Potential method name clash with LibreSSL #13411
Comments
We will address the names of these APIs because the current names are confusing.
Perhaps use one function that has a parameter that indicates running or original iv.
I'm not sure that that is what we agreed on
What did you hear :)
There was no definite agreement about what to change and how but there at least is an agreement that the current API definition of EVP_CIPHER_CTX_get_iv() and EVP_CIPHER_CTX_get_iv_state() is confusing and needs adjustments. The proposed choices were:
In case of 2 there still will be a name clash with LibreSSL, but it will result in a syntax error in compilation, so the users can easily see that their code needs to handle LibreSSL and OpenSSL differently.
In https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-December/039003.html @daztucker thought about:
That was discussed but not acceptable for OTC. Please note that the objective of the change that OTC aims for is that the current APIs are confusing, and not the clash with LibreSSL. This would not remove the confusion; it would just make it the other way around.
Ok. Proposal 1. looks good to me, as libressl can keep their
I see that 3.0.0-alpha10 did not fix this problem. It would be good if it could be fixed before 3.0.0 leaves alpha, otherwise it will be more difficult for OpenSSH to support OpenSSL-3.x |
During OpenSSL 3.0 development since OpenSSL commits:

718b133a5328 Implement AES CBC ciphers in the default provider
819a7ae9fc77 Implement AES CTR ciphers in the default provider

the dhgex tests ("make t-exec LTESTS=dhgex") are failing. OpenSSH needs the "current" IV state, which is acquired with the accessor function EVP_CIPHER_CTX_get_iv(). The libressl compat layer uses EVP_CIPHER_CTX_iv() to implement EVP_CIPHER_CTX_get_iv(), see:

482d23b upstream: hold our collective noses and use the openssl-1.1.x API in
48f54b9 adapt -portable to OpenSSL 1.1x API

During OpenSSL 3.0 development EVP_CIPHER_CTX_iv() was deprecated, and later OpenSSL re-added the functionality: EVP_CIPHER_CTX_get_iv() and EVP_CIPHER_CTX_get_iv_state() were introduced. However, EVP_CIPHER_CTX_get_iv() returns the original IV, while EVP_CIPHER_CTX_get_iv_state() returns the current IV. See openssl PR #12233 for additional discussion.

This is an API clash, since OpenSSH expects EVP_CIPHER_CTX_get_iv() to return the running IV. See OpenSSL issue #13411 for an ongoing discussion on how to fix the problem, by renaming the functions.

This patch works around the problem in the libressl compat layer, by providing an EVP_CIPHER_CTX_get_iv() function that calls EVP_CIPHER_CTX_get_iv_state(), only if EVP_CIPHER_CTX_get_iv_state() is available. This internal EVP_CIPHER_CTX_get_iv() will be used by OpenSSH instead of the EVP_CIPHER_CTX_get_iv() provided by OpenSSL-3.0.

The latest changes in OpenSSL 3.0 in combination with this patch fix the non-GCM ciphers. All but the chacha20-poly1305 test are working again:

dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-ctr
dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-ctr
dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
dhgex bits 7680 diffie-hellman-group-exchange-sha1 aes192-cbc
dhgex bits 7680 diffie-hellman-group-exchange-sha256 aes192-cbc
dhgex bits 7680 diffie-hellman-group-exchange-sha1 aes192-ctr
dhgex bits 7680 diffie-hellman-group-exchange-sha256 aes192-ctr
dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-cbc
dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-cbc
dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-ctr
dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-ctr
dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha256 chacha20-poly1305@openssh.com
ssh failed ()

Cc: Thomas Dwyer III <tomiii@tomiii.com>
Link: https://www.spinics.net/lists/openssh-unix-dev/msg06860.html
Link: openssl/openssl#12233
Link: openssl/openssl#13411
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
To clarify the purpose of these two calls rename them to EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv. Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV to better align with the function name. Fixes openssl#13411
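The OpenSSH commit above and the rename just described both turn on the same distinction: in CTR mode the IV handed to init stays fixed, while the counter the cipher is actually using advances with every keystream block. The following is an added example, not code from OpenSSL or OpenSSH. It models an EVP_CIPHER_CTX-like CTR context that keeps both values behind accessors with the hypothetical names ctr_get_original_iv() and ctr_get_updated_iv(), mirroring the final OpenSSL names. The block function toy_block() is a constructed keyed mixing function standing in for AES so the file builds without libcrypto; it is not a cipher, and the key and IV values are constructed too. The example shows that the updated IV has advanced by one per keystream block generated (a partially consumed block included), and that a consumer restoring a context at a block-aligned point continues the stream only when seeded with the updated IV; seeding with the original IV restarts the keystream from block 0, which is the kind of desynchronisation behind the failing dhgex runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16

/* Constructed keyed block function standing in for AES so this builds without
 * libcrypto. NOT a cipher; it only needs to be deterministic and input-sensitive. */
static void toy_block(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK])
{
    uint64_t s = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < BLOCK; i++) { s ^= ((uint64_t)key[i] << 8) | in[i]; s *= 0xBF58476D1CE4E5B9ULL; s ^= s >> 29; }
    for (int i = 0; i < BLOCK; i++) { s *= 0x94D049BB133111EBULL; s ^= s >> 31; out[i] = (uint8_t)s; }
}

/* CTR context keeping both IVs, as EVP_CIPHER_CTX does (hypothetical type). */
typedef struct {
    uint8_t key[BLOCK];
    uint8_t original_iv[BLOCK]; /* IV given at init: EVP_CIPHER_CTX_get_original_iv() */
    uint8_t iv[BLOCK];          /* running counter:  EVP_CIPHER_CTX_get_updated_iv()  */
    uint8_t keystream[BLOCK];   /* keystream block currently being consumed */
    unsigned int num;           /* bytes of keystream[] already used */
} ctr_ctx;

static void ctr_init(ctr_ctx *c, const uint8_t key[BLOCK], const uint8_t iv[BLOCK])
{
    memcpy(c->key, key, BLOCK); memcpy(c->original_iv, iv, BLOCK); memcpy(c->iv, iv, BLOCK);
    c->num = 0;
}

static void ctr128_inc(uint8_t counter[BLOCK])   /* big-endian increment of the 128-bit block */
{
    for (int i = BLOCK - 1; i >= 0 && ++counter[i] == 0; i--)
        ;                                        /* keep carrying while a byte wraps to 0 */
}

static void ctr_update(ctr_ctx *c, const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (c->num == 0) {                       /* next keystream block: encrypt counter, then advance it */
            toy_block(c->key, c->iv, c->keystream);
            ctr128_inc(c->iv);
        }
        out[i] = in[i] ^ c->keystream[c->num];
        c->num = (c->num + 1) % BLOCK;
    }
}

static void ctr_get_original_iv(const ctr_ctx *c, uint8_t out[BLOCK]) { memcpy(out, c->original_iv, BLOCK); }
static void ctr_get_updated_iv(const ctr_ctx *c, uint8_t out[BLOCK])  { memcpy(out, c->iv, BLOCK); }

static uint64_t low64(const uint8_t iv[BLOCK])   /* low 64 bits of a counter block, big-endian */
{
    uint64_t v = 0;
    for (int i = BLOCK - 8; i < BLOCK; i++) v = (v << 8) | iv[i];
    return v;
}

/* Encrypt len (<= 256) bytes and return how many blocks the running counter has
 * advanced past the original IV: one per keystream block generated, partial ones included. */
static uint64_t counter_advance_after(size_t len)
{
    static const uint8_t key[BLOCK] = { 0x2b, 0x7e, 0x15, 0x16 };   /* constructed */
    uint8_t iv[BLOCK] = { 0 }, buf[256] = { 0 }, orig[BLOCK], upd[BLOCK];
    ctr_ctx c;
    iv[BLOCK - 1] = 0xFE;                        /* low byte near wrap so a carry is exercised */
    ctr_init(&c, key, iv);
    ctr_update(&c, buf, buf, len);
    ctr_get_original_iv(&c, orig);
    ctr_get_updated_iv(&c, upd);
    return low64(upd) - low64(orig);
}

/* Hand a stream over to a fresh context after 48 block-aligned bytes (SSH packets are
 * padded to the block size, so num == 0 there), seeding it with the updated or the original
 * IV. Returns 1 if the resumed output equals bytes 48..79 of one continuous 80-byte stream. */
static int resume_matches_continuous(int use_updated_iv)
{
    static const uint8_t key[BLOCK] = { 0x2b, 0x7e, 0x15, 0x16 };   /* constructed */
    static const uint8_t iv[BLOCK] = { 0xf0, 0xf1, 0xf2, 0xf3 };    /* constructed */
    uint8_t plain[80], cont[80], first[48], resumed[32], seed[BLOCK];
    ctr_ctx a, b, r;
    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)i;
    ctr_init(&a, key, iv);
    ctr_update(&a, plain, cont, sizeof plain);   /* reference: one continuous stream */
    ctr_init(&b, key, iv);
    ctr_update(&b, plain, first, sizeof first);  /* first 48 bytes, then hand over */
    if (use_updated_iv) ctr_get_updated_iv(&b, seed); else ctr_get_original_iv(&b, seed);
    ctr_init(&r, key, seed);                     /* consumer restoring the context from the IV it was given */
    ctr_update(&r, plain + 48, resumed, sizeof resumed);
    return memcmp(resumed, cont + 48, sizeof resumed) == 0;
}

int main(void)
{
    printf("blocks advanced after 40 bytes: %llu\n", (unsigned long long)counter_advance_after(40));
    printf("resume from updated IV matches: %d\n", resume_matches_continuous(1));
    printf("resume from original IV matches: %d\n", resume_matches_continuous(0));
    return 0;
}
```

Two details carry over to the real API: the counter is advanced when a keystream block is generated, so after 40 bytes the updated IV is already three blocks past the original even though only half of the third block has been consumed, and restoring from the updated IV alone is only exact at a block boundary, because the partially used keystream block is not part of the IV. A consumer that keeps using the original IV would reuse the keystream from the start of the stream, which is why the accessor names had to make the difference unmistakable.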
* Update copyright years of auto-generated headers (make update) Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from openssl#13764) * crypto/win: Don't use disallowed APIs on UWP CreateFiber and ConvertThreadToFiber are not allowed in Windows Store (Universal Windows Platform) apps since they have been replaced by their Ex variants which have a new dwFlags parameter. This flag allows the fiber to do floating-point arithmetic in the fiber on x86, which would silently cause corruption otherwise since the floating-point state is not switched by default. Switch to these "new" APIs which were added in Vista. See: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex#parameters Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#12400) * win-onecore: Build with /APPCONTAINER for UWP compat When targeting the win-onecore configuration, we must link with /APPCONTAINER which is a requirement for submitting apps to the Windows Store. Without this, the Windows App Certificate Kit will reject the app: https://docs.microsoft.com/en-us/cpp/build/reference/appcontainer-windows-store-app Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#12400) * EVP_SIGNATURE-ED25519.pod: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13768) * 28-seclevel.cnf.in: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13768) * Updated SSL_CTX_new doc Fixes openssl#13703 Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13741) * Use CRIOGET to fetch a crypto descriptor when present. 
FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13468) * Support session information on FreeBSD. FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it does provide other ioctls that can be used to provide similar functionality. First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts a 'struct session2_op'. This structure extends 'struct session_op' with a 'crid' member which can be used to either request an individual driver by id, or a class of drivers via flags. To determine if the available drivers for a given algorithm are accelerated or not, use CIOCGESSION2 to first attempt to create an accelerated (hardware) session. If that fails, fall back to attempting a software session. In addition, when requesting a new cipher session, use the current setting of the 'use_softdrivers' flag to determine the value assigned to 'crid' when invoking CIOCGSESSION2. Finally, use the returned 'crid' value from CIOCGSESSION2 to look up the name of the associated driver via the CIOCFINDDEV ioctl. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13468) * Mac M1 setting change proposal. Running tests takes very long with the current setting while it takes a lot shorter time with this change. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13771) * Only perform special TLS handling if TLS has been configured Skip over special TLS steps for stream ciphers if we haven't been configured for TLS. 
Fixes openssl#12528 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13774) * Update copyright year Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from openssl#13800) * Prepare for release of 3.0 alpha 10 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> * Prepare for 3.0 alpha 11 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> * Fix set_ciphersuites ignore unknown ciphers. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Fixed error and return code. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Remove extra space. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#12100) * Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes openssl#13649 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13655) * [crypto/dh] side channel hardening for computing DH shared keys Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13783) * Adding TLS group name retrieval Function SSL_group_to_name() added, together with documentation and tests. This now permits displaying names of internal and external provider-implemented groups. 
Partial fix of openssl#13767 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13785) * [test] Add `pkey -check` validation tests Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * [apps/pkey] Return error on failed `-[pub]check` Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * [test][pkey_check] Add invalid SM2 key test SM2 private keys have different validation requirements than EC keys: this test checks one corner case highlighted in openssl#8435 As @bbbrumley mentioned in openssl#8435 (comment) this only fixes the absence of a regression test for validation of this kind of boundary issues for decoded SM2 keys. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * Add SM2 private key range validation According to the relevant standards, the valid range for SM2 private keys is [1, n-1), where n is the order of the curve generator. For this reason we cannot reuse the EC validation function as it is, and we introduce a new internal function `sm2_key_private_check()`. Partially fixes openssl#8435 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * [test][pkey_check] Add more invalid SM2 key tests Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13359) * replace 'unsigned const char' with 'const unsigned char' The openssl code base has only a few occurrences of 'unsigned const char' (15 occurrences), compared to the more common 'const unsigned char' (4420 occurrences). While the former is not illegal C, mixing the 'const' keyword (a 'type qualifier') in between 'unsigned' and 'char' (both 'type specifiers') is a bit odd. The background for writing this patch is not to be pedantic, but because the 'opmock' program (used to mock headers for unit tests) does not accept the 'unsigned const char' construct. 
While this definitely is a bug in opmock or one of its dependencies, openssl is the only piece of software we are using in combination with opmock that has this construct. CLA: trivial Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from openssl#13722) * Fix simpledynamic test compilation when condigured without DSO support. This fixes this compilation error: In file included from test/simpledynamic.c:13: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ make[1]: *** [Makefile:24670: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: *** Waiting for unfinished jobs.... 
In file included from test/moduleloadtest.c:19: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13802) * Fix for negative return value from `SSL_CTX_sess_accept()` Fixes openssl#13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from openssl#13297) * doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 
Signed-off-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#13814) * apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * apps/pkey.c: Make clear that -passout is not supported for DER output Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * apps/pkey.c: Re-order help output and option documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13712) * APPS: Fix confusion between program and app/command name used in diagnostic/help output Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13799) * APPS: Print help also on -h and --h; print high-level help when no cmd given Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13799) * Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13807) * v3_ocsp.c: fix indentation of include directives Fixes openssl#13820 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from openssl#13822) * Configure: Check all SOURCE declarations, to ensure consistency If the given sources are GENERATEd, we check those generators as well. This ensures that the declarations in the diverse build.info files are consistent with existing files. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Configure: clean away perl syntax faults The faults aren't fatal (i.e. perl just shrugs), but are curious. 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Configure: warn about duplicate GENERATE declarations in build.info files This sort of duplication is permitted, as the end result will be a single item anyway, but we might as well warn to avoid future confusion. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Remove duplicate GENERATE declarations for .pod files Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13824) * Use centralized fetching errors We've spread around FETCH_FAILED errors in quite a few places, and that gives somewhat crude error records, as there's no way to tell if the error was unavailable algorithms or some other error at such high levels. As an alternative, we take recording of these kinds of errors down to the fetching functions, which are in a much better place to tell what kind of error it was, thereby relieving the higher level calls from having to guess. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13467) * Clean away extraneous library specific FETCH_FAILED reason codes Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13467) * Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * TEST: move cert, key, and CSR loading aux functions to new testutil/load.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * Make PEM_X509_INFO_read_bio_ex() conservative on the error queue Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * x509_vfy.c: Fix a regression in find_issuer() ...in case the candidate issuer cert is identical to the target cert. This is the v3.0.0 variant of openssl#13749 fixing openssl#13739 for v1.1.1. 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13762) * Fix enable-weak-ssl-ciphers Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched rc4-hmac-md5 cipher implementation did not recognise the tls_version parameter, and therefore was being incorrectly handled. Fixes openssl#13795 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#13803) * Fix incorrect use of BN_CTX API In some edge cases BN_CTX_end was being called without first calling BN_CTX_start. This creates a situation where the state of the big number allocator is corrupted and may lead to crashes. Fixes openssl#13812 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13813) * d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() Partly fixes openssl#13754 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13755) * X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the upstream fix for openssl#13698 reported for v1.1.1 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13755) * apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default Fixes openssl#13603 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * APPS: Allow OPENSSL_CONF to be empty, not loading a config file Also document the function CONF_get1_default_config_file() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: add -CA and -CAkey options; improve code and doc Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/lib/opt.c: Fix error message on unknown option/digest Reviewed-by: Tomas Mraz 
<tmraz@fedoraproject.org> (Merged from openssl#13658) * X509_PUBKEY_set(): Fix error reporting Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: make -subj work with -x509; clean up related code Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert Also clean up some related auxiliary functions and documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: Add -copy_extensions option for use with -x509; default: none Fixes openssl#13708 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: Cosmetic improvements of code and documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * apps/req.c: Make sure -verify option takes effect also with -x509 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13658) * chacha20: Properly reinitialize the cipher context with NULL key Same for chacha20-poly1305. The test_cipher_reinit and test_cipher_reinit_partialupdate is modified to test this case of cipher context reinitialization. Fixes openssl#13064 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13850) * Make the OSSL_PARAM manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from openssl#13848) * Make the OSSL_SELF_TEST manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13849) * Make the OSSL_HTTP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13847) * Make the OSSL_PROVIDER manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13845) * Make the OSSL_trace manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13842) * Make header references conform with man-pages(7) in all manuals Details from man-pages(7) that are used: Formatting conventions (general) ... Filenames (whether pathnames, or references to header files) are always in italics (e.g., <stdio.h>), except in the SYNOPSIS section, where in‐ cluded files are in bold (e.g., #include <stdio.h>). When referring to a standard header file include, specify the header file surrounded by angle brackets, in the usual C way (e.g., <stdio.h>). ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13843) * OPENSSL_cpuid_setup FreeBSD PowerPC update Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13821) * OPENSSL_cpuid_setup FreeBSD arm update. when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13650) * Skip BOM when reading the config file Fixes openssl#13840 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13857) * Make the OSSL_CMP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13846) * find_issuer(): When returning an expired issuer, take the most recently expired one Also point out in the documenting comment that a non-expired issuer is preferred. 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13805) * Fix a crash with multi-threaded applications using the FIPS module The FIPS implementation of the ossl_ctx_thread_stop function needs to use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was assuming that these are the same thing (which was true at one point during development) - but that is no longer the case. The fix is to get the OSSL_LIB_CTX out of the provctx. Fixes openssl#13469 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Add a test for performing work in multiple concurrent threads We test both the default provider and the fips provider Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Document the core_thread_start upcall The core_thread_start upcall previously had a placeholder in the docs. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Lock the provider operation_bits The provider operation_bits array can see concurrent access by multiple threads and can be reallocated at any time. Therefore we need to ensure that it is appropriately locked. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() The function ossl_lib_ctx_generic_new() modifies the exdata. This may be simultaneously being modified by other threads and therefore we need to make sure we take the lock before doing so. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Enable locking on the primary DRBG when we create it The primary DRBG may be shared across multiple threads and therefore we must use locking to access it. Previously we were enabling that locking lazily when we attempted to obtain one of the child DRBGs. Part of the process of enabling the lock, is to create the lock. 
But if we create the lock lazily then it is too late - we may race with other threads where each thread is independently attempting to enable the locking. This results in multiple locks being created - only one of which "sticks" and the rest are leaked. Instead we enable locking on the primary when we first create it. This is already locked and therefore we cannot race. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Extend the threads test to add simple fetch from multi threads Issue openssl#13682 suggests that doing a simple fetch from multi-threads may result in issues so we add a test for that. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Fix an issue in provider_activate_fallbacks() The above function was running while holding the store lock with a read lock. Unfortunately it actually modifies the store, so a write lock is required instead. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Fix a failure where fetches can return NULL in multi-threaded code When a fetch is attempted simultaneously from multiple threads then both threads can attempt to construct the method. However only one of those will get added to the global evp method store. The one that "lost" the race to add the method to the global evp method store ended up with the fetch call returning NULL, instead of returning the method that was already available. Fixes openssl#13682 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13660) * Enhance default provider documentation Bring Wiki and man page documentation in line regarding default provider fall-back behaviour. Fixes openssl#13844 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13859) * Correct typo in rsa_oaep.c Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13861) * Remove unused DRBG tests. 
The DRBG known answer tests are performed by evp_test and the old vectors are not used. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from openssl#13867) * Document openssl thread-safety Also discuss reference-counting, mutability and safety. Thanks to David Benjamin for pointing to comment text he added to boringSSL's header files. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13788) * Fix crypto/des/build.info !$disabled{mdc2} was used to determine if DES files should be included in providers/liblegacy.a. Use !$disabled{des} instead. Fixes openssl#13865 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13866) * Fix incomplete deprecation guard in test/sslapitest.c OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED, as the latter doesn't take the configuration option '--api=' in account. Fixes openssl#13865 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13866) * Allow EVP_PKEY private key objects to be created without a public component Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13855) * X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13713) * bio_lib.c: Fix error queue entries and return codes on NULL args etc. 
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13713) * replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13713) * Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes openssl#13868 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13874) * Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity To clarify the purpose of these two calls rename them to EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv. Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV to better align with the function name. Fixes openssl#13411 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13870) * CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. Fixes openssl#13624 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13668) * Fix PKCS7 potential segfault As the code that handles libctx, propq for PKCS7 is very similar to CMS code, a similar fix for issue openssl#13624 needs to be applied. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13668) * Fix memory leak in mac_newctx() on error Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13702) * DOCS: Fix the last few remaining pass phrase options references There were a few lingering older style references to the pass phrase options section, now streamlined with all the others.
Fixes openssl#13883 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#13885) * Deprecate OCSP_xxx API for OSSL_HTTP_xxx Deprecations made: OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES text inline. Some of the original functions had no documentation: OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio, OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod Fixes openssl#12234 Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13742) * cleaned internal crypto references; activated all tests * clarified provider activation Co-authored-by: Dr. 
David von Oheimb <David.von.Oheimb@siemens.com> Co-authored-by: Nirbheek Chauhan <nirbheek.chauhan@gmail.com> Co-authored-by: Etienne Millon <me@emillon.org> Co-authored-by: bazmoz <bazmoz@protonmail.com> Co-authored-by: John Baldwin <jhb@FreeBSD.org> Co-authored-by: David CARLIER <devnexen@gmail.com> Co-authored-by: Matt Caswell <matt@openssl.org> Co-authored-by: Otto Hollmann <otto@hollmann.cz> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Co-authored-by: Romain Geissler <romain.geissler@amadeus.com> Co-authored-by: anupamam13 <anuavnd@gmail.com> Co-authored-by: Sahana Prasad <sahana@redhat.com> Co-authored-by: Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Co-authored-by: Richard Levitte <levitte@openssl.org> Co-authored-by: Agustin Gianni <agustingianni@gmail.com> Co-authored-by: Tomas Mraz <tmraz@fedoraproject.org> Co-authored-by: Dmitry Belyavskiy <beldmit@gmail.com> Co-authored-by: Daniel Bevenius <daniel.bevenius@gmail.com> Co-authored-by: Pauli <ppzgs1@gmail.com> Co-authored-by: Rich Salz <rsalz@akamai.com> Co-authored-by: Jon Spillett <jon.spillett@oracle.com> Co-authored-by: Shane Lontis <shane.lontis@oracle.com> Co-authored-by: Kurt Roeckx <kurt@roeckx.be>
OpenSSL renamed the "get current CIPHER_CTX" IV operation in 3.x. This uses the new name if available. openssl/openssl#13411 bz#3238 ok dtucker@
* Restore correct flags during localtime_r check. We were restoring the wrong thing CPPFLAGS (we used CFLAGS) for any platform that doesn't have localtime_r. * Use "=" not "==" in string test. POSIX says "=" is string comparison and some shells (eg HP-UX) will complain about "==". * upstream: when mentioning that the host key has changed, don't report the type because it is ambiguous as to whether it referred to the known or new host key. bz3216; ok dtucker@ OpenBSD-Commit-ID: 2d5ce4a83dbcf44e340a572e361decad8aab7bad * upstream: when loading PKCS#11 keys, include the key fingerprints and provider/slot information in debug output. OpenBSD-Commit-ID: 969a089575d0166a9a364a9901bb6a8d9b8a1431 * upstream: clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly, Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@ OpenBSD-Commit-ID: 9925df75a56732c43f3663e70dd15ff413ab3e53 * upstream: Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. ok dtucker@ OpenBSD-Commit-ID: f31ab10d9233363a6d2c9996007083ba43a093f1 * upstream: Document ssh-keygen -Z, sanity check its argument earlier and provide a better error message if it's not correct. Prompted by bz#2879, ok djm@ jmc@ OpenBSD-Commit-ID: 484178a173e92230fb1803fb4f206d61f7b58005 * upstream: check result of strchr() against NULL rather than searched-for characters; from zhongjubin@huawei.com OpenBSD-Commit-ID: e6f57de1d4a4d25f8db2d44e8d58d847e247a4fe * upstream: Include cipher.h for declaration of cipher_by_name. 
OpenBSD-Commit-ID: ddfebbca03ca0e14e00bbad9d35f94b99655d032 * upstream: Ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320, with & ok djm@ OpenBSD-Commit-ID: bdbf9fc5bc72b1a14266f5f61723ed57307a6db4 * upstream: make program name be const OpenBSD-Commit-ID: ece25680ec637fdf20502721ccb0276691df5384 * upstream: typos: s/hex/kex/ in error messages OpenBSD-Commit-ID: 43a026c9571dd779ec148de1829cf5a6b6651905 * upstream: fix minor memleak of kex->hostkey_alg on rekex OpenBSD-Commit-ID: 2c3969c74966d4ccdfeff5e5f0df0791919aef50 * upstream: memleak of DH public bignum; found with libfuzzer OpenBSD-Commit-ID: 0e913b542c3764b100b1571fdb0d0e5cc086fe97 * upstream: make ssh_free(NULL) a no-op OpenBSD-Commit-ID: 42cb285d94789cefe6608db89c63040ab0a80fa0 * upstream: shuffle a few utility functions into sftp-client.c; from Jakub Jelen OpenBSD-Commit-ID: fdeb1aae1f6149b193f12cd2af158f948c514a2a * use options that work with recent clang * basic KEX fuzzer; adapted from Markus' unittest * upstream: use _PATH_SSH_USER_DIR instead of hardcoded .ssh in path OpenBSD-Commit-ID: 5c1048468813107baa872f5ee33ba51623630e01 * upstream: prepare readconf.c for fuzzing; remove fatal calls and fix some (one-off) memory leaks; ok markus@ OpenBSD-Commit-ID: 91c6aec57b0e7aae9190de188e9fe8933aad5ec5 * upstream: refactor client percent_expand() argument passing; consolidate the common arguments into a single struct and pass that around instead of using a bunch of globals. ok markus@ OpenBSD-Commit-ID: 035e6d7ca9145ad504f6af5a021943f1958cd19b * upstream: fix possible error("%s", NULL) on error paths OpenBSD-Commit-ID: 0b3833c2cb985453ecca1d76803ebb8f3b736a11 * upstream: Print client kem key with correct length. 
ok markus@ OpenBSD-Commit-ID: 91689e14a4fc6c270e265a32d1c8faba63a45755 * upstream: load_hostkeys()/hostkeys_foreach() variants for FILE* Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly. Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces. Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys(). ok markus@ OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20 * upstream: allow UserKnownHostsFile=none; feedback and ok markus@ OpenBSD-Commit-ID: c46d515eac94a35a1d50d5fd71c4b1ca53334b48 * upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok markus@ OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0 * Pull in missing rev 1.2. * upstream: few more things needs match.c and addrmatch.c now that log.c calls match_pattern_list() OpenBSD-Regress-ID: f7c95c76b150d0aeb00a67858b9579b7d1b2db74 * upstream: adapt to API change in hostkeys_foreach()/load_hostkeys() OpenBSD-Regress-ID: dcb468514f32da49a446372453497dc6eeafdbf3 * upstream: properly fix ProxyJump parsing; Thanks to tb@ for pointing out my error (parse_ssh_uri() can return -1/0/1, that I missed). Reported by Raf Czlonka via bugs@ ok tb@ OpenBSD-Commit-ID: a2991a3794bcaf1ca2b025212cce11cdb5f6b7d6 * upstream: Remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc which was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. This will reduce the amount of work the cipher/kex regression tests need to do by a little bit. 
ok markus@ djm@ OpenBSD-Commit-ID: fb460acc18290a998fd70910b19c29b4e4f199ad * upstream: Remove explicit rijndael-cbc@lysator.liu.se test since the cipher was removed. OpenBSD-Regress-ID: aa93cddb4ecd9bc21446a79008a1a53050e64f17 * upstream: move subprocess() from auth.c to misc.c make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere) add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use. feedback & ok markus@ OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf * upstream: add a ssh_config KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files. The command accepts a bunch of %-expansions, including details of the connection and the offered server host key. Note that the command may be invoked up to three times per connection (see the manpage for details). ok markus@ OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0 * upstream: Remove lines accidentally left behind in the ProxyJump parsing fix r1.345. ok djm OpenBSD-Commit-ID: fe767c108c8117bea33767b080ff62eef2c55f5c * upstream: regress test for KnownHostsCommand OpenBSD-Regress-ID: ffc77464320b6dabdcfa0a72e0df02659233a38a * upstream: more detail for failing tests OpenBSD-Regress-ID: c68c0e5a521cad7e7f68e54c54ebf86d6c10ee1d * ensure $LOGNAME is set in tests * Include stdio.h for FILE in misc.h. Fixes build on at least OpenBSD. * Improve AIX text. * whitespace at EOL * whitespace at EOL * upstream: tweak the description of KnownHostsCommand in ssh_conf.5, and add entries for it to the -O list in scp.1 and sftp.1; ok djm OpenBSD-Commit-ID: aba31ebea03f38f8d218857f7ce16a500c3e4aff * upstream: Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com.
Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note both the updated method and the one that it replaced are disabled by default) OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae * upstream: Adapt to replacement of sntrup4591761x25519-sha512@tinyssh.org with sntrup761x25519-sha512@openssh.com. Also test sntrup761x25519-sha512@openssh.com in unittests/kex OpenBSD-Regress-ID: cfa3506b2b077a9cac1877fb521efd2641b6030c * adapt KEX fuzzer to PQ kex change * upstream: Use int64_t for intermediate values in int32_MINMAX to prevent signed 32-bit integer overflow. Found by and ok djm@ ok markus@ OpenBSD-Commit-ID: 4f0704768e34cf45fdd792bac4011c6971881bb3 * fix: missing pieces of previous commit * Undef int32 after sort routines. This prevents typedef'ing crypto_int32 twice, in sntrup761.c and crypto_api.h, which some compilers (at least some GCCs) don't accept. * upstream: Prevent redefinition of `crypto_int32' error with gcc3. Fixes compilation on luna88k. Feedback millert@ Found by and ok aoyama@ OpenBSD-Commit-ID: f305ddfe575a26cc53431af3fde3f4aeebed9ba6 * upstream: restructure sntrup761.sh to process all files in a single list, which will make it easier to reorder. Re-inline int32_MINMAX.
ok tobhe@ OpenBSD-Commit-ID: d145c6c19b08bb93c9e14bfaa7af589d90f144c0 * upstream: mention that DisableForwarding is valid in a sshd_config Match block reported by Fredrik Eriksson in bz3239 OpenBSD-Commit-ID: 3a71c3d84b597f5e43e4b40d5232797daf0993f6 * upstream: Update the sntrup761 creation script and generated code: - remove unneeded header files and typedefs and rely on crypto_api.h - add defines to map types used to the crypto_api ones instead of typedefs. This prevents typedef name collisions in -portable. - remove CRYPTO_NAMESPACE entirely instead of making it a no-op - delete unused functions and make the remaining ones that aren't exported static. ok djm@ OpenBSD-Commit-ID: 7b9d0cf3acd5a3c1091da8afe00c904d38cf5783 * upstream: don't try to use timespeccmp(3) directly as a qsort(3) comparison function - it returns 0/1 and not the -1/0/1 that qsort expects. fixes sftp "ls -ltr" under some circumstances. Based on patch by Masahiro Matsuya via bz3248. OpenBSD-Commit-ID: 65b5e9f18bb0d10573868c3516de6e5170adb163 * upstream: If a signature operation on a FIDO key fails with an "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This smooths over a few corner cases including FIDO devices that require PINs for all hosted credentials, biometric FIDO devices that fall back to requiring PIN when reading the biometric failed, devices that don't implement reading credProtect status for downloaded keys and probably a few more cases that I haven't thought of yet. ok dtucker@ OpenBSD-Commit-ID: 176db8518933d6a5bbf81a2e3cf62447158dc878 * Add Ubuntu 16.04 and 20.04 test targets. * Run tests with sudo for better coverage. * upstream: make CheckHostIP default to 'no'. It doesn't provide any perceptible value and makes it much harder for hosts to change host keys, particularly ones that use IP-based load-balancing.
ok dtucker@ OpenBSD-Commit-ID: 0db98413e82074f78c7d46784b1286d08aee78f0 * Add test against Graphene hardened malloc. * upstream: Move address handling functions out into their own file in order to reuse them for per-source maxstartups limiting. Supplement with some additional functions from djm's flowtools that we'll also need. ok djm@ (as part of a larger diff). OpenBSD-Commit-ID: e3e7d9ccc6c9b82e25cfef0ec83598e8e2327cbf * upstream: Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide more fine grained MaxStartups limits. Man page help jmc@, feedback & ok djm@ OpenBSD-Commit-ID: e2f68664e3d02c0895b35aa751c48a2af622047b * upstream: add a comma to previous; OpenBSD-Commit-ID: 9139433701c0aa86a0d3a6c7afe10d1c9c2e0869 * upstream: Change convtime() from returning long to returning int. On platforms where sizeof(int) != sizeof(long), convtime could accept values >MAX_INT which subsequently truncate when stored in an int during config parsing. bz#3250, ok djm@ OpenBSD-Commit-ID: 8fc932683d6b4660d52f50911d62bd6639c5db31 * upstream: Update unittests for addr.c/addrmatch.c split. OpenBSD-Regress-ID: de2b415fb7af084a91c6ef147a90482d8f771eef * upstream: Adjust kexfuzz to addr.c/addrmatch.c split. OpenBSD-Regress-ID: 1d8d23bb548078020be2fb52c4c643efb190f0eb * upstream: Correct spelling of persourcenetblocksize in config-dump mode. OpenBSD-Commit-ID: ecdc49e2b6bde6b6b0e52163d621831f6ac7b13d * Remove duplicated declaration in fatal.c. * Add Mac OS X test targets. * Merge Mac OS X targets into a single config. * upstream: Minor grammatical correction. OK jmc@ OpenBSD-Commit-ID: de0fad0581e212b2750751e479b79c18ff8cac02 * upstream: In waitfd(), when poll returns early we are subtracting the elapsed time from the timeout each loop, so we only want to measure the elapsed time of the poll() in that loop, not since the start of the function.
Spotted by chris.xj.zhu at gmail.com, ok djm@ OpenBSD-Commit-ID: 199df060978ee9aa89b8041a3dfaf1bf7ae8dd7a * upstream: Change types in convtime() unit test to int to match its new type. Add tests for boundary conditions and fix convtime to work up to INT_MAX. ok djm@ OpenBSD-Commit-ID: 01dc0475f1484ac2f47facdfcf9221f9472145de * upstream: Make output buffer larger to prevent potential truncation warnings from compilers not smart enough to know the strftime calls won't ever fully fill "to" and "from". ok djm@ OpenBSD-Commit-ID: 83733f1b01b82da88b9dd1769475952aff10bdd7 * upstream: Change types in convtime() unit test to int to match its new type. Add tests for boundary conditions and fix convtime to work up to INT_MAX. ok djm@ OpenBSD-Regress-ID: ba2b81e9a3257fff204b020affe85b604a44f97e * upstream: Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5 * upstream: PubkeyAcceptedKeyTypes->PubkeyAcceptedAlgorithms here too. OpenBSD-Commit-ID: 3b64a640f8ce8c21d9314da9df7ce2420eefde3a * upstream: Fix long->int for convtime tests here too. Spotted by tobhe@. OpenBSD-Regress-ID: a87094f5863312d00938afba771d25f788c849d0 * ifdef new instance of sin6_scope_id Put inside HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID similar to existing instance. Should fix error on UnixWare 7. * upstream: make ssh hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This makes HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type.
spotted with dtucker@ ok markus@ OpenBSD-Commit-ID: 25bffe19f0326972f5728170f7da81d5f45c78c6 * upstream: factor out common code in the agent client Add a ssh_request_reply_decode() function that sends a message to the agent, reads and parses a success/failure reply. Use it for all requests that only expect success/failure ok markus@ OpenBSD-Commit-ID: e0c1f4d5e6cfa525d62581e2b8de93be0cb85adb * upstream: use recallocarray to allocate the agent sockets table; also clear socket entries that are being marked as unused. sprinkle in some debug2() spam to make it easier to watch an agent do its thing. ok markus OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922 * upstream: move check_host_cert() from sshconnect.c to sshkey.c and refactor it to make it more generally usable and testable. ok markus@ OpenBSD-Commit-ID: 536f489f5ff38808c1fa711ba58d4579b636f9e4 * upstream: make struct hostkeys public; I have no idea why I made it opaque originally. ok markus@ OpenBSD-Commit-ID: e50780b34d4bbe628d69b2405b024dd749d982f3 * upstream: more ssh-agent refactoring Allow confirm_key() to accept an additional reason suffix Factor publickey userauth parsing out into its own function and allow it to optionally return things it parsed out of the message to its caller. feedback/ok markus@ OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e * upstream: refactor key constraint parsing in ssh-agent Key constraints parsing code previously existed in both the "add regular key" and "add smartcard key" path. This unifies them but also introduces more consistency checking: duplicated constraints and constraints that are nonsensical for a particular situation (e.g. FIDO provider for a smartcard key) are now banned. ok markus@ OpenBSD-Commit-ID: 511cb1b1c021ee1d51a4c2d649b937445de7983c * Disable sntrup761 if compiler doesn't support VLAs. The sntrup761 code sourced from supercop uses variable length arrays.
Although widely supported, they are not part of the ANSI C89 spec so if the compiler does not support VLAs, disable the sntrup761x25519-sha512@openssh.com KEX method by replacing the kex functions with no-op ones similar to what we do in kexecdh.c. This should allow OpenSSH to build with a plain C89 compiler again. Spotted by tim@, ok djm@. * upstream: Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@ OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e * upstream: Remove unused variables leftover from refactoring. ok djm@ OpenBSD-Commit-ID: 8b3ad58bff828fcf874e54b2fc27a4cf1d9505e8 * upstream: move HostbasedAcceptedAlgorithms to the right place in alphabetical order OpenBSD-Commit-ID: d766820d33dd874d944c14b0638239adb522c7ec * upstream: Logical not bitwise or. ok djm@ OpenBSD-Commit-ID: d4dc855cf04951b93c45caa383e1ac9af0a3b0e5 * Run one test with -Werror to catch warnings. * Install moduli file before tests. Reduces warnings during test runs. * upstream: remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@ OpenBSD-Commit-ID: 7c4f200e112dae6bcf99f5bae1a5629288378a06 * upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@ OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68 * upstream: this needs kex.h now OpenBSD-Commit-ID: c5a42166c5aa002197217421a971e48be7cb5d41 * correct kex name in disabled code * upstream: fix leak: was double allocating kex->session_id buffer OpenBSD-Commit-ID: 3765f4cc3ae1df874dba9102a3588ba7b48b8183 * Remove whitespace. * Add test against openssl head and libressl head. * make with -j2 to use available CPUs. 
* support for running kex fuzzer with null cipher * fuzz diffie-hellman-group-exchange-sha1 kex too * upstream: give typedef'd struct a struct name; makes the fuzzer I'm writing a bit easier OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb * upstream: fix the values of enum sock_type OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd * upstream: add a SK_DUMMY_INTEGRATE define that allows the dummy security key middleware to be directly linked; useful for writing fuzzers, etc. OpenBSD-Regress-ID: 0ebd00159b58ebd85e61d8270fc02f1e45df1544 * some fixed test data (mostly keys) for fuzzing * move keys out of kex_fuzz.cc into separate header add certificates and missing key types * ssh-agent fuzzer * expect fuzz cases to have length prefix might make life a little easier for the fuzzer, e.g. it can now produce valid (multi-request) messages by smashing two cases together. * allow a fuzz case to contain more than one request loop until input buffer empty, no message consumed or 256 messages processed * upstream: Set linesize returned by getline to zero when freeing and NULLing the returned string. OpenBSD's getline handles this just fine, but some implementations used by -portable do not. ok djm@ OpenBSD-Commit-ID: 4d7bd5169d3397654247db9655cc69a9908d165c * upstream: more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078). 
ok markus@ OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def * upstream: memleak on error path; ok markus@ OpenBSD-Commit-ID: 2091a36d6ca3980c81891a6c4bdc544e63cb13a8 * upstream: fix memleaks in private key deserialisation; enforce more consistency between redundant fields in private key certificate and private key body; ok markus@ OpenBSD-Commit-ID: dec344e414d47f0a7adc13aecf3760fe58101240 * upstream: whitespace OpenBSD-Commit-ID: 544bb092e03fcbecb420196cd0f70af13ea868ad * upstream: Remove debug message from sigchld handler. While this works on OpenBSD it can cause problems on other platforms. From kircherlike at outlook.com via bz#3259, ok djm@ OpenBSD-Commit-ID: 3e241d7ac1ee77e3de3651780b5dc47b283a7668 * Deny (non-fatal) statx in preauth privsep child. * Using explicit_memset for the explicit_bzero compatibility layer. Favoring the native implementation in this case. * upstream: hostname is not specified by POSIX but uname -n is, so use the latter for portability. Patch from Geert Hendrickx via github PR#208. OpenBSD-Regress-ID: d6a79c7c4d141a0d05ade4a042eb57dddbce89f3 * upstream: Roll back the hostname->uname change in rev 1.10. It turns out uname -n doesn't do what we need for some platforms in portable, so we'll fix the original problem (that some other platforms don't have hostname at all) by providing a wrapper function to implement it. OpenBSD-Regress-ID: 827a707d6201d5a8e196a8c28aec1d2c76c52341 * Add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). They do have uname -n (which is), but as found by tim@ some others (eg UnixWare) do not report the FQDN from uname -n. * Add __NR_futex_time64 to seccomp sandbox. This is apparently needed for (some) 32 bit platforms with glibc 2.33. Patch from nix at esperi.org.uk and jjelen at redhat.com via bz#3260.
* upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own function and remove an unused variable; ok dtucker@ OpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559 * upstream: sftp: add missing lsetstat@openssh.com documentation patch from Mike Frysinger OpenBSD-Commit-ID: 9c114db88d505864075bfe7888b7c8745549715b * upstream: ProxyJump takes "none" to disable processing like ProxyCommand does ok djm@ jmc@ OpenBSD-Commit-ID: 941a2399da2193356bdc30b879d6e1692f18b6d3 * upstream: factor out opt_array_append; ok djm@ OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a * upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS ok djm@, dtucker@ OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c * upstream: Make sure puttygen is new enough to successfully run the PuTTY interop tests, otherwise skip them. OpenBSD-Regress-ID: 34565bb50b8aec58331ed02a5e9e0a9a929bef51 * Add self-hosted runners for VMs of other platforms. Github only hosts a limited number of platforms, and the runner code is only supported on a slightly wider range of platforms. To increase our test coverage beyond that, we run the runner natively on a VM host, where it runs jobs that boot VMs of other platforms, waits for them to come up then runs the build and test by ssh'ing into the guest. This means that the minimum dependencies for the guests are quite low (basically just sshd, a compiler and make). The interface to the VM host is fairly simple (basically 3 scripts: vmstartup, vmrun and vmshutdown), but those are specific to the VM host so are not in the public repo. We also mount the working directory on the host via sshfs, so things like artifact upload by the runner also work. As part of this we are moving the per-test-target configs into a single place (.github/configs) where they will be referenced by a single short "config" key. I plan to make the github-hosted runners use this too.
The self-hosted runners are run off a private repo on github since that prevents third parties from accessing them[0], and since runner quota is limited on private repos, we avoid running the tests we run on the public repo. [0] https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories * Only run selfhosted tests from selfhosted repo. * Convert most github hosted tests to new config structure. * Merge macos and ubuntu tests. * Skip unit tests on hosted VMs to speed things up. * More compact representation of config matrix. * Fix labels on targets (dots vs underscores). * Quote SSHD_CONFOPTS in case it contains spaces. * Always install moduli. Allows us to run tests without falling back to a fixed modulus. Ensure that the directory exists. * Remove SKIP_UNIT as it needs to be a make arg. * Skip unit tests on sol11 to speed things up. * don't free string returned by login_getcapstr(3) OpenBSD and NetBSD require the caller to free strings returned by the login_* functions, but FreeBSD requires that callers don't. Fortunately in this case, we can harmlessly leak as the process is about to exec the shell/command. From https://reviews.freebsd.org/D28617 via Ed Maste; ok dtucker@ * Install moduli on target not host. * Fixing quoting for installing moduli on target guest. * prefer login_getpwclass() to login_getclass() FreeBSD has login_getpwclass() that does some special magic for UID=0. Prefer this to login_getclass() as it's easier to emulate the former with the latter. Based on FreeBSD PR 37416 via Ed Maste; ok dtucker@ * support OpenSSL 3.x cipher IV API change OpenSSL renamed the "get current CIPHER_CTX" IV operation in 3.x. This uses the new name if available.
openssl/openssl#13411 bz#3238 ok dtucker@ * upstream: sftp-server: implement limits@openssh.com extension This is a simple extension that allows the server to clearly communicate transfer limits it is imposing so the client doesn't have to guess, or force the user to manually tune. This is particularly useful when an attempt to use too large of a value causes the server to abort the connection. Patch from Mike Frysinger; ok dtucker@ OpenBSD-Commit-ID: f96293221e5aa24102d9bf30e4f4ef04d5f4fb51 * upstream: unbreak SK_DEBUG builds from openssh#225 by ZenithalHourlyRate OpenBSD-Commit-ID: 28d7259ce1b04d025411464decfa2f1a097b43eb * upstream: make names in function prototypes match those in definition from openssh#225 by ZenithalHourlyRate OpenBSD-Commit-ID: 7c736307bf3f2c7cb24d6f82f244eee959485acd * upstream: Fix the hostkeys rotation extension documentation The documentation was lacking the needed want-reply field in the initial global request. openssh#218 by dbussink OpenBSD-Commit-ID: 051824fd78edf6d647a0b9ac011bf88e28775054 * Add bbone test target (arm32). * Add DEBUG_SK to kitchensink builds. * Remove unused arg. * Add fbsd12 test target. * Add test against Valgrind. * Actually run Valgrind tests. * Comment out Solaris 64bit PAM build... until I can figure out why it's failing. * Upload regress failure logs in c-cpp too. * Rename "vm" to "os" in selfhosted to match c-cpp. Should make it easier to share code or maybe merge at some point. * Upload valgrind logs on failure. * Disable rlimit sandbox, doesn't work with valgrind Only run regress tests, running unit tests as well makes it run longer than allowed by github. * upstream: warn when the user specifies a ForwardAgent path that does not exist and exit if ExitOnForwardFailure is set; bz3264 OpenBSD-Commit-ID: 72f7875865e723e464c71bf8692e83110699bf26 * Valgrind test: split and move up list.
Since the valgrind test takes so long it approaches the limit allowed by github, move it to the head of the list so it's the first one started and split the longest tests out into a second instance that runs concurrently with the first. * Add a couple more test VMs. * upstream: Correct reference to signature algorithms as keys; from Jakub Jelen OpenBSD-Commit-ID: 36f7ecee86fc811aa0f8e21e7a872eee044b4be5 * upstream: lots more s/key types/signature algorithms/ mostly in HostbasedAcceptedAlgorithms and HostKeyAlgorithms; prompted by Jakub Jelen OpenBSD-Commit-ID: 3f719de4385b1a89e4323b2549c66aae050129cb * upstream: Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms after their current names so that the config-dump mode finds and uses the current names. Spotted by Phil Pennock. OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15 * upstream: Rename pubkeyacceptedkeytypes to pubkeyacceptedalgorithms in test to match change to config-dump output. OpenBSD-Regress-ID: 74c9a4ad50306be873d032819d5e55c24eb74d5d * upstream: s/PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms/ OpenBSD-Regress-ID: 3dbc005fa29f69dc23d97e433b6dffed6fe7cb69 * restorecon the correct directory if using different path for authorized_keys file SSH-Copy-ID-Upstream: 791a3df47b48412c726bff6f7b1d190721e65d51 * use $AUTH_KEY_DIR, now that we have it since that was a change made since jjelen's commit was written also, quote the variables SSH-Copy-ID-Upstream: 588cd8e5cbf95f3443d92b9ab27c5d73ceaf6616 * if unable to add a missing newline, fail SSH-Copy-ID-Upstream: 76b25e18f55499ea9edb4c4d6dc4a80bebc36d95 * tidy the $INSTALLKEY_SH code layout a little SSH-Copy-ID-Upstream: 78178aa5017222773e4c23d9001391eeaeca8983 * Remove macos-11.0 from the test target list. It has been consistently failing for the past few days with a github actions internal error. 
* upstream: a bit more debugging behind #ifdef DEBUG_SK OpenBSD-Commit-ID: d9fbce14945721061cb322f0084c2165d33d1993 * Remove macos-11.00 PAM test target too. These are failing apparently due to some kind of infrastructure problem, making it look like every commit is busted. * upstream: remove this KEX fuzzer; it's awkward to use and doesn't play nice with popular fuzzing drivers like libfuzzer. AFAIK nobody has used it but me. OpenBSD-Regress-ID: cad919522b3ce90c147c95abaf81b0492ac296c9 * ssh: optional bind interface if bind address specified. Allows the -b and -B options to be used together. For example, when the interface is in the VRF. * detech BSD libc hash functions in libbsd / libmd Some Linux distributions are shipping the BSD-style hashing functions (e.g. SHA256Update) in libbsd and/or libmd. Detect this situation to avoid header/replacement clashes later. ok dtucker@ * Revert "ssh: optional bind interface if bind address specified." This reverts commit 5a878a7. Apologies - I accidentally pushed this. * Fix punctuatio and typo in README.md. Some very minor fixes, missing 's' and punctuation. * zlib is now optional. * upstream: fix alphabetic ordering of options; spotted by Iain Morgan OpenBSD-Commit-ID: f955fec617d74af0feb5b275831a9fee813d7ad5 * upstream: Do not try to reset signal handler for signal 0 in subprocess. Prevents spurious debug message. ok djm@ OpenBSD-Commit-ID: 7f9785e292dcf304457566ad4637effd27ad1d46 * upstream: Add %k to list of keywords. From =?UTF-8?q?=20Eero=20H=C3=A4kkinenvia=20bz#3267?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: 9c87f39a048cee2a7d1c8bab951b2f716256865e * Only upload config logs if configure fails. 
* upstream: openssh-8.5 OpenBSD-Commit-ID: 185e85d60fe042b8f8fa1ef29d4ef637bdf397d6 * update RPM spec version numbers * update relnotes URL * update depend * upstream: needs FILE*; from Mike Frysinger OpenBSD-Commit-ID: dddb3aa9cb5792eeeaa37a1af67b5a3f25ded41d * upstream: typo in other_hostkeys_message() display output, ok djm OpenBSD-Commit-ID: 276f58afc97b6f5826e0be58380b737603dbf5f5 * upstream: don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269 OpenBSD-Commit-ID: 99a30a8f1df9bd72be54e21eee5c56a0f050921a * upstream: Fix PRINT macro, the suffix param to sshlog() was missing. Also remove redundant __func__ prefix from PRINT calls as the macro already adds __FILE__, __func__ and __LINE__. From Christos Zoulas. OK dtucker@ OpenBSD-Commit-ID: 01fdfa9c5541151b5461d9d7d6ca186a3413d949 * Import regenerated moduli file. * Move generic includes outside of ifdef. This ensures that the macros in log.h are defined in the case where either of --with-solaris-projects or --with-solaris-privs are used without --with-solaris-contracts. bz#3278. * Allow (but return EACCES) fstatat64 in sandbox. This is apparently used in some configurations of OpenSSL when glibc has getrandom(). bz#3276, patch from Kris Karas, ok djm@ * upstream: Add TEST_SSH_MODULI_FILE variable to allow overriding of the moduli file used during the test run. OpenBSD-Regress-ID: be10f785263120edb64fc87db0e0d6570a10220a * upstream: no need to reset buffer after send_msg() as that is done for us; patch from Mike Frysinger OpenBSD-Commit-ID: 565516495ff8362a38231e0f1a087b8ae66da59c * upstream: Import regenerated moduli file. OpenBSD-Commit-ID: 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b * upstream: pwcopy() struct passwd that we're going to reuse across a bunch of library calls; bz3273 ok dtucker@ OpenBSD-Commit-ID: b6eafa977b2e44607b1b121f5de855107809b762 * upstream: Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX. 
This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@ OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66 * upstream: spelling OpenBSD-Commit-ID: 478bc3db04f62f1048ed6e1765400f3ab325e60f * Point TEST_SSH_MODULI_FILE at our own moduli. This will allow the test to run without requiring a moduli file installed at the configured default path. * Don't install moduli during tests. Now that we have TEST_SSH_MODULI_FILE pointing to the moduli in the soure directory we don't need to install the file to prevent warnings about it being missing. * Only call dh_set_moduli_file if using OpenSSL. Fixes link failure when configuring --without-openssl since dh.c is not linked in. * upstream: don't let logging clobber errno before use OpenBSD-Commit-ID: ce6cca370005c270c277c51c111bb6911e1680ec * upstream: increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are borderline nonsensical but not explicitly banned by the spec. Based on patch from Mike Frysinger, feedback deraadt@ ok dtucker@ OpenBSD-Commit-ID: 4e67d60d81bde7b84a742b4ee5a34001bdf80d9c * upstream: return non-zero exit status when killed by signal; bz#3281 ok dtucker@ OpenBSD-Commit-ID: 117b31cf3c807993077b596bd730c24da9e9b816 * gnome-ssh-askpass3 is a valid target here * upstream: do not advertise protocol extensions that have been disallowed by the command-line options (e.g. -p/-P/-R); ok dtucker@ OpenBSD-Commit-ID: 3a8a76b3f5131741aca4b41bfab8d101c9926205 * upstream: Use new limits@openssh.com protocol extension to let the client select good limits based on what the server supports. Split the download and upload buffer sizes to allow them to be chosen independently. In practice (and assuming upgraded sftp/sftp-server at each end), this increases the download buffer 32->64KiB and the upload buffer 32->255KiB. 
Patches from Mike Frysinger; ok dtucker@ OpenBSD-Commit-ID: ebd61c80d85b951b794164acc4b2f2fd8e88606c * upstream: split OpenBSD-Regress-ID: f6c03c0e4c58b3b9e04b161757b8c10dc8378c34 * upstream: add a test for misc.c:argv_split(), currently fails OpenBSD-Regress-ID: ad6b96d6ebeb9643b698b3575bdd6f78bb144200 * upstream: cannot effectively test posix-rename extension after changes in feature advertisment. OpenBSD-Regress-ID: 5e390bf88d379162aaa81b60ed86b34cb0c54d29 * missing bits from 259d648 * upstream: Fix two problems in string->argv conversion: 1) multiple backslashes were not being dequoted correctly and 2) quoted space in the middle of a string was being incorrectly split. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A unit test for these cases has already been committed prompted by and based on GHPR#223 by Eero Häkkinen; ok markus@ OpenBSD-Commit-ID: d7ef27abb4eeeaf6e167e9312e4abe9e89faf1e4 * upstream: unused variable OpenBSD-Commit-ID: 85f6a394c8e0f60d15ecddda75176f112007b205 * upstream: ensure that pkcs11_del_provider() is called before exit - some PKCS#11 providers get upset if C_Initialize is not matched with C_Finalize. From Adithya Baglody via GHPR#234; ok markus OpenBSD-Commit-ID: f8e770e03b416ee9a58f9762e162add900f832b6 * upstream: fix incorrect plural; from Ville Skyt =?UTF-8?q?t=C3=A4=20via=20GHPR#181?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: 92f31754c6296d8f403d7c293e09dc27292d22c9 * Save config.h and config.log on failure too. * upstream: whitespace (tab after space) OpenBSD-Commit-ID: 0e2b3f7674e985d3f7c27ff5028e690ba1c2efd4 * upstream: highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185 OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9 * polish whitespace for portable files * upstream: sync CASignatureAlgorithms lists with reality. 
GHPR#174 from Matt Hazinski OpenBSD-Commit-ID: f05e4ca54d7e67b90fe58fe1bdb1d2a37e0e2696 * upstream: typos in comments; GHPR#180 from Vill =?UTF-8?q?e=20Skytt=C3=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: 93c732381ae0e2b680c79e67c40c1814b7ceed2c * enable authopt and misc unit tests Neither were wired into the build, both required some build adaptations for -portable * Install libcbor with libfido2. * upstream: missing comma; from kawashima james OpenBSD-Commit-ID: 31cec6bf26c6db4ffefc8a070715ebef274e68ea * upstream: remove stray inserts; from matthias schmidt OpenBSD-Commit-ID: 2c36ebdc54e14bbf1daad70c6a05479a073d5c63 * upstream: Don't check return value of unsetenv(). It's part of the environment setup and not part of the actual test, and some platforms -portable runs on declare it as returning void, which prevents the test from compiling. OpenBSD-Regress-ID: 24f08543ee3cdebc404f2951f3e388cc82b844a1 * wrap getrlimit call in HAVE_GETRLIMIT; bz3291 * wrap struct rlimit in HAVE_GETRLIMIT too * upstream: include "ssherr.h" not <ssherr.h>; from Balu Gajjala via bz#3292 OpenBSD-Commit-ID: e9535cd9966eb2e69e73d1ede1f44905c30310bd * Further split Valgrind tests. Even split in two, the Valgrind tests take by far the longest to run, so split them four ways to further increase parallelism. * Move the TEST_SSH_PORT section down a bit. This groups the portable-specific changes together and makes it a little more likely that patches will apply cleanly. * upstream: Add TEST_SSH_ELAPSED_TIMES environment variable to print the elapsed time in seconds of each test. This depends on "date +%s" which is not specified by POSIX but is commonly implemented. OpenBSD-Regress-ID: ec3c8c19ff49b2192116a0a646ee7c9b944e8a9c * Move make_tmpdir() into portable-specific area. Reduces diff vs OpenBSD and makes it more likely diffs will apply cleanly. * Remove only use of warn(). 
The warn() function is only used in one place in portable and does not exist upstream. Upgrade the only instance it's used to fail() (the privsep/sandbox+proxyconnect, from back when that was new) and remove the now-unused function. * ifdef out MIN and MAX. In -portable, defines.h ensures that these are defined, so redefining potentially causes a warning. We don't just delete it to make any future code syncs a little but easier. bz#3293. * Run unit tests under valgrind. Run a separate build for the unit tests under Valgrind. They take long enough that running in parallel with the other Valgrind tests helps. * Add pattern for valgrind-unit. * Pass OBJ to unit test make invocation. At least the Valgrind unit tests uses $OBJ. * Ensure valgrind-out exists. Normally the regress tests would create it, but running the unit tests on their own would fail because the directory did not exist. * dedicated gnome-ssk-askpass3 source Compatibility with Wayland requires that we use the gdk_seat_grab() API for grabbing mouse/keyboard, however these API don't exist in Gtk+2. This branches gnome-ssk-askpass2.c => gnome-ssk-askpass3.c and makes the changes to use the gdk_seat_grab() instead of grabbing mouse/focus separately via GDK. In the future, we can also use the branched file to avoid some API that has been soft-deprecated in GTK+3, e.g. gtk_widget_modify_fg * perform report_failed_grab() inline * sshd don't exit on transient read errors openssh-8.5 introduced a regression that would cause sshd to exit because of transient read errors on the network socket (e.g. EINTR, EAGAIN). 
Reported by balu.gajjala AT gmail.com via bz3297 * upstream: do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@ OpenBSD-Commit-ID: 85ae5c063845c410283cbdce685515dcd19479fa * upstream: openssh-8.6 OpenBSD-Commit-ID: b5f3e133c846127ec114812248bc17eff07c3e19 * crank version in README and RPM spec files * depend Co-authored-by: Darren Tucker <dtucker@dtucker.net> Co-authored-by: djm@openbsd.org <djm@openbsd.org> Co-authored-by: dtucker@openbsd.org <dtucker@openbsd.org> Co-authored-by: Damien Miller <djm@mindrot.org> Co-authored-by: tobhe@openbsd.org <tobhe@openbsd.org> Co-authored-by: tb@openbsd.org <tb@openbsd.org> Co-authored-by: jmc@openbsd.org <jmc@openbsd.org> Co-authored-by: anatasluo <luolongjuna@gmail.com> Co-authored-by: rob@openbsd.org <rob@openbsd.org> Co-authored-by: naddy@openbsd.org <naddy@openbsd.org> Co-authored-by: Luca Weiss <luca@z3ntu.xyz> Co-authored-by: David Carlier <devnexen@gmail.com> Co-authored-by: dlg@openbsd.org <dlg@openbsd.org> Co-authored-by: markus@openbsd.org <markus@openbsd.org> Co-authored-by: Jakub Jelen <jjelen@redhat.com> Co-authored-by: Philip Hands <phil@hands.com> Co-authored-by: Dmitrii Turlupov <dturlupov@factor-ts.ru> Co-authored-by: Jeffrey H. Johnson <61629094+johnsonjh@users.noreply.github.com> Co-authored-by: sthen@openbsd.org <sthen@openbsd.org> Co-authored-by: millert@openbsd.org <millert@openbsd.org> Co-authored-by: jsg@openbsd.org <jsg@openbsd.org>
I am working on a project where I have to integrate both OpenSSL & OpenSSH and I have been experiencing a similar symptom to what is described with the try-ciphers script in #9524. I can SSH into my system if it's AESGCM, but not with AESCTR.
I've been trying to debug-by-printf (ugh) this situation from OpenSSH side, and I think I have some idea of what happened.
I added some tracing to various routines within OpenSSH. I discovered that the context was getting called with some IV, then we would encrypt / decrypt a handful of times, then OpenSSH tries to marshal the state (key, IV, etc) via a blob to an inferior process. When it does this, I observed it was sending out the original IV, and not the running IV.
In the LibreSSL compatibility layer of OpenSSH, there is an EVP_CIPHER_CTX_get_iv() routine. This overlaps with an OpenSSL routine of the same name, of course... so with the right defines / configuration it calls into the OpenSSL one instead. But looking at the LibreSSL routine is instructive...
It seems, at least to me, that the above is meant to get the running IV and not the original IV.
When I modified the OpenSSH call to EVP_CIPHER_CTX_get_iv() and instead had it call EVP_CIPHER_CTX_get_iv_state(), it fixed the problem as observed in my setup.
There is some subsequent discussion in #9524 about the merits of changing the name(s) before beta. I'll let project members move salient discussion points along those lines into this issue as needed...
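The failure mode in the report above (the inferior process receiving the original IV instead of the running one), as an added example that is not part of the issue, of OpenSSL or of OpenSSH. It is written in Python with an HMAC-SHA256 block function standing in for AES so it runs without libcrypto; the names CtrCipher, handoff and simulate are the example's own.

```python
"""Added example, not code from this issue, OpenSSL or OpenSSH.

OpenSSH marshals a cipher's (key, IV) to an inferior process. If the blob
carries the *original* IV rather than the *running* counter, the child
restarts the keystream: the peer can no longer decrypt and keystream is
reused. HMAC-SHA256 truncated to 16 bytes is a constructed stand-in for AES
so this runs without libcrypto; the counter handling mirrors AES-CTR
(128-bit big-endian counter, incremented once per block).
"""
import hashlib
import hmac

BLOCK = 16


def ctr_increment(counter):
    """Big-endian 128-bit increment with wrap-around."""
    n = (int.from_bytes(counter, "big") + 1) & ((1 << 128) - 1)
    return n.to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class CtrCipher:
    """CTR mode that keeps both IVs the 3.0-alpha accessors distinguished."""

    def __init__(self, key, iv):
        self.key = key
        self.original_iv = iv  # what EVP_CIPHER_CTX_get_iv() returned
        self.iv_state = iv     # EVP_CIPHER_CTX_get_iv_state(): advances per block

    def crypt(self, data):
        """XOR whole blocks with the keystream (encrypt and decrypt alike)."""
        if len(data) % BLOCK:
            raise ValueError("whole blocks only in this example")
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            ks = hmac.new(self.key, self.iv_state, hashlib.sha256).digest()[:BLOCK]
            out += xor(data[i:i + BLOCK], ks)
            self.iv_state = ctr_increment(self.iv_state)
        return bytes(out)


def handoff(parent, use_running_iv):
    """Rebuild the context in the 'child' from the marshalled (key, iv)."""
    iv = parent.iv_state if use_running_iv else parent.original_iv
    return CtrCipher(parent.key, iv)


def simulate(use_running_iv):
    """Return (peer_can_decrypt, keystream_reused) for block 3 after hand-off."""
    key = b"\x2a" * 32          # constructed fixed key
    iv = bytes(15) + b"\xfe"    # near wrap, so the increment carries
    msgs = [b"block number one", b"block number two", b"block number 3!!"]
    enc, dec = CtrCipher(key, iv), CtrCipher(key, iv)
    cts = [enc.crypt(m) for m in msgs[:2]]   # two blocks before the hand-off
    for ct in cts:
        dec.crypt(ct)                        # peer stays in sync
    ct3 = handoff(enc, use_running_iv).crypt(msgs[2])
    peer_ok = dec.crypt(ct3) == msgs[2]
    # Original IV => block 3 reuses block 1's keystream: ct1 ^ ct3 == m1 ^ m3.
    reused = xor(cts[0], ct3) == xor(msgs[0], msgs[2])
    return peer_ok, reused
```

With the running IV the peer keeps decrypting; with the original IV the session desynchronises and, worse, the child emits ciphertext under an already-used counter, which is the nonce reuse CTR mode must never allow.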