[src/trunk]: src/crypto/external/bsd/openssh Merge conflicts
details: https://anonhg.NetBSD.org/src/rev/10d99fcb2bd3
branches: trunk
changeset: 1016833:10d99fcb2bd3
user: christos <christos%NetBSD.org@localhost>
date: Fri Dec 04 18:42:49 2020 +0000
description:
Merge conflicts
diffstat:
crypto/external/bsd/openssh/dist/PROTOCOL | 8 +-
crypto/external/bsd/openssh/dist/PROTOCOL.agent | 4 +-
crypto/external/bsd/openssh/dist/auth-options.c | 24 +-
crypto/external/bsd/openssh/dist/auth-options.h | 6 +-
crypto/external/bsd/openssh/dist/auth.c | 13 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 22 +-
crypto/external/bsd/openssh/dist/authfd.c | 10 +-
crypto/external/bsd/openssh/dist/authfd.h | 8 +-
crypto/external/bsd/openssh/dist/authfile.c | 14 +-
crypto/external/bsd/openssh/dist/channels.c | 13 +-
crypto/external/bsd/openssh/dist/channels.h | 11 +-
crypto/external/bsd/openssh/dist/clientloop.c | 42 +-
crypto/external/bsd/openssh/dist/compat.c | 48 +-
crypto/external/bsd/openssh/dist/compat.h | 10 +-
crypto/external/bsd/openssh/dist/hostfile.c | 54 +-
crypto/external/bsd/openssh/dist/hostfile.h | 7 +-
crypto/external/bsd/openssh/dist/kex.c | 11 +-
crypto/external/bsd/openssh/dist/kexdh.c | 8 +-
crypto/external/bsd/openssh/dist/krl.c | 11 +-
crypto/external/bsd/openssh/dist/log.c | 14 +-
crypto/external/bsd/openssh/dist/match.c | 17 +-
crypto/external/bsd/openssh/dist/match.h | 8 +-
crypto/external/bsd/openssh/dist/misc.c | 266 +++++-
crypto/external/bsd/openssh/dist/misc.h | 14 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 | 164 ++--
crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 | 156 ++-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 | 150 ++-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 | 144 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 | 125 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 | 126 +-
crypto/external/bsd/openssh/dist/monitor.c | 26 +-
crypto/external/bsd/openssh/dist/monitor_wrap.c | 9 +-
crypto/external/bsd/openssh/dist/monitor_wrap.h | 7 +-
crypto/external/bsd/openssh/dist/msg.c | 8 +-
crypto/external/bsd/openssh/dist/mux.c | 19 +-
crypto/external/bsd/openssh/dist/packet.c | 16 +-
crypto/external/bsd/openssh/dist/readconf.c | 118 ++-
crypto/external/bsd/openssh/dist/readconf.h | 5 +-
crypto/external/bsd/openssh/dist/readpass.c | 54 +-
crypto/external/bsd/openssh/dist/scp.1 | 13 +-
crypto/external/bsd/openssh/dist/scp.c | 24 +-
crypto/external/bsd/openssh/dist/servconf.c | 80 +-
crypto/external/bsd/openssh/dist/servconf.h | 13 +-
crypto/external/bsd/openssh/dist/serverloop.c | 9 +-
crypto/external/bsd/openssh/dist/session.c | 44 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 9 +-
crypto/external/bsd/openssh/dist/sftp-server.8 | 24 +-
crypto/external/bsd/openssh/dist/sftp-server.c | 44 +-
crypto/external/bsd/openssh/dist/sftp.1 | 13 +-
crypto/external/bsd/openssh/dist/sftp.c | 16 +-
crypto/external/bsd/openssh/dist/sk-usbhid.c | 617 ++++++++++-----
crypto/external/bsd/openssh/dist/ssh-add.1 | 37 +-
crypto/external/bsd/openssh/dist/ssh-add.c | 97 +-
crypto/external/bsd/openssh/dist/ssh-agent.1 | 25 +-
crypto/external/bsd/openssh/dist/ssh-agent.c | 163 +++-
crypto/external/bsd/openssh/dist/ssh-ecdsa-sk.c | 156 +++-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 43 +-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 341 +++++---
crypto/external/bsd/openssh/dist/ssh-keyscan.c | 23 +-
crypto/external/bsd/openssh/dist/ssh-keysign.c | 9 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11.c | 10 +-
crypto/external/bsd/openssh/dist/ssh-sk-helper.c | 18 +-
crypto/external/bsd/openssh/dist/ssh-sk-helper/Makefile | 20 -
crypto/external/bsd/openssh/dist/ssh-sk.c | 52 +-
crypto/external/bsd/openssh/dist/ssh.1 | 25 +-
crypto/external/bsd/openssh/dist/ssh.c | 127 ++-
crypto/external/bsd/openssh/dist/ssh.h | 9 +-
crypto/external/bsd/openssh/dist/ssh_api.c | 19 +-
crypto/external/bsd/openssh/dist/ssh_config | 5 +-
crypto/external/bsd/openssh/dist/ssh_config.5 | 87 +-
crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c | 6 +-
crypto/external/bsd/openssh/dist/sshbuf-misc.c | 49 +-
crypto/external/bsd/openssh/dist/sshbuf.h | 9 +-
crypto/external/bsd/openssh/dist/sshconnect.c | 15 +-
crypto/external/bsd/openssh/dist/sshconnect2.c | 114 ++-
crypto/external/bsd/openssh/dist/sshd.8 | 13 +-
crypto/external/bsd/openssh/dist/sshd.c | 125 ++-
crypto/external/bsd/openssh/dist/sshd_config.5 | 27 +-
crypto/external/bsd/openssh/dist/sshkey.c | 31 +-
crypto/external/bsd/openssh/dist/sshkey.h | 13 +-
crypto/external/bsd/openssh/dist/sshsig.c | 21 +-
crypto/external/bsd/openssh/dist/version.h | 8 +-
crypto/external/bsd/openssh/lib/shlib_version | 4 +-
crypto/external/bsd/openssh/openssh2netbsd | 4 +-
84 files changed, 2835 insertions(+), 1546 deletions(-)
diffs (truncated from 8312 to 300 lines):
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/PROTOCOL
--- a/crypto/external/bsd/openssh/dist/PROTOCOL Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL Fri Dec 04 18:42:49 2020 +0000
@@ -140,7 +140,7 @@
NB. due to certain broken SSH implementations aborting upon receipt
of this message (in contravention of RFC4254 section 5.4), this
message is only sent to OpenSSH peers (identified by banner).
-Other SSH implementations may be whitelisted to receive this message
+Other SSH implementations may be listed to receive this message
upon request.
2.2. connection: disallow additional sessions extension
@@ -169,7 +169,7 @@
NB. due to certain broken SSH implementations aborting upon receipt
of this message, the no-more-sessions request is only sent to OpenSSH
servers (identified by banner). Other SSH implementations may be
-whitelisted to receive this message upon request.
+listed to receive this message upon request.
2.3. connection: Tunnel forward extension "tun%openssh.com@localhost"
@@ -496,5 +496,5 @@
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
-$OpenBSD: PROTOCOL,v 1.37 2020/02/21 00:04:43 dtucker Exp $
-$NetBSD: PROTOCOL,v 1.14 2020/05/28 17:05:49 christos Exp $
+$OpenBSD: PROTOCOL,v 1.38 2020/07/05 23:59:45 djm Exp $
+$NetBSD: PROTOCOL,v 1.15 2020/12/04 18:42:49 christos Exp $
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/PROTOCOL.agent
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.agent Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.agent Fri Dec 04 18:42:49 2020 +0000
@@ -1,4 +1,6 @@
-$NetBSD: PROTOCOL.agent,v 1.9 2017/10/07 19:39:19 christos Exp $
+$NetBSD: PROTOCOL.agent,v 1.10 2020/12/04 18:42:49 christos Exp $
This file used to contain a description of the SSH agent protocol
implemented by OpenSSH. It has since been superseded by
https://tools.ietf.org/html/draft-miller-ssh-agent-00
+
+$OpenBSD: PROTOCOL.agent,v 1.13 2020/08/31 00:17:41 djm Exp $
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/auth-options.c
--- a/crypto/external/bsd/openssh/dist/auth-options.c Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.c Fri Dec 04 18:42:49 2020 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-options.c,v 1.23 2020/05/28 17:05:49 christos Exp $ */
-/* $OpenBSD: auth-options.c,v 1.92 2020/03/06 18:15:38 markus Exp $ */
+/* $NetBSD: auth-options.c,v 1.24 2020/12/04 18:42:49 christos Exp $ */
+/* $OpenBSD: auth-options.c,v 1.93 2020/08/27 01:07:09 djm Exp $ */
/*
* Copyright (c) 2018 Damien Miller <djm%mindrot.org@localhost>
*
@@ -17,7 +17,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth-options.c,v 1.23 2020/05/28 17:05:49 christos Exp $");
+__RCSID("$NetBSD: auth-options.c,v 1.24 2020/12/04 18:42:49 christos Exp $");
#include <sys/types.h>
#include <sys/queue.h>
@@ -120,7 +120,10 @@
}
}
if (!found && (which & OPTIONS_CRITICAL) != 0) {
- if (strcmp(name, "force-command") == 0) {
+ if (strcmp(name, "verify-required") == 0) {
+ opts->require_verify = 1;
+ found = 1;
+ } else if (strcmp(name, "force-command") == 0) {
if ((r = sshbuf_get_cstring(data, &command,
NULL)) != 0) {
error("Unable to parse \"%s\" "
@@ -135,8 +138,7 @@
}
opts->force_command = command;
found = 1;
- }
- if (strcmp(name, "source-address") == 0) {
+ } else if (strcmp(name, "source-address") == 0) {
if ((r = sshbuf_get_cstring(data, &allowed,
NULL)) != 0) {
error("Unable to parse \"%s\" "
@@ -352,6 +354,8 @@
ret->permit_x11_forwarding_flag = r == 1;
} else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
ret->no_require_user_presence = r != 1; /* NB. flip */
+ } else if ((r = opt_flag("verify-required", 1, &opts)) != -1) {
+ ret->require_verify = r == 1;
} else if ((r = opt_flag("pty", 1, &opts)) != -1) {
ret->permit_pty_flag = r == 1;
} else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -573,6 +577,7 @@
}
#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
+#define OPTFLAG_OR(x) ret->x = (primary->x == 1) || (additional->x == 1)
/* Permissive flags are logical-AND (i.e. must be set in both) */
OPTFLAG_AND(permit_port_forwarding_flag);
OPTFLAG_AND(permit_agent_forwarding_flag);
@@ -580,6 +585,8 @@
OPTFLAG_AND(permit_pty_flag);
OPTFLAG_AND(permit_user_rc);
OPTFLAG_AND(no_require_user_presence);
+ /* Restrictive flags are logical-OR (i.e. must be set in either) */
+ OPTFLAG_OR(require_verify);
#undef OPTFLAG_AND
/* Earliest expiry time should win */
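Review bot: `OPTFLAG_OR` is introduced next to `OPTFLAG_AND` in the preceding hunk (`#define OPTFLAG_OR(x) ret->x = (primary->x == 1) || (additional->x == 1)`), but only `#undef OPTFLAG_AND` follows here, so the new helper macro stays defined for the rest of the translation unit. Add `#undef OPTFLAG_OR` directly after `#undef OPTFLAG_AND` so the two macros stay paired and scoped to this merge. The OR merge itself is the right direction for a restrictive flag: a key that either the primary or the additional option set marks `require_verify` keeps the requirement after merging. The enclosing merge function starts and ends outside the hunk.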
@@ -650,6 +657,7 @@
OPTSCALAR(force_tun_device);
OPTSCALAR(valid_before);
OPTSCALAR(no_require_user_presence);
+ OPTSCALAR(require_verify);
#undef OPTSCALAR
#define OPTSTRING(x) \
do { \
@@ -782,7 +790,8 @@
(r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
(r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
(r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
- (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
+ (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->require_verify)) != 0)
return r;
/* Simple integer options */
@@ -845,6 +854,7 @@
OPT_FLAG(restricted);
OPT_FLAG(cert_authority);
OPT_FLAG(no_require_user_presence);
+ OPT_FLAG(require_verify);
#undef OPT_FLAG
/* Simple integer options */
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/auth-options.h
--- a/crypto/external/bsd/openssh/dist/auth-options.h Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.h Fri Dec 04 18:42:49 2020 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-options.h,v 1.13 2020/02/27 00:24:40 christos Exp $ */
-/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */
+/* $NetBSD: auth-options.h,v 1.14 2020/12/04 18:42:49 christos Exp $ */
+/* $OpenBSD: auth-options.h,v 1.30 2020/08/27 01:07:09 djm Exp $ */
/*
* Copyright (c) 2018 Damien Miller <djm%mindrot.org@localhost>
@@ -72,6 +72,8 @@
/* Key requires user presence asserted */
int no_require_user_presence;
+ /* Key requires user verification (e.g. PIN) */
+ int require_verify;
};
struct sshauthopt *sshauthopt_new(void);
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/auth.c
--- a/crypto/external/bsd/openssh/dist/auth.c Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/auth.c Fri Dec 04 18:42:49 2020 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth.c,v 1.27 2020/02/27 00:24:40 christos Exp $ */
-/* $OpenBSD: auth.c,v 1.146 2020/01/31 22:42:45 djm Exp $ */
+/* $NetBSD: auth.c,v 1.28 2020/12/04 18:42:49 christos Exp $ */
+/* $OpenBSD: auth.c,v 1.147 2020/08/27 01:07:09 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth.c,v 1.27 2020/02/27 00:24:40 christos Exp $");
+__RCSID("$NetBSD: auth.c,v 1.28 2020/12/04 18:42:49 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@@ -1029,21 +1029,22 @@
snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
/* Try to keep this alphabetically sorted */
- snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+ snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
opts->force_command == NULL ? "" : " command",
do_env ? " environment" : "",
opts->valid_before == 0 ? "" : "expires",
+ opts->no_require_user_presence ? " no-touch-required" : "",
do_permitopen ? " permitopen" : "",
do_permitlisten ? " permitlisten" : "",
opts->permit_port_forwarding_flag ? " port-forwarding" : "",
opts->cert_principals == NULL ? "" : " principals",
opts->permit_pty_flag ? " pty" : "",
+ opts->require_verify ? " uv" : "",
opts->force_tun_device == -1 ? "" : " tun=",
opts->force_tun_device == -1 ? "" : buf,
opts->permit_user_rc ? " user-rc" : "",
- opts->permit_x11_forwarding_flag ? " x11-forwarding" : "",
- opts->no_require_user_presence ? " no-touch-required" : "");
+ opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
debug("%s: %s", loc, msg);
if (do_remote)
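Review bot: The new `opts->require_verify ? " uv" : ""` entry is inserted between `pty` and `tun=` although the comment above the format string asks for alphabetical order, and the token `uv` does not match the option name the parser accepts (`verify-required` in auth-options.c), which makes the debug line harder to correlate with the key option that produced it; `opts->require_verify ? " verify-required" : "",` placed after the `user-rc` entry would satisfy both. Separately, the retained `opts->valid_before == 0 ? "" : "expires"` entry lacks the leading space every other token carries, so it is glued to the preceding token in the log output; `" expires"` fixes it. The fifteen `%s` conversions in the new format string do match the fifteen arguments, so the argument count is consistent. The enclosing function continues outside the hunk.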
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/auth2-pubkey.c
--- a/crypto/external/bsd/openssh/dist/auth2-pubkey.c Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/auth2-pubkey.c Fri Dec 04 18:42:49 2020 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth2-pubkey.c,v 1.25 2020/02/27 00:24:40 christos Exp $ */
-/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */
+/* $NetBSD: auth2-pubkey.c,v 1.26 2020/12/04 18:42:49 christos Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.100 2020/08/27 01:07:09 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth2-pubkey.c,v 1.25 2020/02/27 00:24:40 christos Exp $");
+__RCSID("$NetBSD: auth2-pubkey.c,v 1.26 2020/12/04 18:42:49 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@@ -102,7 +102,7 @@
u_char *pkblob = NULL, *sig = NULL, have_sig;
size_t blen, slen;
int r, pktype;
- int req_presence = 0, authenticated = 0;
+ int req_presence = 0, req_verify = 0, authenticated = 0;
struct sshauthopt *authopts = NULL;
struct sshkey_sig_details *sig_details = NULL;
@@ -244,6 +244,20 @@
authenticated = 0;
goto done;
}
+ req_verify = (options.pubkey_auth_options &
+ PUBKEYAUTH_VERIFY_REQUIRED) ||
+ authopts->require_verify;
+ if (req_verify && (sig_details->sk_flags &
+ SSH_SK_USER_VERIFICATION_REQD) == 0) {
+ error("public key %s signature for %s%s from "
+ "%.128s port %d rejected: user "
+ "verification requirement not met ", key_s,
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user, ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh));
+ authenticated = 0;
+ goto done;
+ }
}
auth2_record_key(authctxt, authenticated, key);
} else {
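Review bot: The new rejection message ends with a stray space before the closing quote, `"verification requirement not met ", key_s,`; it should read `"verification requirement not met", key_s,` so the logged line is clean and matches the style of the other rejection messages. The check itself fails closed in the right way: `req_verify` is the OR of the server-wide `PUBKEYAUTH_VERIFY_REQUIRED` option and the per-key `require_verify` flag, and a signature without `SSH_SK_USER_VERIFICATION_REQD` clears `authenticated` and jumps to `done`. `sig_details->sk_flags` is dereferenced without a guard inside the hunk; this presumably sits inside an existing non-NULL check on `sig_details` earlier in the function, but that block's start lies outside the hunk and should be confirmed. The enclosing function continues outside the hunk on both sides.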
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/authfd.c
--- a/crypto/external/bsd/openssh/dist/authfd.c Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/authfd.c Fri Dec 04 18:42:49 2020 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: authfd.c,v 1.21 2020/05/28 17:05:49 christos Exp $ */
-/* $OpenBSD: authfd.c,v 1.123 2020/03/06 18:24:39 markus Exp $ */
+/* $NetBSD: authfd.c,v 1.22 2020/12/04 18:42:49 christos Exp $ */
+/* $OpenBSD: authfd.c,v 1.124 2020/06/26 05:03:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -37,7 +37,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: authfd.c,v 1.21 2020/05/28 17:05:49 christos Exp $");
+__RCSID("$NetBSD: authfd.c,v 1.22 2020/12/04 18:42:49 christos Exp $");
#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>
@@ -337,7 +337,7 @@
* Returns 0 if found, or a negative SSH_ERR_* error code on failure.
*/
int
-ssh_agent_has_key(int sock, struct sshkey *key)
+ssh_agent_has_key(int sock, const struct sshkey *key)
{
int r, ret = SSH_ERR_KEY_NOT_FOUND;
size_t i;
@@ -535,7 +535,7 @@
* This call is intended only for use by ssh-add(1) and like applications.
*/
int
-ssh_remove_identity(int sock, struct sshkey *key)
+ssh_remove_identity(int sock, const struct sshkey *key)
{
struct sshbuf *msg;
int r;
diff -r 7cb9ddbe1b83 -r 10d99fcb2bd3 crypto/external/bsd/openssh/dist/authfd.h
--- a/crypto/external/bsd/openssh/dist/authfd.h Fri Dec 04 18:40:04 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/authfd.h Fri Dec 04 18:42:49 2020 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: authfd.h,v 1.14 2020/02/27 00:24:40 christos Exp $ */
-/* $OpenBSD: authfd.h,v 1.48 2019/12/21 02:19:13 djm Exp $ */
+/* $NetBSD: authfd.h,v 1.15 2020/12/04 18:42:50 christos Exp $ */
+/* $OpenBSD: authfd.h,v 1.49 2020/06/26 05:03:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -34,8 +34,8 @@