d8accc0aa7
- logan@cvs.openbsd.org 2014/04/21 14:36:16
...
[sftp-client.c sftp-client.h sftp.c]
Implement sftp upload resume support.
OK from djm@, with input from guenther@, mlarkin@ and
okan@
2014-05-15 13:46:25 +10:00
16cd3928a8
- logan@cvs.openbsd.org 2014/04/20 09:24:26
...
[dns.c dns.h ssh-keygen.c]
Add support for SSHFP DNS records for ED25519 key types.
OK from djm@
2014-05-15 13:45:58 +10:00
ec0b67eb3b
- (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
...
OpenBSD
2014-05-15 13:45:26 +10:00
f028460d0b
- (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
...
have it. Only attempt to use __attribute__(__bounded__) for gcc.
2014-05-01 02:24:35 +10:00
b628cc4c3e
- djm@cvs.openbsd.org 2014/04/20 02:49:32
...
[compat.c]
add a canonical 6.6 + curve25519 bignum fix fake version that I can
recommend people use ahead of the openssh-6.7 release
2014-04-20 13:33:58 +10:00
8885669139
- djm@cvs.openbsd.org 2014/04/20 02:30:25
...
[misc.c misc.h umac.c]
use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
strict-alignment architectures; reported by and ok stsp@
2014-04-20 13:33:19 +10:00
16f85cbc7e
- tedu@cvs.openbsd.org 2014/04/19 18:42:19
...
[ssh.1]
delete .xr to hosts.equiv. there's still an unfortunate amount of
documentation referring to rhosts equivalency in here.
2014-04-20 13:29:28 +10:00
69cb24b735
- tedu@cvs.openbsd.org 2014/04/19 18:15:16
...
[sshd.8]
remove some really old rsh references
2014-04-20 13:29:06 +10:00
84c1e7bca8
- tedu@cvs.openbsd.org 2014/04/19 14:53:48
...
[ssh-keysign.c sshd.c]
Delete futile calls to RAND_seed. ok djm
NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
2014-04-20 13:27:53 +10:00
0e6b67423b
- djm@cvs.openbsd.org 2014/04/19 05:54:59
...
[compat.c]
missing wildcard; pointed out by naddy@
2014-04-20 13:27:01 +10:00
9395b28223
- djm@cvs.openbsd.org 2014/04/18 23:52:25
...
[compat.c compat.h sshconnect2.c sshd.c version.h]
OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve25519-sha256@libssh.org KEX exchange method to fail
when connecting with something that implements the spec properly.
Disable this KEX method when speaking to one of the affected
versions.
reported by Aris Adamantiadis; ok markus@
2014-04-20 13:25:30 +10:00
8c492da58f
- djm@cvs.openbsd.org 2014/04/16 23:28:12
...
[ssh-agent.1]
remove the identity files from this manpage - ssh-agent doesn't deal
with them at all and the same information is duplicated in ssh-add.1
(which does deal with them); prodded by deraadt@
2014-04-20 13:25:09 +10:00
adbfdbbdcc
- djm@cvs.openbsd.org 2014/04/16 23:22:45
...
[bufaux.c]
skip leading zero bytes in buffer_put_bignum2_from_string();
reported by jan AT mojzis.com; ok markus@
2014-04-20 13:24:49 +10:00
75c62728dc
- djm@cvs.openbsd.org 2014/04/12 04:55:53
...
[sshd.c]
avoid crash at exit: check that pmonitor!=NULL before dereferencing;
bz#2225, patch from kavi AT juniper.net
2014-04-20 13:24:31 +10:00
2a328437fb
- djm@cvs.openbsd.org 2014/04/01 05:32:57
...
[packet.c]
demote a debug3 to PACKET_DEBUG; ok markus@
2014-04-20 13:24:01 +10:00
7d6a9fb660
- djm@cvs.openbsd.org 2014/04/01 03:34:10
...
[sshconnect.c]
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
certificate keys to plain keys and attempt SSHFP resolution.
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
dialog by offering only certificate keys.
Reported by mcv21 AT cam.ac.uk
2014-04-20 13:23:43 +10:00
fcd62c0b66
- djm@cvs.openbsd.org 2014/04/01 02:05:27
...
[ssh-keysign.c]
include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()
2014-04-20 13:23:21 +10:00
43b156cf72
- jmc@cvs.openbsd.org 2014/03/31 13:39:34
...
[ssh-keygen.1]
the text for the -K option was inserted in the wrong place in -r1.108;
fix From: Matthew Clarke
2014-04-20 13:23:03 +10:00
c1621c84f2
- naddy@cvs.openbsd.org 2014/03/28 05:17:11
...
[ssh_config.5 sshd_config.5]
sync available and default algorithms, improve algorithm list formatting
help from jmc@ and schwarze@, ok deraadt@
2014-04-20 13:22:46 +10:00
f2719b7c2b
- tedu@cvs.openbsd.org 2014/03/26 19:58:37
...
[sshd.8 sshd.c]
remove libwrap support. ok deraadt djm mfriedl
2014-04-20 13:22:18 +10:00
4f40209aa4
- djm@cvs.openbsd.org 2014/03/26 04:55:35
...
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
[misc.h poly1305.h ssh-pkcs11.c]
use __bounded(...) attribute recently added to sys/cdefs.h instead of
longform __attribute__(__bounded(...));
for brevity and a warning free compilation with llvm/clang
2014-04-20 13:21:22 +10:00
9235a030ad
Three commits in one (since they touch the same heavily-diverged file
...
repeatedly):
- markus@cvs.openbsd.org 2014/03/25 09:40:03
[myproposal.h]
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
(arcfour), and the broken modes (CBC) from the default configuration
(the patch only changes the default, all the modes are still available
for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
- deraadt@cvs.openbsd.org 2014/03/26 17:16:26
[myproposal.h]
The current sharing of myproposal[] between both client and server code
makes the previous diff highly unpallatable. We want to go in that
direction for the server, but not for the client. Sigh.
Brought up by naddy.
- markus@cvs.openbsd.org 2014/03/27 23:01:27
[myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 13:17:20 +10:00
6e1777f592
- tedu@cvs.openbsd.org 2014/03/19 14:42:44
...
[scp.1]
there is no need for rcp anymore
ok deraadt millert
2014-04-20 13:02:58 +10:00
f0858de6e1
- deraadt@cvs.openbsd.org 2014/03/15 17:28:26
...
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
Improve usage() and documentation towards the standard form.
In particular, this line saves a lot of man page reading time.
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
[-N new_passphrase] [-C comment] [-f output_keyfile]
ok schwarze jmc
2014-04-20 13:01:30 +10:00
94bfe0fbd6
- naddy@cvs.openbsd.org 2014/03/12 13:06:59
...
[ssh-keyscan.1]
scan for Ed25519 keys by default too
2014-04-20 13:00:51 +10:00
3819519288
- djm@cvs.openbsd.org 2014/03/12 04:51:12
...
[authfile.c]
correct test that kdf name is not "none" or "bcrypt"
2014-04-20 13:00:28 +10:00
8f9cd709c7
- djm@cvs.openbsd.org 2014/03/12 04:50:32
...
[auth-bsdauth.c ssh-keygen.c]
don't count on things that accept arguments by reference to clear
things for us on error; most things do, but it's unsafe form.
2014-04-20 13:00:11 +10:00
1c7ef4be83
- djm@cvs.openbsd.org 2014/03/12 04:44:58
...
[ssh-keyscan.c]
scan for Ed25519 keys by default too
2014-04-20 12:59:46 +10:00
c10bf4d051
- djm@cvs.openbsd.org 2014/03/03 22:22:30
...
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
Id sync only - portable already has this.
2014-04-20 12:58:04 +10:00
c2e49062fa
- (djm) Use full release (e.g. 6.5p1) in debug output rather than just
...
version. From des@des.no
2014-04-01 14:42:46 +11:00
14928b7492
- (djm) On platforms that support it, use prctl() to prevent sftp-server
...
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
2014-04-01 14:38:07 +11:00
48abc47e60
- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
...
remind myself to add sandbox violation logging via the log socket.
2014-03-17 14:45:56 +11:00
9c36698ca2
20140314
...
- (tim) [opensshd.init.in] Add support for ed25519
2014-03-14 12:45:01 -07:00
19158b2447
- (djm) Release OpenSSH 6.6
2014-03-13 13:14:21 +11:00
8569eba5d7
- djm@cvs.openbsd.org 2014/03/03 22:22:30
...
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
2014-03-04 09:35:17 +11:00
2476c31b96
- (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
...
no moduli file exists at the expected location.
2014-03-02 04:01:00 +11:00
c83fdf30e9
- (djm) [regress/host-expand.sh] Add RCS Id
2014-02-28 10:34:03 +11:00
834aeac355
- djm@cvs.openbsd.org 2014/02/27 21:21:25
...
[agent-ptrace.sh agent.sh]
keep return values that are printed in error messages;
from portable
(Id sync only)
2014-02-28 10:25:16 +11:00
4f7f1a9a0d
- djm@cvs.openbsd.org 2014/02/27 20:04:16
...
[login-timeout.sh]
remove any existing LoginGraceTime from sshd_config before adding
a specific one for the test back in
2014-02-28 10:24:11 +11:00
d705d987c2
- djm@cvs.openbsd.org 2014/01/26 10:49:17
...
[scp-ssh-wrapper.sh scp.sh]
make sure $SCP is tested on the remote end rather than whichever one
happens to be in $PATH; from portable
(Id sync only)
2014-02-28 10:23:26 +11:00
624a3ca376
- djm@cvs.openbsd.org 2014/01/26 10:22:10
...
[regress/cert-hostkey.sh]
automatically generate revoked keys from listed keys rather than
manually specifying each type; from portable
(Id sync only)
2014-02-28 10:22:37 +11:00
b843923284
- dtucker@cvs.openbsd.org 2014/01/25 04:35:32
...
[regress/Makefile regress/dhgex.sh]
Add a test for DH GEX sizes
2014-02-28 10:21:26 +11:00
1e2aa3d904
- dtucker@cvs.openbsd.org 2014/01/20 00:00:30
...
[sftp-chroot.sh]
append to rather than truncating the log file
2014-02-28 10:19:51 +11:00
f483cc16fe
- dtucker@cvs.openbsd.org 2014/01/19 23:43:02
...
[regress/sftp-chroot.sh]
Don't use -q on sftp as it suppresses logging, instead redirect the
output to the regress logfile.
2014-02-28 10:19:11 +11:00
6486f16f1c
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Crank version numbers
2014-02-28 10:03:52 +11:00
92cf5adea1
- djm@cvs.openbsd.org 2014/02/27 22:57:40
...
[version.h]
openssh-6.6
2014-02-28 10:01:53 +11:00
fc5d6759ab
- djm@cvs.openbsd.org 2014/02/27 22:47:07
...
[sshd_config.5]
bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@
2014-02-28 10:01:28 +11:00
172ec7e0af
- djm@cvs.openbsd.org 2014/02/27 08:25:09
...
[bufbn.c]
off by one in range check
2014-02-28 10:00:57 +11:00
f9a9aaba43
- djm@cvs.openbsd.org 2014/02/27 00:41:49
...
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
2014-02-28 10:00:27 +11:00
fb3423b612
- markus@cvs.openbsd.org 2014/02/26 21:53:37
...
[sshd.c]
ssh_gssapi_prepare_supported_oids needs GSSAPI
2014-02-27 10:20:07 +11:00
1348129a34
- djm@cvs.openbsd.org 2014/02/26 20:29:29
...
[channels.c]
don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
2014-02-27 10:18:32 +11:00
e6a74aeeac
- djm@cvs.openbsd.org 2014/02/26 20:28:44
...
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
2014-02-27 10:17:49 +11:00
08b57c67f3
- djm@cvs.openbsd.org 2014/02/26 20:18:37
...
[ssh.c]
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
ok dtucker@ markus@
2014-02-27 10:17:13 +11:00
13f97b2286
- djm@cvs.openbsd.org 2014/02/23 20:11:36
...
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
2014-02-24 15:57:55 +11:00
bee3a234f3
- djm@cvs.openbsd.org 2014/02/23 20:03:42
...
[ssh-ed25519.c]
check for unsigned overflow; not reachable in OpenSSH but others might
copy our code...
2014-02-24 15:57:22 +11:00
0628780abe
- djm@cvs.openbsd.org 2014/02/22 01:32:19
...
[readconf.c]
when processing Match blocks, skip 'exec' clauses if previous predicates
failed to match; ok markus@
2014-02-24 15:56:45 +11:00
0890dc8191
- djm@cvs.openbsd.org 2014/02/15 23:05:36
...
[channels.c]
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@
2014-02-24 15:56:07 +11:00
d3cf67e111
- djm@cvs.openbsd.org 2014/02/07 06:55:54
...
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
2014-02-24 15:55:36 +11:00
03ae081aea
20140221
...
- (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.
2014-02-21 09:09:34 -08:00
4a20959d2e
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
...
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
2014-02-13 16:38:32 +11:00
d1a7a9c0fd
- djm@cvs.openbsd.org 2014/02/06 22:21:01
...
[sshconnect.c]
in ssh_create_socket(), only do the getaddrinfo for BindAddress when
BindAddress is actually specified. Fixes regression in 6.5 for
UsePrivilegedPort=yes; patch from Corinna Vinschen
2014-02-07 09:24:33 +11:00
6ce35b6cc4
- naddy@cvs.openbsd.org 2014/02/05 20:13:25
...
[ssh-keygen.1 ssh-keygen.c]
tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
6434cb2cfb
- (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
...
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-02-06 11:17:50 +11:00
8d36f9ac71
- (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
...
before freeing since free(NULL) is a no-op. ok djm.
2014-02-06 10:44:13 +11:00
a0959da368
- (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
...
headers/libc but not supported by the kernel. Patch from Loganaden
Velvindron @ AfriNIC
2014-02-05 10:33:45 +11:00
9c449bc183
- (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
2014-02-04 11:38:28 +11:00
bf7e0f03be
- (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
2014-02-04 11:37:50 +11:00
eb6d870a0e
- djm@cvs.openbsd.org 2014/02/04 00:24:29
...
[ssh.c]
delay lowercasing of hostname until right before hostname
canonicalisation to unbreak case-sensitive matching of ssh_config;
reported by Ike Devolder; ok markus@
2014-02-04 11:26:34 +11:00
db3c595ea7
- djm@cvs.openbsd.org 2014/02/02 03:44:31
...
[digest-libc.c digest-openssl.c]
convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:25:45 +11:00
aae07e2e20
- djm@cvs.openbsd.org 2014/02/03 23:28:00
...
[ssh-ecdsa.c]
fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
DSA_SIG_new. Reported by Batz Spear; ok markus@
2014-02-04 11:20:40 +11:00
a5103f413b
- djm@cvs.openbsd.org 2014/02/02 03:44:32
...
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c]
convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:20:14 +11:00
1d2c456426
- tedu@cvs.openbsd.org 2014/01/31 16:39:19
...
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
2014-02-04 11:18:20 +11:00
3928de067c
- djm@cvs.openbsd.org 2014/01/30 22:26:14
...
[sandbox-systrace.c]
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable
(Id sync only; change is already in portable)
2014-02-04 11:13:54 +11:00
e1e480aee8
- jmc@cvs.openbsd.org 2014/01/29 14:04:51
...
[sshd_config.5]
document kbdinteractiveauthentication;
requested From: Ross L Richardson
dtucker/markus helped explain its workings;
2014-02-04 11:13:17 +11:00
7cc194f70d
- djm@cvs.openbsd.org 2014/01/29 06:18:35
...
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
2014-02-04 11:12:56 +11:00
b0f26544cf
- djm@cvs.openbsd.org 2014/01/29 00:19:26
...
[sshd.c]
use kill(0, ...) instead of killpg(0, ...); on most operating systems
they are equivalent, but SUSv2 describes the latter as having undefined
behaviour; from portable; ok dtucker
(Id sync only; change is already in portable)
2014-02-04 11:10:01 +11:00
f8f35bc471
- jmc@cvs.openbsd.org 2014/01/28 14:13:39
...
[ssh-keyscan.1]
kill some bad Pa;
From: Jan Stary
2014-02-04 11:09:12 +11:00
ec93d15170
- markus@cvs.openbsd.org 2014/01/27 20:13:46
...
[digest.c digest-openssl.c digest-libc.c Makefile.in]
rename digest.c to digest-openssl.c and add libc variant; ok djm@
2014-02-04 11:07:13 +11:00
4a1c7aa640
- markus@cvs.openbsd.org 2014/01/27 19:18:54
...
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
replace openssl MD5 with our ssh_digest_*; ok djm@
2014-02-04 11:03:36 +11:00
4e8d937af7
- markus@cvs.openbsd.org 2014/01/27 18:58:14
...
[Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
replace openssl HMAC with an implementation based on our ssh_digest_*
ok and feedback djm@
2014-02-04 11:02:42 +11:00
69d0d09f76
- (tim) [Makefile.in] build regress/setuid-allow.
2014-01-31 14:25:18 -08:00
0eeafcd76b
- (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes
...
build with HP-UX's compiler. Patch from Kevin Brott.
2014-01-31 14:18:51 +11:00
7e5cec6070
- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
...
syscall from sandboxes; it may be called by packet_close.
2014-01-31 09:25:34 +11:00
cdb6c90811
- (djm) Release openssh-6.5p1
2014-01-30 12:50:17 +11:00
996ea80b18
trim entries prior to openssh-6.0p1
2014-01-30 12:49:55 +11:00
f5bbd3b657
- (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
...
different symbols for 'read' when various compiler flags are
in use, causing atomicio.c comparisons against it to break and
read/write operations to hang; ok dtucker
2014-01-30 11:26:46 +11:00
c2868192dd
- (djm) [configure.ac] Only check for width-specified integer types
...
in headers that actually exist. patch from Tom G. Christensen;
ok dtucker@
2014-01-30 10:21:19 +11:00
c161fc90fc
- (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
...
Tom G. Christensen
2014-01-29 21:01:33 +11:00
6f917ad376
- (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
...
when used as an error message inside an if statement so we display the
correct into. agent.sh patch from Petr Lautrbach.
2014-01-28 10:26:25 -08:00
ab16ef4152
- (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
...
latter being specified to have undefined behaviour in SUSv3;
ok dtucker
2014-01-28 15:08:12 +11:00
ab03949058
- (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;
...
ok dtucker
2014-01-28 15:07:10 +11:00
4ab20a82d4
- (dtucker) [Makefile.in] Remove trailing backslash which some make
...
implementations (eg older Solaris) do not cope with.
2014-01-27 17:35:04 +11:00
e7e8b3cfe9
Welcome to 2014
2014-01-27 17:32:50 +11:00
5b447c0aac
- (djm) [configure.ac] correct AC_DEFINE for previous.
2014-01-26 09:46:53 +11:00
2035b2236d
- (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
...
RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
libc will attempt to open additional file descriptors for crypto
offload and crash if they cannot be opened.
2014-01-26 09:39:53 +11:00
a92ac74104
- markus@cvs.openbsd.org 2014/01/25 20:35:37
...
[kex.c]
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha
2014-01-26 09:38:03 +11:00
76eea4ab4e
- dtucker@cvs.openbsd.org 2014/01/25 10:12:50
...
[cipher.c cipher.h kex.c kex.h kexgexc.c]
Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@
2014-01-26 09:37:25 +11:00
603b8f47f1
- (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test
...
against the correct thing.
2014-01-25 13:16:59 +11:00
c96d85376d
- (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
...
sys/capability.h exists and cap_rights_limit is in libc. Fixes
build on FreeBSD9x which provides the header but not the libc
support.
2014-01-25 13:12:28 +11:00
f62ecef993
- (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
2014-01-25 12:34:38 +11:00
Damien Miller
Darren Tucker
Tim Rice