| author | Ed Maste <emaste@FreeBSD.org> | 2026-03-10 18:04:03 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2026-03-10 18:04:03 +0000 |
| commit | 17ecafb37c65632e1e2f6afb7049332f544b75a0 (patch) | |
| tree | c91beec59da56218afced35b14087d362b5bba8e | |
| parent | 6409980cbba7323bd1c86249ed16f8bea9fa5490 (diff) | |
| -rw-r--r-- | .depend | 2 | ||||
| -rw-r--r-- | .github/ci-status.md | 5 | ||||
| -rwxr-xr-x | .github/run_test.sh | 1 | ||||
| -rw-r--r-- | ChangeLog | 183 | ||||
| -rw-r--r-- | Makefile.in | 2 | ||||
| -rw-r--r-- | README | 2 | ||||
| -rw-r--r-- | auth-pam.c | 2 | ||||
| -rw-r--r-- | channels.c | 9 | ||||
| -rw-r--r-- | channels.h | 3 | ||||
| -rw-r--r-- | config.h.in | 3 | ||||
| -rwxr-xr-x | configure | 8 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | contrib/redhat/openssh.spec | 2 | ||||
| -rw-r--r-- | contrib/suse/openssh.spec | 2 | ||||
| -rw-r--r-- | includes.h | 3 | ||||
| -rw-r--r-- | openbsd-compat/arc4random.h | 4 | ||||
| -rw-r--r-- | openbsd-compat/bsd-misc.c | 24 | ||||
| -rw-r--r-- | openbsd-compat/bsd-misc.h | 8 | ||||
| -rw-r--r-- | regress/test-exec.sh | 12 | ||||
| -rw-r--r-- | ssh-pkcs11-helper.c | 16 | ||||
| -rw-r--r-- | ssh-pkcs11.c | 31 | ||||
| -rw-r--r-- | sshkey.c | 8 | ||||
| -rw-r--r-- | version.h | 4 |
23 files changed, 257 insertions, 79 deletions
@@ -140,7 +140,7 @@ ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h ssh-pkcs11-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h pathnames.h xmalloc.h sshbuf.h log.h ssherr.h misc.h sshkey.h authfd.h atomicio.h ssh-pkcs11.h ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h 
openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h log.h ssherr.h misc.h sshkey.h authfd.h ssh-pkcs11.h -ssh-pkcs11.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sshkey.h +ssh-pkcs11.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h 
openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sshkey.h ssh-pkcs11.h ssh-rsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh-sk-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h 
log.h ssherr.h sshbuf.h sshkey.h msg.h digest.h pathnames.h ssh-sk.h misc.h ssh-sk-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h sshkey.h authfd.h misc.h sshbuf.h msg.h uidswap.h ssh-sk.h ssh-pkcs11.h diff --git a/.github/ci-status.md b/.github/ci-status.md index 5b1f77f2369c..82ea40a840b4 100644 --- a/.github/ci-status.md +++ b/.github/ci-status.md @@ -8,6 +8,11 @@ master : [](https://scan.coverity.com/projects/openssh-portable) <br> +10.1 : +[](../../../actions/workflows/c-cpp.yml?query=branch:V_10_1) +[](../../../actions/workflows/vm.yml?query=branch:V_10_1) +[](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_1) + 10.0 : [](../../../actions/workflows/c-cpp.yml?query=branch:V_10_0) [](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_10_0) diff --git a/.github/run_test.sh b/.github/run_test.sh index aac9ce57942e..33c90ac291c2 100755 --- a/.github/run_test.sh +++ b/.github/run_test.sh 
@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
 hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
 echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
 $SUDO mkdir -p $sshconf
- $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
 $SUDO make install
 for key in $sshconf/ssh_host*key*.pub; do
 echo `hostname` `cat $key` | \
diff --git a/ChangeLog b/ChangeLog
index e690f70726a2..83b4cece2f34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,149 @@ +commit 2d8a388de215d9959d72bb11f03e07a6eb2e4614 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Oct 10 13:37:07 2025 +1100 + + depend + +commit 1d2676f4ffae35e2db37a35c385efaf2932cd639 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Oct 9 14:53:04 2025 +1100 + + update versions + +commit ecd65a492bd0ed3a44a1c07428107b2e148bfee4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 8 00:32:52 2025 +0000 + + upstream: openssh-10.2 + + The only change since 10.1 is the channels.c fix + + OpenBSD-Commit-ID: 5eebeb0db14c694efd4ee96b5f16112e3e5d5ba9 + +commit ea9af2921cb6af8e65341531db3a7351917f0a92 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Oct 8 21:02:16 2025 +0000 + + upstream: fix crash at exit (visible via ssh-keygen -D) when + + multiple keys loaded. ok markus deraadt dtucker + + OpenBSD-Commit-ID: baa9763ec69d162108dafd962792ec5610ff45c9 + +commit e49013576074ccd2d7ae75fb824170c739ce97a1 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Oct 9 10:07:40 2025 +1100 + + link ssh-keygen directly against ssh-pkcs11.c + + Matches what OpenBSD does and fixes ssh-keygen regression in + certifying keys using a CA key hosted via ssh-agent (bz3877) + +commit 684f2ceff8c0eeb775e8653cf32609f8fbfe07b1 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Oct 9 13:10:27 2025 +1100 + + some fixes to p11_setup + + 1. Use the ssh-keygen under test and not the one in $PATH + 2. Include a test PKCS#11 operation to ensure that the P11 stack is + working correctly. + + Previously, it was possible for p11_setup to return success on + configurations with PKCS#11 support disabled. 
+ +commit af17ae64a5cfee42334883d2802f40f779131740 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Oct 9 13:12:15 2025 +1100 + + complete PKCS#11 stubs and move to ssh-pkcs11.c + + Should unbreak --disable-pkcs11 builds + +commit bcf7c05a473f92a35f4f3b561fd7a1e339e0a30f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Oct 8 11:26:52 2025 +1100 + + Fix header name and move return outside of ifdef. + + Fixes from Mike Frysinger via Github PR#597. + +commit b937061fe4922caced7b91442b3233c0bd763492 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Oct 7 21:10:33 2025 +1100 + + Check HAVE_MMAP too now that configure sets it. + +commit 8d57083c062f03098c9f767ec8d6278dc549a2f6 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Oct 7 21:07:05 2025 +1100 + + Use calloc for sshkeys if mmap is not supported. + + Based on Github PR#597 from Mike Frysinger, any bugs added by me. + +commit c97b931bffa481c72ff4bfddd9d59a2110899289 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Oct 7 20:25:07 2025 +1100 + + Add fcntl.h to includes. + + From FreeBSD via bz#3874: "This was previously included due to nested + includes in Heimdal's headers. Without this, the build fails with an + error due to redefining AT_FDCWD." + +commit 8aa13832315e52c4404c993a59c6139b44ac6114 +Author: Daan De Meyer <daan.j.demeyer@gmail.com> +Date: Mon Mar 20 20:22:14 2023 +0100 + + Only set PAM_RHOST if the remote host is not "UNKNOWN" + + When using sshd's -i option with stdio that is not a AF_INET/AF_INET6 + socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then + set as the value of PAM_RHOST, causing pam to try to do a reverse DNS + query of "UNKNOWN", which times out multiple times, causing a + substantial slowdown when logging in. + + To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN". 
+ +commit 0bd6649ea80ead0cd6404dbc25b64937421b556e +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Oct 7 20:10:56 2025 +1100 + + Don't copy native host keys for hostbased test. + + Some github runners (notably macos-14) seem to have host keys where + public and private do not match, so generate our own keys for testing + purposes. + +commit 33b63718d40ccc555b8c7a24331a3790b2efc6c5 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Oct 7 20:10:07 2025 +1100 + + Add 10.1 branch to ci-status page. + +commit 52411f15353257e9ec883fc044b7a56b6fca242d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Oct 7 20:04:40 2025 +1100 + + Add clock_gettime compat shim. + + This fixes the build on macOS prior to 10.12 Sierra, since it does not + have it. Found and tested by Sevan Janiyan. + +commit beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Oct 7 08:02:32 2025 +0000 + + upstream: don't reuse c->isatty for signalling that the remote channel + + has a tty attached as this causes side effects, e.g. in channel_handle_rfd(). + bz3872 + + ok markus@ + + OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8 + commit 476bab6259d5a6ea0402ec79bc47ed61e2c15e86 Author: Damien Miller <djm@mindrot.org> Date: Mon Oct 6 12:52:25 2025 +1100 
@@ -9292,40 +9438,3 @@ Date: Tue Oct 10 03:57:45 2023 +0000 OpenSSH promises not to use (comment change only) OpenBSD-Commit-ID: e61795b453d4892d2c99ce1039112c4a00250e03 - -commit 90b0d73d63a706e85f6431f05a62d2ce1b476472 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Oct 6 03:32:15 2023 +0000 - - upstream: typo in error message - - OpenBSD-Regress-ID: 6a8edf0dc39941298e3780b147b10c0a600b4fee - -commit e84517f51532ec913d8fb01a8aab7307134774bb -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Oct 6 03:25:14 2023 +0000 - - upstream: Perform the softhsm2 setup as discrete steps rather than - - as a long shell pipeline. Makes it easier to figure out what has happened - when it breaks. - - OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c - -commit cb54becff4d776238e0e9072943ba0872260535d -Author: claudio@openbsd.org <claudio@openbsd.org> -Date: Sun Sep 24 08:14:13 2023 +0000 - - upstream: REGRESS_FAIL_EARLY defaults to yes now. So no need to - - overload the value here anymore. OK tb@ bluhm@ - - OpenBSD-Regress-ID: f063330f1bebbcd373100afccebc91a965b14496 - -commit f01f5137ceba65baf34ceac5a298c12ac01b1fef -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Wed Oct 4 05:42:10 2023 +0000 - - upstream: spelling fix; - - OpenBSD-Commit-ID: 493f95121567e5ab0d9dd1150f873b5535ca0195 diff --git a/Makefile.in b/Makefile.in index 760fbaa5b997..ba17a79f0d3d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -158,7 +158,7 @@ SSHADD_OBJS= ssh-add.o $(P11OBJS) $(SKOBJS) SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS) -SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS) +SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS) SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS) @@ -1,4 +1,4 @@ -See https://www.openssh.com/releasenotes.html#10.1p1 for the release +See https://www.openssh.com/releasenotes.html#10.2p1 for the release notes. Please read https://www.openssh.com/report.html for bug reporting 
diff --git a/auth-pam.c b/auth-pam.c
index 5dee7601bf4b..5591f094ece3 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -758,7 +758,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 sshpam_laddr = get_local_ipaddr(
 ssh_packet_get_connection_in(ssh));
 }
- if (sshpam_rhost != NULL) {
+ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
 debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
 sshpam_rhost);
diff --git a/channels.c b/channels.c
index f1d7bcf345b1..80014ff341fa 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c)
 {
 struct ssh_channels *sc = ssh->chanctxt;
 const char *type = c->xctype == NULL ? c->ctype : c->xctype;
- const char *classifier = c->isatty ?
+ const char *classifier = (c->isatty || c->remote_has_tty) ?
 sc->bulk_classifier_tty : sc->bulk_classifier_notty;
 
 c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1;
@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
 void
 channel_set_tty(struct ssh *ssh, Channel *c)
 {
- c->isatty = 1;
+ c->remote_has_tty = 1;
 channel_classify(ssh, c);
 }
 
@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c)
 c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
 c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id,
 c->io_want, c->io_ready,
- c->isatty ? "T" : "", c->bulk ? "B" : "I");
+ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""),
+ c->bulk ? "B" : "I");
 return ret;
 }
 
diff --git a/channels.h b/channels.h
index df7c7f364d22..7456541f8ce3 100644
--- a/channels.h
+++ b/channels.h
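Review bot: The new strcmp against the literal "UNKNOWN" in sshpam_init hard-codes a sentinel that is produced elsewhere (auth_get_canonical_hostname(), according to the ChangeLog entry on this page) without a comment explaining the coupling, so a later change to that placeholder would silently bring back the slow reverse lookup the commit is avoiding. Suggest a comment above the condition: `/* "UNKNOWN" is auth_get_canonical_hostname()'s placeholder for a peer that is not a socket (e.g. sshd -i); passing it as PAM_RHOST makes modules reverse-resolve the literal string, so leave PAM_RHOST unset instead. */`. PAM modules that match on PAM_RHOST will now see it unset rather than a string in that case; confirm that is acceptable for configurations that previously relied on it being present. sshpam_init begins and ends outside the hunk.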
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -145,6 +145,7 @@ struct Channel { int ctl_chan; /* control channel (multiplexed connections) */ uint32_t ctl_child_id; /* child session for mux controllers */ int have_ctl_child_id;/* non-zero if ctl_child_id is valid */ + int remote_has_tty; /* remote side has a tty */ int isatty; /* rfd is a tty */ #ifdef _AIX int wfd_isatty; /* wfd is a tty */ diff --git a/config.h.in b/config.h.in index 348bb306ae2b..eeb1466ffd8b 100644 --- a/config.h.in +++ b/config.h.in @@ -994,6 +994,9 @@ /* Define to 1 if you have the `mkdtemp' function. */ #undef HAVE_MKDTEMP +/* Define to 1 if you have the `mmap' function. */ +#undef HAVE_MMAP + /* define if you have mode_t data type */ #undef HAVE_MODE_T diff --git a/configure b/configure index 74539c8e4ee6..652d7e137570 100755 --- a/configure +++ b/configure @@ -11442,7 +11442,7 @@ fi # the equivalent file. This avoids having to wrap those includes in # '#ifdef HAVE_FOO_H'. If we create any such headers, add the path to includes. COMPATINCLUDES="" - for ac_header in endian.h ifaddrs.h libgen.h paths.h netgroup.h nlist.h poll.h stdint.h sys/stat.h sys/time.h sys/un.h time.h util.h + for ac_header in endian.h ifaddrs.h libgen.h paths.h netgroup.h nlist.h poll.h stdint.h sys/mman.h sys/stat.h sys/time.h sys/un.h time.h util.h do : as_ac_Header=`printf "%s\n" "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @@ -16793,6 +16793,12 @@ then : printf "%s\n" "#define HAVE_MKDTEMP 1" >>confdefs.h fi +ac_fn_c_check_func "$LINENO" "mmap" "ac_cv_func_mmap" +if test "x$ac_cv_func_mmap" = xyes +then : + printf "%s\n" "#define HAVE_MMAP 1" >>confdefs.h + +fi ac_fn_c_check_func "$LINENO" "ngetaddrinfo" "ac_cv_func_ngetaddrinfo" if test "x$ac_cv_func_ngetaddrinfo" = xyes then : 
diff --git a/configure.ac b/configure.ac index 3eb6d4697f98..db5211013f43 100644 --- a/configure.ac +++ b/configure.ac @@ -536,6 +536,7 @@ AC_CHECK_HEADERS([ \ nlist.h \ poll.h \ stdint.h \ + sys/mman.h \ sys/stat.h \ sys/time.h \ sys/un.h \ @@ -2103,6 +2104,7 @@ AC_CHECK_FUNCS([ \ memmove \ memset_s \ mkdtemp \ + mmap \ ngetaddrinfo \ nlist \ nsleep \ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index a8fe2ecd0620..9a84728556de 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%global ver 10.1p1 +%global ver 10.2p1 %global rel 1%{?dist} # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 63ea57064d10..46514234dedb 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 10.1p1 +Version: 10.2p1 URL: https://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/includes.h b/includes.h index 8f933568d337..96cddbc26089 100644 --- a/includes.h +++ b/includes.h @@ -34,6 +34,9 @@ #ifdef HAVE_ENDIAN_H # include <endian.h> #endif +#ifdef HAVE_FCNTL_H +# include <fcntl.h> +#endif #ifdef HAVE_TTYENT_H # include <ttyent.h> #endif diff --git a/openbsd-compat/arc4random.h b/openbsd-compat/arc4random.h index af2d5c172a28..8f6842874b29 100644 --- a/openbsd-compat/arc4random.h +++ b/openbsd-compat/arc4random.h @@ -65,7 +65,7 @@ _rs_forkdetect(void) static inline int _rs_allocate(struct _rs **rsp, struct _rsx **rsxp) { -#if defined(MAP_ANON) && defined(MAP_PRIVATE) +#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE) if ((*rsp = mmap(NULL, sizeof(**rsp), PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) return (-1); 
@@ -84,7 +84,7 @@ _rs_allocate(struct _rs **rsp, struct _rsx **rsxp)
 *rsp = NULL;
 return (-1);
 }
-#endif
+#endif /* HAVE_MMAP et al */
 
 _ARC4_ATFORK(_rs_forkhandler);
 return (0);
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 983cd3fe6216..2c196ec23eee 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -494,6 +494,30 @@ localtime_r(const time_t *timep, struct tm *result)
 }
 #endif
 
+#ifndef HAVE_CLOCK_GETTIME
+int
+clock_gettime(clockid_t clockid, struct timespec *ts)
+{
+ struct timeval tv;
+
+ if (clockid != CLOCK_REALTIME) {
+ errno = ENOSYS;
+ return -1;
+ }
+ if (ts == NULL) {
+ errno = EFAULT;
+ return -1;
+ }
+
+ if (gettimeofday(&tv, NULL) == -1)
+ return -1;
+
+ ts->tv_sec = tv.tv_sec;
+ ts->tv_nsec = (long)tv.tv_usec * 1000;
+ return 0;
+}
+#endif
+
 #ifdef ASAN_OPTIONS
 const char *__asan_default_options(void) {
 return ASAN_OPTIONS;
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index 2ad89cd83b59..8495f471c285 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -202,6 +202,14 @@ int flock(int, int);
 struct tm *localtime_r(const time_t *, struct tm *);
 #endif
 
+#ifndef HAVE_CLOCK_GETTIME
+typedef int clockid_t;
+#ifndef CLOCK_REALTIME
+# define CLOCK_REALTIME 0
+#endif
+int clock_gettime(clockid_t, struct timespec *);
+#endif
+
 #ifndef HAVE_REALPATH
 #define realpath(x, y) (sftp_realpath((x), (y)))
 #endif
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index c5270042e6a9..34fb58fda0f8 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -964,7 +964,7 @@ EOF
 softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
 --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
 chmod 600 $RSA
- ssh-keygen -y -f $RSA > ${RSA}.pub
+ ${SSHKEYGEN} -y -f $RSA > ${RSA}.pub
 # ECDSA key
 ECPARAM=${SSH_SOFTHSM_DIR}/ECPARAM
 EC=${SSH_SOFTHSM_DIR}/EC
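Review bot: The compat clock_gettime() added to bsd-misc.c accepts only CLOCK_REALTIME and is backed by gettimeofday(), so it returns wall-clock time that can step backwards, and any other clock id fails with ENOSYS; neither the definition nor the companion declaration in the bsd-misc.h hunk on this same line says so. Suggest a comment above the function: `/* gettimeofday()-backed fallback: CLOCK_REALTIME only and not monotonic, so timeouts derived from it may observe time going backwards. */`. Confirm that the tree's CLOCK_MONOTONIC users select that clock only when the macro is defined, because the header defines CLOCK_REALTIME but no CLOCK_MONOTONIC and a caller hard-wiring it would get -1 from this shim. The `typedef int clockid_t;` in bsd-misc.h is guarded solely by HAVE_CLOCK_GETTIME, so a platform that declares clockid_t as a type other than int while lacking clock_gettime would fail to compile; a dedicated configure type check would be the safer guard.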
@@ -978,7 +978,7 @@ EOF
 softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
 --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
 chmod 600 $EC
- ssh-keygen -y -f $EC > ${EC}.pub
+ ${SSHKEYGEN} -y -f $EC > ${EC}.pub
 # Ed25519 key
 ED25519=${SSH_SOFTHSM_DIR}/ED25519
 ED25519P8=${SSH_SOFTHSM_DIR}/ED25519P8
@@ -990,7 +990,7 @@ EOF
 --import $ED25519P8 >/dev/null || \
 fatal "softhsm import ed25519 fail"
 chmod 600 $ED25519
- ssh-keygen -y -f $ED25519 > ${ED25519}.pub
+ ${SSHKEYGEN} -y -f $ED25519 > ${ED25519}.pub
 # Prepare askpass script to load PIN.
 PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
 cat > $PIN_SH << EOF
@@ -999,7 +999,11 @@ echo "${TEST_SSH_PIN}"
 EOF
 chmod 0700 "$PIN_SH"
 PKCS11_OK=yes
- return 0
+ if env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force \
+ ${SSHKEYGEN} -D ${TEST_SSH_PKCS11} >/dev/null 2>&1 ; then
+ return 0
+ fi
+ return 1
 }
 
 # Peforms ssh-add with the right token PIN.
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index 7ed4bdb76841..aeb5b7a8a924 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -310,22 +310,6 @@ main(int argc, char **argv)
 }
 }
 #else /* ENABLE_PKCS11 */
-/* stubs */
-int
-pkcs11_sign(struct sshkey *key,
- u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen,
- const char *alg, const char *sk_provider,
- const char *sk_pin, u_int compat)
-{
- return SSH_ERR_INTERNAL_ERROR;
-}
-
-void
-pkcs11_key_free(struct sshkey *key)
-{
-}
-
 int
 main(int argc, char **argv)
 {
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 0a94fcd97adb..c8817947395a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.72 2025/10/03 00:08:02 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.73 2025/10/08 21:02:16 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl. All rights reserved.
  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
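Review bot: In the p11_setup hunk `PKCS11_OK=yes` is still assigned before the new `${SSHKEYGEN} -D` probe runs, so a failing probe returns 1 yet leaves the variable at "yes"; if any caller checks PKCS11_OK rather than the return status (none is visible here), it would proceed as though the token works, which is precisely the case the probe was added to catch. Move the assignment into the success branch so the two signals cannot disagree: `... >/dev/null 2>&1 ; then` / `PKCS11_OK=yes` / `return 0`. The probe also throws away stderr, so in the test log a misconfigured softhsm is indistinguishable from a build without PKCS#11; sending that output to the test log, or printing it on failure, would make the skip reason visible. p11_setup begins before this hunk.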
@@ -2029,8 +2029,10 @@ pkcs11_terminate(void)
 
 debug3_f("called");
 
- while ((k11 = TAILQ_FIRST(&pkcs11_keys)) != NULL)
+ while ((k11 = TAILQ_FIRST(&pkcs11_keys)) != NULL) {
+ TAILQ_REMOVE(&pkcs11_keys, k11, next);
 pkcs11_k11_free(k11);
+ }
 while ((p = TAILQ_FIRST(&pkcs11_providers)) != NULL) {
 TAILQ_REMOVE(&pkcs11_providers, p, next);
 pkcs11_provider_finalize(p);
@@ -2287,11 +2289,13 @@ out:
 
 #include "log.h"
 #include "sshkey.h"
+#include "ssherr.h"
+#include "ssh-pkcs11.h"
 
 int
 pkcs11_init(int interactive)
 {
- error_f("dlopen() not supported");
+ error_f("PKCS#11 not supported");
 return (-1);
 }
 
@@ -2299,13 +2303,30 @@ int
 pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
 char ***labelsp)
 {
- error_f("dlopen() not supported");
+ error_f("PKCS#11 not supported");
 return (-1);
 }
 
 void
+pkcs11_key_free(struct sshkey *key)
+{
+ error_f("PKCS#11 not supported");
+}
+
+int
+pkcs11_sign(struct sshkey *key,
+ u_char **sigp, size_t *lenp,
+ const u_char *data, size_t datalen,
+ const char *alg, const char *sk_provider,
+ const char *sk_pin, u_int compat)
+{
+ error_f("PKCS#11 not supported");
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+void
 pkcs11_terminate(void)
 {
- error_f("dlopen() not supported");
+ error_f("PKCS#11 not supported");
 }
 #endif /* ENABLE_PKCS11 */
@@ -723,6 +723,7 @@ sshkey_sk_cleanup(struct sshkey *k)
 static int
 sshkey_prekey_alloc(u_char **prekeyp, size_t len)
 {
+#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
 u_char *prekey;
 
 *prekeyp = NULL;
@@ -733,15 +734,22 @@ sshkey_prekey_alloc(u_char **prekeyp, size_t len)
 (void)madvise(prekey, len, MADV_DONTDUMP);
 #endif
 *prekeyp = prekey;
+#else
+ *prekeyp = calloc(1, len);
+#endif /* HAVE_MMAP et al */
 return 0;
 }
 
 static void
 sshkey_prekey_free(void *prekey, size_t len)
 {
+#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
 if (prekey == NULL)
 return;
 munmap(prekey, len);
+#else
+ free(prekey);
+#endif /* HAVE_MMAP et al */
 }
 
 static void
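Review bot: The calloc fallback added to sshkey_prekey_alloc never checks its result: when calloc fails, *prekeyp is NULL yet the function still returns 0, so the caller (outside this hunk) is told the prekey buffer exists, whereas the mmap path keeps its own failure handling. Replace the new assignment with `if ((*prekeyp = calloc(1, len)) == NULL) return SSH_ERR_ALLOC_FAIL;` so both paths report allocation failure the same way. A short comment at the `#else` is also warranted, because the hunk shows the primary path applying MADV_DONTDUMP to the mapping and the fallback gets no such treatment: `/* no mmap: ordinary heap memory, not excluded from core dumps */`. sshkey_prekey_free's free() accepts NULL, so the asymmetry is confined to allocation.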
diff --git a/version.h b/version.h index 5dcdcca3fc93..086cdba98516 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.106 2025/10/06 01:45:22 djm Exp $ */ +/* $OpenBSD: version.h,v 1.107 2025/10/08 00:32:52 djm Exp $ */ -#define SSH_VERSION "OpenSSH_10.1" +#define SSH_VERSION "OpenSSH_10.2" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
