7fca94edbe
upstream: Fix inverted logic for redirecting ProxyCommand stderr to
...
/dev/null. Fixes mosh in proxycommand mode that was broken by the previous
ProxyCommand change that was reported by matthieu@. ok djm@ danj@
OpenBSD-Commit-ID: c6fc9641bc250221a0a81c6beb2e72d603f8add6
2018-11-19 15:13:38 +11:00
ccef7c4faf
upstream: redirect stderr of ProxyCommands to /dev/null when ssh is
...
started with ControlPersist; based on patch from Steffen Prohaska
OpenBSD-Commit-ID: 1bcaa14a03ae80369d31021271ec75dce2597957
2018-11-16 17:18:29 +11:00
15182fd968
upstream: make grandparent-parent-child sshbuf chains robust to
...
use-after-free faults if the ancestors are freed before the descendents.
Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn
OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2
2018-11-16 17:18:29 +11:00
2a35862e66
upstream: use path_absolute() for pathname checks; from Manoj Ampalam
...
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-11-16 14:37:33 +11:00
d0d1dfa55b
Test for OPENSSL_init_crypto before using.
...
Check for the presence of OPENSSL_init_crypto and all the flags we want
before trying to use it (bz#2931).
2018-11-16 14:11:44 +11:00
6010c0303a
upstream: disallow empty incoming filename or ones that refer to the
...
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
2018-11-16 14:04:35 +11:00
aaed635e3a
upstream: fix bug in client that was keeping a redundant ssh-agent
...
socket around for the life of the connection; bz#2912; reported by Simon
Tatham; ok dtucker@
OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
2018-11-16 13:52:18 +11:00
e76135e300
upstream: fix bug in HostbasedAcceptedKeyTypes and
...
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
2018-11-16 13:52:17 +11:00
5c1a63562c
upstream: support a prefix of '@' to suppress echo of sftp batch
...
commands; bz#2926; ok dtucker@
OpenBSD-Commit-ID: 9d635636bc84aeae796467e059f7634de990a79d
2018-11-16 13:51:58 +11:00
90ef45f7aa
upstream: fix markup error (missing blank before delimiter); from
...
Mike Frysinger <vapier at gentoo dot org>
OpenBSD-Commit-ID: 1bc5392f795ca86318d695e0947eaf71a5a4f6d9
2018-11-16 13:51:12 +11:00
960e7c672d
upstream: typo in error message; caught by Debian lintian, via
...
Colin Watson
OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758
2018-11-16 13:51:12 +11:00
81f1620c83
upstream: correct local variable name; from yawang AT microsoft.com
...
OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
2018-11-16 13:51:12 +11:00
1293740e80
upstream: Import new moduli.
...
OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
2018-11-16 13:51:12 +11:00
46925ae28e
upstream: mention ssh-ed25519-cert-v01@openssh.com in list of cert
...
key type at start of doc
OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
2018-11-16 13:50:32 +11:00
8d8340e2c2
Remove fallback check for /usr/local/ssl.
...
If configure could not find a working OpenSSL installation it would
fall back to checking in /usr/local/ssl. This made sense back when
systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't
use that as a default any more. The fallback behaviour also meant
that if you pointed --with-ssl-dir at a specific directory and it
didn't work, it would silently use either the system libs or the ones
in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to
pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
2018-11-16 13:32:13 +11:00
ce93472134
Fix check for OpenSSL 1.0.1 exactly.
...
Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix
compile-time check for 1.0.1 to match.
2018-11-16 12:44:01 +11:00
f2970868f8
Improve warnings in cygwin service setup.
...
bz#2922, patch from vinschen at redhat.com.
2018-11-11 15:58:20 +11:00
bd2d54fc1e
Remove hardcoded service name in cygwin setup.
...
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
by vinschen at redhat.com.
2018-11-11 15:54:54 +11:00
d0153c77bf
AC_CHECK_SIZEOF() no longer needs a second argument.
2018-11-10 19:45:14 +11:00
9b47b083ca
Fix error message w/out nistp521.
...
Correct error message when OpenSSL doesn't support certain ECDSA key
lengths.
2018-11-10 19:17:55 +11:00
624d19ac2d
fix compilation with openssl built without ECC
...
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
guarded by OPENSSL_HAS_ECC
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-11-09 14:19:24 +11:00
1801cd11d9
Simplify OpenSSL 1.1 function checks.
...
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single
AC_CHECK_FUNCS. ok djm@
2018-11-08 15:03:11 +11:00
bc32f118d4
Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
...
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2018-11-05 17:31:24 +11:00
3719df60c6
Import new moduli.
2018-10-31 22:21:03 +11:00
595605d4ab
Update check for minimum OpenSSL version.
2018-10-28 15:18:13 +11:00
6ab75aba34
Update required OpenSSL versions to match current.
2018-10-28 15:16:31 +11:00
c801b0e38e
Use detected version functions in openssl compat.
...
Use detected functions in compat layer instead of guessing based on
versions. Really fixes builds with LibreSSL, not just configure.
2018-10-28 14:34:12 +11:00
262d81a259
Check for the existence of openssl version funcs.
...
Check for the existence of openssl version functions and use the ones
detected instead of trying to guess based on the int32 version
identifier. Fixes builds with LibreSSL.
2018-10-27 16:45:59 +11:00
406a24b25d
fix builds on OpenSSL <= 1.0.x
...
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API
to obtain version number, but they don't.
2018-10-26 13:43:28 +11:00
859754bdeb
remove remaining references to SSLeay
...
Prompted by Rosen Penev
2018-10-23 17:10:41 +11:00
b9fea45a68
regen depend
2018-10-23 17:10:35 +11:00
a65784c9f9
upstream: refer to OpenSSL not SSLeay;
...
we're old, but we don't have to act it
OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
2018-10-23 16:57:54 +11:00
c0a3526590
fix compile for openssl 1.0.x w/ --with-ssl-engine
...
bz#2921, patch from cotequeiroz
2018-10-23 16:19:56 +11:00
31b4952516
Include openssl compatibility.
...
Patch from rosenp at gmail.com via openssh-unix-dev.
2018-10-22 20:05:18 +11:00
a4fc253f5f
upstream: when printing certificate contents "ssh-keygen -Lf
...
/path/certificate", include the algorithm that the CA used to sign the cert.
OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
2018-10-22 10:58:06 +11:00
83b3d99d2b
upstream: struct sockaddr_storage is guaranteed to be large enough,
...
no need to check the size. OK kn, deraadt
OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
2018-10-22 10:58:06 +11:00
aede1c3424
Require OpenSSL 1.1.x series 1.1.0g or greater
...
Previous versions have a bug with EVP_CipherInit() when passed a
NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613
ok dtucker@
2018-10-17 11:01:20 +11:00
08300c2114
unbreak compilation with --with-ssl-engine
...
Missing last argument to OPENSSL_init_crypto()
2018-10-17 08:12:02 +11:00
1673274aee
Remove gcc spectre mitigation flags.
...
Current impementions of the gcc spectre mitigation flags cause
miscompilations when combined with other flags and do not provide much
protection. Found by fweimer at redhat.com, ok djm@
2018-10-16 14:45:57 +11:00
4e23deefd7
Avoid deprecated OPENSSL_config when using 1.1.x
...
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of
OPENSSL_init_crypto; pointed out by Jakub Jelen
2018-10-16 10:54:37 +11:00
797cdd9c84
Don't avoid our *sprintf replacements.
...
Don't let systems with broken printf(3) avoid our replacements
via asprintf(3)/vasprintf(3) calling libc internally. From djm@
2018-10-12 16:58:47 +11:00
e526127cbd
Check if snprintf understands %zu.
...
If the platforms snprintf and friends don't understand %zu, use the
compat replacement. Prevents segfaults on those platforms.
2018-10-12 16:43:35 +11:00
cf39f87519
remove stale link, tweak
2018-10-12 09:48:05 +11:00
a7205e68de
update version numbers ahead of release
2018-10-12 09:47:20 +11:00
1a4a9cf80f
upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names to
...
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker
OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
2018-10-12 09:43:30 +11:00
dc8ddcdf1a
update depends
2018-10-11 13:08:59 +11:00
26841ac265
some more duplicated key algorithm lines
...
From Adam Eijdenberg
2018-10-11 13:02:11 +11:00
5d9d17603b
fix duplicated algorithm specification lines
...
Spotted by Adam Eijdenberg
2018-10-11 11:56:36 +11:00
ebfafd9c7a
upstream: typo in plain RSA algorithm counterpart names for
...
certificates; spotted by Adam Eijdenberg; ok dtucker@
OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11 11:55:57 +11:00
c29b111e7d
check pw_passwd != NULL here too
...
Again, for systems with broken NIS implementations.
Prompted by coolbugcheckers AT gmail.com
2018-10-11 11:29:35 +11:00
dtucker@openbsd.org
djm@openbsd.org
Darren Tucker
schwarze@openbsd.org
Dag-Erling Smørgrav
Manoj Ampalam
Eneas U de Queiroz
Damien Miller
florian@openbsd.org