Pinning actions/checkout, actions/upload-artifact, and
cygwin/cygwin-install-action to their full commit SHA instead of
mutable branch/tag references (main, master).
Using mutable refs means a compromised or malicious update to the
action repository could silently alter the workflow behavior.
Pinning to SHA makes the exact version immutable and auditable.
Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>
Replace sscanf %hhx (which is C99) with plain %x for better compatibility
in -portable. ok djm@
OpenBSD-Regress-ID: 4d30bb27ffdf2154f1a9f2317df18d256717b300
This was the case for some old Solaris versions, but the support for it
has long been removed from our compat layer so there's no point checking
for it.
enabled by default.
1) Add all hostkey types in the "multiple hostkeys" subtest.
Previously known_hosts was accidentally clobbered, causing
only the last added hostkey type to be used.
2) Explicitly enable the hostkey types under test via
HostKeyAlgorithms
OpenBSD-Regress-ID: 8f12d18b79b5cc8a748e187a0e95529cd85a9dcc
keys.
Includes a new unittests/crypto test that tests basic functionality
of the underlying crypto primitives against public test vectors
OpenBSD-Regress-ID: 4463b2e8adec391efa24a953f3c911b72892ca80
signature scheme that combines ML-DSA 44 and Ed25519 using the construction
specified in draft-ietf-lamps-pq-composite-sigs. There's also an early draft
documenting use of the integration of this scheme into SSH as
draft-miller-sshm-mldsa44-ed25519-composite-sigs
This scheme is not enabled by default. To use it, you'll need
to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
The ML-DSA implementation comes from libcrux. Thanks to
Jonas Schneider-Bensch and Jonathan Protzenko for their work to
make this available.
Consensus is that it's time to get this in to allow people to
experiment with it.
feedback markus@ tb@ logan@ deraadt@
OpenBSD-Commit-ID: 85f2d41e3d3374b4e8c28a45a7c92f153c4489e2
Notably picks up this commit:
revision 1.24
date: 2026/06/06 23:49:25; author: djm; state: Exp; lines: +28 -12; commitid: oznzDs0MaUT3FEqO;
rearrange scan_scaled(3) ordering of multiplications and divisions
to better preserve accuracy for large exponents. From metsw24-max
via https://github.com/openssh/openssh-portable/pull/671/
ok tb@
ed25519 verification (SSH doesn't depend on these properties) Pointed out by
Soatok Dreamseeker
Add an explicit-seed variant of the keygen function.
feedback / "looks fine" tb@
OpenBSD-Commit-ID: 2a71926bfda24628cf34a88357f44a790e338d5d
Some platforms' basic awk don't have toupper, but other awks like nawk
or gawk do. Pass the one found by configure through to the regress
tests, and make a wrapper for it so we don't need to modify any tests.
When enumerating resident keys, encountering a credential with an
unsupported COSE key type (not ES256 or EdDSA) caused the entire
enumeration to abort via goto out, discarding all valid keys.
Move the key type check before the per-credential allocation so
unsupported types can be skipped with continue instead. This
preserves all valid resident keys on the token.
Patch from Akhilesh Arora via GHPR657
OpenBSD-Commit-ID: b344a44ff97d26faf099b8e0cad72ad1e793ac0f
channels; previously we were throwing away the events we computed if the
channel had a c->sock distinct from its other read and write fds.
Fortunately, it appears that this case happens rarely, if ever.
Reported by Darafei Praliaskouski via GHPR660
OpenBSD-Commit-ID: d3f483b7919946c5649e8c697d5b927af35aac4b