commit 0cbfa66cdb87e23928a110d9b02839f403e32c11
Author: Daniel Fojt <d...@neosystem.org>
Date:   Wed Jul 22 17:18:18 2020 +0200

vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:

- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. OpenSSH 8.1 and later encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).
- ssh(1), sshd(8), ssh-keygen(1): OpenSSH 8.2 removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates.
- ssh(1), sshd(8): OpenSSH 8.2 removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server.
- ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-* key exchange algorithms have changed; most options have been folded under the -O flag.
- support PKCS8 as an optional format for storage of private keys to disk. The native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required.
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto.
- sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups.
- sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2.
- sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns.
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" to allow rhosts/shosts, or (new) "shosts-only" to allow .shosts files but not .rhosts.
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks.
- ssh(1), sshd(8): allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519".
- ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accept an explicit path or the name of an environment variable in addition to yes/no.
- ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding.
- ssh(1): allow %n to be expanded in ProxyCommand strings.
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it.
- sftp(1): check for user@host when parsing the sftp target; this allows user@[1.2.3.4] to work without a path.
- sftp(1): fix a race condition in the SIGCHILD handler that could turn into a kill(-1).

For a detailed list of all improvements, enhancements and bugfixes see the release notes:
https://www.openssh.com/releasenotes.html

Summary of changes:
 crypto/openssh/CREDITS | 2 +-
 crypto/openssh/LICENCE | 2 +-
 crypto/openssh/PROTOCOL | 6 +-
 crypto/openssh/PROTOCOL.certkeys | 9 +-
 crypto/openssh/PROTOCOL.chacha20poly1305 | 4 +-
 crypto/openssh/PROTOCOL.mux | 4 +-
 crypto/openssh/PROTOCOL.sshsig | 99 ++
 crypto/openssh/README | 36 +-
 crypto/openssh/README.dns | 8 +-
 crypto/openssh/auth-options.c | 124 +-
 crypto/openssh/auth-options.h | 8 +-
 crypto/openssh/auth-pam.c | 46 +-
 crypto/openssh/auth-rhosts.c | 15 +-
 crypto/openssh/auth.c | 42 +-
 crypto/openssh/auth.h | 8 +-
 crypto/openssh/auth2-chall.c | 8 +-
 crypto/openssh/auth2-hostbased.c | 5 +-
 crypto/openssh/auth2-kbdint.c | 4 +-
 crypto/openssh/auth2-passwd.c | 7 +-
 crypto/openssh/auth2-pubkey.c | 109 +-
 crypto/openssh/auth2.c | 10 +-
 crypto/openssh/authfd.c | 103 +-
 crypto/openssh/authfd.h | 10 +-
 crypto/openssh/authfile.c | 257 ++--
 crypto/openssh/authfile.h | 10 +-
 crypto/openssh/canohost.c | 6 +-
 crypto/openssh/channels.c | 123 +-
 crypto/openssh/channels.h | 10 +-
 ...-chachapoly.c => cipher-chachapoly-libcrypto.c} | 95 +-
 crypto/openssh/cipher-chachapoly.h | 13 +-
 crypto/openssh/cipher.c | 40 +-
 crypto/openssh/cipher.h | 5 +-
 crypto/openssh/clientloop.c | 178 ++-
 crypto/openssh/clientloop.h | 5 +-
 crypto/openssh/contrib/ssh-copy-id.1 | 2 +-
 crypto/openssh/crc32.h | 30 -
 crypto/openssh/defines.h | 37 +-
 crypto/openssh/dh.c | 8 +-
 crypto/openssh/dh.h | 7 +-
 crypto/openssh/digest-openssl.c | 9 +-
 crypto/openssh/dns.c | 1 -
 crypto/openssh/entropy.c | 19 +-
 crypto/openssh/hash.c | 34 +-
 crypto/openssh/hmac.c | 7 +-
 crypto/openssh/hostfile.c | 16 +-
 crypto/openssh/kex.c | 127 +-
 crypto/openssh/kex.h | 9 +-
 crypto/openssh/kexecdh.c | 28 +
 crypto/openssh/kexgen.c | 5 +-
 crypto/openssh/kexgexc.c | 4 +-
 crypto/openssh/krl.c | 118 +-
 crypto/openssh/krl.h | 5 +-
 crypto/openssh/log.h | 4 +-
 crypto/openssh/loginrec.c | 2 +
 crypto/openssh/mac.c | 7 +-
 crypto/openssh/match.c | 7 +-
 crypto/openssh/misc.c | 208 ++-
 crypto/openssh/misc.h | 17 +-
 crypto/openssh/moduli | 865 ++++++------
 crypto/openssh/moduli.c | 16 +-
 crypto/openssh/monitor.c | 109 +-
 crypto/openssh/monitor_wrap.c | 29 +-
 crypto/openssh/monitor_wrap.h | 9 +-
 crypto/openssh/msg.c | 14 +-
 crypto/openssh/mux.c | 29 +-
 crypto/openssh/myproposal.h | 135 +-
 crypto/openssh/nchan.c | 6 +-
 crypto/openssh/packet.c | 68 +-
 crypto/openssh/packet.h | 5 +-
 crypto/openssh/pathnames.h | 9 +-
 crypto/openssh/platform.c | 1 +
 crypto/openssh/progressmeter.c | 12 +-
 crypto/openssh/readconf.c | 215 ++-
 crypto/openssh/readconf.h | 7 +-
 crypto/openssh/readpass.c | 127 +-
 crypto/openssh/scp.1 | 13 +-
 crypto/openssh/scp.c | 147 +-
 crypto/openssh/servconf.c | 326 ++++-
 crypto/openssh/servconf.h | 32 +-
 crypto/openssh/serverloop.c | 32 +-
 crypto/openssh/session.c | 62 +-
 crypto/openssh/sftp-client.c | 12 +-
 crypto/openssh/sftp-glob.c | 4 +-
 crypto/openssh/sftp-realpath.c | 226 +++
 crypto/openssh/sftp-server-main.c | 3 +-
 crypto/openssh/sftp-server.8 | 6 +-
 crypto/openssh/sftp-server.c | 29 +-
 crypto/openssh/sftp.1 | 56 +-
 crypto/openssh/sftp.c | 83 +-
 crypto/openssh/sk-api.h | 95 ++
 crypto/openssh/ssh-add.1 | 33 +-
 crypto/openssh/ssh-add.c | 171 ++-
 crypto/openssh/ssh-agent.1 | 170 ++-
 crypto/openssh/ssh-agent.c | 168 ++-
 crypto/openssh/ssh-dss.c | 8 +-
 crypto/openssh/{ssh-ecdsa.c => ssh-ecdsa-sk.c} | 183 +--
 crypto/openssh/ssh-ed25519-sk.c | 164 +++
 crypto/openssh/ssh-ed25519.c | 20 +-
 crypto/openssh/ssh-keygen.1 | 599 +++++--
 crypto/openssh/ssh-keygen.c | 1479 +++++++++++++++-----
 crypto/openssh/ssh-keyscan.1 | 6 +-
 crypto/openssh/ssh-keyscan.c | 44 +-
 crypto/openssh/ssh-keysign.8 | 6 +-
 crypto/openssh/ssh-keysign.c | 11 +-
 crypto/openssh/ssh-pkcs11-helper.8 | 6 +-
 crypto/openssh/ssh-pkcs11-helper.c | 56 +-
 crypto/openssh/ssh-pkcs11.h | 4 +-
 crypto/openssh/ssh-sk-client.c | 449 ++++++
 crypto/openssh/ssh-sk.h | 69 +
 crypto/openssh/ssh.1 | 43 +-
 crypto/openssh/ssh.c | 396 ++++--
 crypto/openssh/ssh_api.c | 51 +-
 crypto/openssh/ssh_config.5 | 230 +--
 crypto/openssh/sshbuf-getput-basic.c | 169 ++-
 crypto/openssh/sshbuf-getput-crypto.c | 15 +-
 crypto/openssh/sshbuf-io.c | 117 ++
 crypto/openssh/sshbuf-misc.c | 105 +-
 crypto/openssh/sshbuf.c | 7 +-
 crypto/openssh/sshbuf.h | 71 +-
 crypto/openssh/sshconnect.c | 102 +-
 crypto/openssh/sshconnect.h | 10 +-
 crypto/openssh/sshconnect2.c | 215 ++-
 crypto/openssh/sshd.8 | 64 +-
 crypto/openssh/sshd.c | 222 ++-
 crypto/openssh/sshd_config.5 | 203 ++-
 crypto/openssh/ssherr.c | 6 +-
 crypto/openssh/ssherr.h | 4 +-
 crypto/openssh/sshkey.c | 1302 ++++++++++++-----
 crypto/openssh/sshkey.h | 84 +-
 crypto/openssh/sshlogin.c | 7 +-
 crypto/openssh/sshpty.c | 22 +-
 crypto/openssh/sshsig.c | 1041 ++++++++++++++
 crypto/openssh/sshsig.h | 104 ++
 crypto/openssh/uidswap.c | 38 +-
 crypto/openssh/umac.c | 8 +-
 crypto/openssh/umac.h | 6 +-
 crypto/openssh/utf8.c | 27 +-
 crypto/openssh/utf8.h | 5 +-
 crypto/openssh/uuencode.c | 95 --
 crypto/openssh/uuencode.h | 29 -
 crypto/openssh/version.h | 4 +-
 crypto/openssh/xmalloc.c | 31 +-
 crypto/openssh/xmalloc.h | 5 +-
 143 files changed, 9705 insertions(+), 3683 deletions(-)
 create mode 100644 crypto/openssh/PROTOCOL.sshsig
 rename crypto/openssh/{cipher-chachapoly.c => cipher-chachapoly-libcrypto.c} (57%)
 delete mode 100644 crypto/openssh/crc32.h
 create mode 100644 crypto/openssh/sftp-realpath.c
 create mode 100644 crypto/openssh/sk-api.h
 copy crypto/openssh/{ssh-ecdsa.c => ssh-ecdsa-sk.c} (50%)
 create mode 100644 crypto/openssh/ssh-ed25519-sk.c
 create mode 100644 crypto/openssh/ssh-sk-client.c
 create mode 100644 crypto/openssh/ssh-sk.h
 create mode 100644 crypto/openssh/sshbuf-io.c
 create mode 100644 crypto/openssh/sshsig.c
 create mode 100644 crypto/openssh/sshsig.h
 delete mode 100644 crypto/openssh/uuencode.c
 delete mode 100644 crypto/openssh/uuencode.h

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/0cbfa66cdb87e23928a110d9b02839f403e32c11

-- 
DragonFly BSD source repository
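As an added illustration of the sshd_config changes listed in the commit message (the Include keyword, the '^' prefix for algorithm lists, the tri-state IgnoreRhosts and its placement inside Match blocks, and MaxStartups), here is a server configuration fragment. It is example configuration written for this page, not part of the commit or of OpenSSH's own files; the drop-in directory, the 10.20.0.0/16 address range and the MaxStartups limits are assumed values.

```text
# Added example sshd_config fragment (not from the commit). The drop-in
# path, the address range and the MaxStartups limits are assumed values.

# OpenSSH 8.2+: pull in drop-in files; glob(3) patterns are expanded and
# the matching files are read in order at this point in the config.
Include /etc/ssh/sshd_config.d/*.conf

# '^' prepends to the built-in default list instead of replacing it, so
# ssh-ed25519 is offered first while the other defaults remain available.
HostKeyAlgorithms ^ssh-ed25519

# Global default: ignore both .rhosts and .shosts for host-based auth.
IgnoreRhosts yes

# start:rate:full. Once 10 unauthenticated connections are pending, new
# ones are refused with 30% probability, rising linearly to 100% at 100.
# Refused clients now get a notice before the protocol banner (RFC 4253 4.2).
MaxStartups 10:30:100

# Since 8.2 IgnoreRhosts may follow a Match block, so one trusted network
# can use the new "shosts-only" value (.shosts honoured, .rhosts ignored).
Match Address 10.20.0.0/16
    IgnoreRhosts shosts-only
```

IgnoreRhosts only matters when HostbasedAuthentication is enabled, which it is not by default. To check the file without restarting the daemon, run `sshd -t -f /path/to/sshd_config` for a syntax check, and `sshd -T -f /path/to/sshd_config -C addr=10.20.1.5,user=alice,host=alice.example.org` (constructed values) to dump the effective settings for a client that would hit the Match block; the output shows the merged hostkeyalgorithms list and the per-block ignorerhosts value.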