Commit Graph

1234 Commits

Author SHA1 Message Date
Ed Maste
9faa27f263 ssh: update FREEBSD-upgrade for upstream CheckHostIP default change
We changed the CheckHostIP default to "no" years ago.  Upstream has now
made the same change, so do not list it as a local change any longer.

I did not just remove the "Modified client-side defaults" section to
avoid having to renumber everything, and we may add a new local change
in the future.

Sponsored by:	The FreeBSD Foundation
2023-03-29 19:32:44 -04:00
Ed Maste
c888b3b228 sftp: add description of memory leak fix 2023-03-22 11:04:29 -04:00
Ed Maste
69c72a57af sftp: avoid leaking path arg in calls to make_absolute_pwd_glob
As Coverity reports:
    Overwriting tmp in tmp = make_absolute_pwd_glob(tmp, remote_path)
    leaks the storage that tmp points to.

Consume the first arg in make_absolute_pwd_glob, and add xstrdup() to
the one case which did not assign to the same variable that was passed
in. With this change make_absolute() and make_absolute_pwd_glob() have
the same semantics with respect to freeing the input string.

This change was reported to OpenSSH in
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-November/040497.html
but was not acted on. It appears that OpenBSD subsequently received a
Coverity report for the same issue (their Coverity ID 405196) but fixed
only the specific instance reported by Coverity.

This change reverts OpenBSD's sftp.c 1.228 / OpenSSH-portable
commit 36c6c3eff5e4.

Reported by:	Coverity Scan
CID:		1500409
Reviewed by:	markj
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D37253
2023-03-22 10:54:35 -04:00
Kornel Dulęba
19a4869d66 OpenSSL: aes/asm/bsaes-armv7.pl: Replace adrl with add
"adrl" is a pseudo-instruction used to calculate an address relative
to PC. It's not recognized by clang resulting in a compilation error.
I've stumbled upon it when trying to integrate the bsaes-armv7 assmebly
logic into FreeBSD kernel, which uses clang as it's default compiler.
Note that this affect the build only if BSAES_ASM_EXTENDED_KEY is
defined, which is not the default option in OpenSSL.

The solution here is to replace it with an add instruction.
This mimics what has already been done in !BSAES_ASM_EXTENDED_KEY logic.
Because of that I've marked this as trivial CLA.

No objections from: jkim
Obtained from: OpenSSL commit 27093ba73372935fe4ef91d0a45ce6ea90a1ac8e
Differential Revision:	https://reviews.freebsd.org/D39091
2023-03-21 20:04:04 +01:00
Ed Maste
4d3fc8b057 ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes.  Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

Sponsored by:	The FreeBSD Foundation
2023-03-16 10:29:55 -04:00
Ed Maste
6834ca8a43 ssh: update FREEBSD-upgrade instructions
Make it clear that the 'freebsd-configure.sh' and 'freebsd-namespace.sh'
scripts are run from the crypto/openssh directory.

Sponsored by:	The FreeBSD Foundation
2023-03-15 13:37:49 -04:00
Ed Maste
19aba210e1 ssh: fix leak and apply style(9) to hostname canonicalization
Fixes:		bf2e2524a2 ("ssh: canonicize the host name before...")
Fixes:		3e74849a1e ("ssh: canonicize the host name before...")
Reviewed by:	rew
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38441
2023-03-14 13:16:57 -04:00
Cy Schubert
5abaf08664 heimdal: Fix CVE-2022-4152, signature validation error
When CVE-2022-3437 was fixed by changing memcmp to be a constant
time and the workaround for th e compiler was to add "!=0". However
the logic implmented was inverted resulting in CVE-2022-4152.

Reported by:	Timothy E Zingelman <zingelman _AT_ fnal.gov>
MFC after:	1 day
Security:	CVE-2022-4152
Security:	https://www.cve.org/CVERecord?id=CVE-2022-45142
Security:	https://nvd.nist.gov/vuln/detail/CVE-2022-45142
Security:	https://security-tracker.debian.org/tracker/CVE-2022-45142
Security:	https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142
Security:	https://bugzilla.samba.org/show_bug.cgi?id=15296
Security:	https://www.openwall.com/lists/oss-security/2023/02/08/1
2023-03-09 17:18:49 -08:00
Ed Maste
41ff5ea22c ssh: default VerifyHostKeyDNS to no, following upstream
Revert to upstream's default.  Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.

This reverts commit 83c6a5242c.

Reported by:	David Leadbeater, G-Research
Reviewed by:	gordon
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38648
2023-03-01 09:19:07 -05:00
Ed Maste
1aa9a35f63 ssh: fix SIZEOF_TIME_T #define on i386
Reported by:	imp
Reviewed by:	imp
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38443
2023-02-08 18:34:09 -05:00
Cy Schubert
6a70e0b4cd heimdal: Resolve hdb_free_entry() SIGSEGV/SIGILL
When the client sends kadmind a create principal (kadm_create) request
kadm_s_create_principal() returns an error before zeroing out ent (an
hdb entry structure wrapper -- hdb_entry_ex), resulting in a NULL
reference.

Fix obtained from upstream commit 35ea4955a.

PR:		268059
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Obtained from:	Heimdal commit 35ea4955a
MFC after:	3 days
2023-02-08 15:08:54 -08:00
Ed Maste
232b4f33b4 ssh: add information on hostname canonicalization patch
We introduced hostname canonicalization in 2002, while upstream OpenSSH
added similar support in 2014.

It would be good to review our handling of CNAMEs in hostname
canonicalization.

Sponsored by:	The FreeBSD Foundation
2023-02-07 15:34:11 -05:00
Jung-uk Kim
640242a591 OpenSSL: Merge OpenSSL 1.1.1t
Merge commit '0d51f658515c605fcc4a8073cb5a8e0d7d904088'
2023-02-07 13:51:38 -05:00
Jung-uk Kim
0d51f65851 Import OpenSSL 1.1.1t 2023-02-07 12:05:11 -05:00
Ed Maste
77934b7a13 ssh: default X11Forwarding to no, following upstream
Administrators can enable it if required.

Reviewed by:	bz, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D37411
2023-02-06 18:41:10 -05:00
Ed Maste
f374ba41f5 ssh: update to OpenSSH 9.2p1
Release notes are available at https://www.openssh.com/txt/release-9.2

OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem.  The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.

Some other notable items from the release notes:

 * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
   controls whether the client-side ~C escape sequence that provides a
   command-line is available. Among other things, the ~C command-line
   could be used to add additional port-forwards at runtime.

 * sshd(8): add support for channel inactivity timeouts via a new
   sshd_config(5) ChannelTimeout directive. This allows channels that
   have not seen traffic in a configurable interval to be
   automatically closed. Different timeouts may be applied to session,
   X11, agent and TCP forwarding channels.

 * sshd(8): add a sshd_config UnusedConnectionTimeout option to
   terminate client connections that have no open channels for a
   length of time. This complements the ChannelTimeout option above.
    
 * sshd(8): add a -V (version) option to sshd like the ssh client has.

 * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
   allow control over some SFTP protocol parameters: the copy buffer
   length and the number of in-flight requests, both of which are used
   during upload/download. Previously these could be controlled in
   sftp(1) only. This makes them available in both SFTP protocol
   clients using the same option character sequence.
    
 * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
   e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
   it will be expanded to all possible addresses in the range
   including the all-0s and all-1s addresses. bz#976

 * ssh(1): support dynamic remote port forwarding in escape
   command-line's -R processing. bz#3499

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2023-02-06 16:54:56 -05:00
Ed Maste
2e82822057 ssh: Be more paranoid with host/domain names coming from the
never write a name with bad characters to a known_hosts file.

replace recently-added valid_domain() check for hostnames going to
known_hosts with a more relaxed check for bad characters.

Obtained from:	OpenSSH-portable commit 445363433ba2
Obtained from:	OpenSSH-portable commit 3cae9f92a318
Sponsored by:	The FreeBSD Foundation
2023-02-06 12:06:26 -05:00
Ed Maste
94e21add45 ssh: fix bug in PermitRemoteOpen which caused it to ignore...
its first argument unless it was one of the special keywords "any" or
"none".

Obtained from:	OpenSSH-portable commit b3daa8dc5823
Sponsored by:	The FreeBSD Foundation
2023-02-06 11:33:38 -05:00
Ed Maste
fe1371e8f3 ssh: fix double-free caused by compat_kex_proposal()
Security:	CVE-2023-25136
Obtained from:	OpenSSH-portable commit 12da78233364
Sponsored by:	The FreeBSD Foundation
2023-02-06 11:31:18 -05:00
Ed Maste
c755a7cc1e ssh: remove old reference from update instructions
ssh_config and ssh_config.5 no longer contain the VersionAddendum,
so remove instructions to update these files.

Fixes:		bffe60ead0 ("ssh: retire client VersionAddendum")
Sponsored By:	The FreeBSD Foundation
2023-02-05 13:17:46 -05:00
Ed Maste
9b7eddfeed openssh: remove mention of now-unused svn:keywords
Reported by:	gshapiro
2023-01-16 10:56:27 -05:00
Ed Maste
8974fa4515 ssh: describe two additional changes present in base system ssh
Sponsored by:	The FreeBSD Foundation
2022-12-13 09:45:56 -05:00
Ed Maste
a752e011a8 ssh: remove note about local change to [Use]PrivilegeSeparation
We documented "[Use]PrivilegeSeparation defaults to sandbox" as one of
our modifications to ssh's server-side defaults, but this is not (any
longer) a difference from upstream.

Sponsored by:	The FreeBSD Foundation
2022-12-12 17:07:27 -05:00
Cy Schubert
f6d5d31cd5 heimdal: kadm5_c_get_principal() should check return code
kadm5_c_get_principal() should check the return code from
kadm5_ret_principal_ent(). As it doesn't it assumes success when
there is none and can lead to potential vulnerability. Fix this.

Reported by:	rtm@csail.mit.edu
MFC after:	3 days
2022-12-09 06:09:54 -08:00
Cy Schubert
3deefb0d14 heimdal: Properly ix bus fault when zero-length request received
Zero length client requests result in a bus fault when attempting to
free malloc()ed pointers within the requests softc. Return an error
when the request is zero length.

This properly fixes PR/268062 without regressions.

PR:		268062
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
2022-12-09 06:09:54 -08:00
Cy Schubert
5319949668 Revert "heimdal: Fix bus fault when zero-length request received"
This is the wrong fix for PR/268062.

MFC after:	immediately

This reverts commit 6742ff42ab.
2022-12-09 06:09:54 -08:00
Cy Schubert
6742ff42ab heimdal: Fix bus fault when zero-length request received
Zero length client requests result in a bus fault when attempting to
free malloc()ed pointers within the requests softc. Return an error
when the request is zero length.

PR:		268062
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
2022-12-01 06:24:12 -08:00
Cy Schubert
d24b272832 heimdal: Add additional checks for bad kadmind input
Check return codes for bad input.

MFC after:	3 days
2022-12-01 06:24:12 -08:00
Cy Schubert
671f55828d heimdal: Check return code from _hdb_fetch_kvno()
A malformed principal will cause kadmind to segfault. The PR
addresses only when chpass is requested but delete is also affected.
Fix both.

PR:		268002
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
2022-11-26 18:41:52 -08:00
Cy Schubert
5040a7a9aa heimdal: Add missing iprop error checks.
Inspired by upstream 9d6dd21256f87988605fa75172be9cc92535064c.

Obtained from:	Heimdal 9d6dd21256f87988605fa75172be9cc92535064c
MFC after:	3 days
2022-11-26 18:41:52 -08:00
Cy Schubert
80999dcd5b heimdal: Add missing kadmind error checks
Inspired by:	Heimdal commmit 1b213c1082be4ef5a1c23928d614c762f837dbe7
MFC after:	3 days
2022-11-26 18:41:52 -08:00
Cy Schubert
879b0e9cd2 heimdal: Add missing kadm5 error checks
Obtained from:	Heimdal commit 4a0e01f9edabe36d0f2cab188078dd29fa5aaf02
MFC after:	3 days
2022-11-26 18:41:52 -08:00
Cy Schubert
780f663df3 heimdal: Add missing kadm5 error checks
Generally obtained from upstream 655c057769f56bd8cdb7d16e93f1e7a7cb260342.

PR:		267944, 267972
Obtained from:	Heimdal commit 655c057769f56bd8cdb7d16e93f1e7a7cb260342
MFC after:	3 days
2022-11-26 18:41:51 -08:00
Cy Schubert
e13150e28c heimdal: Fix uninitialized pointer dereference
krb5_ret_preincipal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, with garbage pointing to what would
have been the principal. This results in a segfault when free() is
called.

PR:		267944, 267972
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
2022-11-26 18:41:51 -08:00
Cy Schubert
91db848212 heimdal: Handle other types of garbage data
In addition to garbage realm data, also handle garbage dbname, acl_file,
stash_file, and invalid bitmask garbage data.

PR:		267912
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
2022-11-24 09:23:23 -08:00
Cy Schubert
05bc50bdb1 heimdal: Fix NULL dereference when mangled realm message
Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.

PR:		267912
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
2022-11-24 09:21:13 -08:00
Cy Schubert
d7e8666ffb heimdal: The version string must always contain a terminating NUL
Should the sender send a string without a terminating NUL, ensure that
the NUL terminates the string regardless.

And while at it only process the version string when bytes are returned.

PR:		267884
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D37471
2022-11-24 09:21:13 -08:00
Cy Schubert
f556a05c49 heimdal: Fix: Too large time skew, client time 1970-01-01T01:00:00
Part of ed549cb0c5 zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.

PR:		267827
Reported by:	Peter Much <pmc@citylink.dinoex.sub.org>
Tested by:	Peter Much <pmc@citylink.dinoex.sub.org>
Fixes:		ed549cb0c5
MFC after:	TBD with philip@
2022-11-17 09:29:17 -08:00
Cy Schubert
ed549cb0c5 heimdal: Fix multiple security vulnerabilities
The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate
    anyone in a realm or forest of realms.

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all extensible CHOICE types
    used in Heimdal, though not all cases will be exploitable.  We have
    not completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
    only affect Heimdal 1.6 and up.  It was first reported by Douglas
    Bagnall, though it had been found independently by the Heimdal
    maintainers via fuzzing a few weeks earlier.

    While no zero-day exploit is known, such an exploit will likely be
    available soon after public disclosure.

 - CVE-2019-14870: Validate client attributes in protocol-transition
 - CVE-2019-14870: Apply forwardable policy in protocol-transition
 - CVE-2019-14870: Always lookup impersonate client in DB

Sponsored by:	so (philip)
Obtained from:	so (philip)
Tested by:	philip, cy
MFC after:	immediately
2022-11-15 13:12:37 -08:00
Ed Maste
c72f259727 ssh: remove VersionAddendum from list of client side config changes
Fixes: bffe60ead0 ("ssh: retire client VersionAddendum")
Sponsored by:	The FreeBSD Foundation
2022-11-14 15:33:51 -05:00
Ed Maste
733bf3b108 ssh: update comment text to match upstream
Reported by:	bz
Obtained from:	OpenSSH dffa64480163
2022-11-09 11:32:47 -05:00
Ed Maste
4232f36eda sshd: sync tracing disable with upstream
Old versions of FreeBSD do not support using id 0 to refer to the
current pid for procctl, so pass getpid() explicitly.

Although this is not required in current FreeBSD branches I am merging
it to reduce differences with upstream.

Obtained from:	OpenSSH commit 0f7e1eba5525
2022-11-07 12:23:00 -05:00
Ed Maste
0657b2325d ssh: correct parse_cert_times case for hex "to" time
This appeared to be a copy-paste error from the "from" time case above.

Reported by:	Coverity Scan
CID:		1500407
Reviewed by:	markj
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D37252
2022-11-03 10:10:28 -04:00
Jung-uk Kim
cfc39718e9 OpenSSL: Merge OpenSSL 1.1.1s
Merge commit 'b6b67f23b82101d4c04c89f81d726b902ab77106'
2022-11-01 18:58:59 -04:00
Jung-uk Kim
b6b67f23b8 Import OpenSSL 1.1.1s 2022-11-01 18:43:36 -04:00
Ed Maste
38a52bd3b5 ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.

New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-path@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. YYYYMMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private keys is hosted in an agent; bz3429

MFC after:	2 weeks
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-10-19 10:27:11 -04:00
Ed Maste
fca7ac55f8 ssh: remove pre- and post-merge update steps
We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.

While here renumber the steps in the update documentation using a more
conventional scheme.

Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D36904
2022-10-12 13:54:08 -04:00
Ed Maste
a1e39f96d2 nanobsd: remove unmodified copies of ssh config files
Nanobsd included copies of ssh_config and sshd_config.  The former is
identical to the one provided by the base system, and the latter is
identical except for PermitRootLogin, which is updated by nanobsd's
cust_allow_ssh_root anyhow.  Remove nanobsd's copies and use the
existing base system ones.

Reported by:	Jose Luis Duran <jlduran@gmail.com> in D34937
Reviewed by:	Jose Luis Duran <jlduran@gmail.com>, imp
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D36933
2022-10-11 12:53:57 -04:00
Ed Maste
963c7b084b ssh-keysign: fix double free in error path
From OpenSSH-portable commit 141535b904b6, OpenBSD commit 3d21aa127b1f.

MFC after:		3 days
2022-10-04 16:34:37 -04:00
Ed Maste
666605ad2d ssh-keygen: fix double free in error path
From OpenSSH-portable commit 5062ad48814b, OpenBSD commit 39f35e16ba87.

MFC after:	3 days
2022-10-04 16:33:11 -04:00