make struct sshbuf private and remove an unused field; ok dtucker

revert previous; it was broken (spotted by Theo)

make SSHBUF_DBG/SSHBUF_TELL (off by default and only enabled via
#define) dump to stderr rather than stdout

two defensive changes from Tobias Stoeckmann via GHPR287

enforce stricter invarient for sshbuf_set_parent() - never allow
a buffer to have a previously-set parent changed.

In sshbuf_reset(), if the reallocation fails, then zero the entire
buffer and not the (potentially smaller) default initial alloc size.

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

revert previous; it was broken (spotted by Theo)

make SSHBUF_DBG/SSHBUF_TELL (off by default and only enabled via
#define) dump to stderr rather than stdout

two defensive changes from Tobias Stoeckmann via GHPR287

enforce stricter invarient for sshbuf_set_parent() - never allow
a buffer to have a previously-set parent changed.

In sshbuf_reset(), if the reallocation fails, then zero the entire
buffer and not the (potentially smaller) default initial alloc size.

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

two defensive changes from Tobias Stoeckmann via GHPR287

enforce stricter invarient for sshbuf_set_parent() - never allow
a buffer to have a previously-set parent changed.

In sshbuf_reset(), if the reallocation fails, then zero the entire
buffer and not the (potentially smaller) default initial alloc size.

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

remove legacy buffer API emulation layer; ok djm@

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.

unconditionally zero init size of buffer; ok markus@ deraadt@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

sshbuf_consume: reset empty buffer; ok djm@

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

use explicit_bzero() more liberally in the buffer code; ok deraadt

Remove NULL-checks before sshbuf_free().

ok djm@

some more bzero->explicit_bzero, from Michael McConville

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

unblock SIGSEGV before raising it
ok djm

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.