Darren Tucker
9edcbff46f
- (dtucker) [configure.ac] Have --without-toolchain-hardening not turn off
...
stack-protector since that has a separate flag that's been around a while.
2014-01-17 21:54:32 +11:00
Darren Tucker
6d725687c4
- (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.
2014-01-17 19:17:34 +11:00
Darren Tucker
5055699c7f
- (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we
...
need them to cut down on the name collisions.
2014-01-17 18:48:22 +11:00
Darren Tucker
a5cf1e220d
- (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c
...
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
to be useful (and for the regression tests to pass) on platforms that
have statfs and fstatfs. ok djm@
2014-01-17 18:10:58 +11:00
Darren Tucker
1357d71d7b
- (dtucker) Fix typo in #ifndef.
2014-01-17 18:00:40 +11:00
Darren Tucker
d23a91ffb2
- (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c
...
openbsd-compat/openssl-compat.h] Add compatibility layer for older
openssl versions. ok djm@
2014-01-17 17:32:30 +11:00
Damien Miller
868ea1ea1c
- (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
...
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2014-01-17 16:47:04 +11:00
Darren Tucker
a9d186a8b5
- dtucker@cvs.openbsd.org 2014/01/17 05:26:41
...
[digest.c]
remove unused includes. ok djm@
2014-01-17 16:30:49 +11:00
Darren Tucker
5f1c57a7a7
- djm@cvs.openbsd.org 2014/01/17 00:21:06
...
[sftp-client.c]
signed/unsigned comparison warning fix; from portable (Id sync only)
2014-01-17 16:29:45 +11:00
Darren Tucker
c548722361
- (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into
...
separate lines and alphabetize for easier diffing of changes.
2014-01-17 15:12:16 +11:00
Darren Tucker
acad351a5b
- (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that
...
don't have them.
2014-01-17 14:20:05 +11:00
Darren Tucker
c3ed065ce8
- (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside
...
#ifdef HAVE_STDINT_H.
2014-01-17 14:18:45 +11:00
Darren Tucker
f45f78ae43
- (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include
...
includes.h to pull in all of the compatibility stuff.
2014-01-17 12:43:43 +11:00
Darren Tucker
99df369d03
- (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
2014-01-17 12:42:17 +11:00
Darren Tucker
ac413b62ea
- (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
2014-01-17 12:31:33 +11:00
Darren Tucker
1c4a011e9c
- (dtucker) [loginrec.c] Cast to the types specfied in the format
...
specification to prevent warnings.
2014-01-17 12:23:23 +11:00
Damien Miller
c3d483f9a8
- (djm) [sftp-client.c] signed/unsigned comparison fix
2014-01-17 11:20:26 +11:00
Darren Tucker
fd994379dd
- (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain
...
hardening flags including -fstack-protector-strong. These default to on
if the toolchain supports them, but there is a configure-time knob
(--without-hardening) to disable them if necessary. ok djm@
2014-01-17 09:53:24 +11:00
Damien Miller
366224d217
- (djm) [README] update release notes URL.
2014-01-16 18:51:44 +11:00
Damien Miller
2ae77e64f8
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Crank RPM spec version numbers.
2014-01-16 18:51:07 +11:00
Damien Miller
0fa29e6d77
- djm@cvs.openbsd.org 2014/01/16 07:32:00
...
[version.h]
openssh-6.5
2014-01-16 18:42:31 +11:00
Damien Miller
52c371cd6d
- djm@cvs.openbsd.org 2014/01/16 07:31:09
...
[sftp-client.c]
needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@
2014-01-16 18:42:10 +11:00
Damien Miller
91b580e4be
- djm@cvs.openbsd.org 2014/01/12 08:13:13
...
[bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
[kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@
2014-01-12 19:21:22 +11:00
Damien Miller
af5d4481f4
- djm@cvs.openbsd.org 2014/01/10 05:59:19
...
[sshd_config]
the /etc/ssh/ssh_host_ed25519_key is loaded by default too
2014-01-12 19:20:47 +11:00
Damien Miller
58cd63bc63
- djm@cvs.openbsd.org 2014/01/09 23:26:48
...
[sshconnect.c sshd.c]
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
2014-01-10 10:59:24 +11:00
Damien Miller
b3051d01e5
- djm@cvs.openbsd.org 2014/01/09 23:20:00
...
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
[kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
[kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
[schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@
2014-01-10 10:58:53 +11:00
Damien Miller
e00e413dd1
- guenther@cvs.openbsd.org 2014/01/09 03:26:00
...
[sftp-common.c]
When formating the time for "ls -l"-style output, show dates in the future
with the year, and rearrange a comparison to avoid a potentional signed
arithmetic overflow that would give the wrong result.
ok djm@
2014-01-10 10:40:45 +11:00
Damien Miller
3e49853650
- tedu@cvs.openbsd.org 2014/01/04 17:50:55
...
[mac.c monitor_mm.c monitor_mm.h xmalloc.c]
use standard types and formats for size_t like variables. ok dtucker
2014-01-10 10:37:05 +11:00
Damien Miller
a9c1e500ef
- (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
2014-01-08 16:13:12 +11:00
Damien Miller
324541e526
- djm@cvs.openbsd.org 2013/12/30 23:52:28
...
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
2013-12-31 12:25:40 +11:00
Damien Miller
9f4c8e797e
- (djm) [regress/Makefile] Add some generated files for cleaning
2013-12-29 17:57:46 +11:00
Damien Miller
106bf1ca3c
- djm@cvs.openbsd.org 2013/12/29 05:57:02
...
[sshconnect.c]
when showing other hostkeys, don't forget Ed25519 keys
2013-12-29 17:54:03 +11:00
Damien Miller
0fa47cfb32
- djm@cvs.openbsd.org 2013/12/29 05:42:16
...
[ssh.c]
don't forget to load Ed25519 certs too
2013-12-29 17:53:39 +11:00
Damien Miller
b9a95490da
- djm@cvs.openbsd.org 2013/12/29 04:35:50
...
[authfile.c]
don't refuse to load Ed25519 certificates
2013-12-29 17:50:15 +11:00
Damien Miller
f72cdde6e6
- djm@cvs.openbsd.org 2013/12/29 04:29:25
...
[authfd.c]
allow deletion of ed25519 keys from the agent
2013-12-29 17:49:55 +11:00
Damien Miller
29ace1cb68
- djm@cvs.openbsd.org 2013/12/29 04:20:04
...
[key.c]
to make sure we don't omit any key types as valid CA keys again,
factor the valid key type check into a key_type_is_valid_ca()
function
2013-12-29 17:49:31 +11:00
Damien Miller
9de4fcdc5a
- djm@cvs.openbsd.org 2013/12/29 02:49:52
...
[key.c]
correct comment for key_drop_cert()
2013-12-29 17:49:13 +11:00
Damien Miller
5baeacf8a8
- djm@cvs.openbsd.org 2013/12/29 02:37:04
...
[key.c]
correct comment for key_to_certified()
2013-12-29 17:48:55 +11:00
Damien Miller
83f2fe26cb
- djm@cvs.openbsd.org 2013/12/29 02:28:10
...
[key.c]
allow ed25519 keys to appear as certificate authorities
2013-12-29 17:48:38 +11:00
Damien Miller
06122e9a74
- djm@cvs.openbsd.org 2013/12/27 22:37:18
...
[ssh-rsa.c]
correct comment
2013-12-29 17:48:15 +11:00
Damien Miller
3e19295c3a
- djm@cvs.openbsd.org 2013/12/27 22:30:17
...
[ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
make the original RSA and DSA signing/verification code look more like
the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
rather than tediously listing all variants, use __func__ for debug/
error messages
2013-12-29 17:47:50 +11:00
Damien Miller
137977180b
- tedu@cvs.openbsd.org 2013/12/21 07:10:47
...
[ssh-keygen.1]
small typo
2013-12-29 17:47:14 +11:00
Damien Miller
339a48fe7f
- djm@cvs.openbsd.org 2013/12/19 22:57:13
...
[poly1305.c poly1305.h]
use full name for author, with his permission
2013-12-29 17:46:49 +11:00
Damien Miller
0b36c83148
- djm@cvs.openbsd.org 2013/12/19 01:19:41
...
[ssh-agent.c]
bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
ok dtucker
2013-12-29 17:45:51 +11:00
Damien Miller
4def184e9b
- djm@cvs.openbsd.org 2013/12/19 01:04:36
...
[channels.c]
bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.
Diagnosis and fix by ronf AT timeheart.net
2013-12-29 17:45:26 +11:00
Damien Miller
bf25d114e2
- djm@cvs.openbsd.org 2013/12/19 00:27:57
...
[auth-options.c]
simplify freeing of source-address certificate restriction
2013-12-29 17:44:56 +11:00
Damien Miller
bb3dafe702
- dtucker@cvs.openbsd.org 2013/12/19 00:19:12
...
[serverloop.c]
Cast client_alive_interval to u_int64_t before assinging to
max_time_milliseconds to avoid potential integer overflow in the timeout.
bz#2170, patch from Loganaden Velvindron, ok djm@
2013-12-29 17:44:29 +11:00
Damien Miller
ef275ead3d
- djm@cvs.openbsd.org 2013/12/19 00:10:30
...
[ssh-add.c]
skip requesting smartcard PIN when removing keys from agent; bz#2187
patch from jay AT slushpupie.com; ok dtucker
2013-12-29 17:44:07 +11:00
Damien Miller
7d97fd9a1c
- (djm) [loginrec.c] Check for username truncation when looking up lastlog
...
entries
2013-12-29 17:40:18 +11:00
Darren Tucker
77244afe3b
20131221
...
- (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
2013-12-21 17:02:39 +11:00
Darren Tucker
53f8e784dc
- (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
...
Patch from Loganaden Velvindron.
2013-12-19 11:31:44 +11:00
Darren Tucker
1fcec9d4f2
- (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions
...
greater than 11 either rather than just 11. Patch from Tomas Kuthan.
2013-12-19 11:00:12 +11:00
Damien Miller
6674eb9683
- markus@cvs.openbsd.org 2013/12/17 10:36:38
...
[crypto_api.h]
I've assempled the header file by cut&pasting from generated headers
and the source files.
2013-12-18 17:50:39 +11:00
Damien Miller
d58a596442
- djm@cvs.openbsd.org 2013/12/15 21:42:35
...
[cipher-chachapoly.c]
add some comments and constify a constant
2013-12-18 17:50:13 +11:00
Damien Miller
059321d19a
- pascal@cvs.openbsd.org 2013/12/15 18:17:26
...
[ssh-add.c]
Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page.
ok markus@
2013-12-18 17:49:48 +11:00
Damien Miller
155b5a5bf1
- markus@cvs.openbsd.org 2013/12/09 11:08:17
...
[crypto_api.h]
remove unused defines
2013-12-18 17:48:32 +11:00
Damien Miller
8a56dc2b6b
- markus@cvs.openbsd.org 2013/12/09 11:03:45
...
[blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
[ge25519_base.data hash.c sc25519.c sc25519.h verify.c]
Add Authors for the public domain ed25519/nacl code.
see also http://nacl.cr.yp.to/features.html
All of the NaCl software is in the public domain.
and http://ed25519.cr.yp.to/software.html
The Ed25519 software is in the public domain.
2013-12-18 17:48:11 +11:00
Damien Miller
6575c3acf3
- dtucker@cvs.openbsd.org 2013/12/08 09:53:27
...
[sshd_config.5]
Use a literal for the default value of KEXAlgorithms. ok deraadt jmc
2013-12-18 17:47:02 +11:00
Damien Miller
8ba0ead698
- naddy@cvs.openbsd.org 2013/12/07 11:58:46
...
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller
4f752cf71c
- djm@cvs.openbsd.org 2013/12/07 08:08:26
...
[ssh-keygen.1]
document -a and -o wrt new key format
2013-12-18 17:45:35 +11:00
Damien Miller
6d6fcd14e2
- (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh]
...
[regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid
filesystem before running agent-ptrace.sh; ok dtucker
2013-12-08 15:53:28 +11:00
Damien Miller
7e6e42fb53
- (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
...
Vinschen
2013-12-08 08:23:08 +11:00
Damien Miller
da3ca351b4
- (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from
...
Loganaden Velvindron @ AfriNIC in bz#2179
2013-12-07 21:43:46 +11:00
Damien Miller
eb401585bb
- (djm) [regress/cert-hostkey.sh] Fix merge botch
2013-12-07 17:07:15 +11:00
Damien Miller
f54542af3a
- markus@cvs.openbsd.org 2013/12/06 13:52:46
...
[regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
[regress/cert-userkey.sh regress/keytype.sh]
test ed25519 support; from djm@
2013-12-07 16:32:44 +11:00
Damien Miller
f104da263d
- (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in]
...
[openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on
Linux
2013-12-07 12:37:53 +11:00
Damien Miller
1ff130dac9
- [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c]
...
[openbsd-compat/blf.h openbsd-compat/blowfish.c]
[openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in
portable.
2013-12-07 11:51:51 +11:00
Damien Miller
4260828a29
- [authfile.c] Conditionalise inclusion of util.h
2013-12-07 11:38:03 +11:00
Damien Miller
a913442bac
- [Makefile.in] Add ed25519 sources
2013-12-07 11:35:36 +11:00
Damien Miller
ca570a519c
- djm@cvs.openbsd.org 2013/12/07 00:19:15
...
[key.c]
set k->cert = NULL after freeing it
2013-12-07 11:29:09 +11:00
Damien Miller
3cccc0e155
- [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
...
[ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
2013-12-07 11:27:47 +11:00
Damien Miller
a7827c11b3
- jmc@cvs.openbsd.org 2013/12/06 15:29:07
...
[sshd.8]
missing comma;
2013-12-07 11:24:30 +11:00
Damien Miller
5be9d9e3cb
- markus@cvs.openbsd.org 2013/12/06 13:39:49
...
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
[servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
[ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
[sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
[fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
support ed25519 keys (hostkeys and user identities) using the public
domain ed25519 reference code from SUPERCOP, see
http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller
bcd00abd84
- markus@cvs.openbsd.org 2013/12/06 13:34:54
...
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
[ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
default; details in PROTOCOL.key; feedback and lots help from djm;
ok djm@
2013-12-07 10:41:55 +11:00
Damien Miller
f0e9060d23
- markus@cvs.openbsd.org 2013/12/06 13:30:08
...
[authfd.c key.c key.h ssh-agent.c]
move private key (de)serialization to key.c; ok djm
2013-12-07 10:40:26 +11:00
Damien Miller
0f8536da23
- djm@cvs.openbsd.org 2013/12/06 03:40:51
...
[ssh-keygen.c]
remove duplicated character ('g') in getopt() string;
document the (few) remaining option characters so we don't have to
rummage next time.
2013-12-07 10:31:37 +11:00
Damien Miller
393920745f
- djm@cvs.openbsd.org 2013/12/05 22:59:45
...
[sftp-client.c]
fix memory leak in error path in do_readdir(); pointed out by
Loganaden Velvindron @ AfriNIC in bz#2163
2013-12-07 10:31:08 +11:00
Damien Miller
534b2ccade
- djm@cvs.openbsd.org 2013/12/05 01:16:41
...
[servconf.c servconf.h]
bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@
2013-12-05 14:07:27 +11:00
Darren Tucker
8369c8e61a
- (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
...
-L location for libedit. Patch from Serge van den Boom.
2013-12-05 11:00:16 +11:00
Damien Miller
9275df3e0a
- djm@cvs.openbsd.org 2013/12/04 04:20:01
...
[sftp-client.c]
bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
AfriNIC
2013-12-05 10:26:32 +11:00
Damien Miller
960f6a2b52
- djm@cvs.openbsd.org 2013/12/02 03:13:14
...
[cipher.c]
correct bzero of chacha20+poly1305 key context. bz#2177 from
Loganaden Velvindron @ AfriNIC
Also make it a memset for consistency with the rest of cipher.c
2013-12-05 10:26:14 +11:00
Damien Miller
f7e8a8796d
- djm@cvs.openbsd.org 2013/12/02 03:09:22
...
[key.c]
make key_to_blob() return a NULL blob on failure; part of
bz#2175 from Loganaden Velvindron @ AfriNIC
2013-12-05 10:25:51 +11:00
Damien Miller
f1e44ea9d9
- djm@cvs.openbsd.org 2013/12/02 02:56:17
...
[ssh-pkcs11-helper.c]
use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
2013-12-05 10:23:21 +11:00
Damien Miller
114e540b15
- djm@cvs.openbsd.org 2013/12/02 02:50:27
...
[PROTOCOL.chacha20poly1305]
typo; from Jon Cave
2013-12-05 10:22:57 +11:00
Damien Miller
e4870c0906
- djm@cvs.openbsd.org 2013/12/01 23:19:05
...
[PROTOCOL]
mention curve25519-sha256@libssh.org key exchange algorithm
2013-12-05 10:22:39 +11:00
Damien Miller
1d2f8804a6
- deraadt@cvs.openbsd.org 2013/11/26 19:15:09
...
[pkcs11.h]
cleanup 1 << 31 idioms. Resurrection of this issue pointed out by
Eitan Adler ok markus for ssh, implies same change in kerberosV
2013-12-05 10:22:03 +11:00
Damien Miller
bdb352a54f
- jmc@cvs.openbsd.org 2013/11/26 12:14:54
...
[ssh.1 ssh.c]
- put -Q in the right place
- Ar was a poor choice for the arguments to -Q. i've chosen an
admittedly equally poor Cm, at least consistent with the rest
of the docs. also no need for multiple instances
- zap a now redundant Nm
- usage() sync
2013-12-05 10:20:52 +11:00
Damien Miller
d937dc084a
- deraadt@cvs.openbsd.org 2013/11/25 18:04:21
...
[ssh.1 ssh.c]
improve -Q usage and such. One usage change is that the option is now
case-sensitive
ok dtucker markus djm
2013-12-05 10:19:54 +11:00
Damien Miller
dec0393f7e
- jmc@cvs.openbsd.org 2013/11/21 08:05:09
...
[ssh_config.5 sshd_config.5]
no need for .Pp before displays;
2013-12-05 10:18:43 +11:00
Damien Miller
8a073cf579
- djm@cvs.openbsd.org 2013/11/21 03:18:51
...
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
[regress/try-ciphers.sh]
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
encryption ciphers instead of specifying them manually; ensures that
the new chacha20poly1305@openssh.com mode is tested;
ok markus@ and naddy@ as part of the diff to add
chacha20poly1305@openssh.com
2013-11-21 14:26:18 +11:00
Damien Miller
ea61b2179f
- djm@cvs.openbsd.org 2013/11/21 03:16:47
...
[regress/modpipe.c]
use unsigned long long instead of u_int64_t here to avoid warnings
on some systems portable OpenSSH is built on.
2013-11-21 14:25:15 +11:00
Damien Miller
36aba25b04
- djm@cvs.openbsd.org 2013/11/21 03:15:46
...
[regress/krl.sh]
add some reminders for additional tests that I'd like to implement
2013-11-21 14:24:42 +11:00
Damien Miller
fa7a20bc28
- naddy@cvs.openbsd.org 2013/11/18 05:09:32
...
[regress/forward-control.sh]
bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
to successfully run this; ok djm@
(ID sync only; our timeouts are already longer)
2013-11-21 14:24:08 +11:00
Damien Miller
0fde8acdad
- djm@cvs.openbsd.org 2013/11/21 00:45:44
...
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Damien Miller
fdb2306acd
- deraadt@cvs.openbsd.org 2013/11/20 20:54:10
...
[canohost.c clientloop.c match.c readconf.c sftp.c]
unsigned casts for ctype macros where neccessary
ok guenther millert markus
2013-11-21 13:57:15 +11:00
Damien Miller
e00167307e
- deraadt@cvs.openbsd.org 2013/11/20 20:53:10
...
[scp.c]
unsigned casts for ctype macros where neccessary
ok guenther millert markus
2013-11-21 13:56:49 +11:00
Damien Miller
23e00aa6ba
- djm@cvs.openbsd.org 2013/11/20 02:19:01
...
[sshd.c]
delay closure of in/out fds until after "Bad protocol version
identification..." message, as get_remote_ipaddr/get_remote_port
require them open.
2013-11-21 13:56:28 +11:00
Damien Miller
867e6934be
- markus@cvs.openbsd.org 2013/11/13 13:48:20
...
[ssh-pkcs11.c]
add missing braces found by pedro
2013-11-21 13:56:06 +11:00
Damien Miller
0600c7020f
- dtucker@cvs.openbsd.org 2013/11/08 11:15:19
...
[bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
[uidswap.c] Include stdlib.h for free() as per the man page.
2013-11-21 13:55:43 +11:00
Darren Tucker
b6a75b0b93
- (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
...
querying the ones that are compiled in.
2013-11-10 20:25:22 +11:00
Darren Tucker
2c89430119
- (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
2013-11-10 12:38:42 +11:00
Darren Tucker
dd5264db5f
- (dtucker) [configure.ac] Add missing "test".
2013-11-09 22:32:51 +11:00
Darren Tucker
95cb2d4eb0
- (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
2013-11-09 22:02:31 +11:00
Darren Tucker
37bcef51b3
- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
...
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
latter actually works before using it. Fedora (at least) has NID_secp521r1
that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897 ).
2013-11-09 18:39:25 +11:00
Darren Tucker
6e2fe81f92
- dtucker@cvs.openbsd.org 2013/11/09 05:41:34
...
[regress/test-exec.sh regress/rekey.sh]
Use smaller test data files to speed up tests. Grow test datafiles
where necessary for a specific test.
2013-11-09 16:55:03 +11:00
Darren Tucker
aff7ef1bb8
- (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
...
rather than testing and generating each key, call ssh-keygen -A.
Patch from vinschen at redhat.com.
2013-11-09 00:19:22 +11:00
Darren Tucker
882abfd3fb
- (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
...
and pass in TEST_ENV. Unknown options cause stderr to get polluted
and the stderr-data test to fail.
2013-11-09 00:17:41 +11:00
Darren Tucker
8c333ec23b
- (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
...
warnings.
2013-11-08 21:12:58 +11:00
Darren Tucker
d94240b2f6
- (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
2013-11-08 21:10:04 +11:00
Darren Tucker
1c8ce34909
- (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
...
EVP_sha256.
2013-11-08 19:50:32 +11:00
Darren Tucker
ccdb9bec46
- (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
...
arc4random_stir for platforms that have arc4random but don't have
arc4random_stir (right now this is only OpenBSD -current).
2013-11-08 18:54:38 +11:00
Damien Miller
3420a50169
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Update version numbers following release.
2013-11-08 16:48:13 +11:00
Damien Miller
3ac4a234df
- djm@cvs.openbsd.org 2013/11/08 01:38:11
...
[version.h]
openssh-6.4
2013-11-08 12:39:49 +11:00
Damien Miller
6c81fee693
- djm@cvs.openbsd.org 2013/11/08 00:39:15
...
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
[clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
[sftp-client.c sftp-glob.c]
use calloc for all structure allocations; from markus@
2013-11-08 12:19:55 +11:00
Damien Miller
690d989008
- dtucker@cvs.openbsd.org 2013/11/07 11:58:27
...
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
2013-11-08 12:16:49 +11:00
Darren Tucker
08998c5fb9
- dtucker@cvs.openbsd.org 2013/11/08 01:06:14
...
[regress/rekey.sh]
Rekey less frequently during tests to speed them up
2013-11-08 12:11:46 +11:00
Darren Tucker
4bf7e50e53
- (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
...
variable. It's no longer used now that we get the supported MACs from
ssh -Q.
2013-11-07 22:33:48 +11:00
Darren Tucker
6e9d6f4112
- dtucker@cvs.openbsd.org 2013/11/07 04:26:56
...
[regress/kextype.sh]
trailing space
2013-11-07 15:32:37 +11:00
Darren Tucker
74cbc22529
- dtucker@cvs.openbsd.org 2013/11/07 03:55:41
...
[regress/kextype.sh]
Use ssh -Q to get kex types instead of a static list.
2013-11-07 15:26:12 +11:00
Darren Tucker
a955041c93
- dtucker@cvs.openbsd.org 2013/11/07 02:48:38
...
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
Use ssh -Q instead of hardcoding lists of ciphers or MACs.
2013-11-07 15:21:19 +11:00
Darren Tucker
06595d6395
- dtucker@cvs.openbsd.org 2013/11/07 01:12:51
...
[regress/rekey.sh]
Factor out the data transfer rekey tests
2013-11-07 15:08:02 +11:00
Darren Tucker
651dc8b259
- dtucker@cvs.openbsd.org 2013/11/07 00:12:05
...
[regress/rekey.sh]
Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
the GCM ciphers.
2013-11-07 15:04:44 +11:00
Darren Tucker
234557762b
- dtucker@cvs.openbsd.org 2013/11/04 12:27:42
...
[regress/rekey.sh]
Test rekeying with all KexAlgorithms.
2013-11-07 15:00:51 +11:00
Darren Tucker
bbfb9b0f38
- markus@cvs.openbsd.org 2013/11/02 22:39:53
...
[regress/kextype.sh]
add curve25519-sha256@libssh.org
2013-11-07 14:56:43 +11:00
Darren Tucker
aa19548a98
- djm@cvs.openbsd.org 2013/10/09 23:44:14
...
[regress/Makefile] (ID sync only)
regression test for sftp request white/blacklisting and readonly mode.
2013-11-07 14:50:09 +11:00
Damien Miller
c8908aabff
- djm@cvs.openbsd.org 2013/11/06 23:05:59
...
[ssh-pkcs11.c]
from portable: s/true/true_val/ to avoid name collisions on dump platforms
RCSID sync only
2013-11-07 13:38:35 +11:00
Damien Miller
49c145c5e8
- markus@cvs.openbsd.org 2013/11/06 16:52:11
...
[monitor_wrap.c]
fix rekeying for AES-GCM modes; ok deraadt
2013-11-07 13:35:39 +11:00
Damien Miller
67a8800f29
- markus@cvs.openbsd.org 2013/11/04 11:51:16
...
[monitor.c]
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
RCSID sync only; I thought this was a merge botch and fixed it already
2013-11-07 13:32:51 +11:00
Damien Miller
df8b030b15
- (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
...
that lack it but have arc4random_uniform()
2013-11-07 13:28:16 +11:00
Damien Miller
a6fd1d3c38
- (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
2013-11-07 12:03:26 +11:00
Damien Miller
c98319750b
- (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
2013-11-07 12:00:23 +11:00
Damien Miller
61c5c2319e
- (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
...
that got lost in recent merge.
2013-11-07 11:34:14 +11:00
Damien Miller
094003f545
- (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
...
KEX/curve25519 change
2013-11-04 22:59:27 +11:00
Damien Miller
ca67a7eaf8
- djm@cvs.openbsd.org 2013/11/03 10:37:19
...
[roaming_common.c]
fix a couple of function definitions foo() -> foo(void)
(-Wold-style-definition)
2013-11-04 09:05:17 +11:00
Damien Miller
0bd8f1519d
- markus@cvs.openbsd.org 2013/11/02 22:39:19
...
[ssh_config.5 sshd_config.5]
the default kex is now curve25519-sha256@libssh.org
2013-11-04 08:55:43 +11:00
Damien Miller
4c3ba0767f
- markus@cvs.openbsd.org 2013/11/02 22:34:01
...
[auth-options.c]
no need to include monitor_wrap.h and ssh-gss.h
2013-11-04 08:40:13 +11:00
Damien Miller
660621b210
- markus@cvs.openbsd.org 2013/11/02 22:24:24
...
[kexdhs.c kexecdhs.c]
no need to include ssh-gss.h
2013-11-04 08:37:51 +11:00
Damien Miller
abdca986de
- markus@cvs.openbsd.org 2013/11/02 22:10:15
...
[kexdhs.c kexecdhs.c]
no need to include monitor_wrap.h
2013-11-04 08:30:05 +11:00
Damien Miller
1e1242604e
- markus@cvs.openbsd.org 2013/11/02 21:59:15
...
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
use curve25519 for default key exchange (curve25519-sha256@libssh.org );
initial patch from Aris Adamantiadis; ok djm@
2013-11-04 08:26:52 +11:00
Damien Miller
d2252c7919
- markus@cvs.openbsd.org 2013/11/02 20:03:54
...
[ssh-pkcs11.c]
support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
fixes bz#1908; based on patch from Laurent Barbe; ok djm
2013-11-04 07:41:48 +11:00
Darren Tucker
007e3b357e
- (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
...
for platforms that don't have them.
2013-11-03 18:43:55 +11:00
Darren Tucker
710f374735
- (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd
...
vsnprintf. From eric at openbsd via chl@.
2013-11-03 17:20:34 +11:00
Darren Tucker
d527704523
- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
...
From OpenSMTPD where it prevents "implicit declaration" warnings (it's
a no-op in OpenSSH). From chl at openbsd.
2013-11-03 16:30:46 +11:00
Damien Miller
63857c9340
- jmc@cvs.openbsd.org 2013/10/29 18:49:32
...
[sshd_config.5]
pty(4), not pty(7);
2013-10-30 22:31:06 +11:00
Damien Miller
5ff30c6b68
- djm@cvs.openbsd.org 2013/10/29 09:48:02
...
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
2013-10-30 22:21:50 +11:00
Damien Miller
4a3a9d4bbf
- djm@cvs.openbsd.org 2013/10/29 09:42:11
...
[key.c key.h]
fix potential stack exhaustion caused by nested certificates;
report by Mateusz Kocielski; ok dtucker@ markus@
2013-10-30 22:19:47 +11:00
Damien Miller
28631ceaa7
- djm@cvs.openbsd.org 2013/10/25 23:04:51
...
[ssh.c]
fix crash when using ProxyCommand caused by previous commit - was calling
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
2013-10-26 10:07:56 +11:00
Damien Miller
26506ad293
- (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
...
unnecessary arc4random_stir() calls. The only ones left are to ensure
that the PRNG gets a different state after fork() for platforms that
have broken the API.
2013-10-26 10:05:46 +11:00
Tim Rice
bd43e88723
- (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
2013-10-24 12:22:49 -07:00
Damien Miller
a90c033808
- djm@cvs.openbsd.org 2013/10/24 08:19:36
...
[ssh.c]
fix bug introduced in hostname canonicalisation commit: don't try to
resolve hostnames when a ProxyCommand is set unless the user has forced
canonicalisation; spotted by Iain Morgan
2013-10-24 21:03:17 +11:00