Commit Graph

7565 Commits

Author SHA1 Message Date
Damien Miller d7fd8bedd4 - dtucker@cvs.openbsd.org 2014/04/29 19:58:50
[sftp.c]
     Move nulling of variable next to where it's freed.  ok markus@
2014-05-15 14:24:59 +10:00
Damien Miller 1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00
Damien Miller c589378556 - djm@cvs.openbsd.org 2014/04/29 13:10:30
[clientloop.c serverloop.c]
     bz#1818 - don't send channel success/failre replies on channels that
     have sent a close already; analysis and patch from Simon Tatham;
     ok markus@
2014-05-15 13:48:49 +10:00
Damien Miller 633de33b19 - djm@cvs.openbsd.org 2014/04/28 03:09:18
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
     [ssh-keygen.c]
     buffer_get_string_ptr's return should be const to remind
     callers that futzing with it will futz with the actual buffer
     contents
2014-05-15 13:48:26 +10:00
Damien Miller 1527190784 - djm@cvs.openbsd.org 2014/04/23 12:42:34
[readconf.c]
     don't record duplicate IdentityFiles
2014-05-15 13:47:56 +10:00
Damien Miller 798a02568b - jmc@cvs.openbsd.org 2014/04/22 14:16:30
[sftp.1]
     zap eol whitespace;
2014-05-15 13:47:37 +10:00
Damien Miller d875ff78d2 - logan@cvs.openbsd.org 2014/04/22 12:42:04
[sftp.1]
     Document sftp upload resume.
     OK from djm@, with feedback from okan@.
2014-05-15 13:47:15 +10:00
Damien Miller b15cd7bb09 - logan@cvs.openbsd.org 2014/04/22 10:07:12
[sftp.c]
     Sort the sftp command list.
     OK from djm@
2014-05-15 13:46:52 +10:00
Damien Miller d8accc0aa7 - logan@cvs.openbsd.org 2014/04/21 14:36:16
[sftp-client.c sftp-client.h sftp.c]
     Implement sftp upload resume support.
     OK from djm@, with input from guenther@, mlarkin@ and
     okan@
2014-05-15 13:46:25 +10:00
Damien Miller 16cd3928a8 - logan@cvs.openbsd.org 2014/04/20 09:24:26
[dns.c dns.h ssh-keygen.c]
     Add support for SSHFP DNS records for ED25519 key types.
     OK from djm@
2014-05-15 13:45:58 +10:00
Damien Miller ec0b67eb3b - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
OpenBSD
2014-05-15 13:45:26 +10:00
Darren Tucker f028460d0b - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
have it.  Only attempt to use __attribute__(__bounded__) for gcc.
2014-05-01 02:24:35 +10:00
Damien Miller b628cc4c3e - djm@cvs.openbsd.org 2014/04/20 02:49:32
[compat.c]
     add a canonical 6.6 + curve25519 bignum fix fake version that I can
     recommend people use ahead of the openssh-6.7 release
2014-04-20 13:33:58 +10:00
Damien Miller 8885669139 - djm@cvs.openbsd.org 2014/04/20 02:30:25
[misc.c misc.h umac.c]
     use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
     strict-alignment architectures; reported by and ok stsp@
2014-04-20 13:33:19 +10:00
Damien Miller 16f85cbc7e - tedu@cvs.openbsd.org 2014/04/19 18:42:19
[ssh.1]
     delete .xr to hosts.equiv. there's still an unfortunate amount of
     documentation referring to rhosts equivalency in here.
2014-04-20 13:29:28 +10:00
Damien Miller 69cb24b735 - tedu@cvs.openbsd.org 2014/04/19 18:15:16
[sshd.8]
     remove some really old rsh references
2014-04-20 13:29:06 +10:00
Damien Miller 84c1e7bca8 - tedu@cvs.openbsd.org 2014/04/19 14:53:48
[ssh-keysign.c sshd.c]
     Delete futile calls to RAND_seed. ok djm
     NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
2014-04-20 13:27:53 +10:00
Damien Miller 0e6b67423b - djm@cvs.openbsd.org 2014/04/19 05:54:59
[compat.c]
     missing wildcard; pointed out by naddy@
2014-04-20 13:27:01 +10:00
Damien Miller 9395b28223 - djm@cvs.openbsd.org 2014/04/18 23:52:25
[compat.c compat.h sshconnect2.c sshd.c version.h]
     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
     using the curve25519-sha256@libssh.org KEX exchange method to fail
     when connecting with something that implements the spec properly.

     Disable this KEX method when speaking to one of the affected
     versions.

     reported by Aris Adamantiadis; ok markus@
2014-04-20 13:25:30 +10:00
Damien Miller 8c492da58f - djm@cvs.openbsd.org 2014/04/16 23:28:12
[ssh-agent.1]
     remove the identity files from this manpage - ssh-agent doesn't deal
     with them at all and the same information is duplicated in ssh-add.1
     (which does deal with them); prodded by deraadt@
2014-04-20 13:25:09 +10:00
Damien Miller adbfdbbdcc - djm@cvs.openbsd.org 2014/04/16 23:22:45
[bufaux.c]
     skip leading zero bytes in buffer_put_bignum2_from_string();
     reported by jan AT mojzis.com; ok markus@
2014-04-20 13:24:49 +10:00
Damien Miller 75c62728dc - djm@cvs.openbsd.org 2014/04/12 04:55:53
[sshd.c]
     avoid crash at exit: check that pmonitor!=NULL before dereferencing;
     bz#2225, patch from kavi AT juniper.net
2014-04-20 13:24:31 +10:00
Damien Miller 2a328437fb - djm@cvs.openbsd.org 2014/04/01 05:32:57
[packet.c]
     demote a debug3 to PACKET_DEBUG; ok markus@
2014-04-20 13:24:01 +10:00
Damien Miller 7d6a9fb660 - djm@cvs.openbsd.org 2014/04/01 03:34:10
[sshconnect.c]
     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
     certificate keys to plain keys and attempt SSHFP resolution.

     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
     dialog by offering only certificate keys.

     Reported by mcv21 AT cam.ac.uk
2014-04-20 13:23:43 +10:00
Damien Miller fcd62c0b66 - djm@cvs.openbsd.org 2014/04/01 02:05:27
[ssh-keysign.c]
     include fingerprint of key not found
     use arc4random_buf() instead of loop+arc4random()
2014-04-20 13:23:21 +10:00
Damien Miller 43b156cf72 - jmc@cvs.openbsd.org 2014/03/31 13:39:34
[ssh-keygen.1]
     the text for the -K option was inserted in the wrong place in -r1.108;
     fix From: Matthew Clarke
2014-04-20 13:23:03 +10:00
Damien Miller c1621c84f2 - naddy@cvs.openbsd.org 2014/03/28 05:17:11
[ssh_config.5 sshd_config.5]
     sync available and default algorithms, improve algorithm list formatting
     help from jmc@ and schwarze@, ok deraadt@
2014-04-20 13:22:46 +10:00
Damien Miller f2719b7c2b - tedu@cvs.openbsd.org 2014/03/26 19:58:37
[sshd.8 sshd.c]
     remove libwrap support. ok deraadt djm mfriedl
2014-04-20 13:22:18 +10:00
Damien Miller 4f40209aa4 - djm@cvs.openbsd.org 2014/03/26 04:55:35
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
     [misc.h poly1305.h ssh-pkcs11.c]
     use __bounded(...) attribute recently added to sys/cdefs.h instead of
     longform __attribute__(__bounded(...));

     for brevity and a warning free compilation with llvm/clang
2014-04-20 13:21:22 +10:00
Damien Miller 9235a030ad Three commits in one (since they touch the same heavily-diverged file
repeatedly):

   - markus@cvs.openbsd.org 2014/03/25 09:40:03
     [myproposal.h]
     trimm default proposals.

     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
     (arcfour), and the broken modes (CBC) from the default configuration
     (the patch only changes the default, all the modes are still available
     for the config files).

     ok djm@, reminded by tedu@ & naddy@ and discussed with many
   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
     [myproposal.h]
     The current sharing of myproposal[] between both client and server code
     makes the previous diff highly unpallatable.  We want to go in that
     direction for the server, but not for the client.  Sigh.
     Brought up by naddy.
   - markus@cvs.openbsd.org 2014/03/27 23:01:27
     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 13:17:20 +10:00
Damien Miller 6e1777f592 - tedu@cvs.openbsd.org 2014/03/19 14:42:44
[scp.1]
     there is no need for rcp anymore
     ok deraadt millert
2014-04-20 13:02:58 +10:00
Damien Miller eb1b7c514d - tedu@cvs.openbsd.org 2014/03/17 19:44:10
[ssh.1]
     old descriptions of des and blowfish are old. maybe ok deraadt
2014-04-20 13:02:26 +10:00
Damien Miller f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
2014-04-20 13:01:30 +10:00
Damien Miller 94bfe0fbd6 - naddy@cvs.openbsd.org 2014/03/12 13:06:59
[ssh-keyscan.1]
     scan for Ed25519 keys by default too
2014-04-20 13:00:51 +10:00
Damien Miller 3819519288 - djm@cvs.openbsd.org 2014/03/12 04:51:12
[authfile.c]
     correct test that kdf name is not "none" or "bcrypt"
2014-04-20 13:00:28 +10:00
Damien Miller 8f9cd709c7 - djm@cvs.openbsd.org 2014/03/12 04:50:32
[auth-bsdauth.c ssh-keygen.c]
     don't count on things that accept arguments by reference to clear
     things for us on error; most things do, but it's unsafe form.
2014-04-20 13:00:11 +10:00
Damien Miller 1c7ef4be83 - djm@cvs.openbsd.org 2014/03/12 04:44:58
[ssh-keyscan.c]
     scan for Ed25519 keys by default too
2014-04-20 12:59:46 +10:00
Damien Miller c10bf4d051 - djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
     Id sync only - portable already has this.
2014-04-20 12:58:04 +10:00
Damien Miller c2e49062fa - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
version. From des@des.no
2014-04-01 14:42:46 +11:00
Damien Miller 14928b7492 - (djm) On platforms that support it, use prctl() to prevent sftp-server
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
2014-04-01 14:38:07 +11:00
Damien Miller 48abc47e60 - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
remind myself to add sandbox violation logging via the log socket.
2014-03-17 14:45:56 +11:00
Tim Rice 9c36698ca2 20140314
- (tim) [opensshd.init.in] Add support for ed25519
2014-03-14 12:45:01 -07:00
Damien Miller 19158b2447 - (djm) Release OpenSSH 6.6 2014-03-13 13:14:21 +11:00
Damien Miller 8569eba5d7 - djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
2014-03-04 09:35:17 +11:00
Damien Miller 2476c31b96 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
no moduli file exists at the expected location.
2014-03-02 04:01:00 +11:00
Damien Miller c83fdf30e9 - (djm) [regress/host-expand.sh] Add RCS Id 2014-02-28 10:34:03 +11:00
Damien Miller 834aeac355 - djm@cvs.openbsd.org 2014/02/27 21:21:25
[agent-ptrace.sh agent.sh]
     keep return values that are printed in error messages;
     from portable
     (Id sync only)
2014-02-28 10:25:16 +11:00
Damien Miller 4f7f1a9a0d - djm@cvs.openbsd.org 2014/02/27 20:04:16
[login-timeout.sh]
     remove any existing LoginGraceTime from sshd_config before adding
     a specific one for the test back in
2014-02-28 10:24:11 +11:00
Damien Miller d705d987c2 - djm@cvs.openbsd.org 2014/01/26 10:49:17
[scp-ssh-wrapper.sh scp.sh]
     make sure $SCP is tested on the remote end rather than whichever one
     happens to be in $PATH; from portable
     (Id sync only)
2014-02-28 10:23:26 +11:00
Damien Miller 624a3ca376 - djm@cvs.openbsd.org 2014/01/26 10:22:10
[regress/cert-hostkey.sh]
     automatically generate revoked keys from listed keys rather than
     manually specifying each type; from portable
     (Id sync only)
2014-02-28 10:22:37 +11:00