Darren Tucker [Wed, 10 Nov 2021 01:34:25 +0000 (12:34 +1100)]
Don't trust closefrom() on Linux.
glibc's closefrom implementation does not work in a chroot when the kernel
does not have close_range. It tries to read from /proc/self/fd and when
that fails dies with an assertion of sorts. Instead, call close_range
ourselves from our compat code and fall back if that fails. bz#3349,
with william.wilson at canonical.com and fweimer at redhat.com.
Darren Tucker [Sat, 6 Nov 2021 10:07:03 +0000 (21:07 +1100)]
Skip getline() on HP-UX 10.x.
HP-UX 10.x has a getline() implementation in libc that does not behave
as we expect so don't use it. With correction from Thorsten Glaser and
typo fix from Larkin Nickle.
djm@openbsd.org [Tue, 2 Nov 2021 22:56:40 +0000 (22:56 +0000)]
upstream: Better handle FIDO keys on tokens that provide user
verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports
on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag
in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities
again and check whether the token is able (right now) to perform user-
verification without a PIN. If it is then the PIN prompt is bypassed
and user verification delegated to the token. If not (e.g. the token
is biometric capable, but no biometric are enrolled), then fall back
to user verification via the usual PIN prompt.
djm@openbsd.org [Fri, 29 Oct 2021 03:03:06 +0000 (03:03 +0000)]
upstream: sshsig: add tests for signing key validity and
find-principals
- adds generic find-principals tests (this command had none before)
- tests certs with a timeboxed validity both with and without a
restriced lifetime for the CA
- test for a revoked CA cert
Damien Miller [Thu, 6 May 2021 00:08:30 +0000 (10:08 +1000)]
remove built-in support for md5crypt()
Users of MD5-hashed password should arrange for ./configure to link
against libxcrypt or similar. Though it would be better to avoid use
of MD5 password hashing entirely, it's arguably worse than DEScrypt.
upstream: For open/openat, if the flags parameter does not contain
O_CREAT, the 3rd (variadic) mode_t parameter is irrelevant. Many developers
in the past have passed mode_t (0, 044, 0644, or such), which might lead
future people to copy this broken idiom, and perhaps even believe this
parameter has some meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from mode_t on
a number of system calls as a safety factor, and his bewilderment that this
appeared to be happening against valid modes (at least visually), but no
sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok
millert
Prevent mem leaks in the (unlikely) event that getaddrinfo returns
no addresses. ALso, remove an unneeded NULL check in addr_ntop. From
khaleesicodes via github PR#281, ok deraadt@
Darren Tucker [Wed, 6 Oct 2021 06:09:31 +0000 (17:09 +1100)]
Define OPENSSL_NO_SHA including OpenSSL from test.
We don't use SHA256 from OpenSSL in the sk-dummy module and the
definitions can conflict with system sha2.h (eg on NetBSD) so define
OPENSSL_NO_SHA so we don't attempt to redefine them.
Darren Tucker [Wed, 6 Oct 2021 04:40:58 +0000 (15:40 +1100)]
Disable security key on NetBSD4 test.
sk-dummy used for the security key test includes both sha2.h and OpenSSL
causing the definitions conflict so disable security key support on this
platform.
upstream: Dynamically allocate encoded HashKnownHosts and free as
appropriate. Saves 1k of static storage and prevents snprintf "possible
truncation" warnings from newer compilers (although in this case it's false
positive since the actual sizes are limited by the output size of the SHA1).
ok djm@
This removes several do..while loops but does not change the
indentation of the now-shallower loops, which will be done in a separate
whitespace-only commit to keep changes of style and substance separate.
if SUDO isn't set for the *-command tests. This means running "make tests"
without SUDO set will perform all of the tests that it can instead of
failing on the ones it cannot run.
Darren Tucker [Wed, 29 Sep 2021 00:53:55 +0000 (10:53 +1000)]
Add new compiler hardening flags.
Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
compiler hardening flags that configure checks for. These are supported
by clang and gcc, and make ROP gadgets less useful and mitigate
stack-based infoleaks respectively. ok djm@
Darren Tucker [Thu, 23 Sep 2021 22:04:14 +0000 (08:04 +1000)]
Replacement function for buggy fgrep.
GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will
occasionally fail to find ssh host keys in the hostkey-rotate test.
If we have those versions, use awk instead.
upstream: Switch scp back to use the old protocol by default, ahead of
release. We'll wait a little longer for people to pick up sftp-server(8) that
supports the extension that scp needs for ~user paths to continue working in
SFTP protocol mode. Discussed with deraadt@
upstream: Do not ignore SIGINT while waiting for input if editline(3)
is not used. Instead, in non-interactive mode, exit sftp(1), like for other
serious errors. As pointed out by dtucker@, when compiled without editline(3)
support in portable OpenSSH, the el == NULL branch is also used for
interactive mode. In that case, discard the input line and provide a fresh
prompt to the user just like in the case where editline(3) is used. OK djm@
David Carlier [Wed, 8 Sep 2021 18:49:54 +0000 (19:49 +0100)]
Disable tracing on FreeBSD using procctl.
Placed at the start of platform_disable_tracing() to prevent declaration
after code errors from strict C89 compilers (in the unlikely event that
more than one method is enabled).
projects / thirdparty / openssh-portable.git / log
