout
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
transfer"
# Unix domain sockets don't work quite like we expect, so also skip any tests
# that use multiplexing.
T="$T connection-timeout dynamic-forward forward-control multiplex"
transfer penalty penalty-expire"
SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
SUDO=""
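Review bot: connection-timeout and multiplex were in the deleted line `T="$T connection-timeout dynamic-forward forward-control multiplex"` but are absent from the new T list, so both now run on minix3 while dynamic-forward and forward-control are still skipped. If multiplex is expected to skip itself because of the new `--disable-fd-passing`, say so in the comment; and confirm connection-timeout was meant to be re-enabled rather than dropped by accident when the two lists were merged. `SKIP_LTESTS="$(echo $T)"` also depends on unquoted word splitting to flatten the multi-line string, which is worth a comment since quoting $T would break it.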
@ -310,6 +328,10 @@ case "$host" in
# modern versions don't ship with libcrypto.
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
# On some OS X runners we can't write to /var/empty.
CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"
case "$host" in
*-darwin22.*)
# sudo -S nobody doesn't work on macos 13 for some reason.
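Review bot: `--with-privsep-path=/usr/local/empty` only changes the compiled-in chroot directory; nothing in this hunk creates /usr/local/empty, and sshd checks that the directory exists, is root-owned and is not group or world writable before it will chroot the unprivileged child, so either create it with the right mode in setup_ci.sh or document that the regress harness takes care of it on these runners.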

.github/run_test.sh

@ -9,6 +9,7 @@ set -ex
# If we want to test hostbased auth, set up the host for it.
if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
sshconf=/usr/local/etc
$SUDO mkdir -p "${sshconf}"
hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
$SUDO mkdir -p $sshconf
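Review bot: moving `$SUDO mkdir -p "${sshconf}"` ahead of the two tee calls is the right fix (tee cannot create a missing directory), but tee without -a truncates, so `echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config` replaces any existing /usr/local/etc/ssh_config on the runner instead of adding to it; use `tee -a`, or only write the file when it does not already exist. The remaining `$sshconf` uses are unquoted while the new mkdir quotes it; pick one style.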

.github/setup_ci.sh

@ -18,8 +18,7 @@ case "$host" in
;;
*-darwin*)
PACKAGER=brew
brew install automake
exit 0
PACKAGES="automake"
;;
*)
PACKAGER=apt
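Review bot: replacing `brew install automake` plus `exit 0` with `PACKAGES="automake"` means the remainder of the script now executes on macOS for the first time, so every later branch that assumes apt needs a PACKAGER guard like the one the `*pam)` case gains below; the unguarded lines that still append Debian package names (for example `valgrind*) PACKAGES="$PACKAGES valgrind"` and the putty-tools/dropbear-bin additions) should be audited so none of them reach `brew install` with a name brew does not know.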
@ -30,20 +29,30 @@ TARGETS=$@
INSTALL_FIDO_PPA="no"
export DEBIAN_FRONTEND=noninteractive
#echo "Setting up for '$TARGETS'"
set -ex
set -e
if [ -x "`which lsb_release 2>&1`" ]; then
lsb_release -a
fi
# Ubuntu 22.04 defaults to private home dirs which prevent the
# agent-getpeerid test from running ssh-add as nobody. See
# https://github.com/actions/runner-images/issues/6106
if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
echo ~ is not executable by nobody, adding perms.
chmod go+x ~
if [ ! -z "$SUDO" ]; then
# Ubuntu 22.04 defaults to private home dirs which prevent the
# agent-getpeerid test from running ssh-add as nobody. See
# https://github.com/actions/runner-images/issues/6106
if ! "$SUDO" -u nobody test -x ~; then
echo ~ is not executable by nobody, adding perms.
chmod go+x ~
fi
# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
# sudo still works, but sudo -u doesn't. Restore the sudo rule.
if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
echo "Restoring runner nopasswd rule to sudoers."
echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
fi
if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
echo "Still can't sudo to nobody."
exit 1
fi
fi
if [ "${TARGETS}" = "kitchensink" ]; then
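Review bot: `"$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd` looks in the wrong file; NOPASSWD rules live in /etc/sudoers (or /etc/sudoers.d), so the grep can never match and `echo 'runner ALL=(ALL) NOPASSWD: ALL' | $SUDO tee -a /etc/sudoers` appends a fresh copy of the rule on every run. Grep /etc/sudoers instead, or test the capability directly with `sudo -n true`, and write the rule into a file under /etc/sudoers.d rather than appending to the main sudoers. Note also that `set -ex` became `set -e`, so the commands in this block no longer echo into the CI log where the repeated append would have been visible.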
@ -57,6 +66,7 @@ for flag in $CONFIGFLAGS; do
esac
done
echo "Setting up for '$TARGETS'"
for TARGET in $TARGETS; do
case $TARGET in
default|without-openssl|without-zlib|c89)
@ -87,7 +97,9 @@ for TARGET in $TARGETS; do
esac
;;
*pam)
PACKAGES="$PACKAGES libpam0g-dev"
case "$PACKAGER" in
apt) PACKAGES="$PACKAGES libpam0g-dev" ;;
esac
;;
sk)
INSTALL_FIDO_PPA="yes"
@ -116,7 +128,7 @@ for TARGET in $TARGETS; do
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
PACKAGES="${PACKAGES} putty-tools"
PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
libressl-*)
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
@ -124,12 +136,16 @@ for TARGET in $TARGETS; do
master) ;;
*) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
esac
PACKAGES="${PACKAGES} putty-tools"
PACKAGES="${PACKAGES} putty-tools dropbear-bin"
;;
boringssl)
INSTALL_BORINGSSL=1
PACKAGES="${PACKAGES} cmake ninja-build"
;;
putty-*)
INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
PACKAGES="${PACKAGES} cmake"
;;
valgrind*)
PACKAGES="$PACKAGES valgrind"
;;
@ -156,6 +172,13 @@ while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
PACKAGES=""
fi
;;
brew)
if [ ! -z "PACKAGES" ]; then
if brew install $PACKAGES; then
PACKAGES=""
fi
fi
;;
setup)
if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
PACKAGES=""
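Review bot: `if [ ! -z "PACKAGES" ]` is missing the `$`, so it tests the literal string PACKAGES and is always true; the intent was `[ ! -z "$PACKAGES" ]`, matching the loop condition `while [ ! -z "$PACKAGES" ]` above. As written the inner `brew install $PACKAGES` also runs with an empty list, and brew errors out when given no arguments, so the loop falls through to its retry path instead of finishing cleanly.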
@ -176,7 +199,7 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
(cd ${HOME} &&
git clone https://github.com/GrapheneOS/hardened_malloc.git &&
cd ${HOME}/hardened_malloc &&
make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
make && sudo cp out/libhardened_malloc.so /usr/lib/)
fi
if [ ! -z "${INSTALL_OPENSSL}" ]; then
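Review bot: `make -j2` becomes plain `make` here and in the libressl builds below with no stated reason; if it is to make failures easier to read in the log, say so, since serial builds of hardened_malloc and libressl add wall time to every job. Separately, the unchanged `git clone https://github.com/GrapheneOS/hardened_malloc.git` builds whatever HEAD is at that moment and copies the result into /usr/lib with sudo; pinning a tag or commit would make the job reproducible and stop an upstream change from silently altering the test environment.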
@ -197,14 +220,14 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
make -j2 && sudo make install)
make && sudo make install)
else
LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
(cd ${HOME} &&
wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
cd libressl-${INSTALL_LIBRESSL} &&
./configure --prefix=/opt/libressl && make -j2 && sudo make install)
./configure --prefix=/opt/libressl && make && sudo make install)
fi
fi
@ -222,3 +245,25 @@ if [ ! -z "${INSTALL_ZLIB}" ]; then
cd ${HOME}/zlib && ./configure && make &&
sudo make install prefix=/opt/zlib)
fi
if [ ! -z "${INSTALL_PUTTY}" ]; then
ver="${INSTALL_PUTTY}"
case "${INSTALL_PUTTY}" in
snapshot)
tarball=putty.tar.gz
(cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
;;
*)
tarball=putty-${ver}.tar.gz
(cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
;;
esac
(cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
if [ -f CMakeLists.txt ]; then
cmake . && cmake --build . && sudo cmake --build . --target install
else
./configure && make && sudo make install
fi
)
/usr/local/bin/plink -V
fi
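Review bot: the tarballs fetched from `https://the.earth.li/~sgtatham/putty/${ver}/` and from the snapshot URL are built and installed with sudo without any checksum or signature check; PuTTY publishes detached GPG signatures for its release tarballs, so fetch the matching .gpg and verify it against the PuTTY release key before `make install` / `cmake --build . --target install`. `cd putty-*` also relies on exactly one matching directory under ${HOME}, which breaks if a release and a snapshot are both unpacked, and `snapshot` is unpinned, so a failing run cannot be reproduced later; logging the tarball's hash alongside the existing `/usr/local/bin/plink -V` output would at least make each run identifiable.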

@ -1,10 +1,15 @@
name: C/C++ CI
on:
workflow_dispatch:
workflow_dispatch: # disable for win32-openssh fork
# push:
# paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
# pull_request:
# paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
jobs:
ci:
name: "${{ matrix.target }} ${{ matrix.config }}"
if: github.repository != 'openssh/openssh-portable-selfhosted'
strategy:
fail-fast: false
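Review bot: the commented-out `paths:` filters name `.github/workflows/c-cpp.yaml`, but the workflow file is `c-cpp.yml` (the ci-status.md badges on this page link to `actions/workflows/c-cpp.yml`), so once the push/pull_request triggers are restored, edits to the workflow itself will not trigger a run; fix the name in both lists now so the defect is not inherited on re-enable. The `# disable for win32-openssh fork` comment should also say where, if anywhere, the fork runs these jobs, since otherwise the matrix below is dead configuration.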
@ -13,9 +18,9 @@ jobs:
target:
- ubuntu-20.04
- ubuntu-22.04
- macos-11
- macos-12
- macos-13
- macos-14
- windows-2019
- windows-2022
config: [default]
@ -44,7 +49,8 @@ jobs:
- { target: ubuntu-20.04, config: gcc-7 }
- { target: ubuntu-20.04, config: gcc-8 }
- { target: ubuntu-20.04, config: gcc-10 }
- { target: ubuntu-20.04, config: gcc-11-Werror }
- { target: ubuntu-22.04, config: gcc-11-Werror }
- { target: ubuntu-22.04, config: gcc-12-Werror }
- { target: ubuntu-20.04, config: pam }
- { target: ubuntu-20.04, config: kitchensink }
- { target: ubuntu-22.04, config: hardenedmalloc }
@ -58,18 +64,35 @@ jobs:
- { target: ubuntu-latest, config: libressl-3.5.3 }
- { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.2 }
- { target: ubuntu-latest, config: libressl-3.8.4 }
- { target: ubuntu-latest, config: libressl-3.9.1 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1k }
- { target: ubuntu-latest, config: openssl-1.1.1n }
- { target: ubuntu-latest, config: openssl-1.1.1q }
- { target: ubuntu-latest, config: openssl-1.1.1t }
- { target: ubuntu-latest, config: openssl-1.1.1w }
- { target: ubuntu-latest, config: openssl-3.0.0 }
- { target: ubuntu-latest, config: openssl-3.0.7 }
- { target: ubuntu-latest, config: openssl-3.0.13 }
- { target: ubuntu-latest, config: openssl-3.1.0 }
- { target: ubuntu-latest, config: openssl-3.1.5 }
- { target: ubuntu-latest, config: openssl-3.2.1 }
- { target: ubuntu-latest, config: openssl-3.3.0 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-latest, config: openssl-3.1 } # stable branch
- { target: ubuntu-latest, config: openssl-3.2 } # stable branch
- { target: ubuntu-latest, config: openssl-3.3 } # stable branch
- { target: ubuntu-latest, config: putty-0.71 }
- { target: ubuntu-latest, config: putty-0.72 }
- { target: ubuntu-latest, config: putty-0.73 }
- { target: ubuntu-latest, config: putty-0.74 }
- { target: ubuntu-latest, config: putty-0.75 }
- { target: ubuntu-latest, config: putty-0.76 }
- { target: ubuntu-latest, config: putty-0.77 }
- { target: ubuntu-latest, config: putty-0.78 }
- { target: ubuntu-latest, config: putty-0.79 }
- { target: ubuntu-latest, config: putty-0.80 }
- { target: ubuntu-latest, config: putty-snapshot }
- { target: ubuntu-latest, config: zlib-develop }
- { target: ubuntu-22.04, config: pam }
- { target: ubuntu-22.04, config: krb5 }
@ -79,9 +102,9 @@ jobs:
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- { target: macos-11, config: pam }
- { target: macos-12, config: pam }
- { target: macos-13, config: pam }
- { target: macos-14, config: pam }
runs-on: ${{ matrix.target }}
steps:
- name: set cygwin git params
@ -105,7 +128,7 @@ jobs:
- name: make clean
run: make clean
- name: make
run: make -j2
run: make
- name: make tests
run: sh ./.github/run_test.sh ${{ matrix.config }}
env:

@ -1,6 +1,10 @@
name: CIFuzz
on:
workflow_dispatch:
workflow_dispatch: # disable for win32-openssh fork
# push:
# paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
# pull_request:
# paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
jobs:
Fuzzing:
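Review bot: same path-filter problem as in c-cpp.yml: the commented `paths:` entries point at `.github/workflows/c-cpp.yaml` rather than this CIFuzz workflow's own file, so restoring the triggers would not re-run fuzzing when the fuzz workflow changes; correct the path before it is re-enabled.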

@ -1,17 +1,27 @@
name: C/C++ CI self-hosted
on:
workflow_dispatch:
workflow_dispatch: # disable for win32-openssh fork
# push:
# paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/selfhosted.yml' ]
jobs:
selfhosted:
name: "${{ matrix.target }} ${{ matrix.config }}"
if: github.repository == 'openssh/openssh-portable-selfhosted'
runs-on: ${{ matrix.host }}
timeout-minutes: 600
env:
DEBUG_ACTIONS: false
HOST: ${{ matrix.host }}
TARGET_HOST: ${{ matrix.target }}
TARGET_CONFIG: ${{ matrix.config }}
TARGET_DOMAIN: ${{ startsWith(matrix.host, 'libvirt') && format('{0}-{1}-{2}', matrix.target, matrix.config, github.run_id) || matrix.target }}
EPHEMERAL: ${{ startsWith(matrix.host, 'libvirt') }}
PERSISTENT: ${{ startsWith(matrix.host, 'persist') }}
REMOTE: ${{ startsWith(matrix.host, 'remote') }}
VM: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') }}
SSHFS: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') || startsWith(matrix.host, 'remote') }}
strategy:
fail-fast: false
# We use a matrix in two parts: firstly all of the VMs are tested with the
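Review bot: PERSISTENT and REMOTE are derived from the host prefix but none of the visible steps reference them (only `env.VM` and `env.SSHFS` gate steps), so either use them or drop them. TARGET_DOMAIN embeds github.run_id only for libvirt hosts, so a persist-* host reuses one domain name across runs; if more than one runner ever carries that label, two jobs could collide on the same VM, which argues for a `concurrency:` group on those entries or a comment that persistent hosts are single-job by construction.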
@ -30,6 +40,7 @@ jobs:
- fbsd10
- fbsd12
- fbsd13
- fbsd14
- minix3
- nbsd3
- nbsd4
@ -37,22 +48,27 @@ jobs:
- nbsd9
- obsd51
- obsd67
- obsd69
- obsd70
- obsd72
- obsd73
- obsd74
- obsdsnap
- obsdsnap-i386
- openindiana
- sol10
- sol11
- ubuntu-2204
config:
- default
host:
- libvirt
include:
# Long-running/slow tests have access to high priority runners.
- { target: aix51, config: default, host: libvirt-hipri }
- { target: openindiana, config: pam, host: libvirt-hipri }
- { target: sol10, config: default, host: libvirt-hipri }
- { target: sol10, config: pam, host: libvirt-hipri }
- { target: sol11, config: default, host: libvirt-hipri }
- { target: sol11, config: pam-krb5, host: libvirt-hipri }
- { target: sol11, config: sol64, host: libvirt-hipri }
# Then we include extra libvirt test configs.
- { target: aix51, config: default, host: libvirt }
- { target: centos7, config: pam, host: libvirt }
- { target: debian-i386, config: pam, host: libvirt }
- { target: dfly30, config: without-openssl, host: libvirt}
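Review bot: the hipri entries `{ target: sol10, config: default, host: libvirt-hipri }` and `{ target: sol11, config: default, host: libvirt-hipri }` add a second job for target/config pairs the base matrix already generates with host libvirt if sol10 and sol11 stay in the base target list, because an `include` entry only merges into an existing combination when every listed key matches and `host` differs here; if the intent is to move those slow jobs to the high-priority runners, remove them from the base list, otherwise each runs twice.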
@ -63,40 +79,50 @@ jobs:
- { target: fbsd10, config: pam, host: libvirt }
- { target: fbsd12, config: pam, host: libvirt }
- { target: fbsd13, config: pam, host: libvirt }
- { target: fbsd14, config: pam, host: libvirt }
- { target: nbsd8, config: pam, host: libvirt }
- { target: nbsd9, config: pam, host: libvirt }
- { target: openindiana, config: pam, host: libvirt }
- { target: sol10, config: pam, host: libvirt }
- { target: sol11, config: pam-krb5, host: libvirt }
- { target: sol11, config: sol64, host: libvirt }
- { target: nbsd10, config: pam, host: libvirt }
# ARM64 VMs
- { target: obsd-arm64, config: default, host: libvirt-arm64 }
# VMs with persistent disks that have their own runner.
- { target: win10, config: default, host: win10 }
- { target: win10, config: cygwin-release, host: win10 }
# Physical hosts, with either native runners or remote via ssh.
- { target: win10, config: default, host: persist-win10 }
- { target: win10, config: cygwin-release, host: persist-win10 }
# Physical hosts with native runners.
- { target: ARM, config: default, host: ARM }
- { target: ARM64, config: default, host: ARM64 }
- { target: ARM64, config: pam, host: ARM64 }
- { target: debian-riscv64, config: default, host: debian-riscv64 }
- { target: obsd-arm64, config: default, host: obsd-arm64 }
- { target: openwrt-mips, config: default, host: openwrt-mips }
- { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
# Physical hosts with remote runners.
- { target: debian-riscv64, config: default, host: remote-debian-riscv64 }
- { target: openwrt-mips, config: default, host: remote-openwrt-mips }
- { target: openwrt-mipsel, config: default, host: remote-openwrt-mipsel }
steps:
- name: shutdown VM if running
run: vmshutdown
- name: unmount stale workspace
if: env.SSHFS == 'true'
run: fusermount -u ${GITHUB_WORKSPACE} || true
working-directory: ${{ runner.temp }}
- name: shutdown VM if running
if: env.VM == 'true'
run: vmshutdown
- uses: actions/checkout@main
- name: autoreconf
run: autoreconf
- name: startup VM
if: env.VM == 'true'
run: vmstartup
working-directory: ${{ runner.temp }}
- name: copy and mount workspace
if: env.SSHFS == 'true'
run: sshfs_mount
working-directory: ${{ runner.temp }}
- name: configure
run: vmrun ./.github/configure.sh ${{ matrix.config }}
- name: save config
uses: actions/upload-artifact@main
with:
name: ${{ matrix.target }}-${{ matrix.config }}-config
path: config.h
# - name: save config
# uses: actions/upload-artifact@main
# with:
# name: ${{ matrix.target }}-${{ matrix.config }}-config
# path: config.h
- name: make clean
run: vmrun make clean
- name: make
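Review bot: the `save config` artifact step is commented out rather than removed, leaving five dead lines and no explanation; either delete it or add a one-line reason why config.h is no longer uploaded, since it is the first thing wanted when a self-hosted build fails. `fusermount -u ${GITHUB_WORKSPACE} || true` also swallows every failure, including a workspace that is still mounted and busy, after which `sshfs_mount` would mount on top of a stale mount; guarding with `mountpoint -q` so that only a real unmount error is ignored would make the cleanup meaningful.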
@ -115,7 +141,10 @@ jobs:
regress/*.log
regress/log/*
regress/valgrind-out/
- name: shutdown VM
if: always()
run: vmshutdown
- name: unmount workspace
if: always() && env.SSHFS == 'true'
run: fusermount -u ${GITHUB_WORKSPACE} || true
working-directory: ${{ runner.temp }}
- name: shutdown VM
if: always() && env.VM == 'true'
run: vmshutdown

@ -1,24 +1,32 @@
name: Upstream self-hosted
on:
push:
branches: [ master ]
paths: [ '**.c', '**.h', '.github/**' ]
workflow_dispatch: # disable for win32-openssh fork
# push:
# branches: [ master ]
# paths: [ '**.c', '**.h', '**.sh', '.github/configs', '.github/workflows/upstream.yml' ]
jobs:
selfhosted:
name: "upstream ${{ matrix.target }} ${{ matrix.config }}"
if: github.repository == 'openssh/openssh-portable-selfhosted'
runs-on: 'libvirt'
env:
DEBUG_ACTIONS: true
EPHEMERAL: true
HOST: 'libvirt'
TARGET_HOST: ${{ matrix.target }}
TARGET_CONFIG: ${{ matrix.config }}
TARGET_DOMAIN: ${{ format('{0}-{1}-{2}', matrix.target, matrix.config, github.run_id) || matrix.target }}
strategy:
fail-fast: false
matrix:
target: [ obsdsnap, obsdsnap-i386 ]
config: [ default, without-openssl, ubsan ]
steps:
- name: unmount stale workspace
run: fusermount -u ${GITHUB_WORKSPACE} || true
working-directory: ${{ runner.temp }}
- name: shutdown VM if running
run: vmshutdown
working-directory: ${{ runner.temp }}
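Review bot: `TARGET_DOMAIN: ${{ format('{0}-{1}-{2}', matrix.target, matrix.config, github.run_id) || matrix.target }}` has a dead fallback: format() always yields a non-empty string, so `|| matrix.target` can never apply. It was copied from selfhosted.yml, where the expression is guarded by `startsWith(matrix.host, 'libvirt')`; here `HOST: 'libvirt'` and `EPHEMERAL: true` are fixed, so drop the fallback. The commented push trigger now lists `'**.sh', '.github/configs', '.github/workflows/upstream.yml'` where the old one had `'.github/**'`, which narrows what retriggers once re-enabled; that looks deliberate, but it deserves a line in the commit message.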
@ -26,6 +34,9 @@ jobs:
- name: startup VM
run: vmstartup
working-directory: ${{ runner.temp }}
- name: copy and mount workspace
run: sshfs_mount
working-directory: ${{ runner.temp }}
- name: update source
run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
- name: make clean
@ -33,7 +44,7 @@ jobs:
- name: make
run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
- name: make install
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install && sudo /etc/rc.d/sshd -f restart"
- name: make tests`
run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
env:
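Review bot: the step name `make tests\`` carries a stray trailing backtick; YAML accepts it, so it only shows up as an odd job-summary label. Adding `sudo /etc/rc.d/sshd -f restart` after `make install` is the right way to get the freshly built daemon into service, but the runner reaches the VM through that same sshd, so keeping the restart inside the single vmrun invocation, as done here, is also the safest place for it; a comment saying so would stop someone from splitting it into its own step.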
@ -47,6 +58,10 @@ jobs:
path: |
/usr/obj/regress/usr.bin/ssh/obj/*.log
/usr/obj/regress/usr.bin/ssh/obj/log/*
- name: unmount workspace
if: always()
run: fusermount -u ${GITHUB_WORKSPACE} || true
working-directory: ${{ runner.temp }}
- name: shutdown VM
if: always()
run: vmshutdown

.gitignore

@ -2,23 +2,21 @@
Makefile
buildpkg.sh
config.h
config.h.in
config.h.in~
config.log
config.status
configure
aclocal.m4
openbsd-compat/Makefile
openbsd-compat/regress/Makefile
openssh.xml
opensshd.init
survey.sh
**/*.0
**/*.o
**/*.lo
**/*.so
**/*.out
**/*.a
**/*.un~
**/.*.swp
autom4te.cache/
scp
sftp

@ -1,3 +1,4 @@
509bb19bb9762a4b3b589af98bac2e730541b6d4 clean sshd random relinking kit
5317f294d63a876bfc861e19773b1575f96f027d remove libssh from makefiles
a337e886a49f96701ccbc4832bed086a68abfa85 Makefile changes
f2c9feb26963615c4fece921906cf72e248b61ee more Makefile
@ -27,6 +28,15 @@ cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile
f9a0726d957cf10692a231996a1f34e7f9cdfeb0 moduli update
1e0a2692b7e20b126dda60bf04999d1d30d959d8 sshd relinking makefile changes
e1dc11143f83082e3154d6094f9136d0dc2637ad more relinking makefile tweaks
5a636f6ca7f25bfe775df4952f7aac90a7fcbbee moduli update
ef9341d5a50f0d33e3a6fbe995e92964bc7ef2d3 Makefile relinking changes
2fe8d707ae35ba23c7916adcb818bb5b66837ba0 ssh-agent relink kit
866cfcc1955aef8f3fc32da0b70c353a1b859f2e ssh-agent relink changes
8b3820adb4da4e139c4b3cffbcc0bde9f08bf0c6 sshd-session relink kit
6d2ded4cd91d4d727c2b26e099b91ea935bed504 relink kit
fb39324748824cb0387e9d67c41d1bef945c54ea Makefile change
5f378c38ad8976d507786dc4db9283a879ec8cd0 Makefile change
112aacedd3b61cc5c34b1fa6d9fb759214179172 Makefile change
Old upstream tree:

ChangeLog (new file, 8666 lines; diff suppressed because it is too large)

@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@ -37,6 +38,7 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-D_PATH_SSHD_SESSION=\"$(SSHD_SESSION)\" \
-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
-D_PATH_SSH_SK_HELPER=\"$(SSH_SK_HELPER)\" \
-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
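Review bot: `-D_PATH_SSHD_SESSION=\"$(SSHD_SESSION)\"` bakes the absolute `$(libexecdir)/sshd-session` path into the sshd listener, so the two binaries must come from the same build and be relocated together; for the Win32 fork that means the installer and service registration have to ship sshd-session next to the other libexec helpers, and anything that identifies the server by process name `sshd` now has to account for the session child handling the authenticated connection.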
@ -69,7 +71,7 @@ MKDIR_P=@MKDIR_P@
.SUFFIXES: .lo
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@ -107,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
ssh-ed25519.o digest-openssl.o digest-libc.o \
hmac.o ed25519.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \
kexsntrup761x25519.o sntrup761.o kexgen.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
@ -118,17 +120,23 @@ SKOBJS= ssh-sk-client.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
SSHDOBJS=sshd.o \
platform-listen.o \
servconf.o sshpty.o srclimit.o groupaccess.o auth2-methods.o \
dns.o fatal.o compat.o utf8.o authfd.o canohost.o \
$(SKOBJS)
SSHD_SESSION_OBJS=sshd-session.o auth-rhosts.o auth-passwd.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth2.o auth-options.o session.o \
auth.o auth2.o auth2-methods.o auth-options.o session.o \
auth2-chall.o groupaccess.o \
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
srclimit.o sftp-server.o sftp-common.o \
sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o $(SKOBJS)
@ -207,7 +215,10 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
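Review bot: the sshd link line drops $(GSSLIBS) and $(K5LIBS) while the new sshd-session line keeps them; that is only safe if none of the objects now in SSHDOBJS (sshd.o, servconf.o, auth2-methods.o, srclimit.o and the rest) reference a GSSAPI or Kerberos symbol. A build with Kerberos/GSSAPI enabled should be part of the check for this hunk, since servconf.o is still in the listener's object list and the listener no longer links those libraries.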
@ -399,6 +410,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
@ -715,7 +727,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
regress/unittests/sshsig/test_sshsig$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT)
tests: file-tests t-exec interop-tests unit
tests: file-tests t-exec interop-tests extra-tests unit
echo all tests passed
unit: regress-unit-binaries
@ -726,7 +738,7 @@ unit: regress-unit-binaries
OBJ="$(BUILDDIR)/regress" \
$@ && echo $@ tests passed
interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
interop-tests t-exec file-tests extra-tests: regress-prep regress-binaries $(TARGETS)
cd $(srcdir)/regress || exit $$?; \
EGREP='@EGREP@' \
OPENSSL_BIN='@OPENSSL_BIN@' \
@ -741,6 +753,7 @@ interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
TEST_SSH_SCP="$(BUILDDIR)/scp" \
TEST_SSH_SSH="$(BUILDDIR)/ssh" \
TEST_SSH_SSHD="$(BUILDDIR)/sshd" \
TEST_SSH_SSHD_SESSION="$(BUILDDIR)/sshd-session" \
TEST_SSH_SSHAGENT="$(BUILDDIR)/ssh-agent" \
TEST_SSH_SSHADD="$(BUILDDIR)/ssh-add" \
TEST_SSH_SSHKEYGEN="$(BUILDDIR)/ssh-keygen" \
@ -751,9 +764,13 @@ interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
TEST_SSH_SK_HELPER="$(BUILDDIR)/ssh-sk-helper" \
TEST_SSH_SFTPSERVER="$(BUILDDIR)/sftp-server" \
TEST_SSH_MODULI_FILE="$(abs_top_srcdir)/moduli" \
TEST_SSH_PLINK="plink" \
TEST_SSH_PUTTYGEN="puttygen" \
TEST_SSH_CONCH="conch" \
TEST_SSH_PLINK="@PLINK@" \
TEST_SSH_PUTTYGEN="@PUTTYGEN@" \
TEST_SSH_CONCH="@CONCH@" \
TEST_SSH_DROPBEAR="@DROPBEAR@" \
TEST_SSH_DROPBEARKEY="@DROPBEARKEY@" \
TEST_SSH_DROPBEARCONVERT="@DROPBEARCONVERT@" \
TEST_SSH_DBCLIENT="@DBCLIENT@" \
TEST_SSH_IPV6="@TEST_SSH_IPV6@" \
TEST_SSH_UTF8="@TEST_SSH_UTF8@" \
TEST_SHELL="$(TEST_SHELL)" \

@ -137,24 +137,51 @@ than as a named global or channel request to allow pings with very
short packet lengths, which would not be possible with other
approaches.
1.9 transport: strict key exchange extension
1.10 transport: strict key exchange extension
OpenSSH supports a number of transport-layer hardening measures under
a "strict KEX" feature. This feature is signalled similarly to the
RFC8305 ext-info feature: by including a additional algorithm in the
SSH2_MSG_KEXINIT kex_algorithms field. The client may append
RFC8308 ext-info feature: by including a additional algorithm in the
initial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
may append "kex-strict-s-v00@openssh.com".
may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
if they are present in subsequent SSH2_MSG_KEXINIT packets.
When endpoint that supports this extension observes this algorithm
When an endpoint that supports this extension observes this algorithm
name in a peer's KEXINIT packet, it MUST make the following changes to
the the protocol:
the protocol:
a) During initial KEX, terminate the connection if any unexpected or
out-of-sequence packet is received. This includes terminating the
connection if the first packet received is not SSH2_MSG_KEXINIT.
b) At each SSH2_MSG_NEWKEYS message, reset the packet sequence number
to zero.
a) During initial KEX, terminate the connection if out-of-sequence
packet or any message that is not strictly required by KEX is
received. This includes terminating the connection if the first
packet received is not SSH2_MSG_KEXINIT. Unexpected packets for
the purpose of strict KEX include messages that are otherwise
valid at any time during the connection such as SSH2_MSG_DEBUG,
SSH2_MSG_IGNORE or SSH2_MSG_UNIMPLEMENTED.
b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
packet sequence number to zero. This behaviour persists for the
duration of the connection (i.e. not just the first
SSH2_MSG_NEWKEYS).
1.11 transport: SSH2_MSG_EXT_INFO during user authentication
This protocol extension allows the SSH2_MSG_EXT_INFO to be sent
during user authentication. RFC8308 does allow a second
SSH2_MSG_EXT_INFO notification, but it may only be sent at the end
of user authentication and this is too late to signal per-user
server signature algorithms.
Support for receiving the SSH2_MSG_EXT_INFO message during user
authentication is signalled by the client including a
"ext-info-in-auth@openssh.com" key via its initial SSH2_MSG_EXT_INFO
set after the SSH2_MSG_NEWKEYS message.
A server that supports this extension MAY send a second
SSH2_MSG_EXT_INFO message any time after the client's first
SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails.
The client SHOULD be prepared to update the server-sig-algs that
it received during an earlier SSH2_MSG_EXT_INFO with the later one.
2. Connection protocol changes
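Review bot: three wording problems in the strict-KEX and ext-info-in-auth text. "including a additional algorithm" (present in both the old and the new line) should read "an additional algorithm"; "terminate the connection if out-of-sequence packet or any message that is not strictly required by KEX is received" needs "if an out-of-sequence packet"; and "regardless of whether it succeed or fails" should be "succeeds or fails". On substance, section 1.11 says RFC8308 already allows a second SSH2_MSG_EXT_INFO at the end of user authentication and that this extension allows one during authentication; it would help implementers to state whether a server that sends SSH2_MSG_EXT_INFO during userauth may still send the RFC8308 one afterwards, or whether the total stays at two.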
@ -709,6 +736,7 @@ identifiers:
The server will reply with a SSH_FXP_EXTENDED_REPLY:
byte SSH_FXP_EXTENDED_REPLY
uint32 id
string usernames
string groupnames
@ -764,4 +792,4 @@ master instance and later clients.
OpenSSH extends the usual agent protocol. These changes are documented
in the PROTOCOL.agent file.
$OpenBSD: PROTOCOL,v 1.49 2023/08/28 03:28:43 djm Exp $
$OpenBSD: PROTOCOL,v 1.55 2024/01/08 05:05:15 djm Exp $

@ -49,10 +49,13 @@ Where a constraint consists of:
string from_username (must be empty)
string from_hostname
string reserved
keyspec[] from_hostkeys
string to_username
string to_hostname
string reserved
keyspec[] to_hostkeys
string reserved
And a keyspec consists of:
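Review bot: two "string reserved" fields are inserted into the destination-constraint layout, one after from_hostname and one after to_hostname. The hunk gives no indication whether this documents what agents already put on the wire or changes the encoding; a sentence saying which (and, if it is a real format change, a new constraint version string) would keep third-party agent implementations from parsing the constraint wrongly.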
@ -81,4 +84,35 @@ the constraint is:
This option is only valid for XMSS keys.
$OpenBSD: PROTOCOL.agent,v 1.20 2023/10/03 23:56:10 djm Exp $
3. associated-certs-v00@openssh.com key constraint extension
The key constraint extension allows certificates to be associated
with private keys as they are loaded from a PKCS#11 token.
byte SSH_AGENT_CONSTRAIN_EXTENSION (0xff)
string associated-certs-v00@openssh.com
bool certs_only
string certsblob
Where "certsblob" consists of one or more certificates encoded as public
key blobs:
string[] certificates
This extension is only valid for SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED
requests. When an agent receives this extension, it will attempt to match
each certificate in the request with a corresponding private key loaded
from the requested PKCS#11 token. When a matching key is found, the
agent will graft the certificate contents to the token-hosted private key
and store the result for subsequent use by regular agent operations.
If the "certs_only" flag is set, then this extension will cause ONLY
the resultant certificates to be loaded to the agent. The default
behaviour is to load the PKCS#11-hosted private key as well as the
resultant certificate.
A SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED will return SSH_AGENT_SUCCESS
if any key (plain private or certificate) was successfully loaded, or
SSH_AGENT_FAILURE if no key was loaded.
$OpenBSD: PROTOCOL.agent,v 1.23 2024/04/30 05:45:56 djm Exp $
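Review bot: "A SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED will return" should read "An SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED request will return". More substantively, the success rule ("SSH_AGENT_SUCCESS if any key (plain private or certificate) was successfully loaded") implies that certificates in certsblob that match no token-hosted key are silently dropped; stating that explicitly, together with the result when certs_only is set and nothing matches (presumably SSH_AGENT_FAILURE, since no key is loaded), would save implementers from guessing and lets callers detect a certificate/token mismatch.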

@ -40,7 +40,7 @@ of the cipher block size.
byte[] privatekey2
string comment2
...
string privatekeyN
byte[] privatekeyN
string commentN
byte 1
byte 2
@ -68,4 +68,4 @@ For unencrypted keys the cipher "none" and the KDF "none"
are used with empty passphrases. The options if the KDF "none"
are the empty string.
$OpenBSD: PROTOCOL.key,v 1.3 2022/07/01 04:45:50 djm Exp $
$OpenBSD: PROTOCOL.key,v 1.4 2024/03/30 05:56:22 djm Exp $

@ -188,8 +188,6 @@ For dynamically allocated listen port the server replies with
7. Requesting closure of port forwards
Note: currently unimplemented (server will always reply with MUX_S_FAILURE).
A client may request the master to close a port forward:
uint32 MUX_C_CLOSE_FWD
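Review bot: removing the "currently unimplemented (server will always reply with MUX_S_FAILURE)" note asserts that MUX_C_CLOSE_FWD now works, but the corresponding mux.c change is not part of this hunk; please confirm the implementation lands in the same change set so the protocol document and the code do not disagree.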
@ -295,4 +293,4 @@ XXX session inspection via master
XXX signals via mux request
XXX list active connections via mux
$OpenBSD: PROTOCOL.mux,v 1.13 2022/01/01 01:55:30 jsg Exp $
$OpenBSD: PROTOCOL.mux,v 1.14 2024/01/08 05:11:18 djm Exp $

2
README

@ -1,4 +1,4 @@
See https://www.openssh.com/releasenotes.html#9.5p1 for the release
See https://www.openssh.com/releasenotes.html#9.8p1 for the release
notes.
Please read https://www.openssh.com/report.html for bug reporting

@ -53,11 +53,12 @@ Darwin does not provide a tun(4) driver required for OpenSSH-based
virtual private networks. The BSD manpage still exists, but the driver
has been removed in recent releases of Darwin and MacOS X.
Nevertheless, tunnel support is known to work with Darwin 8 and
MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
using a third party driver. More information is available at:
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
Tunnel support is known to work with Darwin 8 and MacOS X 10.4 in
Point-to-Point (Layer 3) and Ethernet (Layer 2) mode using a third
party driver. More information is available at:
https://tuntaposx.sourceforge.net
Recent Darwin/MacOS X versions are likely unsupported.
Linux
-----

15
aclocal.m4 vendored Normal file

@ -0,0 +1,15 @@
# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
# Copyright (C) 1996-2021 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
m4_include([m4/openssh.m4])

12
addr.c

@ -1,4 +1,4 @@
/* $OpenBSD: addr.c,v 1.7 2023/03/27 03:31:05 djm Exp $ */
/* $OpenBSD: addr.c,v 1.8 2024/04/02 09:29:31 deraadt Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@ -27,6 +27,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <limits.h>
#include "addr.h"
@ -457,8 +458,9 @@ int
addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
{
struct xaddr tmp;
long unsigned int masklen = 999;
char addrbuf[64], *mp, *cp;
u_int masklen = 999;
char addrbuf[64], *mp;
const char *errstr;
/* Don't modify argument */
if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) >= sizeof(addrbuf))
@ -467,8 +469,8 @@ addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
if ((mp = strchr(addrbuf, '/')) != NULL) {
*mp = '\0';
mp++;
masklen = strtoul(mp, &cp, 10); // CodeQL [SM02313]: strtoul will initialize cp
if (*mp < '0' || *mp > '9' || *cp != '\0' || masklen > 128)
masklen = (u_int)strtonum(mp, 0, INT_MAX, &errstr);
if (errstr)
return -1;
}
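Review bot: the explicit "masklen > 128" rejection is replaced by strtonum(mp, 0, INT_MAX, &errstr), so this hunk by itself now accepts any mask length up to INT_MAX; the per-family bound (32 for IPv4, 128 for IPv6) must be enforced by the code that follows, which is outside the hunk, so please confirm it still is. The change itself is sound: strtonum rejects trailing garbage and out-of-range values in one call, the (u_int) cast is safe under the 0..INT_MAX bounds, and masklen becoming u_int matches the u_int *l out-parameter. One small behavioural difference worth a note in the commit message: the old "*mp < '0' || *mp > '9'" check also rejected a leading '+' or whitespace, which strtoll (underlying strtonum) accepts.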

@ -67,11 +67,6 @@
#include <pam/pam_appl.h>
#endif
#if !defined(SSHD_PAM_SERVICE)
extern char *__progname;
# define SSHD_PAM_SERVICE __progname
#endif
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, SunOS */
@ -105,6 +100,7 @@ extern char *__progname;
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "srclimit.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
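Review bot: auth-pam.c gains #include "srclimit.h", but the Makefile hunk above moves srclimit.o into SSHDOBJS only and removes it from SSHD_SESSION_OBJS, which is the list auth-pam.o is linked from. Either the include is unnecessary or sshd-session will need something from srclimit.c; please confirm which, and in particular where signal_is_crash() and EXIT_CHILD_CRASH used in the new SIGCHLD handler below are defined, so the link does not break only in configurations built with PAM.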
@ -171,13 +167,13 @@ sshpam_sigchld_handler(int sig)
return;
}
}
if (WIFSIGNALED(sshpam_thread_status) &&
WTERMSIG(sshpam_thread_status) == SIGTERM)
return; /* terminated by pthread_cancel */
if (!WIFEXITED(sshpam_thread_status))
sigdie("PAM: authentication thread exited unexpectedly");
if (WEXITSTATUS(sshpam_thread_status) != 0)
sigdie("PAM: authentication thread exited uncleanly");
if (sshpam_thread_status == -1)
return;
if (WIFSIGNALED(sshpam_thread_status)) {
if (signal_is_crash(WTERMSIG(sshpam_thread_status)))
_exit(EXIT_CHILD_CRASH);
} else if (!WIFEXITED(sshpam_thread_status))
_exit(EXIT_CHILD_CRASH);
}
/* ARGSUSED */
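Review bot: the rewritten SIGCHLD handler drops the "WEXITSTATUS(sshpam_thread_status) != 0" check. Previously an authentication thread that exited with a non-zero status was fatal ("PAM: authentication thread exited uncleanly"); now a non-zero exit, and a termination by any signal that signal_is_crash() does not classify as a crash, fall through and return silently. If that status is consumed and acted on elsewhere (when the thread result is read), say so in a comment here; otherwise this is a loss of a failure check on the PAM auth thread. Using _exit() from the handler rather than sigdie() is the right call, as it stays async-signal-safe.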
@ -668,7 +664,7 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL };
void
sshpam_cleanup(void)
{
if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
if (sshpam_handle == NULL || !mm_is_monitor())
return;
debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
@ -694,6 +690,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
const char **ptr_pam_user = &pam_user;
int r;
if (options.pam_service_name == NULL)
fatal_f("internal error: NULL PAM service name");
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
/* Protect buggy PAM implementations from excessively long usernames */
if (strlen(user) >= PAM_MAX_RESP_SIZE)
@ -705,7 +703,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
fatal("%s: called initially with no "
"packet context", __func__);
}
} if (sshpam_handle != NULL) {
}
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
sshpam_err = pam_get_item(sshpam_handle,
PAM_USER, (sshpam_const void **)ptr_pam_user);
@ -714,9 +713,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
debug("PAM: initializing for \"%s\" with service \"%s\"", user,
options.pam_service_name);
sshpam_err = pam_start(options.pam_service_name, user,
&store_conv, &sshpam_handle);
sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) {
@ -1101,20 +1101,15 @@ do_pam_account(void)
}
void
do_pam_setcred(int init)
do_pam_setcred(void)
{
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
if (init) {
debug("PAM: establishing credentials");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
}
debug("PAM: establishing credentials");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
if (sshpam_err == PAM_SUCCESS) {
sshpam_cred_established = 1;
return;
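Review bot: do_pam_setcred() loses its init flag and with it the PAM_REINITIALIZE_CRED path; every remaining caller now performs PAM_ESTABLISH_CRED. Please confirm no caller relied on the reinitialise path (the auth-pam.h hunk below updates the prototype, so any caller still passing an argument will fail to compile, but a caller that previously passed 0 will now silently establish instead of reinitialise).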
@ -1127,6 +1122,7 @@ do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err));
}
#if 0
static int
sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
@ -1182,6 +1178,7 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
}
static struct pam_conv tty_conv = { sshpam_tty_conv, NULL };
#endif
/*
* XXX this should be done in the authentication phase, but ssh1 doesn't
@ -1190,8 +1187,8 @@ static struct pam_conv tty_conv = { sshpam_tty_conv, NULL };
void
do_pam_chauthtok(void)
{
if (use_privsep)
fatal("Password expired (unable to change with privsep)");
fatal("Password expired");
#if 0
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
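Review bot: do_pam_chauthtok() now unconditionally fatal()s and its remaining body, together with sshpam_tty_conv() and tty_conv above, is wrapped in #if 0. Since the code is unreachable, deleting it outright is cleaner than leaving a disabled block to bit-rot; if it is being kept as a reference for a future privsep-aware implementation, a comment saying so would help. Note also that the user-visible message shrinks from "Password expired (unable to change with privsep)" to "Password expired", which no longer tells the user why the change cannot be done in-session.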
@ -1202,6 +1199,7 @@ do_pam_chauthtok(void)
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: pam_chauthtok(): %s",
pam_strerror(sshpam_handle, sshpam_err));
#endif
}
void
@ -1375,6 +1373,8 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
pam_strerror(sshpam_handle, sshpam_err));
expose_authinfo(__func__);
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
free(fake);

@ -31,7 +31,7 @@ void start_pam(struct ssh *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(struct ssh *);
void do_pam_setcred(int );
void do_pam_setcred(void);
void do_pam_chauthtok(void);
int do_pam_putenv(char *, char *);
char ** fetch_pam_environment(void);

@ -1,4 +1,4 @@
/* $OpenBSD: auth-rhosts.c,v 1.57 2022/12/09 00:17:40 dtucker Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.58 2024/05/17 00:30:23 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -46,7 +46,6 @@
/* import */
extern ServerOptions options;
extern int use_privsep;
/*
* This function processes an rhosts-style file (.rhosts, .shosts, or

110
auth.c

@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.160 2023/03/05 05:34:09 dtucker Exp $ */
/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -85,7 +85,6 @@
/* import */
extern ServerOptions options;
extern struct include_list includes;
extern int use_privsep;
extern struct sshbuf *loginmsg;
extern struct passwd *privsep_pw;
extern struct sshauthopt *auth_opts;
@ -285,7 +284,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
const char *authmsg;
char *extra = NULL;
if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
if (!mm_is_monitor() && !authctxt->postponed)
return;
/* Raise logging level */
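Review bot: with the use_privsep guard gone, auth_log() returns early in any process that is not the monitor, so authentication success/failure logging now depends on privilege separation being unconditional in this tree (consistent with the other use_privsep removals in this change). Please confirm the config parser still accepts and ignores UsePrivilegeSeparation so old configs do not break, and that mm_is_monitor() is well-defined in every process role that can reach auth_log().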
@ -494,11 +493,11 @@ getpwnamallow(struct ssh *ssh, const char *user)
struct connection_info *ci;
u_int i;
ci = get_connection_info(ssh, 1, options.use_dns);
ci = server_get_connection_info(ssh, 1, options.use_dns);
#ifdef WINDOWS
/* getpwname - normalizes the incoming user and makes it lowercase
/* it must be duped as the server matching routines may use getpwnam() and
* and free the name being assigned to the connection info structure
* and free the name being assigned to the connection info structure
*/
pw = getpwnam(user);
ci->user = pw? xstrdup(pw->pw_name): user;
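Review bot: the rewritten WINDOWS comment says the name "must be duped as the server matching routines may use getpwnam() and free the name being assigned to the connection info structure", but the code only duplicates when getpwnam() succeeds: in the pw == NULL branch ci->user is assigned the caller's user pointer without a copy, which is exactly the case the comment warns about. Either dup in both branches (xstrdup(pw ? pw->pw_name : user)) or explain why the NULL case is safe. The comment also reads "and / and" across the two lines; drop one.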
@ -510,7 +509,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
log_verbose_reset();
for (i = 0; i < options.num_log_verbose; i++)
log_verbose_add(options.log_verbose[i]);
process_permitopen(ssh, &options);
server_process_permitopen(ssh);
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_setauthdb(user);
@ -669,97 +668,6 @@ fakepw(void)
return (&fake);
}
/*
* Returns the remote DNS hostname as a string. The returned string must not
* be freed. NB. this will usually trigger a DNS query the first time it is
* called.
* This function does additional checks on the hostname to mitigate some
* attacks on based on conflation of hostnames and IP addresses.
*/
static char *
remote_hostname(struct ssh *ssh)
{
struct sockaddr_storage from;
socklen_t fromlen;
struct addrinfo hints, *ai, *aitop;
char name[NI_MAXHOST], ntop2[NI_MAXHOST];
const char *ntop = ssh_remote_ipaddr(ssh);
/* Get IP address of client. */
fromlen = sizeof(from);
memset(&from, 0, sizeof(from));
if (getpeername(ssh_packet_get_connection_in(ssh),
(struct sockaddr *)&from, &fromlen) == -1) {
debug("getpeername failed: %.100s", strerror(errno));
return xstrdup(ntop);
}
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
fromlen = sizeof(struct sockaddr_in6);
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
return xstrdup(ntop);
}
/*
* if reverse lookup result looks like a numeric hostname,
* someone is trying to trick us by PTR record like following:
* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
*/
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
name, ntop);
freeaddrinfo(ai);
return xstrdup(ntop);
}
/* Names are stored in lowercase. */
lowercase(name);
/*
* Map it back to an IP address and check that the given
* address actually is an address of this host. This is
* necessary because anyone with access to a name server can
* define arbitrary names for an IP address. Mapping from
* name to IP address can be trusted better (but can still be
* fooled if the intruder has access to the name server of
* the domain).
*/
memset(&hints, 0, sizeof(hints));
hints.ai_family = from.ss_family;
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
logit("reverse mapping checking getaddrinfo for %.700s "
"[%s] failed.", name, ntop);
return xstrdup(ntop);
}
/* Look for the address from the list of addresses. */
for (ai = aitop; ai; ai = ai->ai_next) {
if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
(strcmp(ntop, ntop2) == 0))
break;
}
freeaddrinfo(aitop);
/* If we reached the end of the list, the address was not there. */
if (ai == NULL) {
/* Address not found for the host name. */
logit("Address %.100s maps to %.600s, but this does not "
"map back to the address.", ntop, name);
return xstrdup(ntop);
}
return xstrdup(name);
}
/*
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
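Review bot: the deleted remote_hostname() carried two security checks that are easy to lose in a move: rejecting a PTR record whose result parses as a numeric address ("Nasty PTR record"), and the forward-confirmed reverse lookup that requires the name to map back to the peer's address. The replacement ssh_remote_hostname() used in the next hunk is not in this diff, so please confirm it preserves both checks and the lowercase normalisation, since HostbasedAuthentication and the from= host matching depend on them.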
@ -773,12 +681,10 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
if (!use_dns)
return ssh_remote_ipaddr(ssh);
else if (dnsname != NULL)
if (dnsname != NULL)
return dnsname;
else {
dnsname = remote_hostname(ssh);
return dnsname;
}
dnsname = ssh_remote_hostname(ssh);
return dnsname;
}
/* These functions link key/cert options to the auth framework */

15
auth.h

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.106 2022/06/15 16:08:25 djm Exp $ */
/* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -108,11 +108,15 @@ struct Authctxt {
* the client.
*/
struct authmethod_cfg {
const char *name;
const char *synonym;
int *enabled;
};
struct Authmethod {
char *name;
char *synonym;
struct authmethod_cfg *cfg;
int (*userauth)(struct ssh *, const char *);
int *enabled;
};
/*
@ -155,8 +159,6 @@ void auth2_record_info(Authctxt *authctxt, const char *, ...)
void auth2_update_session_info(Authctxt *, const char *, const char *);
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int auth_krb5_password(Authctxt *authctxt, const char *password);
void krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */
@ -215,7 +217,6 @@ int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
u_char **, size_t *, const u_char *, size_t, const char *);
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
int auth_activate_options(struct ssh *, struct sshauthopt *);
void auth_restrict_session(struct ssh *);
void auth_log_authopts(const char *, const struct sshauthopt *, int);

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.36 2024/05/17 04:42:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -51,6 +51,7 @@
#define SSH_GSSAPI_MAX_MECHS 2048
extern ServerOptions options;
extern struct authmethod_cfg methodcfg_gssapi;
static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
@ -116,7 +117,7 @@ userauth_gssapi(struct ssh *ssh, const char *method)
return (0);
}
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, &goid))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
free(doid);
@ -153,7 +154,7 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
size_t len;
int r;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
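Review bot: the condition is reduced to "authctxt == NULL" but the fatal message still reads "No authentication or GSSAPI context", and gssctxt = authctxt->methoddata is no longer checked for NULL at all (the same pattern repeats in input_gssapi_errtok, input_gssapi_exchange_complete and input_gssapi_mic). If a NULL methoddata is legitimately handled by the monitor side under mandatory privsep, update the message to "No authentication context"; if not, keep an explicit NULL check before the context is passed to mm_ssh_gssapi_accept_ctx().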
@ -163,8 +164,8 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
recv_tok.value = p;
recv_tok.length = len;
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, &flags));
maj_status = mm_ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, &flags);
free(p);
@ -217,7 +218,7 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
u_char *p;
size_t len;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
@ -228,8 +229,8 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
recv_tok.length = len;
/* Push the error token into GSSAPI to see what it says */
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, NULL));
maj_status = mm_ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, NULL);
free(recv_tok.value);
@ -254,9 +255,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
int r, authenticated;
const char *displayname;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
/*
@ -267,11 +267,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal_fr(r, "parse packet");
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname);
authenticated = mm_ssh_gssapi_userok(authctxt->user);
authctxt->postponed = 0;
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
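Review bot: this hunk (and the matching one in input_gssapi_mic) removes the auth2_record_info(authctxt, "%s", displayname) call, so the GSSAPI principal's display name no longer appears in the authentication log line. That is audit-relevant: operators correlate Kerberos principals to local accounts from this field. If the recording moved to the monitor side as part of the mm_ssh_gssapi_userok() change, a comment here would make that clear; if it was dropped, it should be restored.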
@ -290,11 +286,10 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
int r, authenticated = 0;
struct sshbuf *b;
gss_buffer_desc mic, gssbuf;
const char *displayname;
u_char *p;
size_t len;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
@ -312,18 +307,14 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
fatal_f("sshbuf_mutable_ptr failed");
gssbuf.length = sshbuf_len(b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))
authenticated = mm_ssh_gssapi_userok(authctxt->user);
else
logit("GSSAPI MIC check failed");
sshbuf_free(b);
free(mic.value);
if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname);
authctxt->postponed = 0;
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@ -334,10 +325,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
}
Authmethod method_gssapi = {
"gssapi-with-mic",
NULL,
&methodcfg_gssapi,
userauth_gssapi,
&options.gss_authentication
};
#endif /* GSSAPI */

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-hostbased.c,v 1.52 2023/03/05 05:34:09 dtucker Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.53 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -54,6 +54,7 @@
/* import */
extern ServerOptions options;
extern struct authmethod_cfg methodcfg_hostbased;
static int
userauth_hostbased(struct ssh *ssh, const char *method)
@ -145,10 +146,10 @@ userauth_hostbased(struct ssh *ssh, const char *method)
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
chost, key)) &&
PRIVSEP(sshkey_verify(key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
chost, key) &&
mm_sshkey_verify(key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
authenticated = 1;
auth2_record_key(authctxt, authenticated, key);
@ -252,8 +253,6 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
}
Authmethod method_hostbased = {
"hostbased",
NULL,
&methodcfg_hostbased,
userauth_hostbased,
&options.hostbased_authentication
};

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-kbdint.c,v 1.14 2021/12/19 22:12:07 djm Exp $ */
/* $OpenBSD: auth2-kbdint.c,v 1.15 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -42,6 +42,7 @@
/* import */
extern ServerOptions options;
extern struct authmethod_cfg methodcfg_kbdint;
static int
userauth_kbdint(struct ssh *ssh, const char *method)
@ -65,8 +66,6 @@ userauth_kbdint(struct ssh *ssh, const char *method)
}
Authmethod method_kbdint = {
"keyboard-interactive",
NULL,
&methodcfg_kbdint,
userauth_kbdint,
&options.kbd_interactive_authentication
};

134
auth2-methods.c Normal file

@ -0,0 +1,134 @@
/*
* Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "xmalloc.h"
#include "hostfile.h"
#include "auth.h"
extern ServerOptions options;
/*
* Configuration of enabled authentication methods. Separate from the rest of
* auth2-*.c because we want to query it during server configuration validity
* checking in the sshd listener process without pulling all the auth code in
* too.
*/
/* "none" is allowed only one time and it is cleared by userauth_none() later */
int none_enabled = 1;
struct authmethod_cfg methodcfg_none = {
"none",
NULL,
&none_enabled
};
struct authmethod_cfg methodcfg_pubkey = {
"publickey",
"publickey-hostbound-v00@openssh.com",
&options.pubkey_authentication
};
#ifdef GSSAPI
struct authmethod_cfg methodcfg_gssapi = {
"gssapi-with-mic",
NULL,
&options.gss_authentication
};
#endif
struct authmethod_cfg methodcfg_passwd = {
"password",
NULL,
&options.password_authentication
};
struct authmethod_cfg methodcfg_kbdint = {
"keyboard-interactive",
NULL,
&options.kbd_interactive_authentication
};
struct authmethod_cfg methodcfg_hostbased = {
"hostbased",
NULL,
&options.hostbased_authentication
};
static struct authmethod_cfg *authmethod_cfgs[] = {
&methodcfg_none,
&methodcfg_pubkey,
#ifdef GSSAPI
&methodcfg_gssapi,
#endif
&methodcfg_passwd,
&methodcfg_kbdint,
&methodcfg_hostbased,
NULL
};
/*
* Check a comma-separated list of methods for validity. If need_enable is
* non-zero, then also require that the methods are enabled.
* Returns 0 on success or -1 if the methods list is invalid.
*/
int
auth2_methods_valid(const char *_methods, int need_enable)
{
char *methods, *omethods, *method, *p;
u_int i, found;
int ret = -1;
const struct authmethod_cfg *cfg;
if (*_methods == '\0') {
error("empty authentication method list");
return -1;
}
omethods = methods = xstrdup(_methods);
while ((method = strsep(&methods, ",")) != NULL) {
for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
cfg = authmethod_cfgs[i];
if ((p = strchr(method, ':')) != NULL)
*p = '\0';
if (strcmp(method, cfg->name) != 0)
continue;
if (need_enable) {
if (cfg->enabled == NULL ||
*(cfg->enabled) == 0) {
error("Disabled method \"%s\" in "
"AuthenticationMethods list \"%s\"",
method, _methods);
goto out;
}
}
found = 1;
break;
}
if (!found) {
error("Unknown authentication method \"%s\" in list",
method);
goto out;
}
}
ret = 0;
out:
free(omethods);
return ret;
}
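Review bot: in `auth2_methods_valid` the qualifier strip `if ((p = strchr(method, ':')) != NULL) *p = '\0';` sits inside the loop over `authmethod_cfgs`, so it is re-run for every table entry; hoisting it above the `for` makes the intent (strip a per-method qualifier once) clearer and avoids the repeated scan. The `cfg->enabled == NULL` guard is unreachable as the table stands, since every entry points at a flag, so a comment marking it as defensive would help; and because `methodcfg_none` is in the table, `none` passes this check as a member of an `AuthenticationMethods` list when `none_enabled` is still 1, which is worth stating next to the "cleared by userauth_none() later" comment.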

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-none.c,v 1.25 2023/03/05 05:34:09 dtucker Exp $ */
/* $OpenBSD: auth2-none.c,v 1.26 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -53,9 +53,9 @@
/* import */
extern ServerOptions options;
extern struct authmethod_cfg methodcfg_none;
/* "none" is allowed only one time */
static int none_enabled = 1;
extern int none_enabled;
static int
userauth_none(struct ssh *ssh, const char *method)
@ -66,13 +66,11 @@ userauth_none(struct ssh *ssh, const char *method)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal_fr(r, "parse packet");
if (options.permit_empty_passwd && options.password_authentication)
return (PRIVSEP(auth_password(ssh, "")));
return mm_auth_password(ssh, "");
return (0);
}
Authmethod method_none = {
"none",
NULL,
&methodcfg_none,
userauth_none,
&none_enabled
};

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */
/* $OpenBSD: auth2-passwd.c,v 1.22 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -47,6 +47,7 @@
/* import */
extern ServerOptions options;
extern struct authmethod_cfg methodcfg_passwd;
static int
userauth_passwd(struct ssh *ssh, const char *method)
@ -66,15 +67,13 @@ userauth_passwd(struct ssh *ssh, const char *method)
if (change)
logit("password change not supported");
else if (PRIVSEP(auth_password(ssh, password)) == 1) // CodeQL [SM01714] false positive: password is null terminated
else if (mm_auth_password(ssh, password) == 1)
authenticated = 1;
freezero(password, len);
return authenticated;
}
Authmethod method_passwd = {
"password",
NULL,
&methodcfg_passwd,
userauth_passwd,
&options.password_authentication
};
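Review bot: the replacement line `else if (mm_auth_password(ssh, password) == 1)` drops the `// CodeQL [SM01714] false positive: password is null terminated` suppression that was on the removed line; if the analyzer still flags this call the annotation should be carried over, and if the finding no longer applies a short sentence in the commit description saying so would save a re-triage.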

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.119 2023/07/27 22:25:17 djm Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.120 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@ -72,6 +72,7 @@
/* import */
extern ServerOptions options;
extern struct authmethod_cfg methodcfg_pubkey;
static char *
format_key(const struct sshkey *key)
@ -219,11 +220,11 @@ userauth_pubkey(struct ssh *ssh, const char *method)
#endif
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
PRIVSEP(sshkey_verify(key, sig, slen,
if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
mm_sshkey_verify(key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat, &sig_details)) == 0) {
ssh->compat, &sig_details) == 0) {
authenticated = 1;
}
if (authenticated == 1 && sig_details != NULL) {
@ -281,7 +282,7 @@ userauth_pubkey(struct ssh *ssh, const char *method)
* if a user is not allowed to login. is this an
* issue? -markus
*/
if (PRIVSEP(user_key_allowed(ssh, pw, key, 0, NULL))) {
if (mm_user_key_allowed(ssh, pw, key, 0, NULL)) {
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK))
!= 0 ||
(r = sshpkt_put_cstring(ssh, pkalg)) != 0 ||
@ -813,8 +814,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
}
Authmethod method_pubkey = {
"publickey",
"publickey-hostbound-v00@openssh.com",
&methodcfg_pubkey,
userauth_pubkey,
&options.pubkey_authentication
};

auth2.c (97 lines changed)

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.167 2023/08/28 09:48:11 djm Exp $ */
/* $OpenBSD: auth2.c,v 1.169 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -57,6 +57,7 @@
#endif
#include "monitor_wrap.h"
#include "digest.h"
#include "kex.h"
#ifdef WINDOWS
#include "sshTelemetry.h"
#endif
@ -158,7 +159,7 @@ userauth_banner(struct ssh *ssh)
if (options.banner == NULL)
return;
if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
if ((banner = mm_auth2_read_banner()) == NULL)
goto done;
userauth_send_banner(ssh, banner);
@ -175,6 +176,8 @@ do_authentication2(struct ssh *ssh)
Authctxt *authctxt = ssh->authctxt;
ssh_dispatch_init(ssh, &dispatch_protocol_error);
if (ssh->kex->ext_info_c)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_input_ext_info);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success);
ssh->authctxt = NULL;
@ -214,6 +217,7 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
debug("bad service request %s", service);
ssh_packet_disconnect(ssh, "bad service request %s", service);
}
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &dispatch_protocol_error);
r = 0;
out:
free(service);
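Review bot: `ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &dispatch_protocol_error);` undoes the handler that `do_authentication2` installs, but nothing in the hunk explains why; a one-line comment stating that EXT_INFO is only accepted between key exchange completion and the service request would make the state machine explicit for the next reader.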
@ -290,7 +294,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
auth_maxtries_exceeded(ssh);
if (authctxt->attempt++ == 0) {
/* setup auth context */
authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
authctxt->pw = mm_getpwnamallow(ssh, user);
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
@ -300,22 +304,22 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
/* Invalid user, fake password information */
authctxt->pw = fakepw();
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
mm_audit_event(ssh, SSH_INVALID_USER);
#endif
}
#ifdef USE_PAM
if (options.use_pam)
PRIVSEP(start_pam(ssh));
mm_start_pam(ssh);
#endif
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating " : "invalid ", user);
setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep)
mm_inform_authserv(service, style);
mm_inform_authserv(service, style);
userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
if (auth2_setup_methods_lists(authctxt) != 0)
ssh_packet_disconnect(ssh,
"no authentication methods enabled");
@ -376,7 +380,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
/* prefer primary authmethod name to possible synonym */
if ((m = authmethod_byname(method)) == NULL)
fatal("INTERNAL ERROR: bad method %s", method);
method = m->name;
method = m->cfg->name;
}
/* Special handling for root */
@ -384,7 +388,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
!auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_ROOT_DENIED));
mm_audit_event(ssh, SSH_LOGIN_ROOT_DENIED);
#endif
}
@ -407,7 +411,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
#ifdef USE_PAM
if (options.use_pam && authenticated) {
int r, success = PRIVSEP(do_pam_account());
int r, success = mm_do_pam_account();
/* If PAM returned a message, send it to the user. */
if (sshbuf_len(loginmsg) > 0) {
@ -445,7 +449,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
#endif
auth_maxtries_exceeded(ssh);
}
@ -500,16 +504,16 @@ authmethods_get(Authctxt *authctxt)
if ((b = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(authmethods[i]->name, "none") == 0)
if (strcmp(authmethods[i]->cfg->name, "none") == 0)
continue;
if (authmethods[i]->enabled == NULL ||
*(authmethods[i]->enabled) == 0)
if (authmethods[i]->cfg->enabled == NULL ||
*(authmethods[i]->cfg->enabled) == 0)
continue;
if (!auth2_method_allowed(authctxt, authmethods[i]->name,
if (!auth2_method_allowed(authctxt, authmethods[i]->cfg->name,
NULL))
continue;
if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "",
authmethods[i]->name)) != 0)
authmethods[i]->cfg->name)) != 0)
fatal_fr(r, "buffer error");
}
if ((list = sshbuf_dup_string(b)) == NULL)
@ -526,9 +530,9 @@ authmethod_byname(const char *name)
if (name == NULL)
fatal_f("NULL authentication method name");
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(name, authmethods[i]->name) == 0 ||
(authmethods[i]->synonym != NULL &&
strcmp(name, authmethods[i]->synonym) == 0))
if (strcmp(name, authmethods[i]->cfg->name) == 0 ||
(authmethods[i]->cfg->synonym != NULL &&
strcmp(name, authmethods[i]->cfg->synonym) == 0))
return authmethods[i];
}
debug_f("unrecognized authentication method name: %s", name);
@ -543,11 +547,11 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
if ((method = authmethod_byname(name)) == NULL)
return NULL;
if (method->enabled == NULL || *(method->enabled) == 0) {
if (method->cfg->enabled == NULL || *(method->cfg->enabled) == 0) {
debug3_f("method %s not enabled", name);
return NULL;
}
if (!auth2_method_allowed(authctxt, method->name, NULL)) {
if (!auth2_method_allowed(authctxt, method->cfg->name, NULL)) {
debug3_f("method %s not allowed "
"by AuthenticationMethods", name);
return NULL;
@ -555,53 +559,6 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
return method;
}
/*
* Check a comma-separated list of methods for validity. Is need_enable is
* non-zero, then also require that the methods are enabled.
* Returns 0 on success or -1 if the methods list is invalid.
*/
int
auth2_methods_valid(const char *_methods, int need_enable)
{
char *methods, *omethods, *method, *p;
u_int i, found;
int ret = -1;
if (*_methods == '\0') {
error("empty authentication method list");
return -1;
}
omethods = methods = xstrdup(_methods);
while ((method = strsep(&methods, ",")) != NULL) {
for (found = i = 0; !found && authmethods[i] != NULL; i++) {
if ((p = strchr(method, ':')) != NULL)
*p = '\0';
if (strcmp(method, authmethods[i]->name) != 0)
continue;
if (need_enable) {
if (authmethods[i]->enabled == NULL ||
*(authmethods[i]->enabled) == 0) {
error("Disabled method \"%s\" in "
"AuthenticationMethods list \"%s\"",
method, _methods);
goto out;
}
}
found = 1;
break;
}
if (!found) {
error("Unknown authentication method \"%s\" in list",
method);
goto out;
}
}
ret = 0;
out:
free(omethods);
return ret;
}
/*
* Prune the AuthenticationMethods supplied in the configuration, removing
* any methods lists that include disabled methods. Note that this might

@ -1,4 +1,4 @@
/* $OpenBSD: authfd.c,v 1.133 2023/03/09 21:06:24 jcs Exp $ */
/* $OpenBSD: authfd.c,v 1.134 2023/12/18 14:46:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -504,9 +504,10 @@ encode_dest_constraint(struct sshbuf *m, const struct dest_constraint *dc)
}
static int
encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
const char *provider, struct dest_constraint **dest_constraints,
size_t ndest_constraints)
encode_constraints(struct sshbuf *m, u_int life, u_int confirm,
u_int maxsign, const char *provider,
struct dest_constraint **dest_constraints, size_t ndest_constraints,
int cert_only, struct sshkey **certs, size_t ncerts)
{
int r;
struct sshbuf *b = NULL;
@ -550,6 +551,27 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign,
"restrict-destination-v00@openssh.com")) != 0 ||
(r = sshbuf_put_stringb(m, b)) != 0)
goto out;
sshbuf_free(b);
b = NULL;
}
if (ncerts != 0) {
if ((b = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
for (i = 0; i < ncerts; i++) {
if ((r = sshkey_puts(certs[i], b)) != 0)
goto out;
}
if ((r = sshbuf_put_u8(m,
SSH_AGENT_CONSTRAIN_EXTENSION)) != 0 ||
(r = sshbuf_put_cstring(m,
"associated-certs-v00@openssh.com")) != 0 ||
(r = sshbuf_put_u8(m, cert_only != 0)) != 0 ||
(r = sshbuf_put_stringb(m, b)) != 0)
goto out;
sshbuf_free(b);
b = NULL;
}
r = 0;
out:
@ -607,7 +629,7 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
}
if (constrained &&
(r = encode_constraints(msg, life, confirm, maxsign,
provider, dest_constraints, ndest_constraints)) != 0)
provider, dest_constraints, ndest_constraints, 0, NULL, 0)) != 0)
goto out;
if ((r = ssh_request_reply_decode(sock, msg)) != 0)
goto out;
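Review bot: `ssh_add_identity_constrained` now hard-codes `0, NULL, 0` for the new `cert_only`/`certs`/`ncerts` parameters, so the `associated-certs-v00@openssh.com` constraint cannot be attached to keys added through this path; if that is intentional (only `ssh_update_card` carries certificates), a comment at the call site or in `authfd.h` should say so, otherwise the parameters should be plumbed through here as well.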
@ -662,10 +684,11 @@ ssh_remove_identity(int sock, const struct sshkey *key)
int
ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
u_int life, u_int confirm,
struct dest_constraint **dest_constraints, size_t ndest_constraints)
struct dest_constraint **dest_constraints, size_t ndest_constraints,
int cert_only, struct sshkey **certs, size_t ncerts)
{
struct sshbuf *msg;
int r, constrained = (life || confirm || dest_constraints);
int r, constrained = (life || confirm || dest_constraints || certs);
u_char type;
if (add) {
@ -683,7 +706,8 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
goto out;
if (constrained &&
(r = encode_constraints(msg, life, confirm, 0, NULL,
dest_constraints, ndest_constraints)) != 0)
dest_constraints, ndest_constraints,
cert_only, certs, ncerts)) != 0)
goto out;
if ((r = ssh_request_reply_decode(sock, msg)) != 0)
goto out;
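Review bot: `constrained` in `ssh_update_card` is derived from `certs` being non-NULL (`life || confirm || dest_constraints || certs`), while `encode_constraints` gates the extension on `ncerts != 0`; a caller passing a non-NULL but empty `certs` array would therefore send a constraints block with no certificate extension in it. Using `ncerts != 0` in the `constrained` expression keeps the two checks consistent.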

@ -1,4 +1,4 @@
/* $OpenBSD: authfd.h,v 1.51 2021/12/19 22:10:24 djm Exp $ */
/* $OpenBSD: authfd.h,v 1.52 2023/12/18 14:46:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -56,7 +56,8 @@ int ssh_remove_identity(int sock, const struct sshkey *key);
int ssh_update_card(int sock, int add, const char *reader_id,
const char *pin, u_int life, u_int confirm,
struct dest_constraint **dest_constraints,
size_t ndest_constraints);
size_t ndest_constraints,
int cert_only, struct sshkey **certs, size_t ncerts);
int ssh_remove_all_identities(int sock, int version);
int ssh_agent_sign(int sock, const struct sshkey *key,

@ -515,11 +515,19 @@ sshkey_save_public(const struct sshkey *key, const char *path,
if ((fd = open(path, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
return SSH_ERR_SYSTEM_ERROR;
#ifdef WINDOWS
/* Windows POSIX adapter does not support fdopen() on open(file)
but still want file created with same owner as upstream */
close(fd);
if ((f = fopen(path, "w")) == NULL)
return SSH_ERR_SYSTEM_ERROR;
#else /* WINDOWS */
if ((f = fdopen(fd, "w")) == NULL) {
r = SSH_ERR_SYSTEM_ERROR;
close(fd);
goto fail;
}
#endif /* WINDOWS */
if ((r = sshkey_write(key, f)) != 0)
goto fail;
fprintf(f, " %s\n", comment);
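Review bot: the `WINDOWS` branch handles `fopen` failure differently from the `fdopen` branch: it returns `SSH_ERR_SYSTEM_ERROR` directly instead of setting `r` and jumping to `fail`, so any cleanup at the `fail` label is skipped on that path; both branches should use the same error path. Separately, closing `fd` and reopening `path` by name means the data is written to whatever `path` resolves to at `fopen` time rather than to the descriptor just created with `O_CREAT|O_TRUNC, 0644`; the comment explains why `fdopen` is unavailable but should also state why reopening by name is acceptable here.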

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.433 2023/09/04 00:01:46 djm Exp $ */
/* $OpenBSD: channels.c,v 1.438 2024/05/17 00:30:23 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -93,13 +93,6 @@
/* -- agent forwarding */
#define NUM_SOCKS 10
/* -- tcp forwarding */
/* special-case port number meaning allow any port */
#define FWD_PERMIT_ANY_PORT 0
/* special-case wildcard meaning allow any host */
#define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
@ -214,6 +207,9 @@ struct ssh_channels {
/* Channel timeouts by type */
struct ssh_channel_timeout *timeouts;
size_t ntimeouts;
/* Global timeout for all OPEN channels */
int global_deadline;
time_t lastused;
};
/* helper */
@ -316,6 +312,11 @@ channel_add_timeout(struct ssh *ssh, const char *type_pattern,
{
struct ssh_channels *sc = ssh->chanctxt;
if (strcmp(type_pattern, "global") == 0) {
debug2_f("global channel timeout %d seconds", timeout_secs);
sc->global_deadline = timeout_secs;
return;
}
debug2_f("channel type \"%s\" timeout %d seconds",
type_pattern, timeout_secs);
sc->timeouts = xrecallocarray(sc->timeouts, sc->ntimeouts,
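Review bot: `channel_add_timeout` treats the literal pattern `global` as the session-wide timeout, which means a channel type named `global` can no longer be matched by the per-type path; this reserved word should be called out in the `ChannelTimeout` documentation, and the keyword check may belong in the config parser rather than in `channels.c`, so that one place owns the config syntax.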
@ -376,6 +377,38 @@ channel_set_xtype(struct ssh *ssh, int id, const char *xctype)
c->inactive_deadline);
}
/*
* update "last used" time on a channel.
* NB. nothing else should update lastused except to clear it.
*/
static void
channel_set_used_time(struct ssh *ssh, Channel *c)
{
ssh->chanctxt->lastused = monotime();
if (c != NULL)
c->lastused = ssh->chanctxt->lastused;
}
/*
* Get the time at which a channel is due to time out for inactivity.
* Returns 0 if the channel is not due to time out ever.
*/
static time_t
channel_get_expiry(struct ssh *ssh, Channel *c)
{
struct ssh_channels *sc = ssh->chanctxt;
time_t expiry = 0, channel_expiry;
if (sc->lastused != 0 && sc->global_deadline != 0)
expiry = sc->lastused + sc->global_deadline;
if (c->lastused != 0 && c->inactive_deadline != 0) {
channel_expiry = c->lastused + c->inactive_deadline;
if (expiry == 0 || channel_expiry < expiry)
expiry = channel_expiry;
}
return expiry;
}
/*
* Register filedescriptors for a channel, used when allocating a channel or
* when the channel consumer/producer is ready, e.g. shell exec'd
@ -441,6 +474,8 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
if (efd != -1)
set_nonblock(efd);
}
/* channel might be entering a larval state, so reset global timeout */
channel_set_used_time(ssh, NULL);
}
/*
@ -898,6 +933,23 @@ channel_still_open(struct ssh *ssh)
return 0;
}
/* Returns true if a channel with a TTY is open. */
int
channel_tty_open(struct ssh *ssh)
{
u_int i;
Channel *c;
for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
c = ssh->chanctxt->channels[i];
if (c == NULL || c->type != SSH_CHANNEL_OPEN)
continue;
if (c->client_tty)
return 1;
}
return 0;
}
/* Returns the id of an open channel suitable for keepaliving */
int
channel_find_open(struct ssh *ssh)
@ -1180,7 +1232,7 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
c->type = SSH_CHANNEL_OPEN;
c->lastused = monotime();
channel_set_used_time(ssh, c);
c->local_window = c->local_window_max = window_max;
if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
@ -1352,7 +1404,7 @@ channel_pre_x11_open(struct ssh *ssh, Channel *c)
if (ret == 1) {
c->type = SSH_CHANNEL_OPEN;
c->lastused = monotime();
channel_set_used_time(ssh, c);
channel_pre_open(ssh, c);
} else if (ret == -1) {
logit("X11 connection rejected because of wrong "
@ -2008,7 +2060,7 @@ channel_post_connecting(struct ssh *ssh, Channel *c)
c->self, c->connect_ctx.host, c->connect_ctx.port);
channel_connect_ctx_free(&c->connect_ctx);
c->type = SSH_CHANNEL_OPEN;
c->lastused = monotime();
channel_set_used_time(ssh, c);
if (isopen) {
/* no message necessary */
} else {
@ -2100,7 +2152,7 @@ channel_handle_rfd(struct ssh *ssh, Channel *c)
goto rfail;
}
if (nr != 0)
c->lastused = monotime();
channel_set_used_time(ssh, c);
return 1;
}
@ -2126,7 +2178,7 @@ channel_handle_rfd(struct ssh *ssh, Channel *c)
}
return -1;
}
c->lastused = monotime();
channel_set_used_time(ssh, c);
if (c->input_filter != NULL) {
if (c->input_filter(ssh, c, buf, len) == -1) {
debug2("channel %d: filter stops", c->self);
@ -2207,7 +2259,7 @@ channel_handle_wfd(struct ssh *ssh, Channel *c)
}
return -1;
}
c->lastused = monotime();
channel_set_used_time(ssh, c);
#ifndef BROKEN_TCGETATTR_ICANON
if (c->isatty && dlen >= 1 && buf[0] != '\r') {
if (tcgetattr(c->wfd, &tio) == 0 &&
@ -2256,7 +2308,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c)
if ((r = sshbuf_consume(c->extended, len)) != 0)
fatal_fr(r, "channel %i: consume", c->self);
c->local_consumed += len;
c->lastused = monotime();
channel_set_used_time(ssh, c);
}
return 1;
}
@ -2283,7 +2335,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c)
channel_close_fd(ssh, c, &c->efd);
return 1;
}
c->lastused = monotime();
channel_set_used_time(ssh, c);
if (c->extended_usage == CHAN_EXTENDED_IGNORE)
debug3("channel %d: discard efd", c->self);
else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
@ -2573,10 +2625,9 @@ channel_handler(struct ssh *ssh, int table, struct timespec *timeout)
continue;
}
if (ftab[c->type] != NULL) {
if (table == CHAN_PRE &&
c->type == SSH_CHANNEL_OPEN &&
c->inactive_deadline != 0 && c->lastused != 0 &&
now >= c->lastused + c->inactive_deadline) {
if (table == CHAN_PRE && c->type == SSH_CHANNEL_OPEN &&
channel_get_expiry(ssh, c) != 0 &&
now >= channel_get_expiry(ssh, c)) {
/* channel closed for inactivity */
verbose("channel %d: closing after %u seconds "
"of inactivity", c->self,
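Review bot: `channel_get_expiry(ssh, c)` is evaluated twice in this condition (`!= 0` and `now >= ...`), and the same pattern repeats in the poll-timeout block below; computing it once into a `time_t expiry` local is clearer and avoids recomputing the minimum of the two deadlines per channel per pass. The argument to the `closing after %u seconds of inactivity` message should also be checked, since a close can now be triggered by the global deadline rather than by `c->inactive_deadline`, and reporting the per-channel value in that case would be misleading.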
@ -2588,10 +2639,9 @@ channel_handler(struct ssh *ssh, int table, struct timespec *timeout)
/* inactivity timeouts must interrupt poll() */
if (timeout != NULL &&
c->type == SSH_CHANNEL_OPEN &&
c->lastused != 0 &&
c->inactive_deadline != 0) {
channel_get_expiry(ssh, c) != 0) {
ptimeout_deadline_monotime(timeout,
c->lastused + c->inactive_deadline);
channel_get_expiry(ssh, c));
}
} else if (timeout != NULL) {
/*
@ -3197,9 +3247,8 @@ channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
goto out;
}
/* Record that connection to this host/port is permitted. */
permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
listen_host, NULL, (int)listen_port, downstream);
listen_host = NULL;
permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>",
-1, listen_host, NULL, (int)listen_port, downstream);
break;
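Review bot: dropping `listen_host = NULL;` after `permission_set_add(...)` changes string ownership: the old code handed the pointer to the permission list and forgot it, the new code keeps it, so this is only correct if `permission_set_add` now copies `listen_host`; otherwise the later free of `listen_host` in this function leaves a dangling pointer in the permission set. Please confirm the copy semantics in `permission_set_add` and mention them in the commit message.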
case SSH2_MSG_CHANNEL_CLOSE:
if (have < 4)
@ -3399,11 +3448,20 @@ channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
return 0;
}
if (win_len > c->local_window) {
logit("channel %d: rcvd too much data %zu, win %u",
c->self, win_len, c->local_window);
return 0;
c->local_window_exceeded += win_len - c->local_window;
logit("channel %d: rcvd too much data %zu, win %u/%u "
"(excess %u)", c->self, win_len, c->local_window,
c->local_window_max, c->local_window_exceeded);
c->local_window = 0;
/* Allow 10% grace before bringing the hammer down */
if (c->local_window_exceeded > (c->local_window_max / 10)) {
ssh_packet_disconnect(ssh, "channel %d: peer ignored "
"channel window", c->self);
}
} else {
c->local_window -= win_len;
c->local_window_exceeded = 0;
}
c->local_window -= win_len;
if (c->datagram) {
if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
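Review bot: `local_window_exceeded` accumulates across consecutive over-window packets and is only reset when a packet fits, so the 10% grace is cumulative rather than per-packet; the comment `Allow 10% grace before bringing the hammer down` should say so. Since the `logit` fires on every excess packet until the threshold is crossed, consider whether one message per episode is enough to keep logs readable. Removing the unconditional `c->local_window -= win_len;` is correct: with `c->local_window = 0` in the excess branch it would have underflowed the `u_int`.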
@ -3541,7 +3599,7 @@ channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
debug2_f("channel %d: callback done", c->self);
}
c->lastused = monotime();
channel_set_used_time(ssh, c);
debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
c->remote_window, c->remote_maxpacket);
return 0;
@ -4523,19 +4581,6 @@ channel_update_permission(struct ssh *ssh, int idx, int newport)
}
}
/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
int
permitopen_port(const char *p)
{
int port;
if (strcmp(p, "*") == 0)
return FWD_PERMIT_ANY_PORT;
if ((port = a2port(p)) > 0)
return port;
return -1;
}
/* Try to start non-blocking connect to next host in cctx list */
static int
connect_next(struct channel_connect *cctx)

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.152 2023/09/04 00:01:46 djm Exp $ */
/* $OpenBSD: channels.h,v 1.156 2024/05/23 23:47:16 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -85,7 +85,6 @@
struct ssh;
struct Channel;
typedef struct Channel Channel;
struct fwd_perm_list;
typedef void channel_open_fn(struct ssh *, int, int, void *);
typedef void channel_callback_fn(struct ssh *, int, int, void *);
@ -170,6 +169,7 @@ struct Channel {
u_int remote_window;
u_int remote_maxpacket;
u_int local_window;
u_int local_window_exceeded;
u_int local_window_max;
u_int local_consumed;
u_int local_maxpacket;
@ -324,7 +324,6 @@ int channel_input_ieof(int, u_int32_t, struct ssh *);
int channel_input_oclose(int, u_int32_t, struct ssh *);
int channel_input_open_confirmation(int, u_int32_t, struct ssh *);
int channel_input_open_failure(int, u_int32_t, struct ssh *);
int channel_input_port_open(int, u_int32_t, struct ssh *);
int channel_input_window_adjust(int, u_int32_t, struct ssh *);
int channel_input_status_confirm(int, u_int32_t, struct ssh *);
@ -340,6 +339,7 @@ int channel_output_poll(struct ssh *);
int channel_not_very_much_buffered_data(struct ssh *);
void channel_close_all(struct ssh *);
int channel_still_open(struct ssh *);
int channel_tty_open(struct ssh *);
const char *channel_format_extended_usage(const Channel *);
char *channel_open_message(struct ssh *);
int channel_find_open(struct ssh *);

@ -1,4 +1,4 @@
/* $OpenBSD: cipher.c,v 1.119 2021/04/03 06:18:40 djm Exp $ */
/* $OpenBSD: cipher.c,v 1.121 2024/05/17 02:39:11 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -372,7 +372,7 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
return SSH_ERR_LIBCRYPTO_ERROR;
/* set tag on decyption */
/* set tag on decryption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, (u_char *)src + aadlen + len))
@ -434,27 +434,6 @@ cipher_free(struct sshcipher_ctx *cc)
freezero(cc, sizeof(*cc));
}
/*
* Exports an IV from the sshcipher_ctx required to export the key
* state back from the unprivileged child to the privileged parent
* process.
*/
int
cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
{
const struct sshcipher *c = cc->cipher;
if ((c->flags & CFLAG_CHACHAPOLY) != 0)
return 0;
else if ((c->flags & CFLAG_AESCTR) != 0)
return sizeof(cc->ac_ctx.ctr);
#ifdef WITH_OPENSSL
return EVP_CIPHER_CTX_iv_length(cc->evp);
#else
return 0;
#endif
}
int
cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len)
{

@ -1,4 +1,4 @@
/* $OpenBSD: cipher.h,v 1.55 2020/01/23 10:24:29 dtucker Exp $ */
/* $OpenBSD: cipher.h,v 1.56 2023/10/10 06:49:54 tb Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -73,6 +73,5 @@ u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, size_t);
int cipher_set_keyiv(struct sshcipher_ctx *, const u_char *, size_t);
int cipher_get_keyiv_len(const struct sshcipher_ctx *);
#endif /* CIPHER_H */

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.398 2023/09/10 03:51:55 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -156,7 +156,6 @@ static time_t control_persist_exit_time = 0;
volatile sig_atomic_t quit_pending; /* Set non-zero to quit the loop. */
static int last_was_cr; /* Last character was a newline. */
static int exit_status; /* Used to store the command exit status. */
static struct sshbuf *stderr_buffer; /* Used for final exit message. */
static int connection_in; /* Connection to server (input). */
static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
@ -194,23 +193,24 @@ TAILQ_HEAD(global_confirms, global_confirm);
static struct global_confirms global_confirms =
TAILQ_HEAD_INITIALIZER(global_confirms);
void ssh_process_session2_setup(int, int, int, struct sshbuf *);
static void quit_message(const char *fmt, ...)
__attribute__((__format__ (printf, 1, 2)));
static void
quit_message(const char *fmt, ...)
{
char *msg;
char *msg, *fmt2;
va_list args;
int r;
xasprintf(&fmt2, "%s\r\n", fmt);
va_start(args, fmt);
xvasprintf(&msg, fmt, args);
xvasprintf(&msg, fmt2, args);
va_end(args);
if ((r = sshbuf_putf(stderr_buffer, "%s\r\n", msg)) != 0)
fatal_fr(r, "sshbuf_putf");
(void)atomicio(vwrite, STDERR_FILENO, msg, strlen(msg));
free(msg);
free(fmt2);
quit_pending = 1;
}
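Review bot: `quit_message` now writes straight to stderr with `(void)atomicio(vwrite, STDERR_FILENO, msg, strlen(msg));`, so a short or failed write is silently ignored, whereas the removed `stderr_buffer` flush reported `Write failed flushing stderr buffer.`; if losing that diagnostic is acceptable, say so in the description, otherwise check the return value. Building `fmt2` from `fmt` with `xasprintf(&fmt2, "%s\r\n", fmt)` is fine as long as callers pass literal formats, and the added `__attribute__((__format__ (printf, 1, 2)))` prototype is what keeps that checked at compile time.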
@ -524,7 +524,7 @@ send_chaff(struct ssh *ssh)
{
int r;
if ((ssh->kex->flags & KEX_HAS_PING) == 0)
if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
return 0;
/* XXX probabilistically send chaff? */
/*
@ -597,7 +597,7 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (options.obscure_keystroke_timing_interval <= 0)
return 1; /* disabled in config */
if (!channel_still_open(ssh) || quit_pending) {
if (!channel_tty_open(ssh) || quit_pending) {
/* Stop if no channels left of we're waiting for one to close */
stop_reason = "no active channels";
} else if (ssh_packet_is_rekeying(ssh)) {
@ -615,8 +615,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
} else if (timespeccmp(&now, &next_interval, >=)) {
/* Otherwise if we were due to send, then send chaff */
} else if (timespeccmp(&now, &next_interval, >=) &&
!ssh_packet_have_data_to_write(ssh)) {
/* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}
@ -689,7 +690,7 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
static void
client_wait_until_can_do_something(struct ssh *ssh, struct pollfd **pfdp,
u_int *npfd_allocp, u_int *npfd_activep, int channel_did_enqueue,
int *conn_in_readyp, int *conn_out_readyp)
sigset_t *sigsetp, int *conn_in_readyp, int *conn_out_readyp)
{
struct timespec timeout;
int ret, oready;
@ -736,7 +737,7 @@ client_wait_until_can_do_something(struct ssh *ssh, struct pollfd **pfdp,
ssh_packet_get_rekey_timeout(ssh));
}
ret = ppoll(*pfdp, *npfd_activep, ptimeout_get_tsp(&timeout), NULL);
ret = ppoll(*pfdp, *npfd_activep, ptimeout_get_tsp(&timeout), sigsetp);
if (ret == -1) {
/*
@ -1453,9 +1454,10 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
struct pollfd *pfd = NULL;
u_int npfd_alloc = 0, npfd_active = 0;
double start_time, total_time;
int channel_did_enqueue = 0, r, len;
int channel_did_enqueue = 0, r;
u_int64_t ibytes, obytes;
int conn_in_ready, conn_out_ready;
sigset_t bsigset, osigset;
debug("Entering interactive session.");
session_ident = ssh2_chan_id;
@ -1504,10 +1506,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
quit_pending = 0;
/* Initialize buffer. */
if ((stderr_buffer = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
client_init_dispatch(ssh);
/*
@ -1541,6 +1539,13 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
schedule_server_alive_check();
if (sigemptyset(&bsigset) == -1 ||
sigaddset(&bsigset, SIGHUP) == -1 ||
sigaddset(&bsigset, SIGINT) == -1 ||
sigaddset(&bsigset, SIGQUIT) == -1 ||
sigaddset(&bsigset, SIGTERM) == -1)
error_f("bsigset setup: %s", strerror(errno));
/* Main loop of the client for the interactive session mode. */
while (!quit_pending) {
channel_did_enqueue = 0;
@ -1572,17 +1577,20 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
* message about it to the server if so.
*/
client_check_window_change(ssh);
if (quit_pending)
break;
}
/*
* Wait until we have something to do (something becomes
* available on one of the descriptors).
*/
if (sigprocmask(SIG_BLOCK, &bsigset, &osigset) == -1)
error_f("bsigset sigprocmask: %s", strerror(errno));
if (quit_pending)
break;
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
&npfd_active, channel_did_enqueue,
&npfd_active, channel_did_enqueue, &osigset,
&conn_in_ready, &conn_out_ready);
if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (quit_pending)
break;
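Review bot: if sigprocmask(SIG_BLOCK, ...) fails, osigset is left uninitialized but is still passed to client_wait_until_can_do_something() and then applied with SIG_SETMASK; since the only realistic failure is a programming error, fatal_f() is safer than error_f() and continuing. Otherwise this is the right shape for the lost-wakeup fix: quit_pending is now tested with the terminating signals blocked, and ppoll() swaps the old mask back in atomically for the duration of the wait.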
@ -1628,6 +1636,14 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
/* Terminate the session. */
/*
* In interactive mode (with pseudo tty) display a message indicating
* that the connection has been closed.
*/
if (have_pty && options.log_level >= SYSLOG_LEVEL_INFO)
quit_message("Connection to %s closed.", host);
/* Stop watching for window change. */
ssh_signal(SIGWINCH, SIG_DFL);
@ -1660,27 +1676,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
cleanup_exit(255);
}
/*
* In interactive mode (with pseudo tty) display a message indicating
* that the connection has been closed.
*/
if (have_pty && options.log_level >= SYSLOG_LEVEL_INFO)
quit_message("Connection to %s closed.", host);
/* Output any buffered data for stderr. */
if (sshbuf_len(stderr_buffer) > 0) {
len = atomicio(vwrite, fileno(stderr),
(u_char *)sshbuf_ptr(stderr_buffer),
sshbuf_len(stderr_buffer));
if (len < 0 || (u_int)len != sshbuf_len(stderr_buffer))
error("Write failed flushing stderr buffer.");
else if ((r = sshbuf_consume(stderr_buffer, len)) != 0)
fatal_fr(r, "sshbuf_consume");
}
/* Clear and free any buffers. */
sshbuf_free(stderr_buffer);
/* Report bytes transferred, and transfer rates. */
total_time = monotime_double() - start_time;
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
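Review bot: with the stderr_buffer flush and sshbuf_free() removed here, confirm the stderr_buffer declaration and every writer into it are also gone from this file, and that whatever used to be queued there now reaches stderr through the normal channel path. The "Connection to %s closed." block deleted here is re-added earlier in client_loop() above, so that part is a move rather than a removal.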
@ -1809,7 +1804,7 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
c = channel_new(ssh, "x11",
c = channel_new(ssh, "x11-connection",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
c->force_drain = 1;
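Review bot: the ctype string changes from "x11" to "x11-connection" while the remote_name argument on the following line stays "x11"; if anything compares c->ctype against the old literal (channel listing or the open-confirmation path) it needs the same update. The same check applies to the "agent-connection" and "tun-connection" renames in the next two hunks.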
@ -1844,7 +1839,7 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
else
debug2_fr(r, "ssh_agent_bind_hostkey");
c = channel_new(ssh, "authentication agent connection",
c = channel_new(ssh, "agent-connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
"authentication agent connection", 1);
@ -1872,7 +1867,7 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
@ -2437,25 +2432,6 @@ client_global_hostkeys_prove_confirm(struct ssh *ssh, int type,
client_repledge();
}
/*
* Returns non-zero if the key is accepted by HostkeyAlgorithms.
* Made slightly less trivial by the multiple RSA signature algorithm names.
*/
static int
key_accepted_by_hostkeyalgs(const struct sshkey *key)
{
const char *ktype = sshkey_ssh_name(key);
const char *hostkeyalgs = options.hostkeyalgorithms;
if (key->type == KEY_UNSPEC)
return 0;
if (key->type == KEY_RSA &&
(match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
return 1;
return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
}
/*
* Handle hostkeys-00@openssh.com global request to inform the client of all
* the server's hostkeys. The keys are checked against the user's
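Review bot: the removed static helper handled the RSA case specially, accepting an RSA key when either rsa-sha2-256 or rsa-sha2-512 appears in HostkeyAlgorithms, and rejected KEY_UNSPEC; the replacement hostkey_accepted_by_hostkeyalgs() called in the next hunk lives outside this file, so verify it preserves both behaviours, otherwise hostkeys-00@openssh.com updates for RSA host keys would be silently dropped when the config lists only the SHA-2 names.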
@ -2500,7 +2476,7 @@ client_input_hostkeys(struct ssh *ssh)
debug3_f("received %s key %s", sshkey_type(key), fp); // CodeQL [SM02311]: debug3_f can accept NULL value for fp
free(fp);
if (!key_accepted_by_hostkeyalgs(key)) {
if (!hostkey_accepted_by_hostkeyalgs(key)) {
debug3_f("%s key not permitted by "
"HostkeyAlgorithms", sshkey_ssh_name(key));
continue;

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.37 2020/04/03 02:40:32 djm Exp $ */
/* $OpenBSD: clientloop.h,v 1.38 2024/05/17 06:42:04 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -43,7 +43,6 @@ struct ssh;
int client_loop(struct ssh *, int, int, int);
int client_x11_get_proto(struct ssh *, const char *, const char *,
u_int, u_int, char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(struct ssh *, int, int, int,
const char *, struct termios *, int, struct sshbuf *, char **);
char *client_request_tun_fwd(struct ssh *, int, int, int,
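Review bot: dropping client_global_request_reply_fwd() from the header is only safe if its definition has been removed or made static in clientloop.c; the clientloop.c hunks in this changeset do not show that, so it is worth a grep before merge.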

config.h.in: new file, 2051 lines changed (diff suppressed because it is too large)

configure: vendored executable file, 27691 lines changed (diff suppressed because it is too large)

@ -149,6 +149,7 @@ fi
use_stack_protector=1
use_toolchain_hardening=1
use_retpoline=1
AC_ARG_WITH([stackprotect],
[ --without-stackprotect Don't use compiler's stack protection], [
if test "x$withval" = "xno"; then
@ -159,6 +160,11 @@ AC_ARG_WITH([hardening],
if test "x$withval" = "xno"; then
use_toolchain_hardening=0
fi ])
AC_ARG_WITH([retpoline],
[ --without-retpoline Enable retpoline spectre mitigation], [
if test "x$withval" = "xno"; then
use_retpoline=0
fi ])
# We use -Werror for the tests only so that we catch warnings like "this is
# on by default" for things like -fPIE.
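Review bot: the help text for --without-retpoline reads "Enable retpoline spectre mitigation" but the option disables it (use_retpoline=0); it should say "Disable retpoline spectre mitigation", matching the wording of --without-stackprotect above.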
@ -189,10 +195,11 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
AC_MSG_CHECKING([clang version])
ver="`$CC -v 2>&1`"
if echo "$ver" | grep "Apple" >/dev/null; then
CLANG_VER="apple-`echo "$ver" | \
awk '/Apple LLVM/ {print $4"-"$5}'`"
CLANG_VER=apple-`echo "$ver" | grep 'clang version' | \
$SED 's/.*clang version //g' | $AWK '{print $1}'`
else
CLANG_VER=`echo "$ver" | $AWK '/clang version /{print $3}'`
CLANG_VER=`echo "$ver" | grep 'clang version' | \
$SED 's/.*clang version //g' | $AWK '{print $1}'`
fi
AC_MSG_RESULT([$CLANG_VER])
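Review bot: the new pipeline depends on $SED and $AWK being set, so make sure AC_PROG_SED and AC_PROG_AWK run before this block; an unset variable here would silently yield an empty CLANG_VER and push every clang into the default branch of the -fzero-call-used-regs case further down.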
@ -215,8 +222,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
if test "x$use_toolchain_hardening" = "x1"; then
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
@ -230,12 +235,19 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
# clang 15 seems to have a bug in -fzero-call-used-regs=all. See
# https://bugzilla.mindrot.org/show_bug.cgi?id=3475 and
# https://github.com/llvm/llvm-project/issues/59242
# clang 17 has a different bug that causes an ICE when using this
# flag at all (https://bugzilla.mindrot.org/show_bug.cgi?id=3629)
case "$CLANG_VER" in
15.*|apple*) OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=used]) ;;
*) OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all]) ;;
apple-15*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
17*) ;;
*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
esac
OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
fi
if test "x$use_retpoline" = "x1"; then
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
fi
AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
saved_CFLAGS="$CFLAGS"
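Review bot: every surviving branch now requests -fzero-call-used-regs=used rather than =all, so the register-clearing mitigation is weaker for non-Apple clang other than 17 than it was before; if that is deliberate because the clang 15 bug is not version-bounded, a comment saying so would help. Note also that 17*) matches only the bare LLVM version string, so apple-17* falls through to the default branch, which is only correct if the Apple build does not carry the same ICE. Moving the retpoline flags under their own use_retpoline guard matches the new --without-retpoline option above.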
@ -903,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP])
AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
inet6_default_4in6=yes
case `uname -r` in
1.*|2.0.*)
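Review bot: SYSTEMD_NOTIFY is defined for every Linux build without a library check, so the notify code it enables must not pull in libsystemd at link time; if it is a self-contained socket writer that is fine, otherwise this needs an AC_CHECK_LIB guard rather than an unconditional define.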
@ -1335,6 +1348,13 @@ EOD
AC_DEFINE([BROKEN_SETVBUF], [1],
[LynxOS has broken setvbuf() implementation])
;;
*-*-gnu*)
dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries.
dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
dnl _GNU_SOURCE is needed for setres*id prototypes.
CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
;;
esac
AC_MSG_CHECKING([compiler and flags for sanity])
@ -2063,6 +2083,16 @@ AC_ARG_WITH([security-key-builtin],
[ enable_sk_internal=$withval ]
)
enable_dsa=
AC_ARG_ENABLE([dsa-keys],
[ --enable-dsa-keys enable DSA key support [no]],
[
if test "x$enableval" != "xno" ; then
enable_dsa=1
fi
]
)
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
@ -2719,7 +2749,15 @@ AC_ARG_WITH([ssl-dir],
else
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
dnl Ensure specified openssl binary works, eg it can
dnl find its runtime libraries, before trying to use.
if test -x "${withval}/bin/openssl" && \
"${withval}/bin/openssl" version >/dev/null 2>&1; then
openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
elif test -x "${withval}/apps/openssl" && \
"${withval}/apps/openssl" version >/dev/null 2>&1; then
openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
fi
fi
]
)
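Review bot: when neither ${withval}/bin/openssl nor ${withval}/apps/openssl runs, openssl_bin_PATH is now left unset instead of getting the old combined search path; confirm the later consumer treats an empty value as "search $PATH", otherwise a --with-ssl-dir tree that ships only headers and libraries loses the openssl binary lookup it had before. Putting the specified directory ahead of $PATH is an improvement, since it stops a system openssl from shadowing the requested one.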
@ -2786,8 +2824,8 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([$ssl_header_ver])
],
[
AC_MSG_RESULT([not found])
AC_MSG_ERROR([OpenSSL version header not found.])
AC_MSG_RESULT([failed])
AC_MSG_ERROR([OpenSSL version test program failed.])
],
[
AC_MSG_WARN([cross compiling: not checking])
@ -2851,12 +2889,9 @@ if test "x$openssl" = "xyes" ; then
*) ;; # Assume all other versions are good.
esac
;;
300*)
30*)
# OpenSSL 3; we use the 1.1x API
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
;;
301*|302*)
# OpenSSL development branch; request 1.1x API
# https://openssl.org/policies/general/versioning-policy.html
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
;;
*)
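Review bot: collapsing 300*/301*/302* into 30* also matches every future 3.x release code, which fits the stated intent of using the 1.1 API across the whole 3 series; the versioning-policy URL on the removed branch was the only pointer to why that is safe, so consider keeping it in the surviving comment.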
@ -2990,7 +3025,7 @@ if test "x$openssl" = "xyes" ; then
fi
# Check for OpenSSL without EVP_aes_{192,256}_cbc
AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
AC_MSG_CHECKING([whether OpenSSL lacks support for AES 192/256])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdlib.h>
@ -3140,6 +3175,50 @@ if test "x$openssl" = "xyes" ; then
ecdsa-sha2-nistp521 \
ecdsa-sha2-nistp521-cert-v01@openssh.com"
fi
# Check libcrypto ED25519 support
AC_CHECK_FUNCS([EVP_PKEY_get_raw_public_key])
AC_CHECK_FUNCS([EVP_PKEY_get_raw_private_key])
AC_MSG_CHECKING([whether OpenSSL has ED25519 support])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
unsigned char buf[64];
memset(buf, 0, sizeof(buf));
exit(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
buf, sizeof(buf)) == NULL);
]])],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_HAS_ED25519], [1],
[libcrypto has ed25519 support])
],
[
AC_MSG_RESULT([no])
]
)
openssl_dsa=no
if test ! -z "$enable_dsa" ; then
AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
[ openssl_dsa=yes ],
[ #include <openssl/opensslconf.h> ]
)
],
[ #include <openssl/opensslconf.h> ]
)
AC_MSG_CHECKING([whether to enable DSA key support])
if test "x$openssl_dsa" = "xno"; then
AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
else
AC_MSG_RESULT([yes])
AC_DEFINE([WITH_DSA], [1],
[DSA keys explicitly enabled])
fi
fi
fi
# PKCS11/U2F depend on OpenSSL and dlopen().
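Review bot: the ED25519 probe body calls exit() but its prologue includes only <string.h> and <openssl/evp.h>; if the test CFLAGS carry -Werror, or the compiler rejects implicit function declarations as clang 16 and later do, this link test fails and OPENSSL_HAS_ED25519 is silently left undefined, so add #include <stdlib.h> as the AES probe above does. Because this is AC_LINK_IFELSE the body never executes, so the 64-byte buffer passed as a raw private key is harmless here, but it is not a valid Ed25519 key length and should not be copied into a run test. The DSA block failing hard when DSA is requested but unsupported is the right fail-closed behaviour.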
@ -5265,6 +5344,16 @@ AC_DEFINE_UNQUOTED([_PATH_SSH_PIDDIR], ["$piddir"],
[Specify location of ssh.pid])
AC_SUBST([piddir])
AC_ARG_ENABLE([fd-passing],
[ --disable-fd-passing disable file descriptor passsing [no]],
[
if test "x$enableval" = "xno" ; then
AC_DEFINE([DISABLE_FD_PASSING])
fi
]
)
dnl allow user to disable some login recording features
AC_ARG_ENABLE([lastlog],
[ --disable-lastlog disable use of lastlog even if detected [no]],
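Review bot: typo in the help string: "passsing" should be "passing". The valueless AC_DEFINE matches the bare #define DISABLE_FD_PASSING form used in the Windows config.h later in this changeset, so #ifdef consumers see the same thing on both paths.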
@ -5552,6 +5641,15 @@ AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
# Binaries for interop tests.
AC_PATH_PROG([PLINK], [plink])
AC_PATH_PROG([PUTTYGEN], [puttygen])
AC_PATH_PROG([CONCH], [conch])
AC_PATH_PROG([DROPBEAR], [dropbear])
AC_PATH_PROG([DBCLIENT], [dbclient])
AC_PATH_PROG([DROPBEARKEY], [dropbearkey])
AC_PATH_PROG([DROPBEARCONVERT], [dropbearconvert])
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"

@ -1,4 +1,4 @@
%global ver 9.5p1
%global ver 9.8p1
%global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID
@ -31,10 +31,13 @@
%global build6x 1
%endif
%if 0%{?fedora} >= 26
%global compat_openssl 1
%else
%global compat_openssl 0
%global without_openssl 0
# build without openssl where 1.1.1 is not available
%if 0%{?fedora} <= 28
%global without_openssl 1
%endif
%if 0%{?rhel} <= 7
%global without_openssl 1
%endif
# Do we want kerberos5 support (1=yes 0=no)
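Review bot: both guards are true whenever the macro is undefined: on a non-Fedora host 0%{?fedora} expands to 0 and 0 <= 28 holds, and on any Fedora host 0%{?rhel} expands to 0 and 0 <= 7 holds, so without_openssl ends up 1 on every target and the BuildRequires and --without-openssl blocks below always take the no-OpenSSL path. Guard each test on the macro being present, e.g. %if 0%{?fedora} && 0%{?fedora} <= 28 and %if 0%{?rhel} && 0%{?rhel} <= 7.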
@ -96,11 +99,8 @@ PreReq: initscripts >= 5.00
Requires: initscripts >= 5.20
%endif
BuildRequires: perl
%if %{compat_openssl}
BuildRequires: compat-openssl10-devel
%else
BuildRequires: openssl-devel >= 1.0.1
BuildRequires: openssl-devel < 1.1
%if ! %{without_openssl}
BuildRequires: openssl-devel >= 1.1.1
%endif
BuildRequires: /bin/login
%if ! %{build6x}
@ -214,6 +214,9 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
--mandir=%{_mandir} \
--with-mantype=man \
--disable-strip \
%if %{without_openssl}
--without-openssl \
%endif
%if %{scard}
--with-smartcard \
%endif
@ -272,11 +275,7 @@ make install DESTDIR=$RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%if ! %{no_x11_askpass}
@ -394,6 +393,7 @@ fi
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-session
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
@ -423,6 +423,11 @@ fi
%endif
%changelog
* Mon Oct 16 2023 Fabio Pedretti <pedretti.fabio@gmail.com>
- Remove reference of dropped sshd.pam.old file
- Update openssl-devel dependency to require >= 1.1.1
- Build with --without-openssl elsewhere
* Thu Oct 28 2021 Damien Miller <djm@mindrot.org>
- Remove remaining traces of --with-md5-passwords

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 9.5p1
Version: 9.8p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
@ -211,6 +211,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %dir %{_libdir}/ssh
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
%attr(0755,root,root) %{_libdir}/ssh/sshd-session
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libdir}/ssh/ssh-sk-helper

@ -3,7 +3,6 @@
<!-- KeyPath is necessary for multi-file components to identify the key file - preferrably versioned. -->
<ComponentGroup Id="Client" Directory="INSTALLFOLDER">
<ComponentGroupRef Id="Shared" />
<ComponentGroupRef Id="Manifest" />
<Component>
<File Name="ssh.exe" KeyPath="yes" />
</Component>

@ -38,11 +38,7 @@
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="$(var.ProgramFilesFolder)" Name="Program Files">
<Directory Id="INSTALLFOLDER" Name="OpenSSH" >
<Directory Id="MANIFESTFOLDER" Name="_manifest" >
<Directory Id="SPDXFOLDER" Name="spdx_2.2" />
</Directory>
</Directory>
<Directory Id="INSTALLFOLDER" Name="OpenSSH" />
</Directory>
</Directory>
</Product>

@ -3,13 +3,15 @@
<!-- KeyPath is necessary for multi-file components to identify the key file - preferrably versioned. -->
<ComponentGroup Id="Server" Directory="INSTALLFOLDER">
<ComponentGroupRef Id="Shared" />
<ComponentGroupRef Id="Manifest" />
<Component>
<File Name="sftp-server.exe" KeyPath="yes" />
</Component>
<Component>
<File Name="ssh-shellhost.exe" KeyPath="yes" />
</Component>
<Component>
<File Name="sshd-session.exe" KeyPath="yes" />
</Component>
<Component>
<File Id="sshd.exe" Name="sshd.exe" KeyPath="yes" />
<RegistryKey Root="HKLM" Key="SOFTWARE\OpenSSH" ForceCreateOnInstall="yes">

@ -70,15 +70,6 @@
</Component>
</ComponentGroup>
<ComponentGroup Id="Manifest" Directory="SPDXFOLDER">
<Component>
<File Name="manifest.spdx.json" Source="_manifest\spdx_2.2\manifest.spdx.json" KeyPath="yes" />
</Component>
<Component>
<File Name="manifest.spdx.json.sha256" Source="_manifest\spdx_2.2\manifest.spdx.json.sha256" KeyPath="yes" />
</Component>
</ComponentGroup>
<!-- Automatically add custom actions if referencing the Shared component group. -->
<SetProperty Id="SetPrivilegesOnSshAgent" Value="&quot;[SystemFolder]sc.exe&quot; privs ssh-agent SeAssignPrimaryTokenPrivilege/SeTcbPrivilege/SeBackupPrivilege/SeRestorePrivilege/SeImpersonatePrivilege" Sequence="execute" Before="SetPrivilegesOnSshAgent" />
<CustomAction Id="SetPrivilegesOnSshAgent" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />

@ -1,10 +0,0 @@
# escape=`
#0.3.6 (no powershell 6)
FROM balu1202/openssh-dockerbuildimage-ltsc2019-new:latest
SHELL ["PowerShell.exe", "-command"]
RUN Set-ExecutionPolicy Unrestricted
COPY ./OpenSSH-build.ps1 /OpenSSH-build.ps1
ENTRYPOINT ["powershell", "-executionpolicy", "unrestricted"]

@ -1,7 +1,7 @@
[cmdletbinding()]
# PowerShell Script to clone, build and package PowerShell from specified fork and branch
param (
[string] $repolocation = "$pwd\openssh-portable",
[string] $repolocation = "$PSScriptRoot\..\..\..",
[string] $destination = "$env:WORKSPACE",
[ValidateSet('x86', 'x64', 'arm64', 'arm')]
[String]$NativeHostArch = 'x64',

@ -317,7 +317,7 @@ function Start-OpenSSHPackage
}
$buildDir = Join-Path $repositoryRoot ("bin\" + $folderName + "\" + $Configuration)
$payload = "sshd.exe", "ssh.exe", "ssh-agent.exe", "ssh-add.exe", "sftp.exe"
$payload = "sshd.exe", "sshd-session.exe", "ssh.exe", "ssh-agent.exe", "ssh-add.exe", "sftp.exe"
$payload += "sftp-server.exe", "scp.exe", "ssh-shellhost.exe", "ssh-keygen.exe", "ssh-keyscan.exe", "ssh-sk-helper.exe", "ssh-pkcs11-helper.exe"
$payload += "sshd_config_default", "install-sshd.ps1", "uninstall-sshd.ps1"
$payload += "FixHostFilePermissions.ps1", "FixUserFilePermissions.ps1", "OpenSSHUtils.psm1", "OpenSSHUtils.psd1"

@ -1,13 +1,13 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.27027.1
# Visual Studio Version 17
VisualStudioVersion = 17.10.35027.167
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh", "ssh.vcxproj", "{74E69D5E-A1EF-46EA-9173-19A412774104}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libssh", "libssh.vcxproj", "{05E1115F-8529-46D0-AAAF-52A404CE79A7}"
@ -23,33 +23,33 @@ EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-keygen", "keygen.vcxproj", "{47496135-131B-41D6-BF2B-EE7144873DD0}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sftp", "sftp.vcxproj", "{BBEFF9D7-0BC3-41D1-908B-8052158B5052}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sftp-server", "sftp-server.vcxproj", "{6657614F-7821-4D55-96EF-7C3C4B551880}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sshd", "sshd.vcxproj", "{F58FF6BA-098B-4DB9-9609-A030DFB4D03F}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "config", "config.vcxproj", "{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}"
@ -68,72 +68,72 @@ EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-agent", "ssh-agent.vcxproj", "{F6644EC5-D6B6-42A1-828C-75E2977470E0}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-add", "ssh-add.vcxproj", "{029797FF-C986-43DE-95CD-2E771E86AEBC}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scp", "scp.vcxproj", "{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-bitmap", "unittest-bitmap.vcxproj", "{D901596E-76C7-4608-9CFA-2B42A9FD7250}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-kex", "unittest-kex.vcxproj", "{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-sshbuf", "unittest-sshbuf.vcxproj", "{CD9740CE-C96E-49B3-823F-012E09D17806}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-win32compat", "unittest-win32compat.vcxproj", "{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-hostkeys", "unittest-hostkeys.vcxproj", "{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-sshkey", "unittest-sshkey.vcxproj", "{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "core", "core", "{17322AAF-808F-4646-AD37-5B0EDDCB8F3E}"
@ -143,41 +143,49 @@ EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-match", "unittest-match.vcxproj", "{484A8CDE-B949-4BDA-B447-74685C8E032F}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-misc", "unittest-misc.vcxproj", "{0B527504-2AF5-4E6E-A84F-10BADFAEDA88}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-keyscan", "ssh-keyscan.vcxproj", "{7D0A75FC-F366-4B60-B72F-B37C3EA07CCA}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-sk-helper", "ssh-sk-helper.vcxproj", "{7D0A75FC-F366-4B60-B72F-B37C3EA07CCB}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-pkcs11-helper", "ssh-pkcs11-helper.vcxproj", "{21D772C3-0EB0-47B7-A93C-FF624675A58D}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sshd-session", "sshd-session.vcxproj", "{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8F9D3B74-8D33-448E-9762-26E8DCC6B2F4} = {8F9D3B74-8D33-448E-9762-26E8DCC6B2F4}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
EndProjectSection
EndProject
Global
@ -576,6 +584,22 @@ Global
{21D772C3-0EB0-47B7-A93C-FF624675A58D}.Release|x64.Build.0 = Release|x64
{21D772C3-0EB0-47B7-A93C-FF624675A58D}.Release|x86.ActiveCfg = Release|Win32
{21D772C3-0EB0-47B7-A93C-FF624675A58D}.Release|x86.Build.0 = Release|Win32
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|ARM.ActiveCfg = Debug|ARM
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|ARM.Build.0 = Debug|ARM
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|ARM64.ActiveCfg = Debug|ARM64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|ARM64.Build.0 = Debug|ARM64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|x64.ActiveCfg = Debug|x64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|x64.Build.0 = Debug|x64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|x86.ActiveCfg = Debug|Win32
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Debug|x86.Build.0 = Debug|Win32
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|ARM.ActiveCfg = Release|ARM
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|ARM.Build.0 = Release|ARM
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|ARM64.ActiveCfg = Release|ARM64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|ARM64.Build.0 = Release|ARM64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|x64.ActiveCfg = Release|x64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|x64.Build.0 = Release|x64
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|x86.ActiveCfg = Release|Win32
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
@ -605,6 +629,7 @@ Global
{7D0A75FC-F366-4B60-B72F-B37C3EA07CCA} = {17322AAF-808F-4646-AD37-5B0EDDCB8F3E}
{7D0A75FC-F366-4B60-B72F-B37C3EA07CCB} = {17322AAF-808F-4646-AD37-5B0EDDCB8F3E}
{21D772C3-0EB0-47B7-A93C-FF624675A58D} = {17322AAF-808F-4646-AD37-5B0EDDCB8F3E}
{86D5F580-EFB0-4BEA-96B7-7181F9BC6171} = {17322AAF-808F-4646-AD37-5B0EDDCB8F3E}
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {0AC224E8-C215-4270-954A-A2ACEE06DE58}

@ -102,7 +102,7 @@
/* Define if your platform needs to skip post auth
file descriptor passing */
/* #undef DISABLE_FD_PASSING */
#define DISABLE_FD_PASSING
/* Define if you don't want to use lastlog */
/* #undef DISABLE_LASTLOG */
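Review bot: `#define DISABLE_FD_PASSING` is turned on with no comment saying why the Win32 port has to skip post-auth descriptor passing; the boilerplate comment above it only describes the option. Since this changes how the privileged monitor hands descriptors to the post-auth process, a one-line rationale next to the define (or in the commit message) would save the next reader a trip through the history.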
@ -207,13 +207,13 @@
/* #undef HAVE_ADDR_V6_IN_UTMPX */
/* Define to 1 if you have the `arc4random' function. */
#define HAVE_ARC4RANDOM 1
/* #undef HAVE_ARC4RANDOM */
/* Define to 1 if you have the `arc4random_buf' function. */
#define HAVE_ARC4RANDOM_BUF 1
/* #undef HAVE_ARC4RANDOM_BUF */
/* Define to 1 if you have the `arc4random_uniform' function. */
#define HAVE_ARC4RANDOM_UNIFORM 1
/* #undef HAVE_ARC4RANDOM_UNIFORM */
/* Define to 1 if you have the `asprintf' function. */
/* #undef HAVE_ASPRINTF */
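Review bot: flipping HAVE_ARC4RANDOM, HAVE_ARC4RANDOM_BUF and HAVE_ARC4RANDOM_UNIFORM from `#define ... 1` to `#undef` moves every arc4random caller in the tree onto the openbsd-compat implementation. That is a CSPRNG change and should be stated in the commit message. The openbsd_compat project hunks later in this diff add bsd-getentropy.c, arc4random_uniform.c and arc4random_win.h, so presumably the compat generator is now seeded through getentropy; please say so explicitly and confirm that whatever previously supplied `arc4random` when the macro was defined is no longer linked, so that two generators cannot both be in play.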
@ -349,7 +349,7 @@
/* #undef HAVE_DEV_PTS_AND_PTC */
/* Define to 1 if you have the <dirent.h> header file. */
/* #undef HAVE_DIRENT_H
/* #undef HAVE_DIRENT_H */
/* Define to 1 if you have the `dirfd' function. */
/* #undef HAVE_DIRFD */
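Review bot: good fix: the old `/* #undef HAVE_DIRENT_H` line had no closing `*/`, so the comment ran on until the next `*/` and silently swallowed whatever followed it. Worth a quick scan of the rest of this config.h for other unterminated `/*` lines, since the same copy-paste pattern produced this one.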
@ -1698,7 +1698,7 @@
#define HAVE_BZERO 1
#define PATH_MAX 32768
#define S_IFIFO 0x1000
#define S_IFIFO 0x1000
#define HAVE_EXPLICIT_BZERO
#define HAVE_MBTOWC 1
#define HAVE_LLABS 1
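Review bot: the `#define S_IFIFO 0x1000` line is removed and re-added with identical visible text, and the `#define umac128_update umac_update` hunk that follows does the same, so both look like whitespace-only (tab versus space) edits. If that is what they are, say so in the commit message or keep them out of a diff that also changes the RNG and fd-passing configuration, so reviewers are not left hunting for an invisible change.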
@ -1713,7 +1713,7 @@
#define __STDC__ 1
#define umac128_new umac_new
#define umac128_update umac_update
#define umac128_update umac_update
#define umac_final umac128_final
#define umac_delete umac128_delete
@ -1727,7 +1727,6 @@
#define _PATH_LS "dir"
#define _PATH_DEVNULL "NUL"
#define FORK_NOT_SUPPORTED
#define HAVE_FREEZERO
#define FILESYSTEM_NO_BACKSLASH
#define HAVE_LOCALTIME_R
#define HAVE_DECL_MEMMEM 0
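Review bot: dropping `#define HAVE_FREEZERO` means freezero() now comes from openbsd-compat\freezero.c, which this diff adds to the openbsd_compat project. freezero is the helper OpenSSH uses to wipe key material before freeing it, so please confirm the compat version is compiled with HAVE_EXPLICIT_BZERO (still defined a few lines above) in effect and calls explicit_bzero rather than a plain memset, which the optimizer is free to drop on a buffer that is about to be freed.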

@ -450,6 +450,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)ssh-sk.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshbuf-io.c" />
<ClCompile Include="..\..\..\cipher-chachapoly-libcrypto.c" />
<ClCompile Include="..\..\..\kex-names.c" />
<ClCompile Include="..\win32compat\spawn-ext.c" />
</ItemGroup>
<ItemGroup>

@ -22,8 +22,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)ed25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)entropy.c" />
<ClCompile Include="$(OpenSSH-Src-Path)fatal.c" />
<ClCompile Include="$(OpenSSH-Src-Path)fe25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ge25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)gss-genr.c" />
<ClCompile Include="$(OpenSSH-Src-Path)hash.c" />
<ClCompile Include="$(OpenSSH-Src-Path)hmac.c" />
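Review bot: fe25519.c and ge25519.c here, sc25519.c in the next hunk and verify.c two hunks down are the field, group, scalar and constant-time-compare helpers of the bundled Ed25519 reference implementation, while ed25519.c and hash.c stay listed; that only builds if the ed25519.c now in the tree is self-contained, so the commit message should name the upstream OpenSSH version this syncs to. These removals also appear in only one of the two libssh project files visible in this diff (the other shows just the kex-names.c addition), so please confirm both the .vcxproj and the .vcxproj.filters drop the same four files.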
@ -42,7 +40,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)nchan.c" />
<ClCompile Include="$(OpenSSH-Src-Path)packet.c" />
<ClCompile Include="$(OpenSSH-Src-Path)poly1305.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sc25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)smult_curve25519_ref.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-dss.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-ecdsa.c" />
@ -70,7 +67,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)progressmeter.c" />
<ClCompile Include="$(OpenSSH-Src-Path)readpass.c" />
<ClCompile Include="$(OpenSSH-Src-Path)rijndael.c" />
<ClCompile Include="$(OpenSSH-Src-Path)verify.c" />
<ClCompile Include="$(OpenSSH-Src-Path)xmalloc.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexgexs.c" />
<ClCompile Include="$(OpenSSH-Src-Path)platform-misc.c" />
@ -84,6 +80,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)sshbuf-io.c" />
<ClCompile Include="..\win32compat\spawn-ext.c" />
<ClCompile Include="..\..\..\cipher-chachapoly-libcrypto.c" />
<ClCompile Include="..\..\..\kex-names.c" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="$(OpenSSH-Src-Path)addrmatch.c">
@ -119,9 +116,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)cipher-chachapoly.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)cipher-ctr.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)cipher.c">
<Filter>Source Files</Filter>
</ClCompile>
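Review bot: cipher-ctr.c is removed from the Source Files filter here, but no hunk in this diff shows it leaving the ClCompile list of the other libssh project file. If that removal is missing, MSBuild will still try to compile a file upstream no longer ships and the build breaks at the next source sync; if it is in a hunk not shown, ignore this.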

@ -58,6 +58,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-waitpid.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\daemon.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\dirname.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\freezero.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\explicit_bzero.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\fake-rfc2553.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\fmt_scaled.c" />
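Review bot: style: freezero.c is inserted between dirname.c and explicit_bzero.c, breaking the alphabetical order the rest of this ItemGroup keeps (bsd-waitpid, daemon, dirname, explicit_bzero, fake-rfc2553, fmt_scaled), and the same placement is repeated in the .filters hunk further down. Putting it after fmt_scaled.c, where it sorts, keeps future merges of this list conflict-free.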
@ -102,7 +103,10 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\glob.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strcasestr.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strndup.c" />
<ClCompile Include="..\..\..\openbsd-compat\arc4random_uniform.c" />
<ClCompile Include="..\..\..\openbsd-compat\bsd-getentropy.c" />
<ClCompile Include="..\..\..\openbsd-compat\bsd-pselect.c" />
<ClCompile Include="..\..\..\openbsd-compat\bsd-timegm.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\base64.h" />
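Review bot: the three new entries use a bare `..\..\..\openbsd-compat\` path while the entries above them use `$(OpenSSH-Src-Path)openbsd-compat\`; paths.targets defines OpenSSH-Src-Path as `$(SolutionDir)..\..\..\`, so the two forms only coincide while this project lives in the solution directory. The existing bsd-pselect.c line already has the bare form, so this is an inherited inconsistency, but new lines should use the property. Separately, bsd-getentropy.c together with arc4random_uniform.c is what backs the arc4random change in config.h, so this hunk and that one belong under the same commit-message explanation.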
@ -136,6 +140,7 @@
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\sys-queue.h" />
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\sys-tree.h" />
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\vis.h" />
<ClInclude Include="..\..\..\openbsd-compat\arc4random_win.h" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{DD483F7D-C553-4740-BC1A-903805AD0174}</ProjectGuid>

@ -75,6 +75,9 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\dirname.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\freezero.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\explicit_bzero.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -216,6 +219,15 @@
<ClCompile Include="..\..\..\openbsd-compat\bsd-pselect.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\openbsd-compat\bsd-timegm.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\openbsd-compat\arc4random_uniform.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\openbsd-compat\bsd-getentropy.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\base64.h">
@ -311,5 +323,8 @@
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\vis.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="..\..\..\openbsd-compat\arc4random_win.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>
</Project>
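Review bot: the closing `</Project>` is removed and re-added with identical visible text (the hunk header reads -5/+8 for three added ClInclude lines), which is the signature of a trailing-newline or line-ending change. Harmless, but cleaner to keep such whitespace fixes out of a hunk that also changes the file list.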

@ -4,11 +4,11 @@
<OpenSSH-Src-Path>$(SolutionDir)..\..\..\</OpenSSH-Src-Path>
<OpenSSH-Bin-Path>$(SolutionDir)..\..\..\bin\</OpenSSH-Bin-Path>
<OpenSSH-Lib-Path>$(SolutionDir)lib\</OpenSSH-Lib-Path>
<LibreSSLVersion>3.8.2.0</LibreSSLVersion>
<ZLibVersion>1.3</ZLibVersion>
<fido2Version>1.14.0</fido2Version>
<LibreSSLVersion>4.0.0.0</LibreSSLVersion>
<ZLibVersion>1.3.1</ZLibVersion>
<fido2Version>1.15.0</fido2Version>
<!--libcbor version is not used in the build; it is needed for pipeline compliance tasks-->
<libcborVersion>0.10.1</libcborVersion>
<libcborVersion>0.11.0</libcborVersion>
<LibreSSL-Path>$(SolutionDir)\LibreSSL\sdk\</LibreSSL-Path>
<LibreSSL-x86-Path>$(SolutionDir)\LibreSSL\bin\desktop\x86\</LibreSSL-x86-Path>
<LibreSSL-x64-Path>$(SolutionDir)\LibreSSL\bin\desktop\x64\</LibreSSL-x64-Path>
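Review bot: four dependency pins move in one hunk (LibreSSL 3.8.2.0 to 4.0.0.0, zlib 1.3 to 1.3.1, libfido2 1.14.0 to 1.15.0, libcbor 0.10.1 to 0.11.0). The LibreSSL bump crosses a major version, so the commit message should state which platforms were built and tested against the new SDK and which upstream releases the new binaries correspond to; because the updated archive shows up only as "Binary file not shown", recording the upstream checksums in the commit message is the only way a reviewer can verify what was pinned. The libcbor comment already says it is not linked into the build, so that bump is pipeline-only.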

Binary file not shown.

@ -0,0 +1,484 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="paths.targets" />
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{86D5F580-EFB0-4BEA-96B7-7181F9BC6171}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>keygen</RootNamespace>
<WindowsTargetPlatformVersion>$(WindowsSDKVersion)</WindowsTargetPlatformVersion>
<ProjectName>sshd-session</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(OpenSSH-Bin-Path)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\$(TargetName)\</IntDir>
<IncludePath>$(OpenSSH-Src-Path)contrib\win32\win32compat\inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level1</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;WIN32;_DEBUG;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-x86-Path);$(ZLib-x86-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 /ignore:4098 /CETCOMPAT %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level1</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;WIN32;_DEBUG;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-x64-Path);$(ZLib-x64-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 /ignore:4098 /CETCOMPAT %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level1</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;WIN32;_DEBUG;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-arm64-Path);$(ZLib-arm64-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 /ignore:4098 %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level1</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;WIN32;_DEBUG;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-arm-Path);$(ZLib-arm-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 /ignore:4098 %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level1</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-x86-Path);$(ZLib-x86-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<FullProgramDatabaseFile>true</FullProgramDatabaseFile>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 /CETCOMPAT %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level1</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<WholeProgramOptimization>true</WholeProgramOptimization>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-x64-Path);$(ZLib-x64-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<FullProgramDatabaseFile>true</FullProgramDatabaseFile>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 /CETCOMPAT %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<WarningLevel>Level1</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<WholeProgramOptimization>true</WholeProgramOptimization>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-arm64-Path);$(ZLib-arm64-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<FullProgramDatabaseFile>true</FullProgramDatabaseFile>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<WarningLevel>Level1</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>_CRT_DECLARE_NONSTDC_NAMES=0;_WIN32_WINNT=0x601;;_LIB;_CRT_SECURE_NO_WARNINGS;_CRT_NONSTDC_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>$(SolutionDir);$(LibreSSL-Path)include;$(ZLib-Path);$(OpenSSH-Src-Path)includes;$(OpenSSH-Src-Path);$(OpenSSH-Src-Path)contrib\win32\win32compat;$(OpenSSH-Src-Path)libkrb;$(OpenSSH-Src-Path)libkrb\libKrb5;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<WholeProgramOptimization>true</WholeProgramOptimization>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalOptions>/Gy /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>posix_compat.lib;libssh.lib;openbsd_compat.lib;zlib.lib;$(SSLLib)$(AdditionalDependentLibs);%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(LibreSSL-arm-Path);$(ZLib-arm-Path);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
<FullProgramDatabaseFile>true</FullProgramDatabaseFile>
<ShowProgress>NotSet</ShowProgress>
<AdditionalOptions>/debug /debugtype:cv,fixup /opt:ref /opt:icf /incremental:no /ignore:4099 %(AdditionalOptions)</AdditionalOptions>
</Link>
<Manifest>
<AdditionalManifestFiles>targetos.manifest</AdditionalManifestFiles>
</Manifest>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="$(OpenSSH-Src-Path)audit-bsm.c" />
<ClCompile Include="$(OpenSSH-Src-Path)audit-linux.c" />
<ClCompile Include="$(OpenSSH-Src-Path)audit.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-bsdauth.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-krb5.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-options.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-pam.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-passwd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-rhosts.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-shadow.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-sia.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-chall.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-gss.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-hostbased.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-kbdint.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-none.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-passwd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-pubkey.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2.c" />
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv-krb5.c" />
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv.c" />
<ClCompile Include="$(OpenSSH-Src-Path)loginrec.c" />
<ClCompile Include="$(OpenSSH-Src-Path)monitor.c" />
<ClCompile Include="$(OpenSSH-Src-Path)monitor_wrap.c" />
<ClCompile Include="$(OpenSSH-Src-Path)platform.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-capsicum.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-darwin.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-null.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-rlimit.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-seccomp-filter.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-systrace.c" />
<ClCompile Include="$(OpenSSH-Src-Path)servconf.c" />
<ClCompile Include="$(OpenSSH-Src-Path)serverloop.c" />
<ClCompile Include="$(OpenSSH-Src-Path)session.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshd-session.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshlogin.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_groupaccess.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_sshpty.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\w32-doexec.c" />
<ClCompile Include="..\..\..\auth2-methods.c" />
<ClCompile Include="..\..\..\auth2-pubkeyfile.c" />
<ClCompile Include="..\..\..\misc.c" />
<ClCompile Include="..\..\..\srclimit.c" />
<ClCompile Include="..\..\..\ssh-sk-client.c" />
<ClCompile Include="..\..\..\sshkey.c" />
<ClCompile Include="..\win32compat\win32-utf8.c" />
<ClCompile Include="..\win32compat\wmain_sshd-session.c" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

@ -0,0 +1,171 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="$(OpenSSH-Src-Path)audit-bsm.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)audit-linux.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)audit.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-bsdauth.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-krb5.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-options.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-pam.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-passwd.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-rhosts.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-shadow.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-sia.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-chall.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-gss.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-hostbased.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-kbdint.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-none.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-passwd.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-pubkey.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv-krb5.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)loginrec.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)monitor.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)monitor_wrap.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)platform.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-capsicum.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-darwin.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-null.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-rlimit.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-seccomp-filter.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-systrace.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)servconf.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)serverloop.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)session.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sshd-session.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sshlogin.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_sshpty.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_groupaccess.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\w32-doexec.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\win32compat\win32-utf8.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\srclimit.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\ssh-sk-client.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\auth2-pubkeyfile.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\misc.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\sshkey.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\auth2-methods.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\win32compat\wmain_sshd-session.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>

@ -428,28 +428,9 @@
<ClCompile Include="$(OpenSSH-Src-Path)audit-bsm.c" />
<ClCompile Include="$(OpenSSH-Src-Path)audit-linux.c" />
<ClCompile Include="$(OpenSSH-Src-Path)audit.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-bsdauth.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-krb5.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-options.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-pam.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-passwd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-rhosts.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-shadow.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth-sia.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-chall.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-gss.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-hostbased.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-kbdint.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-none.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-passwd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2-pubkey.c" />
<ClCompile Include="$(OpenSSH-Src-Path)auth2.c" />
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv-krb5.c" />
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv.c" />
<ClCompile Include="$(OpenSSH-Src-Path)loginrec.c" />
<ClCompile Include="$(OpenSSH-Src-Path)monitor.c" />
<ClCompile Include="$(OpenSSH-Src-Path)monitor_wrap.c" />
<ClCompile Include="$(OpenSSH-Src-Path)platform.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-capsicum.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-darwin.c" />
@ -458,17 +439,15 @@
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-seccomp-filter.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sandbox-systrace.c" />
<ClCompile Include="$(OpenSSH-Src-Path)servconf.c" />
<ClCompile Include="$(OpenSSH-Src-Path)serverloop.c" />
<ClCompile Include="$(OpenSSH-Src-Path)session.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshlogin.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_groupaccess.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_sshpty.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_sshd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\w32-doexec.c" />
<ClCompile Include="..\..\..\auth2-pubkeyfile.c" />
<ClCompile Include="..\..\..\auth2-methods.c" />
<ClCompile Include="..\..\..\misc.c" />
<ClCompile Include="..\..\..\platform-listen.c" />
<ClCompile Include="..\..\..\srclimit.c" />
<ClCompile Include="..\..\..\ssh-sk-client.c" />
<ClCompile Include="..\..\..\sshkey.c" />

@ -24,57 +24,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)audit.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-bsdauth.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-krb5.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-options.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-pam.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-passwd.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-rhosts.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-shadow.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth-sia.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-chall.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-gss.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-hostbased.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-kbdint.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-none.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-passwd.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2-pubkey.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)auth2.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)gss-serv-krb5.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -84,12 +33,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)loginrec.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)monitor.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)monitor_wrap.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)platform.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -114,12 +57,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)servconf.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)serverloop.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)session.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -138,9 +75,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\win32_groupaccess.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\w32-doexec.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\win32compat\win32-utf8.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -150,15 +84,18 @@
<ClCompile Include="..\..\..\ssh-sk-client.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\auth2-pubkeyfile.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\misc.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\sshkey.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\auth2-methods.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\platform-listen.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc">

@ -12,7 +12,6 @@
#ListenAddress ::
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
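Review bot: dropping the commented `#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key` line from the sample config is consistent with the 9.8 code base this branch moves to (where DSA is off by default), but it deserves a sentence in the release notes: an administrator who copied the old sample and uncommented the DSA HostKey line will have sshd refuse that key after upgrade, and this hunk only changes the template, not any migration or documentation.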
@ -61,12 +60,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

@ -51,8 +51,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 9,5,0,0
PRODUCTVERSION 9,5,0,0
FILEVERSION 9,8,2,0
PRODUCTVERSION 9,8,2,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@ -67,9 +67,9 @@ BEGIN
BEGIN
BLOCK "040904b0"
BEGIN
VALUE "FileVersion", "9.5.0.0"
VALUE "FileVersion", "9.8.2.0"
VALUE "ProductName", "OpenSSH for Windows"
VALUE "ProductVersion", "OpenSSH_9.5p1 for Windows"
VALUE "ProductVersion", "OpenSSH_9.8p2 for Windows"
END
END
BLOCK "VarFileInfo"

@ -435,14 +435,20 @@ file_in_chroot_jail(HANDLE handle) {
return 1;
}
return file_in_chroot_jail_helper(final_path);
}
/* returns 1 if true, 0 otherwise */
int
file_in_chroot_jail_helper(wchar_t* final_path) {
/* ensure final path is within chroot */
to_wlower_case(final_path);
if ((wcslen(final_path) < wcslen(chroot_pathw)) ||
memcmp(final_path, chroot_pathw, 2 * wcslen(chroot_pathw)) != 0 ||
final_path[wcslen(chroot_pathw)] != '\\') {
memcmp(final_path, chroot_pathw, 2 * wcslen(chroot_pathw)) != 0 ||
final_path[wcslen(chroot_pathw)] != '\\') {
debug3("access denied due to attempt to escape chroot jail");
return 0;
}
return 1;
}
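Review bot: the contract of the new `file_in_chroot_jail_helper` is stronger than its comment says: `to_wlower_case(final_path)` rewrites the caller's buffer in place, and the `memcmp` only works if `chroot_pathw` is itself already lowercased. State both in the comment above the function (currently just "returns 1 if true, 0 otherwise") so the new caller in `fileio_symlink` and any future one know they must pass a writable, owned buffer. Also note the edge case: a `final_path` exactly equal to the jail root is rejected, because `final_path[wcslen(chroot_pathw)]` is then the terminator rather than `'\\'`; if a target that is the jail root itself is legitimate, handle that equality explicitly rather than letting it fall into the "escape" branch. Minor: compare against `L'\\'` for a `wchar_t`.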
@ -1268,6 +1274,7 @@ fileio_symlink(const char *target, const char *linkpath)
DWORD ret = -1;
char target_modified[PATH_MAX] = { 0 };
char *linkpath_resolved = NULL, *target_resolved = NULL;
wchar_t *linkpath_utf16 = NULL, *resolved_target_utf16 = NULL, *resolved_target_chroot = NULL;
if (target == NULL || linkpath == NULL) {
errno = EFAULT;
@ -1301,13 +1308,21 @@ fileio_symlink(const char *target, const char *linkpath)
strcpy_s(target_modified, _countof(target_modified), target_resolved);
}
wchar_t *linkpath_utf16 = resolved_path_utf16(linkpath);
wchar_t *resolved_target_utf16 = utf8_to_utf16(target_modified);
if (resolved_target_utf16 == NULL || linkpath_utf16 == NULL) {
if ((linkpath_utf16 = resolved_path_utf16(linkpath)) == NULL ||
(resolved_target_utf16 = utf8_to_utf16(target_modified)) == NULL) {
errno = ENOMEM;
goto cleanup;
}
/* if chroot, get full path for target, similar to behavior in realpath() in misc.c
note: _wfullpath() is required to resolve paths containing unicode characters */
if (chroot_pathw != NULL &&
(resolved_target_chroot = _wfullpath(NULL, resolved_target_utf16, 0)) != NULL &&
file_in_chroot_jail_helper(resolved_target_chroot) != 1) {
errno = EPERM;
goto cleanup;
}
/* unlike other platforms, we need to know whether the symbolic link target is
* a file or a directory. the only way we can confidently do this is to
* get the attributes of the target. therefore, our symlink() has the
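Review bot: the new chroot check fails open. When `chroot_pathw != NULL` but `_wfullpath()` returns NULL (allocation failure or a path it cannot resolve), the `&&` chain evaluates to false and execution continues to create the symlink with the target never validated. Split the condition so a NULL result under chroot is itself a refusal, e.g. `if (chroot_pathw != NULL) { if ((resolved_target_chroot = _wfullpath(NULL, resolved_target_utf16, 0)) == NULL || file_in_chroot_jail_helper(resolved_target_chroot) != 1) { errno = EPERM; goto cleanup; } }`. Since the helper lowercases its argument in place, it is also worth a comment here that `resolved_target_chroot` is only used for the check and is not what gets written into the link.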
@ -1338,15 +1353,18 @@ fileio_symlink(const char *target, const char *linkpath)
ret = 0;
cleanup:
if (linkpath_resolved)
free(linkpath_resolved);
if (linkpath_utf16)
free(linkpath_utf16);
if (resolved_target_chroot)
free(resolved_target_chroot);
if (resolved_target_utf16)
free(resolved_target_utf16);
if (linkpath_resolved)
free(linkpath_resolved);
if (target_resolved)
free(target_resolved);

@ -808,7 +808,7 @@ done:
OM_uint32
gss_accept_sec_context(_Out_ OM_uint32 * minor_status, _Inout_opt_ gss_ctx_id_t * context_handle,
_In_opt_ gss_cred_id_t acceptor_cred_handle, _In_ gss_buffer_t input_token_buffer, _In_opt_ gss_channel_bindings_t input_chan_bindings,
_Out_opt_ gss_name_t * src_name, _Out_opt_ gss_OID * mech_type, _Outptr_ gss_buffer_t output_token,
_Out_opt_ gss_name_t * src_name, _Out_opt_ gss_OID * mech_type, _Out_ gss_buffer_t output_token,
_Out_ OM_uint32 * ret_flags, _Out_opt_ OM_uint32 * time_rec, _Outptr_opt_ gss_cred_id_t * delegated_cred_handle)
{
OM_uint32 ret = GSS_S_FAILURE;

@ -177,7 +177,7 @@ OM_uint32
gss_accept_sec_context(_Out_ OM_uint32 * minor_status, _Inout_opt_ gss_ctx_id_t * context_handle,
_In_opt_ gss_cred_id_t acceptor_cred_handle, _In_ gss_buffer_t input_token_buffer,
_In_opt_ gss_channel_bindings_t input_chan_bindings, _Out_opt_ gss_name_t * src_name,
_Out_opt_ gss_OID * mech_type, _Outptr_ gss_buffer_t output_token, _Out_ OM_uint32 * ret_flags,
_Out_opt_ gss_OID * mech_type, _Out_ gss_buffer_t output_token, _Out_ OM_uint32 * ret_flags,
_Out_opt_ OM_uint32 * time_rec, _Outptr_opt_ gss_cred_id_t * delegated_cred_handle);
OM_uint32

@ -33,6 +33,9 @@
#define W32_SIGKILL 17
#define W32_SIGUSR1 18
#define W32_SIGUSR2 19
#define W32_SIGBUS 20
#define W32_SIGTRAP 21
#define W32_SIGSYS 22
/* singprocmask "how" codes*/
#define SIG_BLOCK 0
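Review bot: adding `W32_SIGBUS`, `W32_SIGTRAP` and `W32_SIGSYS` raises the highest signal number from 19 to 22; anything in signal.c sized or range-checked by the previous maximum (handler tables, the `sigaction` bounds check) has to grow with it, and that change is not in this hunk. A short comment on the last define saying "keep in sync with the signal table" would help the next person who appends one.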
@ -96,6 +99,9 @@ int sigaction(int signum, const struct sigaction * act, struct sigaction * oldac
#define SIGKILL W32_SIGKILL
#define SIGUSR1 W32_SIGUSR1
#define SIGUSR2 W32_SIGUSR2
#define SIGBUS W32_SIGBUS
#define SIGTRAP W32_SIGTRAP
#define SIGSYS W32_SIGSYS
#define SIG_DFL W32_SIG_DFL
#define SIG_IGN W32_SIG_IGN

@ -27,7 +27,7 @@ typedef struct w32_fd_set_ {
#define FD_SETSIZE MAX_FDS
int w32_select(int fds, w32_fd_set * , w32_fd_set * , w32_fd_set * ,
const struct timeval *);
const struct w32_timeval *);
#define select(a,b,c,d,e) w32_select((a), (b), (c), (d), (e))

@ -1,8 +1,16 @@
#pragma once
#include <sys\utime.h>
#define utimbuf _utimbuf
#define utimes w32_utimes
#define timeval w32_timeval
struct timeval
{
long long tv_sec;
long tv_usec;
};
int usleep(unsigned int);
int gettimeofday(struct timeval *, void *);
int nanosleep(const struct timespec *, struct timespec *);
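Review bot: `#define timeval w32_timeval` silently changes the layout of `struct timeval` (64-bit `tv_sec` versus Winsock's 32-bit `long`), so it must be seen before `<winsock2.h>`/`<time.h>` in every translation unit that calls `gettimeofday()` or `w32_select()`; a TU that includes the system header first compiles against the old layout and the callee writes eight bytes into a four-byte field. Document that ordering requirement at the top of this header, and add a compile-time size assertion on `tv_sec` next to the struct so a wrong include order fails the build rather than corrupting the stack at runtime. It is also worth a comment that this struct must never be handed to Winsock `select()` directly, only through the `w32_select` wrapper declared in the previous hunk.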

@ -191,7 +191,7 @@ nanosleep(const struct timespec *req, struct timespec *rem)
* Copyright (c) 2009, 2010 NoMachine
* All rights reserved
*/
static int
int
gettimeofday(struct timeval *tv, void *tz)
{
union {
@ -207,13 +207,13 @@ gettimeofday(struct timeval *tv, void *tz)
us = (timehelper.ns - EPOCH_DELTA) / 10;
/* Stuff result into the timeval */
tv->tv_sec = (long)(us / USEC_IN_SEC);
tv->tv_sec = (long long)(us / USEC_IN_SEC);
tv->tv_usec = (long)(us % USEC_IN_SEC);
return 0;
}
static void
void
explicit_bzero(void *b, size_t len)
{
SecureZeroMemory(b, len);
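Review bot: the cast to `(long long)` only fixes the store; the Y2038 fix also depends on `us` (declared above this hunk, not shown) being a 64-bit type, otherwise `(timehelper.ns - EPOCH_DELTA) / 10` is already truncated before the division by `USEC_IN_SEC`. Please confirm its declaration, and consider a unit test that feeds a FILETIME past 2038-01-19 through `gettimeofday()` and checks `tv_sec` is positive. Separately, making `explicit_bzero` non-static (and dropping `freezero` below) presumably hands those to the upstream compat layer; a one-line comment saying where they now live would save the next reader a grep.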
@ -1419,7 +1419,7 @@ is_absolute_path(const char *path)
/* return -1 - in case of failure, 0 - success */
int
create_directory_withsddl(wchar_t *path_w, wchar_t *sddl_w)
create_directory_withsddl(wchar_t *path_w, wchar_t *sddl_w, BOOL check_permissions)
{
if (GetFileAttributesW(path_w) == INVALID_FILE_ATTRIBUTES) {
PSECURITY_DESCRIPTOR pSD = NULL;
@ -1444,12 +1444,9 @@ create_directory_withsddl(wchar_t *path_w, wchar_t *sddl_w)
return -1;
}
}
else {
else if (check_permissions) {
// directory already exists; need to confirm permissions are correct
if (check_secure_folder_permission(path_w, 1) != 0) {
error("Directory already exists but folder permissions are invalid");
return -1;
}
check_secure_folder_permission(path_w, 1);
}
return 0;
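Review bot: the return value of `check_secure_folder_permission(path_w, 1)` is now discarded, so this path relies entirely on the callee to say anything; the removed `error("Directory already exists but folder permissions are invalid")` was the one message that named the condition in sshd's own log. Keep an explicit `if (check_secure_folder_permission(path_w, 1) != 0) error("%ls exists but its permissions are weaker than expected", path_w);` so operators still get a clear event when an existing directory has an unexpected ACL, and update the function header comment ("return -1 - in case of failure") to say the permission check is now advisory and only directory creation failures return -1. The new `check_permissions` flag also deserves a sentence on which callers pass FALSE and why.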
@ -1512,15 +1509,6 @@ w32_ctime(const time_t* sourceTime)
return ctime_s(destTime, 26, sourceTime) == 0 ? destTime : NULL;
}
void
freezero(void *ptr, size_t sz)
{
if (ptr == NULL)
return;
explicit_bzero(ptr, sz);
free(ptr);
}
int
setenv(const char *name, const char *value, int rewrite)
{

@ -67,9 +67,10 @@ void to_lower_case(char *s);
void to_wlower_case(wchar_t *s);
HANDLE get_user_token(const char* user, int impersonation);
int load_user_profile(HANDLE user_token, char* user);
int create_directory_withsddl(wchar_t *path, wchar_t *sddl);
int create_directory_withsddl(wchar_t *path, wchar_t *sddl, BOOL check_permissions);
int is_absolute_path(const char *);
int file_in_chroot_jail(HANDLE);
int file_in_chroot_jail_helper(wchar_t*);
PSID lookup_sid(const wchar_t* name_utf16, PSID psid, DWORD * psid_len);
PSID get_sid(const char*);
int am_system();

@ -37,6 +37,9 @@
#pragma warning(push, 3)
/* Pattern-list of allowed PKCS#11/Security key paths */
char* allowed_providers = NULL;
int remote_add_provider;
int scm_start_service(DWORD, LPWSTR*);
@ -134,8 +137,25 @@ wmain(int argc, wchar_t **wargv)
fatal("Unknown -O option; only allow-remote-pkcs11 is supported");
}
}
else if (wcsncmp(wargv[i], L"-P", 2) == 0) {
if (allowed_providers != NULL)
fatal("-P option already specified");
if ((i + 1) < argc) {
i++;
if ((allowed_providers = utf16_to_utf8(wargv[i])) == NULL)
fatal("Invalid argument for -P option");
}
else {
fatal("Missing argument for -P option");
}
}
}
}
if (allowed_providers == NULL) {
agent_initialize_allow_list();
}
if (!StartServiceCtrlDispatcherW(dispatch_table)) {
if (GetLastError() == ERROR_FAILED_SERVICE_CONTROLLER_CONNECT) {
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */

@ -34,9 +34,11 @@
#include <UserEnv.h>
#include "..\misc_internal.h"
#include <pwd.h>
#include "xmalloc.h"
#define BUFSIZE 5 * 1024
extern char* allowed_providers;
extern int remote_add_provider;
char* sshagent_con_username;
@ -170,11 +172,11 @@ agent_listen_loop()
GetModuleFileNameW(NULL, module_path, PATH_MAX);
SetHandleInformation(con, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
if (remote_add_provider == 1) {
if (swprintf_s(path, PATH_MAX, L"%s %d %s", module_path, (int)(intptr_t)con, L"-Oallow-remote-pkcs11") == -1)
if (swprintf_s(path, PATH_MAX, L"%s %d %s -P \"%S\"", module_path, (int)(intptr_t)con, L"-Oallow-remote-pkcs11", allowed_providers) == -1)
verbose("Failed to create child process %ls ERROR:%d", module_path, GetLastError());
}
else {
if (swprintf_s(path, PATH_MAX, L"%s %d", module_path, (int)(intptr_t)con) == -1)
if (swprintf_s(path, PATH_MAX, L"%s %d -P \"%S\"", module_path, (int)(intptr_t)con, allowed_providers) == -1)
verbose("Failed to create child process %ls ERROR:%d", module_path, GetLastError());
}
if (CreateProcessW(NULL, path, NULL, NULL, TRUE, DETACHED_PROCESS, NULL, NULL, &si, &pi) == FALSE) {
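Review bot: `allowed_providers` is spliced into the child's command line as `-P \"%S\"` with no escaping, and `%S` in a wide `swprintf_s` converts through the ANSI code page rather than UTF-8, so a `ProgramFiles` value (or a user-supplied `-P` pattern) containing a `"` or non-ASCII characters produces a different, possibly truncated allow list in the child than the one the parent computed. Convert with `utf8_to_utf16()` and `%s` instead, and either reject patterns containing `"` or escape them according to CreateProcessW argument rules before building `path`; the `-1` check on `swprintf_s` also does not catch a pattern that simply does not fit in PATH_MAX, which silently shortens the list.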
@ -408,3 +410,45 @@ agent_process_connection(HANDLE pipe)
iocp_work(NULL);
}
void
agent_initialize_allow_list() {
/*
* allowed paths for PKCS11 libraries,
* attempt to initialize to ProgramFiles and ProgramFiles(x86) by default
* upstream uses /usr/lib/* and /usr/local/lib/*
*/
size_t allowed_len = 0, prog_files_len = 0, prog_files_x86_len = 0;
char* allowed_path = NULL, *prog_files = NULL, *prog_files_x86 = NULL;
_dupenv_s(&prog_files, &prog_files_len, "ProgramFiles");
_dupenv_s(&prog_files_x86, &prog_files_x86_len, "ProgramFiles(x86)");
if (!prog_files && !prog_files_x86) {
allowed_providers = xstrdup("");
return;
}
if (prog_files && prog_files_x86) {
allowed_len = prog_files_len + 3 + prog_files_x86_len + 1;
allowed_path = xmalloc(allowed_len);
sprintf_s(allowed_path, allowed_len, "%s\\*,%s", prog_files, prog_files_x86);
free(prog_files);
free(prog_files_x86);
}
else if (prog_files) {
allowed_len = prog_files_len;
allowed_path = prog_files;
}
else if (prog_files_x86) {
allowed_len = prog_files_x86_len;
allowed_path = prog_files_x86;
}
allowed_len += 3; /* for additional characters below */
allowed_providers = xmalloc(allowed_len);
sprintf_s(allowed_providers, allowed_len, "%s\\*", allowed_path);
if (allowed_path) {
free(allowed_path);
}
}
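Review bot: the resulting pattern is `<ProgramFiles>\*,<ProgramFiles(x86)>\*`, and because `*` in `match_pattern` also matches path separators this allows any depth under those directories; that mirrors upstream's `/usr/lib/*` default, but the comment should say so explicitly. When neither environment variable is set the list becomes `""`, which `match_pattern_list` treats as deny-all; that is the right fail-closed behaviour, but emit a `verbose()` there so an operator can tell why every PKCS#11 add is being refused. Minor: in the single-variable branches `allowed_len = prog_files_len` already includes the terminator returned by `_dupenv_s`, so the later `+= 3` over-allocates by one byte; harmless, but the "for additional characters below" comment could state the arithmetic.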

@ -63,3 +63,4 @@ void agent_start(BOOL);
void agent_process_connection(HANDLE);
void agent_shutdown();
void agent_cleanup_connection(struct agent_connection*);
void agent_initialize_allow_list();

@ -32,6 +32,7 @@
#include "agent.h"
#include "agent-request.h"
#include "config.h"
#include "match.h"
#include <sddl.h>
#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
@ -44,6 +45,7 @@
#define MAX_VALUE_NAME_LENGTH 16383
#define MAX_VALUE_DATA_LENGTH 2048
extern char* allowed_providers;
extern int remote_add_provider;
/*
@ -675,6 +677,15 @@ int process_add_smartcard_key(struct sshbuf* request, struct sshbuf* response, s
goto done;
}
to_lower_case(provider);
verbose("provider realpath: \"%.100s\"", provider);
verbose("allowed provider paths: \"%.100s\"", allowed_providers);
if (match_pattern_list(provider, allowed_providers, 1) != 1) {
verbose("refusing PKCS#11 add of \"%.100s\": "
"provider not allowed", provider);
goto done;
}
// Remove 'drive root' if exists
if (canonical_provider[0] == '/')
memmove(canonical_provider, canonical_provider + 1, strlen(canonical_provider));
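Review bot: the allow list built in `agent_initialize_allow_list` uses backslash separators (`\\*`), while the lines immediately below treat `canonical_provider` as a forward-slash path (`canonical_provider[0] == '/'`); confirm that `provider` at this point is in backslash form, otherwise `match_pattern_list` never matches and every PKCS#11 add is refused. A pester test that adds a provider located under `%ProgramFiles%` and one outside it would pin the convention down. The `verbose("provider realpath: ...")` and `verbose("allowed provider paths: ...")` lines are good diagnostics; consider logging the refusal at `error` rather than `verbose` so it shows up without `-d`.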
@ -766,6 +777,8 @@ done:
free(pubkey_blob);
if (provider)
free(provider);
if (allowed_providers)
free(allowed_providers);
if (pin) {
SecureZeroMemory(pin, (DWORD)pin_len);
free(pin);
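Review bot: `allowed_providers` is a process-wide global (`extern char* allowed_providers` above), yet this hunk frees it in `done:` on every call and never sets it to NULL, so a second add-smartcard-key request on the same connection runs `match_pattern_list` against freed memory. Drop the free here (the connection's process exits with it) or free it once in `agent_shutdown()` and NULL the pointer there.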

@ -48,8 +48,6 @@
#include "tnnet.h"
#include "misc_internal.h"
#define TERM_IO_BUF_SIZE 2048
extern int in_raw_mode;
BOOL isFirstTime = TRUE;
@ -293,7 +291,10 @@ syncio_close(struct w32_io* pio)
CancelSynchronousIo(pio->read_overlapped.hEvent);
}
WaitForSingleObject(pio->read_overlapped.hEvent, INFINITE);
// give the read thread some time to wind down, but don't block syncio_close
if (WAIT_TIMEOUT == WaitForSingleObject(pio->read_overlapped.hEvent, 1000)) {
debug4("read_overlapped thread timed out");
}
}
/* drain queued APCs */
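Review bot: after the 1 s timeout the read thread is still running, so whatever the caller frees once `syncio_close` returns (the `pio` struct, `read_overlapped.hEvent`, the read buffer) must not be touched by that thread, otherwise this change turns a hang into a use-after-free. Either confirm in a comment that the thread only uses resources that outlive `pio`, or transfer ownership of those resources to the thread when the wait times out. Logging the timeout at `debug4` is also easy to miss; `debug` or `verbose` would make field reports of "client hangs on exit" easier to correlate.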

@ -124,11 +124,84 @@ GetModifierKey(DWORD dwControlKeyState)
return modKey;
}
// ReadConsoleForTermEmul() but for ENABLE_VIRTUAL_TERMINAL_INPUT.
static int
ReadConsoleForTermEmulModern(HANDLE hInput, char *destin, int destinlen)
{
// If the previous input ended on a lead (high) surrogate,
// we stash it here to combine it with the next input.
static wchar_t s_previous_lead;
INPUT_RECORD records[TERM_IO_BUF_SIZE_UTF16];
DWORD records_cap = ARRAYSIZE(records);
DWORD records_len = 0;
wchar_t text[TERM_IO_BUF_SIZE_UTF16];
int text_len = 0;
// If we'll restore the previous lead surrogate, we can only read
// ARRAYSIZE(records)-1 records before the storage overflows.
if (s_previous_lead) {
records_cap--;
}
// As this application heavily relies on APCs, it's important that we call
// DataAvailable(), because it calls WaitForSingleObjectEx with bAlertable=TRUE.
if (!DataAvailable(hInput) ||
!ReadConsoleInputW(hInput, records, records_cap, &records_len) ||
records_len == 0)
return 0;
// Restore the previous lead surrogate if we have one.
if (s_previous_lead) {
text[text_len++] = s_previous_lead;
s_previous_lead = 0;
}
// Accumulate the UTF-16 text.
for (DWORD i = 0; i < records_len; i++) {
switch (records[i].EventType) {
case WINDOW_BUFFER_SIZE_EVENT:
queue_terminal_window_change_event();
break;
case KEY_EVENT: {
const KEY_EVENT_RECORD* k = &records[i].Event.KeyEvent;
if (
// The old Windows console added support for Unicode by encoding the characters in the
// current code page as usual, while stuffing a UCS2 value into a trailing VK_MENU event.
// Modern terminals on Windows stopped doing this and the Windows console may as well at some point.
(k->bKeyDown || k->wVirtualKeyCode == VK_MENU) &&
// Current versions of ConPTY suffer from a bug where pressing modifier keys enqueues
// a KEY_EVENT with UnicodeChar=0 despite ENABLE_VIRTUAL_TERMINAL_INPUT being enabled.
// They can be identified by the fact that their UnicodeChar value is zero,
// but they still have a non-zero wVirtualScanCode.
(k->uChar.UnicodeChar != L'\0' || k->wVirtualScanCode == 0))
text[text_len++] = k->uChar.UnicodeChar;
break;
}
default:
break;
}
}
// Pop any lone lead surrogate from the input for later.
const wchar_t last_char = text[text_len - 1];
if (IS_HIGH_SURROGATE(last_char)) {
s_previous_lead = last_char;
text_len--;
}
// ...and finally convert everything to UTF-8.
// It'll always fit, because we sized TERM_IO_BUF_SIZE to be large enough.
return WideCharToMultiByte(CP_UTF8, 0, text, text_len, destin, destinlen, NULL, NULL);
}
int
ReadConsoleForTermEmul(HANDLE hInput, char *destin, int destinlen)
{
HANDLE hHandle[] = { hInput, NULL };
DWORD nHandle = 1;
if (isConsoleVTSeqAvailable) {
return ReadConsoleForTermEmulModern(hInput, destin, destinlen);
}
DWORD dwInput = 0;
DWORD rc = 0;
unsigned char octets[20];
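Review bot: `const wchar_t last_char = text[text_len - 1];` reads `text[-1]` when `text_len` is 0, which happens whenever `records_len > 0` but none of the records is a `KEY_EVENT` that passes the filter (only `WINDOW_BUFFER_SIZE_EVENT` or other event types hitting the `default` case) and no lead surrogate was stashed; guard it with `if (text_len > 0 && IS_HIGH_SURROGATE(text[text_len - 1]))` or return 0 early when `text_len` is 0. Also worth a one-line comment that `records_cap - 1` plus the restored lead keeps `text_len` within `ARRAYSIZE(text)`, since that invariant is what makes the unchecked `text[text_len++]` writes safe.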
@ -187,23 +260,7 @@ ReadConsoleForTermEmul(HANDLE hInput, char *destin, int destinlen)
break;
}
if (isConsoleVTSeqAvailable) {
if (inputRecord.Event.KeyEvent.uChar.UnicodeChar != L'\0' || inputRecord.Event.KeyEvent.wVirtualScanCode == 0) {
n = WideCharToMultiByte(
CP_UTF8,
0,
&(inputRecord.Event.KeyEvent.uChar.UnicodeChar),
1,
(LPSTR)octets,
20,
NULL,
NULL);
WriteToBuffer((char *)octets, n);
}
} else {
GetVTSeqFromKeyStroke(inputRecord);
}
GetVTSeqFromKeyStroke(inputRecord);
}
break;
}
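Review bot: with the `isConsoleVTSeqAvailable` branch removed from this loop, the `unsigned char octets[20]` declared at the top of `ReadConsoleForTermEmul` appears to have lost its only use in the function; if nothing else writes to it, drop the declaration to avoid an unused-variable warning. The early `return ReadConsoleForTermEmulModern(...)` above makes the per-record `WideCharToMultiByte` path dead, so removing it here is consistent.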

@ -37,6 +37,9 @@
#include "console.h"
#define TERM_IO_BUF_SIZE_UTF16 1024
#define TERM_IO_BUF_SIZE (3 * TERM_IO_BUF_SIZE_UTF16)
#define UP_ARROW "\x1b[A"
#define DOWN_ARROW "\x1b[B"
#define RIGHT_ARROW "\x1b[C"
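Review bot: `TERM_IO_BUF_SIZE (3 * TERM_IO_BUF_SIZE_UTF16)` deserves a comment explaining the factor: each UTF-16 code unit expands to at most 3 UTF-8 bytes (a surrogate pair is two units and yields 4 bytes), and that is the invariant `ReadConsoleForTermEmulModern` relies on when it says "It'll always fit" and does not check `WideCharToMultiByte` for `ERROR_INSUFFICIENT_BUFFER`. Tying the two constants together in a comment keeps a future change to one of them from silently breaking the other.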

@ -33,6 +33,8 @@
#include <Aclapi.h>
#include <lm.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "inc\pwd.h"
#include "sshfileperm.h"
@ -40,6 +42,12 @@
#include "misc_internal.h"
#include "config.h"
#define NULL_TERMINATOR_LEN 1
#define COMMA_SPACE_LEN 2
#define BACKSLASH_LEN 1
extern int log_on_stderr;
/*
* The function is to check if current user is secure to access to the file.
* Check the owner of the file is one of these types: Local Administrators groups, system account, current user account
@ -178,18 +186,22 @@ cleanup:
* Check the owner of the file is one of these types: Local Administrators groups or system account
* Check the users have access permission to the file don't violate the following rules:
1. no user other than local administrators group and system account have write permission on the folder
* Returns 0 on success and -1 on failure
* Logs a message if the rules are violated, but does not prevent further execution
*/
int
void
check_secure_folder_permission(const wchar_t* path_utf16, int read_ok)
{
PSECURITY_DESCRIPTOR pSD = NULL;
PSID owner_sid = NULL, ti_sid = NULL;
PACL dacl = NULL;
DWORD error_code = ERROR_SUCCESS;
BOOL is_valid_sid = FALSE, is_valid_acl = FALSE;
BOOL is_valid_sid = FALSE, is_valid_acl = FALSE, need_log_msg = FALSE, is_first = TRUE;
wchar_t* bad_user = NULL;
int ret = 0;
size_t log_msg_len = (DNLEN + BACKSLASH_LEN + UNLEN) * 2 + COMMA_SPACE_LEN + NULL_TERMINATOR_LEN;
wchar_t* log_msg = (wchar_t*)malloc(log_msg_len * sizeof(wchar_t));
if (log_msg != NULL) {
log_msg[0] = '\0';
}
/*Get the owner sid of the file.*/
if ((error_code = GetNamedSecurityInfoW(path_utf16, SE_FILE_OBJECT,
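Review bot: if the doc line "Returns 0 on success and -1 on failure" is still present after this hunk it is stale now that `check_secure_folder_permission` is `void`, and every caller that tested the old -1 return needs updating, otherwise the "does not prevent further execution" change is only half applied. Minor: `log_msg[0] = '\0';` on a `wchar_t` buffer compiles but should be `L'\0'` to match the wide-string handling in the rest of the function.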
@ -197,18 +209,15 @@ check_secure_folder_permission(const wchar_t* path_utf16, int read_ok)
&owner_sid, NULL, &dacl, NULL, &pSD)) != ERROR_SUCCESS) {
printf("failed to retrieve the owner sid and dacl of file %S with error code: %d", path_utf16, error_code);
errno = EOTHER;
ret = -1;
goto cleanup;
}
if (((is_valid_sid = IsValidSid(owner_sid)) == FALSE) || ((is_valid_acl = IsValidAcl(dacl)) == FALSE)) {
printf("IsValidSid: %d; is_valid_acl: %d", is_valid_sid, is_valid_acl);
ret = -1;
goto cleanup;
}
if (!IsWellKnownSid(owner_sid, WinBuiltinAdministratorsSid) &&
!IsWellKnownSid(owner_sid, WinLocalSystemSid)) {
printf("Bad owner on %S", path_utf16);
ret = -1;
goto cleanup;
}
/*
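Review bot: with `ret = -1` removed, the failure paths in this hunk (a `GetNamedSecurityInfoW` error, an invalid SID or ACL, an owner other than Administrators or SYSTEM) now only `printf` and jump to `cleanup`, so an unexpected owner on the ssh config folder is never raised through `log_folder_perms_msg_etw`. Since the point of the change is to log instead of fail, route these cases through the same ETW logging (or `logit`) so they appear in the Event Viewer rather than on the stdout of a service process.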
@ -224,7 +233,6 @@ check_secure_folder_permission(const wchar_t* path_utf16, int read_ok)
if (!GetAce(dacl, i, &current_ace)) {
printf("GetAce() failed");
errno = EOTHER;
ret = -1;
goto cleanup;
}
@ -247,15 +255,112 @@ check_secure_folder_permission(const wchar_t* path_utf16, int read_ok)
continue;
}
else {
ret = -1;
/* collect all SIDs with write permissions */
wchar_t resolved_trustee[UNLEN + NULL_TERMINATOR_LEN] = L"UNKNOWN";
wchar_t resolved_trustee_domain[DNLEN + NULL_TERMINATOR_LEN] = L"UNKNOWN";
DWORD resolved_trustee_len = _countof(resolved_trustee), resolved_trustee_domain_len = _countof(resolved_trustee_domain);
SID_NAME_USE resolved_trustee_type;
need_log_msg = TRUE;
if (log_msg != NULL &&
LookupAccountSidW(NULL, current_trustee_sid, resolved_trustee, &resolved_trustee_len,
resolved_trustee_domain, &resolved_trustee_domain_len, &resolved_trustee_type) != 0) {
if (is_first) {
_snwprintf_s(log_msg, log_msg_len, _TRUNCATE, L"%ls\\%ls", resolved_trustee_domain, resolved_trustee);
is_first = FALSE;
}
else {
size_t currentLength = wcslen(log_msg);
size_t userLength = resolved_trustee_domain_len + BACKSLASH_LEN + resolved_trustee_len + COMMA_SPACE_LEN;
if (wcslen(log_msg) + userLength + NULL_TERMINATOR_LEN > log_msg_len) {
log_msg_len *= 2;
wchar_t* temp_log_msg = (wchar_t*)malloc(log_msg_len * sizeof(wchar_t));
if (temp_log_msg == NULL) {
break;
}
wcscpy_s(temp_log_msg, log_msg_len, log_msg);
if (log_msg)
free(log_msg);
log_msg = temp_log_msg;
}
_snwprintf_s(log_msg + currentLength, log_msg_len - currentLength, _TRUNCATE,
L", %ls\\%ls", resolved_trustee_domain, resolved_trustee);
}
}
}
}
if (need_log_msg) {
log_folder_perms_msg_etw(path_utf16, log_msg);
}
cleanup:
if (bad_user)
if (bad_user) {
LocalFree(bad_user);
if (pSD)
}
if (log_msg) {
free(log_msg);
}
if (pSD) {
LocalFree(pSD);
if (ti_sid)
}
if (ti_sid) {
free(ti_sid);
return ret;
}
}
/*
* This function takes in the full path to the ProgramData\ssh folder
* and a string of comma-separated domain\usernames. The function converts
* the well-known built-in Administrators group sid and the Local System
* sid to their corresponding names. With these names, and the input string,
* it logs a message to the Event Viewer. If logging the detailed message fails,
* a generic log message is written to the Event Viewer instead.
*/
void log_folder_perms_msg_etw(const wchar_t* path_utf16, wchar_t* log_msg) {
PSID adminSid = NULL;
WCHAR adminName[UNLEN + NULL_TERMINATOR_LEN];
WCHAR adminDomain[DNLEN + NULL_TERMINATOR_LEN];
DWORD adminNameSize = UNLEN + NULL_TERMINATOR_LEN;
DWORD adminDomainSize = DNLEN + NULL_TERMINATOR_LEN;
DWORD adminSidSize = SECURITY_MAX_SID_SIZE;
PSID systemSid = NULL;
WCHAR systemName[UNLEN + NULL_TERMINATOR_LEN];
WCHAR systemDomain[DNLEN + NULL_TERMINATOR_LEN];
DWORD systemNameSize = UNLEN + NULL_TERMINATOR_LEN;
DWORD systemDomainSize = DNLEN + NULL_TERMINATOR_LEN;
DWORD systemSidSize = SECURITY_MAX_SID_SIZE;
SID_NAME_USE sidType;
BOOL needLog = TRUE;
int temp_log_on_stderr = log_on_stderr;
log_on_stderr = 0;
adminSid = (PSID)malloc(SECURITY_MAX_SID_SIZE);
if (log_msg != NULL && adminSid != NULL &&
CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, adminSid, &adminSidSize) != 0 &&
LookupAccountSidW(NULL, adminSid, adminName, &adminNameSize, adminDomain, &adminDomainSize, &sidType) != 0) {
systemSid = (PSID)malloc(SECURITY_MAX_SID_SIZE);
if (systemSid != NULL &&
CreateWellKnownSid(WinLocalSystemSid, NULL, systemSid, &systemSidSize) != 0 &&
LookupAccountSidW(NULL, systemSid, systemName, &systemNameSize, systemDomain, &systemDomainSize, &sidType) != 0) {
logit("For '%S' folder, write access is granted to the following users: %S. "
"Consider reviewing users to ensure that only %S\\%S, and the %S\\%S group, and its members, have write access.",
path_utf16, log_msg, systemDomain, systemName, adminDomain, adminName);
needLog = FALSE;
}
}
if (needLog) {
/* log generic warning message in unlikely case that lookup for either well-known SID fails or user list is empty */
logit("for '%S' folder, consider downgrading permissions for any users with unnecessary write access.", path_utf16);
}
log_on_stderr = temp_log_on_stderr;
if (adminSid) {
free(adminSid);
}
if (systemSid) {
free(systemSid);
}
}
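Review bot: `log_folder_perms_msg_etw` only tests `log_msg != NULL`, but its comment promises the generic message when the user list is empty; a trustee whose `LookupAccountSidW` fails is skipped in the ACE loop while `need_log_msg` is still set, so an ACL whose only writable trustee is an unresolvable (orphaned) SID logs "write access is granted to the following users: ." Check `*log_msg != L'\0'` for the generic path, and consider falling back to `ConvertSidToStringSidW` for unresolved SIDs so they are still listed, since an orphaned SID with write access is exactly what an administrator should see. Minor: `size_t userLength` mixes camelCase into snake_case code, and the single `log_msg_len *= 2` growth step still relies on `_TRUNCATE` if one entry exceeds the doubled size.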

@ -32,6 +32,7 @@
#include "inc\sys\socket.h"
#include "inc\sys\select.h"
#include "inc\sys\uio.h"
#include "inc\sys\time.h"
#include "inc\sys\types.h"
#include "inc\sys\stat.h"
#include "inc\unistd.h"
@ -88,6 +89,19 @@ fd_table_initialize()
{
struct w32_io *pio;
HANDLE wh;
char *stdio_mode_env;
int stdio_mode = NONSOCK_SYNC_FD;
stdio_mode_env = getenv("OPENSSH_STDIO_MODE");
if (stdio_mode_env != NULL) {
if (strcmp(stdio_mode_env, "sock") == 0)
stdio_mode = SOCK_FD;
else if (strcmp(stdio_mode_env, "nonsock") == 0)
stdio_mode = NONSOCK_FD;
else if (strcmp(stdio_mode_env, "nonsock_sync") == 0)
stdio_mode = NONSOCK_SYNC_FD;
}
/* table entries representing std in, out and error*/
DWORD wh_index[] = { STD_INPUT_HANDLE , STD_OUTPUT_HANDLE , STD_ERROR_HANDLE };
int fd_num = 0;
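Review bot: an unrecognised `OPENSSH_STDIO_MODE` value is silently ignored and falls back to `NONSOCK_SYNC_FD`; add a debug line for the rejected value and document the variable and its three accepted values (`sock`, `nonsock`, `nonsock_sync`), since it changes stdio handling for every process that inherits the environment, including children spawned by sshd-session.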
@ -104,7 +118,7 @@ fd_table_initialize()
return -1;
}
memset(pio, 0, sizeof(struct w32_io));
pio->type = NONSOCK_SYNC_FD;
pio->type = stdio_mode;
pio->handle = wh;
fd_table_set(pio, fd_num);
}
@ -715,12 +729,11 @@ w32_fcntl(int fd, int cmd, ... /* arg */)
int
w32_select(int fds, w32_fd_set* readfds, w32_fd_set* writefds, w32_fd_set* exceptfds, const struct timeval *timeout)
{
ULONGLONG ticks_start = GetTickCount64(), ticks_spent;
ULONGLONG ticks_start = GetTickCount64(), ticks_spent, timeout_ms = 0, time_rem = 0;
w32_fd_set read_ready_fds, write_ready_fds;
HANDLE events[SELECT_EVENT_LIMIT];
int num_events = 0;
int in_set_fds = 0, out_ready_fds = 0, i;
unsigned int timeout_ms = 0, time_rem = 0;
errno = 0;
/* TODO - the size of these can be reduced based on fds */
@ -843,7 +856,7 @@ w32_select(int fds, w32_fd_set* readfds, w32_fd_set* writefds, w32_fd_set* excep
else
time_rem = INFINITE;
if (0 != wait_for_any_event(events, num_events, time_rem))
if (0 != wait_for_any_event(events, num_events, (DWORD)time_rem))
return -1;
/* check on fd status */
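Review bot: `(DWORD)time_rem` truncates now that `time_rem` is `ULONGLONG`; any computed value above 0xFFFFFFFE wraps to an arbitrary wait or collides with `INFINITE`. Clamp before the cast in the branch that derives `time_rem` from `timeout_ms`, e.g. `if (time_rem >= INFINITE) time_rem = INFINITE - 1;`, leaving the explicit `time_rem = INFINITE` assignment as is.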
@ -1071,7 +1084,7 @@ spawn_child_internal(const char* cmd, char *const argv[], HANDLE in, HANDLE out,
si.hStdError = err;
si.dwFlags = STARTF_USESTDHANDLES;
if (strstr(cmd, "sshd.exe")) {
if (strstr(cmd, "sshd-session.exe")) {
flags |= DETACHED_PROCESS;
}
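Review bot: `strstr(cmd, "sshd-session.exe")` matches the substring anywhere in the command line, including a directory component or an argument, so a different executable under a path containing that string would also be started with `DETACHED_PROCESS`; compare the basename of the program path instead, and add a comment saying why sshd-session specifically needs the detached flag (the non-interactive session regression this fixes).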

@ -190,6 +190,29 @@ check_group_membership(const char* group)
{
PSID sid = NULL;
BOOL is_member = 0;
char* utf8_group_name = NULL;
// it can be a SID string; if it is - use localized name for that SID
wchar_t* group_utf16 = utf8_to_utf16(group);
if (ConvertStringSidToSidW(group_utf16, &sid) != 0) {
WCHAR group_name[UNLEN + 1];
DWORD group_name_length = UNLEN + 1;
WCHAR domain_name[DNLEN + 1] = L"";
DWORD domain_name_size = DNLEN + 1;
SID_NAME_USE account_type = 0;
if (LookupAccountSidW(NULL, sid, group_name, &group_name_length,
domain_name, &domain_name_size, &account_type) != 0) {
utf8_group_name = utf16_to_utf8(group_name);
debug3_f("'%s' is translated to '%s'", group, utf8_group_name);
group = utf8_group_name;
} else {
debug3_f("LookupAccountSid failed for '%s'", group);
}
}
else
{
debug3_f("'%s' not recognized as SID", group);
}
if ((sid = get_sid(group)) == NULL) {
error("unable to resolve group %s", group);
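Review bot: the SID returned by `ConvertStringSidToSidW` is `LocalAlloc`-allocated, but `sid` is then overwritten by `get_sid(group)` without being released, and `cleanup` would `free()` rather than `LocalFree()` it if the function bailed out before that; `LocalFree(sid)` and reset it to NULL right after `LookupAccountSidW`. Also `utf8_to_utf16(group)` and `utf16_to_utf8(group_name)` are used without NULL checks, so an allocation failure passes NULL to `ConvertStringSidToSidW` or assigns NULL to `group` before `get_sid`.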
@ -202,6 +225,10 @@ check_group_membership(const char* group)
cleanup:
if (sid)
free(sid);
if (group_utf16)
free(group_utf16);
if (utf8_group_name)
free(utf8_group_name);
return is_member? 1: 0;
}
@ -221,18 +248,17 @@ ga_init(const char *user, gid_t base)
if ((user_token = get_user_token(user_name, 0)) == NULL) {
/*
* TODO - We need to fatal() all the times when we fail to generate the user token.
* No fatal call here so experience when called by servconf parsing Match block
* is consistent for an invalid user (does not find password, but is not fatal yet)
* and a valid user without a token (ex: group policy forbidding login)
*/
if (get_custom_lsa_package()) {
error("%s, unable to resolve user %s", __func__, user_name);
return 0;
} else {
fatal("%s, unable to resolve user %s", __func__, user_name);
}
get_custom_lsa_package();
error("%s, unable to resolve user %s", __func__, user_name);
return 0;
}
/*
* supposed to retun number of groups associated with user
* supposed to return number of groups associated with user
* since we do lazy group evaluation, returning 1 here
*/
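Review bot: the result of `get_custom_lsa_package()` is now discarded, so either the call exists for its side effects (say so in a comment) or it can be removed; and the TODO above still says the code should `fatal()` on token failure while this change makes `error()` + `return 0` unconditional, so update the comment to describe the new behaviour and why the `fatal()` was dropped for the non-LSA case.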

@ -43,13 +43,12 @@ wmain(int argc, wchar_t **wargv) {
char** argv = NULL;
int i, r;
_set_invalid_parameter_handler(invalid_parameter_handler);
if (argc) {
if ((argv = malloc(argc * sizeof(char*))) == NULL)
if ((argv = malloc((argc + 1) * sizeof(char*))) == NULL)
fatal("out of memory");
for (i = 0; i < argc; i++)
if ((argv[i] = utf16_to_utf8(wargv[i])) == NULL)
fatal("out of memory");
for (i = 0; i < argc; i++)
if ((argv[i] = utf16_to_utf8(wargv[i])) == NULL)
fatal("out of memory");
}
argv[argc] = NULL;
if (getenv("SSH_AUTH_SOCK") == NULL)
_putenv("SSH_AUTH_SOCK=\\\\.\\pipe\\openssh-ssh-agent");
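Review bot: if the `if (argc) {` guard survives this hunk, `argv[argc] = NULL;` now sits outside it and dereferences a NULL `argv` when `argc` is 0; the `(argc + 1)` allocation makes the guard unnecessary, so drop it (as the `sshd_main` hunk does) or keep the terminator assignment inside it.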

@ -0,0 +1,115 @@
/*
* Author: Manoj Ampalam <manoj.ampalam@microsoft.com>
*
* wmain entry for sshd-session.
*
* Copyright (c) 2015 Microsoft Corp.
* All rights reserved
*
* Microsoft openssh win32 port
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* disable inclusion of compatability defitnitions in CRT headers */
#define __STDC__ 1
#include <Windows.h>
#include <wchar.h>
#include <Lm.h>
#include <sddl.h>
#include <stdio.h>
#include "inc\utf.h"
#include "misc_internal.h"
#include "Debug.h"
int main(int, char **);
extern HANDLE main_thread;
int sshd_session_main(int argc, wchar_t **wargv) {
char** argv = NULL;
int i, r;
_set_invalid_parameter_handler(invalid_parameter_handler);
if ((argv = malloc((argc + 1) * sizeof(char*))) == NULL)
fatal("out of memory");
for (i = 0; i < argc; i++)
if ((argv[i] = utf16_to_utf8(wargv[i])) == NULL)
fatal("out of memory");
argv[argc] = NULL;
w32posix_initialize();
r = main(argc, argv);
w32posix_done();
return r;
}
int argc_original = 0;
wchar_t **wargv_original = NULL;
int wmain(int argc, wchar_t **wargv) {
wchar_t *path_value = NULL, *path_new_value;
errno_t result = 0;
size_t path_new_len = 0, len;
argc_original = argc;
wargv_original = wargv;
init_prog_paths();
/* change current directory to sshd-session.exe root */
_wchdir(__wprogdir);
/*
* we want to launch scp and sftp executables from the binary directory
* that sshd is hosted in. This will facilitate hosting and evaluating
* multiple versions of OpenSSH at the same time.
* it does not work well for powershell, cygwin, etc if program path is
* prepended to executable directory.
* To achive above, PATH is set to process environment
*/
_wdupenv_s(&path_value, &len, L"PATH");
if (!path_value || (wcsstr(path_value, __wprogdir)) == NULL) {
path_new_len = wcslen(__wprogdir) + wcslen(path_value) + 2;
if ((path_new_value = (wchar_t *) malloc(path_new_len * sizeof(wchar_t))) == NULL) {
errno = ENOMEM;
error("failed to allocation memory");
return -1;
}
swprintf_s(path_new_value, path_new_len, L"%s%s%s", __wprogdir, path_value ? L";" : L"", path_value);
if (result = _wputenv_s(L"PATH", path_new_value)) {
error("failed to set PATH environment variable: to value:%s, error:%d", path_new_value, result);
errno = result;
if (path_new_value)
free(path_new_value);
if(path_value)
free(path_value);
return -1;
}
if (path_new_value)
free(path_new_value);
if(path_value)
free(path_value);
}
return sshd_session_main(argc, wargv);
}
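Review bot: `wcslen(path_value)` in the `!path_value || ...` branch is reached with `path_value == NULL` when PATH is unset, which crashes before the `path_value ? L";" : L""` guard in `swprintf_s` can help; use `(path_value ? wcslen(path_value) : 0)` for `path_new_len` and pass `L""` for the last `%s` when `path_value` is NULL. `wcsstr(path_value, __wprogdir)` also accepts PATH entries that merely contain the program directory as a prefix of a longer path, so an entry-wise comparison would be more precise. Style: `if (result = _wputenv_s(...))` should be `if ((result = ...) != 0)`, and the comment typos "compatability defitnitions" and "achive" are worth fixing while the file is new.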

@ -135,7 +135,7 @@ create_prgdata_ssh_folder()
wchar_t ssh_cfg_dir[PATH_MAX] = { 0, };
wcscpy_s(ssh_cfg_dir, _countof(ssh_cfg_dir), __wprogdata);
wcscat_s(ssh_cfg_dir, _countof(ssh_cfg_dir), L"\\ssh");
if (create_directory_withsddl(ssh_cfg_dir, L"O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)") < 0) {
if (create_directory_withsddl(ssh_cfg_dir, L"O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)", TRUE) < 0) {
printf("failed to create %S", ssh_cfg_dir);
exit(255);
}
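Review bot: the new boolean argument to `create_directory_withsddl` is passed as a bare `TRUE`/`FALSE`, which does not tell a reader what differs between the ssh folder (`TRUE`) and the logs folder (`FALSE`, next hunk); name the parameter with a short comment at the call site or an enum so the intent of the permissions-check change is visible where it is made.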
@ -144,7 +144,7 @@ create_prgdata_ssh_folder()
wchar_t logs_dir[PATH_MAX] = { 0, };
wcscat_s(logs_dir, _countof(logs_dir), ssh_cfg_dir);
wcscat_s(logs_dir, _countof(logs_dir), L"\\logs");
if (create_directory_withsddl(logs_dir, L"O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)") < 0) {
if (create_directory_withsddl(logs_dir, L"O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)", FALSE) < 0) {
printf("failed to create %S", logs_dir);
exit(255);
}
@ -202,15 +202,14 @@ int sshd_main(int argc, wchar_t **wargv) {
int i, r;
_set_invalid_parameter_handler(invalid_parameter_handler);
if (argc) {
if ((argv = malloc(argc * sizeof(char*))) == NULL) {
printf("out of memory");
exit(255);
}
if ((argv = malloc((argc + 1) * sizeof(char*))) == NULL)
fatal("out of memory");
for (i = 0; i < argc; i++)
argv[i] = utf16_to_utf8(wargv[i]);
}
for (i = 0; i < argc; i++)
if ((argv[i] = utf16_to_utf8(wargv[i])) == NULL)
fatal("out of memory");
argv[argc] = NULL;
w32posix_initialize();
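Review bot: the error path switches from `printf` + `exit(255)` to `fatal()`; confirm `fatal()` is safe this early in `sshd_main` (before `w32posix_initialize()` and before logging is set up), since the previous code's use of `printf` suggests it was avoided deliberately. Otherwise the NULL check on `utf16_to_utf8` and the `argv[argc]` terminator are the right fix.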

@ -1,5 +1,5 @@
#!/bin/sh
# $OpenBSD: ed25519.sh,v 1.1 2023/01/15 23:05:32 djm Exp $
# $OpenBSD: ed25519.sh,v 1.2 2024/05/17 02:39:11 jsg Exp $
# Placed in the Public Domain.
#
AUTHOR="supercop-20221122/crypto_sign/ed25519/ref/implementors"
@ -74,7 +74,7 @@ for i in $FILES; do
sed -e "s/crypto_sign_open/crypto_sign_ed25519_open/g"
;;
*/crypto_sign/ed25519/ref/fe25519.*)
# avoid a couple of name collions with other files
# avoid a couple of name collisions with other files
sed -e "s/reduce_add_sub/fe25519_reduce_add_sub/g" \
-e "s/ equal[(]/ fe25519_equal(/g" \
-e "s/^int /static int /g"

@ -1,4 +1,4 @@
/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
/* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */
/*
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -278,7 +278,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
if (oid->length == spnego_oid.length &&
(memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
return 0; /* false */
@ -286,7 +286,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host);
if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
gss_release_buffer(&minor, &token);
if ((*ctx)->context != GSS_C_NO_CONTEXT)
@ -294,7 +294,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
GSS_C_NO_BUFFER);
}
if (GSS_ERROR(major))
if (GSS_ERROR(major))
ssh_gssapi_delete_ctx(ctx);
return (!GSS_ERROR(major));

330
kex-names.c Normal file

@ -0,0 +1,330 @@
/* $OpenBSD: kex-names.c,v 1.1 2024/05/17 00:32:32 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/evp.h>
#endif
#include "kex.h"
#include "log.h"
#include "match.h"
#include "digest.h"
#include "misc.h"
#include "ssherr.h"
#include "xmalloc.h"
struct kexalg {
char *name;
u_int type;
int ec_nid;
int hash_alg;
};
static const struct kexalg kexalgs[] = {
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
#ifdef HAVE_EVP_SHA256
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 */
#ifdef OPENSSL_HAS_ECC
{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
SSH_DIGEST_SHA384 },
# ifdef OPENSSL_HAS_NISTP521
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
SSH_DIGEST_SHA512 },
# endif /* OPENSSL_HAS_NISTP521 */
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#ifdef USE_SNTRUP761X25519
{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
SSH_DIGEST_SHA512 },
#endif
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1},
};
char *
kex_alg_list(char sep)
{
char *ret = NULL, *tmp;
size_t nlen, rlen = 0;
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
free(ret);
return NULL;
}
ret = tmp;
memcpy(ret + rlen, k->name, nlen + 1);
rlen += nlen;
}
return ret;
}
static const struct kexalg *
kex_alg_by_name(const char *name)
{
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
}
return NULL;
}
int
kex_name_valid(const char *name)
{
return kex_alg_by_name(name) != NULL;
}
u_int
kex_type_from_name(const char *name)
{
const struct kexalg *k;
if ((k = kex_alg_by_name(name)) == NULL)
return 0;
return k->type;
}
int
kex_hash_from_name(const char *name)
{
const struct kexalg *k;
if ((k = kex_alg_by_name(name)) == NULL)
return -1;
return k->hash_alg;
}
int
kex_nid_from_name(const char *name)
{
const struct kexalg *k;
if ((k = kex_alg_by_name(name)) == NULL)
return -1;
return k->ec_nid;
}
/* Validate KEX method name list */
int
kex_names_valid(const char *names)
{
char *s, *cp, *p;
if (names == NULL || strcmp(names, "") == 0)
return 0;
if ((s = cp = strdup(names)) == NULL)
return 0;
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
error("Unsupported KEX algorithm \"%.100s\"", p);
free(s);
return 0;
}
}
debug3("kex names ok: [%s]", names);
free(s);
return 1;
}
/* returns non-zero if proposal contains any algorithm from algs */
int
kex_has_any_alg(const char *proposal, const char *algs)
{
char *cp;
if ((cp = match_list(proposal, algs, NULL)) == NULL)
return 0;
free(cp);
return 1;
}
/*
* Concatenate algorithm names, avoiding duplicates in the process.
* Caller must free returned string.
*/
char *
kex_names_cat(const char *a, const char *b)
{
char *ret = NULL, *tmp = NULL, *cp, *p;
size_t len;
if (a == NULL || *a == '\0')
return strdup(b);
if (b == NULL || *b == '\0')
return strdup(a);
if (strlen(b) > 1024*1024)
return NULL;
len = strlen(a) + strlen(b) + 2;
if ((tmp = cp = strdup(b)) == NULL ||
(ret = calloc(1, len)) == NULL) {
free(tmp);
return NULL;
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
if (kex_has_any_alg(ret, p))
continue; /* Algorithm already present */
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
free(ret);
return NULL; /* Shouldn't happen */
}
}
free(tmp);
return ret;
}
/*
* Assemble a list of algorithms from a default list and a string from a
* configuration file. The user-provided string may begin with '+' to
* indicate that it should be appended to the default, '-' that the
* specified names should be removed, or '^' that they should be placed
* at the head.
*/
int
kex_assemble_names(char **listp, const char *def, const char *all)
{
char *cp, *tmp, *patterns;
char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
if (listp == NULL || def == NULL || all == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (*listp == NULL || **listp == '\0') {
if ((*listp = strdup(def)) == NULL)
return SSH_ERR_ALLOC_FAIL;
return 0;
}
list = *listp;
*listp = NULL;
if (*list == '+') {
/* Append names to default list */
if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(list);
list = tmp;
} else if (*list == '-') {
/* Remove names from default list */
if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(list);
/* filtering has already been done */
return 0;
} else if (*list == '^') {
/* Place names at head of default list */
if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(list);
list = tmp;
} else {
/* Explicit list, overrides default - just use "list" as is */
}
/*
* The supplied names may be a pattern-list. For the -list case,
* the patterns are applied above. For the +list and explicit list
* cases we need to do it now.
*/
ret = NULL;
if ((patterns = opatterns = strdup(list)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
/* Apply positive (i.e. non-negated) patterns from the list */
while ((cp = strsep(&patterns, ",")) != NULL) {
if (*cp == '!') {
/* negated matches are not supported here */
r = SSH_ERR_INVALID_ARGUMENT;
goto fail;
}
free(matching);
if ((matching = match_filter_allowlist(all, cp)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
if ((tmp = kex_names_cat(ret, matching)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(ret);
ret = tmp;
}
if (ret == NULL || *ret == '\0') {
/* An empty name-list is an error */
/* XXX better error code? */
r = SSH_ERR_INVALID_ARGUMENT;
goto fail;
}
/* success */
*listp = ret;
ret = NULL;
r = 0;
fail:
free(matching);
free(opatterns);
free(list);
free(ret);
return r;
}
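Review bot: kex-names.c is a lift of the `kexalgs` table and name helpers out of kex.c (the kex.c hunk that follows removes the same code), and the `has_any_alg` to `kex_has_any_alg` rename turns a formerly `static` function into an external one; make sure kex.h declares it together with the new `kex_name_valid`, `kex_type_from_name`, `kex_hash_from_name` and `kex_nid_from_name`, and that kex-names.c is added to the Makefile and the Windows project files, or the build fails at link time. Calling out the move in the commit message would let reviewers diff-verify that the bodies are unchanged.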

526
kex.c

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.181 2023/08/28 03:28:43 djm Exp $ */
/* $OpenBSD: kex.c,v 1.186 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -85,254 +85,6 @@ static const char * const proposal_names[PROPOSAL_MAX] = {
"languages stoc",
};
struct kexalg {
char *name;
u_int type;
int ec_nid;
int hash_alg;
};
static const struct kexalg kexalgs[] = {
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
#ifdef HAVE_EVP_SHA256
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 */
#ifdef OPENSSL_HAS_ECC
{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
SSH_DIGEST_SHA384 },
# ifdef OPENSSL_HAS_NISTP521
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
SSH_DIGEST_SHA512 },
# endif /* OPENSSL_HAS_NISTP521 */
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#ifdef USE_SNTRUP761X25519
{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
SSH_DIGEST_SHA512 },
#endif
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1},
};
char *
kex_alg_list(char sep)
{
char *ret = NULL, *tmp;
size_t nlen, rlen = 0;
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
free(ret);
return NULL;
}
ret = tmp;
memcpy(ret + rlen, k->name, nlen + 1);
rlen += nlen;
}
return ret;
}
static const struct kexalg *
kex_alg_by_name(const char *name)
{
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
}
return NULL;
}
/* Validate KEX method name list */
int
kex_names_valid(const char *names)
{
char *s, *cp, *p;
if (names == NULL || strcmp(names, "") == 0)
return 0;
if ((s = cp = strdup(names)) == NULL)
return 0;
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
error("Unsupported KEX algorithm \"%.100s\"", p);
free(s);
return 0;
}
}
debug3("kex names ok: [%s]", names);
free(s);
return 1;
}
/* returns non-zero if proposal contains any algorithm from algs */
static int
has_any_alg(const char *proposal, const char *algs)
{
char *cp;
if ((cp = match_list(proposal, algs, NULL)) == NULL)
return 0;
free(cp);
return 1;
}
/*
* Concatenate algorithm names, avoiding duplicates in the process.
* Caller must free returned string.
*/
char *
kex_names_cat(const char *a, const char *b)
{
char *ret = NULL, *tmp = NULL, *cp, *p;
size_t len;
if (a == NULL || *a == '\0')
return strdup(b);
if (b == NULL || *b == '\0')
return strdup(a);
if (strlen(b) > 1024*1024)
return NULL;
len = strlen(a) + strlen(b) + 2;
if ((tmp = cp = strdup(b)) == NULL ||
(ret = calloc(1, len)) == NULL) {
free(tmp);
return NULL;
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
if (has_any_alg(ret, p))
continue; /* Algorithm already present */
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
free(ret);
return NULL; /* Shouldn't happen */
}
}
free(tmp);
return ret;
}
/*
* Assemble a list of algorithms from a default list and a string from a
* configuration file. The user-provided string may begin with '+' to
* indicate that it should be appended to the default, '-' that the
* specified names should be removed, or '^' that they should be placed
* at the head.
*/
int
kex_assemble_names(char **listp, const char *def, const char *all)
{
char *cp, *tmp, *patterns;
char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
if (listp == NULL || def == NULL || all == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (*listp == NULL || **listp == '\0') {
if ((*listp = strdup(def)) == NULL)
return SSH_ERR_ALLOC_FAIL;
return 0;
}
list = *listp;
*listp = NULL;
if (*list == '+') {
/* Append names to default list */
if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(list);
list = tmp;
} else if (*list == '-') {
/* Remove names from default list */
if ((*listp = match_filter_denylist(def, list + 1)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(list);
/* filtering has already been done */
return 0;
} else if (*list == '^') {
/* Place names at head of default list */
if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(list);
list = tmp;
} else {
/* Explicit list, overrides default - just use "list" as is */
}
/*
* The supplied names may be a pattern-list. For the -list case,
* the patterns are applied above. For the +list and explicit list
* cases we need to do it now.
*/
ret = NULL;
if ((patterns = opatterns = strdup(list)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
/* Apply positive (i.e. non-negated) patterns from the list */
while ((cp = strsep(&patterns, ",")) != NULL) {
if (*cp == '!') {
/* negated matches are not supported here */
r = SSH_ERR_INVALID_ARGUMENT;
goto fail;
}
free(matching);
if ((matching = match_filter_allowlist(all, cp)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
if ((tmp = kex_names_cat(ret, matching)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto fail;
}
free(ret);
ret = tmp;
}
if (ret == NULL || *ret == '\0') {
/* An empty name-list is an error */
/* XXX better error code? */
r = SSH_ERR_INVALID_ARGUMENT;
goto fail;
}
/* success */
*listp = ret;
ret = NULL;
r = 0;
fail:
free(matching);
free(opatterns);
free(list);
free(ret);
return r;
}
/*
* Fill out a proposal array with dynamically allocated values, which may
* be modified as required for compatibility reasons.
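Review bot: the +/- markers did not survive rendering, but the hunk header that follows (-357,7 +109,7) shows roughly 250 lines leaving kex.c ahead of it, which matches this whole kex_names_valid / has_any_alg / kex_names_cat / kex_assemble_names block; the commit message should name the file these helpers move to, since that file is among the ones this page omits and the kex.h hunk only declares the renamed kex_has_any_alg and the new kex_name_valid. If the move is verbatim, kex_names_cat keeps its asymmetric cap (`if (strlen(b) > 1024*1024)` bounds `b` but not `a`); that is harmless for the len arithmetic but worth a one-line comment explaining why only the second operand is bounded.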
@ -357,7 +109,7 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
if (kexalgos == NULL)
kexalgos = defprop[PROPOSAL_KEX_ALGS];
if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
"kex-strict-s-v00@openssh.com" :
"ext-info-s,kex-strict-s-v00@openssh.com" :
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
fatal_f("kex_names_cat");
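Review bot: the server proposal now appends `ext-info-s,kex-strict-s-v00@openssh.com` (and the client `ext-info-c,kex-strict-c-v00@openssh.com`), and the identical strings are repeated verbatim in the kex_input_newkeys denylist that strips them before rekeying; a shared #define for each pair would keep the two sites from drifting, since a mismatch would leave a signalling name in the rekey proposal or strip a real algorithm.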
@ -509,36 +261,138 @@ kex_reset_dispatch(struct ssh *ssh)
SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
}
void
kex_set_server_sig_algs(struct ssh *ssh, const char *allowed_algs)
{
char *alg, *oalgs, *algs, *sigalgs;
const char *sigalg;
/*
* NB. allowed algorithms may contain certificate algorithms that
* map to a specific plain signature type, e.g.
* rsa-sha2-512-cert-v01@openssh.com => rsa-sha2-512
* We need to be careful here to match these, retain the mapping
* and only add each signature algorithm once.
*/
if ((sigalgs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
fatal_f("sshkey_alg_list failed");
oalgs = algs = xstrdup(allowed_algs);
free(ssh->kex->server_sig_algs);
ssh->kex->server_sig_algs = NULL;
for ((alg = strsep(&algs, ",")); alg != NULL && *alg != '\0';
(alg = strsep(&algs, ","))) {
if ((sigalg = sshkey_sigalg_by_name(alg)) == NULL)
continue;
if (!kex_has_any_alg(sigalg, sigalgs))
continue;
/* Don't add an algorithm twice. */
if (ssh->kex->server_sig_algs != NULL &&
kex_has_any_alg(sigalg, ssh->kex->server_sig_algs))
continue;
xextendf(&ssh->kex->server_sig_algs, ",", "%s", sigalg);
}
free(oalgs);
free(sigalgs);
if (ssh->kex->server_sig_algs == NULL)
ssh->kex->server_sig_algs = xstrdup("");
}
static int
kex_send_ext_info(struct ssh *ssh)
kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m)
{
int r;
char *algs;
debug("Sending SSH2_MSG_EXT_INFO");
if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
if (ssh->kex->server_sig_algs == NULL &&
(ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
return SSH_ERR_ALLOC_FAIL;
/* XXX filter algs list by allowed pubkey/hostbased types */
if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
(r = sshpkt_put_u32(ssh, 3)) != 0 ||
(r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
(r = sshpkt_put_cstring(ssh, algs)) != 0 ||
(r = sshpkt_put_cstring(ssh,
if ((r = sshbuf_put_u32(m, 3)) != 0 ||
(r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
(r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
(r = sshbuf_put_cstring(m,
"publickey-hostbound@openssh.com")) != 0 ||
(r = sshpkt_put_cstring(ssh, "0")) != 0 ||
(r = sshpkt_put_cstring(ssh, "ping@openssh.com")) != 0 ||
(r = sshpkt_put_cstring(ssh, "0")) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
(r = sshbuf_put_cstring(m, "0")) != 0 ||
(r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
(r = sshbuf_put_cstring(m, "0")) != 0) {
error_fr(r, "compose");
return r;
}
return 0;
}
static int
kex_compose_ext_info_client(struct ssh *ssh, struct sshbuf *m)
{
int r;
if ((r = sshbuf_put_u32(m, 1)) != 0 ||
(r = sshbuf_put_cstring(m, "ext-info-in-auth@openssh.com")) != 0 ||
(r = sshbuf_put_cstring(m, "0")) != 0) {
error_fr(r, "compose");
goto out;
}
/* success */
r = 0;
out:
free(algs);
return r;
}
static int
kex_maybe_send_ext_info(struct ssh *ssh)
{
int r;
struct sshbuf *m = NULL;
if ((ssh->kex->flags & KEX_INITIAL) == 0)
return 0;
if (!ssh->kex->ext_info_c && !ssh->kex->ext_info_s)
return 0;
/* Compose EXT_INFO packet. */
if ((m = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
if (ssh->kex->ext_info_c &&
(r = kex_compose_ext_info_server(ssh, m)) != 0)
goto fail;
if (ssh->kex->ext_info_s &&
(r = kex_compose_ext_info_client(ssh, m)) != 0)
goto fail;
/* Send the actual KEX_INFO packet */
debug("Sending SSH2_MSG_EXT_INFO");
if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
(r = sshpkt_putb(ssh, m)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
error_f("send EXT_INFO");
goto fail;
}
r = 0;
fail:
sshbuf_free(m);
return r;
}
int
kex_server_update_ext_info(struct ssh *ssh)
{
int r;
if ((ssh->kex->flags & KEX_HAS_EXT_INFO_IN_AUTH) == 0)
return 0;
debug_f("Sending SSH2_MSG_EXT_INFO");
if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
(r = sshpkt_put_u32(ssh, 1)) != 0 ||
(r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
(r = sshpkt_put_cstring(ssh, ssh->kex->server_sig_algs)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
error_f("send EXT_INFO");
return r;
}
return 0;
}
int
kex_send_newkeys(struct ssh *ssh)
{
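Review bot: in kex_compose_ext_info_client the `out:` label is followed by `free(algs);` while the function declares only `int r`; that line is presumably the removed cleanup of the old kex_send_ext_info (markers are lost here), but if it survives the function will not compile. Two smaller points in the same hunk: the comment `/* Send the actual KEX_INFO packet */` in kex_maybe_send_ext_info should say EXT_INFO, and that function calls fatal_f when sshbuf_new fails while every other failure in it returns r to the caller; returning SSH_ERR_ALLOC_FAIL would match kex_compose_ext_info_server just above.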
@ -550,9 +404,8 @@ kex_send_newkeys(struct ssh *ssh)
return r;
debug("SSH2_MSG_NEWKEYS sent");
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
if ((r = kex_send_ext_info(ssh)) != 0)
return r;
if ((r = kex_maybe_send_ext_info(ssh)) != 0)
return r;
debug("expecting SSH2_MSG_NEWKEYS");
return 0;
}
@ -574,10 +427,61 @@ kex_ext_info_check_ver(struct kex *kex, const char *name,
return 0;
}
static int
kex_ext_info_client_parse(struct ssh *ssh, const char *name,
const u_char *value, size_t vlen)
{
int r;
/* NB. some messages are only accepted in the initial EXT_INFO */
if (strcmp(name, "server-sig-algs") == 0) {
/* Ensure no \0 lurking in value */
if (memchr(value, '\0', vlen) != NULL) {
error_f("nul byte in %s", name);
return SSH_ERR_INVALID_FORMAT;
}
debug_f("%s=<%s>", name, value);
free(ssh->kex->server_sig_algs);
ssh->kex->server_sig_algs = xstrdup((const char *)value);
} else if (ssh->kex->ext_info_received == 1 &&
strcmp(name, "publickey-hostbound@openssh.com") == 0) {
if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen,
"0", KEX_HAS_PUBKEY_HOSTBOUND)) != 0) {
return r;
}
} else if (ssh->kex->ext_info_received == 1 &&
strcmp(name, "ping@openssh.com") == 0) {
if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen,
"0", KEX_HAS_PING)) != 0) {
return r;
}
} else
debug_f("%s (unrecognised)", name);
return 0;
}
static int
kex_ext_info_server_parse(struct ssh *ssh, const char *name,
const u_char *value, size_t vlen)
{
int r;
if (strcmp(name, "ext-info-in-auth@openssh.com") == 0) {
if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen,
"0", KEX_HAS_EXT_INFO_IN_AUTH)) != 0) {
return r;
}
} else
debug_f("%s (unrecognised)", name);
return 0;
}
int
kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
const int max_ext_info = kex->server ? 1 : 2;
u_int32_t i, ninfo;
char *name;
u_char *val;
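Review bot: kex_ext_info_client_parse logs `%s (unrecognised)` for `publickey-hostbound@openssh.com` and `ping@openssh.com` whenever they arrive in a later EXT_INFO (ext_info_received != 1), which is misleading in a debug trace because the names are recognised, merely not accepted after the initial message; a distinct message such as "ignored outside initial EXT_INFO" would surface the NB comment at the top of the function. The per-extension rules (server-sig-algs accepted in any EXT_INFO, the other two only in the first) are otherwise consistent with the max_ext_info values set in kex_input_ext_info.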
@ -585,6 +489,10 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
int r;
debug("SSH2_MSG_EXT_INFO received");
if (++kex->ext_info_received > max_ext_info) {
error("too many SSH2_MSG_EXT_INFO messages sent by peer");
return dispatch_protocol_error(type, seq, ssh);
}
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
return r;
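Review bot: right after incrementing the counter the handler is reset with `ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error)`, yet max_ext_info is 2 on the client; whatever re-arms kex_input_ext_info for the in-authentication EXT_INFO is not in the shown files, so the `> max_ext_info` check only has effect if that re-arm happens exactly once. A comment here pointing at the re-arm site would help the next reader verify that.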
@ -600,34 +508,16 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
free(name);
return r;
}
if (strcmp(name, "server-sig-algs") == 0) {
/* Ensure no \0 lurking in value */
if (memchr(val, '\0', vlen) != NULL) {
error_f("nul byte in %s", name);
free(name);
free(val);
return SSH_ERR_INVALID_FORMAT;
}
debug_f("%s=<%s>", name, val);
kex->server_sig_algs = val;
val = NULL;
} else if (strcmp(name,
"publickey-hostbound@openssh.com") == 0) {
if ((r = kex_ext_info_check_ver(kex, name, val, vlen,
"0", KEX_HAS_PUBKEY_HOSTBOUND)) != 0) {
free(name);
free(val);
debug3_f("extension %s", name);
if (kex->server) {
if ((r = kex_ext_info_server_parse(ssh, name,
val, vlen)) != 0)
return r;
}
} else if (strcmp(name, "ping@openssh.com") == 0) {
if ((r = kex_ext_info_check_ver(kex, name, val, vlen,
"0", KEX_HAS_PING)) != 0) {
free(name);
free(val);
} else {
if ((r = kex_ext_info_client_parse(ssh, name,
val, vlen)) != 0)
return r;
}
} else
debug_f("%s (unrecognised)", name);
}
free(name);
free(val);
}
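Review bot: on a parse failure both new branches `return r` without freeing `name` and `val`, whereas the replaced code freed both before every error return; the connection is being torn down so the leak is bounded, but freeing both before each `return r` keeps the function clean under leak checkers and matches the style of the code it replaces.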
@ -638,19 +528,44 @@ static int
kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
int r;
int r, initial = (kex->flags & KEX_INITIAL) != 0;
char *cp, **prop;
debug("SSH2_MSG_NEWKEYS received");
if (kex->ext_info_c && initial)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_input_ext_info);
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
return r;
if (initial) {
/* Remove initial KEX signalling from proposal for rekeying */
if ((r = kex_buf2prop(kex->my, NULL, &prop)) != 0)
return r;
if ((cp = match_filter_denylist(prop[PROPOSAL_KEX_ALGS],
kex->server ?
"ext-info-s,kex-strict-s-v00@openssh.com" :
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) {
error_f("match_filter_denylist failed");
goto fail;
}
free(prop[PROPOSAL_KEX_ALGS]);
prop[PROPOSAL_KEX_ALGS] = cp;
if ((r = kex_prop2buf(ssh->kex->my, prop)) != 0) {
error_f("kex_prop2buf failed");
fail:
kex_proposal_free_entries(prop);
free(prop);
return SSH_ERR_INTERNAL_ERROR;
}
kex_proposal_free_entries(prop);
free(prop);
}
kex->done = 1;
kex->flags &= ~KEX_INITIAL;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
kex->flags &= ~KEX_INIT_SENT;
free(kex->name);
kex->name = NULL;
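Review bot: the `goto fail` from the match_filter_denylist error jumps to a label placed inside the body of the following `if ((r = kex_prop2buf(...)) != 0)` block; that is legal C but hard to read, and it also discards the kex_prop2buf error code `r` in favour of SSH_ERR_INTERNAL_ERROR for both failures. Moving `fail:` after the `if` and returning `r` from the prop2buf path would be clearer.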
@ -953,20 +868,18 @@ choose_comp(struct sshcomp *comp, char *client, char *server)
static int
choose_kex(struct kex *k, char *client, char *server)
{
const struct kexalg *kexalg;
k->name = match_list(client, server, NULL);
debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
if (k->name == NULL)
return SSH_ERR_NO_KEX_ALG_MATCH;
if ((kexalg = kex_alg_by_name(k->name)) == NULL) {
if (!kex_name_valid(k->name)) {
error_f("unsupported KEX method %s", k->name);
return SSH_ERR_INTERNAL_ERROR;
}
k->kex_type = kexalg->type;
k->hash_alg = kexalg->hash_alg;
k->ec_nid = kexalg->ec_nid;
k->kex_type = kex_type_from_name(k->name);
k->hash_alg = kex_hash_from_name(k->name);
k->ec_nid = kex_nid_from_name(k->name);
return 0;
}
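Review bot: the single kex_alg_by_name lookup becomes a kex_name_valid check plus three by-name lookups (kex_type_from_name, kex_hash_from_name, kex_nid_from_name), i.e. four table walks where one sufficed; fine for a once-per-KEX path, but the kex_name_valid guard is what makes the later calls safe for an unknown name and deserves a one-line comment saying so. If the `const struct kexalg *kexalg;` declaration is still present after this change, it is now unused.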
@ -1016,7 +929,7 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
static int
kexalgs_contains(char **peer, const char *ext)
{
return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
return kex_has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
}
static int
@ -1052,6 +965,7 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
kex->kex_strict = kexalgs_contains(peer,
"kex-strict-c-v00@openssh.com");
} else {
kex->ext_info_s = kexalgs_contains(peer, "ext-info-s");
kex->kex_strict = kexalgs_contains(peer,
"kex-strict-s-v00@openssh.com");
}
@ -1066,10 +980,10 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
/* Check whether client supports rsa-sha2 algorithms */
if (kex->server && (kex->flags & KEX_INITIAL)) {
if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
if (kex_has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
"rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
if (kex_has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
"rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
}
@ -1354,7 +1268,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
sshbuf_reset(our_version);
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
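Review bot: dropping the `%.100s` precision for SSH_VERSION removes the only length bound on the identification line; SSH_VERSION is a build-time constant, but `version_addendum` comes from configuration and was already printed unbounded, and RFC 4253 caps the identification string at 255 characters including CR LF. A length check on the assembled `our_version` (or a comment on why the limit cannot be exceeded) would be worth adding here.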

20
kex.h

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.119 2023/08/28 03:28:43 djm Exp $ */
/* $OpenBSD: kex.h,v 1.123 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -92,7 +92,7 @@ enum kex_modes {
};
enum kex_exchange {
KEX_DH_GRP1_SHA1,
KEX_DH_GRP1_SHA1 = 1,
KEX_DH_GRP14_SHA1,
KEX_DH_GRP14_SHA256,
KEX_DH_GRP16_SHA512,
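Review bot: anchoring the enum at `KEX_DH_GRP1_SHA1 = 1` leaves 0 free as a "no/unknown method" value, presumably what kex_type_from_name returns for a name that fails kex_name_valid; that convention should be stated in a comment on the enum and next to the kex_type_from_name prototype, otherwise a zero-initialised struct kex or a future entry silently looks like a valid type.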
@ -109,9 +109,10 @@ enum kex_exchange {
#define KEX_INIT_SENT 0x0001
#define KEX_INITIAL 0x0002
#define KEX_HAS_PUBKEY_HOSTBOUND 0x0004
#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
#define KEX_HAS_PING 0x0020
#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
#define KEX_HAS_PING 0x0020
#define KEX_HAS_EXT_INFO_IN_AUTH 0x0040
struct sshenc {
char *name;
@ -149,7 +150,9 @@ struct kex {
u_int kex_type;
char *server_sig_algs;
int ext_info_c;
int ext_info_s;
int kex_strict;
int ext_info_received;
struct sshbuf *my;
struct sshbuf *peer;
struct sshbuf *client_version;
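Review bot: `ext_info_received` is compared against 1 (server) or 2 (client) in kex_input_ext_info and nothing in the shown hunks resets it on rekey; if that is intentional because EXT_INFO is only legal after the initial exchange, a comment on the field saying so would stop someone "fixing" it in kex_input_newkeys. `ext_info_s` mirrors `ext_info_c` for the opposite role and a short comment on each (which side sets it, from which peer flag) would help.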
@ -180,9 +183,14 @@ struct kex {
struct sshbuf *client_pub;
};
int kex_name_valid(const char *);
u_int kex_type_from_name(const char *);
int kex_hash_from_name(const char *);
int kex_nid_from_name(const char *);
int kex_names_valid(const char *);
char *kex_alg_list(char);
char *kex_names_cat(const char *, const char *);
int kex_has_any_alg(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
const char *, const char *, const char *, const char *, const char *);
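Review bot: five new prototypes (kex_name_valid, kex_type_from_name, kex_hash_from_name, kex_nid_from_name, kex_has_any_alg) have no definition in the files shown, so they and the helpers removed from kex.c presumably live in one of the omitted files; the commit message should name it. Also, kex_type_from_name returns u_int while kex_hash_from_name and kex_nid_from_name return int, so the failure conventions (0? -1?) need a comment next to the prototypes.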
@ -209,6 +217,8 @@ int kex_protocol_error(int, u_int32_t, struct ssh *);
int kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *);
int kex_send_newkeys(struct ssh *);
int kex_start_rekex(struct ssh *);
int kex_server_update_ext_info(struct ssh *);
void kex_set_server_sig_algs(struct ssh *, const char *);
int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *);

@ -1,4 +1,4 @@
/* $OpenBSD: kexgexs.c,v 1.46 2023/03/29 01:07:48 dtucker Exp $ */
/* $OpenBSD: kexgexs.c,v 1.47 2024/05/17 00:30:23 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -98,7 +98,7 @@ input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
}
/* Contact privileged parent */
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
kex->dh = mm_choose_dh(min, nbits, max);
if (kex->dh == NULL) {
(void)sshpkt_disconnect(ssh, "no matching DH grp found");
r = SSH_ERR_ALLOC_FAIL;
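Review bot: replacing `PRIVSEP(choose_dh(min, nbits, max))` with an unconditional `mm_choose_dh(min, nbits, max)` means this path always round-trips through the monitor; that is consistent with the session process always running unprivileged after the split, but it assumes the non-privsep branch has no remaining callers, which the shown files do not confirm.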

23
log.c

@ -1,4 +1,4 @@
/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
/* $OpenBSD: log.c,v 1.62 2024/06/27 22:36:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -54,7 +54,11 @@
#include "match.h"
static LogLevel log_level = SYSLOG_LEVEL_INFO;
#ifdef WINDOWS
int log_on_stderr = 1;
#else
static int log_on_stderr = 1;
#endif /* WINDOWS */
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static const char *argv0;
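Review bot: under `#ifdef WINDOWS` the `log_on_stderr` flag becomes a non-static global so another translation unit can change it; that extern should be declared in a header rather than re-declared in each consuming .c file, and a comment explaining why the Windows build needs to toggle it at runtime would help, since it is the only non-static variable in this group.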
@ -452,19 +456,6 @@ sshlogdie(const char *file, const char *func, int line, int showfunc,
cleanup_exit(255);
}
void
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
_exit(1);
}
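Review bot: removing sshsigdie (the variant that logs at SYSLOG_LEVEL_FATAL and then `_exit(1)`s without cleanup) means any remaining caller in a signal handler will now fail to link; if those callers were redirected to sshlogdie, note that it ends in `cleanup_exit(255)`, which runs cleanup code that `_exit` deliberately skipped in signal context.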
void
sshlogv(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, va_list args)
@ -474,6 +465,10 @@ sshlogv(const char *file, const char *func, int line, int showfunc,
const char *cp;
size_t i;
/* short circuit processing early if we're not going to log anything */
if (nlog_verbose == 0 && level > log_level)
return;
snprintf(tag, sizeof(tag), "%.48s:%.48s():%d (pid=%ld)",
(cp = strrchr(file, '/')) == NULL ? file : cp + 1, func, line,
(long)getpid());
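Review bot: the early return `if (nlog_verbose == 0 && level > log_level) return;` correctly skips formatting only when no verbose patterns are configured, since a pattern can raise the effective level for a matching file later in the function; a one-line comment saying why `nlog_verbose` must be checked first would stop someone from simplifying it to `level > log_level`.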

Some files were not shown because too many files have changed in this diff.