Commit Graph

7257 Commits

Author SHA1 Message Date
Damien Miller fb3423b612 - markus@cvs.openbsd.org 2014/02/26 21:53:37
[sshd.c]
     ssh_gssapi_prepare_supported_oids needs GSSAPI
2014-02-27 10:20:07 +11:00
Damien Miller 1348129a34 - djm@cvs.openbsd.org 2014/02/26 20:29:29
[channels.c]
     don't assume that the socks4 username is \0 terminated;
     spotted by Ben Hawkes; ok markus@
2014-02-27 10:18:32 +11:00
Damien Miller e6a74aeeac - djm@cvs.openbsd.org 2014/02/26 20:28:44
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
     sandboxing, as running this code in the sandbox can cause violations;
     ok markus@
2014-02-27 10:17:49 +11:00
Damien Miller 08b57c67f3 - djm@cvs.openbsd.org 2014/02/26 20:18:37
[ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
2014-02-27 10:17:13 +11:00
Damien Miller 13f97b2286 - djm@cvs.openbsd.org 2014/02/23 20:11:36
[readconf.c readconf.h ssh.c ssh_config.5]
     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
     the hostname. This allows users to write configurations that always
     refer to canonical hostnames, e.g.

     CanonicalizeHostname yes
     CanonicalDomains int.example.org example.org
     CanonicalizeFallbackLocal no

     Host *.int.example.org
         Compression off
     Host *.example.org
         User djm

     ok markus@
2014-02-24 15:57:55 +11:00
Damien Miller bee3a234f3 - djm@cvs.openbsd.org 2014/02/23 20:03:42
[ssh-ed25519.c]
     check for unsigned overflow; not reachable in OpenSSH but others might
     copy our code...
2014-02-24 15:57:22 +11:00
Damien Miller 0628780abe - djm@cvs.openbsd.org 2014/02/22 01:32:19
[readconf.c]
     when processing Match blocks, skip 'exec' clauses if previous predicates
     failed to match; ok markus@
2014-02-24 15:56:45 +11:00
Damien Miller 0890dc8191 - djm@cvs.openbsd.org 2014/02/15 23:05:36
[channels.c]
     avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
     bz#2200, debian#738692 via Colin Watson; ok dtucker@
2014-02-24 15:56:07 +11:00
Damien Miller d3cf67e111 - djm@cvs.openbsd.org 2014/02/07 06:55:54
[cipher.c mac.c]
     remove some logging that makes ssh debugging output very verbose;
     ok markus
2014-02-24 15:55:36 +11:00
Tim Rice 03ae081aea 20140221
- (tim) [configure.ac]  Fix cut-and-paste error. Patch from Bryan Drewery.
2014-02-21 09:09:34 -08:00
Darren Tucker 4a20959d2e - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
2014-02-13 16:38:32 +11:00
Damien Miller d1a7a9c0fd - djm@cvs.openbsd.org 2014/02/06 22:21:01
[sshconnect.c]
     in ssh_create_socket(), only do the getaddrinfo for BindAddress when
     BindAddress is actually specified. Fixes regression in 6.5 for
     UsePrivilegedPort=yes; patch from Corinna Vinschen
2014-02-07 09:24:33 +11:00
Damien Miller 6ce35b6cc4 - naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
     while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
Damien Miller 6434cb2cfb - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
__NR_shutdown; some go via the socketcall(2) multiplexer.
2014-02-06 11:17:50 +11:00
Darren Tucker 8d36f9ac71 - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
before freeing since free(NULL) is a no-op.  ok djm.
2014-02-06 10:44:13 +11:00
Damien Miller a0959da368 - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
headers/libc but not supported by the kernel. Patch from Loganaden
   Velvindron @ AfriNIC
2014-02-05 10:33:45 +11:00
Damien Miller 9c449bc183 - (djm) [regress/setuid-allowed.c] Missing string.h for strerror() 2014-02-04 11:38:28 +11:00
Damien Miller bf7e0f03be - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o 2014-02-04 11:37:50 +11:00
Damien Miller eb6d870a0e - djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
     delay lowercasing of hostname until right before hostname
     canonicalisation to unbreak case-sensitive matching of ssh_config;
     reported by Ike Devolder; ok markus@
2014-02-04 11:26:34 +11:00
Damien Miller d56b44d2df - djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
     delay lowercasing of hostname until right before hostname
     canonicalisation to unbreak case-sensitive matching of ssh_config;
     reported by Ike Devolder; ok markus@
2014-02-04 11:26:04 +11:00
Damien Miller db3c595ea7 - djm@cvs.openbsd.org 2014/02/02 03:44:31
[digest-libc.c digest-openssl.c]
     convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:25:45 +11:00
Damien Miller aae07e2e20 - djm@cvs.openbsd.org 2014/02/03 23:28:00
[ssh-ecdsa.c]
     fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
     DSA_SIG_new. Reported by Batz Spear; ok markus@
2014-02-04 11:20:40 +11:00
Damien Miller a5103f413b - djm@cvs.openbsd.org 2014/02/02 03:44:32
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
     [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
     [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
     [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
     [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c]
     convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:20:14 +11:00
Damien Miller 1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Damien Miller 3928de067c - djm@cvs.openbsd.org 2014/01/30 22:26:14
[sandbox-systrace.c]
     allow shutdown(2) syscall in sandbox - it may be called by packet_close()
     from portable
     (Id sync only; change is already in portable)
2014-02-04 11:13:54 +11:00
Damien Miller e1e480aee8 - jmc@cvs.openbsd.org 2014/01/29 14:04:51
[sshd_config.5]
     document kbdinteractiveauthentication;
     requested From: Ross L Richardson

     dtucker/markus helped explain its workings;
2014-02-04 11:13:17 +11:00
Damien Miller 7cc194f70d - djm@cvs.openbsd.org 2014/01/29 06:18:35
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
     [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
     [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
     remove experimental, never-enabled JPAKE code; ok markus@
2014-02-04 11:12:56 +11:00
Damien Miller b0f26544cf - djm@cvs.openbsd.org 2014/01/29 00:19:26
[sshd.c]
     use kill(0, ...) instead of killpg(0, ...); on most operating systems
     they are equivalent, but SUSv2 describes the latter as having undefined
     behaviour; from portable; ok dtucker
     (Id sync only; change is already in portable)
2014-02-04 11:10:01 +11:00
Damien Miller f8f35bc471 - jmc@cvs.openbsd.org 2014/01/28 14:13:39
[ssh-keyscan.1]
     kill some bad Pa;
     From: Jan Stary
2014-02-04 11:09:12 +11:00
Damien Miller 0ba85d696a ignore a few more regress droppings 2014-02-04 11:08:38 +11:00
Damien Miller ec93d15170 - markus@cvs.openbsd.org 2014/01/27 20:13:46
[digest.c digest-openssl.c digest-libc.c Makefile.in]
     rename digest.c to digest-openssl.c and add libc variant; ok djm@
2014-02-04 11:07:13 +11:00
Damien Miller 4a1c7aa640 - markus@cvs.openbsd.org 2014/01/27 19:18:54
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
     replace openssl MD5 with our ssh_digest_*; ok djm@
2014-02-04 11:03:36 +11:00
Damien Miller 4e8d937af7 - markus@cvs.openbsd.org 2014/01/27 18:58:14
[Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
     replace openssl HMAC with an implementation based on our ssh_digest_*
     ok and feedback djm@
2014-02-04 11:02:42 +11:00
Tim Rice 69d0d09f76 - (tim) [Makefile.in] build regress/setuid-allow. 2014-01-31 14:25:18 -08:00
Darren Tucker 0eeafcd76b - (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes
build with HP-UX's compiler.  Patch from Kevin Brott.
2014-01-31 14:18:51 +11:00
Damien Miller 7e5cec6070 - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.
2014-01-31 09:25:34 +11:00
Damien Miller cdb6c90811 - (djm) Release openssh-6.5p1 2014-01-30 12:50:17 +11:00
Damien Miller 996ea80b18 trim entries prior to openssh-6.0p1 2014-01-30 12:49:55 +11:00
Damien Miller f5bbd3b657 - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
different symbols for 'read' when various compiler flags are
   in use, causing atomicio.c comparisons against it to break and
   read/write operations to hang; ok dtucker
2014-01-30 11:26:46 +11:00
Damien Miller c2868192dd - (djm) [configure.ac] Only check for width-specified integer types
in headers that actually exist. patch from Tom G. Christensen;
   ok dtucker@
2014-01-30 10:21:19 +11:00
Damien Miller c161fc90fc - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
Tom G. Christensen
2014-01-29 21:01:33 +11:00
Tim Rice 6f917ad376 - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
when used as an error message inside an if statement so we display the
   correct into. agent.sh patch from Petr Lautrbach.
2014-01-28 10:26:25 -08:00
Damien Miller ab16ef4152 - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
latter being specified to have undefined behaviour in SUSv3;
   ok dtucker
2014-01-28 15:08:12 +11:00
Damien Miller ab03949058 - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;
ok dtucker
2014-01-28 15:07:10 +11:00
Darren Tucker 4ab20a82d4 - (dtucker) [Makefile.in] Remove trailing backslash which some make
implementations (eg older Solaris) do not cope with.
2014-01-27 17:35:04 +11:00
Darren Tucker e7e8b3cfe9 Welcome to 2014 2014-01-27 17:32:50 +11:00
Damien Miller 5b447c0aac - (djm) [configure.ac] correct AC_DEFINE for previous. 2014-01-26 09:46:53 +11:00
Damien Miller 2035b2236d - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
    libc will attempt to open additional file descriptors for crypto
    offload and crash if they cannot be opened.
2014-01-26 09:39:53 +11:00
Damien Miller a92ac74104 - markus@cvs.openbsd.org 2014/01/25 20:35:37
[kex.c]
     dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
     ok dtucker@, noted by mancha
2014-01-26 09:38:03 +11:00
Damien Miller 76eea4ab4e - dtucker@cvs.openbsd.org 2014/01/25 10:12:50
[cipher.c cipher.h kex.c kex.h kexgexc.c]
     Add a special case for the DH group size for 3des-cbc, which has an
     effective strength much lower than the key size.  This causes problems
     with some cryptlib implementations, which don't support group sizes larger
     than 4k but also don't use the largest group size it does support as
     specified in the RFC.  Based on a patch from Petr Lautrbach at Redhat,
     reduced by me with input from Markus.  ok djm@ markus@
2014-01-26 09:37:25 +11:00