that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@
OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.
OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
keying in debug messages. Previously it would be difficult to tell which
direction it was talking about
OpenBSD-Commit-ID: c2b71bfcceb2a7389b9d0b497fb2122a406a522d
parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
use this to give packet-related fatal error messages more context (esp. the
remote endpoint) ok markus@
OpenBSD-Commit-ID: de57211f9543426b515a8a10a4f481666b2b2a50
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
Some versions of OpenSSL have "free_func" in their headers, which zlib
typedefs. Including openssl after zlib (eg via sshkey.h) results in
"syntax error before `free_func'", which this fixes.
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.
ok markus@
OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.
ok markus@
OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
the error path instead of trying to read from the socket on the way out,
which resets errno and causes the true error to be misreported. ok djm@
OpenBSD-Commit-ID: 2614edaadbd05a957aa977728aa7a030af7c6f0a
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth
to post-auth unpriviledged child processes; ok markus@
OpenBSD-Commit-ID: 4a35bc7af0a5f8a232d1361f79f4ebc376137302
Put remote client info back into the ClientAlive
connection termination message. Based in part on diff from lars.nooden at
gmail, ok djm
OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0
Add monotime_ts and monotime_tv that return monotonic
timespec and timeval respectively. Replace calls to gettimeofday() in packet
timing with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6 at
huawei.com. "I like" markus@
OpenBSD-Commit-ID: 74d684264814ff806f197948b87aa732cb1b0b8a
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
Allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default; ok dtucker@
Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
don't pass pointer to struct sshcipher between privsep
processes, just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker
Upstream-ID: 2eab434c09bdf549dafd7da3e32a0d2d540adbe0
Fix compression output stats broken in rev 1.201. Patch
originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok
djm@
Upstream-ID: 83a1903b95ec2e4ed100703debb4b4a313b01016
I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@
Upstream-ID: fb7e75d2b2c7e6ca57dee00ca645e322dd49adbf
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
remove the (in)famous SSHv1 CRC compensation attack
detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
Upstream-ID: 44261fce51a56d93cdb2af7b6e184be629f667e0
Don't count the initial block twice when computing how
many bytes to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
small memleak: free fd_set on connection timeout (though
we are heading to exit anyway). From Tom Rix in bz#2683
Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
add ssh_packet_set_log_preamble() to allow inclusion of a
preamble string in disconnect messages; ok markus@
Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
markus@openbsd.org
djm@openbsd.org
dtucker@openbsd.org
tobhe@openbsd.org
Darren Tucker
deraadt@openbsd.org
sf@openbsd.org
Damien Miller
dtucker@openbsd.org@openbsd.org
naddy@openbsd.org