[openssh-commits] [openssh] branch master updated (f3f56df8 -> 099cdf59)

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jul 20 00:31:31 AEST 2023 

This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master
in repository openssh.

      from  f3f56df8  agent_fuzz doesn't want stdint.h conditionalised
       new  892506b1  upstream: terminate process if requested to load a PKCS#11 provider
       new  1f2731f5  upstream: Disallow remote addition of FIDO/PKCS11 provider
       new  29ef8a04  upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
       new  099cdf59  upstream: Separate ssh-pkcs11-helpers for each p11 module

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 099cdf59ce1e72f55d421c8445bf6321b3004755
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jul 19 14:03:45 2023 +0000

    upstream: Separate ssh-pkcs11-helpers for each p11 module
    
    Make ssh-pkcs11-client start an independent helper for each provider,
    providing better isolation between modules and reliability if a single
    module misbehaves.
    
    This also implements reference counting of PKCS#11-hosted keys,
    allowing ssh-pkcs11-helper subprocesses to be automatically reaped
    when no remaining keys reference them. This fixes some bugs we have
    that make PKCS11 keys unusable after they have been deleted, e.g.
    https://bugzilla.mindrot.org/show_bug.cgi?id=3125
    
    ok markus@
    
    OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e

commit 29ef8a04866ca14688d5b7fed7b8b9deab851f77
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jul 19 14:02:27 2023 +0000

    upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
    
    This checks via nlist(3) that candidate provider libraries contain one
    of the symbols that we will require prior to dlopen(), which can cause
    a number of side effects, including execution of constructors.
    
    Feedback deraadt; ok markus
    
    OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe

commit 1f2731f5d7a8f8a8385c6031667ed29072c0d92a
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jul 19 13:56:33 2023 +0000

    upstream: Disallow remote addition of FIDO/PKCS11 provider
    
    libraries to ssh-agent by default.
    
    The old behaviour of allowing remote clients from loading providers
    can be restored using `ssh-agent -O allow-remote-pkcs11`.
    
    Detection of local/remote clients requires a ssh(1) that supports
    the `session-bind at openssh.com` extension. Forwarding access to a
    ssh-agent socket using non-OpenSSH tools may circumvent this control.
    
    ok markus@
    
    OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c

commit 892506b13654301f69f9545f48213fc210e5c5cc
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jul 19 13:55:53 2023 +0000

    upstream: terminate process if requested to load a PKCS#11 provider
    
    that isn't a PKCS#11 provider; from / ok markus@
    
    OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c

Summary of changes:
 misc.c              |  78 ++++++++++-
 misc.h              |   3 +-
 ssh-agent.1         |  26 +++-
 ssh-agent.c         |  23 +++-
 ssh-pkcs11-client.c | 378 +++++++++++++++++++++++++++++++++++++++-------------
 ssh-pkcs11.c        |  12 +-
 ssh-sk.c            |   8 +-
 7 files changed, 419 insertions(+), 109 deletions(-)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list