author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-08-26 09:27:05 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-08-26 09:27:05 +0000 |
commit | a7a7e85cd3829fe5c5348d8fbd25e98c3b315b58 (patch) | |
tree | 34ddb85735a7fec244e86171995167e702b46838 | |
parent | d994eeedda788efc28b630e10a33548453293473 (diff) |
Vendor import of OpenSSH 7.1p1.vendor/openssh/7.1p1
Notes
Notes:
svn path=/vendor-crypto/openssh/dist/; revision=287158
svn path=/vendor-crypto/openssh/7.1p1/; revision=287159; tag=vendor/openssh/7.1p1
-rw-r--r-- | ChangeLog | 249 | ||||
-rw-r--r-- | README | 6 | ||||
-rw-r--r-- | auth.c | 4 | ||||
-rw-r--r-- | compat.c | 15 | ||||
-rw-r--r-- | contrib/README | 2 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 2 | ||||
-rw-r--r-- | contrib/suse/openssh.spec | 2 | ||||
-rw-r--r-- | dns.c | 4 | ||||
-rw-r--r-- | mux.c | 6 | ||||
-rw-r--r-- | packet.c | 6 | ||||
-rw-r--r-- | sftp-server.c | 6 | ||||
-rw-r--r-- | sftp.c | 6 | ||||
-rw-r--r-- | ssh-keygen.0 | 6 | ||||
-rw-r--r-- | ssh-keygen.1 | 8 | ||||
-rw-r--r-- | ssh-keygen.c | 5 | ||||
-rw-r--r-- | ssh-pkcs11-helper.c | 6 | ||||
-rw-r--r-- | ssh_config.0 | 4 | ||||
-rw-r--r-- | ssh_config.5 | 6 | ||||
-rw-r--r-- | sshconnect.c | 4 | ||||
-rw-r--r-- | sshd.c | 4 | ||||
-rw-r--r-- | sshd_config.0 | 8 | ||||
-rw-r--r-- | sshd_config.5 | 10 | ||||
-rw-r--r-- | sshkey.c | 3 | ||||
-rw-r--r-- | version.h | 4 |
24 files changed, 191 insertions, 185 deletions
diff --git a/ChangeLog b/ChangeLog
index ed0502115658..0e0dd8787da1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,121 @@ +commit e91346dc2bbf460246df2ab591b7613908c1b0ad +Author: Damien Miller <djm@mindrot.org> +Date: Fri Aug 21 14:49:03 2015 +1000 + + we don't use Github for issues/pull-requests + +commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Aug 21 14:43:55 2015 +1000 + + fix URL for connect.c + +commit d026a8d3da0f8186598442997c7d0a28e7275414 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Aug 21 13:47:10 2015 +1000 + + update version numbers for 7.1 + +commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Aug 21 03:45:26 2015 +0000 + + upstream commit + + openssh-7.1 + + Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f + +commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Aug 21 03:42:19 2015 +0000 + + upstream commit + + fix inverted logic that broke PermitRootLogin; reported + by Mantas Mikulenas; ok markus@ + + Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5 + +commit ce445b0ed927e45bd5bdce8f836eb353998dd65c +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Thu Aug 20 22:32:42 2015 +0000 + + upstream commit + + Do not cast result of malloc/calloc/realloc* if stdlib.h + is in scope ok krw millert + + Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667 + +commit 05291e5288704d1a98bacda269eb5a0153599146 +Author: naddy@openbsd.org <naddy@openbsd.org> +Date: Thu Aug 20 19:20:06 2015 +0000 + + upstream commit + + In the certificates section, be consistent about using + "host_key" and "user_key" for the respective key types. 
ok sthen@ deraadt@ + + Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb + +commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Aug 19 23:21:42 2015 +0000 + + upstream commit + + Better compat matching for WinSCP, add compat matching + for FuTTY (fork of PuTTY); ok markus@ deraadt@ + + Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389 + +commit ec6eda16ebab771aa3dfc90629b41953b999cb1e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Aug 19 23:19:01 2015 +0000 + + upstream commit + + fix double-free() in error path of DSA key generation + reported by Mateusz Kocielski; ok markus@ + + Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c + +commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Aug 19 23:18:26 2015 +0000 + + upstream commit + + fix free() of uninitialised pointer reported by Mateusz + Kocielski; ok markus@ + + Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663 + +commit c837643b93509a3ef538cb6624b678c5fe32ff79 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Aug 19 23:17:51 2015 +0000 + + upstream commit + + fixed unlink([uninitialised memory]) reported by Mateusz + Kocielski; ok markus@ + + Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109 + +commit 1f8d3d629cd553031021068eb9c646a5f1e50994 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Aug 14 15:32:41 2015 +0000 + + upstream commit + + match myproposal.h order; from brian conway (i snuck in a + tweak while here) + + ok dtucker + + Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67 + commit 1dc8d93ce69d6565747eb44446ed117187621b26 Author: deraadt@openbsd.org <deraadt@openbsd.org> Date: Thu Aug 6 14:53:21 2015 +0000 
@@ -9013,134 +9131,3 @@ Date: Wed Aug 28 12:49:43 2013 +1000 - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. - -commit f2f6c315a920a256937e1b6a3702757f3195a592 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:44:58 2013 +1000 - - - jmc@cvs.openbsd.org 2013/08/20 06:56:07 - [ssh.1 ssh_config.5] - some proxyusefdpass tweaks; - -commit 1262b6638f7d01ab110fd373dd90d915c882fe1a -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:44:24 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/20 00:11:38 - [readconf.c readconf.h ssh_config.5 sshconnect.c] - Add a ssh_config ProxyUseFDPass option that supports the use of - ProxyCommands that establish a connection and then pass a connected - file descriptor back to ssh(1). This allows the ProxyCommand to exit - rather than have to shuffle data back and forth and enables ssh to use - getpeername, etc. to obtain address information just like it does with - regular directly-connected sockets. ok markus@ - -commit b7727df37efde4dbe4f5a33b19cbf42022aabf66 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:43:49 2013 +1000 - - - jmc@cvs.openbsd.org 2013/08/14 08:39:27 - [scp.1 ssh.1] - some Bx/Ox conversion; - 
From: Jan Stary - -commit d5d9d7b1fdacf0551de4c747728bd159be40590a -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:43:27 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/13 18:33:08 - [ssh-keygen.c] - another of the same typo - -commit d234afb0b3a8de1be78cbeafed5fc86912594c3c -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:42:58 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/13 18:32:08 - [ssh-keygen.c] - typo in error message; from Stephan Rickauer - -commit e0ee727b8281a7c2ae20630ce83f6b200b404059 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:42:35 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/09 03:56:42 - [sftp.c] - enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; - matching ksh's relatively recent change. - -commit fec029f1dc2c338f3fae3fa82aabc988dc07868c -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:42:12 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/09 03:39:13 - [sftp-client.c] - two problems found by a to-be-committed regress test: 1) msg_id was not - being initialised so was starting at a random value from the heap - (harmless, but confusing). 2) some error conditions were not being - propagated back to the caller - -commit 036d30743fc914089f9849ca52d615891d47e616 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:41:46 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/09 03:37:25 - [sftp.c] - do getopt parsing for all sftp commands (with an empty optstring for - commands without arguments) to ensure consistent behaviour - -commit c7dba12bf95eb1d69711881a153cc286c1987663 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:41:15 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/08 05:04:03 - [sftp-client.c sftp-client.h sftp.c] - add a "-l" flag for the rename command to force it to use the silly - standard SSH_FXP_RENAME command instead of the POSIX-rename- like - posix-rename@openssh.com extension. - - intended for use in regress tests, so no documentation. 
- -commit 034f27a0c09e69fe3589045b41f03f6e345b63f5 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:40:44 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/08 04:52:04 - [sftp.c] - fix two year old regression: symlinking a file would incorrectly - canonicalise the target path. bz#2129 report from delphij AT freebsd.org - -commit c6895c5c67492144dd28589e5788f783be9152ed -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:40:21 2013 +1000 - - - jmc@cvs.openbsd.org 2013/08/07 06:24:51 - [sftp.1 sftp.c] - sort -a; - -commit a6d6c1f38ac9b4a5e1bd4df889e1020a8370ed55 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:40:01 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/06 23:06:01 - [servconf.c] - add cast to avoid format warning; from portable - -commit eec840673bce3f69ad269672fba7ed8ff05f154f -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:39:39 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/06 23:05:01 - [sftp.1] - document top-level -a option (the -a option to 'get' was already - documented) - -commit 02e878070d0eddad4e11f2c82644b275418eb112 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Aug 21 02:38:51 2013 +1000 - - - djm@cvs.openbsd.org 2013/08/06 23:03:49 - [sftp.c] - fix some whitespace at EOL - make list of commands an enum rather than a long list of defines - add -a to usage() @@ -1,4 +1,8 @@ -See http://www.openssh.com/txt/release-7.0 for the release notes. +See http://www.openssh.com/txt/release-7.1 for the release notes. + +Please read http://www.openssh.com/report.html for bug reporting +instructions and note that we do not use Github for bug reporting or +patch/pull-request management. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */ +/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -354,7 +354,7 @@ auth_root_allowed(const char *method) case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || strcmp(method, "hostbased") == 0 || - strcmp(method, "gssapi-with-mic")) + strcmp(method, "gssapi-with-mic") == 0) return 1; break; case PERMIT_FORCED_ONLY: @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.96 2015/07/28 23:20:42 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.97 2015/08/19 23:21:42 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -176,6 +176,7 @@ compat_datafellows(const char *version) "PuTTY_Release_0.63*," "PuTTY_Release_0.64*", SSH_OLD_DHGEX }, + { "FuTTY*", SSH_OLD_DHGEX }, /* Putty Fork */ { "Probe-*", SSH_BUG_PROBE }, { "TeraTerm SSH*," @@ -189,7 +190,17 @@ compat_datafellows(const char *version) "TTSSH/2.70*," "TTSSH/2.71*," "TTSSH/2.72*", SSH_BUG_HOSTKEYS }, - { "WinSCP*", SSH_OLD_DHGEX }, + { "WinSCP_release_4*," + "WinSCP_release_5.0*," + "WinSCP_release_5.1*," + "WinSCP_release_5.5*," + "WinSCP_release_5.6*," + "WinSCP_release_5.7," + "WinSCP_release_5.7.1," + "WinSCP_release_5.7.2," + "WinSCP_release_5.7.3," + "WinSCP_release_5.7.4", + SSH_OLD_DHGEX }, { NULL, 0 } }; diff --git a/contrib/README b/contrib/README index c00223865519..60e19ba9faa8 100644 --- a/contrib/README +++ b/contrib/README @@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or https CONNECT style proxy server. His page for connect.c has extensive documentation on its use as well as compiled versions for Win32. -http://www.taiyo.co.jp/~gotoh/ssh/connect.html +https://bitbucket.org/gotoh/connect/wiki/Home X11 SSH Askpass: diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 5de787555051..5b27106fb10c 100644 --- a/contrib/redhat/openssh.spec 
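Review bot: The `PERMIT_NO_PASSWD` case in auth_root_allowed() still writes its allow-list as an uncommented chain of `strcmp(...)` terms, which is the shape that let the bare `strcmp(method, "gssapi-with-mic")` slip through. That term was non-zero, and therefore true, for every method name other than gssapi-with-mic, so the case returned 1 for password-style methods too. A comment above the condition such as `/* root may use only these non-password methods; every term must compare == 0 */` would make the intent reviewable, and a regression test asserting that a password method is refused for root under this setting would catch a repeat. Hosts that ran the previous release with this PermitRootLogin mode are worth checking for password-based root logins in their authentication logs. The switch statement starts and ends outside the hunk.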
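Review bot: The new WinSCP entry in compat_datafellows() mixes prefix patterns (`WinSCP_release_5.6*`) with exact ones (`WinSCP_release_5.7,` through `WinSCP_release_5.7.4`) and the table does not say why. Versions 5.2 to 5.4 are absent, so a reader cannot tell whether they are deliberately excluded or were overlooked. A comment on the entry naming the cut-off would document this, for example `/* WinSCP releases before <first fixed release> need SSH_OLD_DHGEX */`. The `FuTTY*` entry added in the previous hunk of this file has the opposite property: it matches every version, so a future fixed FuTTY would presumably still get the legacy group-exchange handling, which its comment should state. The table begins outside the hunk.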
+++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 7.0p1 +%define ver 7.1p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index dd9692da145a..59689588282f 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 7.0p1 +Version: 7.1p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.34 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -154,7 +154,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type, *digest_len = rdata_len - 2; if (*digest_len > 0) { - *digest = (u_char *) xmalloc(*digest_len); + *digest = xmalloc(*digest_len); memcpy(*digest, rdata + 2, *digest_len); } else { *digest = (u_char *)xstrdup(""); @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.53 2015/05/01 04:03:20 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> * @@ -665,6 +665,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) u_int lport, cport; int i, ret = 0, freefwd = 1; + memset(&fwd, 0, sizeof(fwd)); + /* XXX - lport/cport check redundant */ if (buffer_get_int_ret(&ftype, m) != 0 || (listen_addr = buffer_get_string_ret(m, NULL)) == NULL || @@ -832,6 +834,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) int i, ret = 0; u_int lport, cport; + memset(&fwd, 0, sizeof(fwd)); + if (buffer_get_int_ret(&ftype, m) != 0 || (listen_addr = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&lport, m) != 0 || 
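Review bot: The `memset(&fwd, 0, sizeof(fwd));` added at the top of process_mux_open_fwd(), and again in process_mux_close_fwd() in the next hunk, has no comment, so a later cleanup could remove it as redundant. According to the ChangeLog entry in this import it stops a free() of an uninitialised pointer, presumably on the early-exit path taken when one of the `buffer_get_*_ret()` calls fails before fwd's members are assigned. I would add `/* zero fwd first: the error path frees its members */` above each memset, or zero-initialise fwd at its declaration so the two functions cannot drift apart. Both function bodies continue outside their hunks, so the cleanup code itself is not visible here.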
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.214 2015/08/20 22:32:42 deraadt Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1272,7 +1272,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) DBG(debug("packet_read()")); - setp = (fd_set *)calloc(howmany(state->connection_in + 1, + setp = calloc(howmany(state->connection_in + 1, NFDBITS), sizeof(fd_mask)); if (setp == NULL) return SSH_ERR_ALLOC_FAIL; @@ -2036,7 +2036,7 @@ ssh_packet_write_wait(struct ssh *ssh) struct timeval start, timeout, *timeoutp = NULL; struct session_state *state = ssh->state; - setp = (fd_set *)calloc(howmany(state->connection_out + 1, + setp = calloc(howmany(state->connection_out + 1, NFDBITS), sizeof(fd_mask)); if (setp == NULL) return SSH_ERR_ALLOC_FAIL; diff --git a/sftp-server.c b/sftp-server.c index d1831bf8d8a3..eac11d7e695d 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.106 2015/04/24 01:36:01 deraadt Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.107 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1632,8 +1632,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) fatal("%s: sshbuf_new failed", __func__); set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); - rset = (fd_set *)xmalloc(set_size); - wset = (fd_set *)xmalloc(set_size); + rset = xmalloc(set_size); + wset = xmalloc(set_size); if (homedir != NULL) { if (chdir(homedir) != 0) { @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.170 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: sftp.c,v 1.171 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> * 
@@ -1958,7 +1958,7 @@ complete(EditLine *el, int ch) /* Figure out which argument the cursor points to */ cursor = lf->cursor - lf->buffer; - line = (char *)xmalloc(cursor + 1); + line = xmalloc(cursor + 1); memcpy(line, lf->buffer, cursor); line[cursor] = '\0'; argv = makeargv(line, &carg, 1, "e, &terminated); @@ -1966,7 +1966,7 @@ complete(EditLine *el, int ch) /* Get all the arguments on the line */ len = lf->lastchar - lf->buffer; - line = (char *)xmalloc(len + 1); + line = xmalloc(len + 1); memcpy(line, lf->buffer, len); line[len] = '\0'; argv = makeargv(line, &argc, 1, NULL, NULL); diff --git a/ssh-keygen.0 b/ssh-keygen.0 index a471a40559ef..07a45b36b9b9 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -426,7 +426,7 @@ CERTIFICATES providing the token library using -D and identifying the CA key by providing its public half as an argument to -s: - $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub + $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication. @@ -437,7 +437,7 @@ CERTIFICATES principals: $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub - $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub + $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may @@ -563,4 +563,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 +OpenBSD 5.8 August 20, 2015 OpenBSD 5.8 diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 8c3317be7029..ed17a08fab28 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 3 2015 $ +.Dd $Mdocdate: August 20 2015 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -680,7 +680,7 @@ and identifying the CA key by providing its public half as an argument to .Fl s : .Pp -.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub +.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub .Pp In all cases, .Ar key_id @@ -693,7 +693,7 @@ By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals: .Pp .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub -.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" +.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub" .Pp Additional limitations on the validity and use of user certificates may be specified through certificate options. diff --git a/ssh-keygen.c b/ssh-keygen.c index ea5f1e49e3d0..4e0a8555434c 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.276 2015/07/03 03:49:45 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1201,7 +1201,8 @@ do_known_hosts(struct passwd *pw, const char *name) exit(1); } else if (delete_host && !ctx.found_key) { logit("Host %s not found in %s", name, identity_file); - unlink(tmp); + if (inplace) + unlink(tmp); } else if (inplace) { /* Backup existing file */ if (unlink(old) == -1 && errno != ENOENT) 
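Review bot: The newly guarded `unlink(tmp)` in do_known_hosts() still discards its return value, whereas the very next branch checks `unlink(old) == -1 && errno != ENOENT`. If removing the temporary file fails, what is presumably a partial copy of the known_hosts data is left on disk with no diagnostic. Consider `if (inplace && unlink(tmp) == -1 && errno != ENOENT) error("unlink %s: %s", tmp, strerror(errno));`. The guard also implies that tmp is only filled in when inplace is set, which deserves a short comment such as `/* tmp is only initialised when editing in place */`. The declaration of tmp is outside the hunk, so that last point is inferred rather than seen.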
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index ceabc8ba7fe4..f2d586395472 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.10 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.11 2015/08/20 22:32:42 deraadt Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -301,8 +301,8 @@ main(int argc, char **argv) buffer_init(&oqueue); set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); - rset = (fd_set *)xmalloc(set_size); - wset = (fd_set *)xmalloc(set_size); + rset = xmalloc(set_size); + wset = xmalloc(set_size); for (;;) { memset(rset, 0, set_size); diff --git a/ssh_config.0 b/ssh_config.0 index 654807779d25..67133cd4d49b 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -205,9 +205,9 @@ DESCRIPTION The default is: + chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, - chacha20-poly1305@openssh.com, arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, aes192-cbc,aes256-cbc,arcfour @@ -1023,4 +1023,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 5.8 July 30, 2015 OpenBSD 5.8 +OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 diff --git a/ssh_config.5 b/ssh_config.5 index 5b0975f87e2f..a47f3ca9e3e2 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $ -.Dd $Mdocdate: July 30 2015 $ +.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $ +.Dd $Mdocdate: August 14 2015 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -415,9 +415,9 @@ chacha20-poly1305@openssh.com .Pp The default is: .Bd -literal -offset indent +chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, -chacha20-poly1305@openssh.com, arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, aes192-cbc,aes256-cbc,arcfour diff --git a/sshconnect.c b/sshconnect.c index f41960c5df8f..17fbe39b007a 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.262 2015/05/28 05:41:29 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -356,7 +356,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, goto done; } - fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS), + fdset = xcalloc(howmany(sockfd + 1, NFDBITS), sizeof(fd_mask)); FD_SET(sockfd, fdset); ms_to_timeval(&tv, *timeoutp); @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1253,7 +1253,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) sighup_restart(); if (fdset != NULL) free(fdset); - fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), + fdset = xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); for (i = 0; i < num_listen_socks; i++) diff --git a/sshd_config.0 b/sshd_config.0 index 1cc7459f87bf..aae7fb6afaea 100644 --- a/sshd_config.0 +++ b/sshd_config.0 
@@ -286,9 +286,9 @@ DESCRIPTION The default is: + chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, - aes128-gcm@openssh.com,aes256-gcm@openssh.com, - chacha20-poly1305@openssh.com + aes128-gcm@openssh.com,aes256-gcm@openssh.com The list of available ciphers may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. @@ -927,7 +927,7 @@ DESCRIPTION If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses and not host names may be used in ~/.ssh/known_hosts from and - sshd_config(5) Match Host directives. + sshd_config Match Host directives. UseLogin Specifies whether login(1) is used for interactive login @@ -1049,4 +1049,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 5.8 August 6, 2015 OpenBSD 5.8 +OpenBSD 5.8 August 14, 2015 OpenBSD 5.8 diff --git a/sshd_config.5 b/sshd_config.5 index 58e277f958f6..b18d340af67b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ -.Dd $Mdocdate: August 6 2015 $ +.\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $ +.Dd $Mdocdate: August 14 2015 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -476,9 +476,9 @@ chacha20-poly1305@openssh.com .Pp The default is: .Bd -literal -offset indent +chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com, -chacha20-poly1305@openssh.com +aes128-gcm@openssh.com,aes256-gcm@openssh.com .Ed .Pp The list of available ciphers may also be obtained using the @@ -1528,7 +1528,7 @@ If this option is set to .Pa ~/.ssh/known_hosts .Cm from and -.Xr sshd_config 5 +.Nm .Cm Match .Cm Host directives. 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -1556,7 +1556,6 @@ dsa_generate_private_key(u_int bits, DSA **dsap) *dsap = NULL; if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, NULL, NULL) || !DSA_generate_key(private)) { - DSA_free(private); ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } diff --git a/version.h b/version.h index 7a5dbc8a2300..d917ca1f6cc5 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.74 2015/08/02 09:56:42 djm Exp $ */ +/* $OpenBSD: version.h,v 1.75 2015/08/21 03:45:26 djm Exp $ */ -#define SSH_VERSION "OpenSSH_7.0" +#define SSH_VERSION "OpenSSH_7.1" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE |