141efe4954
upstream commit
...
move authfd.c and its tentacles to the new buffer/key
API; ok markus@
2015-01-15 21:37:34 +11:00
0088c57af3
upstream commit
...
fix small regression: ssh-agent would return a success
message but an empty signature if asked to sign using an unknown key; ok
markus@
2015-01-15 21:37:33 +11:00
b03ebe2c22
more --without-openssl
...
fix some regressions caused by upstream merges
enable KRLs now that they no longer require BIGNUMs
2015-01-15 03:08:58 +11:00
bc42cc6fe7
kludge around tun API mismatch betterer
2015-01-15 03:08:29 +11:00
c332110291
some systems lack SO_REUSEPORT
2015-01-15 02:59:51 +11:00
83b9678a62
fix merge botch
2015-01-15 02:35:50 +11:00
0cdc5a3eb6
unbreak across API change
2015-01-15 02:35:33 +11:00
6e2549ac2b
need includes.h for portable OpenSSH
2015-01-15 02:30:18 +11:00
72ef7c148c
support --without-openssl at configure time
...
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
2015-01-15 02:28:36 +11:00
4f38c61c68
add files missed in last commit
2015-01-15 02:28:00 +11:00
a165bab605
upstream commit
...
avoid BIGNUM in KRL code by using a simple bitmap;
feedback and ok markus
2015-01-15 02:22:18 +11:00
7d845f4a0b
upstream commit
...
update sftp client and server to new buffer API. pretty
much just mechanical changes; with & ok markus
2015-01-15 02:22:18 +11:00
139ca81866
upstream commit
...
switch to sshbuf/sshkey; with & ok djm@
2015-01-15 02:22:17 +11:00
81bfbd0bd3
support --without-openssl at configure time
...
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
2015-01-14 21:48:18 +11:00
54924b53af
upstream commit
...
avoid an warning for the !OPENSSL case
2015-01-14 21:46:49 +11:00
ae8b463217
upstream commit
...
swith auth-options to new sshbuf/sshkey; ok djm@
2015-01-14 21:34:20 +11:00
540e891191
upstream commit
...
make non-OpenSSL aes-ctr work on sshd w/ privsep; ok
markus@
2015-01-14 21:32:55 +11:00
60c2c4ea5e
upstream commit
...
remove unneeded includes, sync my copyright across files
& whitespace; ok djm@
2015-01-14 21:32:54 +11:00
128343bcdb
upstream commit
...
adapt mac.c to ssherr.h return codes (de-fatal) and
simplify dependencies ok djm@
2015-01-14 20:43:11 +11:00
e7fd952f4e
upstream commit
...
sync changes from libopenssh; prepared by markus@ mostly
debug output tweaks, a couple of error return value changes and some other
minor stuff
2015-01-14 20:32:42 +11:00
76c0480a85
add --without-ssh1 option to configure
...
Allows disabling support for SSH protocol 1.
2015-01-13 19:38:18 +11:00
1f729f0614
upstream commit
...
add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
will be accepted. Currently defaults to all. Feedback & ok markus@
2015-01-13 19:27:18 +11:00
816d1538c2
upstream commit
...
unbreak parsing of pubkey comments; with gerhard; ok
djm/deraadt
2015-01-13 19:26:12 +11:00
0097565f84
upstream commit
...
missing error assigment on sshbuf_put_string()
2015-01-13 19:26:12 +11:00
a7f49dcb52
upstream commit
...
apparently memcpy(x, NULL, 0) is undefined behaviour
according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls
when length==0; ok markus@
2015-01-13 19:25:52 +11:00
905fe30fca
upstream commit
...
free->sshkey_free; ok djm@
2015-01-13 19:25:52 +11:00
f067cca2bc
upstream commit
...
allow WITH_OPENSSL w/o WITH_SSH1; ok djm@
2015-01-13 19:25:08 +11:00
c4bfafcc2a
upstream commit
...
adjust for sshkey_load_file() API change
2015-01-09 00:46:04 +11:00
e752c6d547
upstream commit
...
fix ssh_config FingerprintHash evaluation order; from Petr
Lautrbach
2015-01-09 00:45:50 +11:00
ab24ab847b
upstream commit
...
reorder hostbased key attempts to better match the
default hostkey algorithms order in myproposal.h; ok markus@
2015-01-09 00:20:25 +11:00
1195f4cb07
upstream commit
...
deprecate key_load_private_pem() and
sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
not require pathnames to be specified (they weren't really used).
Fixes a few other things en passant:
Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).
Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.
ok markus@
2015-01-09 00:17:12 +11:00
febbe09e4e
upstream commit
...
workaround for the Meyer, et al, Bleichenbacher Side
Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm
markus
2015-01-09 00:13:35 +11:00
5191df927d
upstream commit
...
KNF and add a little more debug()
2015-01-09 00:13:35 +11:00
8abd80315d
upstream commit
...
add fingerprinthash to the options list;
2015-01-09 00:13:35 +11:00
296ef0560f
upstream commit
...
tweak previous;
2015-01-09 00:13:34 +11:00
462082eacb
avoid uninitialised free of ldns_res
...
If an invalid rdclass was passed to getrrsetbyname() then
this would execute a free on an uninitialised pointer.
OpenSSH only ever calls this with a fixed and valid rdclass.
Reported by Joshua Rogers
2014-12-30 08:16:11 +11:00
01b6349880
pull updated OpenBSD BCrypt PBKDF implementation
...
Includes fix for 1 byte output overflow for large key length
requests (not reachable in OpenSSH).
Pointed out by Joshua Rogers
2014-12-29 18:10:18 +11:00
c528c1b4af
fix variable name for IPv6 case in construct_utmpx
...
patch from writeonce AT midipix.org via bz#2296
2014-12-23 15:26:13 +11:00
293cac52dc
include and use OpenBSD netcat in regress/
2014-12-23 08:38:12 +11:00
8f6784f0cb
upstream commit
...
mention ssh -Q feature to list supported { MAC, cipher,
KEX, key } algorithms in more places and include the query string used to
list the relevant information; bz#2288
2014-12-22 20:05:41 +11:00
449e11b4d7
upstream commit
...
tweak previous;
2014-12-22 20:05:40 +11:00
4bea0ab329
upstream commit
...
regression test for multiple required pubkey authentication;
ok markus@
2014-12-22 19:13:38 +11:00
f1c4d8ec52
upstream commit
...
correct description of what will happen when a
AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd
will refuse to start)
2014-12-22 19:08:12 +11:00
161cf419f4
upstream commit
...
make internal handling of filename arguments of "none"
more consistent with ssh. "none" arguments are now replaced with NULL when
the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@
2014-12-22 19:08:12 +11:00
f69b69b862
upstream commit
...
remember which public keys have been used for
authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.
ok markus@
2014-12-22 19:06:52 +11:00
46ac2ed467
upstream commit
...
fix passing of wildcard forward bind addresses when
connection multiplexing is in use; patch from Sami Hartikainen via bz#2324;
ok dtucker@
2014-12-22 19:06:27 +11:00
0d1b241a26
upstream commit
...
make this slightly easier to diff against portable
2014-12-22 17:21:51 +11:00
0715bcdddb
add missing regress output file
2014-12-22 13:47:07 +11:00
1e30483c8a
upstream commit
...
adjust for new SHA256 key fingerprints and
slightly-different MD5 hex fingerprint format
2014-12-22 13:21:07 +11:00
6b40567ed7
upstream commit
...
poll changes to netcat (usr.bin/netcat.c r1.125) broke
this test; fix it by ensuring more stdio fds are sent to devnull
2014-12-22 13:18:41 +11:00
djm@openbsd.org
Damien Miller
markus@openbsd.org
tedu@openbsd.org
jmc@openbsd.org
Damien Miller