git.ipfire.org Git - thirdparty/openssh-portable.git/log

Damien Miller [Fri, 15 Nov 2019 04:08:28 +0000 (15:08 +1100)] 
upstream commit

revision 1.40
date: 2013/09/30 12:02:34;  author: millert;  state: Exp;  lines: +14 -15;
Use PATH_MAX, NAME_MAX and LOGIN_NAME_MAX not MAXPATHNAMELEN,
MAXNAMLEN or MAXLOGNAME where possible.  OK deraadt@

Damien Miller [Fri, 15 Nov 2019 04:07:30 +0000 (15:07 +1100)] 
upstream commit

revision 1.39
date: 2012/01/20 07:09:42;  author: tedu;  state: Exp;  lines: +4 -4;
the glob stat limit is way too low.  bump to 2048.
while here, failed stats should count against the limit too.
ok deraadt sthen stsp

djm@openbsd.org [Fri, 15 Nov 2019 03:41:57 +0000 (03:41 +0000)] 
upstream: U2F tokens may return FIDO_ERR_USER_PRESENCE_REQUIRED when

probed to see if they own a key handle. Handle this case so the find_device()
look can work for them. Reported by Michael Forney

OpenBSD-Commit-ID: 2ccd5b30a6ddfe4dba228b7159bf168601bd9166

Darren Tucker [Fri, 15 Nov 2019 03:01:00 +0000 (14:01 +1100)] 
Add libfido2 to INSTALL.

Darren Tucker [Fri, 15 Nov 2019 02:42:15 +0000 (13:42 +1100)] 
libcrypto is now optional.

djm@openbsd.org [Fri, 15 Nov 2019 02:38:07 +0000 (02:38 +0000)] 
upstream: show the "please touch your security key" notifier when

using the (default) built-in security key support.

OpenBSD-Commit-ID: 4707643aaa7124501d14e92d1364b20f312a6428

djm@openbsd.org [Fri, 15 Nov 2019 02:37:24 +0000 (02:37 +0000)] 
upstream: close the "touch your security key" notifier on the error

path too

OpenBSD-Commit-ID: c7628bf80505c1aefbb1de7abc8bb5ee51826829

djm@openbsd.org [Fri, 15 Nov 2019 02:20:06 +0000 (02:20 +0000)] 
upstream: correct function name in debug message

OpenBSD-Commit-ID: 2482c99d2ce448f39282493050f8a01e3ffc39ab

djm@openbsd.org [Fri, 15 Nov 2019 00:32:40 +0000 (00:32 +0000)] 
upstream: follow existing askpass logic for security key notifier:

fall back to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment
variable is set.

OpenBSD-Commit-ID: cda753726b13fb797bf7a9f7a0b3022d9ade4520

djm@openbsd.org [Thu, 14 Nov 2019 21:56:52 +0000 (21:56 +0000)] 
upstream: remove debugging goop that snuck in to last commit

OpenBSD-Commit-ID: 8ea4455a2d9364a0a04f9e4a2cbfa4c9fcefe77e

Damien Miller [Fri, 15 Nov 2019 00:21:26 +0000 (11:21 +1100)] 
don't fatal if libfido2 not found

spotted by dtucker@

Damien Miller [Fri, 15 Nov 2019 00:17:12 +0000 (11:17 +1100)] 
correct object dependency

djm@openbsd.org [Thu, 14 Nov 2019 21:27:29 +0000 (21:27 +0000)] 
upstream: directly support U2F/FIDO2 security keys in OpenSSH by

linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069

markus@openbsd.org [Wed, 13 Nov 2019 22:00:21 +0000 (22:00 +0000)] 
upstream: in order to be able to figure out the number of

signatures left on a shielded key, we need to transfer the number of
signatures left from the private to the public key. ok djm@

OpenBSD-Commit-ID: 8a5d0d260aeace47d372695fdae383ce9b962574

markus@openbsd.org [Wed, 13 Nov 2019 20:25:45 +0000 (20:25 +0000)] 
upstream: fix check for sig_s; noted by qsa at qualys.com

OpenBSD-Commit-ID: 34198084e4afb424a859f52c04bb2c9668a52867

dtucker@openbsd.org [Wed, 13 Nov 2019 11:25:11 +0000 (11:25 +0000)] 
upstream: When clients get denied by MaxStartups, send a

notification prior to the SSH2 protocol banner according to RFC4253 section
4.2.  ok djm@ deraadt@ markus@

OpenBSD-Commit-ID: e5dabcb722d54dea18eafb336d50b733af4f9c63

markus@openbsd.org [Wed, 13 Nov 2019 07:53:10 +0000 (07:53 +0000)] 
upstream: fix shield/unshield for xmss keys:

- in ssh-agent we need to delay the call to shield until we have received
  key specific options.
- when serializing xmss keys for shield we need to deal with all optional
  components (e.g. state might not be loaded).

ok djm@

OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f

deraadt@openbsd.org [Wed, 13 Nov 2019 05:42:26 +0000 (05:42 +0000)] 
upstream: remove size_t gl_pathc < 0 test, it is invalid. the

return value from glob() is sufficient. discussed with djm

OpenBSD-Commit-ID: c91203322db9caaf7efaf5ae90c794a91070be3c

deraadt@openbsd.org [Wed, 13 Nov 2019 04:47:52 +0000 (04:47 +0000)] 
upstream: stdarg.h required more broadly; ok djm

OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513

Darren Tucker [Thu, 14 Nov 2019 05:08:17 +0000 (16:08 +1100)] 
Put sshsk_sign call inside ifdef ENABLE_SK.

Fixes build against OpenSSL configured without ECC.

Darren Tucker [Wed, 13 Nov 2019 12:27:31 +0000 (23:27 +1100)] 
Remove duplicate __NR_clock_nanosleep

Darren Tucker [Wed, 13 Nov 2019 12:19:35 +0000 (23:19 +1100)] 
seccomp: Allow clock_nanosleep() in sandbox.

seccomp: Allow clock_nanosleep() to make OpenSSH work with latest
glibc.  Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.

Darren Tucker [Wed, 13 Nov 2019 00:56:56 +0000 (11:56 +1100)] 
Include stdarg.h for va_list in xmalloc.h.

Darren Tucker [Wed, 13 Nov 2019 00:19:26 +0000 (11:19 +1100)] 
Put headers inside ifdef _AIX.

Prevents compile errors due to missing definitions (eg va_list) on
non-AIX platforms.

Darren Tucker [Tue, 12 Nov 2019 23:41:41 +0000 (10:41 +1100)] 
Fix comment in match_usergroup_pattern_list.

Spotted by balu.gajjala@gmail.com via bz#3092.

djm@openbsd.org [Tue, 12 Nov 2019 22:38:19 +0000 (22:38 +0000)] 
upstream: allow an empty attestation certificate returned by a

security key enrollment - these are possible for tokens that only offer
self-attestation. This also needs support from the middleware.

ok markus@

OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc

djm@openbsd.org [Tue, 12 Nov 2019 22:36:44 +0000 (22:36 +0000)] 
upstream: security keys typically need to be tapped/touched in

order to perform a signature operation. Notify the user when this is expected
via the TTY (if available) or $SSH_ASKPASS if we can.

ok markus@

OpenBSD-Commit-ID: 0ef90a99a85d4a2a07217a58efb4df8444818609

djm@openbsd.org [Tue, 12 Nov 2019 22:35:02 +0000 (22:35 +0000)] 
upstream: pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

OpenBSD-Commit-ID: 08d46712e5e5f1bad0aea68e7717b7bec1ab8959

djm@openbsd.org [Tue, 12 Nov 2019 22:34:20 +0000 (22:34 +0000)] 
upstream: add API for performing one-shot notifications via tty or

SSH_ASKPASS

OpenBSD-Commit-ID: 9484aea33aff5b62ce3642bf259546c7639f23f3

djm@openbsd.org [Tue, 12 Nov 2019 22:32:48 +0000 (22:32 +0000)] 
upstream: add xvasprintf()

OpenBSD-Commit-ID: e5e3671c05c121993b034db935bce1a7aa372247

Darren Tucker [Tue, 12 Nov 2019 22:08:55 +0000 (09:08 +1100)] 
Remove leftover if statement from sync.

markus@openbsd.org [Tue, 12 Nov 2019 19:34:40 +0000 (19:34 +0000)] 
upstream: remove extra layer for ed25519 signature; ok djm@

OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47

markus@openbsd.org [Tue, 12 Nov 2019 19:34:00 +0000 (19:34 +0000)] 
upstream: check sig_r and sig_s for ssh-sk keys; ok djm

OpenBSD-Commit-ID: 1a1e6a85b5f465d447a3800f739e35c5b74e0abc

markus@openbsd.org [Tue, 12 Nov 2019 19:33:08 +0000 (19:33 +0000)] 
upstream: enable ed25519 support; ok djm

OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e

markus@openbsd.org [Tue, 12 Nov 2019 19:32:30 +0000 (19:32 +0000)] 
upstream: update sk-api to version 2 for ed25519 support; ok djm

OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a

markus@openbsd.org [Tue, 12 Nov 2019 19:31:45 +0000 (19:31 +0000)] 
upstream: implement sshsk_ed25519_assemble(); ok djm

OpenBSD-Commit-ID: af9ec838b9bc643786310b5caefc4ca4754e68c6

markus@openbsd.org [Tue, 12 Nov 2019 19:31:18 +0000 (19:31 +0000)] 
upstream: implement sshsk_ed25519_inner_sig(); ok djm

OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910

markus@openbsd.org [Tue, 12 Nov 2019 19:30:50 +0000 (19:30 +0000)] 
upstream: rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm

OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19

markus@openbsd.org [Tue, 12 Nov 2019 19:30:21 +0000 (19:30 +0000)] 
upstream: factor out sshsk_ecdsa_inner_sig(); ok djm@

OpenBSD-Commit-ID: 07e41997b542f670a15d7e2807143fe01efef584

markus@openbsd.org [Tue, 12 Nov 2019 19:29:54 +0000 (19:29 +0000)] 
upstream: factor out sshsk_ecdsa_assemble(); ok djm@

OpenBSD-Commit-ID: 2313761a3a84ccfe032874d638d3c363e0f14026

markus@openbsd.org [Tue, 12 Nov 2019 19:29:24 +0000 (19:29 +0000)] 
upstream: implement ssh-ed25519-sk verification; ok djm@

OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6

Damien Miller [Tue, 12 Nov 2019 21:48:30 +0000 (08:48 +1100)] 
ignore ssh-sk-helper

deraadt@openbsd.org [Mon, 11 Nov 2019 19:53:37 +0000 (19:53 +0000)] 
upstream: skip demanding -fstack-protector-all on hppa. we never

wrote a stack protector for reverse-stack architectures, and i don't think
anyone else did either. a warning per compiled file is just annoying.

OpenBSD-Commit-ID: 14806a59353152f843eb349e618abbf6f4dd3ada

djm@openbsd.org [Fri, 8 Nov 2019 03:54:02 +0000 (03:54 +0000)] 
upstream: duplicate 'x' character in getopt(3) optstring

OpenBSD-Commit-ID: 64c81caa0cb5798de3621eca16b7dd22e5d0d8a7

naddy@openbsd.org [Thu, 7 Nov 2019 08:38:38 +0000 (08:38 +0000)] 
upstream: Fill in missing man page bits for U2F security key support:

Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4

Darren Tucker [Sat, 2 Nov 2019 13:10:43 +0000 (00:10 +1100)] 
Put sftp-realpath in libssh.a

and remove it from the specific binary targets.

Darren Tucker [Sat, 2 Nov 2019 13:09:21 +0000 (00:09 +1100)] 
statfs might be defined in sys/mount.h.

eg on old NetBSDs.

Darren Tucker [Sat, 2 Nov 2019 12:25:01 +0000 (23:25 +1100)] 
Put stdint.h inside ifdef HAVE_STDINT_H.

Darren Tucker [Sat, 2 Nov 2019 11:45:44 +0000 (22:45 +1100)] 
Rebuild .depend.

Darren Tucker [Sat, 2 Nov 2019 11:42:05 +0000 (22:42 +1100)] 
Define __BSD_VISIBLE in fnmatch.h.

.. since we use symbols defined only when it is when using the compat
fnmatch.

Darren Tucker [Sat, 2 Nov 2019 05:39:38 +0000 (16:39 +1100)] 
Only enable U2F if OpenSSL supports ECC.

This requires moving the U2F bits to below the OpenSSL parts so we have
the required information.  ok djm@

naddy@openbsd.org [Fri, 1 Nov 2019 12:10:43 +0000 (12:10 +0000)] 
upstream: fix miscellaneous text problems; ok djm@

OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f

Darren Tucker [Fri, 1 Nov 2019 07:26:07 +0000 (18:26 +1100)] 
Add flags needed to build and work on Ultrix.

Darren Tucker [Fri, 1 Nov 2019 07:24:29 +0000 (18:24 +1100)] 
Hook up fnmatch for platforms that don't have it.

Darren Tucker [Fri, 1 Nov 2019 07:17:42 +0000 (18:17 +1100)] 
Add missing bracket in realpath macro.

Darren Tucker [Fri, 1 Nov 2019 06:32:47 +0000 (17:32 +1100)] 
Import fnmatch.c from OpenBSD.

Darren Tucker [Fri, 1 Nov 2019 04:22:32 +0000 (15:22 +1100)] 
Use sftp_realpath if no native realpath.

Darren Tucker [Fri, 1 Nov 2019 04:06:16 +0000 (15:06 +1100)] 
Configure flags for haiku from haikuports.

Should build with the default flags with ./configure

djm@openbsd.org [Fri, 1 Nov 2019 03:54:33 +0000 (03:54 +0000)] 
upstream: fix a race condition in the SIGCHILD handler that could turn

in to a kill(-1); bz3084, reported by Gao Rui, ok dtucker@

OpenBSD-Commit-ID: ac2742e04a69d4c34223505b6a32f6d686e18896

Damien Miller [Fri, 1 Nov 2019 03:49:25 +0000 (14:49 +1100)] 
conditionalise SK sign/verify on ENABLE_SK

Spotted by Darren and his faux-Vax

Darren Tucker [Fri, 1 Nov 2019 03:41:07 +0000 (14:41 +1100)] 
Add prototype for localtime_r if needed.

Darren Tucker [Fri, 1 Nov 2019 02:42:12 +0000 (13:42 +1100)] 
Check if IP_TOS is defined before using.

Damien Miller [Fri, 1 Nov 2019 02:34:49 +0000 (13:34 +1100)] 
autoconf pieces for U2F support

Mostly following existing logic for PKCS#11 - turning off support
when either libcrypto or dlopen(3) are unavailable.

djm@openbsd.org [Fri, 1 Nov 2019 02:32:05 +0000 (02:32 +0000)] 
upstream: remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path

OpenBSD-Commit-ID: 95a7cafad2a4665d57cabacc28031fabc0bea9fc

djm@openbsd.org [Fri, 1 Nov 2019 02:06:52 +0000 (02:06 +0000)] 
upstream: more additional source files

OpenBSD-Regress-ID: 8eaa25fb901594aee23b76eda99dca5b8db94c6f

djm@openbsd.org [Fri, 1 Nov 2019 02:04:25 +0000 (02:04 +0000)] 
upstream: additional source files here too

OpenBSD-Regress-ID: 8809f8e1c8f7459e7096ab6b58d8e56cb2f483fd

djm@openbsd.org [Fri, 1 Nov 2019 02:03:27 +0000 (02:03 +0000)] 
upstream: additional source files here too

OpenBSD-Regress-ID: 09297e484327f911fd353489518cceaa0c1b95ce

djm@openbsd.org [Fri, 1 Nov 2019 01:57:59 +0000 (01:57 +0000)] 
upstream: adapt to extra sshkey_sign() argument and additional

dependencies

OpenBSD-Regress-ID: 7a25604968486c4d6f81d06e8fbc7d17519de50e

djm@openbsd.org [Fri, 1 Nov 2019 01:55:41 +0000 (01:55 +0000)] 
upstream: skip security-key key types for tests until we have a

dummy U2F middleware to use.

OpenBSD-Regress-ID: 37200462b44334a4ad45e6a1f7ad1bd717521a95

jmc@openbsd.org [Fri, 1 Nov 2019 00:52:35 +0000 (00:52 +0000)] 
upstream: sort;

OpenBSD-Commit-ID: 8264b0be01ec5a60602bd50fd49cc3c81162ea16

djm@openbsd.org [Thu, 31 Oct 2019 21:37:33 +0000 (21:37 +0000)] 
upstream: undo debugging bits that shouldn't have been committed

OpenBSD-Commit-ID: 4bd5551b306df55379afe17d841207990eb773bf

Damien Miller [Thu, 31 Oct 2019 22:24:58 +0000 (09:24 +1100)] 
depend

djm@openbsd.org [Thu, 31 Oct 2019 21:28:27 +0000 (21:28 +0000)] 
upstream: fix -Wshadow warning

OpenBSD-Commit-ID: 3441eb04f872a00c2483c11a5f1570dfe775103c

djm@openbsd.org [Thu, 31 Oct 2019 21:23:19 +0000 (21:23 +0000)] 
upstream: Refactor signing - use sshkey_sign for everything,

including the new U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c

djm@openbsd.org [Thu, 31 Oct 2019 21:22:01 +0000 (21:22 +0000)] 
upstream: ssh-agent support for U2F/FIDO keys

feedback & ok markus@

OpenBSD-Commit-ID: bb544a44bc32e45d2ec8bf652db2046f38360acb

djm@openbsd.org [Thu, 31 Oct 2019 21:20:38 +0000 (21:20 +0000)] 
upstream: ssh AddKeysToAgent support for U2F/FIDO keys

feedback & ok markus@

OpenBSD-Commit-ID: ac08e45c7f995fa71f8d661b3f582e38cc0a2f91

djm@openbsd.org [Thu, 31 Oct 2019 21:19:56 +0000 (21:19 +0000)] 
upstream: ssh-add support for U2F/FIDO keys

OpenBSD-Commit-ID: 7f88a5181c982687afedf3130c6ab2bba60f7644

djm@openbsd.org [Thu, 31 Oct 2019 21:19:14 +0000 (21:19 +0000)] 
upstream: add new agent key constraint for U2F/FIDO provider

feedback & ok markus@

OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172

djm@openbsd.org [Thu, 31 Oct 2019 21:18:28 +0000 (21:18 +0000)] 
upstream: ssh client support for U2F/FIDO keys

OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc

djm@openbsd.org [Thu, 31 Oct 2019 21:17:49 +0000 (21:17 +0000)] 
upstream: Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@

OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429

djm@openbsd.org [Thu, 31 Oct 2019 21:17:09 +0000 (21:17 +0000)] 
upstream: ssh-keygen support for generating U2F/FIDO keys

OpenBSD-Commit-ID: 6ce04f2b497ac9dd8c327f76f1e6c724fb1d1b37

djm@openbsd.org [Thu, 31 Oct 2019 21:16:20 +0000 (21:16 +0000)] 
upstream: U2F/FIDO middleware interface

Supports enrolling (generating) keys and signatures.

feedback & ok markus@

OpenBSD-Commit-ID: 73d1dd5939454f9c7bd840f48236cba41e8ad592

djm@openbsd.org [Thu, 31 Oct 2019 21:15:14 +0000 (21:15 +0000)] 
upstream: Initial infrastructure for U2F/FIDO support

Key library support: including allocation, marshalling public/private
keys and certificates, signature validation.

feedback & ok markus@

OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7

djm@openbsd.org [Thu, 31 Oct 2019 21:14:17 +0000 (21:14 +0000)] 
upstream: Protocol documentation for U2F/FIDO keys in OpenSSH

OpenBSD-Commit-ID: 8f3247317c2909870593aeb306dff848bc427915

Damien Miller [Thu, 31 Oct 2019 21:36:16 +0000 (08:36 +1100)] 
Missing unit test files

Darren Tucker [Tue, 29 Oct 2019 08:45:03 +0000 (19:45 +1100)] 
Add implementation of localtime_r.

dtucker@openbsd.org [Tue, 29 Oct 2019 07:47:27 +0000 (07:47 +0000)] 
upstream: Signal handler cleanup: remove leftover support for

unreliable signals and now-unneeded save and restore of errno.  ok deraadt@
markus@

OpenBSD-Commit-ID: 01dd8a1ebdd991c8629ba1f5237283341a93cd88

jmc@openbsd.org [Tue, 22 Oct 2019 08:50:35 +0000 (08:50 +0000)] 
upstream: fixes from lucas;

OpenBSD-Commit-ID: 4c4bfd2806c5bbc753788ffe19c5ee13aaf418b2

dtucker@openbsd.org [Tue, 22 Oct 2019 07:06:35 +0000 (07:06 +0000)] 
upstream: Import regenerated moduli file.

OpenBSD-Commit-ID: 58ec755be4e51978ecfee73539090eb68652a987

Darren Tucker [Mon, 28 Oct 2019 10:19:47 +0000 (21:19 +1100)] 
Fix ifdefs to not mask needed bits.

Darren Tucker [Mon, 28 Oct 2019 06:05:36 +0000 (17:05 +1100)] 
Only use RLIMIT_NOFILE if it's defined.

Darren Tucker [Mon, 28 Oct 2019 05:09:04 +0000 (16:09 +1100)] 
Make sure we have struct statfs before using.

Darren Tucker [Mon, 28 Oct 2019 05:06:59 +0000 (16:06 +1100)] 
Define UINT32_MAX if needed.

Darren Tucker [Mon, 28 Oct 2019 05:00:45 +0000 (16:00 +1100)] 
Move utimensat definition into timespec section.

Since utimensat uses struct timespec, move it to the section where we
define struct timespec when needed.

Darren Tucker [Mon, 28 Oct 2019 04:57:22 +0000 (15:57 +1100)] 
Wrap OpenSSL bits in WITH_OPENSSL.

Darren Tucker [Mon, 28 Oct 2019 04:53:25 +0000 (15:53 +1100)] 
Wrap poll.h includes in HAVE_POLL_H.

Darren Tucker [Thu, 24 Oct 2019 03:39:49 +0000 (14:39 +1100)] 
Add a function call stackprotector tests.

Including a function call in the test programs for the gcc stack
protector flag tests exercises more of the compiler and makes it more
likely it'll detect problems.

Darren Tucker [Tue, 22 Oct 2019 07:09:22 +0000 (18:09 +1100)] 
Import regenerated moduli file.

djm@openbsd.org [Wed, 16 Oct 2019 06:05:39 +0000 (06:05 +0000)] 
upstream: potential NULL dereference for revoked hostkeys; reported

by krishnaiah bommu

OpenBSD-Commit-ID: 35ff685e7cc9dd2e3fe2e3dfcdcb9bc5c79f6506

djm@openbsd.org [Wed, 16 Oct 2019 06:03:30 +0000 (06:03 +0000)] 
upstream: free buf before return; reported by krishnaiah bommu

OpenBSD-Commit-ID: 091bb23a6e913af5d4f72c50030b53ce1cef4de1