Source snapshot from Powershell/openssh-portable:latestw_cwb

Author: manojampalam

.skipped-commit-ids

@@ -9,3 +9,5 @@ edbfde98c40007b7752a4ac106095e060c25c1ef	Regen moduli
 180d84674be1344e45a63990d60349988187c1ae	Update moduli
 f6ae971186ba68d066cd102e57d5b0b2c211a5ee	systrace is dead.
 96c5054e3e1f170c6276902d5bc65bb3b87a2603	remove DEBUGLIBS from Makefile
+6da9a37f74aef9f9cc639004345ad893cad582d8	Update moduli file
+77bcb50e47b68c7209c7f0a5a020d73761e5143b	unset REGRESS_FAIL_EARLY

CREDITS

@@ -100,6 +100,3 @@ Zack Weinberg <[email protected]> - GNOME askpass enhancement
 Apologies to anyone I have missed.
 
 Damien Miller <[email protected]>
-
-$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $
-

INSTALL

@@ -1,10 +1,15 @@
-1. Prerequisites
 ----------------
 
+A C compiler.  Any C89 or better compiler should work.  Where supported,
+configure will attempt to enable the compiler's run-time integrity checking
+options.  Some notes about specific compilers:
+ - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
+  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
+
 You will need working installations of Zlib and libcrypto (LibreSSL /
 OpenSSL)
 
-Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
+Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
 http://www.gzip.org/zlib/
 
 libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
@@ -85,7 +90,7 @@ http://nlnetlabs.nl/projects/ldns/
 Autoconf:
 
 If you modify configure.ac or configure doesn't exist (eg if you checked
-the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
+the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
 the automatically generated files by running "autoreconf".  Earlier
 versions may also work but this is not guaranteed.
 
@@ -224,9 +229,13 @@ review it to ensure that it matches your security requirements.
 To generate a host key, run "make host-key". Alternately you can do so
 manually using the following commands:
 
-    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
-    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
-    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
+    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
+
+for each of the types you wish to generate (rsa, dsa or ecdsaa) or
+
+    ssh-keygen -A
+
+to generate keys for all supported types.
 
 Replacing /etc/ssh with the correct path to the configuration directory.
 (${prefix}/etc or whatever you specified with --sysconfdir during
@@ -257,7 +266,4 @@ summary data may be published.
 
 If you experience problems compiling, installing or running OpenSSH.
 Please refer to the "reporting bugs" section of the webpage at
-http://www.openssh.com/
-
-
-$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
+https://www.openssh.com/

Makefile.in

@@ -97,14 +97,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o
 
-SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
 	audit.o audit-bsm.o audit-linux.o platform.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
-	auth.o auth1.o auth2.o auth-options.o session.o \
-	auth-chall.o auth2-chall.o groupaccess.o \
+	auth.o auth2.o auth-options.o session.o \
+	auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+	monitor.o monitor_wrap.o auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
@@ -240,6 +240,10 @@ clean:	regressclean
 	rm -f regress/unittests/hostkeys/test_hostkeys
 	rm -f regress/unittests/kex/*.o
 	rm -f regress/unittests/kex/test_kex
+	rm -f regress/unittests/match/*.o
+	rm -f regress/unittests/match/test_match
+	rm -f regress/unittests/utf8/*.o
+	rm -f regress/unittests/utf8/test_utf8
 	rm -f regress/misc/kexfuzz/*.o
 	rm -f regress/misc/kexfuzz/kexfuzz
 	(cd openbsd-compat && $(MAKE) clean)
@@ -262,6 +266,10 @@ distclean:	regressclean
 	rm -f regress/unittests/hostkeys/test_hostkeys
 	rm -f regress/unittests/kex/*.o
 	rm -f regress/unittests/kex/test_kex
+	rm -f regress/unittests/match/*.o
+	rm -f regress/unittests/match/test_match
+	rm -f regress/unittests/utf8/*.o
+	rm -f regress/unittests/utf8/test_utf8
 	rm -f regress/unittests/misc/kexfuzz
 	(cd openbsd-compat && $(MAKE) distclean)
 	if test -d pkg ; then \
@@ -422,6 +430,10 @@ regress-prep:
 		mkdir -p `pwd`/regress/unittests/hostkeys
 	[ -d `pwd`/regress/unittests/kex ] || \
 		mkdir -p `pwd`/regress/unittests/kex
+	[ -d `pwd`/regress/unittests/match ] || \
+		mkdir -p `pwd`/regress/unittests/match
+	[ -d `pwd`/regress/unittests/utf8 ] || \
+		mkdir -p `pwd`/regress/unittests/utf8
 	[ -d `pwd`/regress/misc/kexfuzz ] || \
 		mkdir -p `pwd`/regress/misc/kexfuzz
 	[ -f `pwd`/regress/Makefile ] || \
@@ -512,6 +524,26 @@ regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+UNITTESTS_TEST_MATCH_OBJS=\
+	regress/unittests/match/tests.o
+
+regress/unittests/match/test_match$(EXEEXT): \
+    ${UNITTESTS_TEST_MATCH_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_MATCH_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_UTF8_OBJS=\
+	regress/unittests/utf8/tests.o
+
+regress/unittests/utf8/test_utf8$(EXEEXT): \
+    ${UNITTESTS_TEST_UTF8_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_UTF8_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 MISC_KEX_FUZZ_OBJS=\
 	regress/misc/kexfuzz/kexfuzz.o
 
@@ -528,6 +560,8 @@ regress-binaries: regress/modpipe$(EXEEXT) \
 	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
 	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
 	regress/unittests/kex/test_kex$(EXEEXT) \
+	regress/unittests/match/test_match$(EXEEXT) \
+	regress/unittests/utf8/test_utf8$(EXEEXT) \
 	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 
 tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS)
@@ -546,6 +580,7 @@ tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS)
 	TEST_SSH_PUTTYGEN="puttygen"; \
 	TEST_SSH_CONCH="conch"; \
 	TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
+	TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
 	TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
 	cd $(srcdir)/regress || exit $$?; \
 	$(MAKE) \
@@ -570,6 +605,7 @@ tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS)
 		TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
 		TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
 		TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
+		TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
 		TEST_SSH_ECC="$${TEST_SSH_ECC}" \
 		TEST_SHELL="${TEST_SHELL}" \
 		EXEEXT="$(EXEEXT)" \

PROTOCOL

@@ -4,7 +4,7 @@ protocol.
 Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
 filexfer protocol described in:
 
-http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
+https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
 
 Newer versions of the draft will not be supported, though some features
 are individually implemented as extensions described below.
@@ -20,7 +20,7 @@ This is a new transport-layer MAC method using the UMAC algorithm
 (rfc4418). This method is identical to the "umac-64" method documented
 in:
 
-http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
+https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
 
 1.2. transport: Protocol 2 compression algorithm "[email protected]"
 
@@ -31,7 +31,7 @@ avoids exposing compression code to attacks from unauthenticated users.
 
 The method is documented in:
 
-http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
+https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
 
 1.3. transport: New public key algorithms "[email protected]",
      "[email protected]",

README

@@ -1,10 +1,10 @@
-See http://www.openssh.com/txt/release-7.3p1 for the release notes.
+See https://www.openssh.com/releasenotes.html#7.3p1 for the release notes.
 
-Please read http://www.openssh.com/report.html for bug reporting
+Please read https://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or
 patch/pull-request management.
 
-- A Japanese translation of this document and of the OpenSSH FAQ is
+- A Japanese translation of this document and of the release notes is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
 - Thanks to HARUYAMA Seigo <[email protected]>
 
@@ -16,7 +16,7 @@ implementation with all patent-encumbered algorithms removed (to
 external libraries), all known security bugs fixed, new features
 reintroduced and many other clean-ups.  OpenSSH has been created by
 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
-and Dug Song. It has a homepage at http://www.openssh.com/
+and Dug Song. It has a homepage at https://www.openssh.com/
 
 This port consists of the re-introduction of autoconf support, PAM
 support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
@@ -33,17 +33,15 @@ all logins, not just when using password authentication.
 OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
 
 There is now several mailing lists for this port of OpenSSH. Please
-refer to http://www.openssh.com/list.html for details on how to join.
+refer to https://www.openssh.com/list.html for details on how to join.
 
 Please send bug reports and patches to the mailing list
-[email protected]. The list is open to posting by
-unsubscribed users.Code contribution are welcomed, but please follow the 
-OpenBSD style guidelines[6].
+[email protected]. The list is open to posting by unsubscribed
+users.  Code contribution are welcomed, but please follow the OpenBSD
+style guidelines[6].
 
 Please refer to the INSTALL document for information on how to install
-OpenSSH on your system. There are a number of differences between this
-port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7]
-for details and general tips.
+OpenSSH on your system.
 
 Damien Miller <[email protected]>
 
@@ -55,15 +53,12 @@ implementation released by Tatu Ylonen.
 
 References -
 
-[0] http://www.openssh.com/faq.html
+[0] https://www.openssh.com/
 [1] http://www.lothar.com/tech/crypto/
 [2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
 [3] http://www.gzip.org/zlib/
 [4] http://www.openssl.org/
 [5] http://www.openpam.org
-    http://www.kernel.org/pub/linux/libs/pam/ 
+    http://www.kernel.org/pub/linux/libs/pam/
     (PAM also is standard on Solaris and HP-UX 11)
-[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
-[7] http://www.openssh.com/faq.html
-
-$Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
+[6] http://man.openbsd.org/style.9

README.platform

@@ -94,6 +94,3 @@ added to sshd's session stack which will prevent users from starting shell
 sessions.  Alternatively, pam_nologin can be added to either the auth or
 account stacks which will prevent authentication entirely, but will still
 return the output from pam_nologin to the client.
-
-
-$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $

README.privsep

@@ -8,10 +8,6 @@ More information is available at:
 Privilege separation is now enabled by default; see the
 UsePrivilegeSeparation option in sshd_config(5).
 
-On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
-compression must be disabled in order for privilege separation to
-function.
-
 When privsep is enabled, during the pre-authentication phase sshd will
 chroot(2) to "/var/empty" and change its privileges to the "sshd" user
 and its primary group.  sshd is a pseudo-account that should not be
@@ -35,9 +31,6 @@ privsep user and chroot directory:
   --with-privsep-path=xxx Path for privilege separation chroot
   --with-privsep-user=user Specify non-privileged user for privilege separation
 
-Privsep requires operating system support for file descriptor passing.
-Compression will be disabled on systems without a working mmap MAP_ANON.
-
 PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, 
 HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
 
@@ -59,5 +52,3 @@ Given the following process listing (from HP-UX):
 process 1005 is the sshd process listening for new connections.
 process 6917 is the privileged monitor process, 6919 is the user owned
 sshd process and 6921 is the shell process.
-
-$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $

TODO

@@ -69,10 +69,6 @@ Packaging:
   ([email protected])
 
 PrivSep Issues:
-- mmap() issues.
-  + /dev/zero solution (Solaris)
-  + No/broken MAP_ANON (Irix)
-  + broken /dev/zero parse (Linux)
 - PAM
   + See above PAM notes
 - AIX
@@ -82,5 +78,3 @@ PrivSep Issues:
   + SIA is broken
 - Cygwin
   + Privsep for Pre-auth only (no fd passing)
-
-$Id: TODO,v 1.58 2004/12/06 11:40:11 dtucker Exp $

aclocal.m4

@@ -1,5 +1,3 @@
-dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
-dnl
 dnl OpenSSH-specific autoconf macros
 dnl
 
@@ -59,7 +57,8 @@ int main(int argc, char **argv) {
 	float l = i * 2.1;
 	double m = l / 0.5;
 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
-	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+	long long int p = n * o;
+	printf("%d %d %d %f %f %lld %lld %lld\n", i, j, k, l, m, n, o, p);
 	exit(0);
 }
 	]])],
@@ -96,7 +95,8 @@ int main(int argc, char **argv) {
 	float l = i * 2.1;
 	double m = l / 0.5;
 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
-	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+	long long p = n * o;
+	printf("%d %d %d %f %f %lld %lld %lld\n", i, j, k, l, m, n, o, p);
 	exit(0);
 }
 		]])],

addrmatch.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: addrmatch.c,v 1.10 2015/07/08 19:04:21 markus Exp $ */
+/*	$OpenBSD: addrmatch.c,v 1.13 2016/09/21 16:55:42 djm Exp $ */
 
 /*
  * Copyright (c) 2004-2008 Damien Miller <[email protected]>
@@ -398,8 +398,8 @@ addr_match_list(const char *addr, const char *_list)
 		/* Prefer CIDR address matching */
 		r = addr_pton_cidr(cp, &match_addr, &masklen);
 		if (r == -2) {
-			error("Inconsistent mask length for "
-			    "network \"%.100s\"", cp);
+			debug2("%s: inconsistent mask length for "
+			    "match network \"%.100s\"", __func__, cp);
 			ret = -2;
 			break;
 		} else if (r == 0) {

appveyor.yml

@@ -4,6 +4,7 @@ image: Visual Studio 2015
 branches:
   only:
     - V_7_3w
+    - latestw_cwb
 
 init:
   - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))

atomicio.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */
+/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -107,12 +107,12 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
 	struct iovec iov_array[IOV_MAX], *iov = iov_array;
 	struct pollfd pfd;
 
-	if (iovcnt > IOV_MAX) {
+	if (iovcnt < 0 || iovcnt > IOV_MAX) {
 		errno = EINVAL;
 		return 0;
 	}
 	/* Make a copy of the iov array because we may modify it below */
-	memcpy(iov, _iov, iovcnt * sizeof(*_iov));
+	memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov));
 
 #ifndef BROKEN_READV_COMPARISON
 	pfd.fd = fd;

audit-bsm.c

@@ -1,5 +1,3 @@
-/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
-
 /*
  * TODO
  *

audit-linux.c

@@ -1,5 +1,3 @@
-/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */
-
 /*
  * Copyright 2010 Red Hat, Inc.  All rights reserved.
  * Use is subject to license terms.