Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tinyssh for openSUSE:Factory checked in at 2026-04-11 22:26:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tinyssh (Old) and /work/SRC/openSUSE:Factory/.tinyssh.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tinyssh" Sat Apr 11 22:26:27 2026 rev:12 rq:1346050 version:20260401 Changes: -------- --- /work/SRC/openSUSE:Factory/tinyssh/tinyssh.changes 2026-03-27 06:51:15.978320207 +0100 +++ /work/SRC/openSUSE:Factory/.tinyssh.new.21863/tinyssh.changes 2026-04-11 22:31:37.401271963 +0200 @@ -1,0 +2,12 @@ +Mon Apr 6 13:08:12 UTC 2026 - Lucas Mulling <[email protected]> + +- Update to 20260401: + * Fixed session handling, now rejects out-of-order or duplicate channel requests. + * Fixed connection shutdown, timeout handling and subprocess waiting edge cases. + * Fixed inherited file-descriptor leak before fork. + * Fixed file descriptor leak in authorized_keys processing. + * Fixed log buffer purging and a potential out-of-bounds read in buf_putsharedsecret_. + * Updated makefilegen.sh to use gcc -MM -isystem /usr/local/include + * Moved LICENCE.md -> LICENSE.md + +------------------------------------------------------------------- Old: ---- tinyssh-20260301.tar.gz tinyssh-20260301.tar.gz.asc New: ---- tinyssh-20260401.tar.gz tinyssh-20260401.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tinyssh.spec ++++++ --- /var/tmp/diff_new_pack.3vxUmB/_old 2026-04-11 22:31:38.105300758 +0200 +++ /var/tmp/diff_new_pack.3vxUmB/_new 2026-04-11 22:31:38.105300758 +0200 @@ -17,7 +17,7 @@ Name: tinyssh -Version: 20260301 +Version: 20260401 Release: 0 Summary: A minimalistic SSH server which implements only a subset of SSHv2 features License: CC0-1.0 @@ -53,7 +53,7 @@ %endif %files -%license LICENCE.md +%license LICENSE.md %doc README* %{_sbindir}/tinysshd %{_sbindir}/tinysshd-makekey ++++++ tinyssh-20260301.tar.gz -> tinyssh-20260401.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/CHANGELOG.md new/tinyssh-20260401/CHANGELOG.md --- old/tinyssh-20260301/CHANGELOG.md 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/CHANGELOG.md 2026-04-01 06:24:44.000000000 +0200 @@ -1,3 +1,12 @@ +### 20260401 +- Fixed session handling, now rejects out-of-order or duplicate channel requests. +- Fixed connection shutdown, timeout handling and subprocess waiting edge cases. +- Fixed inherited file-descriptor leak before fork. +- Fixed file descriptor leak in authorized_keys processing. +- Fixed log buffer purging and a potential out-of-bounds read in buf_putsharedsecret_. +- Updated makefilegen.sh to use gcc -MM -isystem /usr/local/include +- Moved LICENCE.md -> LICENSE.md + ### 20260301 - Fixed crypto_sign_ed25519_tinyssh_open, now rejects signatures where S >= L (Ed25519 group order). @@ -10,11 +19,11 @@ - Relicensed under CC0-1.0 OR 0BSD OR MIT-0 OR MIT - Final reformatting using clang-format -### 20250126 (pre-relase) +### 20250126 (pre-release) - Fixed more compiler warnings - More used cryptoint -### 20241201 (pre-relase) +### 20241201 (pre-release) - Switched to [cryptoint](https://libntruprime.cr.yp.to/libntruprime-20241021/cryptoint.html) 20241003 - Switched to tests from [SUPERCOP](https://bench.cr.yp.to/supercop.html) for crypto primitives - Fixed various compiler warnings diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/LICENCE.md new/tinyssh-20260401/LICENCE.md --- old/tinyssh-20260301/LICENCE.md 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/LICENCE.md 1970-01-01 01:00:00.000000000 +0100 @@ -1,20 +0,0 @@ -TinySSH is hereby placed into the public domain. - -SPDX-License-Identifier: CC0-1.0 OR 0BSD OR MIT-0 OR MIT - -- [CC0-1.0](https://spdx.org/licenses/CC0-1.0.html) -- [0BSD](https://spdx.org/licenses/0BSD.html) -- [MIT-0](https://spdx.org/licenses/MIT-0.html) -- [MIT](https://spdx.org/licenses/MIT.html) - -Comment: -"Public domain" works differently depending on the country, therefore LICENCE updated to CC0-1.0 OR 0BSD OR MIT-0 OR MIT. - -History: -- initial release - public domain -- 20230101 - CC0 -- 20250201 - CC0-1.0 OR 0BSD OR MIT-0 OR MIT. - -Other: -_crypto-test_*.inc: derived from djb work from supercop/lib25519/libntruprime/lib1305, license: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MIT -cryptoint/*: copy of cryptoint library from D. J. Bernstein, see cryptoint/README.md, license: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MIT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/LICENSE.md new/tinyssh-20260401/LICENSE.md --- old/tinyssh-20260301/LICENSE.md 1970-01-01 01:00:00.000000000 +0100 +++ new/tinyssh-20260401/LICENSE.md 2026-04-01 06:24:44.000000000 +0200 @@ -0,0 +1,20 @@ +TinySSH is hereby placed into the public domain. + +SPDX-License-Identifier: CC0-1.0 OR 0BSD OR MIT-0 OR MIT + +- [CC0-1.0](https://spdx.org/licenses/CC0-1.0.html) +- [0BSD](https://spdx.org/licenses/0BSD.html) +- [MIT-0](https://spdx.org/licenses/MIT-0.html) +- [MIT](https://spdx.org/licenses/MIT.html) + +Comment: +"Public domain" works differently depending on the country, therefore LICENCE updated to CC0-1.0 OR 0BSD OR MIT-0 OR MIT. + +History: +- initial release - public domain +- 20230101 - CC0 +- 20250201 - CC0-1.0 OR 0BSD OR MIT-0 OR MIT. + +Other: +_crypto-test_*.inc: derived from djb work from supercop/lib25519/libntruprime/lib1305, license: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MIT +cryptoint/*: copy of cryptoint library from D. J. Bernstein, see cryptoint/README.md, license: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MIT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/Makefile new/tinyssh-20260401/Makefile --- old/tinyssh-20260301/Makefile 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/Makefile 2026-04-01 06:24:44.000000000 +0200 @@ -10,9 +10,9 @@ LINKS=tinysshd-makekey tinysshd-printkey tinysshnoneauthd -BINARIES=tinysshd _tinysshd-printkex _tinysshd-speed _tinysshd-test-hello1 \ +BINARIES=_tinysshd-printkex _tinysshd-speed _tinysshd-test-hello1 \ _tinysshd-test-hello2 _tinysshd-test-kex1 _tinysshd-test-kex2 \ - _tinysshd-unauthenticated + _tinysshd-unauthenticated tinysshd TESTCRYPTOBINARIES=test-crypto @@ -24,14 +24,14 @@ crypto_onetimeauth_poly1305_lib1305.o crypto_onetimeauth_poly1305_tinyssh.o \ crypto_scalarmult_curve25519.o crypto_sign_ed25519_lib25519.o \ crypto_sign_ed25519_tinyssh.o crypto_sort_uint32.o crypto_stream_chacha20.o \ - crypto_verify_16.o crypto_verify_32.o die.o dropuidgid.o e.o env.o fe25519.o \ - fe.o ge25519.o getln.o global.o int16_optblocker.o int32_optblocker.o \ + crypto_verify_16.o crypto_verify_32.o die.o dropuidgid.o e.o env.o fe.o \ + fe25519.o ge25519.o getln.o global.o int16_optblocker.o int32_optblocker.o \ int64_optblocker.o int8_optblocker.o iptostr.o load.o log.o loginshell.o \ logsys.o main_tinysshd.o main_tinysshd_makekey.o main_tinysshd_printkey.o \ - newenv.o numtostr.o open.o packet_auth.o packet.o packet_channel_open.o \ + newenv.o numtostr.o open.o packet.o packet_auth.o packet_channel_open.o \ packet_channel_recv.o packet_channel_request.o packet_channel_send.o \ - packet_get.o packet_hello.o packet_kex.o packet_kexdh.o packetparser.o \ - packet_put.o packet_recv.o packet_send.o packet_unimplemented.o porttostr.o \ + packet_get.o packet_hello.o packet_kex.o packet_kexdh.o packet_put.o \ + packet_recv.o packet_send.o packet_unimplemented.o packetparser.o porttostr.o \ randommod.o readall.o savesync.o sc25519.o ssh.o sshcrypto.o sshcrypto_cipher.o \ sshcrypto_cipher_chachapoly.o sshcrypto_kex.o sshcrypto_kex_curve25519.o \ sshcrypto_kex_sntrup761x25519.o sshcrypto_key.o sshcrypto_key_ed25519.o str.o \ @@ -39,37 +39,37 @@ uint16_optblocker.o uint32_optblocker.o uint64_optblocker.o uint8_optblocker.o \ writeall.o -OBJALL=blocking.o buf.o byte.o channel.o channel_drop.o channel_fork.o \ - channel_forkpty.o channel_subsystem.o cleanup.o coe.o connectioninfo.o \ - crypto_dh_x25519.o crypto_hash_sha256.o crypto_hash_sha512_lib25519.o \ - crypto_hash_sha512_tinyssh.o crypto_kem_sntrup761_libntruprime.o \ - crypto_kem_sntrup761_tinyssh.o crypto_kem_sntrup761x25519.o \ - crypto_onetimeauth_poly1305_lib1305.o crypto_onetimeauth_poly1305_tinyssh.o \ - crypto_scalarmult_curve25519.o crypto_sign_ed25519_lib25519.o \ - crypto_sign_ed25519_tinyssh.o crypto_sort_uint32.o crypto_stream_chacha20.o \ - crypto_verify_16.o crypto_verify_32.o die.o dropuidgid.o e.o env.o fe25519.o \ - fe.o ge25519.o getln.o global.o int16_optblocker.o int32_optblocker.o \ - int64_optblocker.o int8_optblocker.o iptostr.o load.o log.o loginshell.o \ - logsys.o main_tinysshd.o main_tinysshd_makekey.o main_tinysshd_printkey.o \ - newenv.o numtostr.o open.o packet_auth.o packet.o packet_channel_open.o \ - packet_channel_recv.o packet_channel_request.o packet_channel_send.o \ - packet_get.o packet_hello.o packet_kex.o packet_kexdh.o packetparser.o \ - packet_put.o packet_recv.o packet_send.o packet_unimplemented.o porttostr.o \ - randombytes.o randommod.o readall.o savesync.o sc25519.o ssh.o sshcrypto.o \ - sshcrypto_cipher.o sshcrypto_cipher_chachapoly.o sshcrypto_kex.o \ - sshcrypto_kex_curve25519.o sshcrypto_kex_sntrup761x25519.o sshcrypto_key.o \ - sshcrypto_key_ed25519.o str.o stringparser.o subprocess_auth.o \ - subprocess_sign.o test-crypto.o tinysshd.o _tinysshd-printkex.o \ - _tinysshd-speed.o _tinysshd-test-hello1.o _tinysshd-test-hello2.o \ - _tinysshd-test-kex1.o _tinysshd-test-kex2.o _tinysshd-unauthenticated.o \ +OBJALL=_tinysshd-printkex.o _tinysshd-speed.o _tinysshd-test-hello1.o \ + _tinysshd-test-hello2.o _tinysshd-test-kex1.o _tinysshd-test-kex2.o \ + _tinysshd-unauthenticated.o blocking.o buf.o byte.o channel.o channel_drop.o \ + channel_fork.o channel_forkpty.o channel_subsystem.o cleanup.o coe.o \ + connectioninfo.o crypto_dh_x25519.o crypto_hash_sha256.o \ + crypto_hash_sha512_lib25519.o crypto_hash_sha512_tinyssh.o \ + crypto_kem_sntrup761_libntruprime.o crypto_kem_sntrup761_tinyssh.o \ + crypto_kem_sntrup761x25519.o crypto_onetimeauth_poly1305_lib1305.o \ + crypto_onetimeauth_poly1305_tinyssh.o crypto_scalarmult_curve25519.o \ + crypto_sign_ed25519_lib25519.o crypto_sign_ed25519_tinyssh.o \ + crypto_sort_uint32.o crypto_stream_chacha20.o crypto_verify_16.o \ + crypto_verify_32.o die.o dropuidgid.o e.o env.o fe.o fe25519.o ge25519.o \ + getln.o global.o int16_optblocker.o int32_optblocker.o int64_optblocker.o \ + int8_optblocker.o iptostr.o load.o log.o loginshell.o logsys.o main_tinysshd.o \ + main_tinysshd_makekey.o main_tinysshd_printkey.o newenv.o numtostr.o open.o \ + packet.o packet_auth.o packet_channel_open.o packet_channel_recv.o \ + packet_channel_request.o packet_channel_send.o packet_get.o packet_hello.o \ + packet_kex.o packet_kexdh.o packet_put.o packet_recv.o packet_send.o \ + packet_unimplemented.o packetparser.o porttostr.o randombytes.o randommod.o \ + readall.o savesync.o sc25519.o ssh.o sshcrypto.o sshcrypto_cipher.o \ + sshcrypto_cipher_chachapoly.o sshcrypto_kex.o sshcrypto_kex_curve25519.o \ + sshcrypto_kex_sntrup761x25519.o sshcrypto_key.o sshcrypto_key_ed25519.o str.o \ + stringparser.o subprocess_auth.o subprocess_sign.o test-crypto.o tinysshd.o \ trymlock.o uint16_optblocker.o uint32_optblocker.o uint64_optblocker.o \ uint8_optblocker.o writeall.o AUTOHEADERS=haslib1305.h haslib25519.h haslibntruprime.h haslibrandombytes.h \ haslibutilh.h haslimits.h haslogintty.h hasmlock.h hasopenpty.h hasutilh.h \ - hasutmpaddrv6.h hasutmp.h hasutmphost.h hasutmploginlogout.h hasutmplogwtmp.h \ + hasutmp.h hasutmpaddrv6.h hasutmphost.h hasutmploginlogout.h hasutmplogwtmp.h \ hasutmpname.h hasutmppid.h hasutmptime.h hasutmptv.h hasutmptype.h \ - hasutmpuser.h hasutmpxaddrv6.h hasutmpx.h hasutmpxsyslen.h hasutmpxupdwtmpx.h \ + hasutmpuser.h hasutmpx.h hasutmpxaddrv6.h hasutmpxsyslen.h hasutmpxupdwtmpx.h \ hasvalgrind.h TESTOUT=test-crypto-dh.out test-crypto-hash.out test-crypto-kem.out \ @@ -79,6 +79,92 @@ all: $(AUTOHEADERS) $(BINARIES) $(LINKS) +_tinysshd-printkex.o: _tinysshd-printkex.c log.h packet.h buf.h \ + cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ + cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ + cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ + cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ + crypto_verify_32.h haslibrandombytes.h randombytes.h \ + crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ + crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ + crypto_onetimeauth_poly1305.h haslib1305.h \ + crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ + crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ + channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-printkex.c + +_tinysshd-speed.o: _tinysshd-speed.c crypto.h cryptoint/crypto_int16.h \ + cryptoint/crypto_int32.h cryptoint/crypto_int64.h \ + cryptoint/crypto_int8.h cryptoint/crypto_uint16.h \ + cryptoint/crypto_uint32.h cryptoint/crypto_uint64.h \ + cryptoint/crypto_uint8.h crypto_verify_16.h crypto_verify_32.h \ + haslibrandombytes.h randombytes.h crypto_hash_sha256.h \ + crypto_hash_sha512.h haslib25519.h crypto_kem_sntrup761.h \ + haslibntruprime.h crypto_kem_sntrup761x25519.h \ + crypto_onetimeauth_poly1305.h haslib1305.h \ + crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ + crypto_sort_uint32.h crypto_stream_chacha20.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-speed.c + +_tinysshd-test-hello1.o: _tinysshd-test-hello1.c + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-hello1.c + +_tinysshd-test-hello2.o: _tinysshd-test-hello2.c log.h packet.h buf.h \ + cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ + cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ + cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ + cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ + crypto_verify_32.h haslibrandombytes.h randombytes.h \ + crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ + crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ + crypto_onetimeauth_poly1305.h haslib1305.h \ + crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ + crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ + channel.h iptostr.h porttostr.h global.h str.h writeall.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-hello2.c + +_tinysshd-test-kex1.o: _tinysshd-test-kex1.c log.h packet.h buf.h \ + cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ + cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ + cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ + cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ + crypto_verify_32.h haslibrandombytes.h randombytes.h \ + crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ + crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ + crypto_onetimeauth_poly1305.h haslib1305.h \ + crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ + crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ + channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-kex1.c + +_tinysshd-test-kex2.o: _tinysshd-test-kex2.c log.h packet.h buf.h \ + cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ + cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ + cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ + cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ + crypto_verify_32.h haslibrandombytes.h randombytes.h \ + crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ + crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ + crypto_onetimeauth_poly1305.h haslib1305.h \ + crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ + crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ + channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-kex2.c + +_tinysshd-unauthenticated.o: _tinysshd-unauthenticated.c log.h packet.h \ + buf.h cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h \ + crypto.h cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ + cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ + cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ + crypto_verify_32.h haslibrandombytes.h randombytes.h \ + crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ + crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ + crypto_onetimeauth_poly1305.h haslib1305.h \ + crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ + crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ + channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-unauthenticated.c + blocking.o: blocking.c blocking.h $(CC) $(CFLAGS) $(CPPFLAGS) -c blocking.c @@ -100,7 +186,7 @@ cryptoint/crypto_uint32.h iptostr.h porttostr.h limit.h haslimits.h $(CC) $(CFLAGS) $(CPPFLAGS) -c channel_drop.c -channel_fork.o: channel_fork.c blocking.h open.h channel.h \ +channel_fork.o: channel_fork.c blocking.h open.h e.h channel.h \ cryptoint/crypto_uint32.h iptostr.h porttostr.h limit.h haslimits.h $(CC) $(CFLAGS) $(CPPFLAGS) -c channel_fork.c @@ -210,13 +296,13 @@ env.o: env.c str.h env.h $(CC) $(CFLAGS) $(CPPFLAGS) -c env.c +fe.o: fe.c fe.h cryptoint/crypto_uint32.h cryptoint/crypto_uint64.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c fe.c + fe25519.o: fe25519.c crypto_verify_32.h cleanup.h fe.h \ cryptoint/crypto_uint32.h cryptoint/crypto_uint64.h fe25519.h $(CC) $(CFLAGS) $(CPPFLAGS) -c fe25519.c -fe.o: fe.c fe.h cryptoint/crypto_uint32.h cryptoint/crypto_uint64.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c fe.c - ge25519.o: ge25519.c fe25519.h fe.h cryptoint/crypto_uint32.h \ cryptoint/crypto_uint64.h cleanup.h ge25519.h $(CC) $(CFLAGS) $(CPPFLAGS) -c ge25519.c @@ -323,9 +409,9 @@ open.o: open.c blocking.h open.h $(CC) $(CFLAGS) $(CPPFLAGS) -c open.c -packet_auth.o: packet_auth.c buf.h cryptoint/crypto_uint8.h \ - cryptoint/crypto_uint32.h ssh.h e.h str.h packetparser.h subprocess.h \ - sshcrypto.h crypto.h cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ +packet.o: packet.c purge.h cleanup.h trymlock.h packet.h buf.h \ + cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ + cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ crypto_verify_32.h haslibrandombytes.h randombytes.h \ @@ -333,14 +419,13 @@ crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ crypto_onetimeauth_poly1305.h haslib1305.h \ crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h bug.h global.h log.h \ - purge.h cleanup.h packet.h limit.h haslimits.h channel.h iptostr.h \ - porttostr.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c packet_auth.c + crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ + channel.h iptostr.h porttostr.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c packet.c -packet.o: packet.c purge.h cleanup.h trymlock.h packet.h buf.h \ - cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ - cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ +packet_auth.o: packet_auth.c buf.h cryptoint/crypto_uint8.h \ + cryptoint/crypto_uint32.h ssh.h e.h str.h packetparser.h subprocess.h \ + sshcrypto.h crypto.h cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ crypto_verify_32.h haslibrandombytes.h randombytes.h \ @@ -348,9 +433,10 @@ crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ crypto_onetimeauth_poly1305.h haslib1305.h \ crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ - channel.h iptostr.h porttostr.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c packet.c + crypto_sort_uint32.h crypto_stream_chacha20.h bug.h global.h log.h \ + purge.h cleanup.h packet.h limit.h haslimits.h channel.h iptostr.h \ + porttostr.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c packet_auth.c packet_channel_open.o: packet_channel_open.c buf.h \ cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h ssh.h e.h bug.h \ @@ -470,10 +556,6 @@ haslimits.h channel.h iptostr.h porttostr.h $(CC) $(CFLAGS) $(CPPFLAGS) -c packet_kexdh.c -packetparser.o: packetparser.c e.h cryptoint/crypto_uint32.h bug.h \ - global.h log.h byte.h packetparser.h cryptoint/crypto_uint8.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c packetparser.c - packet_put.o: packet_put.c cryptoint/crypto_uint32.h buf.h \ cryptoint/crypto_uint8.h bug.h global.h e.h log.h sshcrypto.h crypto.h \ cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ @@ -531,6 +613,10 @@ channel.h iptostr.h porttostr.h $(CC) $(CFLAGS) $(CPPFLAGS) -c packet_unimplemented.c +packetparser.o: packetparser.c e.h cryptoint/crypto_uint32.h bug.h \ + global.h log.h byte.h packetparser.h cryptoint/crypto_uint8.h + $(CC) $(CFLAGS) $(CPPFLAGS) -c packetparser.c + porttostr.o: porttostr.c cryptoint/crypto_uint16.h porttostr.h $(CC) $(CFLAGS) $(CPPFLAGS) -c porttostr.c @@ -722,92 +808,6 @@ tinysshd.o: tinysshd.c str.h main.h $(CC) $(CFLAGS) $(CPPFLAGS) -c tinysshd.c -_tinysshd-printkex.o: _tinysshd-printkex.c log.h packet.h buf.h \ - cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ - cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ - cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ - cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ - crypto_verify_32.h haslibrandombytes.h randombytes.h \ - crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ - crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ - crypto_onetimeauth_poly1305.h haslib1305.h \ - crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ - channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-printkex.c - -_tinysshd-speed.o: _tinysshd-speed.c crypto.h cryptoint/crypto_int16.h \ - cryptoint/crypto_int32.h cryptoint/crypto_int64.h \ - cryptoint/crypto_int8.h cryptoint/crypto_uint16.h \ - cryptoint/crypto_uint32.h cryptoint/crypto_uint64.h \ - cryptoint/crypto_uint8.h crypto_verify_16.h crypto_verify_32.h \ - haslibrandombytes.h randombytes.h crypto_hash_sha256.h \ - crypto_hash_sha512.h haslib25519.h crypto_kem_sntrup761.h \ - haslibntruprime.h crypto_kem_sntrup761x25519.h \ - crypto_onetimeauth_poly1305.h haslib1305.h \ - crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-speed.c - -_tinysshd-test-hello1.o: _tinysshd-test-hello1.c - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-hello1.c - -_tinysshd-test-hello2.o: _tinysshd-test-hello2.c log.h packet.h buf.h \ - cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ - cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ - cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ - cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ - crypto_verify_32.h haslibrandombytes.h randombytes.h \ - crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ - crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ - crypto_onetimeauth_poly1305.h haslib1305.h \ - crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ - channel.h iptostr.h porttostr.h global.h str.h writeall.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-hello2.c - -_tinysshd-test-kex1.o: _tinysshd-test-kex1.c log.h packet.h buf.h \ - cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ - cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ - cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ - cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ - crypto_verify_32.h haslibrandombytes.h randombytes.h \ - crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ - crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ - crypto_onetimeauth_poly1305.h haslib1305.h \ - crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ - channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-kex1.c - -_tinysshd-test-kex2.o: _tinysshd-test-kex2.c log.h packet.h buf.h \ - cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h crypto.h \ - cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ - cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ - cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ - crypto_verify_32.h haslibrandombytes.h randombytes.h \ - crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ - crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ - crypto_onetimeauth_poly1305.h haslib1305.h \ - crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ - channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-test-kex2.c - -_tinysshd-unauthenticated.o: _tinysshd-unauthenticated.c log.h packet.h \ - buf.h cryptoint/crypto_uint8.h cryptoint/crypto_uint32.h sshcrypto.h \ - crypto.h cryptoint/crypto_int16.h cryptoint/crypto_int32.h \ - cryptoint/crypto_int64.h cryptoint/crypto_int8.h \ - cryptoint/crypto_uint16.h cryptoint/crypto_uint64.h crypto_verify_16.h \ - crypto_verify_32.h haslibrandombytes.h randombytes.h \ - crypto_hash_sha256.h crypto_hash_sha512.h haslib25519.h \ - crypto_kem_sntrup761.h haslibntruprime.h crypto_kem_sntrup761x25519.h \ - crypto_onetimeauth_poly1305.h haslib1305.h \ - crypto_scalarmult_curve25519.h crypto_dh_x25519.h crypto_sign_ed25519.h \ - crypto_sort_uint32.h crypto_stream_chacha20.h limit.h haslimits.h \ - channel.h iptostr.h porttostr.h ssh.h bug.h global.h e.h packetparser.h - $(CC) $(CFLAGS) $(CPPFLAGS) -c _tinysshd-unauthenticated.c - trymlock.o: trymlock.c hasmlock.h trymlock.h $(CC) $(CFLAGS) $(CPPFLAGS) -c trymlock.c @@ -826,10 +826,6 @@ writeall.o: writeall.c e.h writeall.h $(CC) $(CFLAGS) $(CPPFLAGS) -c writeall.c -tinysshd: tinysshd.o $(OBJLIB) randombytes.o libs - $(CC) $(CFLAGS) $(CPPFLAGS) -o tinysshd tinysshd.o \ - $(OBJLIB) $(LDFLAGS) `cat libs` randombytes.o - _tinysshd-printkex: _tinysshd-printkex.o $(OBJLIB) randombytes.o libs $(CC) $(CFLAGS) $(CPPFLAGS) -o _tinysshd-printkex _tinysshd-printkex.o \ $(OBJLIB) $(LDFLAGS) `cat libs` randombytes.o @@ -858,6 +854,10 @@ $(CC) $(CFLAGS) $(CPPFLAGS) -o _tinysshd-unauthenticated _tinysshd-unauthenticated.o \ $(OBJLIB) $(LDFLAGS) `cat libs` randombytes.o +tinysshd: tinysshd.o $(OBJLIB) randombytes.o libs + $(CC) $(CFLAGS) $(CPPFLAGS) -o tinysshd tinysshd.o \ + $(OBJLIB) $(LDFLAGS) `cat libs` randombytes.o + test-crypto: test-crypto.o $(OBJLIB) libs $(CC) $(CFLAGS) $(CPPFLAGS) -o test-crypto test-crypto.o \ @@ -914,16 +914,16 @@ ./tryfeature.sh hasutilh.c >hasutilh.h 2>hasutilh.log cat hasutilh.h -hasutmpaddrv6.h: tryfeature.sh hasutmpaddrv6.c libs - env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ - ./tryfeature.sh hasutmpaddrv6.c >hasutmpaddrv6.h 2>hasutmpaddrv6.log - cat hasutmpaddrv6.h - hasutmp.h: tryfeature.sh hasutmp.c libs env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ ./tryfeature.sh hasutmp.c >hasutmp.h 2>hasutmp.log cat hasutmp.h +hasutmpaddrv6.h: tryfeature.sh hasutmpaddrv6.c libs + env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ + ./tryfeature.sh hasutmpaddrv6.c >hasutmpaddrv6.h 2>hasutmpaddrv6.log + cat hasutmpaddrv6.h + hasutmphost.h: tryfeature.sh hasutmphost.c libs env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ ./tryfeature.sh hasutmphost.c >hasutmphost.h 2>hasutmphost.log @@ -969,16 +969,16 @@ ./tryfeature.sh hasutmpuser.c >hasutmpuser.h 2>hasutmpuser.log cat hasutmpuser.h -hasutmpxaddrv6.h: tryfeature.sh hasutmpxaddrv6.c libs - env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ - ./tryfeature.sh hasutmpxaddrv6.c >hasutmpxaddrv6.h 2>hasutmpxaddrv6.log - cat hasutmpxaddrv6.h - hasutmpx.h: tryfeature.sh hasutmpx.c libs env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ ./tryfeature.sh hasutmpx.c >hasutmpx.h 2>hasutmpx.log cat hasutmpx.h +hasutmpxaddrv6.h: tryfeature.sh hasutmpxaddrv6.c libs + env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ + ./tryfeature.sh hasutmpxaddrv6.c >hasutmpxaddrv6.h 2>hasutmpxaddrv6.log + cat hasutmpxaddrv6.h + hasutmpxsyslen.h: tryfeature.sh hasutmpxsyslen.c libs env CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) `cat libs`" \ ./tryfeature.sh hasutmpxsyslen.c >hasutmpxsyslen.h 2>hasutmpxsyslen.log diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/README.md new/tinyssh-20260401/README.md --- old/tinyssh-20260301/README.md 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/README.md 2026-04-01 06:24:44.000000000 +0200 @@ -11,13 +11,13 @@ * Older standard: <strike>ecdsa-sha2-nistp256, ecdh-sha2-nistp256, aes256-ctr, hmac-sha2-256</strike> removed in version 20190101 * Postquantum crypto: [email protected], [email protected] -### Project timelime ### +### Project timeline ### * <strike>experimental: 2014.01.01 - 2014.12.31 (experimentation)</strike> * <strike>alpha(updated): 2015.01.01 - 2017.12.31 (not ready for production use, ready for testing)</strike> * beta(updated): 2018.01.01 - ????.??.?? (ready for production use) * stable: expected ????.??.?? - (ready for production use - including post-quantum crypto) -### Current release (20260301) ### +### Current release (20260401) ### * has 74260 words of code * beta release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/buf.c new/tinyssh-20260401/buf.c --- old/tinyssh-20260301/buf.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/buf.c 2026-04-01 06:24:44.000000000 +0200 @@ -184,7 +184,7 @@ for (pos = 0; pos < len; ++pos) if (x[pos]) break; - if (x[pos] & 0x80) { + if (pos < len && (x[pos] & 0x80)) { buf_putnum32_(fn, line, b, len - pos + 1); buf_putnum8_(fn, line, b, 0); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/channel.c new/tinyssh-20260401/channel.c --- old/tinyssh-20260301/channel.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/channel.c 2026-04-01 06:24:44.000000000 +0200 @@ -444,7 +444,7 @@ } /* -Remove sentitive data from allocated memory. +Remove sensitive data from allocated memory. */ void channel_purge(void) { purge(&channel, sizeof channel); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/channel_fork.c new/tinyssh-20260401/channel_fork.c --- old/tinyssh-20260301/channel_fork.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/channel_fork.c 2026-04-01 06:24:44.000000000 +0200 @@ -8,6 +8,7 @@ #include <unistd.h> #include "blocking.h" #include "open.h" +#include "e.h" #include "channel.h" /* @@ -39,6 +40,8 @@ blocking_enable(ch[i]); if (dup(ch[i]) != i) _exit(111); } + for (i = 3; i < 4096; ++i) close(i); + errno = 0; return 0; } for (i = 0; i < 3; ++i) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/channel_forkpty.c new/tinyssh-20260401/channel_forkpty.c --- old/tinyssh-20260301/channel_forkpty.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/channel_forkpty.c 2026-04-01 06:24:44.000000000 +0200 @@ -134,7 +134,7 @@ long long channel_forkpty(int fd[3], int master, int slave) { - long long pid, r; + long long pid, r, i; char ch; int pi[2]; @@ -163,6 +163,8 @@ /* Trigger a read event on the other side of the pipe. */ do { r = write(pi[1], "", 1); } while (r == -1 && errno == EINTR); close(pi[1]); + for (i = 3; i < 4096; ++i) close(i); + errno = 0; return 0; default: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/dropuidgid.c new/tinyssh-20260401/dropuidgid.c --- old/tinyssh-20260301/dropuidgid.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/dropuidgid.c 2026-04-01 06:24:44.000000000 +0200 @@ -12,9 +12,9 @@ /* The 'dropuidgid' function is used to drop root privileges. If the process has -appropriate permittions, the 'dropuidgid' function sets user ID and group ID -of calling process to uid and gid. The 'dropuidgid' function also initialize -supplementary group IDs. +appropriate permissions, the 'dropuidgid' function sets user ID and group ID +of the calling process to uid and gid. The 'dropuidgid' function also +initializes supplementary group IDs. */ int dropuidgid(const char *name, uid_t uid, gid_t gid) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/global.c new/tinyssh-20260401/global.c --- old/tinyssh-20260301/global.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/global.c 2026-04-01 06:24:44.000000000 +0200 @@ -40,7 +40,7 @@ } /* -Remove sentitive data from allocated memory. +Remove sensitive data from allocated memory. */ void global_purge(void) { @@ -61,7 +61,7 @@ } /* -Remove sentitive data from allocated memory +Remove sensitive data from allocated memory and exit with status 'x'. */ __attribute__((noreturn)) void global_die(int x) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/log.c new/tinyssh-20260401/log.c --- old/tinyssh-20260301/log.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/log.c 2026-04-01 06:24:44.000000000 +0200 @@ -27,7 +27,7 @@ static int logflagsyslog = 0; static char chars[] = - "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRTSUVWXYZ0123456789"; + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; void log_init(int level, const char *text, int line, int flagsyslog) { @@ -62,8 +62,8 @@ syslog(LOG_INFO, "%s", buf); } else { writeall(2, buf, buflen); } - buflen = 0; purge(buf, buflen); + buflen = 0; } static void outs(const char *x) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/main_tinysshd.c new/tinyssh-20260401/main_tinysshd.c --- old/tinyssh-20260301/main_tinysshd.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/main_tinysshd.c 2026-04-01 06:24:44.000000000 +0200 @@ -40,8 +40,12 @@ static struct buf b2 = {global_bspace2, 0, sizeof global_bspace2}; static void timeout(int x) { - errno = x = ETIMEDOUT; + (void) x; + /* + errno = ETIMEDOUT; die_fatal("closing connection", 0, 0); + */ + _exit(111); } static int selfpipe[2] = {-1, -1}; @@ -259,7 +263,9 @@ for (;;) { if (channel_iseof()) if (!packet.sendbuf.len) - if (packet.flagchanneleofreceived) break; + if (packet.flagchanneleofreceived) + if (packet.flagclosesent) + break; watch0 = watch1 = 0; watchtochild = watchfromchild1 = watchfromchild2 = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/makefilegen.sh new/tinyssh-20260401/makefilegen.sh --- old/tinyssh-20260301/makefilegen.sh 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/makefilegen.sh 2026-04-01 06:24:44.000000000 +0200 @@ -84,7 +84,7 @@ for ofile in ${objall}; do ( cfile=`echo ${ofile} | sed 's/\.o/.c/'` - gcc -MM -Icryptoint "${cfile}" + gcc -MM -isystem /usr/local/include -Icryptoint "${cfile}" echo " \$(CC) \$(CFLAGS) \$(CPPFLAGS) -c ${cfile}" echo ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/man/tinysshd-makekey.8 new/tinyssh-20260401/man/tinysshd-makekey.8 --- old/tinyssh-20260301/man/tinysshd-makekey.8 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/man/tinysshd-makekey.8 2026-04-01 06:24:44.000000000 +0200 @@ -17,7 +17,6 @@ .B \-Q print error messages (default) .TP -.TP .I keydir directory for TinySSH keys, typically /etc/tinyssh/sshkeydir .SH EXAMPLE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/man/tinysshnoneauthd.8 new/tinyssh-20260401/man/tinysshnoneauthd.8 --- old/tinyssh-20260301/man/tinysshnoneauthd.8 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/man/tinysshnoneauthd.8 2026-04-01 06:24:44.000000000 +0200 @@ -7,7 +7,7 @@ .I keydir .SH DESCRIPTION .B tinysshnoneauthd -creates encrypted (but not auhenticated) SSH connection. +creates encrypted (but not authenticated) SSH connection. It's used to protect older protocols which uses e.g. telnet etc. .SH OPTIONS .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/newenv.c new/tinyssh-20260401/newenv.c --- old/tinyssh-20260301/newenv.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/newenv.c 2026-04-01 06:24:44.000000000 +0200 @@ -28,7 +28,7 @@ } n = {{0}, 0, {0}, 0}; /* -Remove sentitive data from allocated memory. +Remove sensitive data from allocated memory. */ void newenv_purge(void) { purge(&n, sizeof n); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/packet_channel_request.c new/tinyssh-20260401/packet_channel_request.c --- old/tinyssh-20260301/packet_channel_request.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/packet_channel_request.c 2026-04-01 06:24:44.000000000 +0200 @@ -12,6 +12,7 @@ #include "log.h" #include "packetparser.h" #include "packet.h" +#include "channel.h" int packet_channel_request(struct buf *b1, struct buf *b2, const char *customcmd) { @@ -55,6 +56,12 @@ buf_putnum8(b1, 0); p1[plen1] = 0; + if (channel.pid != 0) { + log_d3("packet=SSH_MSG_CHANNEL_REQUEST, exec ", p1, + ", rejected: session already started"); + goto reject; + } + if (customcmd) { log_d4("packet=SSH_MSG_CHANNEL_REQUEST, exec ", p1, ", rejected: custom program is selected using param. -e ", @@ -82,6 +89,12 @@ buf_putnum8(b1, 0); p1[plen1] = 0; + if (channel.pid != 0) { + log_d3("packet=SSH_MSG_CHANNEL_REQUEST, subsystem ", p1, + ", rejected: session already started"); + goto reject; + } + if (customcmd) { log_d4("packet=SSH_MSG_CHANNEL_REQUEST, subsystem ", p1, ", rejected: custom program is selected using param. -e ", @@ -113,6 +126,11 @@ pos = packetparser_end(b1->buf, b1->len, pos); + if (channel.pid != 0) { + log_d1("packet=SSH_MSG_CHANNEL_REQUEST, shell, rejected: session already started"); + goto reject; + } + if (customcmd) { if (!channel_exec(customcmd)) bug(); log_d3("packet=SSH_MSG_CHANNEL_REQUEST, shell, accepted, executing " @@ -186,6 +204,12 @@ pos = packetparser_skip(b1->buf, b1->len, pos, plen2); pos = packetparser_end(b1->buf, b1->len, pos); buf_putnum8(b1, 0); + if (channel.pid != 0 || channel.flagterminal) { + log_d3("packet=SSH_MSG_CHANNEL_REQUEST, pty-req ", p1, + ", rejected: terminal already initialized"); + goto reject; + } + /* XXX TODO encoded terminal modes (p2, plen2) */ p1[plen1] = 0; p2[plen2] = 0; @@ -216,6 +240,11 @@ pos = packetparser_uint32(b1->buf, b1->len, pos, &y); pos = packetparser_end(b1->buf, b1->len, pos); + if (channel.pid <= 0 || !channel.flagterminal) { + log_d1("packet=SSH_MSG_CHANNEL_REQUEST, window-change, rejected: no active terminal"); + goto reject; + } + channel_ptyresize(a, b, x, y); log_d1("packet=SSH_MSG_CHANNEL_REQUEST, window-change, accepted"); goto accept; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/sshcrypto.c new/tinyssh-20260401/sshcrypto.c --- old/tinyssh-20260301/sshcrypto.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/sshcrypto.c 2026-04-01 06:24:44.000000000 +0200 @@ -46,7 +46,7 @@ } /* -Remove sentitive data from allocated memory. +Remove sensitive data from allocated memory. */ void sshcrypto_purge(void) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/subprocess_auth.c new/tinyssh-20260401/subprocess_auth.c --- old/tinyssh-20260301/subprocess_auth.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/subprocess_auth.c 2026-04-01 06:24:44.000000000 +0200 @@ -125,10 +125,15 @@ if (r == -1) { log_w3("auth: unable to read from file ", dir, "/.ssh/authorized_keys"); + close(fd); return 0; } - if (findnameandkey(keyname, key, buf)) return 1; /* authorized */ + if (findnameandkey(keyname, key, buf)) { + close(fd); + return 1; /* authorized */ + } } while (r > 0); + close(fd); log_w1("auth: unable to authorize using authorized_keys: key not found"); return 0; } @@ -139,7 +144,7 @@ */ int subprocess_auth(const char *account, const char *keyname, const char *key) { - pid_t pid; + pid_t pid, r; int status; pid = fork(); @@ -184,7 +189,10 @@ global_die(0); } - while (waitpid(pid, &status, 0) != pid) {} + do { + r = waitpid(pid, &status, 0); + } while (r == -1 && errno == EINTR); + if (r != pid) return -1; if (!WIFEXITED(status)) return -1; return WEXITSTATUS(status); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tinyssh-20260301/subprocess_sign.c new/tinyssh-20260401/subprocess_sign.c --- old/tinyssh-20260301/subprocess_sign.c 2026-03-01 07:37:31.000000000 +0100 +++ new/tinyssh-20260401/subprocess_sign.c 2026-04-01 06:24:44.000000000 +0200 @@ -31,7 +31,7 @@ int subprocess_sign(unsigned char *y, long long ylen, const char *keydir, unsigned char *x, long long xlen) { - pid_t pid; + pid_t pid, r; int status, fromchild[2] = {-1, -1}; if (ylen != sshcrypto_sign_bytes) bug_inval(); @@ -72,7 +72,7 @@ } purge(sk, sizeof sk); if (writeall(fromchild[1], sm, sshcrypto_sign_bytes) == -1) { - log_w1("sign: unable to write signature to parrent process"); + log_w1("sign: unable to write signature to parent process"); global_die(111); } close(fromchild[1]); @@ -89,7 +89,10 @@ } close(fromchild[0]); - while (waitpid(pid, &status, 0) != pid) {} + do { + r = waitpid(pid, &status, 0); + } while (r == -1 && errno == EINTR); + if (r != pid) return -1; if (!WIFEXITED(status)) return -1; return WEXITSTATUS(status); }
