81f1620c83
upstream: correct local variable name; from yawang AT microsoft.com
...
OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
2018-11-16 13:51:12 +11:00
1293740e80
upstream: Import new moduli.
...
OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
2018-11-16 13:51:12 +11:00
46925ae28e
upstream: mention ssh-ed25519-cert-v01@openssh.com in list of cert
...
key type at start of doc
OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
2018-11-16 13:50:32 +11:00
8d8340e2c2
Remove fallback check for /usr/local/ssl.
...
If configure could not find a working OpenSSL installation it would
fall back to checking in /usr/local/ssl. This made sense back when
systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't
use that as a default any more. The fallback behaviour also meant
that if you pointed --with-ssl-dir at a specific directory and it
didn't work, it would silently use either the system libs or the ones
in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to
pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
2018-11-16 13:32:13 +11:00
ce93472134
Fix check for OpenSSL 1.0.1 exactly.
...
Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix
compile-time check for 1.0.1 to match.
2018-11-16 12:44:01 +11:00
f2970868f8
Improve warnings in cygwin service setup.
...
bz#2922, patch from vinschen at redhat.com.
2018-11-11 15:58:20 +11:00
bd2d54fc1e
Remove hardcoded service name in cygwin setup.
...
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
by vinschen at redhat.com.
2018-11-11 15:54:54 +11:00
d0153c77bf
AC_CHECK_SIZEOF() no longer needs a second argument.
2018-11-10 19:45:14 +11:00
9b47b083ca
Fix error message w/out nistp521.
...
Correct error message when OpenSSL doesn't support certain ECDSA key
lengths.
2018-11-10 19:17:55 +11:00
624d19ac2d
fix compilation with openssl built without ECC
...
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
guarded by OPENSSL_HAS_ECC
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-11-09 14:19:24 +11:00
1801cd11d9
Simplify OpenSSL 1.1 function checks.
...
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single
AC_CHECK_FUNCS. ok djm@
2018-11-08 15:03:11 +11:00
bc32f118d4
Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
...
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2018-11-05 17:31:24 +11:00
3719df60c6
Import new moduli.
2018-10-31 22:21:03 +11:00
595605d4ab
Update check for minimum OpenSSL version.
2018-10-28 15:18:13 +11:00
6ab75aba34
Update required OpenSSL versions to match current.
2018-10-28 15:16:31 +11:00
c801b0e38e
Use detected version functions in openssl compat.
...
Use detected functions in compat layer instead of guessing based on
versions. Really fixes builds with LibreSSL, not just configure.
2018-10-28 14:34:12 +11:00
262d81a259
Check for the existence of openssl version funcs.
...
Check for the existence of openssl version functions and use the ones
detected instead of trying to guess based on the int32 version
identifier. Fixes builds with LibreSSL.
2018-10-27 16:45:59 +11:00
406a24b25d
fix builds on OpenSSL <= 1.0.x
...
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API
to obtain version number, but they don't.
2018-10-26 13:43:28 +11:00
859754bdeb
remove remaining references to SSLeay
...
Prompted by Rosen Penev
2018-10-23 17:10:41 +11:00
b9fea45a68
regen depend
2018-10-23 17:10:35 +11:00
a65784c9f9
upstream: refer to OpenSSL not SSLeay;
...
we're old, but we don't have to act it
OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
2018-10-23 16:57:54 +11:00
c0a3526590
fix compile for openssl 1.0.x w/ --with-ssl-engine
...
bz#2921, patch from cotequeiroz
2018-10-23 16:19:56 +11:00
31b4952516
Include openssl compatibility.
...
Patch from rosenp at gmail.com via openssh-unix-dev.
2018-10-22 20:05:18 +11:00
a4fc253f5f
upstream: when printing certificate contents "ssh-keygen -Lf
...
/path/certificate", include the algorithm that the CA used to sign the cert.
OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
2018-10-22 10:58:06 +11:00
83b3d99d2b
upstream: struct sockaddr_storage is guaranteed to be large enough,
...
no need to check the size. OK kn, deraadt
OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
2018-10-22 10:58:06 +11:00
aede1c3424
Require OpenSSL 1.1.x series 1.1.0g or greater
...
Previous versions have a bug with EVP_CipherInit() when passed a
NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613
ok dtucker@
2018-10-17 11:01:20 +11:00
08300c2114
unbreak compilation with --with-ssl-engine
...
Missing last argument to OPENSSL_init_crypto()
2018-10-17 08:12:02 +11:00
1673274aee
Remove gcc spectre mitigation flags.
...
Current impementions of the gcc spectre mitigation flags cause
miscompilations when combined with other flags and do not provide much
protection. Found by fweimer at redhat.com, ok djm@
2018-10-16 14:45:57 +11:00
4e23deefd7
Avoid deprecated OPENSSL_config when using 1.1.x
...
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of
OPENSSL_init_crypto; pointed out by Jakub Jelen
2018-10-16 10:54:37 +11:00
797cdd9c84
Don't avoid our *sprintf replacements.
...
Don't let systems with broken printf(3) avoid our replacements
via asprintf(3)/vasprintf(3) calling libc internally. From djm@
2018-10-12 16:58:47 +11:00
e526127cbd
Check if snprintf understands %zu.
...
If the platforms snprintf and friends don't understand %zu, use the
compat replacement. Prevents segfaults on those platforms.
2018-10-12 16:43:35 +11:00
cf39f87519
remove stale link, tweak
2018-10-12 09:48:05 +11:00
a7205e68de
update version numbers ahead of release
2018-10-12 09:47:20 +11:00
1a4a9cf80f
upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names to
...
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker
OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
2018-10-12 09:43:30 +11:00
dc8ddcdf1a
update depends
2018-10-11 13:08:59 +11:00
26841ac265
some more duplicated key algorithm lines
...
From Adam Eijdenberg
2018-10-11 13:02:11 +11:00
5d9d17603b
fix duplicated algorithm specification lines
...
Spotted by Adam Eijdenberg
2018-10-11 11:56:36 +11:00
ebfafd9c7a
upstream: typo in plain RSA algorithm counterpart names for
...
certificates; spotted by Adam Eijdenberg; ok dtucker@
OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11 11:55:57 +11:00
c29b111e7d
check pw_passwd != NULL here too
...
Again, for systems with broken NIS implementations.
Prompted by coolbugcheckers AT gmail.com
2018-10-11 11:29:35 +11:00
fe8e8f349a
check for NULL return from shadow_pw()
...
probably unreachable on this platform; pointed out by
coolbugcheckers AT gmail.com
2018-10-11 11:03:54 +11:00
acc59cbe7a
upstream: introducing openssh 7.9
...
OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25
2018-10-11 11:03:53 +11:00
12731158c7
supply callback to PEM_read_bio_PrivateKey
...
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs,
so that empty passphrases are interpreted differently. This
probabalistically breaks loading some keys, because the PEM format
is terrible and doesn't include a proper MAC.
Avoid this by providing a basic callback to avoid passing empty
passphrases to OpenSSL in cases where one is required.
Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-11 10:29:29 +11:00
d1d301a1dd
in pick_salt() avoid dereference of NULL passwords
...
Apparently some NIS implementations can leave pw->pw_passwd (or the
shadow equivalent) NULL.
bz#2909; based on patch from Todd Eigenschink
2018-10-10 14:57:00 +11:00
edbb6febcc
upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrase
...
is specified as "incorrect passphrase" instead of trying to choose between
that and "invalid format".
libcrypto can return ASN1 parsing errors rather than the expected
decrypt error in certain infrequent cases when trying to decrypt/parse
PEM private keys when supplied with an invalid passphrase.
Report and repro recipe from Thomas Deutschmann in bz#2901
ok markus@
OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-10-09 16:45:45 +11:00
2581333d56
upstream: Support using service names for port numbers.
...
* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_config handle its argument as a
port rather than a plain integer.
ok dtucker@ deraadt@
OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
2018-10-07 14:58:24 +11:00
e0d6501e86
upstream: when the peer sends a channel-close message, make sure we
...
close the local extended read fd (stderr) along with the regular read fd
(stdout). Avoids weird stuck processed in multiplexing mode.
Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863
ok dtucker@ markus@
OpenBSD-Commit-ID: a48a2467fe938de4de69d2e7193d5fa701f12ae9
2018-10-04 17:50:22 +10:00
6f1aabb128
upstream: factor out channel status formatting from
...
channel_open_message() so we can use it in other debug messages
OpenBSD-Commit-ID: 9c3903ca28fcabad57f566c9d0045b41ab7d52ba
2018-10-04 17:50:22 +10:00
f1dd179e12
upstream: include a little more information about the status and
...
disposition of channel's extended (stderr) fd; makes debugging some things a
bit easier. No behaviour change.
OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
2018-10-04 10:44:49 +10:00
2d1428b11c
upstream: explicit_bzero here to be consistent with other kex*.c;
...
report from coolbugcheckers AT gmail.com
OpenBSD-Commit-ID: a90f146c5b5f5b1408700395e394f70b440856cb
2018-10-04 10:42:34 +10:00
5eff5b858e
upstream: Allow ssh_config IdentityAgent directive to accept
...
environment variable names as well as explicit paths. ok dtucker@
OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
2018-10-03 16:39:58 +10:00
djm@openbsd.org
dtucker@openbsd.org
Darren Tucker
Dag-Erling Smørgrav
Manoj Ampalam
Eneas U de Queiroz
Damien Miller
florian@openbsd.org
deraadt@openbsd.org
naddy@openbsd.org