path: root/match.h
Date  Subject  (Author; files changed, lines removed/added)
2023-12-18  upstream: apply destination constraints to all p11 keys  (djm@openbsd.org; 1 file, -5/+100)
Previously applied only to the first key returned from each token. ok markus@
OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
2023-12-18  upstream: add "ext-info-in-auth@openssh.com" extension  (djm@openbsd.org; 7 files, -67/+260)
This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to. This lets sshd update the acceptable signature algorithms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated. Full details in the PROTOCOL file.
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
2023-12-18  upstream: implement "strict key exchange" in ssh and sshd  (djm@openbsd.org; 6 files, -85/+148)
This adds a protocol extension to improve the integrity of the SSH transport protocol, particularly in and around the initial key exchange (KEX) phase. Full details of the extension are in the PROTOCOL file. with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
2023-12-18  better detection of broken -fzero-call-used-regs  (Damien Miller; 2 files, -3/+15)
Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend test program to exercise varargs, which seems to catch more stuff. ok dtucker@
2023-12-13  upstream: when invoking KnownHostsCommand to determine the order of  (djm@openbsd.org; 1 file, -2/+2)
host key algorithms to request, ensure that the hostname passed to the command is decorated with the port number for ports other than 22. This matches the behaviour of KnownHostsCommand when invoked to look up the actual host key. bz3643, ok dtucker@
OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
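As an added illustration of the bz3643 point above (example code written for this page, not OpenSSH's own implementation): known_hosts records keys for ports other than 22 under the `[host]:port` form, so a KnownHostsCommand that is handed the bare hostname for a port-2222 connection cannot find those entries, and the client then orders its host key algorithm preferences without knowing which key it already trusts. The helpers below model that lookup for plain (unhashed) known_hosts lines; the hostnames and key blobs in the sample are constructed placeholders, and `decorate=False` reproduces the pre-fix mismatch.

```python
# Added example for this page; not OpenSSH code. Models how a known_hosts
# lookup keyed on (host, port) must use the "[host]:port" form for ports
# other than 22, which is what the hostname handed to KnownHostsCommand
# has to carry for the command to find the right entries.

DEFAULT_SSH_PORT = 22

# Constructed sample known_hosts content; hostnames and key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# plain entries only; hashed (|1|...) entries are not handled here
example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyPort22
[example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderRsaPort2222
[example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderEdPort2222
"""


def decorate_hostname(host: str, port: int) -> str:
    """Return the form under which known_hosts records (host, port)."""
    if port == DEFAULT_SSH_PORT:
        return host
    return f"[{host}]:{port}"


def parse_known_hosts(text: str):
    """Yield (hostname, keytype, key) for each plain known_hosts line.

    A line may list several comma-separated hostnames. Markers such as
    @cert-authority / @revoked and hashed hostnames are deliberately not
    modelled here.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields
        key = key.split()[0]  # drop any trailing comment
        for h in hosts.split(","):
            yield h, keytype, key


def host_key_algorithms(text: str, host: str, port: int, decorate: bool = True):
    """Key types already recorded for (host, port), in file order, deduplicated.

    This is what the client needs in order to put algorithms it already holds
    a key for at the front of its HostKeyAlgorithms preference. With
    decorate=False the lookup uses the bare hostname, reproducing the mismatch
    for non-default ports that the fix above addresses.
    """
    target = decorate_hostname(host, port) if decorate else host
    found = []
    for h, keytype, _ in parse_known_hosts(text):
        if h == target and keytype not in found:
            found.append(keytype)
    return found


if __name__ == "__main__":
    print(host_key_algorithms(SAMPLE_KNOWN_HOSTS, "example.com", 2222))
    print(host_key_algorithms(SAMPLE_KNOWN_HOSTS, "example.com", 2222, decorate=False))
```

With the decorated name the port-2222 lookup returns the two key types recorded for that port; with the bare name it silently returns the port-22 entry instead, which is exactly the wrong answer a KnownHostsCommand would have given before this change.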
2023-12-13  upstream: prevent leak in sshsig_match_principals; ok djm@  (markus@openbsd.org; 1 file, -4/+3)
OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
2023-12-06  upstream: short circuit debug log processing early if we're not going  (djm@openbsd.org; 1 file, -1/+5)
to log anything. From Kobe Housen
OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
2023-11-26  Add tests for OpenSSL 3.2.0 and 3.2 stable branch.  (Darren Tucker; 1 file, -0/+2)
2023-11-24  Use non-zero arg in compiler test program.  (Darren Tucker; 1 file, -1/+1)
Now that we're running the test program, passing zero to the test function can cause divide-by-zero exceptions which might show up in logs.
2023-11-24  upstream: Plug mem leak of msg when processing a quit message.  (dtucker@openbsd.org; 1 file, -1/+2)
Coverity CID#427852, ok djm@
OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
2023-11-24  upstream: Include existing mux path in debug message.  (dtucker@openbsd.org; 1 file, -2/+2)
OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
2023-11-23  Add an Ubuntu 22.04 test VM.  (Darren Tucker; 1 file, -0/+1)
This is the same version as Github's runners so most of the testing on it is over there, but having a local VM makes debugging much easier.
2023-11-23  Add gcc-12 -Werror test on Ubuntu 22.04.  (Darren Tucker; 2 files, -3/+14)
Explicitly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
2023-11-23  Check return value from write to prevent warning.  (Darren Tucker; 1 file, -1/+1)
... and since we're testing for flags with -Werror, this caused configure to mis-detect compiler flags.
2023-11-23  Run compiler test program when compiling natively.  (Darren Tucker; 1 file, -6/+27)
ok djm@
2023-11-23  Factor out compiler test program into a macro.  (Darren Tucker; 1 file, -49/+24)
ok djm@
2023-11-21  Add fbsd14 VM to test pool.  (Darren Tucker; 1 file, -0/+2)
2023-11-21  Expand -fzero-call-used-regs test to cover gcc 11.  (Darren Tucker; 1 file, -1/+7)
It turns out that gcc also has some problems with -fzero-call-used-regs, at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE was sufficient to catch it with "=all", but not sufficient for "=used". Expand the testcase and include it in the other tests for good measure. See bz#3629. ok djm@.
2023-11-21  Stop using -fzero-call-used-regs=all  (Darren Tucker; 1 file, -2/+5)
... since it seems to be problematic with several different versions of clang. Only use -fzero-call-used-regs=used which is less problematic, except with Apple's clang where we don't use it at all. bz#3629, ok djm@
2023-11-21  Allow for vendor prefix on clang version numbers.  (Darren Tucker; 1 file, -3/+4)
Correctly detects the version of OpenBSD's native clang, as well as Apple's. Spotted tb@, ok djm@.
2023-11-20  upstream: set errno=EAFNOSUPPORT when filtering addresses that don't  (djm@openbsd.org; 1 file, -2/+2)
match AddressFamily; yields slightly better error message if no address matches. bz#3526
OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
2023-11-16  upstream: when connecting via socket (the default case), filter  (djm@openbsd.org; 1 file, -1/+9)
addresses by AddressFamily if one was specified. Fixes the case where, if CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok dtucker
OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
2023-11-15  upstream: when deciding whether to enable keystroke timing  (djm@openbsd.org; 3 files, -4/+22)
obfuscation, only consider enabling it when a channel with a tty is open. Avoids turning on the obfuscation when X11 forwarding only is in use, which slows it right down. Reported by Roger Marsh
OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
2023-11-15  upstream: Make sure sftp_get_limits() only returns 0 if 'limits'  (tobhe@openbsd.org; 1 file, -2/+2)
was initialized. This fixes a potential uninitialized use of 'limits' in sftp_init() if sftp_get_limits() returned early because of an unexpected message type. ok djm@
OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
2023-11-13  Test current releases of LibreSSL and OpenSSL.  (Darren Tucker; 1 file, -4/+4)
Retire some of the older releases.
2023-11-01  upstream: Specify ssh binary to use  (dtucker@openbsd.org; 1 file, -5/+5)
... instead of relying on installed one. Fixes test failures in -portable when running tests prior to installation.
OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
2023-11-01  Put long-running test targets on hipri runners.  (Darren Tucker; 1 file, -7/+8)
Some of the selfhosted test targets take a long time to run for various reasons, so label them for "libvirt-hipri" runners so that they can start immediately. This should reduce the time to complete all tests.
2023-11-01  upstream: add some tests of forced commands overriding Subsystem  (djm@openbsd.org; 1 file, -12/+44)
directives
OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
2023-10-31  upstream: Don't try to use sudo inside sshd log wrapper.  (dtucker@openbsd.org; 1 file, -2/+2)
We still need to check if we're using sudo since we don't want to chown unnecessarily, as on some platforms this causes an error which pollutes stderr. We also don't want to unnecessarily invoke sudo, since it's running in the context of the proxycommand, on *other* platforms it may not be able to authenticate, and if we're using SUDO then it should already be privileged.
OpenBSD-Regress-ID: 70d58df7503db699de579a9479300e5f3735f4ee
2023-10-31  upstream: Only try to chmod logfile if we have sudo. If we don't have  (dtucker@openbsd.org; 1 file, -2/+2)
sudo then we won't need to chmod.
OpenBSD-Regress-ID: dbad2f5ece839658ef8af3376cb1fb1cabe2e324
2023-10-31  upstream: move PKCS#11 setup code to test-exec.sh so it can be reused  (djm@openbsd.org; 2 files, -90/+93)
elsewhere
OpenBSD-Regress-ID: 1d29e6be40f994419795d9e660a8d07f538f0acb
2023-10-30  upstream: tidy and refactor PKCS#11 setup code  (djm@openbsd.org; 1 file, -61/+72)
Replace the use of a perl script to delete the controlling TTY with a SSH_ASKPASS script to directly load the PIN. Move PKCS#11 setup code to functions in anticipation of it being used elsewhere in additional tests. Reduce stdout spam
OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
2023-10-30  Add obsd74 test VM and retire obsd69 and obsd70.  (Darren Tucker; 1 file, -2/+1)
2023-10-30  Add OpenSSL 3.3.0 as a known dev version.  (Darren Tucker; 1 file, -1/+1)
2023-10-30  Restore nopasswd sudo rule on Mac OS X.  (Darren Tucker; 1 file, -7/+19)
This seems to be missing from some (but not all) github runners, so restore it if it seems to be missing.
2023-10-30  Don't exit early when setting up on Mac OS X.  (Darren Tucker; 1 file, -5/+12)
We probably need some of the other bits in there (specifically, setting the perms on the home directory) so make it less of a special snowflake.
2023-10-29  upstream: Only try to chown logfiles that exist to prevent spurious  (dtucker@openbsd.org; 1 file, -5/+7)
errors.
OpenBSD-Regress-ID: f1b20a476734e885078c481f1324c9ea03af991e
2023-10-29  upstream: make use of bsd.regress.mk in extra and interop targets; ok  (anton@openbsd.org; 1 file, -1/+1)
dtucker@
OpenBSD-Regress-ID: 7ea21b5f6fc4506165093b2123d88d20ff13a4f0
2023-10-26  upstream: Skip conch interop tests when not enabled instead of fatal.  (dtucker@openbsd.org; 1 file, -2/+2)
OpenBSD-Regress-ID: b0abf81c24ac6c21f367233663228ba16fa96a46
2023-10-26  upstream: Import regenerated moduli.  (dtucker@openbsd.org; 1 file, -444/+454)
OpenBSD-Commit-ID: 95f5dd6107e8902b87dc5b005ef2b53f1ff378b8
2023-10-26  upstream: ssh conch interop tests requires a controlling terminal;  (anton@openbsd.org; 1 file, -3/+6)
ok dtucker@
OpenBSD-Regress-ID: cbf2701bc347c2f19d907f113779c666f1ecae4a
2023-10-26  upstream: Use private key that is allowed by sshd defaults in conch  (anton@openbsd.org; 1 file, -2/+2)
interop tests. ok dtucker@
OpenBSD-Regress-ID: 3b7f65c8f409c328bcd4b704f60cb3d31746f045
2023-10-20  Install Dropbear for interop testing.  (Darren Tucker; 1 file, -2/+2)
2023-10-20  Resync PuTTY and Conch path handling with upstream.  (Darren Tucker; 1 file, -22/+10)
Now that configure finds these for us we can remove these -portable specific changes.
2023-10-20  Have configure find PuTTY and Conch binaries.  (Darren Tucker; 2 files, -3/+6)
This will let us remove some -portable specific changes from test-exec.sh.
2023-10-20  upstream: Allow overriding the locations of the Dropbear binaries  (dtucker@openbsd.org; 3 files, -1/+23)
similar to what we do for the PuTTY ones.
OpenBSD-Regress-ID: 7de0e00518fb0c8fdc5f243b7f82f523c936049c
2023-10-20  upstream: Add interop test with Dropbear.  (dtucker@openbsd.org; 4 files, -2/+102)
Right now this is only dbclient not the Dropbear server since it won't currently run as a ProxyCommand.
OpenBSD-Regress-ID: 8cb898c414fcdb252ca6328896b0687acdaee496
2023-10-16  Update openssl-devel dependency in RPM spec.  (Fabio Pedretti; 1 file, -9/+14)
Since openssh 9.4p1, openssl >= 1.1.1 is required, so build with --without-openssl elsewhere. According to https://repology.org/project/openssl/versions openssl 1.1.1 is available on fedora >= 29 and rhel >= 8. Successfully build tested, installed and run on rhel 6
2023-10-16  Remove reference of dropped sshd.pam.old file  (Fabio Pedretti; 1 file, -5/+4)
The file was removed in openssh 8.8
2023-10-16  upstream: Move declaration of "len" into the block where it's used.  (dtucker@openbsd.org; 1 file, -2/+3)
This lets us compile Portable with -Werror when OpenSSL doesn't have Ed25519 support.
OpenBSD-Commit-ID: e02e4b4af351946562a7caee905da60eff16ba29