Darren Tucker [Tue, 16 Jun 2026 08:16:32 +0000 (18:16 +1000)]
Remove check for OpenSSL w/out AES192/256.
This was the case for some old Solaris versions, but the support for it
has long been removed from our compat layer so there's no point checking
for it.
djm@openbsd.org [Mon, 15 Jun 2026 01:55:44 +0000 (01:55 +0000)]
upstream: fix multiple problems with testing hostkey types that are not
enabled by default.
1) Add all hostkey types in the "multiple hostkeys" subtest.
Previously known_hosts was accidentally clobbered, causing
only the last added hostkey type to be used.
2) Explicitly enable the hostkey types under test via
HostKeyAlgorithms
djm@openbsd.org [Sun, 14 Jun 2026 03:59:34 +0000 (03:59 +0000)]
upstream: Add experimental support for a composite post-quantum
signature scheme that combines ML-DSA 44 and Ed25519 using the construction
specified in draft-ietf-lamps-pq-composite-sigs. There's also an early draft
documenting use of the integration of this scheme into SSH as
draft-miller-sshm-mldsa44-ed25519-composite-sigs
This scheme is not enabled by default. To use it, you'll need
to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
The ML-DSA implementation comes from libcrux. Thanks to
Jonas Schneider-Bensch and Jonathan Protzenko for their work to
make this available.
Consensus is that it's time to get this in to allow people to
experiment with it.
Damien Miller [Sat, 6 Jun 2026 23:56:41 +0000 (09:56 +1000)]
sync fmt_scaled.c with OpenBSD upstream
Notably picks up this commit:
revision 1.24
date: 2026/06/06 23:49:25; author: djm; state: Exp; lines: +28 -12; commitid: oznzDs0MaUT3FEqO;
rearrange scan_scaled(3) ordering of multiplications and divisions
to better preserve accuracy for large exponents. From metsw24-max
via https://github.com/openssh/openssh-portable/pull/671/
Darren Tucker [Mon, 1 Jun 2026 07:40:03 +0000 (17:40 +1000)]
Pass awk detected by configure to regress tests.
Some platforms' basic awk doesn't have toupper, but other awks like nawk
or gawk do. Pass the one found by configure through to the regress
tests, and make a wrapper for it so we don't need to modify any tests.
djm@openbsd.org [Mon, 1 Jun 2026 05:49:20 +0000 (05:49 +0000)]
upstream: sk-usbhid: skip unsupported key types in read_rks()
When enumerating resident keys, encountering a credential with an
unsupported COSE key type (not ES256 or EdDSA) caused the entire
enumeration to abort via goto out, discarding all valid keys.
Move the key type check before the per-credential allocation so
unsupported types can be skipped with continue instead. This
preserves all valid resident keys on the token.
djm@openbsd.org [Mon, 1 Jun 2026 05:40:13 +0000 (05:40 +0000)]
upstream: Actually set pollfd.events correctly for socket type
channels; previously we were throwing away the events we computed if the
channel had a c->sock distinct from its other read and write fds.
Fortunately, it appears that this case happens rarely, if ever.
djm@openbsd.org [Sun, 31 May 2026 04:20:58 +0000 (04:20 +0000)]
upstream: flesh out match_pattern() tests, including a new
comparison test of the new NFA-based implementation against the original one
for all possible combinations of short inputs and patterns constructed from a
small dictionary of possibilities.
djm@openbsd.org [Sun, 31 May 2026 11:30:50 +0000 (11:30 +0000)]
upstream: big refactor of sshd config management code.
This generates much of the initialisation, defaults and keyword table
code from a set of macros rather than hand coding them. These same
macros are also used to generate serialisation and deserialisation
code.
The macros are admittedly ugly but have the advantage of forcing a
good degree of consistency across places that need to stay in sync
with each other.
The new de/serialisation code is used to pass configurations across
the various sshd-* process boundaries. This removes the need to pass
around raw text configurations that need to be re-parsed as well as
eliminating some raw pointer leakage across the processes where
structures were previously clumsily serialised.
djm@openbsd.org [Sun, 31 May 2026 05:55:21 +0000 (05:55 +0000)]
upstream: DNS0x20[1] can randomise the case of domain names returned by
lookup to force some more uniqueness in queries to reduce the likelihood of
spoofing attacks succeeding.
Normally this should be hidden from the user by the resolver, but
in some cases it can leak through. When it does, it can mess up
ssh's CanonicalizePermittedCNAMEs.
Fix this by forcing the name we received from the system resolver to
lowercase.
djm@openbsd.org [Sun, 31 May 2026 04:51:45 +0000 (04:51 +0000)]
upstream: Fix two separate one-byte out-of-bound reads
1) if a server sent an empty reply to an SSH2_FXP_REALPATH request
2) if a batch command used the full 2048 byte buffer but ended in a
literal backslash character
Both reported by Zhenpeng (Leo) Lin from depthfirst
djm@openbsd.org [Sun, 31 May 2026 04:44:38 +0000 (04:44 +0000)]
upstream: make the transport protocol stricter by disconnecting if
the peer sends non-KEX messages during a key re-exchange.
Previously an evil peer could continue sending non-KEX messages
without penalty, causing memory to be wasted up until the
connection terminated or the server/client hit an OOM limit.
djm@openbsd.org [Sun, 31 May 2026 04:37:56 +0000 (04:37 +0000)]
upstream: stricter validation of the transport state passed from
the unprivileged preauth sshd-auth process to the user-privileged postauth
sshd-session process.
These are harmless unless an attacker had an exploit for sshd-auth
in which case they could be used for post-auth memory DoS or to
crash your own session in a new and exciting way.
djm@openbsd.org [Sun, 31 May 2026 04:31:04 +0000 (04:31 +0000)]
upstream: Enforce a maximum size for usernames in agent key use
constraints
Along with the match_pattern() performance change that was just
committed this avoids a denial-of-service where an agent client could
waste CPU on an agent by sending user constraints with lots of
wildcards.
tb@openbsd.org [Wed, 27 May 2026 13:54:15 +0000 (13:54 +0000)]
upstream: ssh: use sentinel idiom for timegm(3) and mktime(3)
There is nothing wrong with times before the epoch, even -1, so use the
idiom recently added to the CAVEATS section to figure out whether there
was an error in the timegm() or mktime() calls.
We should sweep the tree for this. If anyone is bored, feel free to beat
me to it...
djm@openbsd.org [Thu, 21 May 2026 04:04:57 +0000 (04:04 +0000)]
upstream: mention that compression could potentially leak
information about session contents (cf. the CRIME attack on TLS) if a
connection allows attacker-controlled traffic over it alongside trusted
traffic. This might occur in some forwarding scenarios.
Instead of freeing struct dns_query and struct dns_rr by walking the
linked lists recursively, use a simple loop. This avoids a possible
stack exhaustion unlikely to be reachable with the limits modern
resolvers impose.
Darren Tucker [Mon, 4 May 2026 11:40:52 +0000 (21:40 +1000)]
Improve Solaris PAM tests.
- Set up and run tests with SUDO.
- Set random password to use for password & kbdint auth tests.
- Only run t-exec when re-testing with PAM, don't rerun unit tests.
- When testing PAM builds, test with and without UsePAM.
Renaud Allard [Sat, 21 Mar 2026 18:23:04 +0000 (19:23 +0100)]
vm.yml: fix solaris PAM tests
Add missing SSHD_CONFOPTS="UsePam yes" to the solaris PAM test
step so it actually tests PAM functionality instead of re-running
the default tests with a PAM-enabled binary.