Darren Tucker [Fri, 5 Jun 2020 03:20:10 +0000 (13:20 +1000)]
Test fallthrough in OSSH_CHECK_CFLAG_COMPILE.
clang 10's -Wimplicit-fallthrough does not understand /* FALLTHROUGH */
comments and we don't use the __attribute__((fallthrough)) that it's
looking for. This has the effect of turning off -Wimplicit-fallthrough
where it does not currently help (particularly with -Werror). ok djm@
upstream: Pass a NULL instead of zeroed out va_list from
dollar_expand. The original intent was in case there's some platform where
va_list is not a pointer equivalent, but on i386 this chokes on the memset.
This unbreaks that build, but will require further consideration.
upstream: Allow some keywords to expand shell-style ${ENV}
environment variables on the client side. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket paths. This
would for example allow forwarding of Unix domain socket paths that change at
runtime. bz#3140, ok djm@
tobias [Thu, 26 Mar 2015 21:22:50 +0000 (21:22 +0000)]
partial sync of regress/netcat.c with upstream
The code in socks.c writes multiple times in a row to a socket. If the socket becomes invalid between these calls (e.g. connection closed), write will throw SIGPIPE. With this patch, SIGPIPE is ignored so we can handle write's -1 return value (errno will be EPIPE). Ultimately, it leads to program exit, too -- but with nicer error message. :)
djm@openbsd.org [Wed, 27 May 2020 22:35:19 +0000 (22:35 +0000)]
upstream: two new tests for Include in sshd_config, checking whether
Port directives are processed correctly and handling of Include directives
that appear before Match. Both tests currently fail. bz#3122 and bz#3169 -
patch from Jakub Jelen
djm@openbsd.org [Tue, 26 May 2020 01:26:58 +0000 (01:26 +0000)]
upstream: Restrict ssh-agent from signing web challenges for FIDO
keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently pubkey authentication and sshsig signatures).
This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.
Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.
djm@openbsd.org [Tue, 26 May 2020 01:06:52 +0000 (01:06 +0000)]
upstream: add fmt_timeframe() (from bgpd) to format a time
interval in a human- friendly format. Switch copyright for this file from BSD
to MIT to make it easier to add Henning's copyright for this function. ok
markus@
upstream: sshd listener must not block if reexecd sshd exits
in write(2) on config_s[0] if the forked child exits early before finishing
recv_rexec_state (e.g. with fatal()) because config_s[1] stays open in the
parent. this prevents the parent from accepting new connections. ok djm,
deraadt
djm@openbsd.org [Fri, 15 May 2020 03:57:33 +0000 (03:57 +0000)]
upstream: fix off-by-one error that caused sftp downloads to make
one more concurrent request that desired. This prevented using sftp(1) in
unpipelined request/response mode, which is useful when debugging. Patch from
Stephen Goetze in bz#3054
djm@openbsd.org [Wed, 13 May 2020 10:08:02 +0000 (10:08 +0000)]
upstream: Enable credProtect extension when generating a resident
key.
The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect"
feature to better protect resident keys. This option allows (amone other
possibilities) requiring a PIN prior to all operations that may retrieve
the key handle.
Damien Miller [Thu, 14 May 2020 02:22:09 +0000 (12:22 +1000)]
prefer ln to cp for temporary copy of sshd
I saw failures on the reexec fallback test on Darwin 19.4 where
fork()ed children of a process that had it's executable removed
would instantly fail. Using ln to preserve the inode avoids this.
Damien Miller [Wed, 13 May 2020 02:08:34 +0000 (12:08 +1000)]
explicitly manage .depend and .depend.bak
Bring back removal of .depend to give the file a known state before
running makedepend, but manually move aside the current .depend file
and restore it as .depend.bak afterwards so the stale .depend check
works as expected.
Damien Miller [Wed, 13 May 2020 02:01:10 +0000 (12:01 +1000)]
revert removal of .depend before makedepend
Commit 83657eac4 started removing .depend before running makedepend
to reset the contents of .depend to a known state. Unfortunately
this broke the depend-check step as now .depend.bak would only ever
be created as an empty file.
Darren Tucker [Fri, 8 May 2020 11:50:43 +0000 (21:50 +1000)]
Ensure SA_SIGNAL test only signals itself.
When the test's child signals its parent and it exits the result of
getppid changes. On Ubuntu 20.04 this results in the ppid being that
of the GDM session, causing it to exit. Analysis and testing from pedro
at ambientworks.net
djm@openbsd.org [Fri, 1 May 2020 04:00:29 +0000 (04:00 +0000)]
upstream: make mktestdata.sh generate old/new format keys that we
expect. This script was written before OpenSSH switched to new-format private
keys by default and was never updated to the change (until now) From Michael
Forney
Darren Tucker [Fri, 1 May 2020 08:32:25 +0000 (18:32 +1000)]
Use LONG_LONG_MAX and friends if available.
If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX}
then use those instead. We do calculate these values in configure,
but it turns out that at least one compiler (old HP ANSI C) can't
parse "-9223372036854775808LL" without mangling it. (It can parse
"-9223372036854775807LL" which is presumably why its limits.h defines
LONG_LONG_MIN as the latter minus 1.)
Fixes rekey test when compiled with the aforementioned compiler.
djm@openbsd.org [Fri, 1 May 2020 06:31:42 +0000 (06:31 +0000)]
upstream: when receving a file in sink(), be careful to send at
most a single error response after the file has been opened. Otherwise the
source() and sink() can become desyncronised. Reported by Daniel Goujot,
Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.
Darren Tucker [Fri, 1 May 2020 05:09:26 +0000 (15:09 +1000)]
See if SA_RESTART signals will interrupt select().
On some platforms (at least older HP-UXes such as 11.11, possibly others)
setting SA_RESTART on signal handers will cause it to not interrupt
select(), at least for calls that do not specify a timeout. Try to
detect this and if found, don't use SA_RESTART.
POSIX says "If SA_RESTART has been set for the interrupting signal, it
is implementation-dependent whether select() restarts or returns with
[EINTR]" so this behaviour is within spec.
upstream: when signing a challenge using a FIDO toke, perform the
hashing in the middleware layer rather than in ssh code. This allows
middlewares that call APIs that perform the hashing implicitly (including
Microsoft's AFAIK). ok markus@
Darren Tucker [Fri, 24 Apr 2020 05:07:55 +0000 (15:07 +1000)]
Error out if given RDomain if unsupported.
If the config contained 'RDomain %D' on a platform that did not support
it, the error would not be detected until runtime resulting in a broken
sshd. Detect this earlier and error out if found. bz#3126, based on a
patch from jjelen at redhat.com, tweaks and ok djm@
projects / thirdparty / openssh-portable.git / log
