upstream: use the new variant log macros instead of prepending

__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8

upstream: There are lots of place where we want to redirect stdin,

stdout and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of w

upstream: There are lots of place where we want to redirect stdin,

stdout and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these to redirect.
ok markus@

OpenBSD-Commit-ID: 3033ba5a4c47cacfd5def020d42cabc52fad3099

show more ...

upstream: handle EINTR in waitfd() and timeout_connect() helpers;

bz#3071; ok dtucker@

OpenBSD-Commit-ID: 08fa87be50070bd8b754d9b1ebb1138d7bc9d8ee

upstream: Make dollar_expand variadic and pass a real va_list to

vdollar_percent_expand. Fixes build error on arm64 spotted by otto@.

OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a2

upstream: Make dollar_expand variadic and pass a real va_list to

vdollar_percent_expand. Fixes build error on arm64 spotted by otto@.

OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a20f3d068a7279

show more ...

upstream: Pass a NULL instead of zeroed out va_list from

dollar_expand. The original intent was in case there's some platform where
va_list is not a pointer equivalent, but on i386 this

upstream: Pass a NULL instead of zeroed out va_list from

dollar_expand. The original intent was in case there's some platform where
va_list is not a pointer equivalent, but on i386 this chokes on the memset.
This unbreaks that build, but will require further consideration.

OpenBSD-Commit-ID: 7b90afcd8e1137a1d863204060052aef415baaf7

show more ...

upstream: Allow some keywords to expand shell-style ${ENV}

environment variables on the client side. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityF

upstream: Allow some keywords to expand shell-style ${ENV}

environment variables on the client side. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket paths. This
would for example allow forwarding of Unix domain socket paths that change at
runtime. bz#3140, ok djm@

OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa

show more ...

upstream: Fix multiplier in convtime when handling seconds after

other units. bz#3171, spotted by ronf at timeheart.net, ok djm@.

OpenBSD-Commit-ID: 95b7a848e1083974a65fbb6ccb381d43

upstream: Fix multiplier in convtime when handling seconds after

other units. bz#3171, spotted by ronf at timeheart.net, ok djm@.

OpenBSD-Commit-ID: 95b7a848e1083974a65fbb6ccb381d438e1dd5be

show more ...

upstream: add fmt_timeframe() (from bgpd) to format a time

interval in a human- friendly format. Switch copyright for this file from BSD
to MIT to make it easier to add Henning's copyrig

upstream: add fmt_timeframe() (from bgpd) to format a time

interval in a human- friendly format. Switch copyright for this file from BSD
to MIT to make it easier to add Henning's copyright for this function. ok
markus@

OpenBSD-Commit-ID: 414a831c662df7e68893e5233e86f2cac081ccf9

show more ...

See if SA_RESTART signals will interrupt select().

On some platforms (at least older HP-UXes such as 11.11, possibly others)
setting SA_RESTART on signal handers will cause it to not int

See if SA_RESTART signals will interrupt select().

On some platforms (at least older HP-UXes such as 11.11, possibly others)
setting SA_RESTART on signal handers will cause it to not interrupt
select(), at least for calls that do not specify a timeout. Try to
detect this and if found, don't use SA_RESTART.

POSIX says "If SA_RESTART has been set for the interrupting signal, it
is implementation-dependent whether select() restarts or returns with
[EINTR]" so this behaviour is within spec.

show more ...

upstream: We've standardized on memset over bzero, replace a couple

that had slipped in. ok deraadt markus djm.

OpenBSD-Commit-ID: f5be055554ee93e6cc66b0053b590bef3728dbd6

upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,

based on patch by veegish AT cyberstorm.mu

OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425

upstream: add xextendf() to extend a string with a format

(reallocating as necessary). ok aja@ as part of a larger diff

OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTA

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519

show more ...

upstream: Wait for FD to be readable or writeable during a nonblocking

connect, not just readable. Prevents a timeout when the server doesn't
immediately send a banner (eg multiplexers

upstream: Wait for FD to be readable or writeable during a nonblocking

connect, not just readable. Prevents a timeout when the server doesn't
immediately send a banner (eg multiplexers like sslh) but is also slightly
quicker for other connections since, unlike ssh1, ssh2 doesn't specify
that the client should parse the server banner before sending its own.
Patch from mnissler@chromium.org, ok djm@

OpenBSD-Commit-ID: aba9cd8480d1d9dd31d0ca0422ea155c26c5df1d

show more ...

Wrap poll.h includes in HAVE_POLL_H.

upstream: move authorized_keys option parsing helpsers to misc.c

and make them public; ok markus@

OpenBSD-Commit-ID: c18bcb2a687227b3478377c981c2d56af2638ea2

upstream: move skip_space() to misc.c and make it public; ok

markus@

OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae

upstream: switch percent_expand() to use sshbuf instead of a limited

fixed buffer; ok markus@

OpenBSD-Commit-ID: 3f9ef20bca5ef5058b48c1cac67c53b9a1d15711

upstream: When system calls indicate an error they return -1, not

some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this be

upstream: When system calls indicate an error they return -1, not

some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075

show more ...

upstream: Some asprintf() calls were checked < 0, rather than the

precise == -1. ok millert nicm tb, etc

OpenBSD-Commit-ID: caecf8f57938685c04f125515b9f2806ad408d53

upstream: Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are establised

upstream: Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are establised standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@

OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7

show more ...

upstream: move client/server SSH-* banners to buffers under

ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be mor

upstream: move client/server SSH-* banners to buffers under

ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b

show more ...

upstream: Fix calculation of initial bandwidth limits. Account for

written bytes before the initial timer check so that the first buffer written
is accounted. Set the threshold after wh

upstream: Fix calculation of initial bandwidth limits. Account for

written bytes before the initial timer check so that the first buffer written
is accounted. Set the threshold after which the timer is checked such that
the limit starts being computed as soon as possible, ie after the second
buffer is written. This prevents an initial burst of traffic and provides a
more accurate bandwidth limit. bz#2927, ok djm.

OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6

show more ...

upstream: use path_absolute() for pathname checks; from Manoj Ampalam

OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925

upstream: Support using service names for port numbers.

* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_co

upstream: Support using service names for port numbers.

* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_config handle its argument as a
port rather than a plain integer.

ok dtucker@ deraadt@

OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d

show more ...