[openssh-commits] [openssh] branch master updated (6eafc52a4 -> b9c318777)
git+noreply at mindrot.org
Tue Dec 30 11:37:50 AEDT 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 6eafc52a4 Update ssh-agent.1
new 55b6b1697 upstream: Add sshbuf_consume_upto_child(), to simplify particular
new ca313fef2 upstream: Enforce maximum packet/block limit during
new dd49a87bf upstream: Remove bug compatibility for implementations that don't
new b9c318777 upstream: unit tests for sshbuf_consume_upto_child()
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit b9c318777eb40db66fb92df87666c3642467d0e7
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Dec 30 00:12:58 2025 +0000

    upstream: unit tests for sshbuf_consume_upto_child()

    OpenBSD-Regress-ID: 13cbd0370ebca7c61c35346b3e0356517719a447

commit dd49a87bf4e4a219978bf20f03e2a72041f57b2f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Dec 30 00:35:37 2025 +0000

    upstream: Remove bug compatibility for implementations that don't
    support rekeying. AFAIK this is only an ancient Sun SSH version.

    If such an implementation tries to interoperate with OpenSSH, it
    will eventually fail when the transport needs rekeying.

    This is probably long enough to use it to download a modern SSH
    implementation that lacks this problem :)

    ok markus@ deraadt@

    OpenBSD-Commit-ID: 228a502fee808cf8b7caee23169eb6a1ab1c331a

commit ca313fef2deed90668fe0706da8529310092d1dd
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Dec 30 00:22:58 2025 +0000

    upstream: Enforce maximum packet/block limit during
    pre-authentication phase

    OpenSSH doesn't support rekeying before authentication completes to
    minimise pre-auth attack surface.

    Given LoginGraceTime, MaxAuthTries and strict KEX, it would be
    difficult to send enough data or packets before authentication
    completes to reach a point where rekeying is required, but we'd
    prefer it to be completely impossible.

    So this applies the default volume/packet rekeying limits to the
    pre-auth phase. If these limits are exceeded the connection will
    simply be closed.

    ok dtucker markus

    OpenBSD-Commit-ID: 70415098db739058006e4ebd1630b6bae8cc8bf6

commit 55b6b1697433eca98052f5c45281133ca793a9c8
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 29 23:52:09 2025 +0000

    upstream: Add sshbuf_consume_upto_child(), to simplify particular
    parsing patterns using parent/child buffer; ok markus@

    OpenBSD-Commit-ID: c11ed27907751f2a16c1283313e77f88617e4852

Summary of changes:
 packet.c                               | 98 ++++++++++++++++++++++++----------
 regress/unittests/sshbuf/test_sshbuf.c | 39 +++++++++++++-
 sshbuf.c                               | 22 +++++++-
 sshbuf.h                               | 20 ++++++-
 sshconnect.c                           |  8 ++-
 sshd-session.c                         |  5 +-
 6 files changed, 157 insertions(+), 35 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
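
An added example, not part of this email or of the OpenSSH source: a minimal C model of the policy described in commit ca313fef2, where the same packet/block limits are checked in both phases but exceeding them before authentication closes the connection instead of triggering a rekey. All names and limit values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and values throughout; not OpenSSH identifiers. */
enum limit_action { LIMIT_OK, LIMIT_REKEY, LIMIT_CLOSE };
struct dir_state { uint64_t packets, blocks; }; /* per direction, since last KEX */

struct conn {
    struct dir_state send, recv;
    uint64_t max_packets, max_blocks; /* constructed sample limits */
    uint32_t block_size;              /* cipher block size in bytes */
    bool authenticated;
};

/* Account for one packet of len bytes, rounding up to whole cipher blocks. */
static void account(struct dir_state *d, uint32_t block_size, uint32_t len)
{
    d->packets++;
    d->blocks += ((uint64_t)len + block_size - 1) / block_size;
}

static bool over(const struct dir_state *d, const struct conn *c)
{
    return d->packets > c->max_packets || d->blocks > c->max_blocks;
}

/* Same limits in both phases; only the reaction differs. */
static enum limit_action check_limits(const struct conn *c)
{
    if (!over(&c->send, c) && !over(&c->recv, c))
        return LIMIT_OK;
    return c->authenticated ? LIMIT_REKEY : LIMIT_CLOSE;
}

/* Feed n received packets of len bytes and report the resulting action. */
static enum limit_action feed(struct conn *c, uint64_t n, uint32_t len)
{
    for (uint64_t i = 0; i < n; i++)
        account(&c->recv, c->block_size, len);
    return check_limits(c);
}

int main(void)
{
    struct conn pre = { .max_packets = 1000, .max_blocks = 4096, .block_size = 16 };
    printf("%d\n", feed(&pre, 100, 64));  /* 100 packets, 400 blocks: within limits */
    printf("%d\n", feed(&pre, 1000, 64)); /* 1100 packets, 4400 blocks: pre-auth close */
    return 0;
}
```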