author | Ed Maste <emaste@FreeBSD.org> | 2020-02-14 19:47:15 +0000 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2020-02-14 19:47:15 +0000 |
commit | f02e39982452024dafcf0ea6e536ebff586ffce4 (patch) | |
tree | 78cdaad953cc879dc7d97272436a4d84b228d94c /ChangeLog | |
parent | dc9e8d9c8401178683a1f53bc816389a1160dc41 (diff) | |
Vendor import of OpenSSH 8.0p1. (vendor/openssh/8.0p1)
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 4562 |
1 files changed, 2599 insertions, 1963 deletions
diff --git a/ChangeLog b/ChangeLog index 0307f62e0557..fdc0a0619c63 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,2602 @@ +commit fd0fa130ecf06d7d092932adcd5d77f1549bfc8d +Author: Damien Miller <djm@mindrot.org> +Date: Thu Apr 18 08:52:57 2019 +1000 + + makedepend + +commit 5de397a876b587ba05a9169237deffdc71f273b0 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Apr 5 11:29:51 2019 -0700 + + second thoughts: leave README in place + + A number of contrib/* files refer to the existing README so let's leave + it in place for release and add the new markdown version in parallel. + + I'll get rid of README after release. + +commit 5d3127d9274519b25ed10e320f45045ba8d7f3be +Author: Damien Miller <djm@mindrot.org> +Date: Fri Apr 5 11:29:31 2019 -0700 + + Revert "rewrite README" + + This reverts commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f. + +commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f +Author: Damien Miller <djm@mindrot.org> +Date: Fri Apr 5 11:21:48 2019 -0700 + + rewrite README + + Include basic build instructions and comments on commonly-used build- + time flags, links to the manual pages and other resources. + + Now in Markdown format for better viewing on github, etc. 
+ +commit a924de0c4908902433813ba205bee1446bd1a157 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Apr 5 03:41:52 2019 +1100 + + update versions + +commit 312dcee739bca5d6878c536537b2a8a497314b75 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Apr 3 15:48:45 2019 +0000 + + upstream: openssh-8.0 + + OpenBSD-Commit-ID: 5aafdf218679dab982fea20771afd643be9a127b + +commit 885bc114692046d55e2a170b932bdc0092fa3456 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Apr 4 02:47:40 2019 +1100 + + session: Do not use removed API + + from Jakub Jelen + +commit 9d7b2882b0c9a5e9bf8312ce4075bf178e2b98be +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 29 11:31:40 2019 +0000 + + upstream: when logging/fataling on error, include a bit more detail + + than just the function name and the error message + + OpenBSD-Commit-ID: dd72d7eba2215fcb89be516c378f633ea5bcca9f + +commit 79a87d32783d6c9db40af8f35e091d9d30365ae7 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Apr 3 06:27:45 2019 +1100 + + Remove "struct ssh" from sys_auth_record_login. + + It's not needed, and is not available from the call site in loginrec.c + Should only affect AIX, spotted by Kevin Brott. + +commit 138c0d52cdc90f9895333b82fc57d81cce7a3d90 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Apr 2 18:21:35 2019 +1100 + + Adapt custom_failed_login to new prototype. + + Spotted by Kevin Brott. + +commit a0ca4009ab2f0b1007ec8ab6864dbf9b760a8ed5 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Apr 1 20:07:23 2019 +1100 + + Add includes.h for compat layer. + + Should fix build on AIX 7.2. 
+ +commit 00991151786ce9b1d577bdad1f83a81d19c8236d +Author: Tim Rice <tim@multitalents.net> +Date: Sun Mar 31 22:14:22 2019 -0700 + + Stop USL compilers for erroring with "integral constant expression expected" + +commit 43f47ebbdd4037b569c23b8f4f7981f53b567f1d +Author: Tim Rice <tim@multitalents.net> +Date: Sun Mar 31 19:22:19 2019 -0700 + + Only use O_NOFOLLOW in fchownat and fchmodat if defined + +commit 342d6e51589b184c337cccfc4c788b60ff8b3765 +Author: Jakub Jelen <jjelen@redhat.com> +Date: Fri Mar 29 12:29:41 2019 +0100 + + Adjust softhsm2 path on Fedora Linux for regress + + The SoftHSM lives in Fedora in /usr/lib64/pkcs11/libsofthsm2.so + +commit f5abb05f8c7358dacdcb866fe2813f6d8efd5830 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Mar 28 09:26:14 2019 +1100 + + Only use O_NOFOLLOW in utimensat if defined. + + Fixes build on systems that don't have it (Solaris <=9) Found by + Tom G. Christensen. + +commit 786cd4c1837fdc3fe7b4befe54a3f37db7df8715 +Author: Corinna Vinschen <vinschen@redhat.com> +Date: Wed Mar 27 18:18:21 2019 +0100 + + drop old Cygwin considerations + + - Cygwin supports non-DOS characters in filenames + - Cygwin does not support Windows XP anymore + + 
Signed-off-by: Corinna Vinschen <vinschen@redhat.com> + +commit 21da87f439b48a85b951ef1518fe85ac0273e719 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Mar 27 09:29:14 2019 +0000 + + upstream: fix interaction between ClientAliveInterval and RekeyLimit + + that could cause connection to close incorrectly; Report and patch from Jakub + Jelen in bz#2757; ok dtucker@ markus@ + + OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb + +commit 4f0019a9afdb4a94d83b75e82dbbbe0cbe826c56 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 25 22:34:52 2019 +0000 + + upstream: Fix authentication failures when "AuthenticationMethods + + any" in a Match block overrides a more restrictive global default. + + Spotted by jmc@, ok markus@ + + OpenBSD-Commit-ID: a90a4fe2ab81d0eeeb8fdfc21af81f7eabda6666 + +commit d6e5def308610f194c0ec3ef97a34a3e9630e190 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Mar 25 22:33:44 2019 +0000 + + upstream: whitespace + + OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07 + +commit 26e0cef07b04479537c971dec898741df1290fe5 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 16:19:44 2019 +0000 + + upstream: Expand comment to document rationale for default key + + sizes. "seems worthwhile" deraadt. + + OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456 + +commit f47269ea67eb4ff87454bf0d2a03e55532786482 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Mar 25 15:49:00 2019 +0000 + + upstream: Increase the default RSA key size to 3072 bits. Based on + + the estimates from NIST Special Publication 800-57, 3k bits provides security + equivalent to 128 bits which is the smallest symmetric cipher we enable by + default. 
ok markus@ deraadt@ + + OpenBSD-Commit-ID: 461dd32ebe808f88f4fc3ec74749b0e6bef2276b + +commit 62949c5b37af28d8490d94866e314a76be683a5e +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Mar 22 20:58:34 2019 +0000 + + upstream: full stop in the wrong place; + + OpenBSD-Commit-ID: 478a0567c83553a2aebf95d0f1bd67ac1b1253e4 + +commit 1b1332b5bb975d759a50b37f0e8bc8cfb07a0bb0 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Sat Mar 16 19:14:21 2019 +0000 + + upstream: benno helped me clean up the tcp forwarding section; + + OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08 + +commit 2aee9a49f668092ac5c9d34e904ef7a9722e541d +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri Mar 8 17:24:43 2019 +0000 + + upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL + + OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c + +commit 9edbd7821e6837e98e7e95546cede804dac96754 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Mar 14 10:17:28 2019 +1100 + + Fix build when configured --without-openssl. + + ok djm@ + +commit 825ab32f0d04a791e9d19d743c61ff8ed9b4d8e5 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Mar 14 08:51:17 2019 +1100 + + On Cygwin run sshd as SYSTEM where possible. + + Seteuid now creates user token using S4U. We don't create a token + from scratch anymore, so we don't need the "Create a process token" + privilege. The service can run under SYSTEM again... + + ...unless Cygwin is running on Windows Vista or Windows 7 in the + WOW64 32 bit emulation layer. It turns out that WOW64 on these systems + didn't implement MsV1_0 S4U Logon so we still need the fallback + to NtCreateToken for these systems. + + 
Signed-off-by: Corinna Vinschen <vinschen@redhat.com> + +commit a212107bfdf4d3e870ab7a443e4d906e5b9578c3 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Mar 13 10:49:16 2019 +1100 + + Replace alloca with xcalloc. + + The latter checks for memory exhaustion and integer overflow and may be + at a less predictable place. Sanity check by vinschen at redhat.com, ok + djm@ + +commit daa7505aadca68ba1a2c70cbdfce423208eb91ee +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Mar 12 09:19:19 2019 +1100 + + Use Cygwin-specific matching only for users+groups. + + Patch from vinschen at redhat.com, updated a little by me. + +commit fd10cf027b56f9aaa80c9e3844626a05066589a4 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Mar 6 22:14:23 2019 +0000 + + upstream: Move checks for lists of users or groups into their own + + function. This is a no-op on OpenBSD but will make things easier in + -portable, eg on systems where these checks should be case-insensitive. ok + djm@ + + OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e + +commit ab5fee8eb6a011002fd9e32b1597f02aa8804a25 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Mar 6 21:06:59 2019 +0000 + + upstream: Reset last-seen time when sending a keepalive. Prevents + + sending two keepalives successively and prematurely terminating connection + when ClientAliveCount=1. While there, collapse two similar tests into one. 
+ ok markus@ + + OpenBSD-Commit-ID: 043670d201dfe222537a2a4bed16ce1087de5ddd + +commit c13b74530f9f1d9df7aeae012004b31b2de4438e +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Tue Mar 5 16:17:12 2019 +0000 + + upstream: PKCS#11 support is no longer limited to RSA; ok benno@ + + kn@ + + OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826 + +commit e9552d6043db7cd170ac6ba1b4d2c7a5eb2c3201 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 1 03:29:32 2019 +0000 + + upstream: in ssh_set_newkeys(), mention the direction that we're + + keying in debug messages. Previously it would be difficult to tell which + direction it was talking about + + OpenBSD-Commit-ID: c2b71bfcceb2a7389b9d0b497fb2122a406a522d + +commit 76a24b3fa193a9ca3e47a8779d497cb06500798b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 1 02:32:39 2019 +0000 + + upstream: Fix two race conditions in sshd relating to SIGHUP: + + 1. Recently-forked child processes will briefly remain listening to + listen_socks. If the main server sshd process completes its restart + via execv() before these sockets are closed by the child processes + then it can fail to listen at the desired addresses/ports and/or + fail to restart. + + 2. When a SIGHUP is received, there may be forked child processes that + are awaiting their reexecution state. If the main server sshd + process restarts before passing this state, these child processes + will yield errors and use a fallback path of reading the current + sshd_config from the filesystem rather than use the one that sshd + was started with. + + To fix both of these cases, we reuse the startup_pipes that are shared + between the main server sshd and forked children. Previously this was + used solely to implement tracking of pre-auth child processes for + MaxStartups, but this extends the messaging over these pipes to include + a child->parent message that the parent process is safe to restart. 
This + message is sent from the child after it has completed its preliminaries: + closing listen_socks and receiving its reexec state. + + bz#2953, reported by Michal Koutný; ok markus@ dtucker@ + + OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab + +commit de817e9dfab99473017d28cdf69e60397d00ea21 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 1 02:16:47 2019 +0000 + + upstream: mention PKCS11Provide=none, reword a little and remove + + mention of RSA keys only (since we support ECDSA now and might support others + in the future). Inspired by Jakub Jelen via bz#2974 + + OpenBSD-Commit-ID: a92e3686561bf624ccc64ab320c96c9e9a263aa5 + +commit 95a8058c1a90a27acbb91392ba206854abc85226 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Mar 1 02:08:50 2019 +0000 + + upstream: let PKCS11Provider=none do what users expect + + print PKCS11Provider instead of obsolete SmartcardDevice in config dump. + + bz#2974 ok dtucker@ + + OpenBSD-Commit-ID: c303d6f0230a33aa2dd92dc9b68843d56a64f846 + +commit 8e7bac35aa576d2fd7560836da83733e864ce649 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Feb 27 19:37:01 2019 +0000 + + upstream: dup stdout/in for proxycommand=-, otherwise stdout might + + be redirected to /dev/null; ok djm@ + + OpenBSD-Commit-ID: 97dfce4c47ed4055042de8ebde85b7d88793e595 + +commit 9b61130fbd95d196bce81ebeca94a4cb7c0d5ba0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Feb 23 08:20:43 2019 +0000 + + upstream: openssh-7.9 accidentally reused the server's algorithm lists + + in the client for KEX, ciphers and MACs. The ciphers and MACs were identical + between the client and server, but the error accidentially disabled the + diffie-hellman-group-exchange-sha1 KEX method. + + This fixes the client code to use the correct method list, but + because nobody complained, it also disables the + diffie-hellman-group-exchange-sha1 KEX method. 
+ + Reported by nuxi AT vault24.org via bz#2697; ok dtucker + + OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57 + +commit 37638c752041d591371900df820f070037878a2d +Author: Corinna Vinschen <vinschen@redhat.com> +Date: Wed Feb 20 13:41:25 2019 +0100 + + Cygwin: implement case-insensitive Unicode user and group name matching + + The previous revert enabled case-insensitive user names again. This + patch implements the case-insensitive user and group name matching. + To allow Unicode chars, implement the matcher using wchar_t chars in + Cygwin-specific code. Keep the generic code changes as small as possible. + Cygwin: implement case-insensitive Unicode user and group name matching + + Signed-off-by: Corinna Vinschen <vinschen@redhat.com> + +commit bed1d43698807a07bb4ddb93a46b0bd84b9970b3 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Feb 22 15:21:21 2019 +1100 + + Revert unintended parts of previous commit. + +commit f02afa350afac1b2f2d1413259a27a4ba1e2ca24 +Author: Corinna Vinschen <vinschen@redhat.com> +Date: Wed Feb 20 13:41:24 2019 +0100 + + Revert "[auth.c] On Cygwin, refuse usernames that have differences in case" + + This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c. + + Signed-off-by: Corinna Vinschen <vinschen@redhat.com> + +commit 4c55b674835478eb80a1a7aeae588aa654e2a433 +Author: Corinna Vinschen <vinschen@redhat.com> +Date: Sat Feb 16 14:13:43 2019 +0100 + + Add tags to .gitignore + + 
Signed-off-by: Corinna Vinschen <vinschen@redhat.com> + +commit 625b62634c33eaef4b80d07529954fe5c6435fe5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Feb 22 03:37:11 2019 +0000 + + upstream: perform removal of agent-forwarding directory in forward + + setup error path with user's privileged. This is a no-op as this code always + runs with user privilege now that we no longer support running sshd with + privilege separation disabled, but as long as the privsep skeleton is there + we should follow the rules. + MIME-Version: 1.0 + Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit + + bz#2969 with patch from Erik Sjölund + + OpenBSD-Commit-ID: 2b708401a5a8d6133c865d7698d9852210dca846 + +commit d9ecfaba0b2f1887d20e4368230632e709ca83be +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Feb 18 07:02:34 2019 +0000 + + upstream: sync the description of ~/.ssh/config with djm's updated + + description in ssh.1; issue pointed out by andreas kahari + + ok dtucker djm + + OpenBSD-Commit-ID: 1b01ef0ae2c6328165150badae317ec92e52b01c + +commit 38e83e4f219c752ebb1560633b73f06f0392018b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Feb 12 23:53:10 2019 +0000 + + upstream: fix regression in r1.302 reported by naddy@ - only the first + + public key from the agent was being attempted for use. + + OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f46c8d + +commit 5c68ea8da790d711e6dd5f4c30d089c54032c59a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Feb 11 09:44:42 2019 +0000 + + upstream: cleanup GSSAPI authentication context after completion of the + + authmethod. Move function-static GSSAPI state to the client Authctxt + structure. Make static a bunch of functions that aren't used outside this + file. 
+ + Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@ + + OpenBSD-Commit-ID: 497fb792c0ddb4f1ba631b6eed526861f115dbe5 + +commit a8c807f1956f81a92a758d3d0237d0ff06d0be5d +Author: benno@openbsd.org <benno@openbsd.org> +Date: Sun Feb 10 16:35:41 2019 +0000 + + upstream: ssh-keygen -D pkcs11.so needs to initialize pkcs11 + + interactive, so it can ask for the smartcards PIN. ok markus@ + + OpenBSD-Commit-ID: 1be7ccf88f1876e0fc4d7c9b3f96019ac5655bab + +commit 3d896c157c722bc47adca51a58dca859225b5874 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Feb 10 11:15:52 2019 +0000 + + upstream: when checking that filenames sent by the server side + + match what the client requested, be prepared to handle shell-style brace + alternations, e.g. "{foo,bar}". + + "looks good to me" millert@ + in snaps for the last week courtesy + deraadt@ + + OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e + +commit 318e4f8548a4f5c0c913f61e27d4fc21ffb1eaae +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Feb 10 11:10:57 2019 +0000 + + upstream: syslog when connection is dropped for attempting to run a + + command when ForceCommand=internal-sftp is in effect; bz2960; ok dtucker@ + + OpenBSD-Commit-ID: 8c87fa66d7fc6c0fffa3a3c28e8ab5e8dde234b8 + +commit 2ff2e19653b8c0798b8b8eff209651bdb1be2761 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Feb 8 14:53:35 2019 +1100 + + don't set $MAIL if UsePam=yes + + PAM typically specifies the user environment if it's enabled, so don't + second guess. bz#2937; ok dtucker@ + +commit 03e92dd27d491fe6d1a54e7b2f44ef1b0a916e52 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Feb 8 14:50:36 2019 +1100 + + use same close logic for stderr as stdout + + Avoids sending SIGPIPE to child processes after their parent exits + if they attempt to write to stderr. + + Analysis and patch from JD Paul; patch reworked by Jakub Jelen and + myself. 
bz#2071; ok dtucker@ + +commit 8c53d409baeeaf652c0c125a9b164edc9dbeb6de +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Tue Feb 5 11:35:56 2019 +0000 + + upstream: Adapt code in the non-USE_PIPES codepath to the new packet + + API. This code is not normally reachable since USE_PIPES is always defined. + bz#2961, patch from adrian.fita at gmail com. + + OpenBSD-Commit-ID: 8d8428d678d1d5eb4bb21921df34e8173e6d238a + +commit 7a7fdca78de4b4774950be056099e579ef595414 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Feb 4 23:37:54 2019 +0000 + + upstream: fix NULL-deref crash in PKCS#11 code when attempting + + login to a token requiring a PIN; reported by benno@ fix mostly by markus@ + + OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31 + +commit cac302a4b42a988e54d32eb254b29b79b648dbf5 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Feb 4 02:39:42 2019 +0000 + + upstream: Remove obsolete "Protocol" from commented out examples. Patch + + from samy.mahmoudi at gmail com. + + OpenBSD-Commit-ID: 16aede33dae299725a03abdac5dcb4d73f5d0cbf + +commit 483b3b638500fd498b4b529356e5a0e18cf76891 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Feb 1 03:52:23 2019 +0000 + + upstream: Save connection timeout and restore for 2nd and + + subsequent attempts, preventing them from having no timeout. bz#2918, ok + djm@ + + OpenBSD-Commit-ID: 4977f1d0521d9b6bba0c9a20d3d226cefac48292 + +commit 5f004620fdc1b2108139300ee12f4014530fb559 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jan 30 19:51:15 2019 +0000 + + upstream: Add authors for public domain sntrup4591761 code; + + confirmed by Daniel J. 
Bernstein + + OpenBSD-Commit-ID: b4621f22b8b8ef13e063c852af5e54dbbfa413c1 + +commit 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Sun Jan 27 07:14:11 2019 +0000 + + upstream: add -T to usage(); + + OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 + +commit 19a0f0529d3df04118da829528cac7ceff380b24 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Jan 28 03:50:39 2019 +0000 + + upstream: The test sshd_config in in $OBJ. + + OpenBSD-Regress-ID: 1e5d908a286d8e7de3a15a0020c8857f3a7c9172 + +commit 8fe25440206319d15b52d12b948a5dfdec14dca3 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Jan 28 03:28:10 2019 +0000 + + upstream: Remove leftover debugging. + + OpenBSD-Regress-ID: 3d86c3d4867e46b35af3fd2ac8c96df0ffdcfeb9 + +commit e30d32364d12c351eec9e14be6c61116f9d6cc90 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Jan 28 00:12:36 2019 +0000 + + upstream: Enable ssh-dss for the agent test. Disable it for the + + certificate test. + + OpenBSD-Regress-ID: 388c1e03e1def539d350f139b37d69f12334668d + +commit ffdde469ed56249f5dc8af98da468dde35531398 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Jan 28 00:08:26 2019 +0000 + + upstream: Count the number of key types instead of assuming there + + are only two. + + OpenBSD-Regress-ID: 0998702c41235782cf0beee396ec49b5056eaed9 + +commit 1d05b4adcba08ab068466e5c08dee2f5417ec53a +Author: Corinna Vinschen <vinschen@redhat.com> +Date: Sat Jan 26 23:42:40 2019 +0100 + + Cygwin: only tweak sshd_config file if it's new, drop creating sshd user + + The sshd_config tweaks were executed even if the old file was + still in place. Fix that. Also disable sshd user creation. + It's not used on Cygwin. + +commit 89843de0c4c733501f6b4f988098e6e06963df37 +Author: Corinna Vinschen <vinschen@redhat.com> +Date: Sat Jan 26 23:03:12 2019 +0100 + + Cygwin: Change service name to cygsshd + + Microsoft hijacked the sshd service name without asking. 
+ +commit 2a9b3a2ce411d16cda9c79ab713c55f65b0ec257 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Sun Jan 27 06:30:53 2019 +0000 + + upstream: Generate all key supported key types and enable for keyscan + + test. + + OpenBSD-Regress-ID: 72f72ff49946c61bc949e1692dd9e3d71370891b + +commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 26 22:41:28 2019 +0000 + + upstream: check in scp client that filenames sent during + + remote->local directory copies satisfy the wildcard specified by the user. + + This checking provides some protection against a malicious server + sending unexpected filenames, but it comes at a risk of rejecting wanted + files due to differences between client and server wildcard expansion rules. + + For this reason, this also adds a new -T flag to disable the check. + + reported by Harry Sintonen + fix approach suggested by markus@; + has been in snaps for ~1wk courtesy deraadt@ + + OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda + +commit c2c18a39683db382a15b438632afab3f551d50ce +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 26 22:35:01 2019 +0000 + + upstream: make ssh-keyscan return a non-zero exit status if it + + finds no keys. bz#2903 + + OpenBSD-Commit-ID: 89f1081fb81d950ebb48e6e73d21807b2723d488 + +commit 05b9a466700b44d49492edc2aa415fc2e8913dfe +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Jan 24 17:00:29 2019 +0000 + + upstream: Accept the host key fingerprint as a synonym for "yes" + + when accepting an unknown host key. This allows you to paste a fingerprint + obtained out of band into the yes/no prompt and have the client do the + comparison for you. 
ok markus@ djm@ + + OpenBSD-Commit-ID: 3c47d10b9f43d3d345e044fd9ec09709583a2767 + +commit bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Jan 24 16:52:17 2019 +0000 + + upstream: Have progressmeter force an update at the beginning and + + end of each transfer. Fixes the problem recently introduces where very quick + transfers do not display the progressmeter at all. Spotted by naddy@ + + OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a + +commit 258e6ca003e47f944688ad8b8de087b58a7d966c +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Jan 24 02:42:23 2019 +0000 + + upstream: Check for both EAGAIN and EWOULDBLOCK. This is a no-op + + in OpenBSD (they are the same value) but makes things easier in -portable + where they may be distinct values. "sigh ok" deraadt@ + + (ID sync only, portable already had this change). + + OpenBSD-Commit-ID: 91f2bc7c0ecec905915ed59fa37feb9cc90e17d7 + +commit 281ce042579b834cdc1e74314f1fb2eeb75d2612 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Jan 24 02:34:52 2019 +0000 + + upstream: Always initialize 2nd arg to hpdelim2. It populates that + + *ONLY IF* there's a delimiter. If there's not (the common case) it checked + uninitialized memory, which usually passed, but if not would cause spurious + failures when the uninitialized memory happens to contain "/". ok deraadt. + + OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3 + +commit d05ea255678d9402beda4416cd0360f3e5dfe938 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jan 23 21:50:56 2019 +0000 + + upstream: Remove support for obsolete host/port syntax. + + host/port was added in 2001 as an alternative to host:port syntax for + the benefit of IPv6 users. These days there are establised standards + for this like [::1]:22 and the slash syntax is easily mistaken for CIDR + notation, which OpenSSH now supports for some things. 
Remove the slash + notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen + at redhat.com, ok markus@ + + OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7 + +commit 177d6c80c557a5e060cd343a0c116a2f1a7f43db +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jan 23 20:48:52 2019 +0000 + + upstream: Remove duplicate word. bz#2958, patch from jjelen at + + redhat.com + + OpenBSD-Commit-ID: cca3965a8333f2b6aae48b79ec1d72f7a830dd2c + +commit be3e6cba95dffe5fcf190c713525b48c837e7875 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jan 23 09:49:00 2019 +0000 + + upstream: Remove 3 as a guess for possible generator during moduli + + generation. It's not mentioned in RFC4419 and it's not possible for + Sophie-Germain primes greater than 5. bz#2330, from Christian Wittenhorst , + ok djm@ tb@ + + OpenBSD-Commit-ID: 1467652e6802ad3333b0959282d8d49dfe22c8cd + +commit 8976f1c4b2721c26e878151f52bdf346dfe2d54c +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jan 23 08:01:46 2019 +0000 + + upstream: Sanitize scp filenames via snmprintf. To do this we move + + the progressmeter formatting outside of signal handler context and have the + atomicio callback called for EINTR too. bz#2434 with contributions from djm + and jjelen at redhat.com, ok djm@ + + OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8 + +commit 6249451f381755f792c6b9e2c2f80cdc699c14e2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Jan 24 10:00:20 2019 +1100 + + For broken read/readv comparisons, poll(RW). + + In the cases where we can't compare to read or readv function pointers + for some reason we currently ifdef out the poll() used to block while + waiting for reads or writes, falling back to busy waiting. This restores + the poll() in this case, but has it always check for read or write, + removing an inline ifdef in the process. 
+ +commit 5cb503dff4db251520e8bf7d23b9c97c06eee031 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Jan 24 09:55:16 2019 +1100 + + Include unistd.h for strmode(). + +commit f236ca2741f29b5c443c0b2db3aa9afb9ad9befe +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Jan 24 09:50:58 2019 +1100 + + Also undef SIMPLEQ_FOREACH_SAFE. + + Prevents macro redefinition warning on at least NetBSD 6.1. + +commit be063945e4e7d46b1734d973bf244c350fae172a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jan 23 04:51:02 2019 +0000 + + upstream: allow auto-incrementing certificate serial number for certs + + signed in a single commandline. + + OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b + +commit 851f80328931975fe68f71af363c4537cb896da2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jan 23 04:16:22 2019 +0000 + + upstream: move a bunch of global flag variables to main(); make the + + rest static + + OpenBSD-Commit-ID: fa431d92584e81fe99f95882f4c56b43fe3242dc + +commit 2265402dc7d701a9aca9f8a7b7b0fd45b65c479f +Author: Damien Miller <djm@mindrot.org> +Date: Wed Jan 23 13:03:16 2019 +1100 + + depend + +commit 2c223878e53cc46def760add459f5f7c4fb43e35 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jan 23 02:01:10 2019 +0000 + + upstream: switch mainloop from select(2) to poll(2); ok deraadt@ + + OpenBSD-Commit-ID: 37645419a330037d297f6f0adc3b3663e7ae7b2e + +commit bb956eaa94757ad058ff43631c3a7d6c94d38c2f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jan 23 00:30:41 2019 +0000 + + upstream: pass most arguments to the KEX hash functions as sshbuf + + rather than pointer+length; ok markus@ + + OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7 + +commit d691588b8e29622c66abf8932362b522cf7f4051 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 22:58:50 2019 +0000 + + upstream: backoff reading messages from active connections when the + + input buffer is too full to read one, or if the output buffer is too full to + 
enqueue a response; feedback & ok dtucker@ + + OpenBSD-Commit-ID: df3c5b6d57c968975875de40d8955cbfed05a6c8 + +commit f99ef8de967949a1fc25a5c28263ea32736e5943 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 20:48:01 2019 +0000 + + upstream: add -m to usage(); reminded by jmc@ + + OpenBSD-Commit-ID: bca476a5236e8f94210290b3e6a507af0434613e + +commit 41923ce06ac149453debe472238e0cca7d5a2e5f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 12:03:58 2019 +0000 + + upstream: Correct some bugs in PKCS#11 token PIN handling at + + initial login, the attempt at reading the PIN could be skipped in some cases + especially on devices with integrated PIN readers. + + based on patch from Daniel Kucera in bz#2652; ok markus@ + + OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e + +commit 2162171ad517501ba511fa9f8191945d01857bb4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 12:00:50 2019 +0000 + + upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by + + requring a fresh login after the C_SignInit operation. + + based on patch from Jakub Jelen in bz#2638; ok markus + + OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661 + +commit 7a2cb18a215b2cb335da3dc99489c52a91f4925b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 11:51:25 2019 +0000 + + upstream: Mention that configuration for the destination host is + + not applied to any ProxyJump/-J hosts. This has confused a few people... 
+ + OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b + +commit ecd2f33cb772db4fa76776543599f1c1ab6f9fa0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 11:40:42 2019 +0000 + + upstream: Include -m in the synopsis for a few more commands that + + support it + + Be more explicit in the description of -m about where it may be used + + Prompted by Jakub Jelen in bz2904 + + OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c + +commit ff5d2cf4ca373bb4002eef395ed2cbe2ff0826c1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 11:26:16 2019 +0000 + + upstream: print the full pubkey being attempted at loglevel >= + + debug2; bz2939 + + OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290 + +commit 180b520e2bab33b566b4b0cbac7d5f9940935011 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 11:19:42 2019 +0000 + + upstream: clarify: ssh-keygen -e only writes public keys, never + + private + + OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb + +commit c45616a199c322ca674315de88e788f1d2596e26 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 22 11:00:15 2019 +0000 + + upstream: mention the new vs. old key formats in the introduction + + and give some hints on how keys may be converted or written in the old + format. + + OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823 + +commit fd8eb1383a34c986a00ef13d745ae9bd3ea21760 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Tue Jan 22 06:58:31 2019 +0000 + + upstream: tweak previous; + + OpenBSD-Commit-ID: d2a80e389da8e7ed71978643d8cbaa8605b597a8 + +commit 68e924d5473c00057f8532af57741d258c478223 +Author: tb@openbsd.org <tb@openbsd.org> +Date: Mon Jan 21 23:55:12 2019 +0000 + + upstream: Forgot to add -J to the synopsis. 
+ + OpenBSD-Commit-ID: 26d95e409a0b72526526fc56ca1caca5cc3d3c5e + +commit 622dedf1a884f2927a9121e672bd9955e12ba108 +Author: tb@openbsd.org <tb@openbsd.org> +Date: Mon Jan 21 22:50:42 2019 +0000 + + upstream: Add a -J option as a shortcut for -o Proxyjump= to scp(1) + + and sftp(1) to match ssh(1)'s interface. + + ok djm + + OpenBSD-Commit-ID: a75bc2d5f329caa7229a7e9fe346c4f41c2663fc + +commit c882d74652800150d538e22c80dd2bd3cdd5fae2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Jan 22 20:38:40 2019 +1100 + + Allow building against OpenSSL dev (3.x) version. + +commit d5520393572eb24aa0e001a1c61f49b104396e45 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jan 22 10:50:40 2019 +1100 + + typo + +commit 2de9cec54230998ab10161576f77860a2559ccb7 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jan 22 10:49:52 2019 +1100 + + add missing header + +commit 533cfb01e49a2a30354e191669dc3159e03e99a7 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 22:18:24 2019 +0000 + + upstream: switch sntrup implementation source from supercop to + + libpqcrypto; the latter is almost identical but doesn't rely on signed + underflow to implement an optimised integer sort; from markus@ + + OpenBSD-Commit-ID: cd09bbf0e0fcef1bedca69fdf7990dc360567cf8 + +commit d50ab3cd6fb859888a26b4d4e333239b4f6bf573 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Jan 22 00:02:23 2019 +1100 + + new files need includes.h + +commit c7670b091a7174760d619ef6738b4f26b2093301 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 12:53:35 2019 +0000 + + upstream: add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up + + debug verbosity. + + Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run + in debug mode ("ssh-agent -d"), so we get to see errors from the + PKCS#11 code. 
+ + ok markus@ + + OpenBSD-Commit-ID: 0a798643c6a92a508df6bd121253ba1c8bee659d + +commit 49d8c8e214d39acf752903566b105d06c565442a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 12:50:12 2019 +0000 + + upstream: adapt to changes in KEX APIs and file removals + + OpenBSD-Regress-ID: 54d6857e7c58999c7a6d40942ab0fed3529f43ca + +commit 35ecc53a83f8e8baab2e37549addfd05c73c30f1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 12:35:20 2019 +0000 + + upstream: adapt to changes in KEX API and file removals + + OpenBSD-Regress-ID: 92cad022d3b0d11e08f3e0055d6a14b8f994c0d7 + +commit 7d69aae64c35868cc4f644583ab973113a79480e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 12:29:35 2019 +0000 + + upstream: adapt to bignum1 API removal and bignum2 API change + + OpenBSD-Regress-ID: cea6ff270f3d560de86b355a87a2c95b55a5ca63 + +commit beab553f0a9578ef9bffe28b2c779725e77b39ec +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 09:13:41 2019 +0000 + + upstream: remove hack to use non-system libcrypto + + OpenBSD-Regress-ID: ce72487327eee4dfae1ab0212a1f33871fe0809f + +commit 4dc06bd57996f1a46b4c3bababe0d09bc89098f7 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 23:14:04 2019 +1100 + + depend + +commit 70edd73edc4df54e5eee50cd27c25427b34612f8 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 12:08:13 2019 +0000 + + upstream: fix reversed arguments to kex_load_hostkey(); manifested as + + errors in cert-hostkey.sh regress failures. 
+ + OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba + +commit f1185abbf0c9108e639297addc77f8757ee00eb3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 11:22:00 2019 +0000 + + upstream: forgot to cvs add this file in previous series of commits; + + grrr + + OpenBSD-Commit-ID: bcff316c3e7da8fd15333e05d244442c3aaa66b0 + +commit 7bef390b625bdc080f0fd4499ef03cef60fca4fa +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:44:21 2019 +0000 + + upstream: nothing shall escape this purge + + OpenBSD-Commit-ID: 4795b0ff142b45448f7e15f3c2f77a947191b217 + +commit aaca72d6f1279b842066e07bff797019efeb2c23 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:40:11 2019 +0000 + + upstream: rename kex->kem_client_pub -> kex->client_pub now that + + KEM has been renamed to kexgen + + from markus@ ok djm@ + + OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8 + +commit 70867e1ca2eb08bbd494fe9c568df4fd3b35b867 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:38:54 2019 +0000 + + upstream: merge kexkem[cs] into kexgen + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 87d886b7f1812ff9355fda1435f6ea9b71a0ac89 + +commit 71e67fff946396caa110a7964da23480757258ff +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:35:09 2019 +0000 + + upstream: pass values used in KEX hash computation as sshbuf + + rather than pointer+len + + suggested by me; implemented by markus@ ok me + + OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0 + +commit 4b83e2a2cc0c12e671a77eaba1c1245894f4e884 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:33:49 2019 +0000 + + upstream: remove kex_derive_keys_bn wrapper; no unused since the + + DH-like KEX methods have moved to KEM + + from markus@ ok djm@ + + OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060 + +commit 92dda34e373832f34a1944e5d9ebbebb184dedc1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:29:56 2019 +0000 + + upstream: use KEM 
API for vanilla ECDH + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c + +commit b72357217cbe510a3ae155307a7be6b9181f1d1b +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 23:11:21 2019 +1100 + + fixup missing ssherr.h + +commit 9c9c97e14fe190931f341876ad98213e1e1dc19f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:28:01 2019 +0000 + + upstream: use KEM API for vanilla DH KEX + + from markus@ ok djm@ + + OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9 + +commit 2f6a9ddbbf6ca8623c53c323ff17fb6d68d66970 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:24:09 2019 +0000 + + upstream: use KEM API for vanilla c25519 KEX + + OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f + +commit dfd591618cdf2c96727ac0eb65f89cf54af0d97e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:20:12 2019 +0000 + + upstream: Add support for a PQC KEX/KEM: + + sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime + 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not + enabled by default. + + introduce KEM API; a simplified framework for DH-ish KEX methods. + + from markus@ feedback & ok djm@ + + OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7 + +commit b1b2ff4ed559051d1035419f8f236275fa66d5d6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:07:22 2019 +0000 + + upstream: factor out kex_verify_hostkey() - again, duplicated + + almost exactly across client and server for several KEX methods. + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c + +commit bb39bafb6dc520cc097780f4611a52da7f19c3e2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:05:09 2019 +0000 + + upstream: factor out kex_load_hostkey() - this is duplicated in + + both the client and server implementations for most KEX methods. 
+ + from markus@ ok djm@ + + OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c + +commit dec5e9d33891e3bc3f1395d7db0e56fdc7f86dfc +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:03:37 2019 +0000 + + upstream: factor out kex_dh_compute_key() - it's shared between + + plain DH KEX and DH GEX in both the client and server implementations + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec + +commit e93bd98eab79b9a78f64ee8dd4dffc4d3979c7ae +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 10:00:23 2019 +0000 + + upstream: factor out DH keygen; it's identical between the client + + and the server + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9 + +commit 5ae3f6d314465026d028af82609c1d49ad197655 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 09:55:52 2019 +0000 + + upstream: save the derived session id in kex_derive_keys() rather + + than making each kex method implementation do it. + + from markus@ ok djm@ + + OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673 + +commit 7be8572b32a15d5c3dba897f252e2e04e991c307 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 09:54:11 2019 +0000 + + upstream: Make sshpkt_get_bignum2() allocate the bignum it is + + parsing rather than make the caller do it. Saves a lot of boilerplate code. 
+ + from markus@ ok djm@ + + OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9 + +commit 803178bd5da7e72be94ba5b4c4c196d4b542da4d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 09:52:25 2019 +0000 + + upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1 + + functions + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 0380b1b2d9de063de3c5a097481a622e6a04943e + +commit f3ebaffd8714be31d4345f90af64992de4b3bba2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 09:49:37 2019 +0000 + + upstream: fix all-zero check in kexc25519_shared_key + + from markus@ ok djm@ + + OpenBSD-Commit-ID: 60b1d364e0d9d34d1d1ef1620cb92e36cf06712d + +commit 9d1a9771d0ad3a83af733bf3d2650b53f43c269f +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Jan 21 07:09:10 2019 +0000 + + upstream: - -T was added to the first synopsis by mistake - since + + "..." denotes optional, no need to surround it in [] + + ok djm + + OpenBSD-Commit-ID: 918f6d8eed4e0d8d9ef5eadae1b8983d796f0e25 + +commit 2f0bad2bf85391dbb41315ab55032ec522660617 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Jan 21 21:28:27 2019 +1100 + + Make --with-rpath take a flag instead of yes/no. + + Linkers need various flags for -rpath and similar, so make --with-rpath + take an optional flag argument which is passed to the linker. ok djm@ + +commit 23490a6c970ea1d03581a3b4208f2eb7a675f453 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 15:05:43 2019 +1100 + + fix previous test + +commit b6dd3277f2c49f9584a2097bc792e8f480397e87 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Jan 21 13:50:17 2019 +1100 + + Wrap ECC static globals in EC_KEY_METHOD_NEW too. 
+ +commit b2eb9db35b7191613f2f4b934d57b25938bb34b3 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 12:53:40 2019 +1100 + + pass TEST_SSH_SSHPKCS11HELPER to regress tests + +commit ba58a529f45b3dae2db68607d8c54ae96e90e705 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 12:31:29 2019 +1100 + + make agent-pkcs11 search harder for softhsm2.so + +commit 662be40c62339ab645113c930ce689466f028938 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 02:05:38 2019 +0000 + + upstream: always print the caller's error message in ossl_error(), + + even when there are no libcrypto errors to report. + + OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a + +commit ce46c3a077dfb4c531ccffcfff03f37775725b75 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 02:01:03 2019 +0000 + + upstream: get the ex_data (pkcs11_key object) back from the keys at + + the index at which it was inserted, rather than assuming index 0 + + OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8 + +commit 0a5f2ea35626022299ece3c8817a1abe8cf37b3e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 01:05:00 2019 +0000 + + upstream: GSSAPI code got missed when converting to new packet API + + OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851 + +commit 2efcf812b4c1555ca3aff744820a3b3bccd68298 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 11:57:21 2019 +1100 + + Fix -Wunused when compiling PKCS#11 without ECDSA + +commit 3c0c657ed7cd335fc05c0852d88232ca7e92a5d9 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:26:44 2019 +0000 + + upstream: allow override of ssh-pkcs11-helper binary via + + $TEST_SSH_SSHPKCS11HELPER from markus@ + + OpenBSD-Regress-ID: 7382a3d76746f5a792d106912a5819fd5e49e469 + +commit 760ae37b4505453c6fa4faf1aa39a8671ab053af +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:25:25 2019 +0000 + + upstream: adapt agent-pkcs11.sh test to softhsm2 and add support + + for ECDSA keys + + 
work by markus@, ok djm@ + + OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe + +commit b2ce8b31a1f974a13e6d12e0a0c132b50bc45115 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:24:19 2019 +0000 + + upstream: add "extra:" target to run some extra tests that are not + + enabled by default (currently includes agent-pkcs11.sh); from markus@ + + OpenBSD-Regress-ID: 9a969e1adcd117fea174d368dcb9c61eb50a2a3c + +commit 632976418d60b7193597bbc6ac7ca33981a41aab +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jan 21 00:47:34 2019 +0000 + + upstream: use ECDSA_SIG_set0() instead of poking signature values into + + structure directly; the latter works on LibreSSL but not on OpenSSL. From + portable. + + OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6 + +commit 5de6ac2bad11175135d9b819b3546db0ca0b4878 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 11:44:19 2019 +1100 + + remove HAVE_DLOPEN that snuck in + + portable doesn't use this + +commit e2cb445d786f7572da2af93e3433308eaed1093a +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jan 21 11:32:28 2019 +1100 + + conditionalise ECDSA PKCS#11 support + + Require EC_KEY_METHOD support in libcrypto, evidenced by presence + of EC_KEY_METHOD_new() function. + +commit fcb1b0937182d0137a3c357c89735d0dc5869d54 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:12:35 2019 +0000 + + upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD + + now, so there is no need to keep a copy of each in the pkcs11_key object. 
+ + work by markus@, ok djm@ + + OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa + +commit 6529409e85890cd6df7e5e81d04e393b1d2e4b0b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:11:11 2019 +0000 + + upstream: KNF previous; from markus@ + + OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395 + +commit 58622a8c82f4e2aad630580543f51ba537c1f39e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:10:33 2019 +0000 + + upstream: use OpenSSL's RSA reference counting hooks to + + implicitly clean up pkcs11_key objects when their owning RSA object's + reference count drops to zero. Simplifies the cleanup path and makes it more + like ECDSA's + + work by markus@, ok djm@ + + OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c + +commit f118542fc82a3b3ab0360955b33bc5a271ea709f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:08:24 2019 +0000 + + upstream: make the PKCS#11 RSA code more like the new PKCS#11 + + ECDSA code: use a single custom RSA_METHOD instead of a method per key + + suggested by me, but markus@ did all the work. 
+ ok djm@ + + OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e + +commit 445cfce49dfc904c6b8ab25afa2f43130296c1a5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:05:52 2019 +0000 + + upstream: fix leak of ECDSA pkcs11_key objects + + work by markus, ok djm@ + + OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1 + +commit 8a2467583f0b5760787273796ec929190c3f16ee +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:03:26 2019 +0000 + + upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of + + EC_KEY internals as that won't work on OpenSSL + + work by markus@, feedback and ok djm@ + + OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700 + +commit 24757c1ae309324e98d50e5935478655be04e549 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:01:59 2019 +0000 + + upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned + + object should never have a DER header + + work by markus; feedback and ok djm@ + + OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17 + +commit 749aef30321595435ddacef2f31d7a8f2b289309 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 23:00:12 2019 +0000 + + upstream: cleanup unnecessary code in ECDSA pkcs#11 signature + + work by markus@, feedback and ok djm@ + + OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d + +commit 0c50992af49b562970dd0ba3f8f151f1119e260e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 22:57:45 2019 +0000 + + upstream: cleanup pkcs#11 client code: use sshkey_new in instead + + of stack- allocating a sshkey + + work by markus@, ok djm@ + + OpenBSD-Commit-ID: a048eb6ec8aa7fa97330af927022c0da77521f91 + +commit 854bd8674ee5074a239f7cadf757d55454802e41 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 22:54:30 2019 +0000 + + upstream: allow override of the pkcs#11 helper binary via + + $SSH_PKCS11_HELPER; needed for regress tests. 
+ + work by markus@, ok me + + OpenBSD-Commit-ID: f78d8185500bd7c37aeaf7bd27336db62f0f7a83 + +commit 93f02107f44d63a016d8c23ebd2ca9205c495c48 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 22:51:37 2019 +0000 + + upstream: add support for ECDSA keys in PKCS#11 tokens + + Work by markus@ and Pedro Martelletto, feedback and ok me@ + + OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424 + +commit aa22c20e0c36c2fc610cfcc793b0d14079c38814 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jan 20 22:03:29 2019 +0000 + + upstream: add option to test whether keys in an agent are usable, + + by performing a signature and a verification using each key "ssh-add -T + pubkey [...]" + + work by markus@, ok djm@ + + OpenBSD-Commit-ID: 931b888a600b6a883f65375bd5f73a4776c6d19b + +commit a36b0b14a12971086034d53c0c3dfbad07665abe +Author: tb@openbsd.org <tb@openbsd.org> +Date: Sun Jan 20 02:01:59 2019 +0000 + + upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on + + error. + + Found thanks to BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd + by David Benjamin. + + ok djm, dtucker + + OpenBSD-Commit-ID: 1ee832be3c44b1337f76b8562ec6d203f3b072f8 + +commit ec4776bb01dd8d61fddc7d2a31ab10bf3d3d829a +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Sun Jan 20 01:12:40 2019 +0000 + + upstream: DH-GEX min value is now specified in RFC8270. ok djm@ + + OpenBSD-Commit-ID: 1229d0feb1d0ecefe05bf67a17578b263e991acc + +commit c90a7928c4191303e76a8c58b9008d464287ae1b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Jan 21 09:22:36 2019 +1100 + + Check for cc before gcc. + + If cc is something other than gcc and is the system compiler prefer using + that, unless otherwise told via $CC. 
ok djm@ + +commit 9b655dc9c9a353f0a527f0c6c43a5e35653c9503 +Author: Damien Miller <djm@mindrot.org> +Date: Sun Jan 20 14:55:27 2019 +1100 + + last bits of old packet API / active_state global + +commit 3f0786bbe73609ac96e5a0d91425ee21129f8e04 +Author: Damien Miller <djm@mindrot.org> +Date: Sun Jan 20 10:22:18 2019 +1100 + + remove PAM dependencies on old packet API + + Requires some caching of values, because the PAM code isn't + always called with packet context. + +commit 08f66d9f17e12c1140d1f1cf5c4dce67e915d3cc +Author: Damien Miller <djm@mindrot.org> +Date: Sun Jan 20 09:58:45 2019 +1100 + + remove vestiges of old packet API from loginrec.c + +commit c327813ea1d740e3e367109c17873815aba1328e +Author: Damien Miller <djm@mindrot.org> +Date: Sun Jan 20 09:45:38 2019 +1100 + + depend + +commit 135e302cfdbe91817294317c337cc38c3ff01cba +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 22:30:52 2019 +0000 + + upstream: fix error in refactor: use ssh_packet_disconnect() instead of + + sshpkt_error(). The first one logs the error and exits (what we want) instead + of just logging and blundering on. + + OpenBSD-Commit-ID: 39f51b43641dce9ce0f408ea6c0e6e077e2e91ae + +commit 245c6a0b220b58686ee35bc5fc1c359e9be2faaa +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:45:31 2019 +0000 + + upstream: remove last traces of old packet API! 
+ + with & ok markus@ + + OpenBSD-Commit-ID: 9bd10437026423eb8245636ad34797a20fbafd7d + +commit 04c091fc199f17dacf8921df0a06634b454e2722 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:43:56 2019 +0000 + + upstream: remove last references to active_state + + with & ok markus@ + + OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2 + +commit ec00f918b8ad90295044266c433340a8adc93452 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:43:07 2019 +0000 + + upstream: convert monitor.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 61ecd154bd9804461a0cf5f495a29d919e0014d5 + +commit 6350e0316981489d4205952d6904d6fedba5bfe0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:42:30 2019 +0000 + + upstream: convert sshd.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: ea569d3eaf9b5cf1bad52779fbfa5fa0b28af891 + +commit a5e2ad88acff2b7d131ee6d5dc5d339b0f8c6a6d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:41:53 2019 +0000 + + upstream: convert session.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: fae817207e23099ddd248960c984f7b7f26ea68e + +commit 3a00a921590d4c4b7e96df11bb10e6f9253ad45e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:41:18 2019 +0000 + + upstream: convert auth.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4 + +commit 7ec5cb4d15ed2f2c5c9f5d00e6b361d136fc1e2d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:40:48 2019 +0000 + + upstream: convert serverloop.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: c92dd19b55457541478f95c0d6b318426d86d885 + +commit 64c9598ac05332d1327cbf55334dee4172d216c4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:40:21 2019 +0000 + + upstream: convert the remainder of sshconnect2.c to new packet + + API + + with & ok markus@ + + OpenBSD-Commit-ID: 0986d324f2ceb5e8a12ac21c1bb10b3b4b1e0f71 + +commit 
bc5e1169d101d16e3a5962a928db2bc49a8ef5a3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:39:12 2019 +0000 + + upstream: convert the remainder of clientloop.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: ce2fbbacb86a290f31da1e7bf04cddf2bdae3d1e + +commit 5ebce136a6105f084db8f0d7ee41981d42daec40 +Author: Damien Miller <djm@mindrot.org> +Date: Sun Jan 20 09:44:53 2019 +1100 + + upstream: convert auth2.c to new packet API + + OpenBSD-Commit-ID: ed831bb95ad228c6791bc18b60ce7a2edef2c999 + +commit 172a592a53ebe8649c4ac0d7946e6c08eb151af6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:37:48 2019 +0000 + + upstream: convert servconf.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4 + +commit 8cc7a679d29cf6ecccfa08191e688c7f81ef95c2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:37:13 2019 +0000 + + upstream: convert channels.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 0b8279b56113cbd4011fc91315c0796b63dc862c + +commit 06232038c794c7dfcb087be0ab0b3e65b09fd396 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:36:38 2019 +0000 + + upstream: convert sshconnect.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 222337cf6c96c347f1022d976fac74b4257c061f + +commit 25b2ed667216314471bb66752442c55b95792dc3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:36:06 2019 +0000 + + upstream: convert ssh.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: eb146878b24e85c2a09ee171afa6797c166a2e21 + +commit e3128b38623eef2fa8d6e7ae934d3bd08c7e973e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:35:25 2019 +0000 + + upstream: convert mux.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 4e3893937bae66416e984b282d8f0f800aafd802 + +commit ed1df7226caf3a943a36d580d4d4e9275f8a61ee +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:34:45 2019 +0000 + + 
upstream: convert sshconnect2.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 1cb869e0d6e03539f943235641ea070cae2ebc58 + +commit 23f22a4aaa923c61ec49a99ebaa383656e87fa40 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:33:57 2019 +0000 + + upstream: convert clientloop.c to new packet API + + with & ok markus@ + + OpenBSD-Commit-ID: 497b36500191f452a22abf283aa8d4a9abaee7fa + +commit ad60b1179c9682ca5aef0b346f99ef68cbbbc4e5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:33:13 2019 +0000 + + upstream: allow sshpkt_fatal() to take a varargs format; we'll + + use this to give packet-related fatal error messages more context (esp. the + remote endpoint) ok markus@ + + OpenBSD-Commit-ID: de57211f9543426b515a8a10a4f481666b2b2a50 + +commit 0fa174ebe129f3d0aeaf4e2d1dd8de745870d0ff +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Jan 19 21:31:32 2019 +0000 + + upstream: begin landing remaining refactoring of packet parsing + + API, started almost exactly six years ago. + + This change stops including the old packet_* API by default and makes + each file that requires the old API include it explicitly. We will + commit file-by-file refactoring to remove the old API in consistent + steps. + + with & ok markus@ + + OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4 + +commit 4ae7f80dfd02f2bde912a67c9f338f61e90fa79f +Author: tb@openbsd.org <tb@openbsd.org> +Date: Sat Jan 19 04:15:56 2019 +0000 + + upstream: Print an \r in front of the password prompt so parts of + + a password that was entered too early are likely clobbered by the prompt. + Idea from doas. + + from and ok djm + "i like it" deraadt + + OpenBSD-Commit-ID: 5fb97c68df6d8b09ab37f77bca1d84d799c4084e + +commit a6258e5dc314c7d504ac9f0fbc3be96475581dbe +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jan 18 11:09:01 2019 +1100 + + Add minimal fchownat and fchmodat implementations. + + Fixes builds on at least OS X Lion, NetBSD 6 and Solaris 10. 
+ +commit 091093d25802b87d3b2b09f2c88d9f33e1ae5562 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jan 18 12:11:42 2019 +1300 + + Add a minimal implementation of utimensat(). + + Some systems (eg older OS X) do not have utimensat, so provide minimal + implementation in compat layer. Fixes build on at least El Capitan. + +commit 609644027dde1f82213699cb6599e584c7efcb75 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 1 22:20:16 2019 +0000 + + upstream: regress bits for banner processing refactor (this test was + + depending on ssh returning a particular error message for banner parsing + failure) + + reminded by bluhm@ + + OpenBSD-Regress-ID: f24fc303d40931157431df589b386abf5e1be575 + +commit f47d72ddad75b93d3cbc781718b0fa9046c03df8 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jan 17 04:45:09 2019 +0000 + + upstream: tun_fwd_ifnames variable should b + + =?UTF-8?q?e=20extern;=20from=20Hanno=20B=C3=B6ck?= + MIME-Version: 1.0 + Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit + + OpenBSD-Commit-ID: d53dede6e521161bf04d39d09947db6253a38271 + +commit 943d0965263cae1c080ce5a9d0b5aa341885e55d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jan 17 04:20:53 2019 +0000 + + upstream: include time.h for time(3)/nanosleep(2); from Ian + + McKellar + + OpenBSD-Commit-ID: 6412ccd06a88f65b207a1089345f51fa1244ea51 + +commit dbb4dec6d5d671b5e9d67ef02162a610ad052068 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jan 17 01:50:24 2019 +0000 + + upstream: many of the global variables in this file can be made static; + + patch from Markus Schmidt + + OpenBSD-Commit-ID: f3db619f67beb53257b21bac0e92b4fb7d5d5737 + +commit 60d8c84e0887514c99c9ce071965fafaa1c3d34a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jan 16 23:23:45 2019 +0000 + + upstream: Add "-h" flag to sftp chown/chgrp/chmod commands to + + request they do not follow symlinks. Requires recently-committed + lsetstat@openssh.com extension on the server side. 
+ + ok markus@ dtucker@ + + OpenBSD-Commit-ID: f93bb3f6f7eb2fb7ef1e59126e72714f1626d604 + +commit dbbc7e0eab7262f34b8e0cd6efecd1c77b905ed0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Jan 16 23:22:10 2019 +0000 + + upstream: add support for a "lsetstat@openssh.com" extension. This + + replicates the functionality of the existing SSH2_FXP_SETSTAT operation but + does not follow symlinks. Based on a patch from Bert Haverkamp in bz#2067 but + with more attribute modifications supported. + + ok markus@ dtucker@ + + OpenBSD-Commit-ID: f7234f6e90db19655d55d936a115ee4ccb6aaf80 + +commit 4a526941d328fc3d97068c6a4cbd9b71b70fe5e1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jan 4 03:27:50 2019 +0000 + + upstream: eliminate function-static attempt counters for + + passwd/kbdint authmethods by moving them to the client authctxt; Patch from + Markus Schmidt, ok markus@ + + OpenBSD-Commit-ID: 4df4404a5d5416eb056f68e0e2f4fa91ba3b3f7f + +commit 8a8183474c41bd6cebaa917346b549af2239ba2f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jan 4 03:23:00 2019 +0000 + + upstream: fix memory leak of ciphercontext when rekeying; bz#2942 + + Patch from Markus Schmidt; ok markus@ + + OpenBSD-Commit-ID: 7877f1b82e249986f1ef98d0ae76ce987d332bdd + +commit 5bed70afce0907b6217418d0655724c99b683d93 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jan 1 23:10:53 2019 +0000 + + upstream: static on global vars, const on handler tables that contain + + function pointers; from Mike Frysinger + + OpenBSD-Commit-ID: 7ef2305e50d3caa6326286db43cf2cfaf03960e0 + +commit 007a88b48c97d092ed2f501bbdcb70d9925277be +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 27 23:02:11 2018 +0000 + + upstream: Request RSA-SHA2 signatures for + + rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@ + + OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033 + +commit eb347d086c35428c47fe52b34588cbbc9b49d9a6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 27 
03:37:49 2018 +0000 + + upstream: ssh_packet_set_state() now frees ssh->kex implicitly, so + + don't do explicit kex_free() beforehand + + OpenBSD-Regress-ID: f2f73bad47f62a2040ccba0a72cadcb12eda49cf + +commit bb542f0cf6f7511a22a08c492861e256a82376a9 +Author: tedu@openbsd.org <tedu@openbsd.org> +Date: Sat Dec 15 00:50:21 2018 +0000 + + upstream: remove unused and problematic sudo clean. ok espie + + OpenBSD-Regress-ID: ca90c20a15a85b661e13e98b80c10e65cd662f7b + +commit 0a843d9a0e805f14653a555f5c7a8ba99d62c12d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Dec 27 03:25:24 2018 +0000 + + upstream: move client/server SSH-* banners to buffers under + + ssh->kex and factor out the banner exchange. This eliminates some common code + from the client and server. + + Also be more strict about handling \r characters - these should only + be accepted immediately before \n (pointed out by Jann Horn). + + Inspired by a patch from Markus Schmidt. + (lots of) feedback and ok markus@ + + OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b + +commit 434b587afe41c19391821e7392005068fda76248 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Dec 7 04:36:09 2018 +0000 + + upstream: Fix calculation of initial bandwidth limits. Account for + + written bytes before the initial timer check so that the first buffer written + is accounted. Set the threshold after which the timer is checked such that + the limit starts being computed as soon as possible, ie after the second + buffer is written. This prevents an initial burst of traffic and provides a + more accurate bandwidth limit. bz#2927, ok djm. + + OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6 + +commit a6a0788cbbe8dfce2819ee43b09c80725742e21c +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Dec 7 03:39:40 2018 +0000 + + upstream: only consider the ext-info-c extension during the initial + + KEX. It shouldn't be sent in subsequent ones, but if it is present we should + ignore it. 
+ + This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy + these clients. Reported by Jakub Jelen via bz2929; ok dtucker@ + + OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9 + +commit 63bba57a32c5bb6158d57cf4c47022daf89c14a0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Dec 7 03:33:18 2018 +0000 + + upstream: fix option letter pasto in previous + + OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39 + +commit 737e4edd82406595815efadc28ed5161b8b0c01a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Dec 7 03:32:26 2018 +0000 + + upstream: mention that the ssh-keygen -F (find host in + + authorized_keys) and -R (remove host from authorized_keys) options may accept + either a bare hostname or a [hostname]:port combo. bz#2935 + + OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780 + +commit 8a22ffaa13391cfe5b40316d938fe0fb931e9296 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Dec 7 15:41:16 2018 +1100 + + expose $SSH_CONNECTION in the PAM environment + + This makes the connection 4-tuple available to PAM modules that + wish to use it in decision-making. bz#2741 + +commit a784fa8c7a7b084d63bae82ccfea902131bb45c5 +Author: Kevin Adler <kadler@us.ibm.com> +Date: Wed Dec 12 22:12:45 2018 -0600 + + Don't pass loginmsg by address now that it's an sshbuf* + + In 120a1ec74, loginmsg was changed from the legacy Buffer type + to struct sshbuf*, but it missed changing calls to + sys_auth_allowed_user and sys_auth_record_login which passed + loginmsg by address. Now that it's a pointer, just pass it directly. + + This only affects AIX, unless there are out of tree users. + +commit 285310b897969a63ef224d39e7cc2b7316d86940 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Dec 7 02:31:20 2018 +0000 + + upstream: no need to allocate channels_pre/channels_post in + + channel_init_channels() as we do it anyway in channel_handler_init() that we + call at the end of the function. 
Fix from Markus Schmidt via bz#2938 + + OpenBSD-Commit-ID: 74893638af49e3734f1e33a54af1b7ea533373ed + +commit 87d6cf1cbc91df6815db8fe0acc7c910bc3d18e4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 30 02:24:52 2018 +0000 + + upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293 + + OpenBSD-Commit-ID: 0e8fc8f19f14b21adef7109e0faa583d87c0e929 + +commit 91b19198c3f604f5eef2c56dbe36f29478243141 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Nov 28 06:00:38 2018 +0000 + + upstream: don't truncate user or host name in "user@host's + + OpenBSD-Commit-ID: e6ca01a8d58004b7f2cac0b1b7ce8f87e425e360 + +commit dd0cf6318d9b4b3533bda1e3bc021b2cd7246b7a +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Nov 23 06:58:28 2018 +0000 + + upstream: tweak previous; + + OpenBSD-Commit-ID: 08f096922eb00c98251501c193ff9e83fbb5de4f + +commit 8a85f5458d1c802471ca899c97f89946f6666e61 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Nov 25 21:44:05 2018 +1100 + + Include stdio.h for FILE if needed. + +commit 16fb23f25454991272bfe4598cc05d20fcd25116 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Nov 25 14:05:57 2018 +1100 + + Reverse order of OpenSSL init functions. + + Try the new init function (OPENSSL_init_crypto) before falling back to + the old one (OpenSSL_add_all_algorithms). + +commit 98f878d2272bf8dff21f2a0265d963c29e33fed2 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Nov 25 14:05:08 2018 +1100 + + Improve OpenSSL_add_all_algorithms check. + + OpenSSL_add_all_algorithms() may be a macro so check for that too. + +commit 9e34e0c59ab04514f9de9934a772283f7f372afe +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 23 05:08:07 2018 +0000 + + upstream: add a ssh_config "Match final" predicate + + Matches in same pass as "Match canonical" but doesn't require + hostname canonicalisation be enabled. 
bz#2906 ok markus + + OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa + +commit 4da58d58736b065b1182b563d10ad6765d811c6d +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Nov 23 02:53:57 2018 +0000 + + upstream: Remove now-unneeded ifdef SIGINFO around handler since it is + + now always used for SIGUSR1 even when SIGINFO is not defined. This will make + things simpler in -portable. + + OpenBSD-Regress-ID: 4ff0265b335820b0646d37beb93f036ded0dc43f + +commit c721d5877509875c8515df0215fa1dab862013bc +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Nov 23 14:11:20 2018 +1100 + + Move RANDOM_SEED_SIZE outside ifdef. + + RANDOM_SEED_SIZE is used by both the OpenSSL and non-OpenSSL code + This fixes the build with configureed --without-openssl. + +commit deb51552c3ce7ce72c8d0232e4f36f2e7c118c7d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Nov 22 19:59:28 2018 +1100 + + Resync with OpenBSD by pulling in an ifdef SIGINFO. + +commit 28c7b2cd050f4416bfcf3869a20e3ea138aa52fe +Author: Damien Miller <djm@mindrot.org> +Date: Fri Nov 23 10:45:20 2018 +1100 + + fix configure test for OpenSSL version + + square brackets in case statements may be eaten by autoconf. + + Report and fix from Filipp Gunbin; tweaked by naddy@ + +commit 42c5ec4b97b6a1bae70f323952d0646af16ce710 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Nov 23 10:40:06 2018 +1100 + + refactor libcrypto initialisation + + Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually + supports it. + + Move all libcrypto initialisation to a single function, and call that + from seed_rng() that is called early in each tool's main(). + + Prompted by patch from Rosen Penev + +commit 5b60b6c02009547a3e2a99d4886965de2a4719da +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Nov 22 08:59:11 2018 +0000 + + upstream: Output info on SIGUSR1 as well as + + SIGINFO to resync with portable. (ID sync only). 
+ + OpenBSD-Regress-ID: 699d153e2de22dce51a1b270c40a98472d1a1b16 + +commit e4ae345dc75b34fd870c2e8690d831d2c1088eb7 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Thu Nov 22 08:48:32 2018 +0000 + + upstream: Append pid to temp files in /var/run and set a cleanup + + trap for them. This allows multiple instances of tests to run without + colliding. + + OpenBSD-Regress-ID: 57add105ecdfc54752d8003acdd99eb68c3e0b4c + +commit f72d0f52effca5aa20a193217346615ecd3eed53 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Oct 31 11:09:27 2018 +0000 + + upstream: UsePrivilegeSeparation no is deprecated + + test "yes" and "sandbox". + + OpenBSD-Regress-ID: 80e685ed8990766527dc629b1affc09a75bfe2da + +commit 35d0e5fefc419bddcbe09d7fc163d8cd3417125b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 17 23:28:05 2018 +0000 + + upstream: add some knobs: + + UNITTEST_FAST?= no # Skip slow tests (e.g. less intensive fuzzing). + UNITTEST_SLOW?= no # Include slower tests (e.g. more intensive fuzzing). + UNITTEST_VERBOSE?= no # Verbose test output (inc. per-test names). + + useful if you want to run the tests as a smoke test to exercise the + functionality without waiting for all the fuzzers to run. + + OpenBSD-Regress-ID: e04d82ebec86068198cd903acf1c67563c57315e + +commit c1941293d9422a14dda372b4c21895e72aa7a063 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Nov 22 15:52:26 2018 +1100 + + Resync Makefile.inc with upstream. + + It's unused in -portable, but having it out of sync makes other syncs + fail to apply. + +commit 928f1231f65f88cd4c73e6e0edd63d2cf6295d77 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Nov 19 04:12:32 2018 +0000 + + upstream: silence (to log level debug2) failure messages when + + loading the default hostkeys. Hostkeys explicitly specified in the + configuration or on the command-line are still reported as errors, and + failure to load at least one host key remains a fatal error. 
+ MIME-Version: 1.0 + Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit + + Based on patch from Dag-Erling Smørgrav via + https://github.com/openssh/openssh-portable/pull/103 + + ok markus@ + + OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684 + +commit 7fca94edbe8ca9f879da9fdd2afd959c4180f4c7 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Sun Nov 18 22:43:29 2018 +0000 + + upstream: Fix inverted logic for redirecting ProxyCommand stderr to + + /dev/null. Fixes mosh in proxycommand mode that was broken by the previous + ProxyCommand change that was reported by matthieu@. ok djm@ danj@ + + OpenBSD-Commit-ID: c6fc9641bc250221a0a81c6beb2e72d603f8add6 + +commit ccef7c4faf914993b53035cd2b25ce02ab039c9d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 06:17:38 2018 +0000 + + upstream: redirect stderr of ProxyCommands to /dev/null when ssh is + + started with ControlPersist; based on patch from Steffen Prohaska + + OpenBSD-Commit-ID: 1bcaa14a03ae80369d31021271ec75dce2597957 + +commit 15182fd96845a03216d7ac5a2cf31c4e77e406e3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 06:10:29 2018 +0000 + + upstream: make grandparent-parent-child sshbuf chains robust to + + use-after-free faults if the ancestors are freed before the descendents. + Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn + + OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2 + +commit 2a35862e664afde774d4a72497d394fe7306ccb5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 03:26:01 2018 +0000 + + upstream: use path_absolute() for pathname checks; from Manoj Ampalam + + OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925 + +commit d0d1dfa55be1c5c0d77ab3096b198a64235f936d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Nov 16 14:11:44 2018 +1100 + + Test for OPENSSL_init_crypto before using. 
+ + Check for the presence of OPENSSL_init_crypto and all the flags we want + before trying to use it (bz#2931). + +commit 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 03:03:10 2018 +0000 + + upstream: disallow empty incoming filename or ones that refer to the + + current directory; based on report/patch from Harry Sintonen + + OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 + +commit aaed635e3a401cfcc4cc97f33788179c458901c3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 02:46:20 2018 +0000 + + upstream: fix bug in client that was keeping a redundant ssh-agent + + socket around for the life of the connection; bz#2912; reported by Simon + Tatham; ok dtucker@ + + OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478 + +commit e76135e3007f1564427b2956c628923d8dc2f75a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 02:43:56 2018 +0000 + + upstream: fix bug in HostbasedAcceptedKeyTypes and + + PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were + specified, then authentication would always fail for RSA keys as the monitor + checks only the base key (not the signature algorithm) type against + *AcceptedKeyTypes. 
bz#2746; reported by Jakub Jelen; ok dtucker + + OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b + +commit 5c1a63562cac0574c226224075b0829a50b48c9d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 16 02:30:20 2018 +0000 + + upstream: support a prefix of '@' to suppress echo of sftp batch + + commands; bz#2926; ok dtucker@ + + OpenBSD-Commit-ID: 9d635636bc84aeae796467e059f7634de990a79d + +commit 90ef45f7aac33eaf55ec344e101548a01e570f29 +Author: schwarze@openbsd.org <schwarze@openbsd.org> +Date: Tue Nov 13 07:22:45 2018 +0000 + + upstream: fix markup error (missing blank before delimiter); from + + Mike Frysinger <vapier at gentoo dot org> + + OpenBSD-Commit-ID: 1bc5392f795ca86318d695e0947eaf71a5a4f6d9 + +commit 960e7c672dc106f3b759c081de3edb4d1138b36e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 9 02:57:58 2018 +0000 + + upstream: typo in error message; caught by Debian lintian, via + + Colin Watson + + OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758 + +commit 81f1620c836e6c79c0823ba44acca605226a80f1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Nov 9 02:56:22 2018 +0000 + + upstream: correct local variable name; from yawang AT microsoft.com + + OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87 + +commit 1293740e800fa2e5ccd38842a2e4970c6f3b9831 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Oct 31 11:20:05 2018 +0000 + + upstream: Import new moduli. + + OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403 + +commit 46925ae28e53fc9add336a4fcdb7ed4b86c3591c +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 26 01:23:03 2018 +0000 + + upstream: mention ssh-ed25519-cert-v01@openssh.com in list of cert + + key type at start of doc + + OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324 + +commit 8d8340e2c215155637fe19cb1a837f71b2d55f7b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Nov 16 13:32:13 2018 +1100 + + Remove fallback check for /usr/local/ssl. 
+ + If configure could not find a working OpenSSL installation it would + fall back to checking in /usr/local/ssl. This made sense back when + systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't + use that as a default any more. The fallback behaviour also meant + that if you pointed --with-ssl-dir at a specific directory and it + didn't work, it would silently use either the system libs or the ones + in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to + pass configure --with-ssl-dir=/usr/local/ssl. ok djm@ + +commit ce93472134fb22eff73edbcd173a21ae38889331 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Nov 16 12:44:01 2018 +1100 + + Fix check for OpenSSL 1.0.1 exactly. + + Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix + compile-time check for 1.0.1 to match. + +commit f2970868f86161a22b2c377057fa3891863a692a +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Nov 11 15:58:20 2018 +1100 + + Improve warnings in cygwin service setup. + + bz#2922, patch from vinschen at redhat.com. + +commit bd2d54fc1eee84bf87158a1277a50e6c8a303339 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Nov 11 15:54:54 2018 +1100 + + Remove hardcoded service name in cygwin setup. + + bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check + by vinschen at redhat.com. + +commit d0153c77bf7964e694f1d26c56c41a571b8e9466 +Author: Dag-Erling Smørgrav <des@des.no> +Date: Tue Oct 9 23:03:40 2018 +0200 + + AC_CHECK_SIZEOF() no longer needs a second argument. + +commit 9b47b083ca9d866249ada9f02dbd57c87b13806e +Author: Manoj Ampalam <manojamp@microsoft.com> +Date: Thu Nov 8 22:41:59 2018 -0800 + + Fix error message w/out nistp521. + + Correct error message when OpenSSL doesn't support certain ECDSA key + lengths. 
+ +commit 624d19ac2d56fa86a22417c35536caceb3be346f +Author: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Tue Oct 9 16:17:42 2018 -0300 + + fix compilation with openssl built without ECC + + ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be + guarded by OPENSSL_HAS_ECC + + 
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +commit 1801cd11d99d05a66ab5248c0555f55909a355ce +Author: Darren Tucker <dtucker@dtucker.net> +Date: Thu Nov 8 15:03:11 2018 +1100 + + Simplify OpenSSL 1.1 function checks. + + Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single + AC_CHECK_FUNCS. ok djm@ + +commit bc32f118d484e4d71d2a0828fd4eab7e4176c9af +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Nov 5 17:31:24 2018 +1100 + + Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV. + + Prevents unnecessary redefinition. Patch from mforney at mforney.org. + +commit 3719df60c66abc4b47200d41f571d67772f293ba +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Oct 31 22:21:03 2018 +1100 + + Import new moduli. + +commit 595605d4abede475339d6a1f07a8cc674c11d1c3 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Oct 28 15:18:13 2018 +1100 + + Update check for minimum OpenSSL version. + +commit 6ab75aba340d827140d7ba719787aabaf39a0355 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Oct 28 15:16:31 2018 +1100 + + Update required OpenSSL versions to match current. + +commit c801b0e38eae99427f37869370151b78f8e15c5d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Oct 28 14:34:12 2018 +1100 + + Use detected version functions in openssl compat. + + Use detected functions in compat layer instead of guessing based on + versions. Really fixes builds with LibreSSL, not just configure. + +commit 262d81a259d4aa1507c709ec9d5caa21c7740722 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Oct 27 16:45:59 2018 +1100 + + Check for the existence of openssl version funcs. + + Check for the existence of openssl version functions and use the ones + detected instead of trying to guess based on the int32 version + identifier. Fixes builds with LibreSSL. 
+ +commit 406a24b25d6a2bdd70cacd16de7e899dcb2a8829 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Oct 26 13:43:28 2018 +1100 + + fix builds on OpenSSL <= 1.0.x + + I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API + to obtain version number, but they don't. + +commit 859754bdeb41373d372e36b5dc89c547453addb3 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Oct 23 17:10:41 2018 +1100 + + remove remaining references to SSLeay + + Prompted by Rosen Penev + +commit b9fea45a68946c8dfeace72ad1f6657c18f2a98a +Author: Damien Miller <djm@mindrot.org> +Date: Tue Oct 23 17:10:35 2018 +1100 + + regen depend + +commit a65784c9f9c5d00cf1a0e235090170abc8d07c73 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Oct 23 05:56:35 2018 +0000 + + upstream: refer to OpenSSL not SSLeay; + + we're old, but we don't have to act it + + OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec + +commit c0a35265907533be10ca151ac797f34ae0d68969 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Oct 22 11:22:50 2018 +1100 + + fix compile for openssl 1.0.x w/ --with-ssl-engine + + bz#2921, patch from cotequeiroz + +commit 31b49525168245abe16ad49d7b7f519786b53a38 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Oct 22 20:05:18 2018 +1100 + + Include openssl compatibility. + + Patch from rosenp at gmail.com via openssh-unix-dev. + +commit a4fc253f5f44f0e4c47aafe2a17d2c46481d3c04 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Oct 19 03:12:42 2018 +0000 + + upstream: when printing certificate contents "ssh-keygen -Lf + + /path/certificate", include the algorithm that the CA used to sign the cert. + + OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd + +commit 83b3d99d2b47321b7ebb8db6f6ea04f3808bc069 +Author: florian@openbsd.org <florian@openbsd.org> +Date: Mon Oct 15 11:28:50 2018 +0000 + + upstream: struct sockaddr_storage is guaranteed to be large enough, + + no need to check the size. 
OK kn, deraadt + + OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439 + commit aede1c34243a6f7feae2fb2cb686ade5f9be6f3d Author: Damien Miller <djm@mindrot.org> Date: Wed Oct 17 11:01:20 2018 +1100 
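Review bot: the added entry for 928f1231f65f carries mail headers (MIME-Version, Content-Type, Content-Transfer-Encoding) inside the commit body, just before the "Based on patch from Dag-Erling Smørgrav" line. Since this is an imported ChangeLog, leave the text as upstream shipped it and confirm the file matches the upstream release copy rather than hand-correcting entries. The same applies to the entry for 737e4edd8240, which describes ssh-keygen -F and -R as finding and removing a host in authorized_keys although those options act on known_hosts, and to the subject of 91b19198c3f6, which stops at an unclosed quote after "user@host's". Three entries in this hunk change behaviour that downstream users can observe and are worth calling out in the importing tree's release notes: 8d8340e2c215 removes the silent configure fallback to /usr/local/ssl, 6010c0303a42 rejects empty incoming filenames and ones that refer to the current directory, and e76135e3007f fixes HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes failing for RSA keys when only RSA-SHA2 signature types are listed.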
@@ -7741,1966 +10340,3 @@ Date: Mon Apr 17 11:02:31 2017 +0000 -Wpointer-sign and -Wold-style-definition. Upstream-ID: 5cbe348aa76dc1adf55be6c0e388fafaa945439a - -commit 4d827f0d75a53d3952288ab882efbddea7ffadfe -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Apr 4 00:24:56 2017 +0000 - - upstream commit - - disallow creation (of empty files) in read-only mode; - reported by Michal Zalewski, feedback & ok deraadt@ - - Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b - -commit ef47843af0a904a21c920e619c5aec97b65dd9ac -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Sun Mar 26 00:18:52 2017 +0000 - - upstream commit - - incorrect renditions of this quote bother me - - Upstream-ID: 1662be3ebb7a71d543da088119c31d4d463a9e49 - -commit d9048861bea842c4eba9c2dbbf97064cc2a5ef02 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Mar 31 11:04:43 2017 +1100 - - Check for and use gcc's -pipe. - - Speeds up configure and build by a couple of percent. ok djm@ - -commit 282cad2240c4fbc104c2f2df86d688192cbbe4bb -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 16:34:44 2017 +1100 - - Import fmt_scaled.c rev 1.16 from OpenBSD. - - Fix overly-conservative overflow checks on mulitplications and add checks - on additions. This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN - will still be flagged as a range error). ok millert@ - -commit c73a229e4edf98920f395e19fd310684fc6bb951 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 16:34:02 2017 +1100 - - Import fmt_scaled.c rev 1.15 from OpenBSD. - - Collapse underflow and overflow checks into a single block. - ok djm@ millert@ - -commit d427b73bf5a564f663d16546dbcbd84ba8b9d4af -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 16:32:57 2017 +1100 - - Import fmt_scaled.c rev 1.14 from OpenBSD. - - Catch integer underflow in scan_scaled reported by Nicolas Iooss. 
- ok deraadt@ djm@ - -commit d13281f2964abc5f2e535e1613c77fc61b0c53e7 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 12:39:39 2017 +1100 - - Don't check privsep user or path when unprivileged - - If running with privsep (mandatory now) as a non-privileged user, we - don't chroot or change to an unprivileged user however we still checked - the existence of the user and directory. Don't do those checks if we're - not going to use them. Based in part on a patch from Lionel Fourquaux - via Corinna Vinschen, ok djm@ - -commit f2742a481fe151e493765a3fbdef200df2ea7037 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 10:50:31 2017 +1100 - - Remove SHA256 EVP wrapper implementation. - - All supported versions of OpenSSL should now have SHA256 so remove our - EVP wrapper implementaion. ok djm@ - -commit 5346f271fc76549caf4a8e65b5fba319be422fe9 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 10:23:58 2017 +1100 - - Remove check for OpenSSL < 0.9.8g. - - We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC - in OpenSSL < 0.9.8g. - -commit 8fed0a5fe7b4e78a6810b133d8e91be9742ee0a1 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 10:16:15 2017 +1100 - - Remove compat code for OpenSSL < 0.9.7. - - Resyncs that code with OpenBSD upstream. - -commit 608ec1f62ff22fdccc3952e51463d79c43cbd0d3 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Mar 29 09:50:54 2017 +1100 - - Remove SSHv1 code path. - - Server-side support for Protocol 1 has been removed so remove !compat20 - PAM code path. - -commit 7af27bf538cbc493d609753f9a6d43168d438f1b -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Mar 24 09:44:56 2017 +1100 - - Enable ldns when using ldns-config. - - Actually enable ldns when attempting to use ldns-config. bz#2697, patch - from fredrik at fornwall.net. 
- -commit 58b8cfa2a062b72139d7229ae8de567f55776f24 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Mar 22 12:43:02 2017 +1100 - - Missing header on Linux/s390 - - Patch from Jakub Jelen - -commit 096fb65084593f9f3c1fc91b6d9052759a272a00 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Mar 20 22:08:06 2017 +0000 - - upstream commit - - remove /usr/bin/time calls around tests, makes diffing test - runs harder. Based on patch from Mike Frysinger - - Upstream-Regress-ID: 81c1083b14dcf473b23d2817882f40b346ebc95c - -commit 6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 21 08:47:55 2017 +1100 - - Fix syntax error on Linux/X32 - - Patch from Mike Frysinger - -commit d38f05dbdd291212bc95ea80648b72b7177e9f4e -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Mar 20 13:38:27 2017 +1100 - - Add llabs() implementation. - -commit 72536316a219b7394996a74691a5d4ec197480f7 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Mar 20 12:23:04 2017 +1100 - - crank version numbers - -commit 3be52bc36bdfd24ded7e0f46999e7db520fb4e3f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Mar 20 01:18:59 2017 +0000 - - upstream commit - - openssh-7.5 - - Upstream-ID: b8b9a4a949427c393cd868215e1724ceb3467ee5 - -commit db84e52fe9cfad57f22e7e23c5fbf00092385129 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Mar 20 12:07:20 2017 +1100 - - I'm a doofus. - - Unbreak obvious syntax error. - -commit 89f04852db27643717c9c3a2b0dde97ae50099ee -Author: Damien Miller <djm@mindrot.org> -Date: Mon Mar 20 11:53:34 2017 +1100 - - on Cygwin, check paths from server for backslashes - - Pointed out by Jann Horn of Google Project Zero - -commit 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Mar 20 11:48:34 2017 +1100 - - Yet another synonym for ASCII: "646" - - Used by NetBSD; this unbreaks mprintf() and friends there for the C - locale (caught by dtucker@ and his menagerie of test systems). 
- -commit 9165abfea3f68a0c684a6ed2e575e59bc31a3a6b -Author: Damien Miller <djm@mindrot.org> -Date: Mon Mar 20 09:58:34 2017 +1100 - - create test mux socket in /tmp - - Creating the socket in $OBJ could blow past the (quite limited) - path limit for Unix domain sockets. As a bandaid for bz#2660, - reported by Colin Watson; ok dtucker@ - -commit 2adbe1e63bc313d03e8e84e652cc623af8ebb163 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Wed Mar 15 07:07:39 2017 +0000 - - upstream commit - - disallow KEXINIT before NEWKEYS; ok djm; report by - vegard.nossum at oracle.com - - Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234 - -commit 2fbf91684d76d38b9cf06550b69c9e41bca5a71c -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Mar 16 14:05:46 2017 +1100 - - Include includes.h for compat bits. - -commit b55f634e96b9c5b0cd991e23a9ca181bec4bdbad -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Mar 16 13:45:17 2017 +1100 - - Wrap stdint.h in #ifdef HAVE_STDINT_H - -commit 55a1117d7342a0bf8b793250cf314bab6b482b99 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Mar 16 11:22:42 2017 +1100 - - Adapt Cygwin config script to privsep knob removal - - Patch from Corinna Vinschen. - -commit 1a321bfdb91defe3c4d9cca5651724ae167e5436 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Wed Mar 15 03:52:30 2017 +0000 - - upstream commit - - accidents happen to the best of us; ok djm - - Upstream-ID: b7a9dbd71011ffde95e06f6945fe7197dedd1604 - -commit 25f837646be8c2017c914d34be71ca435dfc0e07 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 15 02:25:09 2017 +0000 - - upstream commit - - fix regression in 7.4: deletion of PKCS#11-hosted keys - would fail unless they were specified by full physical pathname. 
Report and - fix from Jakub Jelen via bz#2682; ok dtucker@ - - Upstream-ID: 5b5bc20ca11cacb5d5eb29c3f93fd18425552268 - -commit a8c5eeacf032a7d3408957e45dd7603cc1baf55f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 15 02:19:09 2017 +0000 - - upstream commit - - Fix segfault when sshd attempts to load RSA1 keys (can - only happen when protocol v.1 support is enabled for the client). Reported by - Jakub Jelen in bz#2686; ok dtucker - - Upstream-ID: 8fdaec2ba4b5f65db1d094f6714ce64b25d871d7 - -commit 66705948c0639a7061a0d0753266da7685badfec -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Mar 14 07:19:07 2017 +0000 - - upstream commit - - Mark the sshd_config UsePrivilegeSeparation option as - deprecated, effectively making privsep mandatory in sandboxing mode. ok - markus@ deraadt@ - - (note: this doesn't remove the !privsep code paths, though that will - happen eventually). - - Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a - -commit f86586b03fe6cd8f595289bde200a94bc2c191af -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 14 18:26:29 2017 +1100 - - Make seccomp-bpf sandbox work on Linux/X32 - - Allow clock_gettime syscall with X32 bit masked off. Apparently - this is required for at least some kernel versions. bz#2142 - Patch mostly by Colin Watson. ok dtucker@ - -commit 2429cf78dd2a9741ce27ba25ac41c535274a0af6 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 14 18:01:52 2017 +1100 - - require OpenSSL >=1.0.1 - -commit e3ea335abeab731c68f2b2141bee85a4b0bf680f -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 14 17:48:43 2017 +1100 - - Remove macro trickery; no binary change - - This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros - prepending __NR_ to the syscall number parameter and just makes - them explicit in the macro invocations. - - No binary change in stripped object file before/after. 
- -commit 5f1596e11d55539678c41f68aed358628d33d86f -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 14 13:15:18 2017 +1100 - - support ioctls for ICA crypto card on Linux/s390 - - Based on patch from Eduardo Barretto; ok dtucker@ - -commit b1b22dd0df2668b322dda174e501dccba2cf5c44 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Mar 14 14:19:36 2017 +1100 - - Plumb conversion test into makefile. - -commit f57783f1ddfb4cdfbd612c6beb5ec01cb5b9a6b9 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Mar 14 01:20:29 2017 +0000 - - upstream commit - - Add unit test for convtime(). - - Upstream-Regress-ID: 8717bc0ca4c21120f6dd3a1d3b7a363f707c31e1 - -commit 8884b7247d094cd11ff9e39c325ba928c5bdbc6c -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Mar 14 01:10:07 2017 +0000 - - upstream commit - - Add ASSERT_LONG_* helpers. - - Upstream-Regress-ID: fe15beaea8f5063c7f21b0660c722648e3d76431 - -commit c6774d21185220c0ba11e8fd204bf0ad1a432071 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Mar 14 00:55:37 2017 +0000 - - upstream commit - - Fix convtime() overflow test on boundary condition, - spotted by & ok djm. - - Upstream-ID: 51f14c507ea87a3022e63f574100613ab2ba5708 - -commit f5746b40cfe6d767c8e128fe50c43274b31cd594 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Mar 14 00:25:03 2017 +0000 - - upstream commit - - Check for integer overflow when parsing times in - convtime(). Reported by nicolas.iooss at m4x.org, ok djm@ - - Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13 - -commit f5907982f42a8d88a430b8a46752cbb7859ba979 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Mar 14 13:38:15 2017 +1100 - - Add a "unit" target to run only unit tests. 
- -commit 9e96b41682aed793fadbea5ccd472f862179fb02 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Mar 14 12:24:47 2017 +1100 - - Fix weakness in seccomp-bpf sandbox arg inspection - - Syscall arguments are passed via an array of 64-bit values in struct - seccomp_data, but we were only inspecting the bottom 32 bits and not - even those correctly for BE systems. - - Fortunately, the only case argument inspection was used was in the - socketcall filtering so using this for sandbox escape seems - impossible. - - ok dtucker - -commit 8ff3fc3f2f7c13e8968717bc2b895ee32c441275 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Mar 11 23:44:16 2017 +0000 - - upstream commit - - regress tests for loading certificates without public keys; - bz#2617 based on patch from Adam Eijdenberg; ok markus@ dtucker@ - - Upstream-Regress-ID: 0145d19328ed995b73fe2d9da33596b17429d0d0 - -commit 1e24552716194db8f2f620587b876158a9ef56ad -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Mar 11 23:40:26 2017 +0000 - - upstream commit - - allow ssh to use certificates accompanied by a private - key file but no corresponding plain *.pub public key. bz#2617 based on patch - from Adam Eijdenberg; ok dtucker@ markus@ - - Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9 - -commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e -Author: markus@openbsd.org <markus@openbsd.org> -Date: Sat Mar 11 13:07:35 2017 +0000 - - upstream commit - - Don't count the initial block twice when computing how - many bytes to discard for the work around for the attacks against CBC-mode. 
- ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL - - Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2 - -commit ef653dd5bd5777132d9f9ee356225f9ee3379504 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 07:18:32 2017 +0000 - - upstream commit - - krl.c - - Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1 - -commit d94c1dfef2ea30ca67b1204ada7c3b537c54f4d0 -Author: Damien Miller <djm@mindrot.org> -Date: Sun Mar 12 10:48:14 2017 +1100 - - sync fmt_scaled.c with OpenBSD - - revision 1.13 - date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R; - fix signed integer overflow in scan_scaled. Found by Nicolas Iooss - using AFL against ssh_config. ok deraadt@ millert@ - ---------------------------- - revision 1.12 - date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5; - fairly simple unsigned char casts for ctype - ok krw - ---------------------------- - revision 1.11 - date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2; - make scan_scaled set errno to EINVAL rather than ERANGE if it encounters - an invalid multiplier, like the man page says it should - - "looks sensible" deraadt@, ok ian@ - ---------------------------- - revision 1.10 - date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4; - use llabs instead of the home-grown version; and some comment changes - ok ian@, millert@ - ---------------------------- - -commit 894221a63fa061e52e414ca58d47edc5fe645968 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 05:01:13 2017 +0000 - - upstream commit - - When updating hostkeys, accept RSA keys if - HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA - keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms - nit ssh-rsa (SHA1 signatures) was not. 
bz#2650 reported by Luis Ressel; ok - dtucker@ - - Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2 - -commit dd3e2298663f4cc1a06bc69582d00dcfee27d73c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 04:24:55 2017 +0000 - - upstream commit - - make hostname matching really insensitive to case; - bz#2685, reported by Petr Cerny; ok dtucker@ - - Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253 - -commit 77a9be9446697fe8b5499fe651f4a82a71a4b51f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 03:52:48 2017 +0000 - - upstream commit - - reword a comment to make it fit 80 columns - - Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4 - -commit 61b8ef6a66efaec07e023342cb94a10bdc2254dc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 04:27:32 2017 +0000 - - upstream commit - - better match sshd config parser behaviour: fatal() if - line is overlong, increase line buffer to match sshd's; bz#2651 reported by - Don Fong; ok dtucker@ - - Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18 - -commit db2597207e69912f2592cd86a1de8e948a9d7ffb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 04:26:06 2017 +0000 - - upstream commit - - ensure hostname is lower-case before hashing it; - bz#2591 reported by Griff Miller II; ok dtucker@ - - Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17 - -commit df9936936c695f85c1038bd706d62edf752aca4b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 04:24:55 2017 +0000 - - upstream commit - - make hostname matching really insensitive to case; - bz#2685, reported by Petr Cerny; ok dtucker@ - - Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549 - -commit 67eed24bfa7645d88fa0b883745fccb22a0e527e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 04:11:00 2017 +0000 - - upstream commit - - Remove old null check from config dumper. 
Patch from - jjelen at redhat.com vi bz#2687, ok djm@ - - Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528 - -commit 183ba55aaaecca0206184b854ad6155df237adbe -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 04:07:20 2017 +0000 - - upstream commit - - fix regression in 7.4 server-sig-algs, where we were - accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno - Goncalves; ok dtucker@ - - Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8 - -commit 66be4fe8c4435af5bbc82998501a142a831f1181 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 03:53:11 2017 +0000 - - upstream commit - - Check for NULL return value from key_new. Patch from - jjelen at redhat.com via bz#2687, ok djm@ - - Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e - -commit ec2892b5c7fea199914cb3a6afb3af38f84990bf -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 03:52:48 2017 +0000 - - upstream commit - - reword a comment to make it fit 80 columns - - Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349 - -commit 7fadbb6da3f4122de689165651eb39985e1cba85 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 03:48:57 2017 +0000 - - upstream commit - - Check for NULL argument to sshkey_read. Patch from - jjelen at redhat.com via bz#2687, ok djm@ - - Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e - -commit 5a06b9e019e2b0b0f65a223422935b66f3749de3 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 03:45:40 2017 +0000 - - upstream commit - - Plug some mem leaks mostly on error paths. From jjelen - at redhat.com via bz#2687, ok djm@ - - Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2 - -commit f6edbe9febff8121f26835996b1229b5064d31b7 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 03:24:48 2017 +0000 - - upstream commit - - Plug mem leak on GLOB_NOMATCH case. 
From jjelen at - redhat.com via bz#2687, ok djm@ - - Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d - -commit 566b3a46e89a2fda2db46f04f2639e92da64a120 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 03:22:40 2017 +0000 - - upstream commit - - Plug descriptor leaks of auth_sock. From jjelen at - redhat.com via bz#2687, ok djm@ - - Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88 - -commit 8a2834454c73dfc1eb96453c0e97690595f3f4c2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 03:18:24 2017 +0000 - - upstream commit - - correctly hash hosts with a port number. Reported by Josh - Powers in bz#2692; ok dtucker@ - - Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442 - -commit 9747b9c742de409633d4753bf1a752cbd211e2d3 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 10 03:15:58 2017 +0000 - - upstream commit - - don't truncate off \r\n from long stderr lines; bz#2688, - reported by Brian Dyson; ok dtucker@ - - Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4 - -commit 4a4b75adac862029a1064577eb5af299b1580cdd -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Mar 10 02:59:51 2017 +0000 - - upstream commit - - Validate digest arg in ssh_digest_final; from jjelen at - redhat.com via bz#2687, ok djm@ - - Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878 - -commit bee0167be2340d8de4bdc1ab1064ec957c85a447 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Mar 10 13:40:18 2017 +1100 - - Check for NULL from malloc. - - Part of bz#2687, from jjelen at redhat.com. - -commit da39b09d43b137a5a3d071b51589e3efb3701238 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Mar 10 13:22:32 2017 +1100 - - If OSX is using launchd, remove screen no. - - Check for socket with and without screen number. 
From Apple and Jakob - Schlyter via bz#2341, with contributions from Ron Frederick, ok djm@ - -commit 8fb15311a011517eb2394bb95a467c209b8b336c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Mar 8 12:07:47 2017 +0000 - - upstream commit - - quote [host]:port in generated ProxyJump commandline; the - [ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri - Tirkkonen via bugs@ - - Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182 - -commit 18501151cf272a15b5f2c5e777f2e0933633c513 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Mar 6 02:03:20 2017 +0000 - - upstream commit - - Check l->hosts before dereferencing; fixes potential null - pointer deref. ok djm@ - - Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301 - -commit d072370793f1a20f01ad827ba8fcd3b8f2c46165 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Mar 6 00:44:51 2017 +0000 - - upstream commit - - linenum is unsigned long so use %lu in log formats. ok - deraadt@ - - Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08 - -commit 12d3767ba4c84c32150cbe6ff6494498780f12c9 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Mar 3 06:13:11 2017 +0000 - - upstream commit - - fix ssh-keygen -H accidentally corrupting known_hosts that - contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by - hostkeys_foreach() when hostname matching is in use, so we need to look for - the hash marker explicitly. - - Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528 - -commit d7abb771bd5a941b26144ba400a34563a1afa589 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Feb 28 06:10:08 2017 +0000 - - upstream commit - - small memleak: free fd_set on connection timeout (though - we are heading to exit anyway). 
From Tom Rix in bz#2683 - - Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4 - -commit 78142e3ab3887e53a968d6e199bcb18daaf2436e -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Mon Feb 27 14:30:33 2017 +0000 - - upstream commit - - errant dot; from klemens nanni - - Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921 - -commit 8071a6924c12bb51406a9a64a4b2892675112c87 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 24 03:16:34 2017 +0000 - - upstream commit - - might as well set the listener socket CLOEXEC - - Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57 - -commit d5499190559ebe374bcdfa8805408646ceffad64 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Feb 19 00:11:29 2017 +0000 - - upstream commit - - add test cases for C locale; ok schwarze@ - - Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87 - -commit 011c8ffbb0275281a0cf330054cf21be10c43e37 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Feb 19 00:10:57 2017 +0000 - - upstream commit - - Add a common nl_langinfo(CODESET) alias for US-ASCII - "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for - non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@ - - Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719 - -commit 0c4430a19b73058a569573492f55e4c9eeaae67b -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Feb 7 23:03:11 2017 +0000 - - upstream commit - - Remove deprecated SSH1 options RSAAuthentication and - RhostsRSAAuthentication from regression test sshd_config. - - Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491 - -commit 3baa4cdd197c95d972ec3d07f1c0d08f2d7d9199 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Feb 17 02:32:05 2017 +0000 - - upstream commit - - Do not show rsa1 key type in usage when compiled without - SSH1 support. 
- - Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57 - -commit ecc35893715f969e98fee118481f404772de4132 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Feb 17 02:31:14 2017 +0000 - - upstream commit - - ifdef out "rsa1" from the list of supported keytypes when - compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@ - - Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f - -commit 10577c6d96a55b877a960b2d0b75edef1b9945af -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 17 02:04:15 2017 +0000 - - upstream commit - - For ProxyJump/-J, surround host name with brackets to - allow literal IPv6 addresses. From Dick Visser; ok dtucker@ - - Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1 - -commit b2afdaf1b52231aa23d2153f4a8c5a60a694dda4 -Author: jsg@openbsd.org <jsg@openbsd.org> -Date: Wed Feb 15 23:38:31 2017 +0000 - - upstream commit - - Fix memory leaks in match_filter_list() error paths. - - ok dtucker@ markus@ - - Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e - -commit 6d5a41b38b55258213ecfaae9df7a758caa752a1 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Feb 15 01:46:47 2017 +0000 - - upstream commit - - fix division by zero crash in "df" output when server - returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok - dtucker@ - - Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f - -commit bd5d7d239525d595ecea92765334af33a45d9d63 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Sun Feb 12 15:45:15 2017 +1100 - - ifdef out EVP_R_PRIVATE_KEY_DECODE_ERROR - - EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out - for the benefit of OpenSSL versions prior to that. 
- -commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 10 04:34:50 2017 +0000 - - upstream commit - - bring back r1.34 that was backed out for problems loading - public keys: - - translate OpenSSL error codes to something more - meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@ - - with additional fix from Jakub Jelen to solve the backout. - bz#2525 bz#2523 re-ok dtucker@ - - Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031 - -commit a287c5ad1e0bf9811c7b9221979b969255076019 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 10 03:36:40 2017 +0000 - - upstream commit - - Sanitise escape sequences in key comments sent to printf - but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@ - - Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e - -commit e40269be388972848aafcca7060111c70aab5b87 -Author: millert@openbsd.org <millert@openbsd.org> -Date: Wed Feb 8 20:32:43 2017 +0000 - - upstream commit - - Avoid printf %s NULL. From semarie@, OK djm@ - - Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c - -commit 5b90709ab8704dafdb31e5651073b259d98352bc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Feb 6 09:22:51 2017 +0000 - - upstream commit - - Restore \r\n newline sequence for server ident string. The CR - got lost in the flensing of SSHv1. Pointed out by Stef Bon - - Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac - -commit 97c31c46ee2e6b46dfffdfc4f90bbbf188064cbc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 3 23:01:42 2017 +0000 - - upstream commit - - unit test for match_filter_list() function; still want a - better name for this... - - Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a - -commit f1a193464a7b77646f0d0cedc929068e4a413ab4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 3 23:05:57 2017 +0000 - - upstream commit - - use ssh_packet_set_log_preamble() to include connection - username in packet log messages, e.g. 
- - Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth] - - ok markus@ bz#113 - - Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15 - -commit 07edd7e9537ab32aa52abb5fb2a915c350fcf441 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 3 23:03:33 2017 +0000 - - upstream commit - - add ssh_packet_set_log_preamble() to allow inclusion of a - preamble string in disconnect messages; ok markus@ - - Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead - -commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 3 23:01:19 2017 +0000 - - upstream commit - - support =- for removing methods from algorithms lists, - e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like - it" markus@ - - Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d - -commit c924b2ef941028a1f31e6e94f54dfeeeef462a4e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Feb 3 05:05:56 2017 +0000 - - upstream commit - - allow form-feed characters at EOL; bz#2431 ok dtucker@ - - Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2 - -commit 523db8540b720c4d21ab0ff6f928476c70c38aab -Author: Damien Miller <djm@mindrot.org> -Date: Fri Feb 3 16:01:22 2017 +1100 - - prefer to use ldns-config to find libldns - - Should fix bz#2603 - "Build with ldns and without kerberos support - fails if ldns compiled with kerberos support" by including correct - cflags/libs - - ok dtucker@ - -commit c998bf0afa1a01257a53793eba57941182e9e0b7 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Feb 3 02:56:00 2017 +0000 - - upstream commit - - Make ssh_packet_set_rekey_limits take u32 for the number of - seconds until rekeying (negative values are rejected at config parse time). - This allows the removal of some casts and a signed vs unsigned comparison - warning. 
- - rekey_time is cast to int64 for the comparison which is a no-op - on OpenBSD, but should also do the right thing in -portable on - anything still using 32bit time_t (until the system time actually - wraps, anyway). - - some early guidance deraadt@, ok djm@ - - Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c - -commit 3ec5fa4ba97d4c4853620daea26a33b9f1fe3422 -Author: jsg@openbsd.org <jsg@openbsd.org> -Date: Thu Feb 2 10:54:25 2017 +0000 - - upstream commit - - In vasnmprintf() return an error if malloc fails and - don't set a function argument to the address of free'd memory. - - ok djm@ - - Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779 - -commit 858252fb1d451ebb0969cf9749116c8f0ee42753 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Feb 1 02:59:09 2017 +0000 - - upstream commit - - Return true reason for port forwarding failures where - feasible rather than always "administratively prohibited". bz#2674, ok djm@ - - Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419 - -commit 6ba9f893838489add6ec4213c7a997b425e4a9e0 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jan 30 23:27:39 2017 +0000 - - upstream commit - - Small correction to the known_hosts section on when it is - updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at - sdf.org - - Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5 - -commit c61d5ec3c11e7ff9779b6127421d9f166cf10915 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Feb 3 14:10:34 2017 +1100 - - Remove _XOPEN_SOURCE from wide char detection. - - Having _XOPEN_SOURCE unconditionally causes problems on some platforms - and configurations, notably Solaris 64-bit binaries. It was there for - the benefit of Linux put the required bits in the *-*linux* section. - - Patch from yvoinov at gmail.com. 
- -commit f25ee13b3e81fd80efeb871dc150fe49d7fc8afd -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 05:22:14 2017 +0000 - - upstream commit - - fully unbreak: some $SSH invocations did not have -F - specified and could pick up the ~/.ssh/config of the user running the tests - - Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89 - -commit 6956e21fb26652887475fe77ea40d2efcf25908b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 04:54:07 2017 +0000 - - upstream commit - - partially unbreak: was not specifying hostname on some - $SSH invocations - - Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc - -commit 52763dd3fe0a4678dafdf7aeb32286e514130afc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 01:03:00 2017 +0000 - - upstream commit - - revise keys/principals command hang fix (bz#2655) to - consume entire output, avoiding sending SIGPIPE to subprocesses early; ok - dtucker@ - - Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc - -commit 381a2615a154a82c4c53b787f4a564ef894fe9ac -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 00:38:50 2017 +0000 - - upstream commit - - small cleanup post SSHv1 removal: - - remove SSHv1-isms in commented examples - - reorder token table to group deprecated and compile-time conditional tokens - better - - fix config dumping code for some compile-time conditional options that - weren't being correctly skipped (SSHv1 and PKCS#11) - - Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105 - -commit 4833d01591b7eb049489d9558b65f5553387ed43 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 00:34:01 2017 +0000 - - upstream commit - - some explicit NULL tests when dumping configured - forwardings; from Karsten Weiss - - Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d - -commit 326e2fae9f2e3e067b5651365eba86b35ee5a6b2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 00:32:28 2017 +0000 - - upstream commit - - misplaced braces in test; from 
Karsten Weiss - - Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae - -commit 3e032a95e46bfaea9f9e857678ac8fa5f63997fb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jan 30 00:32:03 2017 +0000 - - upstream commit - - don't dereference authctxt before testing != NULL, it - causes compilers to make assumptions; from Karsten Weiss - - Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2 - -commit 01cfaa2b1cfb84f3cdd32d1bf82b120a8d30e057 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jan 6 02:51:16 2017 +0000 - - upstream commit - - use correct ssh-add program; bz#2654, from Colin Watson - - Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030 - -commit e5c7ec67cdc42ae2584085e0fc5cc5ee91133cf5 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 6 02:26:10 2017 +0000 - - upstream commit - - Account for timeouts in the integrity tests as failures. - - If the first test in a series for a given MAC happens to modify the low - bytes of a packet length, then ssh will time out and this will be - interpreted as a test failure. Patch from cjwatson at debian.org via - bz#2658. - - Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9 - -commit dbaf599b61bd6e0f8469363a8c8e7f633b334018 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 6 02:09:25 2017 +0000 - - upstream commit - - Make forwarding test less racy by using unix domain - sockets instead of TCP ports where possible. Patch from cjwatson at - debian.org via bz#2659. - - Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9 - -commit 9390b0031ebd6eb5488d3bc4d4333c528dffc0a6 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Jan 29 21:35:23 2017 +0000 - - upstream commit - - Fix typo in ~C error message for bad port forward - cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's - bugtracker. 
- - Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af - -commit 4ba15462ca38883b8a61a1eccc093c79462d5414 -Author: guenther@openbsd.org <guenther@openbsd.org> -Date: Sat Jan 21 11:32:04 2017 +0000 - - upstream commit - - The POSIX APIs that that sockaddrs all ignore the s*_len - field in the incoming socket, so userspace doesn't need to set it unless it - has its own reasons for tracking the size along with the sockaddr. - - ok phessler@ deraadt@ florian@ - - Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437 - -commit a1187bd3ef3e4940af849ca953a1b849dae78445 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Fri Jan 6 16:28:12 2017 +0000 - - upstream commit - - keep the tokens list sorted; - - Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638 - -commit b64077f9767634715402014f509e58decf1e140d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jan 6 09:27:52 2017 +0000 - - upstream commit - - fix previous - - Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895 - -commit 5e820e9ea2e949aeb93071fe31c80b0c42f2b2de -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jan 6 03:53:58 2017 +0000 - - upstream commit - - show a useful error message when included config files - can't be opened; bz#2653, ok dtucker@ - - Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b - -commit 13bd2e2d622d01dc85d22b94520a5b243d006049 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jan 6 03:45:41 2017 +0000 - - upstream commit - - sshd_config is documented to set - GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this. 
- bz#2637 ok dtucker - - Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665 - -commit f89b928534c9e77f608806a217d39a2960cc7fd0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jan 6 03:41:58 2017 +0000 - - upstream commit - - Avoid confusing error message when attempting to use - ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583 - - Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165 - -commit 0999533014784579aa6f01c2d3a06e3e8804b680 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jan 6 02:34:54 2017 +0000 - - upstream commit - - Re-add '%k' token for AuthorizedKeysCommand which was - lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com. - - Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38 - -commit 51045869fa084cdd016fdd721ea760417c0a3bf3 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jan 4 05:37:40 2017 +0000 - - upstream commit - - unbreak Unix domain socket forwarding for root; ok - markus@ - - Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2 - -commit 58fca12ba967ea5c768653535604e1522d177e44 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Jan 16 09:08:32 2017 +1100 - - Remove LOGIN_PROGRAM. - - UseLogin is gone, remove leftover. bz#2665, from cjwatson at debian.org - -commit b108ce92aae0ca0376dce9513d953be60e449ae1 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jan 4 02:21:43 2017 +0000 - - upstream commit - - relax PKCS#11 whitelist a bit to allow libexec as well as - lib directories. - - Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702 - -commit c7995f296b9222df2846f56ecf61e5ae13d7a53d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jan 3 05:46:51 2017 +0000 - - upstream commit - - check number of entries in SSH2_FXP_NAME response; avoids - unreachable overflow later. 
Reported by Jann Horn - - Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f - -commit ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 30 22:08:02 2016 +0000 - - upstream commit - - fix deadlock when keys/principals command produces a lot of - output and a key is matched early; bz#2655, patch from jboning AT gmail.com - - Upstream-ID: e19456429bf99087ea994432c16d00a642060afe - -commit 30eee7d1b2fec33c14870cc11910610be5d2aa6f -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 20 12:16:11 2016 +1100 - - Re-add missing "Prerequisites" header and fix typo - - Patch from HARUYAMA Seigo <haruyama at unixuser org>. - -commit c8c60f3663165edd6a52632c6ddbfabfce1ca865 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Dec 19 22:35:23 2016 +0000 - - upstream commit - - use standard /bin/sh equality test; from Mike Frysinger - - Upstream-Regress-ID: 7b6f0b63525f399844c8ac211003acb8e4b0bec2 - -commit 4a354fc231174901f2629437c2a6e924a2dd6772 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Dec 19 15:59:26 2016 +1100 - - crank version numbers for release - -commit 5f8d0bb8413d4d909cc7aa3c616fb0538224c3c9 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Dec 19 04:55:51 2016 +0000 - - upstream commit - - openssh-7.4 - - Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79 - -commit 3a8213ea0ed843523e34e55ab9c852332bab4c7b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Dec 19 04:55:18 2016 +0000 - - upstream commit - - remove testcase that depends on exact output and - behaviour of snprintf(..., "%s", NULL) - - Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f - -commit eae735a82d759054f6ec7b4e887fb7a5692c66d7 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Dec 19 03:32:57 2016 +0000 - - upstream commit - - Use LOGNAME to get current user and fall back to whoami if - not set. Mainly to benefit -portable since some platforms don't have whoami. 
- - Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa - -commit 0d2f88428487518eea60602bd593989013831dcf -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Dec 16 03:51:19 2016 +0000 - - upstream commit - - Add regression test for AllowUsers and DenyUsers. Patch from - Zev Weiss <zev at bewilderbeest.net> - - Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9 - -commit 3bc8180a008929f6fe98af4a56fb37d04444b417 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Dec 16 15:02:24 2016 +1100 - - Add missing monitor.h include. - - Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net> - -commit 410681f9015d76cc7b137dd90dac897f673244a0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 16 02:48:55 2016 +0000 - - upstream commit - - revert to rev1.2; the new bits in this test depend on changes - to ssh that aren't yet committed - - Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123 - -commit 2f2ffa4fbe4b671bbffa0611f15ba44cff64d58e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Dec 16 01:06:27 2016 +0000 - - upstream commit - - Move the "stop sshd" code into its own helper function. - Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@ - - Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329 - -commit e15e7152331e3976b35475fd4e9c72897ad0f074 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 16 01:01:07 2016 +0000 - - upstream commit - - regression test for certificates along with private key - with no public half. bz#2617, mostly from Adam Eijdenberg - - Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115 - -commit 9a70ec085faf6e55db311cd1a329f1a35ad2a500 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Dec 15 23:50:37 2016 +0000 - - upstream commit - - Use $SUDO to read pidfile in case root's umask is - restricted. From portable. 
- - Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98 - -commit fe06b68f824f8f55670442fb31f2c03526dd326c -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Dec 15 21:29:05 2016 +0000 - - upstream commit - - Add missing braces in DenyUsers code. Patch from zev at - bewilderbeest.net, ok deraadt@ - - Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e - -commit dcc7d74242a574fd5c4afbb4224795b1644321e7 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Dec 15 21:20:41 2016 +0000 - - upstream commit - - Fix text in error message. Patch from zev at - bewilderbeest.net. - - Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6 - -commit b737e4d7433577403a31cff6614f6a1b0b5e22f4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Dec 14 00:36:34 2016 +0000 - - upstream commit - - disable Unix-domain socket forwarding when privsep is - disabled - - Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0 - -commit 08a1e7014d65c5b59416a0e138c1f73f417496eb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Dec 9 03:04:29 2016 +0000 - - upstream commit - - log connections dropped in excess of MaxStartups at - verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@ - - Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b - -commit 10e290ec00964b2bf70faab15a10a5574bb80527 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 13 13:51:32 2016 +1100 - - Get default of TEST_SSH_UTF8 from environment. - -commit b9b8ba3f9ed92c6220b58d70d1e6d8aa3eea1104 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 13 12:56:40 2016 +1100 - - Remove commented-out includes. - - These commented-out includes have "Still needed?" comments. Since - they've been commented out for ~13 years I assert that they're not. - -commit 25275f1c9d5f01a0877d39444e8f90521a598ea0 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 13 12:54:23 2016 +1100 - - Add prototype for strcasestr in compat library. 
- -commit afec07732aa2985142f3e0b9a01eb6391f523dec -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Dec 13 10:23:03 2016 +1100 - - Add strcasestr to compat library. - - Fixes build on (at least) Solaris 10. - -commit dda78a03af32e7994f132d923c2046e98b7c56c8 -Author: Damien Miller <djm@mindrot.org> -Date: Mon Dec 12 13:57:10 2016 +1100 - - Force Turkish locales back to C/POSIX; bz#2643 - - Turkish locales are unique in their handling of the letters 'i' and - 'I' (yes, they are different letters) and OpenSSH isn't remotely - prepared to deal with that. For now, the best we can do is to force - OpenSSH to use the C/POSIX locale and try to preserve the UTF-8 - encoding if possible. - - ok dtucker@ - -commit c35995048f41239fc8895aadc3374c5f75180554 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Dec 9 12:52:02 2016 +1100 - - exit is in stdlib.h not unistd.h (that's _exit). - -commit d399a8b914aace62418c0cfa20341aa37a192f98 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Dec 9 12:33:25 2016 +1100 - - Include <unistd.h> for exit in utf8 locale test. - -commit 47b8c99ab3221188ad3926108dd9d36da3b528ec -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Dec 8 15:48:34 2016 +1100 - - Check for utf8 local support before testing it. - - Check for utf8 local support and if not found, do not attempt to run the - utf8 tests. Suggested by djm@ - -commit 4089fc1885b3a2822204effbb02b74e3da58240d -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Dec 8 12:57:24 2016 +1100 - - Use AC_PATH_TOOL for krb5-config. - - This will use the host-prefixed version when cross compiling; patch from - david.michael at coreos.com. - -commit b4867e0712c89b93be905220c82f0a15e6865d1e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Dec 6 07:48:01 2016 +0000 - - upstream commit - - make IdentityFile successfully load and use certificates that - have no corresponding bare public key. E.g. just a private id_rsa and - certificate id_rsa-cert.pub (and no id_rsa.pub). 
- - bz#2617 ok dtucker@ - - Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604 - -commit c9792783a98881eb7ed295680013ca97a958f8ac -Author: Damien Miller <djm@mindrot.org> -Date: Fri Nov 25 14:04:21 2016 +1100 - - Add a gnome-ssh-askpass3 target for GTK+3 version - - Based on patch from Colin Watson via bz#2640 - -commit 7be85ae02b9de0993ce0a1d1e978e11329f6e763 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Nov 25 14:03:53 2016 +1100 - - Make gnome-ssh-askpass2.c GTK+3-friendly - - Patch from Colin Watson via bz#2640 - -commit b9844a45c7f0162fd1b5465683879793d4cc4aaa -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Dec 4 23:54:02 2016 +0000 - - upstream commit - - Fix public key authentication when multiple - authentication is in use. Instead of deleting and re-preparing the entire - keys list, just reset the 'used' flags; the keys list is already in a good - order (with already- tried keys at the back) - - Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@ - - Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176 - -commit f2398eb774075c687b13af5bc22009eb08889abe -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Dec 4 22:27:25 2016 +0000 - - upstream commit - - Unlink PidFile on SIGHUP and always recreate it when the - new sshd starts. Regression tests (and possibly other things) depend on the - pidfile being recreated after SIGHUP, and unlinking it means it won't contain - a stale pid if sshd fails to restart. ok djm@ markus@ - - Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870 - -commit 85aa2efeba51a96bf6834f9accf2935d96150296 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 30 03:01:33 2016 +0000 - - upstream commit - - test new behaviour of cert force-command restriction vs. 
- authorized_key/ principals - - Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c - -commit 5d333131cd8519d022389cfd3236280818dae1bc -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Wed Nov 30 06:54:26 2016 +0000 - - upstream commit - - tweak previous; while here fix up FILES and AUTHORS; - - Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa - -commit 786d5994da79151180cb14a6cf157ebbba61c0cc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 30 03:07:37 2016 +0000 - - upstream commit - - add a whitelist of paths from which ssh-agent will load - (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@ - - Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f - -commit 7844f357cdd90530eec81340847783f1f1da010b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 30 03:00:05 2016 +0000 - - upstream commit - - Add a sshd_config DisableForwaring option that disables - X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as - anything else we might implement in the future. - - This, like the 'restrict' authorized_keys flag, is intended to be a - simple and future-proof way of restricting an account. Suggested as - a complement to 'restrict' by Jann Horn; ok markus@ - - Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7 - -commit fd6dcef2030d23c43f986d26979f84619c10589d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Nov 30 02:57:40 2016 +0000 - - upstream commit - - When a forced-command appears in both a certificate and - an authorized keys/principals command= restriction, refuse to accept the - certificate unless they are identical. - - The previous (documented) behaviour of having the certificate forced- - command override the other could be a bit confused and more error-prone. 
- - Pointed out by Jann Horn of Project Zero; ok dtucker@ - - Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f - -commit 7fc4766ac78abae81ee75b22b7550720bfa28a33 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Nov 30 00:28:31 2016 +0000 - - upstream commit - - On startup, check to see if sshd is already daemonized - and if so, skip the call to daemon() and do not rewrite the PidFile. This - means that when sshd re-execs itself on SIGHUP the process ID will no longer - change. Should address bz#2641. ok djm@ markus@. - - Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9 - -commit c9f880c195c65f1dddcbc4ce9d6bfea7747debcc -Author: Damien Miller <djm@mindrot.org> -Date: Wed Nov 30 13:51:49 2016 +1100 - - factor out common PRNG reseed before privdrop - - Add a call to RAND_poll() to ensure than more than pid+time gets - stirred into child processes states. Prompted by analysis from Jann - Horn at Project Zero. ok dtucker@ - -commit 79e4829ec81dead1b30999e1626eca589319a47f -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Nov 25 03:02:01 2016 +0000 - - upstream commit - - Allow PuTTY interop tests to run unattended. bz#2639, - patch from cjwatson at debian.org. - - Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0 - -commit 504c3a9a1bf090f6b27260fc3e8ea7d984d163dc -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Nov 25 02:56:49 2016 +0000 - - upstream commit - - Reverse args to sshd-log-wrapper. Matches change in - portable, where it allows sshd do be optionally run under Valgrind. - - Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906 - -commit bd13017736ec2f8f9ca498fe109fb0035f322733 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Nov 25 02:49:18 2016 +0000 - - upstream commit - - Fix typo in trace message; from portable. 
- - Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a - -commit 7da751d8b007c7f3e814fd5737c2351440d78b4c -Author: tb@openbsd.org <tb@openbsd.org> -Date: Tue Nov 1 13:43:27 2016 +0000 - - upstream commit - - Clean up MALLOC_OPTIONS. For the unittests, move - MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc. - - ok otto - - Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12 - -commit 36f58e68221bced35e06d1cca8d97c48807a8b71 -Author: tb@openbsd.org <tb@openbsd.org> -Date: Mon Oct 31 23:45:08 2016 +0000 - - upstream commit - - Remove the obsolete A and P flags from MALLOC_OPTIONS. - - ok dtucker - - Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59 - -commit b0899ee26a6630883c0f2350098b6a35e647f512 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Tue Nov 29 03:54:50 2016 +0000 - - upstream commit - - Factor out code to disconnect from controlling terminal - into its own function. ok djm@ - - Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885 - -commit 54d022026aae4f53fa74cc636e4a032d9689b64d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 25 23:24:45 2016 +0000 - - upstream commit - - use sshbuf_allocate() to pre-allocate the buffer used for - loading keys. This avoids implicit realloc inside the buffer code, which - might theoretically leave fragments of the key on the heap. This doesn't - appear to happen in practice for normal sized keys, but was observed for - novelty oversize ones. 
- - Pointed out by Jann Horn of Project Zero; ok markus@ - - Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1 - -commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Nov 25 23:22:04 2016 +0000 - - upstream commit - - split allocation out of sshbuf_reserve() into a separate - sshbuf_allocate() function; ok markus@ - - Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2 - -commit f0ddedee460486fa0e32fefb2950548009e5026e -Author: markus@openbsd.org <markus@openbsd.org> -Date: Wed Nov 23 23:14:15 2016 +0000 - - upstream commit - - allow ClientAlive{Interval,CountMax} in Match; ok dtucker, - djm - - Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55 - -commit 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Nov 8 22:04:34 2016 +0000 - - upstream commit - - unbreak DenyUsers; reported by henning@ - - Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2 - -commit 010359b32659f455fddd2bd85fd7cc4d7a3b994a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Nov 6 05:46:37 2016 +0000 - - upstream commit - - Validate address ranges for AllowUser/DenyUsers at - configuration load time and refuse to accept bad ones. It was previously - possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and - these would always match. - - Thanks to Laurence Parry for a detailed bug report. ok markus (for - a previous diff version) - - Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb - -commit efb494e81d1317209256b38b49f4280897c61e69 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Oct 28 03:33:52 2016 +0000 - - upstream commit - - Improve pkcs11_add_provider() logging: demote some - excessively verbose error()s to debug()s, include PKCS#11 provider name and - slot in log messages where possible. 
bz#2610, based on patch from Jakub Jelen - - Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d - -commit 5ee3fb5affd7646f141749483205ade5fc54adaf -Author: Darren Tucker <dtucker@zip.com.au> -Date: Tue Nov 1 08:12:33 2016 +1100 - - Use ptrace(PT_DENY_ATTACH, ..) on OS X. - -commit 315d2a4e674d0b7115574645cb51f968420ebb34 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Oct 28 14:34:07 2016 +1100 - - Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL - - ok dtucker@ - -commit a9ff3950b8e80ff971b4d44bbce96df27aed28af -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 28 14:26:58 2016 +1100 - - Move OPENSSL_NO_RIPEMD160 to compat. - - Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the - ripemd160 MACs. - -commit bce58885160e5db2adda3054c3b81fe770f7285a -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 28 13:52:31 2016 +1100 - - Check if RIPEMD160 is disabled in OpenSSL. - -commit d924640d4c355d1b5eca1f4cc60146a9975dbbff -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 28 13:38:19 2016 +1100 - - Skip ssh1 specfic ciphers. - - cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try - to compile them when Protocol 1 is not enabled. - -commit 79d078e7a49caef746516d9710ec369ba45feab6 -Author: jsg@openbsd.org <jsg@openbsd.org> -Date: Tue Oct 25 04:08:13 2016 +0000 - - upstream commit - - Fix logic in add_local_forward() that inverted a test - when code was refactored out into bind_permitted(). This broke ssh port - forwarding for non-priv ports as a non root user. - - ok dtucker@ 'looks good' deraadt@ - - Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9 - -commit a903e315dee483e555c8a3a02c2946937f9b4e5d -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Oct 24 01:09:17 2016 +0000 - - upstream commit - - Remove dead breaks, found via opencoverage.net. 
ok - deraadt@ - - Upstream-ID: ad9cc655829d67fad219762810770787ba913069 - -commit b4e96b4c9bea4182846e4942ba2048e6d708ee54 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Wed Oct 26 08:43:25 2016 +1100 - - Use !=NULL instead of >0 for getdefaultproj. - - getdefaultproj() returns a pointer so test it for NULL inequality - instead of >0. Fixes compiler warning and is more correct. Patch from - David Binderman. - -commit 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Oct 23 22:04:05 2016 +0000 - - upstream commit - - Factor out "can bind to low ports" check into its own function. This will - make it easier for Portable to support platforms with permissions models - other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" - deraadt@. - - Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface - -commit 0b9ee623d57e5de7e83e66fd61a7ba9a5be98894 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Oct 19 23:21:56 2016 +0000 - - upstream commit - - When tearing down ControlMaster connecctions, don't - pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@. - - Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced - -commit 09e6a7d8354224933febc08ddcbc2010f542284e -Author: Darren Tucker <dtucker@zip.com.au> -Date: Mon Oct 24 09:06:18 2016 +1100 - - Wrap stdint.h include in ifdef. - -commit 08d9e9516e587b25127545c029e5464b2e7f2919 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 21 09:46:46 2016 +1100 - - Fix formatting. - -commit 461f50e7ab8751d3a55e9158c44c13031db7ba1d -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 21 06:55:58 2016 +1100 - - Update links to https. - - www.openssh.com now supports https and ftp.openbsd.org no longer - supports ftp. Make all links to these https. - -commit dd4e7212a6141f37742de97795e79db51e4427ad -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 21 06:48:46 2016 +1100 - - Update host key generation examples. 
- - Remove ssh1 host key generation, add ssh-keygen -A - -commit 6d49ae82634c67e9a4d4af882bee20b40bb8c639 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Fri Oct 21 05:22:55 2016 +1100 - - Update links. - - Make links to openssh.com HTTPS now that it's supported, point release - notes link to the HTML release notes page, and update a couple of other - links and bits of text. - -commit fe0d1ca6ace06376625084b004ee533f2c2ea9d6 -Author: Darren Tucker <dtucker@zip.com.au> -Date: Thu Oct 20 03:42:09 2016 +1100 - - Remote channels .orig and .rej files. - - These files were incorrectly added during an OpenBSD sync. |
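Review bot: the 2016 entries deleted from ChangeLog here are not only housekeeping, and the import message ("Vendor import of OpenSSH 8.0p1") does not mention that this history is being dropped. Several of the removed entries record security-relevant behaviour changes: fd6dcef2030d (refuse a certificate whose forced-command differs from the authorized keys/principals command= restriction), 010359b32659 (reject invalid CIDR ranges in AllowUser/DenyUsers at configuration load, which previously always matched), 786d5994da79 (whitelist of paths from which ssh-agent loads a PKCS#11 module) and 54d022026aae (pre-allocate the key-loading buffer with sshbuf_allocate() so that a realloc does not leave key fragments on the heap). I would add a sentence to the commit message saying that older ChangeLog entries fall out of the file with this import, so that anyone auditing when these behaviours landed knows to look them up by the upstream commit ids rather than in the imported ChangeLog.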