djm@openbsd.org
669aee9943
upstream commit
...
permit KRLs that revoke certificates by serial number or
key ID without scoping to a particular CA; ok markus@
2015-01-30 12:17:07 +11:00
djm@openbsd.org
7a2c368477
upstream commit
...
missing parentheses after if in do_convert_from() broke
private key conversion from other formats some time in 2010; bz#2345 reported
by jjelen AT redhat.com
2015-01-30 12:16:33 +11:00
djm@openbsd.org
25f5f78d8b
upstream commit
...
fix ssh protocol 1, spotted by miod@
2015-01-30 12:16:33 +11:00
djm@openbsd.org
9ce86c926d
upstream commit
...
update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values; ok markus
2015-01-29 10:18:56 +11:00
djm@openbsd.org
9125525c37
upstream commit
...
avoid fatal() calls in packet code makes ssh-keyscan more
reliable against server failures ok dtucker@ markus@
2015-01-29 09:08:07 +11:00
djm@openbsd.org
fae7bbe544
upstream commit
...
avoid fatal() calls in packet code makes ssh-keyscan more
reliable against server failures ok dtucker@ markus@
2015-01-29 09:08:07 +11:00
djm@openbsd.org
1a3d14f6b4
upstream commit
...
remove obsolete comment
2015-01-29 09:08:07 +11:00
okan@openbsd.org
80c25b7bc0
upstream commit
...
Since r1.2 removed the use of PRI* macros, inttypes.h is
no longer required.
ok djm@
2015-01-29 09:08:06 +11:00
Damien Miller
69ff64f696
compile on systems without TCP_MD5SIG (e.g. OSX)
2015-01-27 23:07:43 +11:00
Damien Miller
358964f308
use ssh-keygen under test rather than system's
2015-01-27 23:07:25 +11:00
Damien Miller
a2c95c1bf3
OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX
2015-01-27 23:06:59 +11:00
Damien Miller
ade31d7b6f
these need active_state defined to link on OSX
...
temporary measure until active_state goes away entirely
2015-01-27 23:06:23 +11:00
djm@openbsd.org
e56aa87502
upstream commit
...
use printf instead of echo -n to reduce diff against
-portable
2015-01-27 23:03:15 +11:00
jmc@openbsd.org
9f7637f56e
upstream commit
...
sort previous;
2015-01-27 23:02:44 +11:00
djm@openbsd.org
3076ee7d53
upstream commit
...
properly restore umask
2015-01-27 00:37:35 +11:00
djm@openbsd.org
d411d39555
upstream commit
...
regression test for host key rotation
2015-01-27 00:03:53 +11:00
djm@openbsd.org
fe8a3a5169
upstream commit
...
adapt to sshkey API tweaks
2015-01-27 00:03:31 +11:00
miod@openbsd.org
7dd355fb1f
upstream commit
...
Move -lz late in the linker commandline for things to
build on static arches.
2015-01-27 00:03:30 +11:00
miod@openbsd.org
0dad3b806f
upstream commit
...
-Wpointer-sign is supported by gcc 4 only.
2015-01-27 00:03:30 +11:00
djm@openbsd.org
2b3b1c1e4b
upstream commit
...
use SUBDIR to recuse into unit tests; makes "make obj"
actually work
2015-01-27 00:03:12 +11:00
djm@openbsd.org
1d1092bff8
upstream commit
...
correct description of UpdateHostKeys in ssh_config.5 and
add it to -o lists for ssh, scp and sftp; pointed out by jmc@
2015-01-27 00:00:58 +11:00
djm@openbsd.org
5104db7cbd
upstream commit
...
correctly match ECDSA subtype (== curve) for
offered/recevied host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type (an extremely
unlikely configuration).
ok markus, "looks mechanical" deraadt@
2015-01-27 00:00:57 +11:00
djm@openbsd.org
8d4f87258f
upstream commit
...
Host key rotation support.
Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host key after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default on).
ok markus@
2015-01-27 00:00:57 +11:00
djm@openbsd.org
60b1825262
upstream commit
...
small refactor and add some convenience functions; ok
markus
2015-01-27 00:00:36 +11:00
jmc@openbsd.org
a5a3e3328d
upstream commit
...
heirarchy -> hierarchy;
2015-01-26 23:58:54 +11:00
deraadt@openbsd.org
dcff5810a1
upstream commit
...
Provide a warning about chroot misuses (which sadly, seem
to have become quite popular because shiny). sshd cannot detect/manage/do
anything about these cases, best we can do is warn in the right spot in the
man page. ok markus
2015-01-26 23:58:53 +11:00
deraadt@openbsd.org
087266ec33
upstream commit
...
Reduce use of <sys/param.h> and transition to <limits.h>
throughout. ok djm markus
2015-01-26 23:58:53 +11:00
markus@openbsd.org
57e783c8ba
upstream commit
...
kex_setup errors are fatal()
2015-01-26 23:53:56 +11:00
djm@openbsd.org
1d6424a6ff
upstream commit
...
this test would accidentally delete agent.sh if run without
obj/
2015-01-20 19:03:08 +11:00
djm@openbsd.org
12b5f50777
upstream commit
...
make this compile with KERBEROS5 enabled
2015-01-20 18:58:37 +11:00
djm@openbsd.org
e2cc6bef08
upstream commit
...
fix hostkeys in agent; ok markus@
2015-01-20 18:58:36 +11:00
Damien Miller
1ca3e2155a
fix kex test
2015-01-20 10:11:31 +11:00
markus@openbsd.org
c78a578107
upstream commit
...
finally enable the KEX tests I wrote some years ago...
2015-01-20 09:50:34 +11:00
markus@openbsd.org
31821d7217
upstream commit
...
adapt to new error message (SSH_ERR_MAC_INVALID)
2015-01-20 09:46:48 +11:00
djm@openbsd.org
d3716ca19e
upstream commit
...
this test was broken in at least two ways, such that it
wasn't checking that a KRL was not excluding valid keys
2015-01-20 09:45:56 +11:00
markus@openbsd.org
3f79765374
upstream commit
...
switch ssh-keyscan from setjmp to multiple ssh transport
layer instances ok djm@
2015-01-20 09:24:11 +11:00
markus@openbsd.org
f582f0e917
upstream commit
...
add experimental api for packet layer; ok djm@
2015-01-20 09:23:46 +11:00
markus@openbsd.org
48b3b2ba75
upstream commit
...
store compat flags in struct ssh; ok djm@
2015-01-20 09:19:40 +11:00
markus@openbsd.org
57d10cbe86
upstream commit
...
adapt kex to sshbuf and struct ssh; ok djm@
2015-01-20 09:19:39 +11:00
markus@openbsd.org
3fdc88a0de
upstream commit
...
move dispatch to struct ssh; ok djm@
2015-01-20 09:14:16 +11:00
markus@openbsd.org
091c302829
upstream commit
...
update packet.c & isolate, introduce struct ssh a) switch
packet.c to buffer api and isolate per-connection info into struct ssh b)
(de)serialization of the state is moved from monitor to packet.c c) the old
packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
integrated into packet.c with and ok djm@
2015-01-20 09:13:01 +11:00
djm@openbsd.org
4e62cc68ce
upstream commit
...
fix format strings in (disabled) debugging
2015-01-20 08:33:01 +11:00
djm@openbsd.org
d85e062459
upstream commit
...
be a bit more careful in these tests to ensure that
known_hosts is clean
2015-01-20 00:26:13 +11:00
djm@openbsd.org
7947810eab
upstream commit
...
regression test for known_host file editing using
ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok
markus@
2015-01-20 00:26:13 +11:00
djm@openbsd.org
3a2b09d147
upstream commit
...
more and better key tests
test signatures and verification
test certificate generation
flesh out nested cert test
removes most of the XXX todo markers
2015-01-20 00:25:12 +11:00
djm@openbsd.org
589e69fd82
upstream commit
...
make the signature fuzzing test much more rigorous:
ensure that the fuzzed input cases do not match the original (using new
fuzz_matches_original() function) and check that the verification fails in
each case
2015-01-20 00:24:40 +11:00
djm@openbsd.org
80603c0daa
upstream commit
...
add a fuzz_matches_original() function to the fuzzer to
detect fuzz cases that are identical to the original data. Hacky
implementation, but very useful when you need the fuzz to be different, e.g.
when verifying signature
2015-01-20 00:24:39 +11:00
djm@openbsd.org
87d5495bd3
upstream commit
...
better dumps from the fuzzer (shown on errors) -
include the original data as well as the fuzzed copy.
2015-01-20 00:24:39 +11:00
djm@openbsd.org
d59ec478c4
upstream commit
...
enable hostkey-agent.sh test
2015-01-20 00:24:17 +11:00
djm@openbsd.org
26b3425170
upstream commit
...
unit test for hostkeys in ssh-agent
2015-01-20 00:23:43 +11:00