markus@openbsd.org
0097565f84
upstream commit
missing error assignment on sshbuf_put_string()
2015-01-13 19:26:12 +11:00
djm@openbsd.org
a7f49dcb52
upstream commit
apparently memcpy(x, NULL, 0) is undefined behaviour
according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls
when length==0; ok markus@
2015-01-13 19:25:52 +11:00
markus@openbsd.org
905fe30fca
upstream commit
free->sshkey_free; ok djm@
2015-01-13 19:25:52 +11:00
markus@openbsd.org
f067cca2bc
upstream commit
allow WITH_OPENSSL w/o WITH_SSH1; ok djm@
2015-01-13 19:25:08 +11:00
djm@openbsd.org
c4bfafcc2a
upstream commit
adjust for sshkey_load_file() API change
2015-01-09 00:46:04 +11:00
djm@openbsd.org
e752c6d547
upstream commit
fix ssh_config FingerprintHash evaluation order; from Petr
Lautrbach
2015-01-09 00:45:50 +11:00
djm@openbsd.org
ab24ab847b
upstream commit
reorder hostbased key attempts to better match the
default hostkey algorithms order in myproposal.h; ok markus@
2015-01-09 00:20:25 +11:00
djm@openbsd.org
1195f4cb07
upstream commit
deprecate key_load_private_pem() and
sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
not require pathnames to be specified (they weren't really used).
Fixes a few other things en passant:
Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).
Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.
ok markus@
2015-01-09 00:17:12 +11:00
tedu@openbsd.org
febbe09e4e
upstream commit
workaround for the Meyer, et al, Bleichenbacher Side
Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm
markus
2015-01-09 00:13:35 +11:00
djm@openbsd.org
5191df927d
upstream commit
KNF and add a little more debug()
2015-01-09 00:13:35 +11:00
jmc@openbsd.org
8abd80315d
upstream commit
add fingerprinthash to the options list;
2015-01-09 00:13:35 +11:00
jmc@openbsd.org
296ef0560f
upstream commit
tweak previous;
2015-01-09 00:13:34 +11:00
Damien Miller
462082eacb
avoid uninitialised free of ldns_res
If an invalid rdclass was passed to getrrsetbyname() then
this would execute a free on an uninitialised pointer.
OpenSSH only ever calls this with a fixed and valid rdclass.
Reported by Joshua Rogers
2014-12-30 08:16:11 +11:00
Damien Miller
01b6349880
pull updated OpenBSD BCrypt PBKDF implementation
Includes fix for 1 byte output overflow for large key length
requests (not reachable in OpenSSH).
Pointed out by Joshua Rogers
2014-12-29 18:10:18 +11:00
Damien Miller
c528c1b4af
fix variable name for IPv6 case in construct_utmpx
patch from writeonce AT midipix.org via bz#2296
2014-12-23 15:26:13 +11:00
Damien Miller
293cac52dc
include and use OpenBSD netcat in regress/
2014-12-23 08:38:12 +11:00
djm@openbsd.org
8f6784f0cb
upstream commit
mention ssh -Q feature to list supported { MAC, cipher,
KEX, key } algorithms in more places and include the query string used to
list the relevant information; bz#2288
2014-12-22 20:05:41 +11:00
jmc@openbsd.org
449e11b4d7
upstream commit
tweak previous;
2014-12-22 20:05:40 +11:00
djm@openbsd.org
4bea0ab329
upstream commit
regression test for multiple required pubkey authentication;
ok markus@
2014-12-22 19:13:38 +11:00
djm@openbsd.org
f1c4d8ec52
upstream commit
correct description of what will happen when an
AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd
will refuse to start)
2014-12-22 19:08:12 +11:00
djm@openbsd.org
161cf419f4
upstream commit
make internal handling of filename arguments of "none"
more consistent with ssh. "none" arguments are now replaced with NULL when
the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@
2014-12-22 19:08:12 +11:00
djm@openbsd.org
f69b69b862
upstream commit
remember which public keys have been used for
authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.
ok markus@
2014-12-22 19:06:52 +11:00
djm@openbsd.org
46ac2ed467
upstream commit
fix passing of wildcard forward bind addresses when
connection multiplexing is in use; patch from Sami Hartikainen via bz#2324;
ok dtucker@
2014-12-22 19:06:27 +11:00
djm@openbsd.org
0d1b241a26
upstream commit
make this slightly easier to diff against portable
2014-12-22 17:21:51 +11:00
Damien Miller
0715bcdddb
add missing regress output file
2014-12-22 13:47:07 +11:00
djm@openbsd.org
1e30483c8a
upstream commit
adjust for new SHA256 key fingerprints and
slightly-different MD5 hex fingerprint format
2014-12-22 13:21:07 +11:00
djm@openbsd.org
6b40567ed7
upstream commit
poll changes to netcat (usr.bin/netcat.c r1.125) broke
this test; fix it by ensuring more stdio fds are sent to devnull
2014-12-22 13:18:41 +11:00
jmc@openbsd.org
a5375ccb97
upstream commit
tweak previous;
2014-12-22 13:16:58 +11:00
djm@openbsd.org
b79efde5c3
upstream commit
document FingerprintHash here too
2014-12-22 13:16:57 +11:00
Damien Miller
d16bdd8027
missing include for base64 encoding
2014-12-22 10:18:09 +11:00
djm@openbsd.org
56d1c83cdd
upstream commit
Add FingerprintHash option to control algorithm used for
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
base64.
Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
djm@openbsd.org
058f839fe1
upstream commit
don't count partial authentication success as a failure
against MaxAuthTries; ok deraadt@
2014-12-22 09:31:19 +11:00
djm@openbsd.org
c7219f4f54
upstream commit
revert chunk I didn't mean to commit yet; via jmc@
2014-12-18 11:46:15 +11:00
Damien Miller
7de5991aa3
upstream libc change
revision 1.2
date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV;
avoid left shift overflow in reallocarray.
Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting
1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with
(size_t)1 so that we get the correct constant size for the platform.
discussed with tedu@ & deraadt@
2014-12-18 11:44:06 +11:00
Damien Miller
2048f85a5e
include CFLAGS in gnome askpass targets
from Fedora
2014-12-18 10:15:49 +11:00
djm@openbsd.org
48b68ce19c
upstream commit
explicitly include sys/param.h in files that use the
howmany() macro; from portable
2014-12-11 19:20:29 +11:00
djm@openbsd.org
d663bea30a
upstream commit
mention AuthorizedKeysCommandUser must be set for
AuthorizedKeysCommand to be run; bz#2287
2014-12-11 19:17:25 +11:00
djm@openbsd.org
17bf3d81e0
upstream commit
show in debug output which hostkeys are being tried when
attempting hostbased auth; patch from Iain Morgan
2014-12-11 19:17:25 +11:00
djm@openbsd.org
da0277e371
upstream commit
Make manual reflect reality: sftp-server's -d option
accepts a "%d" option, not a "%h" one.
bz#2316; reported by Kirk Wolf
2014-12-11 19:17:24 +11:00
djm@openbsd.org
4cf87f4b81
upstream commit
better error value for invalid signature length
2014-12-10 12:21:40 +11:00
Darren Tucker
4bfad14ca5
Resync more with OpenBSD's rijndael.c, in particular "#if 0"-ing out some
unused code. Should fix compile error reported by plautrba at redhat.
2014-12-10 02:12:51 +11:00
Darren Tucker
642652d280
Add reallocarray to compat library
2014-12-10 01:32:23 +11:00
djm@openbsd.org
3dfd8d93df
upstream commit
add tests for new client RevokedHostKeys option; refactor
to make it a bit more readable
2014-12-05 09:31:08 +11:00
krw@openbsd.org
a31046cad1
upstream commit
Nuke yet more obvious #include duplications.
ok deraadt@
2014-12-05 09:31:07 +11:00
djm@openbsd.org
a7c762e5b2
upstream commit
key_in_file() wrapper is no longer used
2014-12-05 09:29:48 +11:00
djm@openbsd.org
5e39a49930
upstream commit
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
2014-12-05 09:29:47 +11:00
djm@openbsd.org
74de254bb9
upstream commit
convert KRL code to new buffer API
ok markus@
2014-12-05 09:29:46 +11:00
millert@openbsd.org
db995f2eed
upstream commit
Prefer setvbuf() to setlinebuf() for portability; ok
deraadt@
2014-12-05 09:28:50 +11:00
jsg@openbsd.org
72bba3d179
upstream commit
Fix crashes in the handling of the sshd config file found
with the afl fuzzer.
ok deraadt@ djm@
2014-11-26 13:37:41 +11:00
Damien Miller
867f49c666
Avoid Cygwin ssh-host-config reading /etc/group
Patch from Corinna Vinschen
2014-11-26 13:22:41 +11:00