Commit Graph

9742 Commits

Author SHA1 Message Date
deraadt@openbsd.org
8142fcaf9e upstream: snprintf/vsnprintf return < 0 on error, rather than -1.
OpenBSD-Commit-ID: a261c421140a0639bb2b66bbceca72bf8239749d
2019-07-05 11:15:30 +10:00
deraadt@openbsd.org
4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
deraadt@openbsd.org
e8c974043c upstream: asprintf returns -1, not an arbitrary value < 0. Also
upon error the (very sloppy specification) leaves an undefined value in *ret,
so it is wrong to inspect it, the error condition is enough. discussed a
little with nicm, and then much more with millert until we were exasperated

OpenBSD-Commit-ID: 29258fa51edf8115d244b9d4b84028487bf8923e
2019-07-02 15:59:26 +10:00
deraadt@openbsd.org
1b2d55d15c upstream: oops, from asou
OpenBSD-Commit-ID: 702e765d1639b732370d8f003bb84a1c71c4d0c6
2019-06-28 12:53:02 +10:00
deraadt@openbsd.org
5cdbaa78fc upstream: Some asprintf() calls were checked < 0, rather than the
precise == -1. ok millert nicm tb, etc

OpenBSD-Commit-ID: caecf8f57938685c04f125515b9f2806ad408d53
2019-06-28 11:30:18 +10:00
djm@openbsd.org
b2e3e57be4 upstream: fix NULL deference (bzero) on err
=?UTF-8?q?or=20path=20added=20in=20last=20commit;=20spotted=20by=20Reynir?=
=?UTF-8?q?=20Bj=C3=B6rnsson?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ok deraadt@ markus@ tb@

OpenBSD-Commit-ID: b11b084bcc551b2c630560eb08618dd501027bbd
2019-06-28 11:30:18 +10:00
Jitendra Sharma
58ceacdcba Update README doc to include missing test cases
Readme regress document is missing various individual tests,
which are supported currently. Update README to
include those test cases.
2019-06-27 20:54:14 +10:00
dtucker@openbsd.org
7959330a55 upstream: Remove unneeded unlink of xauthfile o
=?UTF-8?q?n=20error=20path.=20=20From=20Erik=20Sj=C3=B6lund=20via=20githu?=
=?UTF-8?q?b,=20ok=20djm@=20deraadt@?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: 62a4893cf83b29a4bbfedc40e7067c25c203e632
2019-06-27 09:43:39 +10:00
djm@openbsd.org
8de52eb224 upstream: fix mismatch proto/decl from key shielding change; spotted
via oss-fuzz

OpenBSD-Commit-ID: 1ea0ba05ded2c5557507bd844cd446e5c8b5b3b7
2019-06-23 22:22:42 +10:00
djm@openbsd.org
1dfadb9b57 upstream: adapt for key shielding API changes (const removal)
OpenBSD-Regress-ID: 298890bc52f0cd09dba76dc1022fabe89bc0ded6
2019-06-21 14:24:44 +10:00
djm@openbsd.org
4f7a56d5e0 upstream: Add protection for private keys at rest in RAM against
speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer
and Rambleed. This change encrypts private keys when they are not in use with
a symmetic key that is derived from a relatively large "prekey" consisting of
random data (currently 16KB).

Attackers must recover the entire prekey with high accuracy before
they can attempt to decrypt the shielded private key, but the current
generation of attacks have bit error rates that, when applied
cumulatively to the entire prekey, make this unlikely.

Implementation-wise, keys are encrypted "shielded" when loaded and then
automatically and transparently unshielded when used for signatures or
when being saved/serialised.

Hopefully we can remove this in a few years time when computer
architecture has become less unsafe.

been in snaps for a bit already; thanks deraadt@

ok dtucker@ deraadt@

OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4
2019-06-21 14:24:35 +10:00
djm@openbsd.org
4cd6b12cc9 upstream: print the correct AuthorizedPrincipalsCommand rather than
an uninitialised variable; spotted by dtucker@

OpenBSD-Commit-ID: 02802018784250f68202f01c8561de82e17b0638
2019-06-21 13:21:13 +10:00
jmc@openbsd.org
5f68ab436b upstream: from tim: - for reput, it is remote-path which is
optional, not local-path - sync help

from deraadt:
- prefer -R and undocument -r (but add a comment for future editors)

from schwarze:
- prefer -p and undocument -P (as above. the comment was schwarze's too)

more:
- add the -f flag to reput and reget
- sort help (i can;t remember who suggested this originally)

djm and deraadt were ok with earlier versions of this;
tim and schwarze ok

OpenBSD-Commit-ID: 3c699b53b46111f5c57eed4533f132e7e58bacdd
2019-06-21 13:21:13 +10:00
djm@openbsd.org
99bcbbc77f upstream: check for convtime() refusing to accept times that
resolve to LONG_MAX Reported by Kirk Wolf bz2977; ok dtucker

OpenBSD-Regress-ID: 15c9fe87be1ec241d24707006a31123d3a3117e0
2019-06-19 12:21:40 +10:00
dtucker@openbsd.org
e5cccb2410 upstream: Add unit tests for user@host and URI parsing.
OpenBSD-Regress-ID: 69d5b6f278e04ed32377046f7692c714c2d07a68
2019-06-19 12:21:40 +10:00
dtucker@openbsd.org
0bb7e38834 upstream: Add tests for sshd -T -C with Match.
OpenBSD-Regress-ID: d4c34916fe20d717692f10ef50b5ae5a271c12c7
2019-06-19 12:21:23 +10:00
Darren Tucker
73eb6cef41 Include stdio.h for vsnprintf.
Patch from mforney at mforney.org.
2019-06-16 12:55:27 +10:00
Darren Tucker
adcaf40fd0 upstream rev 1.27: fix integer overflow.
Cast bitcount to u_in64_t before bit shifting to prevent integer overflow
on 32bit platforms which cause incorrect results when adding a block
>=512M in size.  sha1 patch from ante84 at gmail.com via openssh github,
sha2 with djm@, ok tedu@
2019-06-14 14:22:39 +10:00
Darren Tucker
7689048e61 upstream rev 1.25: add DEF_WEAK.
Wrap blowfish, sha*, md5, and rmd160 so that internal calls go direct
ok deraadt@
2019-06-14 14:22:39 +10:00
Darren Tucker
55f3153393 upstream rev 1.25: add sys/types.h 2019-06-14 14:22:39 +10:00
Darren Tucker
10974f986f upstream: Use explicit_bzero instead of memset
in hash Final and End functions.  OK deraadt@ djm@
2019-06-14 14:22:39 +10:00
djm@openbsd.org
cb8f56570f upstream: slightly more instructive error message when the user
specifies multiple -J options on the commandline. bz3015 ok dtucker@

OpenBSD-Commit-ID: 181c15a65cac3b575819bc8d9a56212c3c748179
2019-06-14 14:15:01 +10:00
djm@openbsd.org
2317ce4b0e upstream: process agent requests for RSA certificate private keys using
correct signature algorithm when requested. Patch from Jakub Jelen in bz3016
ok dtucker markus

OpenBSD-Commit-ID: 61f86efbeb4a1857a3e91298c1ccc6cf49b79624
2019-06-14 13:52:48 +10:00
djm@openbsd.org
c95b90d401 upstream: for public key authentication, check AuthorizedKeysFiles
files before consulting AuthorizedKeysCommand; ok dtucker markus

OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
2019-06-14 13:42:31 +10:00
djm@openbsd.org
a5a5391498 upstream: if passed a bad fd, log what it was
OpenBSD-Commit-ID: 582e2bd05854e49365195b58989b68ac67f09140
2019-06-14 13:42:31 +10:00
jmc@openbsd.org
7349149da1 upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
dtucker

OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14 13:01:28 +10:00
jmc@openbsd.org
76af9c5738 upstream: deraadt noticed some inconsistency in the way we denote
the "Hostname" and "X11UseLocalhost" keywords; this makes things consistent
(effectively reversing my commit of yesterday);

ok deraadt markus djm

OpenBSD-Commit-ID: 255c02adb29186ac91dcf47dfad7adb1b1e54667
2019-06-14 13:01:28 +10:00
jmc@openbsd.org
d1bbfdd932 upstream: consistent lettering for "HostName" keyword; from lauri
tirkkonen

OpenBSD-Commit-ID: 0c267a1257ed7482b13ef550837b6496e657d563
2019-06-14 13:01:27 +10:00
Darren Tucker
fc0340f7c4 Typo fixes in error messages.
Patch from knweiss at gmail.com via github pull req #97 (portable-
specific parts).
2019-06-08 00:51:18 +10:00
dtucker@openbsd.org
4b7dd22b02 upstream: Typo and spelling fixes in comments and error messages.
Patch from knweiss at gmail.com via -portable.

OpenBSD-Commit-ID: 2577465442f761a39703762c4f87a8dfcb918b4b
2019-06-08 00:49:26 +10:00
Darren Tucker
130ef0695e Include missed bits from previous sync. 2019-06-08 00:47:07 +10:00
dtucker@openbsd.org
25e3bccbaa upstream: Check for user@host when parsing sftp target. This
allows user@[1.2.3.4] to work without a path in addition to with one.
bz#2999, ok djm@

OpenBSD-Commit-ID: d989217110932490ba8ce92127a9a6838878928b
2019-06-08 00:25:42 +10:00
otto@openbsd.org
0323d9b619 upstream: Replace calls to ssh_malloc_init() by a static init of
malloc_options. Prepares for changes in the way malloc is initialized.  ok
guenther@ dtucker@

OpenBSD-Commit-ID: 154f4e3e174f614b09f792d4d06575e08de58a6b
2019-06-08 00:25:42 +10:00
djm@openbsd.org
c586d2d312 upstream: fix ssh-keysign fd handling problem introduced in r1.304
caused by a typo (STDIN_FILENO vs STDERR_FILENO)

OpenBSD-Commit-ID: 57a0b4be7bef23963afe24150e24bf014fdd9cb0
2019-06-08 00:20:01 +10:00
lum@openbsd.org
410b231aa4 upstream: Make the standard output messages of both methods of
changing a key pair's comments (using -c and -C) more applicable to both
methods. ok and suggestions djm@ dtucker@

OpenBSD-Commit-ID: b379338118109eb36e14a65bc0a12735205b3de6
2019-06-08 00:20:01 +10:00
Darren Tucker
2b3402dc9f Always clean up before and after utimensat test. 2019-06-08 00:03:07 +10:00
Darren Tucker
182898192d Update utimensat test.
POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW should
update the symlink and not the destination.  The compat code doesn't
have a way to do this, so where possible it fails instead of following a
symlink when explicitly asked not to. Instead of checking for an explicit
failure, check that it does not update the destination, which both the
real and compat implmentations should honour.

Inspired by github pull req #125 from chutzpah at gentoo.org.
2019-06-07 23:47:37 +10:00
Darren Tucker
d220b67520 Have pthread_create return errno on failure.
According to POSIX, pthread_create returns the failure reason in
the non-zero function return code so make the fork wrapper do that.
Matches previous change.
2019-06-07 14:26:54 +10:00
Elliott Hughes
1bd4f7f25f pthread_create(3) returns positive values on failure.
Found by inspection after finding similar bugs in other code used by
Android.
2019-06-07 14:16:21 +10:00
Harald Freudenberger
b3a77b25e5 allow s390 specific ioctl for ecc hardware support
Adding another s390 specific ioctl to be able to support ECC hardware
acceleration to the sandbox seccomp filter rules.

Now the ibmca openssl engine provides elliptic curve cryptography
support with the help of libica and CCA crypto cards. This is done via
jet another ioctl call to the zcrypt device driver and so there is a
need to enable this on the openssl sandbox.

Code is s390 specific and has been tested, verified and reviewed.

Please note that I am also the originator of the previous changes in
that area.  I posted these changes to Eduardo and he forwarded the
patches to the openssl community.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
2019-06-05 15:08:46 +10:00
Sorin Adrian Savu
2459df9aa1 openssl-devel is obsoleted by libssl-devel
openssl-devel is no longer installable via the cygwin setup and
it's hidden by default, so you can't see the replacement very easy.
2019-06-05 15:04:57 +10:00
jmc@openbsd.org
85ceb0e64b upstream: tweak previous;
OpenBSD-Commit-ID: 42f39f22f53cfcb913bce401ae0f1bb93e08dd6c
2019-05-21 10:04:43 +10:00
djm@openbsd.org
3061529560 upstream: embiggen format buffer size for certificate serial number so
that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior

OpenBSD-Commit-ID: a51f3013056d05b976e5af6b978dcb9e27bbc12b
2019-05-20 10:27:44 +10:00
djm@openbsd.org
476e3551b2 upstream: When signing certificates with an RSA key, default to
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.

Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.

ok deraadt@

OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
2019-05-20 10:21:58 +10:00
Darren Tucker
606077ee1e Add no-op implementation of pam_putenv.
Some platforms such as HP-UX do not have pam_putenv.  Currently the
calls are ifdef'ed out, but a new one was recently added.  Remove the
ifdefs and add a no-op implementation.  bz#3008, ok djm.
2019-05-17 13:14:12 +10:00
Darren Tucker
1ac98be872 Use the correct macro for SSH_ALLOWED_CA_SIGALGS. 2019-05-17 12:42:17 +10:00
Darren Tucker
97370f6c2c Fix building w/out ECC.
Ifdef out ECC specific code so that that it'll build against an OpenSSL
configured w/out ECC.  With & ok djm@
2019-05-17 10:54:51 +10:00
Darren Tucker
633703babf Conditionalize ECDH methods in CA algos.
When building against an OpenSSL configured without ECC, don't include
those algos in CASignatureAlgorithms.  ok djm@
2019-05-17 10:50:29 +10:00
dtucker@openbsd.org
5c8d14c512 upstream: Move a variable declaration to the block where it's used
to make things a little tidier for -portable.

OpenBSD-Commit-ID: 616379861be95619e5358768b7dee4793e2f3a75
2019-05-17 10:07:43 +10:00
deraadt@openbsd.org
a1d29cc36a upstream: When doing the fork+exec'ing for ssh-keysign, rearrange
the socket into fd3, so as to not mistakenly leak other fd forward
accidentally. ok djm

OpenBSD-Commit-ID: 24cc753f5aa2c6a7d0fbf62766adbc75cd785296
2019-05-17 10:07:43 +10:00