IABSD.fr/src/usr.bin

Branch :


Log

Author Commit Date CI Message
6541b77c 2023-08-11 05:02:21 Switch rcs_{get,set}_mtime() from returning and taking a time_t to doing so with a struct timespec and then use tv_nsec = UTIME_OMIT instead of a (time_t)-1 as a "do nothing" value. They can then fully preserve the timestamp ok millert@
fd71e6a3 2023-08-11 04:48:14 cvs_file_copy() used futimes(), but only set the tv_sec fields, which presumably meant passing stack garbage in the tv_usec and failing with EINVAL, whee. Switch to futimens() and set the full timespecs from the incoming struct stat ok millert@
79b54589 2023-08-11 04:45:05 Replace use of the old BSD st_*timespec members in struct stat with the POSIX-standard st_*tim members. ok millert@
03d5d688 2023-08-11 04:44:28 When used by itself, replace use of the old BSD st_mtimespec.tv_sec member in struct stat with for-all-time st_mtime member. ok millert@
3e579263 2023-08-10 23:05:48 better debug logging of sessions' exit status
f17d0bb0 2023-08-10 14:37:32 drop a wayward comma, ok jmc@
90e9bc0b 2023-08-10 10:56:34 document .VARIABLES
d4eb5638 2023-08-10 10:52:43 Add support for .VARIABLES, to which I have use. This is an extension but also exists in gnu-make. okay millert@, kn@, thfr@ (I've added an XXX comment on top of the patch you've seen, no actual further code change)
4bd1fa4c 2023-08-10 01:01:07 openssh-9.4
e49f8566 2023-08-08 08:21:29 Add flag to next-prompt/previous-prompt to go to command output instead, from Magnus Gross.
17d7ce67 2023-08-08 08:08:47 Add options and flags for menu styles similar to those existing for popups, from Alexis Hildebrandt. GitHub issue 3650.
e340e6cc 2023-08-08 07:41:04 Extend the menu drawing function to support custom characters and styles, from Alexis Hildebrandt.
47712579 2023-08-08 07:19:48 Fix a couple of rounded border characters, from Alexis Hildebrandt.
4b5f3832 2023-08-07 10:52:00 Free title earlier, from Alexis Hildebrandt.
0803d750 2023-08-07 10:04:29 Trim can generate strings longer than the original if there are many #s, so create a bigger buffer. Reported by Robert Morris.
fa7c2eee 2023-08-06 19:36:13 Prefer the POSIX standard st_*tim struct timespec members over the older BSD st_*timespec names. ok millert@
a4b17896 2023-08-06 19:33:54 Apply rev 1.29 from NetBSD: ----- Don't printf time_t with %d; fixes PR 44128 from yamt. With this change it successfully prints mtimes after 2038. ----- ok millert@
1fa342e1 2023-08-04 06:32:40 Apply ConnectTimeout to multiplexing local socket connections. If the multiplex socket exists but the connection times out, ssh will fall back to a direct connection the same way it would if the socket did not exist at all. ok djm@
270e7910 2023-08-02 23:04:38 CheckHostIP has defaulted to 'no' for a while; make the commented- out config option match. From Ed Maste
bc597a2f 2023-08-01 08:15:04 remove unnecessary if statement. github PR#422 from eyalasulin999, ok djm@
f7c26a86 2023-07-29 17:15:45 Drop unused conf, pem, and x509 headers, add unistd for pledge
3829959e 2023-07-28 05:42:36 %C is a callable macro in mdoc(7) so, as we do for %D, escape it;
2c6bff6f 2023-07-27 22:26:49 don't incorrectly truncate logged strings retrieved from PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus
ce44d278 2023-07-27 22:25:17 make sshd_config AuthorizedPrincipalsCommand and AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection address/port 4-tuple) as expansion sequences; ok markus
49771933 2023-07-27 22:23:05 increase default KDF work-factor for OpenSSH format private keys from 16 to 24; { feedback ok } x { deraadt markus }
418576f2 2023-07-27 07:01:50 Remove antiquated options output This is uninteresting and rather meaningless except for the implementer. No need to have several hundred lines of code backing half a dozen symbols in the public API for this. ok jsing
e39a844e 2023-07-26 23:06:00 make ssh -f (fork after authentication) work properly in multiplexed cases (inc. ControlPersist). bz3589 bz3589 Based on patches by Peter Chubb; ok dtucker@
935597db 2023-07-23 20:04:45 man page typos; ok jmc@
440d1414 2023-07-23 11:39:29 sprinkle some void between () in function definitions
3228b0c4 2023-07-23 11:20:11 Remove -stats option from openssl(1) errstr. This is the only consumer of ERR_get_string_table(), which will go away. ok jsing
646fc284 2023-07-20 05:43:39 tweak the allow-remote-pkcs11 text;
c3ac409d 2023-07-19 14:03:45 Separate ssh-pkcs11-helpers for each p11 module Make ssh-pkcs11-client start an independent helper for each provider, providing better isolation between modules and reliability if a single module misbehaves. This also implements reference counting of PKCS#11-hosted keys, allowing ssh-pkcs11-helper subprocesses to be automatically reaped when no remaining keys reference them. This fixes some bugs we have that make PKCS11 keys unusable after they have been deleted, e.g. https://bugzilla.mindrot.org/show_bug.cgi?id=3125 ok markus@
f8f5a6b0 2023-07-19 14:02:27 Ensure FIDO/PKCS11 libraries contain expected symbols This checks via nlist(3) that candidate provider libraries contain one of the symbols that we will require prior to dlopen(), which can cause a number of side effects, including execution of constructors. Feedback deraadt; ok markus
7bc29a9d 2023-07-19 13:56:33 Disallow remote addition of FIDO/PKCS11 provider libraries to ssh-agent by default. The old behaviour of allowing remote clients from loading providers can be restored using `ssh-agent -O allow-remote-pkcs11`. Detection of local/remote clients requires a ssh(1) that supports the `session-bind@openssh.com` extension. Forwarding access to a ssh-agent socket using non-OpenSSH tools may circumvent this control. ok markus@
f03a4faa 2023-07-19 13:55:53 terminate process if requested to load a PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
311f4bd0 2023-07-19 13:26:20 Partially fix interactive mode in patch If ask() can't open /dev/tty for reading, it assumes the default answer and carries on. Add missing unveil, so that ask() waits for an answer. This isn't a full fix since it won't allow giving paths outside the tree rooted at the current directory, but that's expected by the recent change. Questions are only asked outside of force or batch mode. fix suggested by op and semarie ok deraadt florian
bdc25a05 2023-07-19 13:03:36 Correct visited flag when the last window list is rebuilt by renumbering windows, appears to fix hang reported by Mark Kelly.
fdddc64a 2023-07-17 06:16:33 missing match localnetwork negation check
66d544a9 2023-07-17 05:41:53 - add -P to usage() - sync the arg name to -J in usage() with that in ssh.1 - reformat usage() to match what "man ssh" does on 80width
a6e39761 2023-07-17 05:38:10 -P before -p in SYNOPSIS;
75e4a6d8 2023-07-17 05:36:14 configuation -> configuration
254cc503 2023-07-17 05:26:38 move other RCSIDs to before their respective license blocks too no code change
f981e348 2023-07-17 05:22:30 Move RCSID to before license block and away from #includes, where it caused merge conflict in -portable for each commit :(
83e109d2 2023-07-17 05:20:15 return SSH_ERR_KRL_BAD_MAGIC when a KRL doesn't contain a valid magic number and not SSH_ERR_MESSAGE_INCOMPLETE; the former is needed to fall back to text revocation lists in some cases; fixes t-cert-hostkey.
e41e10e3 2023-07-17 04:08:31 Add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. ok markus
af0d252a 2023-07-17 04:04:36 add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location (e.g. to use a ProxyJump when not on a particular network). ok markus@
a63bc561 2023-07-17 04:01:10 remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. Now, some years later, we have SSHSIG support in ssh-keygen that is more general, well tested and actually works. So this removes the semi-finished KRL signing/verification support from OpenSSH and refactors the remaining code to realise the benefit - primarily, we no longer need to perform multiple parsing passes over KRL objects. ok markus@
95561aef 2023-07-17 03:57:21 Support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. ok markus
cea35e79 2023-07-16 03:01:31 Make the mbstat preserve the same size which is actually used. Also revert the previous that the mbstat is located on the stack. ok claudio
4d951e93 2023-07-15 10:42:54 Prevent patch(1) from scribbling all over the place. Arguably the only sensible use of patch(1) is changing files in the current working directory and subdirectories. However, patch(1) has this anti-feature, or dare I say bug, where it will happily follow "../" upwards and outside of the current working directory to find files to change. All it takes is a line like +++ ../../../../home/florian/.ssh/authorized_keys in the patchfile. patch(1) operates on untrusted input and it already pledge(2)'ed to not execute arbitrary programs, but of course it needs to write files. A simple unveil(".", "rwc") restricts patch(1) to its current working directory. We also need to allow /tmp and potentially the output file and reject file if given on the command line. But those paths are safe. input op, deraadt OK millert, sthen
b514c1a1 2023-07-14 19:32:59 Set extended keys flag again after reset, from Eric T Johnson.
1557ddea 2023-07-14 07:44:21 Include stdint.h for SIZE_MAX. Fixes OPENSSL=no build.
eacd9bb8 2023-07-14 05:31:44 add defence-in-depth checks for some unreachable integer overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@
f353bcb0 2023-07-13 06:03:48 Use 8 for underscore colour defaults instead of 0 which is less confusing, and fix writing tge default colour. GitHub issue 3627.
f344f57b 2023-07-12 15:45:34 Don't run off the end of path if it ends in /. OK op, sthen
ce198a4a 2023-07-12 15:44:47 basename(3) can fail, prevent segfault in strlen(3). OK tb, sthen
24f68354 2023-07-12 11:26:13 Use ssize_t instead of short for line lengths sthen hit a binary patch containing a 'line' of length > 32kB. This made the short used for storing the line length wrap and resulted in a buffer underflow and segfault. This uses a larger type, which doesn't actually fix the problem, but makes it much less likely to be hit. ok florian otto sthen
9b09dd35 2023-07-11 16:09:09 Remove Ns and Li and change Nm to Ic, suggested by jmc.
23aaa182 2023-07-11 07:34:23 Add descriptions of copy mode commands, from Michael Bianco.
eb36563f 2023-07-10 12:00:08 It should no longer be necessary to ignore SIGCHLD because it is now blocked around daemon(), and doing so causes trouble with newer libevent (it cannot restore the original handler). Reported by Azat Khuzhin in GitHub issue 3626.
bc5de943 2023-07-10 09:35:46 Loop around waitpid in client, from Azat Khuzhin.
da9bce4f 2023-07-10 09:29:48 finish v5.36, UList was a bit more work
a0aa010a 2023-07-10 09:24:53 Use a stack for last panes line windows, from Thomas Bertschinger in GitHub issue 3588.
611ae5ac 2023-07-10 04:51:26 misplaced debug message
b3dc7a2c 2023-07-09 22:54:52 Call closefrom after removing signals because newer libevent doesn't like its signal fd being closed Azat Khuzhin.
ea5a4cac 2023-07-08 21:51:45 max_processes -> max_jobs in usage();
93d8fa4c 2023-07-08 18:42:27 nitpicking: singular of children is child
301af155 2023-07-08 18:02:00 talk about "jobs" because that's make knows, and mention the heuristics about the recursive non exploding kitten recursive behavior outside of BUGS. okay naddy@, jca@
209510b6 2023-07-08 08:45:54 cosmetic clean-up of UList.pm, no signatures yet remove prototype that's actually unused, since method call
0a6aab58 2023-07-08 08:15:32 move everyone besides UList to use v5.36
032e1cec 2023-07-07 14:17:34 Expand the counters in struct mbstat from u_short to u_long. ok blumn mvs
f1b80c89 2023-07-07 09:15:13 Use "llu%" for printing the uint64_t fields in tcpcb. ok blumn
228cff34 2023-07-06 22:17:59 minleft and maxsign are u_int so cast appropriately. Prompted by github PR#410, ok deraadt.
f41ccc36 2023-07-06 08:29:26 start moving a few files to use v5.36; (this went through a full bulk)
d2364f60 2023-07-04 11:34:19 The recent change to DIOCGETRULE allows applications which periodically read rules from pf(4) to consume all kernel memory. The bug has been discovered and root caused by florian@. In this particular case it was snmpd(8) what ate all kernel memory. This commit introduces DIOCXEND to pf(4) so applications such as snmpd(8) and systat(1) to close ticket/transaction when they are done with fetching the rules. This change also updates snmpd(8) and systat(1) to use newly introduced DIOCXEND ioctl(2). OK claudio@, deraadt@, kn@
fe20b749 2023-07-04 03:59:21 add support for unix domain sockets to ssh -W ok djm@ dtucker@
cbbd91a4 2023-07-03 16:47:43 Add support for marking lines with a shell prompt based on the OSC 133 extension, from Munif Tanjim in GitHub issue 3596.
2cba1c74 2023-07-03 10:48:26 Do not risk writing over the end of the buffer when it ends in # (because strchr \0 will be non-NULL), reported by Robert Morris in GitHub issue 3610.
fb770183 2023-07-03 08:37:22 some minor fix up;
423d19d0 2023-07-03 08:37:14 Another warning fix for GCC from Thomas Klausner.
b5c24d4f 2023-07-03 08:03:56 Bring back no_tls1 and no_tls1_1 as undocumented silently discarded opitons While I'm here, change the no_ssl2 and no_ssl3 options to use OPTION_DISCARD as well instead of continuing to set a no-op option flag. ok jsing@ tb@
91e7614a 2023-07-03 06:22:07 Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit ok tb@
a3c0391f 2023-07-02 19:59:15 Use TSO and LRO on the loopback interface to transfer TCP faster. If tcplro is activated on lo(4), ignore the MTU with TCP packets. They are passed along with the information that they have to be chopped in case they are forwarded later. New netstat(1) counter shows that software LRO is in effect. The feature is currently turned off by default. tested by jan@; OK claudio@ jan@
df970faa 2023-07-02 07:08:57 Teach openssl ca about Ed25519 certificates This adds a few logic curlies to end up setting the EVP_MD to EVP_md_null() as required by the API. This way ASN1_item_sign() now knows how to behave. "ok = (rv == 2);" beck
d348a60a 2023-07-02 07:05:14 Teach openssl req about EdDSA certs After a few things in libcrypto were adjusted, this diff makes issuing certificate requests with Ed25519 work. ok beck
6af87e9a 2023-06-30 21:55:08 Change a few types to fix warnings, from Thomas Klausner.
e3eeb0f8 2023-06-30 13:19:32 Get rid of some warnings with GCC 10, from Thomas Klausner.
40542d6f 2023-06-28 17:36:51 revert makefile change included by mistake in previous
1ff56c59 2023-06-28 17:35:06 drop needless strcspn in the header parsing since fetch.c revision 1.211, ftp removes trailingwhitespaces early so there's no need to re-do that when parsing a header. while here, remove an unused variable too. ok tb, millert
e846c64d 2023-06-28 11:07:28 fix parsing of the Last-Modified header Was overlooked in r1.209. diff from 'a dog' (OpenBSD [at] anthropomorphic [dot] dog) ok tb, sthen
4807cddd 2023-06-28 08:37:52 add `notab' to the list of modes that can be set with set-default-mode specify also that it can be set globally with set-default-mode, as done in the description of the other built-in modes. Diff from Simon Branch (that I got via jmc@), thanks!
37e1ec45 2023-06-26 08:14:19 When exiting alternate screen, there is no need to reflow when going back to old size since the contents will be overwritten. GitHub issue 3510.
f0daa7d1 2023-06-26 07:17:40 Add "us" to styles for underscore colour, GitHub issue 3589.
c3035900 2023-06-25 15:53:07 SGR 0 should not end hyperlink, reported by Lucas Trzesniewski.
80ddc267 2023-06-23 15:06:45 Fix a bug in ex's 's' command with the 'c' flag when 'number' is off. The underlining was positioned in the wrong place. This fixes the problem and matches historic ex behavior. OK op@
0b091dd3 2023-06-21 06:28:18 Check fdopen return value, from Christian Menges.
fd6d8a57 2023-06-21 05:10:26 better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. part of bz3577; ok dtucker@
7800c160 2023-06-21 05:08:32 make `ssh -Q CASignatureAlgorithms` only list signature algorithms that are valid for CA signing. Previous behaviour was to list all signing algorithms, including certificate algorithms (OpenSSH certificates do not support CA chains). part of bz3577; ok dtucker@
cdc6f5c1 2023-06-21 05:06:04 handle rlimits > INT_MAX (rlim_t is u64); ok dtucker bz3581
5f60496e 2023-06-20 23:59:33 prepare for support for connecting to unix domain sockets using ssh -W by explicitly decoding PORT_STREAMLOCAL (a negative number) from the u32 that's passed over the multiplexing socket; previously code would just cast, which is UB.