9134 lines
298 KiB
Plaintext
9134 lines
298 KiB
Plaintext
commit e91346dc2bbf460246df2ab591b7613908c1b0ad
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 14:49:03 2015 +1000
|
|
|
|
we don't use Github for issues/pull-requests
|
|
|
|
commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 14:43:55 2015 +1000
|
|
|
|
fix URL for connect.c
|
|
|
|
commit d026a8d3da0f8186598442997c7d0a28e7275414
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 13:47:10 2015 +1000
|
|
|
|
update version numbers for 7.1
|
|
|
|
commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 03:45:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-7.1
|
|
|
|
Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
|
|
|
|
commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 03:42:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix inverted logic that broke PermitRootLogin; reported
|
|
by Mantas Mikulenas; ok markus@
|
|
|
|
Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
|
|
|
|
commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Aug 20 22:32:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Do not cast result of malloc/calloc/realloc* if stdlib.h
|
|
is in scope ok krw millert
|
|
|
|
Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
|
|
|
|
commit 05291e5288704d1a98bacda269eb5a0153599146
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Thu Aug 20 19:20:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
In the certificates section, be consistent about using
|
|
"host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
|
|
|
|
Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
|
|
|
|
commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:21:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Better compat matching for WinSCP, add compat matching
|
|
for FuTTY (fork of PuTTY); ok markus@ deraadt@
|
|
|
|
Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
|
|
|
|
commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:19:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix double-free() in error path of DSA key generation
|
|
reported by Mateusz Kocielski; ok markus@
|
|
|
|
Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
|
|
|
|
commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:18:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix free() of uninitialised pointer reported by Mateusz
|
|
Kocielski; ok markus@
|
|
|
|
Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
|
|
|
|
commit c837643b93509a3ef538cb6624b678c5fe32ff79
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:17:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fixed unlink([uninitialised memory]) reported by Mateusz
|
|
Kocielski; ok markus@
|
|
|
|
Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
|
|
|
|
commit 1f8d3d629cd553031021068eb9c646a5f1e50994
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Aug 14 15:32:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
match myproposal.h order; from brian conway (i snuck in a
|
|
tweak while here)
|
|
|
|
ok dtucker
|
|
|
|
Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
|
|
|
|
commit 1dc8d93ce69d6565747eb44446ed117187621b26
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Aug 6 14:53:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add prohibit-password as a synonymn for without-password,
|
|
since the without-password is causing too many questions. Harden it to ban
|
|
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
|
|
djm, ok markus
|
|
|
|
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
|
|
|
|
commit 90a95a4745a531b62b81ce3b025e892bdc434de5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:53:41 2015 +1000
|
|
|
|
update version in README
|
|
|
|
commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:53:09 2015 +1000
|
|
|
|
update versions in *.spec
|
|
|
|
commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:34:12 2015 +1000
|
|
|
|
set sshpam_ctxt to NULL after free
|
|
|
|
Avoids use-after-free in monitor when privsep child is compromised.
|
|
Reported by Moritz Jodeit; ok dtucker@
|
|
|
|
commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:33:24 2015 +1000
|
|
|
|
Don't resend username to PAM; it already has it.
|
|
|
|
Pointed out by Moritz Jodeit; ok dtucker@
|
|
|
|
commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 27 12:14:25 2015 +1000
|
|
|
|
Import updated moduli file from OpenBSD.
|
|
|
|
commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Aug 10 11:13:44 2015 +1000
|
|
|
|
let principals-command.sh work for noexec /var/run
|
|
|
|
commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Aug 6 11:43:42 2015 +1000
|
|
|
|
work around echo -n / sed behaviour in tests
|
|
|
|
commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 5 05:27:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust for RSA minimum modulus switch; ok deraadt@
|
|
|
|
Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
|
|
|
|
commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 4 05:23:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
|
|
release; problems spotted by sthen@ ok deraadt@ markus@
|
|
|
|
Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
|
|
|
|
commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Aug 2 09:56:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh 7.0; ok deraadt@
|
|
|
|
Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
|
|
|
|
commit 3d5728a0f6874ce4efb16913a12963595070f3a9
|
|
Author: chris@openbsd.org <chris@openbsd.org>
|
|
Date: Fri Jul 31 15:38:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow PermitRootLogin to be overridden by config
|
|
|
|
ok markus@ deeradt@
|
|
|
|
Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
|
|
|
|
commit 6f941396b6835ad18018845f515b0c4fe20be21a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jul 30 23:09:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix pty permissions; patch from Nikolay Edigaryev; ok
|
|
deraadt
|
|
|
|
Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
|
|
|
|
commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Jul 30 19:23:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
change default: PermitRootLogin without-password matching
|
|
install script changes coming as well ok djm markus
|
|
|
|
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
|
|
|
|
commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 30 12:31:39 2015 +1000
|
|
|
|
downgrade OOM adjustment logging: verbose -> debug
|
|
|
|
commit f9eca249d4961f28ae4b09186d7dc91de74b5895
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jul 30 00:01:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow ssh_config and sshd_config kex parameters options be
|
|
prefixed by a '+' to indicate that the specified items be appended to the
|
|
default rather than replacing it.
|
|
|
|
approach suggested by dtucker@, feedback dlg@, ok markus@
|
|
|
|
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
|
|
|
|
commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 29 08:34:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix bug in previous; was printing incorrect string for
|
|
failed host key algorithms negotiation
|
|
|
|
Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
|
|
|
|
commit f319912b0d0e1675b8bb051ed8213792c788bcb2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 29 04:43:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
include the peer's offer when logging a failure to
|
|
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
|
|
|
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
|
|
|
|
commit b6ea0e573042eb85d84defb19227c89eb74cf05a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jul 28 23:20:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add Cisco to the list of clients that choke on the
|
|
hostkeys update extension. Pointed out by Howard Kash
|
|
|
|
Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
|
|
|
|
commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Mon Jul 27 16:29:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Permit kbind(2) use in the sandbox now, to ease testing
|
|
of ld.so work using it
|
|
|
|
reminded by miod@, ok deraadt@
|
|
|
|
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
|
|
|
|
commit ebe27ebe520098bbc0fe58945a87ce8490121edb
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Jul 20 18:44:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
|
|
Noticed by jmc@
|
|
|
|
Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
|
|
|
|
commit d5d91d0da819611167782c66ab629159169d94d4
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Jul 20 18:42:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Sync usage with SYNOPSIS
|
|
|
|
Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
|
|
|
|
commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Jul 20 15:39:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Better desciption of Unix domain socket forwarding.
|
|
bz#2423; ok jmc@
|
|
|
|
Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
|
|
|
|
commit d56fd1828074a4031b18b8faa0bf949669eb18a0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Jul 20 11:19:51 2015 +1000
|
|
|
|
make realpath.c compile -Wsign-compare clean
|
|
|
|
commit c63c9a691dca26bb7648827f5a13668832948929
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jul 20 00:30:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention that the default of UseDNS=no implies that
|
|
hostnames cannot be used for host matching in sshd_config and
|
|
authorized_keys; bz#2045, ok dtucker@
|
|
|
|
Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
|
|
|
|
commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 18 08:02:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't ignore PKCS#11 hosted keys that return empty
|
|
CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
|
|
|
|
Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
|
|
|
|
commit b15fd989c8c62074397160147a8d5bc34b3f3c63
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 18 08:00:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
|
|
in bz#2427 ok markus@
|
|
|
|
Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
|
|
|
|
commit 5b64f85bb811246c59ebab70aed331f26ba37b18
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 18 07:57:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
only query each keyboard-interactive device once per
|
|
authentication request regardless of how many times it is listed; ok markus@
|
|
|
|
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
|
|
|
|
commit cd7324d0667794eb5c236d8a4e0f236251babc2d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 03:34:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove -u flag to diff (only used for error output) to make
|
|
things easier for -portable
|
|
|
|
Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
|
|
|
|
commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 03:09:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
direct-streamlocal@openssh.com Unix domain foward
|
|
messages do not contain a "reserved for future use" field and in fact,
|
|
serverloop.c checks that there isn't one. Remove erroneous mention from
|
|
PROTOCOL description. bz#2421 from Daniel Black
|
|
|
|
Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
|
|
|
|
commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 03:04:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
describe magic for setting up Unix domain socket fowards
|
|
via the mux channel; bz#2422 patch from Daniel Black
|
|
|
|
Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
|
|
|
|
commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jul 17 12:52:34 2015 +1000
|
|
|
|
Check if realpath works on nonexistent files.
|
|
|
|
On some platforms the native realpath doesn't work with non-existent
|
|
files (this is actually specified in some versions of POSIX), however
|
|
the sftp spec says its realpath with "canonicalize any given path name".
|
|
On those platforms, use realpath from the compat library.
|
|
|
|
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
|
|
the realpath symbol to the checked version, so redefine ours to
|
|
something else so we pick up the compat version we want.
|
|
|
|
bz#2428, ok djm@
|
|
|
|
commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 02:47:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix incorrect test for SSH1 keys when compiled without SSH1
|
|
support
|
|
|
|
Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
|
|
|
|
commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 15 08:00:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix NULL-deref when SSH1 reenabled
|
|
|
|
Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
|
|
|
|
commit 41e38c4d49dd60908484e6703316651333f16b93
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 15 07:19:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regen RSA1 test keys; the last batch was missing their
|
|
private parts
|
|
|
|
Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
|
|
|
|
commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Jul 10 06:23:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Adapt tests, now that DSA if off by default; use
|
|
PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
|
|
|
|
Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
|
|
|
|
commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jul 7 14:54:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regen test data after mktestdata.sh changes
|
|
|
|
Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
|
|
|
|
commit 7c8c174c69f681d4910fa41c37646763692b28e2
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jul 7 14:53:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt tests to new minimum RSA size and default FP format
|
|
|
|
Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
|
|
|
|
commit 6a977a4b68747ade189e43d302f33403fd4a47ac
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 04:39:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
legacy v00 certificates are gone; adapt and don't try to
|
|
test them; "sure" markus@ dtucker@
|
|
|
|
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
|
|
|
|
commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 23:11:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't expect SSH v.1 in unittests
|
|
|
|
Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
|
|
|
|
commit 3c099845798a817cdde513c39074ec2063781f18
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 15 06:38:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
turn SSH1 back on to match src/usr.bin/ssh being tested
|
|
|
|
Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
|
|
|
|
commit b1dc2b33689668c75e95f873a42d5aea1f4af1db
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Jul 13 04:57:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add "PuTTY_Local:" to the clients to which we do not
|
|
offer DH-GEX. This was the string that was used for development versions
|
|
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
|
|
there are some extant products based on those versions. bx2424 from Jay
|
|
Rouman, ok markus@ djm@
|
|
|
|
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
|
|
|
|
commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Jul 10 06:21:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
|
|
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
|
|
tested or turned back on; feedback and ok djm@
|
|
|
|
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
|
|
commit 16db0a7ee9a87945cc594d13863cfcb86038db59
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jul 9 09:49:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
re-enable ed25519-certs if compiled w/o openssl; ok djm
|
|
|
|
Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
|
|
|
|
commit c355bf306ac33de6545ce9dac22b84a194601e2f
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 20:24:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
no need to include the old buffer/key API
|
|
|
|
Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
|
|
|
|
commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 19:09:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
typedefs for Cipher&CipherContext are unused
|
|
|
|
Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
|
|
|
|
commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 19:04:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
xmalloc.h is unused
|
|
|
|
Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
|
|
|
|
commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 19:01:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
compress.c is gone
|
|
|
|
Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
|
|
|
|
commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 04:05:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
|
|
cranking
|
|
|
|
Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
|
|
|
|
commit b1f383da5cd3cb921fc7776f17a14f44b8a31757
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:56:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add an XXX reminder for getting correct key paths from
|
|
sshd_config
|
|
|
|
Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
|
|
|
|
commit 933935ce8d093996c34d7efa4d59113163080680
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:49:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
refuse to generate or accept RSA keys smaller than 1024
|
|
bits; feedback and ok dtucker@
|
|
|
|
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
|
|
|
|
commit bdfd29f60b74f3e678297269dc6247a5699583c1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:47:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
turn off 1024 bit diffie-hellman-group1-sha1 key
|
|
exchange method (already off in server, this turns it off in the client by
|
|
default too) ok dtucker@
|
|
|
|
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
|
|
|
|
commit c28fc62d789d860c75e23a9fa9fb250eb2beca57
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:43:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
delete support for legacy v00 certificates; "sure"
|
|
markus@ dtucker@
|
|
|
|
Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
|
|
|
|
commit 564d63e1b4a9637a209d42a9d49646781fc9caef
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 23:10:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Compile-time disable SSH v.1 again
|
|
|
|
Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
|
|
|
|
commit 868109b650504dd9bcccdb1f51d0906f967c20ff
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 02:39:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
twiddle PermitRootLogin back
|
|
|
|
Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
|
|
|
|
commit 7de4b03a6e4071d454b72927ffaf52949fa34545
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 02:32:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
twiddle; (this commit marks the openssh-6.9 release)
|
|
|
|
Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
|
|
|
|
commit 1bf477d3cdf1a864646d59820878783d42357a1d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 02:26:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
better refuse ForwardX11Trusted=no connections attempted
|
|
after ForwardX11Timeout expires; reported by Jann Horn
|
|
|
|
Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
|
|
|
|
commit 47aa7a0f8551b471fcae0447c1d78464f6dba869
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 01:56:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
put back default PermitRootLogin=no
|
|
|
|
Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
|
|
|
|
commit 984b064fe2a23733733262f88d2e1b2a1a501662
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 01:55:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-6.9
|
|
|
|
Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
|
|
|
|
commit d921082ed670f516652eeba50705e1e9f6325346
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 01:55:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reset default PermitRootLogin to 'yes' (momentarily, for
|
|
release)
|
|
|
|
Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
|
|
|
|
commit 66295e0e1ba860e527f191b6325d2d77dec4dbce
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 1 11:49:12 2015 +1000
|
|
|
|
crank version numbers for release
|
|
|
|
commit 37035c07d4f26bb1fbe000d2acf78efdb008681d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 1 10:49:37 2015 +1000
|
|
|
|
s/--with-ssh1/--without-ssh1/
|
|
|
|
commit 629df770dbadc2accfbe1c81b3f31f876d0acd84
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jun 30 05:25:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fatal() when a remote window update causes the window
|
|
value to overflow. Reported by Georg Wicherski, ok markus@
|
|
|
|
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
|
|
|
|
commit f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jun 30 05:23:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix math error in remote window calculations that causes
|
|
eventual stalls for datagram channels. Reported by Georg Wicherski, ok
|
|
markus@
|
|
|
|
Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
|
|
|
|
commit 52fb6b9b034fcfd24bf88cc7be313e9c31de9889
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jun 30 16:05:40 2015 +1000
|
|
|
|
skip IPv6-related portions on hosts without IPv6
|
|
|
|
with Tim Rice
|
|
|
|
commit 512caddf590857af6aa12218461b5c0441028cf5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 29 22:35:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add getpid to sandbox, reachable by grace_alarm_handler
|
|
|
|
reported by Jakub Jelen; bz#2419
|
|
|
|
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
|
|
|
|
commit 78c2a4f883ea9aba866358e2acd9793a7f42ca93
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jun 26 05:13:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix \-escaping bug that caused forward path parsing to skip
|
|
two characters and skip past the end of the string.
|
|
|
|
Based on patch by Salvador Fandino; ok dtucker@
|
|
|
|
Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
|
|
|
|
commit bc20205c91c9920361d12b15d253d4997dba494a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jun 25 09:51:39 2015 +1000
|
|
|
|
add missing pselect6
|
|
|
|
patch from Jakub Jelen
|
|
|
|
commit 9d27fb73b4a4e5e99cb880af790d5b1ce44f720a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jun 24 23:47:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct test to sshkey_sign(); spotted by Albert S.
|
|
|
|
Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
|
|
|
|
commit 7ed01a96a1911d8b4a9ef4f3d064e1923bfad7e3
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 24 01:49:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Revert previous commit. We still want to call setgroups
|
|
in the case where there are zero groups to remove any that we might otherwise
|
|
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
|
|
to setgroups is always a static global it's always valid to dereference in
|
|
this case. ok deraadt@ djm@
|
|
|
|
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
|
|
commit 882f8bf94f79528caa65b0ba71c185d705bb7195
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 24 01:49:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Revert previous commit. We still want to call setgroups in
|
|
the case where there are zero groups to remove any that we might otherwise
|
|
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
|
|
to setgroups is always a static global it's always valid to dereference in
|
|
this case. ok deraadt@ djm@
|
|
|
|
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
|
|
commit 9488538a726951e82b3a4374f3c558d72c80a89b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 22 23:42:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't count successful partial authentication as failures
|
|
in monitor; this may have caused the monitor to refuse multiple
|
|
authentications that would otherwise have successfully completed; ok markus@
|
|
|
|
Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
|
|
|
|
commit 63b78d003bd8ca111a736e6cea6333da50f5f09b
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Jun 22 12:29:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't call setgroups if we have zero groups; there's no
|
|
guarantee that it won't try to deref the pointer. Based on a patch from mail
|
|
at quitesimple.org, ok djm deraadt
|
|
|
|
Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
|
|
|
|
commit 5c15e22c691c79a47747bcf5490126656f97cecd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jun 18 15:07:56 2015 +1000
|
|
|
|
fix syntax error
|
|
|
|
commit 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403
|
|
Author: jsing@openbsd.org <jsing@openbsd.org>
|
|
Date: Mon Jun 15 18:44:22 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
If AuthorizedPrincipalsCommand is specified, however
|
|
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
|
|
potentially fail due to key_cert_check_authority() failing to locate a
|
|
principal that matches the username, even though an authorized principal has
|
|
already been matched in the output of the subprocess. Fix this by using the
|
|
same logic to determine if pw->pw_name should be passed, as is used to
|
|
determine if a authorized principal must be matched earlier on.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
|
|
|
|
commit aff3e94c0d75d0d0fa84ea392b50ab04f8c57905
|
|
Author: jsing@openbsd.org <jsing@openbsd.org>
|
|
Date: Mon Jun 15 18:42:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Make the arguments to match_principals_command() similar
|
|
to match_principals_file(), by changing the last argument a struct
|
|
sshkey_cert * and dereferencing key->cert in the caller.
|
|
|
|
No functional change.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
|
|
|
|
commit 97e2e1596c202a4693468378b16b2353fd2d6c5e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jun 17 14:36:54 2015 +1000
|
|
|
|
trivial optimisation for seccomp-bpf
|
|
|
|
When doing arg inspection and the syscall doesn't match, skip
|
|
past the instruction that reloads the syscall into the accumulator,
|
|
since the accumulator hasn't been modified at this point.
|
|
|
|
commit 99f33d7304893bd9fa04d227cb6e870171cded19
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jun 17 10:50:51 2015 +1000
|
|
|
|
aarch64 support for seccomp-bpf sandbox
|
|
|
|
Also resort and tidy syscall list. Based on patches by Jakub Jelen
|
|
bz#2361; ok dtucker@
|
|
|
|
commit 4ef702e1244633c1025ec7cfe044b9ab267097bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 15 01:32:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
return failure on RSA signature error; reported by Albert S
|
|
|
|
Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
|
|
|
|
commit a170f22baf18af0b1acf2788b8b715605f41a1f9
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Jun 9 22:41:13 2015 -0700
|
|
|
|
Fix t12 rules for out of tree builds.
|
|
|
|
commit ec04dc4a5515c913121bc04ed261857e68fa5c18
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Fri Jun 5 15:13:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
|
|
name." (we have a path, not a host name). Based on a diff from Jared
|
|
Yanovich. OK djm@
|
|
|
|
Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
|
|
|
|
commit 732d61f417a6aea0aa5308b59cb0f563bcd6edd6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jun 5 03:44:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
typo: accidental repetition; bz#2386
|
|
|
|
Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
|
|
|
|
commit adfb24c69d1b6f5e758db200866c711e25a2ba73
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jun 5 14:51:40 2015 +1000
|
|
|
|
Add Linux powerpc64le and powerpcle entries.
|
|
|
|
Stopgap to resolve bz#2409 because we are so close to release and will
|
|
update config.guess and friends shortly after the release. ok djm@
|
|
|
|
commit a1195a0fdc9eddddb04d3e9e44c4775431cb77da
|
|
Merge: 6397eed d2480bc
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jun 3 21:43:13 2015 -0700
|
|
|
|
Merge branch 'master' of git.mindrot.org:/var/git/openssh
|
|
|
|
commit 6397eedf953b2b973d2d7cbb504ab501a07f8ddc
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jun 3 21:41:11 2015 -0700
|
|
|
|
Remove unneeded backslashes. Patch from Ángel González
|
|
|
|
commit d2480bcac1caf31b03068de877a47d6e1027bf6d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jun 4 14:10:55 2015 +1000
|
|
|
|
Remove redundant include of stdarg.h. bz#2410
|
|
|
|
commit 5e67859a623826ccdf2df284cbb37e2d8e2787eb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jun 2 09:10:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention CheckHostIP adding addresses to known_hosts;
|
|
bz#1993; ok dtucker@
|
|
|
|
Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
|
|
|
|
commit d7a58bbac6583e33fd5eca8e2c2cc70c57617818
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 2 20:15:26 2015 +1000
|
|
|
|
Replace strcpy with strlcpy.
|
|
|
|
ok djm, sanity check by Corinna Vinschen.
|
|
|
|
commit 51a1c2115265c6e80ede8a5c9dccada9aeed7143
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 29 18:27:21 2015 +1000
|
|
|
|
skip, rather than fatal when run without SUDO set
|
|
|
|
commit 599f01142a376645b15cbc9349d7e8975e1cf245
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 29 18:03:15 2015 +1000
|
|
|
|
fix merge botch that left ",," in KEX algs
|
|
|
|
commit 0c2a81dfc21822f2423edd30751e5ec53467b347
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 29 17:08:28 2015 +1000
|
|
|
|
re-enable SSH protocol 1 at compile time
|
|
|
|
commit db438f9285d64282d3ac9e8c0944f59f037c0151
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 29 03:05:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make this work without SUDO set; ok dtucker@
|
|
|
|
Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715
|
|
|
|
commit 1d9a2e2849c9864fe75daabf433436341c968e14
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 28 07:37:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
wrap all moduli-related code in #ifdef WITH_OPENSSL.
|
|
based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@
|
|
|
|
Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
|
|
|
|
commit 496aeb25bc2d6c434171292e4714771b594bd00e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu May 28 05:41:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Increase the allowed length of the known host file name
|
|
in the log message to be consistent with other cases. Part of bz#1993, ok
|
|
deraadt.
|
|
|
|
Upstream-ID: a9e97567be49f25daf286721450968251ff78397
|
|
|
|
commit dd2cfeb586c646ff8d70eb93567b2e559ace5b14
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu May 28 05:09:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix typo (keywork->keyword)
|
|
|
|
Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
|
|
|
|
commit 9cc6842493fbf23025ccc1edab064869640d3bec
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 28 04:50:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add error message on ftruncate failure; bz#2176
|
|
|
|
Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf
|
|
|
|
commit d1958793a0072c22be26d136dbda5ae263e717a0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 28 04:40:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make ssh-keygen default to ed25519 keys when compiled
|
|
without OpenSSL; bz#2388, ok dtucker@
|
|
|
|
Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71
|
|
|
|
commit 3ecde664c9fc5fb3667aedf9e6671462600f6496
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 27 23:51:10 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Reorder client proposal to prefer
|
|
diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
|
|
|
Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
|
|
|
|
commit 40f64292b907afd0a674fdbf3e4c2356d17a7d68
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 27 23:39:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a stronger (4k bit) fallback group that sshd can use
|
|
when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok
|
|
markus@ (earlier version), djm@
|
|
|
|
Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
|
|
|
|
commit 5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu May 28 10:03:40 2015 +1000
|
|
|
|
New moduli file from OpenBSD, removing 1k groups.
|
|
|
|
Remove 1k bit groups. ok deraadt@, markus@
|
|
|
|
commit a71ba58adf34e599f30cdda6e9b93ae6e3937eea
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed May 27 05:15:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
support PKCS#11 devices with external PIN entry devices
|
|
bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
|
|
|
|
Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
|
|
|
|
commit b282fec1aa05246ed3482270eb70fc3ec5f39a00
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 26 23:23:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Cap DH-GEX group size at 4kbits for Cisco implementations.
|
|
Some of them will choke when asked for preferred sizes >4k instead of
|
|
returning the 4k group that they do have. bz#2209, ok djm@
|
|
|
|
Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
|
|
|
|
commit 3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun May 24 23:39:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add missing 'c' option to getopt(), case statement was
|
|
already there; from Felix Bolte
|
|
|
|
Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081
|
|
|
|
commit 64a89ec07660abba4d0da7c0095b7371c98bab62
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Sat May 23 14:28:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix a memory leak in an error path ok markus@ dtucker@
|
|
|
|
Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598
|
|
|
|
commit f948737449257d2cb83ffcfe7275eb79b677fd4a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 22 05:28:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention ssh-keygen -E for comparing legacy MD5
|
|
fingerprints; bz#2332
|
|
|
|
Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
|
|
|
|
commit 0882332616e4f0272c31cc47bf2018f9cb258a4e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 22 04:45:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Reorder EscapeChar option parsing to avoid a single-byte
|
|
out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
|
|
|
|
Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
|
|
|
|
commit d7c31da4d42c115843edee2074d7d501f8804420
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 22 03:50:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add knob to relax GSSAPI host credential check for
|
|
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
|
|
(kerberos/GSSAPI is not compiled by default on OpenBSD)
|
|
|
|
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
|
|
|
|
commit aa72196a00be6e0b666215edcffbc10af234cb0e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 22 17:49:46 2015 +1000
|
|
|
|
Include signal.h for sig_atomic_t, used by kex.h.
|
|
|
|
bz#2402, from tomas.kuthan at oracle com.
|
|
|
|
commit 8b02481143d75e91c49d1bfae0876ac1fbf9511a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 22 12:47:24 2015 +1000
|
|
|
|
Import updated moduli file from OpenBSD.
|
|
|
|
commit 4739e8d5e1c0be49624082bd9f6b077e9e758db9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 12:01:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Support "ssh-keygen -lF hostname" to find search known_hosts
|
|
and print key hashes. Already advertised by ssh-keygen(1), but not delivered
|
|
by code; ok dtucker@
|
|
|
|
Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
|
|
|
|
commit e97201feca10b5196da35819ae516d0b87cf3a50
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 21 17:55:15 2015 +1000
|
|
|
|
conditionalise util.h inclusion
|
|
|
|
commit 13640798c7dd011ece0a7d02841fe48e94cfa0e0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:44:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for AuthorizedPrincipalsCommand
|
|
|
|
Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219
|
|
|
|
commit 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:40:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for AuthorizedKeysCommand arguments
|
|
|
|
Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
|
|
|
|
commit bcc50d816187fa9a03907ac1f3a52f04a52e10d1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:43:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add AuthorizedPrincipalsCommand that allows getting
|
|
authorized_principals from a subprocess rather than a file, which is quite
|
|
useful in deployments with large userbases
|
|
|
|
feedback and ok markus@
|
|
|
|
Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
|
|
|
|
commit 24232a3e5ab467678a86aa67968bbb915caffed4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:38:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
support arguments to AuthorizedKeysCommand
|
|
|
|
bz#2081 loosely based on patch by Sami Hartikainen
|
|
feedback and ok markus@
|
|
|
|
Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
|
|
|
|
commit d80fbe41a57c72420c87a628444da16d09d66ca7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 04:55:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
refactor: split base64 encoding of pubkey into its own
|
|
sshkey_to_base64() function and out of sshkey_write(); ok markus@
|
|
|
|
Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
|
|
|
|
commit 7cc44ef74133a473734bbcbd3484f24d6a7328c5
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon May 18 15:06:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
getentropy() and sendsyslog() have been around long
|
|
enough. openssh-portable may want the #ifdef's but not base. discussed with
|
|
djm few weeks back
|
|
|
|
Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
|
|
|
|
commit 9173d0fbe44de7ebcad8a15618e13a8b8d78902e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri May 15 05:44:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use a salted hash of the lock passphrase instead of plain
|
|
text and do constant-time comparisons of it. Should prevent leaking any
|
|
information about it via timing, pointed out by Ryan Castellucci. Add a 0.1s
|
|
incrementing delay for each failed unlock attempt up to 10s. ok markus@
|
|
(earlier version), djm@
|
|
|
|
Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f
|
|
|
|
commit d028d5d3a697c71b21e4066d8672cacab3caa0a8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 5 19:10:58 2015 +1000
|
|
|
|
upstream commit
|
|
|
|
- tedu@cvs.openbsd.org 2015/01/12 03:20:04
|
|
[bcrypt_pbkdf.c]
|
|
rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
|
|
nor are they the same size.
|
|
|
|
commit f6391d4e59b058984163ab28f4e317e7a72478f1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 5 19:10:23 2015 +1000
|
|
|
|
upstream commit
|
|
|
|
- deraadt@cvs.openbsd.org 2015/01/08 00:30:07
|
|
[bcrypt_pbkdf.c]
|
|
declare a local version of MIN(), call it MINIMUM()
|
|
|
|
commit 8ac6b13cc9113eb47cd9e86c97d7b26b4b71b77f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 5 19:09:46 2015 +1000
|
|
|
|
upstream commit
|
|
|
|
- djm@cvs.openbsd.org 2014/12/30 01:41:43
|
|
[bcrypt_pbkdf.c]
|
|
typo in comment: ouput => output
|
|
|
|
commit 1f792489d5cf86a4f4e3003e6e9177654033f0f2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 4 06:10:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove pattern length argument from match_pattern_list(), we
|
|
only ever use it for strlen(pattern).
|
|
|
|
Prompted by hanno AT hboeck.de pointing an out-of-bound read
|
|
error caused by an incorrect pattern length found using AFL
|
|
and his own tools.
|
|
|
|
ok markus@
|
|
|
|
commit 639d6bc57b1942393ed12fb48f00bc05d4e093e4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 07:10:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal()
|
|
to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
|
|
|
|
Improves error messages on TCP connection resets. bz#2257
|
|
|
|
ok dtucker@
|
|
|
|
commit 9559d7de34c572d4d3fd990ca211f8ec99f62c4d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 07:08:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
a couple of parse targets were missing activep checks,
|
|
causing them to be misapplied in match context; bz#2272 diagnosis and
|
|
original patch from Sami Hartikainen ok dtucker@
|
|
|
|
commit 7e8528cad04b2775c3b7db08abf8fb42e47e6b2a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 04:17:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make handling of AuthorizedPrincipalsFile=none more
|
|
consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
|
|
|
commit ca430d4d9cc0f62eca3b1fb1e2928395b7ce80f7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 04:03:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove failed remote forwards established by muliplexing
|
|
from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok
|
|
dtucker@
|
|
|
|
commit 8312cfb8ad88657517b3e23ac8c56c8e38eb9792
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 04:01:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reduce stderr spam when using ssh -S /path/mux -O forward
|
|
-R 0:... ok dtucker@
|
|
|
|
commit 179be0f5e62f1f492462571944e45a3da660d82b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 03:23:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
prevent authorized_keys options picked up on public key
|
|
tests without a corresponding private key authentication being applied to
|
|
other authentication methods. Reported by halex@, ok markus@
|
|
|
|
commit a42d67be65b719a430b7fcaba2a4e4118382723a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 03:20:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't make parsing of authorized_keys' environment=
|
|
option conditional on PermitUserEnv - always parse it, but only use the
|
|
result if the option is enabled. This prevents the syntax of authorized_keys
|
|
changing depending on which sshd_config options were enabled.
|
|
|
|
bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
|
|
|
|
commit e661a86353e11592c7ed6a847e19a83609f49e77
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 4 06:10:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove pattern length argument from match_pattern_list(), we
|
|
only ever use it for strlen(pattern).
|
|
|
|
Prompted by hanno AT hboeck.de pointing an out-of-bound read
|
|
error caused by an incorrect pattern length found using AFL
|
|
and his own tools.
|
|
|
|
ok markus@
|
|
|
|
commit 0ef1de742be2ee4b10381193fe90730925b7f027
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 23 05:01:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a simple regression test for sshd's configuration
|
|
parser. Right now, all it does is run the output of sshd -T back through
|
|
itself and ensure the output is valid and invariant.
|
|
|
|
commit 368f83c793275faa2c52f60eaa9bdac155c4254b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Apr 22 01:38:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use correct key for nested certificate test
|
|
|
|
commit 8d4d1bfddbbd7d21f545dc6997081d1ea1fbc99a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 07:11:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention that the user's shell from /etc/passwd is used
|
|
for commands too; bz#1459 ok dtucker@
|
|
|
|
commit 5ab283d0016bbc9d4d71e8e5284d011bc5a930cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 07:29:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace
|
|
|
|
Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519
|
|
|
|
commit 8377d5008ad260048192e1e56ad7d15a56d103dd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 07:26:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554
|
|
|
|
commit c28a3436fa8737709ea88e4437f8f23a6ab50359
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 06:45:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
moar whitespace at eol
|
|
|
|
Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
|
|
|
|
commit 2b64c490468fd4ca35ac8d5cc31c0520dc1508bb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 06:41:56 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c
|
|
|
|
commit 4e636cf201ce6e7e3b9088568218f9d4e2c51712
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 03:56:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
commit 38b8272f823dc1dd4e29dbcee83943ed48bb12fa
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon May 4 01:47:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use diff w/out -u for better portability
|
|
|
|
commit 297060f42d5189a4065ea1b6f0afdf6371fb0507
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri May 8 03:25:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use xcalloc for permitted_adm_opens instead of xmalloc to
|
|
ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok
|
|
djm@
|
|
|
|
commit 63ebf019be863b2d90492a85e248cf55a6e87403
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 03:17:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't choke on new-format private keys encrypted with an
|
|
AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@
|
|
|
|
commit f8484dac678ab3098ae522a5f03bb2530f822987
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 6 05:45:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Clarify pseudo-terminal request behaviour and use
|
|
"pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@.
|
|
|
|
commit ea139507bef8bad26e86ed99a42c7233ad115c38
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 6 04:07:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Blacklist DH-GEX for specific PuTTY versions known to
|
|
send non-RFC4419 DH-GEX messages rather than all versions of PuTTY.
|
|
According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX
|
|
messages. ok djm@
|
|
|
|
commit b58234f00ee3872eb84f6e9e572a9a34e902e36e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 5 10:17:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
WinSCP doesn't implement RFC4419 DH-GEX so flag it so we
|
|
don't offer that KEX method. ok markus@
|
|
|
|
commit d5b1507a207253b39e810e91e68f9598691b7a29
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Tue May 5 02:48:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use the sizeof the struct not the sizeof a pointer to the
|
|
struct in ssh_digest_start()
|
|
|
|
This file is only used if ssh is built with OPENSSL=no
|
|
|
|
ok markus@
|
|
|
|
commit a647b9b8e616c231594b2710c925d31b1b8afea3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 8 11:07:27 2015 +1000
|
|
|
|
Put brackets around mblen() compat constant.
|
|
|
|
This might help with the reported problem cross compiling for Android
|
|
("error: expected identifier or '(' before numeric constant") but
|
|
shouldn't hurt in any case.
|
|
|
|
commit d1680d36e17244d9af3843aeb5025cb8e40d6c07
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Apr 30 09:18:11 2015 +1000
|
|
|
|
xrealloc -> xreallocarray in portable code too.
|
|
|
|
commit 531a57a3893f9fcd4aaaba8c312b612bbbcc021e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Apr 29 03:48:56 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow ListenAddress, Port and AddressFamily in any
|
|
order. bz#68, ok djm@, jmc@ (for the man page bit).
|
|
|
|
commit c1d5bcf1aaf1209af02f79e48ba1cbc76a87b56f
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Tue Apr 28 13:47:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
enviroment -> environment: apologies to darren for not
|
|
spotting that first time round...
|
|
|
|
commit 43beea053db191cac47c2cd8d3dc1930158aff1a
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Apr 28 10:25:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix typo in previous
|
|
|
|
commit 85b96ef41374f3ddc9139581f87da09b2cd9199e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Apr 28 10:17:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Document that the TERM environment variable is not
|
|
subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from
|
|
jjelen at redhat, help and ok jmc@
|
|
|
|
commit 88a7c598a94ff53f76df228eeaae238d2d467565
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 27 21:42:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Make sshd default to PermitRootLogin=no; ok deraadt@
|
|
rpe@
|
|
|
|
commit 734226b4480a6c736096c729fcf6f391400599c7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 27 01:52:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix compilation with OPENSSL=no; ok dtucker@
|
|
|
|
commit a4b9d2ce1eb7703eaf0809b0c8a82ded8aa4f1c6
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Apr 27 00:37:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Include stdio.h for FILE (used in sshkey.h) so it
|
|
compiles with OPENSSL=no.
|
|
|
|
commit dbcc652f4ca11fe04e5930c7ef18a219318c6cda
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 27 00:21:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
allow "sshd -f none" to skip reading the config file,
|
|
much like "ssh -F none" does. ok dtucker
|
|
|
|
commit b7ca276fca316c952f0b90f5adb1448c8481eedc
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Apr 24 06:26:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
combine -Dd onto one line and update usage();
|
|
|
|
commit 2ea974630d7017e4c7666d14d9dc939707613e96
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 24 05:26:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add ssh-agent -D to leave ssh-agent in foreground
|
|
without enabling debug mode; bz#2381 ok dtucker@
|
|
|
|
commit 8ac2ffd7aa06042f6b924c87139f2fea5c5682f7
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Apr 24 01:36:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
2*len -> use xreallocarray() ok djm
|
|
|
|
commit 657a5fbc0d0aff309079ff8fb386f17e964963c2
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Apr 24 01:36:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
rename xrealloc() to xreallocarray() since it follows
|
|
that form. ok djm
|
|
|
|
commit 1108ae242fdd2c304307b68ddf46aebe43ebffaa
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 23 04:59:10 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Two small fixes for sshd -T: ListenAddress'es are added
|
|
to a list head so reverse the order when printing them to ensure the
|
|
behaviour remains the same, and print StreamLocalBindMask as octal with
|
|
leading zero. ok deraadt@
|
|
|
|
commit bd902b8473e1168f19378d5d0ae68d0c203525df
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 23 04:53:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Check for and reject missing arguments for
|
|
VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com,
|
|
ok djm@
|
|
|
|
commit ca42c1758575e592239de1d5755140e054b91a0d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Apr 22 01:24:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unknown certificate extensions are non-fatal, so don't
|
|
fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok
|
|
dtucker@
|
|
|
|
commit 39bfbf7caad231cc4bda6909fb1af0705bca04d8
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Tue Apr 21 07:01:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add back a backslash removed in rev 1.42 so
|
|
KEX_SERVER_ENCRYPT will include aes again.
|
|
|
|
ok deraadt@
|
|
|
|
commit 6b0d576bb87eca3efd2b309fcfe4edfefc289f9c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:32:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
s/recommended/required/ that private keys be og-r this
|
|
wording change was made a while ago but got accidentally reverted
|
|
|
|
commit 44a8e7ce6f3ab4c2eb1ae49115c210b98e53c4df
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:25:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't try to cleanup NULL KEX proposals in
|
|
kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
|
|
|
commit 3038a191872d2882052306098c1810d14835e704
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:19:22 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use error/logit/fatal instead of fprintf(stderr, ...)
|
|
and exit(0), fix a few errors that were being printed to stdout instead of
|
|
stderr and a few non-errors that were going to stderr instead of stdout
|
|
bz#2325; ok dtucker
|
|
|
|
commit a58be33cb6cd24441fa7e634db0e5babdd56f07f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:16:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
debug log missing DISPLAY environment when X11
|
|
forwarding requested; bz#1682 ok dtucker@
|
|
|
|
commit 17d4d9d9fbc8fb80e322f94d95eecc604588a474
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 04:32:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't call record_login() in monitor when UseLogin is
|
|
enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
|
|
|
commit 40132ff87b6cbc3dc05fb5df2e9d8e3afa06aafd
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Apr 17 04:12:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add some missing options to sshd -T and fix the output
|
|
of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat
|
|
com, ok djm.
|
|
|
|
commit 6cc7cfa936afde2d829e56ee6528c7ea47a42441
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 16 23:25:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Document "none" for PidFile XAuthLocation
|
|
TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@
|
|
|
|
commit 15fdfc9b1c6808b26bc54d4d61a38b54541763ed
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Apr 15 23:23:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Plug leak of address passed to logging. bz#2373, patch
|
|
from jjelen at redhat, ok markus@
|
|
|
|
commit bb2289e2a47d465eaaaeff3dee2a6b7777b4c291
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Apr 14 04:17:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Output remote username in debug output since with Host
|
|
and Match it's not always obvious what it will be. bz#2368, ok djm@
|
|
|
|
commit 70860b6d07461906730632f9758ff1b7c98c695a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 17 10:56:13 2015 +1000
|
|
|
|
Format UsePAM setting when using sshd -T.
|
|
|
|
Part of bz#2346, patch from jjelen at redhat com.
|
|
|
|
commit ee15d9c9f0720f5a8b0b34e4b10ecf21f9824814
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 17 10:40:23 2015 +1000
|
|
|
|
Wrap endian.h include inside ifdef (bz#2370).
|
|
|
|
commit 408f4c2ad4a4c41baa7b9b2b7423d875abbfa70b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 17 09:39:58 2015 +1000
|
|
|
|
Look for '${host}-ar' before 'ar'.
|
|
|
|
This changes configure.ac to look for '${host}-ar' as set by
|
|
AC_CANONICAL_HOST before looking for the unprefixed 'ar'.
|
|
Useful when cross-compiling when all your binutils are prefixed.
|
|
|
|
Patch from moben at exherbo org via astrand at lysator liu se and
|
|
bz#2352.
|
|
|
|
commit 673a1c16ad078d41558247ce739fe812c960acc8
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Thu Apr 16 11:40:20 2015 +1000
|
|
|
|
remove dependency on arpa/telnet.h
|
|
|
|
commit 202d443eeda1829d336595a3cfc07827e49f45ed
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Apr 15 15:59:49 2015 +1000
|
|
|
|
Remove duplicate include of pwd.h. bz#2337, patch from Mordy Ovits.
|
|
|
|
commit 597986493412c499f2bc2209420cb195f97b3668
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Thu Apr 9 10:14:48 2015 +1000
|
|
|
|
platform's with openpty don't need pty_release
|
|
|
|
commit 318be28cda1fd9108f2e6f2f86b0b7589ba2aed0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 13 02:04:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
deprecate ancient, pre-RFC4419 and undocumented
|
|
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems
|
|
reasonable" dtucker@
|
|
|
|
commit d8f391caef62378463a0e6b36f940170dadfe605
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Apr 10 05:16:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't send hostkey advertisments
|
|
(hostkeys-00@openssh.com) to current versions of Tera Term as they can't
|
|
handle them. Newer versions should be OK. Patch from Bryan Drewery and
|
|
IWAMOTO Kouichi, ok djm@
|
|
|
|
commit 2c2cfe1a1c97eb9a08cc9817fd0678209680c636
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 10 00:08:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
include port number if a non-default one has been
|
|
specified; based on patch from Michael Handler
|
|
|
|
commit 4492a4f222da4cf1e8eab12689196322e27b08c4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Apr 7 23:00:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
treat Protocol=1,2|2,1 as Protocol=2 when compiled
|
|
without SSH1 support; ok dtucker@ millert@
|
|
|
|
commit c265e2e6e932efc6d86f6cc885dea33637a67564
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Sun Apr 5 15:43:43 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Do not use int for sig_atomic_t; spotted by
|
|
christos@netbsd; ok markus@
|
|
|
|
commit e7bf3a5eda6a1b02bef6096fed78527ee11e54cc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Apr 7 10:48:04 2015 +1000
|
|
|
|
Use do{}while(0) for no-op functions.
|
|
|
|
From FreeBSD.
|
|
|
|
commit bb99844abae2b6447272f79e7fa84134802eb4df
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Apr 7 10:47:15 2015 +1000
|
|
|
|
Wrap blf.h include in ifdef. From FreeBSD.
|
|
|
|
commit d9b9b43656091cf0ad55c122f08fadb07dad0abd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Apr 7 09:10:00 2015 +1000
|
|
|
|
Fix misspellings of regress CONFOPTS env variables.
|
|
|
|
Patch from Bryan Drewery.
|
|
|
|
commit 3f4ea3c9ab1d32d43c9222c4351f58ca11144156
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 3 22:17:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct return value in pubkey parsing, spotted by Ben Hawkes
|
|
ok markus@
|
|
|
|
commit 7da2be0cb9601ed25460c83aa4d44052b967ba0f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:59:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to recent hostfile.c change: when parsing
|
|
known_hosts without fully parsing the keys therein, hostkeys_foreach() will
|
|
now correctly identify KEY_RSA1 keys; ok markus@ miod@
|
|
|
|
commit 9e1777a0d1c706714b055811c12ab8cc21033e4a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:19:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use ${SSH} for -Q instead of installed ssh
|
|
|
|
commit ce1b358ea414a2cc88e4430cd5a2ea7fecd9de57
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 16 22:46:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make CLEANFILES clean up more of the tests' droppings
|
|
|
|
commit 398f9ef192d820b67beba01ec234d66faca65775
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:57:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
downgrade error() for known_hosts parse errors to debug()
|
|
to quiet warnings from ssh1 keys present when compiled !ssh1.
|
|
|
|
also identify ssh1 keys when scanning, even when compiled !ssh1
|
|
|
|
ok markus@ miod@
|
|
|
|
commit 9a47ab80030a31f2d122b8fd95bd48c408b9fcd9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:55:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fd leak for !ssh1 case; found by unittests; ok markus@
|
|
|
|
commit c9a0805a6280681901c270755a7cd630d7c5280e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:55:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't fatal when a !ssh1 sshd is reexeced from a w/ssh1
|
|
listener; reported by miod@; ok miod@ markus@
|
|
|
|
commit 704d8c88988cae38fb755a6243b119731d223222
|
|
Author: tobias@openbsd.org <tobias@openbsd.org>
|
|
Date: Tue Mar 31 11:06:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Comments are only supported for RSA1 keys. If a user
|
|
tried to add one and entered his passphrase, explicitly clear it before exit.
|
|
This is done in all other error paths, too.
|
|
|
|
ok djm
|
|
|
|
commit 78de1673c05ea2c33e0d4a4b64ecb5186b6ea2e9
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Mar 30 18:28:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ssh-askpass(1) is the default, overridden by SSH_ASKPASS;
|
|
diff originally from jiri b;
|
|
|
|
commit 26e0bcf766fadb4a44fb6199386fb1dcab65ad00
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 30 00:00:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix uninitialised memory read when parsing a config file
|
|
consisting of a single nul byte. Found by hanno AT hboeck.de using AFL; ok
|
|
dtucker
|
|
|
|
commit fecede00a76fbb33a349f5121c0b2f9fbc04a777
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Mar 26 19:32:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sigp and lenp are not optional in ssh_agent_sign(); ok
|
|
djm@
|
|
|
|
commit 1b0ef3813244c78669e6d4d54c624f600945327d
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Thu Mar 26 12:32:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't try to load .ssh/identity by default if SSH1 is
|
|
disabled; ok markus@
|
|
|
|
commit f9b78852379b74a2d14e6fc94fe52af30b7e9c31
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Mar 26 07:00:04 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ban all-zero curve25519 keys as recommended by latest
|
|
CFRG curves draft; ok markus
|
|
|
|
commit b8afbe2c1aaf573565e4da775261dfafc8b1ba9c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Mar 26 06:59:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
relax bits needed check to allow
|
|
diffie-hellman-group1-sha1 key exchange to complete for chacha20-poly1305 was
|
|
selected as symmetric cipher; ok markus
|
|
|
|
commit 47842f71e31da130555353c1d57a1e5a8937f1c0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Mar 25 19:29:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ignore v1 errors on ssh-add -D; only try v2 keys on
|
|
-l/-L (unless WITH_SSH1) ok djm@
|
|
|
|
commit 5f57e77f91bf2230c09eca96eb5ecec39e5f2da6
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Mar 25 19:21:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak ssh_agent_sign (lenp vs *lenp)
|
|
|
|
commit 4daeb67181054f2a377677fac919ee8f9ed3490e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:10:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't leak 'setp' on error; noted by Nicholas Lemonias;
|
|
ok djm@
|
|
|
|
commit 7d4f96f9de2a18af0d9fa75ea89a4990de0344f5
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:09:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
consistent check for NULL as noted by Nicholas
|
|
Lemonias; ok djm@
|
|
|
|
commit df100be51354e447d9345cf1ec22e6013c0eed50
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:03:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct fmt-string for size_t as noted by Nicholas
|
|
Lemonias; ok djm@
|
|
|
|
commit a22b9ef21285e81775732436f7c84a27bd3f71e0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 24 09:17:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
promote chacha20-poly1305@openssh.com to be the default
|
|
cipher; ok markus
|
|
|
|
commit 2aa9da1a3b360cf7b13e96fe1521534b91501fb5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 24 01:29:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Compile-time disable SSH protocol 1. You can turn it
|
|
back on using the Makefile.inc knob if you need it to talk to ancient
|
|
devices.
|
|
|
|
commit 53097b2022154edf96b4e8526af5666f979503f7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 24 01:11:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix double-negative error message "ssh1 is not
|
|
unsupported"
|
|
|
|
commit 5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 23 06:06:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
for ssh-keygen -A, don't try (and fail) to generate ssh
|
|
v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
|
|
without OpenSSL based on patch by Mike Frysinger; bz#2369
|
|
|
|
commit 725fd22a8c41db7de73a638539a5157b7e4424ae
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 18 01:44:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
KRL support doesn't need OpenSSL anymore, remove #ifdefs
|
|
from around call
|
|
|
|
commit b07011c18e0b2e172c5fd09d21fb159a0bf5fcc7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 16 11:09:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
#if 0 some more arrays used only for decrypting (we don't
|
|
use since we only need encrypt for AES-CTR)
|
|
|
|
commit 1cb3016635898d287e9d58b50c430995652d5358
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Wed Mar 11 00:48:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add back the changes from rev 1.206, djm reverted this by
|
|
mistake in rev 1.207
|
|
|
|
commit 4d24b3b6a4a6383e05e7da26d183b79fa8663697
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Mar 20 09:11:59 2015 +1100
|
|
|
|
remove error() accidentally inserted for debugging
|
|
|
|
pointed out by Christian Hesse
|
|
|
|
commit 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Mar 16 22:49:20 2015 -0700
|
|
|
|
portability fix: Solaris systems may not have a grep that understands -q
|
|
|
|
commit 8ef691f7d9ef500257a549d0906d78187490668f
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Wed Mar 11 10:35:26 2015 +1100
|
|
|
|
fix compile with clang
|
|
|
|
commit 4df590cf8dc799e8986268d62019b487a8ed63ad
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Wed Mar 11 10:02:39 2015 +1100
|
|
|
|
make unit tests work for !OPENSSH_HAS_ECC
|
|
|
|
commit 307bb40277ca2c32e97e61d70d1ed74b571fd6ba
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Mar 7 04:41:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak for w/SSH1 (default) case; ok markus@ deraadt@
|
|
|
|
commit b44ee0c998fb4c5f3c3281f2398af5ce42840b6f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Mar 5 18:39:20 2015 -0800
|
|
|
|
unbreak hostkeys test for w/ SSH1 case
|
|
|
|
commit 55e5bdeb519cb60cc18b7ba0545be581fb8598b4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Mar 6 01:40:56 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix sshkey_certify() return value for unsupported key types;
|
|
ok markus@ deraadt@
|
|
|
|
commit be8f658e550a434eac04256bfbc4289457a24e99
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 15:38:03 2015 -0800
|
|
|
|
update version numbers to match version.h
|
|
|
|
commit ac5e8acefa253eb5e5ba186e34236c0e8007afdc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 4 23:22:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make these work with !SSH1; ok markus@ deraadt@
|
|
|
|
commit 2f04af92f036b0c87a23efb259c37da98cd81fe6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 4 21:12:59 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make ssh-add -D work with !SSH1 agent
|
|
|
|
commit a05adf95d2af6abb2b7826ddaa7a0ec0cdc1726b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 00:55:48 2015 -0800
|
|
|
|
netcat needs poll.h portability goop
|
|
|
|
commit dad2b1892b4c1b7e58df483a8c5b983c4454e099
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 3 22:35:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make it possible to run tests w/o ssh1 support; ok djm@
|
|
|
|
commit d48a22601bdd3eec054794c535f4ae8d8ae4c6e2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 4 18:53:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
crank; ok markus, deraadt
|
|
|
|
commit bbffb23daa0b002dd9f296e396a9ab8a5866b339
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 3 13:50:27 2015 -0800
|
|
|
|
more --without-ssh1 fixes
|
|
|
|
commit 6c2039286f503e2012a58a1d109e389016e7a99b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 3 13:48:48 2015 -0800
|
|
|
|
fix merge both that broke --without-ssh1 compile
|
|
|
|
commit 111dfb225478a76f89ecbcd31e96eaf1311b59d3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 21:21:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add SSH1 Makefile knob to make it easier to build without
|
|
SSH1 support; ok markus@
|
|
|
|
commit 3f7f5e6c5d2aa3f6710289c1a30119e534e56c5c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 20:42:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
expand __unused to full __attribute__ for better portability
|
|
|
|
commit 2fab9b0f8720baf990c931e3f68babb0bf9949c6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 07:41:27 2015 +1100
|
|
|
|
avoid warning
|
|
|
|
commit d1bc844322461f882b4fd2277ba9a8d4966573d2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 06:31:45 2015 +1100
|
|
|
|
Revert "define __unused to nothing if not already defined"
|
|
|
|
This reverts commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908.
|
|
|
|
Some system headers have objects named __unused
|
|
|
|
commit 00797e86b2d98334d1bb808f65fa1fd47f328ff1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 05:02:45 2015 +1100
|
|
|
|
check for crypt and DES_crypt in openssl block
|
|
|
|
fixes builds on systems that use DES_crypt; based on patch
|
|
from Roumen Petrov
|
|
|
|
commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 04:59:13 2015 +1100
|
|
|
|
define __unused to nothing if not already defined
|
|
|
|
fixes builds on BSD/OS
|
|
|
|
commit d608a51daad4f14ad6ab43d7cf74ef4801cc3fe9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 17:53:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reorder logic for better portability; patch from Roumen
|
|
Petrov
|
|
|
|
commit 68d2dfc464fbcdf8d6387884260f9801f4352393
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 06:48:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow "ssh -Q protocol-version" to list supported SSH
|
|
protocol versions. Useful for detecting builds without SSH v.1 support; idea
|
|
and ok markus@
|
|
|
|
commit 39e2f1229562e1195169905607bc12290d21f021
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Sun Mar 1 15:44:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Make sure we only call getnameinfo() for AF_INET or AF_INET6
|
|
sockets. getpeername() of a Unix domain socket may return without error on
|
|
some systems without actually setting ss_family so getnameinfo() was getting
|
|
called with ss_family set to AF_UNSPEC. OK djm@
|
|
|
|
commit e47536ba9692d271b8ad89078abdecf0a1c11707
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Feb 28 08:20:11 2015 -0800
|
|
|
|
portability fixes for regress/netcat.c
|
|
|
|
Mostly avoiding "err(1, NULL)"
|
|
|
|
commit 02973ad5f6f49d8420e50a392331432b0396c100
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Feb 28 08:05:27 2015 -0800
|
|
|
|
twiddle another test for portability
|
|
|
|
from Tom G. Christensen
|
|
|
|
commit f7f3116abf2a6e2f309ab096b08c58d19613e5d0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 27 15:52:49 2015 -0800
|
|
|
|
twiddle test for portability
|
|
|
|
commit 1ad3a77cc9d5568f5437ff99d377aa7a41859b83
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 26 20:33:22 2015 -0800
|
|
|
|
make regress/netcat.c fd passing (more) portable
|
|
|
|
commit 9e1cfca7e1fe9cf8edb634fc894e43993e4da1ea
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 26 20:32:58 2015 -0800
|
|
|
|
create OBJ/valgrind-out before running unittests
|
|
|
|
commit bd58853102cee739f0e115e6d4b5334332ab1442
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Feb 25 16:58:22 2015 -0800
|
|
|
|
valgrind support
|
|
|
|
commit f43d17269194761eded9e89f17456332f4c83824
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Feb 26 20:45:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't printf NULL key comments; reported by Tom Christensen
|
|
|
|
commit 6e6458b476ec854db33e3e68ebf4f489d0ab3df8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 25 23:05:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
zero cmsgbuf before use; we initialise the bits we use
|
|
but valgrind still spams warning on it
|
|
|
|
commit a63cfa26864b93ab6afefad0b630e5358ed8edfa
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 25 19:54:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix small memory leak when UpdateHostkeys=no
|
|
|
|
commit e6b950341dd75baa8526f1862bca39e52f5b879b
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Feb 25 09:56:48 2015 -0800
|
|
|
|
Revert "Work around finicky USL linker so netcat will build."
|
|
|
|
This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b.
|
|
|
|
No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3
|
|
|
|
commit 6f621603f9cff2a5d6016a404c96cb2f8ac2dec0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 25 17:29:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't leak validity of user in "too many authentication
|
|
failures" disconnect message; reported by Sebastian Reitenbach
|
|
|
|
commit 6288e3a935494df12519164f52ca5c8c65fc3ca5
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Tue Feb 24 15:24:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add -v (show ASCII art) to -l's synopsis; ok djm@
|
|
|
|
commit 678e473e2af2e4802f24dd913985864d9ead7fb3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Feb 26 04:12:58 2015 +1100
|
|
|
|
Remove dependency on xmalloc.
|
|
|
|
Remove ssh_get_progname's dependency on xmalloc, which should reduce
|
|
link order problems. ok djm@
|
|
|
|
commit 5d5ec165c5b614b03678afdad881f10e25832e46
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 25 15:32:49 2015 +1100
|
|
|
|
Restrict ECDSA and ECDH tests.
|
|
|
|
ifdef out some more ECDSA and ECDH tests when built against an OpenSSL
|
|
that does not have eliptic curve functionality.
|
|
|
|
commit 1734e276d99b17e92d4233fac7aef3a3180aaca7
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 25 13:40:45 2015 +1100
|
|
|
|
Move definition of _NSIG.
|
|
|
|
_NSIG is only unsed in one file, so move it there prevent redefinition
|
|
warnings reported by Kevin Brott.
|
|
|
|
commit a47ead7c95cfbeb72721066c4da2312e5b1b9f3d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 25 13:17:40 2015 +1100
|
|
|
|
Add includes.h for compatibility stuff.
|
|
|
|
commit 38806bda6d2e48ad32812b461eebe17672ada771
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 16:50:06 2015 -0800
|
|
|
|
include netdb.h to look for MAXHOSTNAMELEN; ok tim
|
|
|
|
commit d1db656021d0cd8c001a6692f772f1de29b67c8b
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Feb 24 10:42:08 2015 -0800
|
|
|
|
Work around finicky USL linker so netcat will build.
|
|
|
|
commit cb030ce25f555737e8ba97bdd7883ac43f3ff2a3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 09:23:04 2015 -0800
|
|
|
|
include includes.h to avoid build failure on AIX
|
|
|
|
commit 13af342458f5064144abbb07e5ac9bbd4eb42567
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Feb 24 07:56:47 2015 -0800
|
|
|
|
Original portability patch from djm@ for platforms missing err.h.
|
|
Fix name space clash on Solaris 10. Still more to do for Solaris 10
|
|
to deal with msghdr structure differences. ok djm@
|
|
|
|
commit 910209203d0cd60c5083901cbcc0b7b44d9f48d2
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Feb 23 22:06:56 2015 -0800
|
|
|
|
cleaner way fix dispatch.h portion of commit
|
|
a88dd1da119052870bb2654c1a32c51971eade16
|
|
(some systems have sig_atomic_t in signal.h, some in sys/signal.h)
|
|
Sounds good to me djm@
|
|
|
|
commit 676c38d7cbe65b76bbfff796861bb6615cc6a596
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Feb 23 21:51:33 2015 -0800
|
|
|
|
portability fix: if we can't dind a better define for HOST_NAME_MAX, use 255
|
|
|
|
commit 1221b22023dce38cbc90ba77eae4c5d78c77a5e6
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Feb 23 21:50:34 2015 -0800
|
|
|
|
portablity fix: s/__inline__/inline/
|
|
|
|
commit 4c356308a88d309c796325bb75dce90ca16591d5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 13:49:31 2015 +1100
|
|
|
|
Wrap stdint.h includes in HAVE_STDINT_H.
|
|
|
|
commit c9c88355c6a27a908e7d1e5003a2b35ea99c1614
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 13:43:57 2015 +1100
|
|
|
|
Add AI_NUMERICSERV to fake-rfc2553.
|
|
|
|
Our getaddrinfo implementation always returns numeric values already.
|
|
|
|
commit ef342ab1ce6fb9a4b30186c89c309d0ae9d0eeb4
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 13:39:57 2015 +1100
|
|
|
|
Include OpenSSL's objects.h before bn.h.
|
|
|
|
Prevents compile errors on some platforms (at least old GCCs and AIX's
|
|
XLC compilers).
|
|
|
|
commit dcc8997d116f615195aa7c9ec019fb36c28c6228
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 12:30:59 2015 +1100
|
|
|
|
Convert two macros into functions.
|
|
|
|
Convert packet_send_debug and packet_disconnect from macros to
|
|
functions. Some older GCCs (2.7.x, 2.95.x) see to have problems with
|
|
variadic macros with only one argument so we convert these two into
|
|
functions. ok djm@
|
|
|
|
commit 2285c30d51b7e2052c6526445abe7e7cc7e170a1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 22:21:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
further silence spurious error message even when -v is
|
|
specified (e.g. to get visual host keys); reported by naddy@
|
|
|
|
commit 9af21979c00652029e160295e988dea40758ece2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 09:04:32 2015 +1100
|
|
|
|
don't include stdint.h unless HAVE_STDINT_H set
|
|
|
|
commit 62f678dd51660d6f8aee1da33d3222c5de10a89e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 09:02:54 2015 +1100
|
|
|
|
nother sys/queue.h -> sys-queue.h fix
|
|
|
|
spotted by Tom Christensen
|
|
|
|
commit b3c19151cba2c0ed01b27f55de0d723ad07ca98f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 20:32:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix a race condition by using a mux socket rather than an
|
|
ineffectual wait statement
|
|
|
|
commit a88dd1da119052870bb2654c1a32c51971eade16
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 06:30:29 2015 +1100
|
|
|
|
various include fixes for portable
|
|
|
|
commit 5248429b5ec524d0a65507cff0cdd6e0cb99effd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 16:55:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add an XXX to remind me to improve sshkey_load_public
|
|
|
|
commit e94e4b07ef2eaead38b085a60535df9981cdbcdb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 16:55:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
silence a spurious error message when listing
|
|
fingerprints for known_hosts; bz#2342
|
|
|
|
commit f2293a65392b54ac721f66bc0b44462e8d1d81f8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 16:33:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix setting/clearing of TTY raw mode around
|
|
UpdateHostKeys=ask confirmation question; reported by Herb Goldman
|
|
|
|
commit f2004cd1adf34492eae0a44b1ef84e0e31b06088
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Feb 23 05:04:21 2015 +1100
|
|
|
|
Repair for non-ECC OpenSSL.
|
|
|
|
Ifdef out the ECC parts when building with an OpenSSL that doesn't have
|
|
it.
|
|
|
|
commit 37f9220db8d1a52c75894c3de1e5f2ae5bd71b6f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Feb 23 03:07:24 2015 +1100
|
|
|
|
Wrap stdint.h includes in ifdefs.
|
|
|
|
commit f81f1bbc5b892c8614ea740b1f92735652eb43f0
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Sat Feb 21 18:12:10 2015 -0800
|
|
|
|
out of tree build fix
|
|
|
|
commit 2e13a1e4d22f3b503c3bfc878562cc7386a1d1ae
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Sat Feb 21 18:08:51 2015 -0800
|
|
|
|
mkdir kex unit test directory so testing out of tree builds works
|
|
|
|
commit 1797f49b1ba31e8700231cd6b1d512d80bb50d2c
|
|
Author: halex@openbsd.org <halex@openbsd.org>
|
|
Date: Sat Feb 21 21:46:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make "ssh-add -d" properly remove a corresponding
|
|
certificate, and also not whine and fail if there is none
|
|
|
|
ok djm@
|
|
|
|
commit 7faaa32da83a609059d95dbfcb0649fdb04caaf6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Feb 22 07:57:27 2015 +1100
|
|
|
|
mkdir hostkey and bitmap unit test directories
|
|
|
|
commit bd49da2ef197efac5e38f5399263a8b47990c538
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 20 23:46:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sort options useable under Match case-insensitively; prodded
|
|
jmc@
|
|
|
|
commit 1a779a0dd6cd8b4a1a40ea33b5415ab8408128ac
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Feb 21 20:51:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct paths to configuration files being written/updated;
|
|
they live in $OBJ not cwd; some by Roumen Petrov
|
|
|
|
commit 28ba006c1acddff992ae946d0bc0b500b531ba6b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Feb 21 15:41:07 2015 +1100
|
|
|
|
More correct checking of HAVE_DECL_AI_NUMERICSERV.
|
|
|
|
commit e50e8c97a9cecae1f28febccaa6ca5ab3bc10f54
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Feb 21 15:10:33 2015 +1100
|
|
|
|
Add null declaration of AI_NUMERICINFO.
|
|
|
|
Some platforms (older FreeBSD and DragonFly versions) do have
|
|
getaddrinfo() but do not have AI_NUMERICINFO. so define it to zero
|
|
in those cases.
|
|
|
|
commit 18a208d6a460d707a45916db63a571e805f5db46
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 20 22:40:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
more options that are available under Match; bz#2353 reported
|
|
by calestyo AT scientia.net
|
|
|
|
commit 44732de06884238049f285f1455b2181baa7dc82
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 20 22:17:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
UpdateHostKeys fixes:
|
|
|
|
I accidentally changed the format of the hostkeys@openssh.com messages
|
|
last week without changing the extension name, and this has been causing
|
|
connection failures for people who are running -current. First reported
|
|
by sthen@
|
|
|
|
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
|
|
Change the name of the proof message too, and reorder it a little.
|
|
|
|
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
|
|
available to read the response) so disable UpdateHostKeys if it is in
|
|
ask mode and ControlPersist is active (and document this)
|
|
|
|
commit 13a39414d25646f93e6d355521d832a03aaaffe2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 17 00:14:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Regression: I broke logging of public key fingerprints in
|
|
1.46. Pointed out by Pontus Lundkvist
|
|
|
|
commit 773dda25e828c4c9a52f7bdce6e1e5924157beab
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 30 23:10:17 2015 +1100
|
|
|
|
repair --without-openssl; broken in refactor
|
|
|
|
commit e89c780886b23600de1e1c8d74aabd1ff61f43f0
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Feb 17 10:04:55 2015 +1100
|
|
|
|
hook up hostkeys unittest to portable Makefiles
|
|
|
|
commit 0abf41f99aa16ff09b263bead242d6cb2dbbcf99
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:21:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
enable hostkeys unit tests
|
|
|
|
commit 68a5d647ccf0fb6782b2f749433a1eee5bc9044b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:20:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
check string/memory compare arguments aren't NULL
|
|
|
|
commit ef575ef20d09f20722e26b45dab80b3620469687
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:18:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unit tests for hostfile.c code, just hostkeys_foreach so
|
|
far
|
|
|
|
commit 8ea3365e6aa2759ccf5c76eaea62cbc8a280b0e7
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Sat Feb 14 12:43:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
test server rekey limit
|
|
|
|
commit ce63c4b063c39b2b22d4ada449c9e3fbde788cb3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:30:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
partial backout of:
|
|
|
|
revision 1.441
|
|
date: 2015/01/31 20:30:05; author: djm; state: Exp; lines: +17 -10; commitid
|
|
: x8klYPZMJSrVlt3O;
|
|
Let sshd load public host keys even when private keys are missing.
|
|
Allows sshd to advertise additional keys for future key rotation.
|
|
Also log fingerprint of hostkeys loaded; ok markus@
|
|
|
|
hostkey updates now require access to the private key, so we can't
|
|
load public keys only. The improved log messages (fingerprints of keys
|
|
loaded) are kept.
|
|
|
|
commit 523463a3a2a9bfc6cfc5afa01bae9147f76a37cc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:13:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Revise hostkeys@openssh.com hostkey learning extension.
|
|
|
|
The client will not ask the server to prove ownership of the private
|
|
halves of any hitherto-unseen hostkeys it offers to the client.
|
|
|
|
Allow UpdateHostKeys option to take an 'ask' argument to let the
|
|
user manually review keys offered.
|
|
|
|
ok markus@
|
|
|
|
commit 6c5c949782d86a6e7d58006599c7685bfcd01685
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:08:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Refactor hostkeys_foreach() and dependent code Deal with
|
|
IP addresses (i.e. CheckHostIP) Don't clobber known_hosts when nothing
|
|
changed ok markus@ as part of larger commit
|
|
|
|
commit 51b082ccbe633dc970df1d1f4c9c0497115fe721
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Mon Feb 16 18:26:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Declare ge25519_base as extern, to prevent it from
|
|
becoming a common. Gets us rid of ``lignment 4 of symbol
|
|
`crypto_sign_ed25519_ref_ge25519_base' in mod_ge25519.o is smaller than 16 in
|
|
mod_ed25519.o'' warnings at link time.
|
|
|
|
commit 02db468bf7e3281a8e3c058ced571b38b6407c34
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Feb 13 18:57:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make rekey_limit for sshd w/privsep work; ok djm@
|
|
dtucker@
|
|
|
|
commit 8ec67d505bd23c8bf9e17b7a364b563a07a58ec8
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Feb 12 20:34:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Prevent sshd spamming syslog with
|
|
"ssh_dispatch_run_fatal: disconnected". ok markus@
|
|
|
|
commit d4c0295d1afc342057ba358237acad6be8af480b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 11 01:20:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Some packet error messages show the address of the peer,
|
|
but might be generated after the socket to the peer has suffered a TCP reset.
|
|
In these cases, getpeername() won't work so cache the address earlier.
|
|
|
|
spotted in the wild via deraadt@ and tedu@
|
|
|
|
commit 4af1709cf774475ce5d1bc3ddcc165f6c222897d
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Mon Feb 9 23:22:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix some leaks in error paths ok markus@
|
|
|
|
commit fd36834871d06a03e1ff8d69e41992efa1bbf85f
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Fri Feb 6 23:21:59 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
SIZE_MAX is standard, we should be using it in preference to
|
|
the obsolete SIZE_T_MAX. OK miod@ beck@
|
|
|
|
commit 1910a286d7771eab84c0b047f31c0a17505236fa
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Thu Feb 5 12:59:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Include stdint.h, not limits.h to get SIZE_MAX. OK guenther@
|
|
|
|
commit ce4f59b2405845584f45e0b3214760eb0008c06c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Tue Feb 3 08:07:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
missing ; djm and mlarkin really having great
|
|
interactions recently
|
|
|
|
commit 5d34aa94938abb12b877a25be51862757f25d54b
|
|
Author: halex@openbsd.org <halex@openbsd.org>
|
|
Date: Tue Feb 3 00:34:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
slightly extend the passphrase prompt if running with -c
|
|
in order to give the user a chance to notice if unintentionally running
|
|
without it
|
|
|
|
wording tweak and ok djm@
|
|
|
|
commit cb3bde373e80902c7d5d0db429f85068d19b2918
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 2 22:48:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
handle PKCS#11 C_Login returning
|
|
CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
|
|
|
|
commit 15ad750e5ec3cc69765b7eba1ce90060e7083399
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 2 07:41:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
turn UpdateHostkeys off by default until I figure out
|
|
mlarkin@'s warning message; requested by deraadt@
|
|
|
|
commit 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon Feb 2 01:57:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
increasing encounters with difficult DNS setups in
|
|
darknets has convinced me UseDNS off by default is better ok djm
|
|
|
|
commit 6049a548a8a68ff0bbe581ab1748ea6a59ecdc38
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jan 31 20:30:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Let sshd load public host keys even when private keys are
|
|
missing. Allows sshd to advertise additional keys for future key rotation.
|
|
Also log fingerprint of hostkeys loaded; ok markus@
|
|
|
|
commit 46347ed5968f582661e8a70a45f448e0179ca0ab
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 11:43:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a ssh_config HostbasedKeyType option to control which
|
|
host public key types are tried during hostbased authentication.
|
|
|
|
This may be used to prevent too many keys being sent to the server,
|
|
and blowing past its MaxAuthTries limit.
|
|
|
|
bz#2211 based on patch by Iain Morgan; ok markus@
|
|
|
|
commit 802660cb70453fa4d230cb0233bc1bbdf8328de1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 10:44:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
set a timeout to prevent hangs when talking to busted
|
|
servers; ok markus@
|
|
|
|
commit 86936ec245a15c7abe71a0722610998b0a28b194
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 01:11:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for 'wildcard CA' serial/key ID revocations
|
|
|
|
commit 4509b5d4a4fa645a022635bfa7e86d09b285001f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 01:13:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid more fatal/exit in the packet.c paths that
|
|
ssh-keyscan uses; feedback and "looks good" markus@
|
|
|
|
commit 669aee994348468af8b4b2ebd29b602cf2860b22
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 01:10:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
permit KRLs that revoke certificates by serial number or
|
|
key ID without scoping to a particular CA; ok markus@
|
|
|
|
commit 7a2c368477e26575d0866247d3313da4256cb2b5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 00:59:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
missing parentheses after if in do_convert_from() broke
|
|
private key conversion from other formats some time in 2010; bz#2345 reported
|
|
by jjelen AT redhat.com
|
|
|
|
commit 25f5f78d8bf5c22d9cea8b49de24ebeee648a355
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 00:22:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix ssh protocol 1, spotted by miod@
|
|
|
|
commit 9ce86c926dfa6e0635161b035e3944e611cbccf0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 22:36:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
update to new API (key_fingerprint => sshkey_fingerprint)
|
|
check sshkey_fingerprint return values; ok markus
|
|
|
|
commit 9125525c37bf73ad3ee4025520889d2ce9d10f29
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 22:05:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid fatal() calls in packet code makes ssh-keyscan more
|
|
reliable against server failures ok dtucker@ markus@
|
|
|
|
commit fae7bbe544cba7a9e5e4ab47ff6faa3d978646eb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 21:15:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid fatal() calls in packet code makes ssh-keyscan more
|
|
reliable against server failures ok dtucker@ markus@
|
|
|
|
commit 1a3d14f6b44a494037c7deab485abe6496bf2c60
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 11:07:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove obsolete comment
|
|
|
|
commit 80c25b7bc0a71d75c43a4575d9a1336f589eb639
|
|
Author: okan@openbsd.org <okan@openbsd.org>
|
|
Date: Tue Jan 27 12:54:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Since r1.2 removed the use of PRI* macros, inttypes.h is
|
|
no longer required.
|
|
|
|
ok djm@
|
|
|
|
commit 69ff64f69615c2a21c97cb5878a0996c21423257
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:07:43 2015 +1100
|
|
|
|
compile on systems without TCP_MD5SIG (e.g. OSX)
|
|
|
|
commit 358964f3082fb90b2ae15bcab07b6105cfad5a43
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:07:25 2015 +1100
|
|
|
|
use ssh-keygen under test rather than system's
|
|
|
|
commit a2c95c1bf33ea53038324d1fdd774bc953f98236
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:06:59 2015 +1100
|
|
|
|
OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX
|
|
|
|
commit ade31d7b6f608a19b85bee29a7a00b1e636a2919
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:06:23 2015 +1100
|
|
|
|
these need active_state defined to link on OSX
|
|
|
|
temporary measure until active_state goes away entirely
|
|
|
|
commit e56aa87502f22c5844918c10190e8b4f785f067b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 27 12:01:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use printf instead of echo -n to reduce diff against
|
|
-portable
|
|
|
|
commit 9f7637f56eddfaf62ce3c0af89c25480f2cf1068
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Jan 26 13:55:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sort previous;
|
|
|
|
commit 3076ee7d530d5b16842fac7a6229706c7e5acd26
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 13:36:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
properly restore umask
|
|
|
|
commit d411d395556b73ba1b9e451516a0bd6697c4b03d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 06:12:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for host key rotation
|
|
|
|
commit fe8a3a51699afbc6407a8fae59b73349d01e49f8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 06:11:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to sshkey API tweaks
|
|
|
|
commit 7dd355fb1f0038a3d5cdca57ebab4356c7a5b434
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Sat Jan 24 10:39:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Move -lz late in the linker commandline for things to
|
|
build on static arches.
|
|
|
|
commit 0dad3b806fddb93c475b30853b9be1a25d673a33
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Fri Jan 23 21:21:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
-Wpointer-sign is supported by gcc 4 only.
|
|
|
|
commit 2b3b1c1e4bd9577b6e780c255c278542ea66c098
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 22:58:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use SUBDIR to recuse into unit tests; makes "make obj"
|
|
actually work
|
|
|
|
commit 1d1092bff8db27080155541212b420703f8b9c92
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 12:16:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct description of UpdateHostKeys in ssh_config.5 and
|
|
add it to -o lists for ssh, scp and sftp; pointed out by jmc@
|
|
|
|
commit 5104db7cbd6cdd9c5971f4358e74414862fc1022
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 06:10:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correctly match ECDSA subtype (== curve) for
|
|
offered/recevied host keys. Fixes connection-killing host key mismatches when
|
|
a server offers multiple ECDSA keys with different curve type (an extremely
|
|
unlikely configuration).
|
|
|
|
ok markus, "looks mechanical" deraadt@
|
|
|
|
commit 8d4f87258f31cb6def9b3b55b6a7321d84728ff2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 03:04:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Host key rotation support.
|
|
|
|
Add a hostkeys@openssh.com protocol extension (global request) for
|
|
a server to inform a client of all its available host key after
|
|
authentication has completed. The client may record the keys in
|
|
known_hosts, allowing it to upgrade to better host key algorithms
|
|
and a server to gracefully rotate its keys.
|
|
|
|
The client side of this is controlled by a UpdateHostkeys config
|
|
option (default on).
|
|
|
|
ok markus@
|
|
|
|
commit 60b1825262b1f1e24fc72050b907189c92daf18e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 02:59:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
small refactor and add some convenience functions; ok
|
|
markus
|
|
|
|
commit a5a3e3328ddce91e76f71ff479022d53e35c60c9
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Thu Jan 22 21:00:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
heirarchy -> hierarchy;
|
|
|
|
commit dcff5810a11195c57e1b3343c0d6b6f2b9974c11
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Jan 22 20:24:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Provide a warning about chroot misuses (which sadly, seem
|
|
to have become quite popular because shiny). sshd cannot detect/manage/do
|
|
anything about these cases, best we can do is warn in the right spot in the
|
|
man page. ok markus
|
|
|
|
commit 087266ec33c76fc8d54ac5a19efacf2f4a4ca076
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Tue Jan 20 23:14:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Reduce use of <sys/param.h> and transition to <limits.h>
|
|
throughout. ok djm markus
|
|
|
|
commit 57e783c8ba2c0797f93977e83b2a8644a03065d8
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jan 20 20:16:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
kex_setup errors are fatal()
|
|
|
|
commit 1d6424a6ff94633c221297ae8f42d54e12a20912
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 08:02:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
this test would accidentally delete agent.sh if run without
|
|
obj/
|
|
|
|
commit 12b5f50777203e12575f1b08568281e447249ed3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 07:56:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make this compile with KERBEROS5 enabled
|
|
|
|
commit e2cc6bef08941256817d44d146115b3478586ad4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 07:55:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix hostkeys in agent; ok markus@
|
|
|
|
commit 1ca3e2155aa5d3801a7ae050f85c71f41fcb95b1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 20 10:11:31 2015 +1100
|
|
|
|
fix kex test
|
|
|
|
commit c78a578107c7e6dcf5d30a2f34cb6581bef14029
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:45:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
finally enable the KEX tests I wrote some years ago...
|
|
|
|
commit 31821d7217e686667d04935aeec99e1fc4a46e7e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:42:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to new error message (SSH_ERR_MAC_INVALID)
|
|
|
|
commit d3716ca19e510e95d956ae14d5b367e364bff7f1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 19 17:31:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
this test was broken in at least two ways, such that it
|
|
wasn't checking that a KRL was not excluding valid keys
|
|
|
|
commit 3f797653748e7c2b037dacb57574c01d9ef3b4d3
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:32:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
switch ssh-keyscan from setjmp to multiple ssh transport
|
|
layer instances ok djm@
|
|
|
|
commit f582f0e917bb0017b00944783cd5f408bf4b0b5e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:30:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add experimental api for packet layer; ok djm@
|
|
|
|
commit 48b3b2ba75181f11fca7f327058a591f4426cade
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:20:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
store compat flags in struct ssh; ok djm@
|
|
|
|
commit 57d10cbe861a235dd269c74fb2fe248469ecee9d
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:16:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt kex to sshbuf and struct ssh; ok djm@
|
|
|
|
commit 3fdc88a0def4f86aa88a5846ac079dc964c0546a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:07:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
move dispatch to struct ssh; ok djm@
|
|
|
|
commit 091c302829210c41e7f57c3f094c7b9c054306f0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 19:52:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
update packet.c & isolate, introduce struct ssh a) switch
|
|
packet.c to buffer api and isolate per-connection info into struct ssh b)
|
|
(de)serialization of the state is moved from monitor to packet.c c) the old
|
|
packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
|
|
integrated into packet.c with and ok djm@
|
|
|
|
commit 4e62cc68ce4ba20245d208b252e74e91d3785b74
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 19 17:35:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix format strings in (disabled) debugging
|
|
|
|
commit d85e06245907d49a2cd0cfa0abf59150ad616f42
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 19 06:01:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
be a bit more careful in these tests to ensure that
|
|
known_hosts is clean
|
|
|
|
commit 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 22:00:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for known_host file editing using
|
|
ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok
|
|
markus@
|
|
|
|
commit 3a2b09d147a565d8a47edf37491e149a02c0d3a3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:54:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
more and better key tests
|
|
|
|
test signatures and verification
|
|
test certificate generation
|
|
flesh out nested cert test
|
|
|
|
removes most of the XXX todo markers
|
|
|
|
commit 589e69fd82724cfc9738f128e4771da2e6405d0d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:53:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make the signature fuzzing test much more rigorous:
|
|
ensure that the fuzzed input cases do not match the original (using new
|
|
fuzz_matches_original() function) and check that the verification fails in
|
|
each case
|
|
|
|
commit 80603c0daa2538c349c1c152405580b164d5475f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:52:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add a fuzz_matches_original() function to the fuzzer to
|
|
detect fuzz cases that are identical to the original data. Hacky
|
|
implementation, but very useful when you need the fuzz to be different, e.g.
|
|
when verifying signature
|
|
|
|
commit 87d5495bd337e358ad69c524fcb9495208c0750b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:50:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
better dumps from the fuzzer (shown on errors) -
|
|
include the original data as well as the fuzzed copy.
|
|
|
|
commit d59ec478c453a3fff05badbbfd96aa856364f2c2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:47:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
enable hostkey-agent.sh test
|
|
|
|
commit 26b3425170bf840e4b095e1c10bf25a0a3e3a105
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jan 17 18:54:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unit test for hostkeys in ssh-agent
|
|
|
|
commit 9e06a0fb23ec55d9223b26a45bb63c7649e2f2f2
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 15 23:41:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add kex unit tests
|
|
|
|
commit d2099dec6da21ae627f6289aedae6bc1d41a22ce
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon Jan 19 00:32:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
djm, your /usr/include tree is old
|
|
|
|
commit 2b3c3c76c30dc5076fe09d590f5b26880f148a54
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:51:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
some feedback from markus@: comment hostkeys_foreach()
|
|
context and avoid a member in it.
|
|
|
|
commit cecb30bc2ba6d594366e657d664d5c494b6c8a7f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:49:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make ssh-keygen use hostkeys_foreach(). Removes some
|
|
horrendous code; ok markus@
|
|
|
|
commit ec3d065df3a9557ea96b02d061fd821a18c1a0b9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:48:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
convert load_hostkeys() (hostkey ordering and
|
|
known_host matching) to use the new hostkey_foreach() iterator; ok markus
|
|
|
|
commit c29811cc480a260e42fd88849fc86a80c1e91038
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:40:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
introduce hostkeys_foreach() to allow iteration over a
|
|
known_hosts file or controlled subset thereof. This will allow us to pull out
|
|
some ugly and duplicated code, and will be used to implement hostkey rotation
|
|
later.
|
|
|
|
feedback and ok markus
|
|
|
|
commit f101d8291da01bbbfd6fb8c569cfd0cc61c0d346
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Sun Jan 18 14:01:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
string truncation due to sizeof(size) ok djm markus
|
|
|
|
commit 35d6022b55b7969fc10c261cb6aa78cc4a5fcc41
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 13:33:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid trailing ',' in host key algorithms
|
|
|
|
commit 7efb455789a0cb76bdcdee91c6060a3dc8f5c007
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 13:22:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
infer key length correctly when user specified a fully-
|
|
qualified key name instead of using the -b bits option; ok markus@
|
|
|
|
commit 83f8ffa6a55ccd0ce9d8a205e3e7439ec18fedf5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jan 17 18:53:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix hostkeys on ssh agent; found by unit test I'm about
|
|
to commit
|
|
|
|
commit 369d61f17657b814124268f99c033e4dc6e436c1
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Fri Jan 16 16:20:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
garbage collect empty .No macros mandoc warns about
|
|
|
|
commit bb8b442d32dbdb8521d610e10d8b248d938bd747
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 16 15:55:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression: incorrect error message on
|
|
otherwise-successful ssh-keygen -A. Reported by Dmitry Orlov, via deraadt@
|
|
|
|
commit 9010902954a40b59d0bf3df3ccbc3140a653e2bc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 16 07:19:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
when hostname canonicalisation is enabled, try to parse
|
|
hostnames as addresses before looking them up for canonicalisation. fixes
|
|
bz#2074 and avoids needless DNS lookups in some cases; ok markus
|
|
|
|
commit 2ae4f337b2a5fb2841b6b0053b49496fef844d1c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Jan 16 06:40:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Replace <sys/param.h> with <limits.h> and other less
|
|
dirty headers where possible. Annotate <sys/param.h> lines with their
|
|
current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
|
|
LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
|
|
MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
|
|
These are the files confirmed through binary verification. ok guenther,
|
|
millert, doug (helped with the verification protocol)
|
|
|
|
commit 3c4726f4c24118e8f1bb80bf75f1456c76df072c
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 15 21:38:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove xmalloc, switch to sshbuf
|
|
|
|
commit e17ac01f8b763e4b83976b9e521e90a280acc097
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 15 21:37:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
switch to sshbuf
|
|
|
|
commit ddef9995a1fa6c7a8ff3b38bfe6cf724bebf13d0
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Thu Jan 15 18:32:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
handle UMAC128 initialization like UMAC; ok djm@ markus@
|
|
|
|
commit f14564c1f7792446bca143580aef0e7ac25dcdae
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 11:04:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix regression reported by brad@ for passworded keys without
|
|
agent present
|
|
|
|
commit 45c0fd70bb2a88061319dfff20cb12ef7b1bc47e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 22:08:23 2015 +1100
|
|
|
|
make bitmap test compile
|
|
|
|
commit d333f89abf7179021e5c3f28673f469abe032062
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 07:36:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unit tests for KRL bitmap
|
|
|
|
commit 7613f828f49c55ff356007ae9645038ab6682556
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 09:58:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
re-add comment about full path
|
|
|
|
commit 6c43b48b307c41cd656b415621a644074579a578
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 09:54:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't reset to the installed sshd; connect before
|
|
reconfigure, too
|
|
|
|
commit 771bb47a1df8b69061f09462e78aa0b66cd594bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 14:51:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
implement a SIGINFO handler so we can discern a stuck
|
|
fuzz test from a merely glacial one; prompted by and ok markus
|
|
|
|
commit cfaa57962f8536f3cf0fd7daf4d6a55d6f6de45f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 08:23:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use $SSH instead of installed ssh to allow override;
|
|
spotted by markus@
|
|
|
|
commit 0920553d0aee117a596b03ed5b49b280d34a32c5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 07:49:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for PubkeyAcceptedKeyTypes; ok markus@
|
|
|
|
commit 27ca1a5c0095eda151934bca39a77e391f875d17
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 20:13:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak parsing of pubkey comments; with gerhard; ok
|
|
djm/deraadt
|
|
|
|
commit 55358f0b4e0b83bc0df81c5f854c91b11e0bb4dc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 12 11:46:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fatal if soft-PKCS11 library is missing rather (rather
|
|
than continue and fail with a more cryptic error)
|
|
|
|
commit c3554cdd2a1a62434b8161017aa76fa09718a003
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 12 11:12:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
let this test all supporte key types; pointed out/ok
|
|
markus@
|
|
|
|
commit 1129dcfc5a3e508635004bcc05a3574cb7687167
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 09:40:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sync ssh-keysign, ssh-keygen and some dependencies to the
|
|
new buffer/key API; mostly mechanical, ok markus@
|
|
|
|
commit e4ebf5586452bf512da662ac277aaf6ecf0efe7c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 07:57:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove commented-out test code now that it has moved to a
|
|
proper unit test
|
|
|
|
commit e81cba066c1e9eb70aba0f6e7c0ff220611b370f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 20:54:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace
|
|
|
|
commit 141efe49542f7156cdbc2e4cd0a041d8b1aab622
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 20:05:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
move authfd.c and its tentacles to the new buffer/key
|
|
API; ok markus@
|
|
|
|
commit 0088c57af302cda278bd26d8c3ae81d5b6f7c289
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 19:33:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix small regression: ssh-agent would return a success
|
|
message but an empty signature if asked to sign using an unknown key; ok
|
|
markus@
|
|
|
|
commit b03ebe2c22b8166e4f64c37737f4278676e3488d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 03:08:58 2015 +1100
|
|
|
|
more --without-openssl
|
|
|
|
fix some regressions caused by upstream merges
|
|
|
|
enable KRLs now that they no longer require BIGNUMs
|
|
|
|
commit bc42cc6fe784f36df225c44c93b74830027cb5a2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 03:08:29 2015 +1100
|
|
|
|
kludge around tun API mismatch betterer
|
|
|
|
commit c332110291089b624fa0951fbf2d1ee6de525b9f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:59:51 2015 +1100
|
|
|
|
some systems lack SO_REUSEPORT
|
|
|
|
commit 83b9678a62cbdc74eb2031cf1e1e4ffd58e233ae
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:35:50 2015 +1100
|
|
|
|
fix merge botch
|
|
|
|
commit 0cdc5a3eb6fb383569a4da2a30705d9b90428d6b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:35:33 2015 +1100
|
|
|
|
unbreak across API change
|
|
|
|
commit 6e2549ac2b5e7f96cbc2d83a6e0784b120444b47
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:30:18 2015 +1100
|
|
|
|
need includes.h for portable OpenSSH
|
|
|
|
commit 72ef7c148c42db7d5632a29f137f8b87b579f2d9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:21:31 2015 +1100
|
|
|
|
support --without-openssl at configure time
|
|
|
|
Disables and removes dependency on OpenSSL. Many features don't
|
|
work and the set of crypto options is greatly restricted. This
|
|
will only work on system with native arc4random or /dev/urandom.
|
|
|
|
Considered highly experimental for now.
|
|
|
|
commit 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:28:00 2015 +1100
|
|
|
|
add files missed in last commit
|
|
|
|
commit a165bab605f7be55940bb8fae977398e8c96a46d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 15:02:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid BIGNUM in KRL code by using a simple bitmap;
|
|
feedback and ok markus
|
|
|
|
commit 7d845f4a0b7ec97887be204c3760e44de8bf1f32
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 13:54:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
update sftp client and server to new buffer API. pretty
|
|
much just mechanical changes; with & ok markus
|
|
|
|
commit 139ca81866ec1b219c717d17061e5e7ad1059e2a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 13:09:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
switch to sshbuf/sshkey; with & ok djm@
|
|
|
|
commit 81bfbd0bd35683de5d7f2238b985e5f8150a9180
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 14 21:48:18 2015 +1100
|
|
|
|
support --without-openssl at configure time
|
|
|
|
Disables and removes dependency on OpenSSL. Many features don't
|
|
work and the set of crypto options is greatly restricted. This
|
|
will only work on system with native arc4random or /dev/urandom.
|
|
|
|
Considered highly experimental for now.
|
|
|
|
commit 54924b53af15ccdcbb9f89984512b5efef641a31
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 10:46:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid an warning for the !OPENSSL case
|
|
|
|
commit ae8b463217f7c9b66655bfc3945c050ffdaeb861
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 10:30:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
swith auth-options to new sshbuf/sshkey; ok djm@
|
|
|
|
commit 540e891191b98b89ee90aacf5b14a4a68635e763
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 10:29:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make non-OpenSSL aes-ctr work on sshd w/ privsep; ok
|
|
markus@
|
|
|
|
commit 60c2c4ea5e1ad0ddfe8b2877b78ed5143be79c53
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 10:24:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove unneeded includes, sync my copyright across files
|
|
& whitespace; ok djm@
|
|
|
|
commit 128343bcdb0b60fc826f2733df8cf979ec1627b4
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jan 13 19:31:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt mac.c to ssherr.h return codes (de-fatal) and
|
|
simplify dependencies ok djm@
|
|
|
|
commit e7fd952f4ea01f09ceb068721a5431ac2fd416ed
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 19:04:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sync changes from libopenssh; prepared by markus@ mostly
|
|
debug output tweaks, a couple of error return value changes and some other
|
|
minor stuff
|
|
|
|
commit 76c0480a85675f03a1376167cb686abed01a3583
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 13 19:38:18 2015 +1100
|
|
|
|
add --without-ssh1 option to configure
|
|
|
|
Allows disabling support for SSH protocol 1.
|
|
|
|
commit 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 07:39:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add sshd_config HostbasedAcceptedKeyTypes and
|
|
PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
|
|
will be accepted. Currently defaults to all. Feedback & ok markus@
|
|
|
|
commit 816d1538c24209a93ba0560b27c4fda57c3fff65
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 20:13:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak parsing of pubkey comments; with gerhard; ok
|
|
djm/deraadt
|
|
|
|
commit 0097565f849851812df610b7b6b3c4bd414f6c62
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 19:22:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
missing error assigment on sshbuf_put_string()
|
|
|
|
commit a7f49dcb527dd17877fcb8d5c3a9a6f550e0bba5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 12 15:18:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
apparently memcpy(x, NULL, 0) is undefined behaviour
|
|
according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls
|
|
when length==0; ok markus@
|
|
|
|
commit 905fe30fca82f38213763616d0d26eb6790bde33
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 14:05:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
free->sshkey_free; ok djm@
|
|
|
|
commit f067cca2bc20c86b110174c3fef04086a7f57b13
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 13:29:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
allow WITH_OPENSSL w/o WITH_SSH1; ok djm@
|
|
|
|
commit c4bfafcc2a9300d9cfb3c15e75572d3a7d74670d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 13:10:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust for sshkey_load_file() API change
|
|
|
|
commit e752c6d547036c602b89e9e704851463bd160e32
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 13:44:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix ssh_config FingerprintHash evaluation order; from Petr
|
|
Lautrbach
|
|
|
|
commit ab24ab847b0fc94c8d5e419feecff0bcb6d6d1bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 10:15:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reorder hostbased key attempts to better match the
|
|
default hostkey algorithms order in myproposal.h; ok markus@
|
|
|
|
commit 1195f4cb07ef4b0405c839293c38600b3e9bdb46
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 10:14:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
deprecate key_load_private_pem() and
|
|
sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
|
|
not require pathnames to be specified (they weren't really used).
|
|
|
|
Fixes a few other things en passant:
|
|
|
|
Makes ed25519 keys work for hostbased authentication (ssh-keysign
|
|
previously used the PEM-only routines).
|
|
|
|
Fixes key comment regression bz#2306: key pathnames were being lost as
|
|
comment fields.
|
|
|
|
ok markus@
|
|
|
|
commit febbe09e4e9aff579b0c5cc1623f756862e4757d
|
|
Author: tedu@openbsd.org <tedu@openbsd.org>
|
|
Date: Wed Jan 7 18:15:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
workaround for the Meyer, et al, Bleichenbacher Side
|
|
Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm
|
|
markus
|
|
|
|
commit 5191df927db282d3123ca2f34a04d8d96153911a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Dec 23 22:42:48 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
KNF and add a little more debug()
|
|
|
|
commit 8abd80315d3419b20e6938f74d37e2e2b547f0b7
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Dec 22 09:26:31 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
add fingerprinthash to the options list;
|
|
|
|
commit 296ef0560f60980da01d83b9f0e1a5257826536f
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Dec 22 09:24:59 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit 462082eacbd37778a173afb6b84c6f4d898a18b5
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Dec 30 08:16:11 2014 +1100
|
|
|
|
avoid uninitialised free of ldns_res
|
|
|
|
If an invalid rdclass was passed to getrrsetbyname() then
|
|
this would execute a free on an uninitialised pointer.
|
|
OpenSSH only ever calls this with a fixed and valid rdclass.
|
|
|
|
Reported by Joshua Rogers
|
|
|
|
commit 01b63498801053f131a0740eb9d13faf35d636c8
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Mon Dec 29 18:10:18 2014 +1100
|
|
|
|
pull updated OpenBSD BCrypt PBKDF implementation
|
|
|
|
Includes fix for 1 byte output overflow for large key length
|
|
requests (not reachable in OpenSSH).
|
|
|
|
Pointed out by Joshua Rogers
|
|
|
|
commit c528c1b4af2f06712177b3de9b30705752f7cbcb
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Dec 23 15:26:13 2014 +1100
|
|
|
|
fix variable name for IPv6 case in construct_utmpx
|
|
|
|
patch from writeonce AT midipix.org via bz#2296
|
|
|
|
commit 293cac52dcda123244b2e594d15592e5e481c55e
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Mon Dec 22 16:30:42 2014 +1100
|
|
|
|
include and use OpenBSD netcat in regress/
|
|
|
|
commit 8f6784f0cb56dc4fd00af3e81a10050a5785228d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 09:05:17 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
mention ssh -Q feature to list supported { MAC, cipher,
|
|
KEX, key } algorithms in more places and include the query string used to
|
|
list the relevant information; bz#2288
|
|
|
|
commit 449e11b4d7847079bd0a2daa6e3e7ea03d8ef700
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Dec 22 08:24:17 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit 4bea0ab3290c0b9dd2aa199e932de8e7e18062d6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 08:06:03 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for multiple required pubkey authentication;
|
|
ok markus@
|
|
|
|
commit f1c4d8ec52158b6f57834b8cd839605b0a33e7f2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 08:04:23 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
correct description of what will happen when a
|
|
AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd
|
|
will refuse to start)
|
|
|
|
commit 161cf419f412446635013ac49e8c660cadc36080
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 07:55:51 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
make internal handling of filename arguments of "none"
|
|
more consistent with ssh. "none" arguments are now replaced with NULL when
|
|
the configuration is finalised.
|
|
|
|
Simplifies checking later on (just need to test not-NULL rather than
|
|
that + strcmp) and cleans up some inconsistencies. ok markus@
|
|
|
|
commit f69b69b8625be447b8826b21d87713874dac25a6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 07:51:30 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
remember which public keys have been used for
|
|
authentication and refuse to accept previously-used keys.
|
|
|
|
This allows AuthenticationMethods=publickey,publickey to require
|
|
that users authenticate using two _different_ pubkeys.
|
|
|
|
ok markus@
|
|
|
|
commit 46ac2ed4677968224c4ca825bc98fc68dae183f0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 07:24:11 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix passing of wildcard forward bind addresses when
|
|
connection multiplexing is in use; patch from Sami Hartikainen via bz#2324;
|
|
ok dtucker@
|
|
|
|
commit 0d1b241a262e4d0a6bbfdd595489ab1b853c43a1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 06:14:29 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
make this slightly easier to diff against portable
|
|
|
|
commit 0715bcdddbf68953964058f17255bf54734b8737
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Dec 22 13:47:07 2014 +1100
|
|
|
|
add missing regress output file
|
|
|
|
commit 1e30483c8ad2c2f39445d4a4b6ab20c241e40593
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 02:15:52 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust for new SHA256 key fingerprints and
|
|
slightly-different MD5 hex fingerprint format
|
|
|
|
commit 6b40567ed722df98593ad8e6a2d2448fc2b4b151
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 01:14:49 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
poll changes to netcat (usr.bin/netcat.c r1.125) broke
|
|
this test; fix it by ensuring more stdio fds are sent to devnull
|
|
|
|
commit a5375ccb970f49dddf7d0ef63c9b713ede9e7260
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Dec 21 23:35:14 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit b79efde5c3badf5ce4312fe608d8307eade533c5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Dec 21 23:12:42 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
document FingerprintHash here too
|
|
|
|
commit d16bdd8027dd116afa01324bb071a4016cdc1a75
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Dec 22 10:18:09 2014 +1100
|
|
|
|
missing include for base64 encoding
|
|
|
|
commit 56d1c83cdd1ac76f1c6bd41e01e80dad834f3994
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Dec 21 22:27:55 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Add FingerprintHash option to control algorithm used for
|
|
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
|
|
base64.
|
|
|
|
Feedback and ok naddy@ markus@
|
|
|
|
commit 058f839fe15c51be8b3a844a76ab9a8db550be4f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 18 23:58:04 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
don't count partial authentication success as a failure
|
|
against MaxAuthTries; ok deraadt@
|
|
|
|
commit c7219f4f54d64d6dde66dbcf7a2699daa782d2a1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 12 00:02:17 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
revert chunk I didn't mean to commit yet; via jmc@
|
|
|
|
commit 7de5991aa3997e2981440f39c1ea01273a0a2c7b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 18 11:44:06 2014 +1100
|
|
|
|
upstream libc change
|
|
|
|
revision 1.2
|
|
date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV;
|
|
avoid left shift overflow in reallocarray.
|
|
|
|
Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting
|
|
1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with
|
|
(size_t)1 so that we get the correct constant size for the platform.
|
|
|
|
discussed with tedu@ & deraadt@
|
|
|
|
commit 2048f85a5e6da8bc6e0532efe02ecfd4e63c978c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 18 10:15:49 2014 +1100
|
|
|
|
include CFLAGS in gnome askpass targets
|
|
|
|
from Fedora
|
|
|
|
commit 48b68ce19ca42fa488960028048dec023f7899bb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 11 08:20:09 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
explicitly include sys/param.h in files that use the
|
|
howmany() macro; from portable
|
|
|
|
commit d663bea30a294d440fef4398e5cd816317bd4518
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 11 05:25:06 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
mention AuthorizedKeysCommandUser must be set for
|
|
AuthorizedKeysCommand to be run; bz#2287
|
|
|
|
commit 17bf3d81e00f2abb414a4fd271118cf4913f049f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 11 05:13:28 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
show in debug output which hostkeys are being tried when
|
|
attempting hostbased auth; patch from Iain Morgan
|
|
|
|
commit da0277e3717eadf5b15e03379fc29db133487e94
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 11 04:16:14 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Make manual reflect reality: sftp-server's -d option
|
|
accepts a "%d" option, not a "%h" one.
|
|
|
|
bz#2316; reported by Kirk Wolf
|
|
|
|
commit 4cf87f4b81fa9380bce5fcff7b0f8382ae3ad996
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Dec 10 01:24:09 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
better error value for invalid signature length
|
|
|
|
commit 4bfad14ca56f8ae04f418997816b4ba84e2cfc3c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Dec 10 02:12:51 2014 +1100
|
|
|
|
Resync more with OpenBSD's rijndael.c, in particular "#if 0"-ing out some
|
|
unused code. Should fix compile error reported by plautrba at redhat.
|
|
|
|
commit 642652d280499691c8212ec6b79724b50008ce09
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Dec 10 01:32:23 2014 +1100
|
|
|
|
Add reallocarray to compat library
|
|
|
|
commit 3dfd8d93dfcc69261f5af99df56f3ff598581979
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 4 22:31:50 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
add tests for new client RevokedHostKeys option; refactor
|
|
to make it a bit more readable
|
|
|
|
commit a31046cad1aed16a0b55171192faa6d02665ccec
|
|
Author: krw@openbsd.org <krw@openbsd.org>
|
|
Date: Wed Nov 19 13:35:37 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Nuke yet more obvious #include duplications.
|
|
|
|
ok deraadt@
|
|
|
|
commit a7c762e5b2c1093542c0bc1df25ccec0b4cf479f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 4 20:47:36 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
key_in_file() wrapper is no longer used
|
|
|
|
commit 5e39a49930d885aac9c76af3129332b6e772cd75
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 4 02:24:32 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
add RevokedHostKeys option for the client
|
|
|
|
Allow textfile or KRL-based revocation of hostkeys.
|
|
|
|
commit 74de254bb92c684cf53461da97f52d5ba34ded80
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 4 01:49:59 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
convert KRL code to new buffer API
|
|
|
|
ok markus@
|
|
|
|
commit db995f2eed5fc432598626fa3e30654503bf7151
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Wed Nov 26 18:34:51 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Prefer setvbuf() to setlinebuf() for portability; ok
|
|
deraadt@
|
|
|
|
commit 72bba3d179ced8b425272efe6956a309202a91f3
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Mon Nov 24 03:39:22 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix crashes in the handling of the sshd config file found
|
|
with the afl fuzzer.
|
|
|
|
ok deraadt@ djm@
|
|
|
|
commit 867f49c666adcfe92bf539d9c37c1accdea08bf6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Nov 26 13:22:41 2014 +1100
|
|
|
|
Avoid Cygwin ssh-host-config reading /etc/group
|
|
|
|
Patch from Corinna Vinschen
|
|
|
|
commit 8b66f36291a721b1ba7c44f24a07fdf39235593e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Nov 26 13:20:35 2014 +1100
|
|
|
|
allow custom service name for sshd on Cygwin
|
|
|
|
Permits the use of multiple sshd running with different service names.
|
|
|
|
Patch by Florian Friesdorf via Corinna Vinschen
|
|
|
|
commit 08c0eebf55d70a9ae1964399e609288ae3186a0c
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sat Nov 22 19:21:03 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
restore word zapped in previous, and remove some useless
|
|
"No" macros;
|
|
|
|
commit a1418a0033fba43f061513e992e1cbcc3343e563
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Sat Nov 22 18:15:41 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
/dev/random has created the same effect as /dev/arandom
|
|
(and /dev/urandom) for quite some time. Mop up the last few, by using
|
|
/dev/random where we actually want it, or not even mentioning arandom where
|
|
it is irrelevant.
|
|
|
|
commit b6de5ac9ed421362f479d1ad4fa433d2e25dad5b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 21 01:00:38 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix NULL pointer dereference crash on invalid timestamp
|
|
|
|
found using Michal Zalewski's afl fuzzer
|
|
|
|
commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e
|
|
Author: mikeb@openbsd.org <mikeb@openbsd.org>
|
|
Date: Tue Nov 18 22:38:48 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Sync AES code to the one shipped in OpenSSL/LibreSSL.
|
|
|
|
This includes a commit made by Andy Polyakov <appro at openssl ! org>
|
|
to the OpenSSL source tree on Wed, 28 Jun 2006 with the following
|
|
message: "Mitigate cache-collision timing attack on last round."
|
|
|
|
OK naddy, miod, djm
|
|
|
|
commit 335c83d5f35d8620e16b8aa26592d4f836e09ad2
|
|
Author: krw@openbsd.org <krw@openbsd.org>
|
|
Date: Tue Nov 18 20:54:28 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Nuke more obvious #include duplications.
|
|
|
|
ok deraadt@ millert@ tedu@
|
|
|
|
commit 51b64e44121194ae4bf153dee391228dada2abcb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 17 00:21:40 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix KRL generation when multiple CAs are in use
|
|
|
|
We would generate an invalid KRL when revoking certs by serial
|
|
number for multiple CA keys due to a section being written out
|
|
twice.
|
|
|
|
Also extend the regress test to catch this case by having it
|
|
produce a multi-CA KRL.
|
|
|
|
Reported by peter AT pean.org
|
|
|
|
commit d2d51003a623e21fb2b25567c4878d915e90aa2a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Nov 18 01:02:25 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix NULL pointer dereference crash in key loading
|
|
|
|
found by Michal Zalewski's AFL fuzzer
|
|
|
|
commit 9f9fad0191028edc43d100d0ded39419b6895fdf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 17 00:21:40 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix KRL generation when multiple CAs are in use
|
|
|
|
We would generate an invalid KRL when revoking certs by serial
|
|
number for multiple CA keys due to a section being written out
|
|
twice.
|
|
|
|
Also extend the regress test to catch this case by having it
|
|
produce a multi-CA KRL.
|
|
|
|
Reported by peter AT pean.org
|
|
|
|
commit da8af83d3f7ec00099963e455010e0ed1d7d0140
|
|
Author: bentley@openbsd.org <bentley@openbsd.org>
|
|
Date: Sat Nov 15 14:41:03 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Reduce instances of `` '' in manuals.
|
|
|
|
troff displays these as typographic quotes, but nroff implementations
|
|
almost always print them literally, which rarely has the intended effect
|
|
with modern fonts, even in stock xterm.
|
|
|
|
These uses of `` '' can be replaced either with more semantic alternatives
|
|
or with Dq, which prints typographic quotes in a UTF-8 locale (but will
|
|
automatically fall back to `` '' in an ASCII locale).
|
|
|
|
improvements and ok schwarze@
|
|
|
|
commit fc302561369483bb755b17f671f70fb894aec01d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 10 22:25:49 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
mux-related manual tweaks
|
|
|
|
mention ControlPersist=0 is the same as ControlPersist=yes
|
|
|
|
recommend that ControlPath sockets be placed in a og-w directory
|
|
|
|
commit 0e4cff5f35ed11102fe3783779960ef07e0cd381
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Wed Nov 5 11:01:31 2014 +1100
|
|
|
|
Prepare scripts for next Cygwin release
|
|
|
|
Makes the Cygwin-specific ssh-user-config script independent of the
|
|
existence of /etc/passwd. The next Cygwin release will allow to
|
|
generate passwd and group entries from the Windows account DBs, so the
|
|
scripts have to adapt.
|
|
|
|
from Corinna Vinschen
|
|
|
|
commit 7d0ba5336651731949762eb8877ce9e3b52df436
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 30 10:45:41 2014 +1100
|
|
|
|
include version number in OpenSSL-too-old error
|
|
|
|
commit 3bcb92e04d9207e9f78d82f7918c6d3422054ce9
|
|
Author: lteo@openbsd.org <lteo@openbsd.org>
|
|
Date: Fri Oct 24 02:01:20 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove unnecessary include: netinet/in_systm.h is not needed
|
|
by these programs.
|
|
|
|
NB. skipped for portable
|
|
|
|
ok deraadt@ millert@
|
|
|
|
commit 6fdcaeb99532e28a69f1a1599fbd540bb15b70a0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Oct 20 03:43:01 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace
|
|
|
|
commit 165bc8786299e261706ed60342985f9de93a7461
|
|
Author: daniel@openbsd.org <daniel@openbsd.org>
|
|
Date: Tue Oct 14 03:09:59 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
plug a memory leak; from Maxime Villard.
|
|
|
|
ok djm@
|
|
|
|
commit b1ba15f3885947c245c2dbfaad0a04ba050abea0
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Thu Oct 9 06:21:31 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit 259a02ebdf74ad90b41d116ecf70aa823fa4c6e7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Oct 13 00:38:35 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace
|
|
|
|
commit 957fbceb0f3166e41b76fdb54075ab3b9cc84cba
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Oct 8 22:20:25 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Tweak config reparsing with host canonicalisation
|
|
|
|
Make the second pass through the config files always run when
|
|
hostname canonicalisation is enabled.
|
|
|
|
Add a "Match canonical" criteria that allows ssh_config Match
|
|
blocks to trigger only in the second config pass.
|
|
|
|
Add a -G option to ssh that causes it to parse its configuration
|
|
and dump the result to stdout, similar to "sshd -T"
|
|
|
|
Allow ssh_config Port options set in the second config parse
|
|
phase to be applied (they were being ignored).
|
|
|
|
bz#2267 bz#2286; ok markus
|
|
|
|
commit 5c0dafd38bf66feeeb45fa0741a5baf5ad8039ba
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Oct 8 22:15:27 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
another -Wpointer-sign from clang
|
|
|
|
commit bb005dc815ebda9af3ae4b39ca101c4da918f835
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Oct 8 22:15:06 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix a few -Wpointer-sign warnings from clang
|
|
|
|
commit 3cc1fbb4fb0e804bfb873fd363cea91b27fc8188
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Oct 8 21:45:48 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
parse cert sections using nested buffers to reduce
|
|
copies; ok markus
|
|
|
|
commit 4a45922aebf99164e2fc83d34fe55b11ae1866ef
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Oct 6 00:47:15 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
correct options in usage(); from mancha1 AT zoho.com
|
|
|
|
commit 48dffd5bebae6fed0556dc5c36cece0370690618
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Sep 9 09:45:36 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
mention permissions on tun(4) devices in PermitTunnel
|
|
documentation; bz#2273
|
|
|
|
commit a5883d4eccb94b16c355987f58f86a7dee17a0c2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 3 18:55:07 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tighten permissions on pty when the "tty" group does
|
|
not exist; pointed out by Corinna Vinschen; ok markus
|
|
|
|
commit 180bcb406b58bf30723c01a6b010e48ee626dda8
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Sat Aug 30 16:32:25 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
typo.
|
|
|
|
commit f70b22bcdd52f6bf127047b3584371e6e5d45627
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Sat Aug 30 15:33:50 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
improve capitalization for the Ed25519 public-key
|
|
signature system.
|
|
|
|
ok djm@
|
|
|
|
commit 7df8818409c752cf3f0c3f8044fe9aebed8647bd
|
|
Author: doug@openbsd.org <doug@openbsd.org>
|
|
Date: Thu Aug 21 01:08:52 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Free resources on error in mkstemp and fdopen
|
|
|
|
ok djm@
|
|
|
|
commit 40ba4c9733aaed08304714faeb61529f18da144b
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Wed Aug 20 01:28:55 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
djm how did you make a typo like that...
|
|
|
|
commit 57d378ec9278ba417a726f615daad67d157de666
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 19 23:58:28 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
When dumping the server configuration (sshd -T), print
|
|
correct KEX, MAC and cipher defaults. Spotted by Iain Morgan
|
|
|
|
commit 7ff880ede5195d0b17e7f1e3b6cfbc4cb6f85240
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 19 23:57:18 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
~-expand lcd paths
|
|
|
|
commit 4460a7ad0c78d4cd67c467f6e9f4254d0404ed59
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Oct 12 12:35:48 2014 +1100
|
|
|
|
remove duplicated KEX_DH1 entry
|
|
|
|
commit c9b8426a616138d0d762176c94f51aff3faad5ff
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 9 10:34:06 2014 +1100
|
|
|
|
remove ChangeLog file
|
|
|
|
Commit logs will be generated from git at release time.
|
|
|
|
commit 81d18ff7c93a04affbf3903e0963859763219aed
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Oct 7 21:24:25 2014 +1100
|
|
|
|
delete contrib/caldera directory
|
|
|
|
commit 0ec9e87d3638206456968202f05bb5123670607a
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Oct 7 19:57:27 2014 +1100
|
|
|
|
test commit
|
|
|
|
commit 8fb65a44568701b779f3d77326bceae63412d28d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 7 09:21:49 2014 +1100
|
|
|
|
- (djm) Release OpenSSH-6.7
|
|
|
|
commit e8c9f2602c46f6781df5e52e6cd8413dab4602a3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Oct 3 09:24:56 2014 +1000
|
|
|
|
- (djm) [sshd_config.5] typo; from Iain Morgan
|
|
|
|
commit 703b98a26706f5083801d11059486d77491342ae
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 1 09:43:07 2014 +1000
|
|
|
|
- (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
|
|
[openbsd-compat/openbsd-compat.h] Kludge around bad glibc
|
|
_FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
|
|
ok dtucker@
|
|
|
|
commit 0fa0ed061bbfedb0daa705e220748154a84c3413
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Sep 10 08:15:34 2014 +1000
|
|
|
|
- (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
|
|
patch from Felix von Leitner; ok dtucker
|
|
|
|
commit ad7d23d461c3b7e1dcb15db13aee5f4b94dc1a95
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Sep 9 12:23:10 2014 +1000
|
|
|
|
20140908
|
|
- (dtucker) [INSTALL] Update info about egd. ok djm@
|
|
|
|
commit 2a8699f37cc2515e3bc60e0c677ba060f4d48191
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Sep 4 03:46:05 2014 +1000
|
|
|
|
- (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG
|
|
|
|
commit 44988defb1f5e3afe576d86000365e1f07a1b494
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Sep 3 05:35:32 2014 +1000
|
|
|
|
- (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
|
|
permissions/ACLs; from Corinna Vinschen
|
|
|
|
commit 23f269562b7537b2f6f5014e50a25e5dcc55a837
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Sep 3 05:33:25 2014 +1000
|
|
|
|
- (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
|
|
conditionalise to avoid duplicate definition.
|
|
|
|
commit 41c8de2c0031cf59e7cf0c06b5bcfbf4852c1fda
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Aug 30 16:23:06 2014 +1000
|
|
|
|
- (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@
|
|
|
|
commit d7c81e216a7bd9eed6e239c970d9261bb1651947
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Aug 30 04:18:28 2014 +1000
|
|
|
|
- (djm) [openbsd-compat/openssl-compat.h] add include guard
|
|
|
|
commit 4687802dda57365b984b897fc3c8e2867ea09b22
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Aug 30 03:29:19 2014 +1000
|
|
|
|
- (djm) [misc.c] Missing newline between functions
|
|
|
|
commit 51c77e29220dee87c53be2dc47092934acab26fe
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Aug 30 02:30:30 2014 +1000
|
|
|
|
- (djm) [openbsd-compat/openssl-compat.h] add
|
|
OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
|
|
|
|
commit 3d673d103bad35afaec6e7ef73e5277216ce33a3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 27 06:32:01 2014 +1000
|
|
|
|
- (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
|
|
using memset_s() where possible; improve fallback to indirect bzero
|
|
via a volatile pointer to give it more of a chance to avoid being
|
|
optimised away.
|
|
|
|
commit 146218ac11a1eb0dcade6f793d7acdef163b5ddc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 27 04:11:55 2014 +1000
|
|
|
|
- (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
|
|
monitor, not preauth; bz#2263
|
|
|
|
commit 1b215c098b3b37e38aa4e4c91bb908eee41183b1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 27 04:04:40 2014 +1000
|
|
|
|
- (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
|
|
[regress/unittests/sshkey/common.c]
|
|
[regress/unittests/sshkey/test_file.c]
|
|
[regress/unittests/sshkey/test_fuzz.c]
|
|
[regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
|
|
on !ECC OpenSSL systems
|
|
|
|
commit ad013944af0a19e3f612089d0099bb397cf6502d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 26 09:27:28 2014 +1000
|
|
|
|
- (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
|
|
update OpenSSL version requirement.
|
|
|
|
commit ed126de8ee04c66640a0ea2697c4aaf36801f100
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 26 08:37:47 2014 +1000
|
|
|
|
- (djm) [bufec.c] Skip this file on !ECC OpenSSL
|
|
|
|
commit 9c1dede005746864a4fdb36a7cdf6c51296ca909
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Aug 24 03:01:06 2014 +1000
|
|
|
|
- (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
|
|
PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
|
|
|
|
commit d244a5816fd1312a33404b436e4dd83594f1119e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Aug 23 17:06:49 2014 +1000
|
|
|
|
- (djm) [configure.ac] We now require a working vsnprintf everywhere (not
|
|
just for systems that lack asprintf); check for it always and extend
|
|
test to catch more brokenness. Fixes builds on Solaris <= 9
|
|
|
|
commit 4cec036362a358e398e6a2e6d19d8e5780558634
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Aug 23 03:11:09 2014 +1000
|
|
|
|
- (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
|
|
lastlog writing on platforms with high UIDs; bz#2263
|
|
|
|
commit 394a60f2598d28b670d934b93942a3370b779b39
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 22 18:06:20 2014 +1000
|
|
|
|
- (djm) [configure.ac] double braces to appease autoconf
|
|
|
|
commit 4d69aeabd6e60afcdc7cca177ca751708ab79a9d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 22 17:48:27 2014 +1000
|
|
|
|
- (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
|
|
definition mismatch) and warning for broken/missing snprintf case.
|
|
|
|
commit 0c11f1ac369d2c0aeb0ab0458a7cd04c72fe5e9e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 22 17:36:56 2014 +1000
|
|
|
|
- (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
|
|
|
|
commit 6d62784b8973340b251fea6b04890f471adf28db
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 22 17:36:19 2014 +1000
|
|
|
|
- (djm) [configure.ac] include leading zero characters in OpenSSL version
|
|
number; fixes test for unsupported versions
|
|
|
|
commit 4f1ff1ed782117f5d5204d4e91156ed5da07cbb7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Aug 21 15:54:50 2014 +1000
|
|
|
|
- (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
|
|
don't set __progname. Diagnosed by Tom Christensen.
|
|
|
|
commit 005a64da0f457410045ef0bfa93c863c2450447d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Aug 21 10:48:41 2014 +1000
|
|
|
|
- (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
|
|
|
|
commit aa6598ebb3343c7380e918388e10e8ca5852b613
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Aug 21 10:47:54 2014 +1000
|
|
|
|
- (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
|
|
|
|
commit 54703e3cf63f0c80d4157e5ad7dbc2b363ee2c56
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 20 11:10:51 2014 +1000
|
|
|
|
- (djm) [contrib/cygwin/README] Correct build instructions; from Corinna
|
|
|
|
commit f0935698f0461f24d8d1f1107b476ee5fd4db1cb
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 20 11:06:50 2014 +1000
|
|
|
|
- (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
|
|
|
|
commit c5089ecaec3b2c02f014f4e67518390702a4ba14
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 20 11:06:20 2014 +1000
|
|
|
|
- (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
|
|
-L/-l; fixes linking problems on some platforms
|
|
|
|
commit 2195847e503a382f83ee969b0a8bd3dfe0e55c18
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 20 11:05:03 2014 +1000
|
|
|
|
- (djm) [configure.ac] Check OpenSSL version is supported at configure time;
|
|
suggested by Kevin Brott
|
|
|
|
commit a75aca1bbc989aa9f8b1b08489d37855f3d24d1a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 19 11:36:07 2014 +1000
|
|
|
|
- (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
|
|
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
|
|
of TCP wrappers.
|
|
|
|
commit 3f022b5a9477abceeb1bbeab04b055f3cc7ca8f6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 19 11:32:34 2014 +1000
|
|
|
|
- (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
|
|
|
|
commit 88137902632aceb923990e98cf5dc923bb3ef2f5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 19 11:28:11 2014 +1000
|
|
|
|
- (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
|
|
|
|
commit 2f3d1e7fb2eabd3cfbfd8d0f7bdd2f9a1888690b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 19 11:14:36 2014 +1000
|
|
|
|
- (djm) [myproposal.h] Make curve25519 KEX dependent on
|
|
HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
|
|
|
|
commit d4e7d59d01a6c7f59e8c1f94a83c086e9a33d8aa
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 19 11:14:17 2014 +1000
|
|
|
|
- (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
|
|
|
|
commit 9eaeea2cf2b6af5f166cfa9ad3c7a90711a147a9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Aug 10 11:35:05 2014 +1000
|
|
|
|
- (djm) [README contrib/caldera/openssh.spec]
|
|
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
|
|
|
|
commit f8988fbef0c9801d19fa2f8f4f041690412bec37
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 1 13:31:52 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
|
|
nc from stdin, it's more portable
|
|
|
|
commit 5b3879fd4b7a4e3d43bab8f40addda39bc1169d0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 1 12:28:31 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
|
|
is closed; avoid regress failures when stdin is /dev/null
|
|
|
|
commit a9c46746d266f8a1b092a72b2150682d1af8ebfc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 1 12:26:49 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
|
|
a better solution, but this will have to do for now.
|
|
|
|
commit 426117b2e965e43f47015942b5be8dd88fe74b88
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 30 12:33:20 2014 +1000
|
|
|
|
- schwarze@cvs.openbsd.org 2014/07/28 15:40:08
|
|
[sftp-server.8 sshd_config.5]
|
|
some systems no longer need /dev/log;
|
|
issue noticed by jirib;
|
|
ok deraadt
|
|
|
|
commit f497794b6962eaf802ab4ac2a7b22ae591cca1d5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 30 12:32:46 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/07/25 21:22:03
|
|
[ssh-agent.c]
|
|
Clear buffer used for handling messages. This prevents keys being
|
|
left in memory after they have been expired or deleted in some cases
|
|
(but note that ssh-agent is setgid so you would still need root to
|
|
access them). Pointed out by Kevin Burns, ok deraadt
|
|
|
|
commit a8a0f65c57c8ecba94d65948e9090da54014dfef
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 30 12:32:28 2014 +1000
|
|
|
|
- OpenBSD CVS Sync
|
|
- millert@cvs.openbsd.org 2014/07/24 22:57:10
|
|
[ssh.1]
|
|
Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
|
|
|
|
commit 56b840f2b81e14a2f95c203403633a72566736f8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 25 08:11:30 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] restore incorrectly deleted line;
|
|
pointed out by Christian Hesse
|
|
|
|
commit dd417b60d5ca220565d1014e92b7f8f43dc081eb
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 10:41:21 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/07/22 23:35:38
|
|
[regress/unittests/sshkey/testdata/*]
|
|
Regenerate test keys with certs signed with ed25519 instead of ecdsa.
|
|
These can be used in -portable on platforms that don't support ECDSA.
|
|
|
|
commit 40e50211896369dba8f64f3b5e5fd58b76f5ac3f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 10:35:45 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/07/22 23:57:40
|
|
[regress/unittests/sshkey/mktestdata.sh]
|
|
Add $OpenBSD tag to make syncs easier
|
|
|
|
commit 07e644251e809b1d4c062cf85bd1146a7e3f5a8a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 10:34:26 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/07/22 23:23:22
|
|
[regress/unittests/sshkey/mktestdata.sh]
|
|
Sign test certs with ed25519 instead of ecdsa so that they'll work in
|
|
-portable on platforms that don't have ECDSA in their OpenSSL. ok djm
|
|
|
|
commit cea099a7c4eaecb01b001e5453bb4e5c25006c22
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 10:04:02 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/22 01:32:12
|
|
[regress/multiplex.sh]
|
|
change the test for still-open Unix domain sockets to be robust against
|
|
nc implementations that produce error messages. from -portable
|
|
(Id sync only)
|
|
|
|
commit 31eb78078d349b32ea41952ecc944b3ad6cb0d45
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 09:43:42 2014 +1000
|
|
|
|
- guenther@cvs.openbsd.org 2014/07/22 07:13:42
|
|
[umac.c]
|
|
Convert from <sys/endian.h> to the shiney new <endian.h>
|
|
ok dtucker@, who also confirmed that -portable handles this already
|
|
(ID sync only, includes.h pulls in endian.h if available.)
|
|
|
|
commit 820763efef2d19d965602533036c2b4badc9d465
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 09:40:46 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/07/22 01:18:50
|
|
[key.c]
|
|
Prevent spam from key_load_private_pem during hostbased auth. ok djm@
|
|
|
|
commit c4ee219a66f3190fa96cbd45b4d11015685c6306
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 23 04:27:50 2014 +1000
|
|
|
|
- (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
|
|
specific tests inside OPENSSL_HAS_ECC.
|
|
|
|
commit 04f4824940ea3edd60835416ececbae16438968a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jul 22 11:31:47 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] change the test for still-open Unix
|
|
domain sockets to be robust against nc implementations that produce
|
|
error messages.
|
|
|
|
commit 5ea4fe00d55453aaa44007330bb4c3181bd9b796
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jul 22 09:39:19 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
|
|
put it back
|
|
|
|
commit 948a1774a79a85f9deba6d74db95f402dee32c69
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jul 22 01:07:11 2014 +1000
|
|
|
|
- (dtucker) [sshkey.c] ifdef out unused variable when compiling without
|
|
OPENSSL_HAS_ECC.
|
|
|
|
commit c8f610f6cc57ae129758052439d9baf13699097b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Jul 21 10:23:27 2014 +1000
|
|
|
|
- (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
|
|
|
|
commit 0e4e95566cd95c887f69272499b8f3880b3ec0f5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Jul 21 09:52:54 2014 +1000
|
|
|
|
- millert@cvs.openbsd.org 2014/07/15 15:54:15
|
|
[forwarding.sh multiplex.sh]
|
|
Add support for Unix domain socket forwarding. A remote TCP port
|
|
may be forwarded to a local Unix domain socket and vice versa or
|
|
both ends may be a Unix domain socket. This is a reimplementation
|
|
of the streamlocal patches by William Ahern from:
|
|
http://www.25thandclement.com/~william/projects/streamlocal.html
|
|
OK djm@ markus@
|
|
|
|
commit 93a87ab27ecdc709169fb24411133998f81e2761
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 21 06:30:25 2014 +1000
|
|
|
|
- (dtucker) [regress/unittests/sshkey/
|
|
{common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
|
|
ifdefs.
|
|
|
|
commit 5573171352ea23df2dc6d2fe0324d023b7ba697c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 21 02:24:59 2014 +1000
|
|
|
|
- (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
|
|
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
|
|
|
|
commit 74e28682711d005026c7c8f15f96aea9d3c8b5a3
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Fri Jul 18 20:00:11 2014 -0700
|
|
|
|
- (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
|
|
in servconf.h.
|
|
|
|
commit d1a0421f8e5e933fee6fb58ee6b9a22c63c8a613
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jul 19 07:23:55 2014 +1000
|
|
|
|
- (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.
|
|
|
|
commit f0fe9ea1be62227c130b317769de3d1e736b6dc1
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jul 19 06:33:12 2014 +1000
|
|
|
|
- (dtucker) [Makefile.in] Add a t-exec target to run just the executable
|
|
tests.
|
|
|
|
commit 450bc1180d4b061434a4b733c5c8814fa30b022b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jul 19 06:23:18 2014 +1000
|
|
|
|
- (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
|
|
in servconf.h.
|
|
|
|
commit ab2ec586baad122ed169285c31927ccf58bc7b28
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 15:04:47 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/18 02:46:01
|
|
[ssh-agent.c]
|
|
restore umask around listener socket creation (dropped in streamlocal patch
|
|
merge)
|
|
|
|
commit 357610d15946381ae90c271837dcdd0cdce7145f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 15:04:10 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/17 07:22:19
|
|
[mux.c ssh.c]
|
|
reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
|
|
previously we were always returning 0. bz#2255 reported by Brendan
|
|
Germain; ok dtucker
|
|
|
|
commit dad9a4a0b7c2b5d78605f8df28718f116524134e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 15:03:49 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/17 00:12:03
|
|
[key.c]
|
|
silence "incorrect passphrase" error spam; reported and ok dtucker@
|
|
|
|
commit f42f7684ecbeec6ce50e0310f80b3d6da2aaf533
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 15:03:27 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/17 00:10:18
|
|
[mux.c]
|
|
preserve errno across syscall
|
|
|
|
commit 1b83320628cb0733e3688b85bfe4d388a7c51909
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 15:03:02 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/17 00:10:56
|
|
[sandbox-systrace.c]
|
|
ifdef SYS_sendsyslog so this will compile without patching on -stable
|
|
|
|
commit 6d57656331bcd754d912950e4a18ad259d596e61
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 15:02:06 2014 +1000
|
|
|
|
- jmc@cvs.openbsd.org 2014/07/16 14:48:57
|
|
[ssh.1]
|
|
add the streamlocal* options to ssh's -o list; millert says they're
|
|
irrelevant for scp/sftp;
|
|
|
|
ok markus millert
|
|
|
|
commit 7acefbbcbeab725420ea07397ae35992f505f702
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 18 14:11:24 2014 +1000
|
|
|
|
- millert@cvs.openbsd.org 2014/07/15 15:54:14
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
|
|
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
|
|
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
|
|
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
|
|
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
|
|
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
|
|
[sshd_config.5 sshlogin.c]
|
|
Add support for Unix domain socket forwarding. A remote TCP port
|
|
may be forwarded to a local Unix domain socket and vice versa or
|
|
both ends may be a Unix domain socket. This is a reimplementation
|
|
of the streamlocal patches by William Ahern from:
|
|
http://www.25thandclement.com/~william/projects/streamlocal.html
|
|
OK djm@ markus@
|
|
|
|
commit 6262d760e00714523633bd989d62e273a3dca99a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 17 09:52:07 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/07/11 13:54:34
|
|
[myproposal.h]
|
|
by popular demand, add back hamc-sha1 to server proposal for better compat
|
|
with many clients still in use. ok deraadt
|
|
|
|
commit 9d69d937b46ecba17f16d923e538ceda7b705c7a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 17 09:49:37 2014 +1000
|
|
|
|
- deraadt@cvs.openbsd.org 2014/07/11 08:09:54
|
|
[sandbox-systrace.c]
|
|
Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
|
|
update your kernels and sshd soon.. libc will start using sendsyslog()
|
|
in about 4 days.
|
|
|
|
commit f6293a0b4129826fc2e37e4062f96825df43c326
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 17 09:01:25 2014 +1000
|
|
|
|
- (djm) [digest-openssl.c] Preserve array order when disabling digests.
|
|
Reported by Petr Lautrbach.
|
|
|
|
commit 00f9cd230709c04399ef5ff80492d70a55230694
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jul 15 10:41:38 2014 +1000
|
|
|
|
- (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
|
|
has been located; fixes builds agains libressl-portable
|
|
|
|
commit 1d0df3249c87019556b83306c28d4769375c2edc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 11 09:19:04 2014 +1000
|
|
|
|
- OpenBSD CVS Sync
|
|
- benno@cvs.openbsd.org 2014/07/09 14:15:56
|
|
[ssh-add.c]
|
|
fix ssh-add crash while loading more than one key
|
|
ok markus@
|
|
|
|
commit 7a57eb3d105aa4ced15fb47001092c58811e6d9d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 9 13:22:31 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/07 08:15:26
|
|
[multiplex.sh]
|
|
remove forced-fatal that I stuck in there to test the new cleanup
|
|
logic and forgot to remove...
|
|
|
|
commit 612f965239a30fe536b11ece1834d9f470aeb029
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 9 13:22:03 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/06 07:42:03
|
|
[multiplex.sh test-exec.sh]
|
|
add a hook to the cleanup() function to kill $SSH_PID if it is set
|
|
|
|
use it to kill the mux master started in multiplex.sh (it was being left
|
|
around on fatal failures)
|
|
|
|
commit d0bb950485ba121e43a77caf434115ed6417b46f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 9 13:07:28 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/09 03:02:15
|
|
[key.c]
|
|
downgrade more error() to debug() to better match what old authfile.c
|
|
did; suppresses spurious errors with hostbased authentication enabled
|
|
|
|
commit 0070776a038655c57f57e70cd05e4c38a5de9d84
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 9 13:07:06 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/09 01:45:10
|
|
[sftp.c]
|
|
more useful error message when GLOB_NOSPACE occurs;
|
|
bz#2254, patch from Orion Poplawski
|
|
|
|
commit 079bac2a43c74ef7cf56850afbab3b1932534c50
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 9 13:06:25 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/07 08:19:12
|
|
[ssh_config.5]
|
|
mention that ProxyCommand is executed using shell "exec" to avoid
|
|
a lingering process; bz#1977
|
|
|
|
commit 3a48cc090096cf99b9de592deb5f90e444edebfb
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jul 6 09:32:49 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/05 23:11:48
|
|
[channels.c]
|
|
fix remote-forward cancel regression; ok markus@
|
|
|
|
commit 48bae3a38cb578713e676708164f6e7151cc64fa
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jul 6 09:27:06 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 23:18:35
|
|
[authfile.h]
|
|
remove leakmalloc droppings
|
|
|
|
commit 72e6b5c9ed5e72ca3a6ccc3177941b7c487a0826
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 4 09:00:04 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 22:40:43
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
|
|
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
|
|
executed, mirroring the no-user-rc authorized_keys option;
|
|
bz#2160; ok markus@
|
|
|
|
commit 602943d1179a08dfa70af94f62296ea5e3d6ebb8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 4 08:59:41 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 22:33:41
|
|
[channels.c]
|
|
allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
|
|
GatewayPorts=no; allows client to choose address family;
|
|
bz#2222 ok markus@
|
|
|
|
commit 6b37fbb7921d156b31e2c8f39d9e1b6746c34983
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 4 08:59:24 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 22:23:46
|
|
[sshconnect.c]
|
|
when rekeying, skip file/DNS lookup if it is the same as the key sent
|
|
during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
|
|
|
|
commit d2c3cd5f2e47ee24cf7093ce8e948c2e79dfc3fd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 4 08:59:01 2014 +1000
|
|
|
|
- jsing@cvs.openbsd.org 2014/07/03 12:42:16
|
|
[cipher-chachapoly.c]
|
|
Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
|
|
makes it easier to verify that chacha_encrypt_bytes() is only called once
|
|
per chacha_ivsetup() call.
|
|
ok djm@
|
|
|
|
commit 686feb560ec43a06ba04da82b50f3c183c947309
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:29:38 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 11:16:55
|
|
[auth.c auth.h auth1.c auth2.c]
|
|
make the "Too many authentication failures" message include the
|
|
user, source address, port and protocol in a format similar to the
|
|
authentication success / failure messages; bz#2199, ok dtucker
|
|
|
|
commit 0f12341402e18fd9996ec23189b9418d2722453f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:28:09 2014 +1000
|
|
|
|
- jmc@cvs.openbsd.org 2014/07/03 07:45:27
|
|
[ssh_config.5]
|
|
escape %C since groff thinks it part of an Rs/Re block;
|
|
|
|
commit 9c38643c5cd47a19db2cc28279dcc28abadc22b3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:27:46 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 06:39:19
|
|
[ssh.c ssh_config.5]
|
|
Add a %C escape sequence for LocalCommand and ControlPath that expands
|
|
to a unique identifer based on a has of the tuple of (local host,
|
|
remote user, hostname, port).
|
|
|
|
Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
|
|
control paths.
|
|
|
|
bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
|
|
|
|
commit 49d9bfe2b2f3e90cc158a215dffa7675e57e7830
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:26:42 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 05:38:17
|
|
[ssh.1]
|
|
document that -g will only work in the multiplexed case if applied to
|
|
the mux master
|
|
|
|
commit ef9f13ba4c58057b2166d1f2e790535da402fbe5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:26:21 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 05:32:36
|
|
[ssh_config.5]
|
|
mention '%%' escape sequence in HostName directives and how it may
|
|
be used to specify IPv6 link-local addresses
|
|
|
|
commit e6a407789e5432dd2e53336fb73476cc69048c54
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:25:03 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 04:36:45
|
|
[digest.h]
|
|
forward-declare struct sshbuf so consumers don't need to include sshbuf.h
|
|
|
|
commit 4a1d3d50f02d0a8a4ef95ea4749293cbfb89f919
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:24:40 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 03:47:27
|
|
[ssh-keygen.c]
|
|
When hashing or removing hosts using ssh-keygen, don't choke on
|
|
@revoked markers and don't remove @cert-authority markers;
|
|
bz#2241, reported by mlindgren AT runelind.net
|
|
|
|
commit e5c0d52ceb575c3db8c313e0b1aa3845943d7ba8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:24:19 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 03:34:09
|
|
[gss-serv.c session.c ssh-keygen.c]
|
|
standardise on NI_MAXHOST for gethostname() string lengths; about
|
|
1/2 the cases were using it already. Fixes bz#2239 en passant
|
|
|
|
commit c174a3b7c14e0d178c61219de2aa1110e209950c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:23:24 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 03:26:43
|
|
[digest-openssl.c]
|
|
use EVP_Digest() for one-shot hash instead of creating, updating,
|
|
finalising and destroying a context.
|
|
bz#2231, based on patch from Timo Teras
|
|
|
|
commit d7ca2cd31ecc4d63a055e2dcc4bf35c13f2db4c5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:23:01 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 03:15:01
|
|
[ssh-add.c]
|
|
make stdout line-buffered; saves partial output getting lost when
|
|
ssh-add fatal()s part-way through (e.g. when listing keys from an
|
|
agent that supports key types that ssh-add doesn't);
|
|
bz#2234, reported by Phil Pennock
|
|
|
|
commit b1e967c8d7c7578dd0c172d85b3046cf54ea42ba
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:22:40 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 03:11:03
|
|
[ssh-agent.c]
|
|
Only cleanup agent socket in the main agent process and not in any
|
|
subprocesses it may have started (e.g. forked askpass). Fixes
|
|
agent sockets being zapped when askpass processes fatal();
|
|
bz#2236 patch from Dmitry V. Levin
|
|
|
|
commit 61e28e55c3438d796b02ef878bcd28620d452670
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 21:22:22 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/07/03 01:45:38
|
|
[sshkey.c]
|
|
make Ed25519 keys' title fit properly in the randomart border; bz#2247
|
|
based on patch from Christian Hesse
|
|
|
|
commit 9eb4cd9a32c32d40d36450b68ed93badc6a94c68
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 13:29:50 2014 +1000
|
|
|
|
- (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
|
|
bz#2237
|
|
|
|
commit 8da0fa24934501909408327298097b1629b89eaa
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 3 11:54:19 2014 +1000
|
|
|
|
- (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
|
|
doesn't support it.
|
|
|
|
commit 81309c857dd0dbc0a1245a16d621c490ad48cfbb
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 17:45:55 2014 +1000
|
|
|
|
- (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test
|
|
|
|
commit 82b2482ce68654815ee049b9bf021bb362a35ff2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 17:43:41 2014 +1000
|
|
|
|
- (djm) [sshkey.c] Conditionalise inclusion of util.h
|
|
|
|
commit dd8b1dd7933eb6f5652641b0cdced34a387f2e80
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 17:38:31 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/24 01:14:17
|
|
[Makefile.in regress/Makefile regress/unittests/Makefile]
|
|
[regress/unittests/sshkey/Makefile]
|
|
[regress/unittests/sshkey/common.c]
|
|
[regress/unittests/sshkey/common.h]
|
|
[regress/unittests/sshkey/mktestdata.sh]
|
|
[regress/unittests/sshkey/test_file.c]
|
|
[regress/unittests/sshkey/test_fuzz.c]
|
|
[regress/unittests/sshkey/test_sshkey.c]
|
|
[regress/unittests/sshkey/tests.c]
|
|
[regress/unittests/sshkey/testdata/dsa_1]
|
|
[regress/unittests/sshkey/testdata/dsa_1-cert.fp]
|
|
[regress/unittests/sshkey/testdata/dsa_1-cert.pub]
|
|
[regress/unittests/sshkey/testdata/dsa_1.fp]
|
|
[regress/unittests/sshkey/testdata/dsa_1.fp.bb]
|
|
[regress/unittests/sshkey/testdata/dsa_1.param.g]
|
|
[regress/unittests/sshkey/testdata/dsa_1.param.priv]
|
|
[regress/unittests/sshkey/testdata/dsa_1.param.pub]
|
|
[regress/unittests/sshkey/testdata/dsa_1.pub]
|
|
[regress/unittests/sshkey/testdata/dsa_1_pw]
|
|
[regress/unittests/sshkey/testdata/dsa_2]
|
|
[regress/unittests/sshkey/testdata/dsa_2.fp]
|
|
[regress/unittests/sshkey/testdata/dsa_2.fp.bb]
|
|
[regress/unittests/sshkey/testdata/dsa_2.pub]
|
|
[regress/unittests/sshkey/testdata/dsa_n]
|
|
[regress/unittests/sshkey/testdata/dsa_n_pw]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1.fp]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1.pub]
|
|
[regress/unittests/sshkey/testdata/ecdsa_1_pw]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2.fp]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
|
|
[regress/unittests/sshkey/testdata/ecdsa_2.pub]
|
|
[regress/unittests/sshkey/testdata/ecdsa_n]
|
|
[regress/unittests/sshkey/testdata/ecdsa_n_pw]
|
|
[regress/unittests/sshkey/testdata/ed25519_1]
|
|
[regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
|
|
[regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
|
|
[regress/unittests/sshkey/testdata/ed25519_1.fp]
|
|
[regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
|
|
[regress/unittests/sshkey/testdata/ed25519_1.pub]
|
|
[regress/unittests/sshkey/testdata/ed25519_1_pw]
|
|
[regress/unittests/sshkey/testdata/ed25519_2]
|
|
[regress/unittests/sshkey/testdata/ed25519_2.fp]
|
|
[regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
|
|
[regress/unittests/sshkey/testdata/ed25519_2.pub]
|
|
[regress/unittests/sshkey/testdata/pw]
|
|
[regress/unittests/sshkey/testdata/rsa1_1]
|
|
[regress/unittests/sshkey/testdata/rsa1_1.fp]
|
|
[regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
|
|
[regress/unittests/sshkey/testdata/rsa1_1.param.n]
|
|
[regress/unittests/sshkey/testdata/rsa1_1.pub]
|
|
[regress/unittests/sshkey/testdata/rsa1_1_pw]
|
|
[regress/unittests/sshkey/testdata/rsa1_2]
|
|
[regress/unittests/sshkey/testdata/rsa1_2.fp]
|
|
[regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
|
|
[regress/unittests/sshkey/testdata/rsa1_2.param.n]
|
|
[regress/unittests/sshkey/testdata/rsa1_2.pub]
|
|
[regress/unittests/sshkey/testdata/rsa_1]
|
|
[regress/unittests/sshkey/testdata/rsa_1-cert.fp]
|
|
[regress/unittests/sshkey/testdata/rsa_1-cert.pub]
|
|
[regress/unittests/sshkey/testdata/rsa_1.fp]
|
|
[regress/unittests/sshkey/testdata/rsa_1.fp.bb]
|
|
[regress/unittests/sshkey/testdata/rsa_1.param.n]
|
|
[regress/unittests/sshkey/testdata/rsa_1.param.p]
|
|
[regress/unittests/sshkey/testdata/rsa_1.param.q]
|
|
[regress/unittests/sshkey/testdata/rsa_1.pub]
|
|
[regress/unittests/sshkey/testdata/rsa_1_pw]
|
|
[regress/unittests/sshkey/testdata/rsa_2]
|
|
[regress/unittests/sshkey/testdata/rsa_2.fp]
|
|
[regress/unittests/sshkey/testdata/rsa_2.fp.bb]
|
|
[regress/unittests/sshkey/testdata/rsa_2.param.n]
|
|
[regress/unittests/sshkey/testdata/rsa_2.param.p]
|
|
[regress/unittests/sshkey/testdata/rsa_2.param.q]
|
|
[regress/unittests/sshkey/testdata/rsa_2.pub]
|
|
[regress/unittests/sshkey/testdata/rsa_n]
|
|
[regress/unittests/sshkey/testdata/rsa_n_pw]
|
|
unit and fuzz tests for new key API
|
|
|
|
commit c1dc24b71f087f385b92652b9673f52af64e0428
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 17:02:03 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/24 01:04:43
|
|
[regress/krl.sh]
|
|
regress test for broken consecutive revoked serial number ranges
|
|
|
|
commit 43d3ed2dd3feca6d0326c7dc82588d2faa115e92
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 17:01:08 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/05/21 07:04:21
|
|
[regress/integrity.sh]
|
|
when failing because of unexpected output, show the offending output
|
|
|
|
commit 5a96707ffc8d227c2e7d94fa6b0317f8a152cf4e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:38:05 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/30 05:32:00
|
|
[regress/Makefile]
|
|
unit tests for new buffer API; including basic fuzz testing
|
|
NB. Id sync only.
|
|
|
|
commit 3ff92ba756aee48e4ae3e0aeff7293517b3dd185
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:33:09 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/30 12:54:39
|
|
[key.c]
|
|
suppress spurious error message when loading key with a passphrase;
|
|
reported by kettenis@ ok markus@
|
|
- djm@cvs.openbsd.org 2014/07/02 04:59:06
|
|
[cipher-3des1.c]
|
|
fix ssh protocol 1 on the server that regressed with the sshkey change
|
|
(sometimes fatal() after auth completed), make file return useful status
|
|
codes.
|
|
NB. Id sync only for these two. They were bundled into the sshkey merge
|
|
above, since it was easier to sync the entire file and then apply
|
|
portable-specific changed atop it.
|
|
|
|
commit ec3d0e24a1e46873d80507f5cd8ee6d0d03ac5dc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:30:00 2014 +1000
|
|
|
|
- markus@cvs.openbsd.org 2014/06/27 18:50:39
|
|
[ssh-add.c]
|
|
fix loading of private keys
|
|
|
|
commit 4b3ed647d5b328cf68e6a8ffbee490d8e0683e82
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:29:40 2014 +1000
|
|
|
|
- markus@cvs.openbsd.org 2014/06/27 16:41:56
|
|
[channels.c channels.h clientloop.c ssh.c]
|
|
fix remote fwding with same listen port but different listen address
|
|
with gerhard@, ok djm@
|
|
|
|
commit 9e01ff28664921ce9b6500681333e42fb133b4d0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:29:21 2014 +1000
|
|
|
|
- deraadt@cvs.openbsd.org 2014/06/25 14:16:09
|
|
[sshbuf.c]
|
|
unblock SIGSEGV before raising it
|
|
ok djm
|
|
|
|
commit 1845fe6bda0729e52f4c645137f4fc3070b5438a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:29:01 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/24 02:21:01
|
|
[scp.c]
|
|
when copying local->remote fails during read, don't send uninitialised
|
|
heap to the remote end. Reported by Jann Horn
|
|
|
|
commit 19439e9a2a0ac0b4b3b1210e89695418beb1c883
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:28:40 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/24 02:19:48
|
|
[ssh.c]
|
|
don't fatal() when hostname canonicalisation fails with a
|
|
ProxyCommand in use; continue and allow the ProxyCommand to
|
|
connect anyway (e.g. to a host with a name outside the DNS
|
|
behind a bastion)
|
|
|
|
commit 8668706d0f52654fe64c0ca41a96113aeab8d2b8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 15:28:02 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/24 01:13:21
|
|
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
|
|
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
|
|
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
|
|
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
|
|
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
|
|
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
|
|
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
|
|
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
|
|
[sshconnect2.c sshd.c sshkey.c sshkey.h
|
|
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
|
|
New key API: refactor key-related functions to be more library-like,
|
|
existing API is offered as a set of wrappers.
|
|
|
|
with and ok markus@
|
|
|
|
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
|
|
Dempsky and Ron Bowes for a detailed review a few months ago.
|
|
|
|
NB. This commit also removes portable OpenSSH support for OpenSSL
|
|
<0.9.8e.
|
|
|
|
commit 2cd7929250cf9e9f658d70dcd452f529ba08c942
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 12:48:30 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/24 00:52:02
|
|
[krl.c]
|
|
fix bug in KRL generation: multiple consecutive revoked certificate
|
|
serial number ranges could be serialised to an invalid format.
|
|
|
|
Readers of a broken KRL caused by this bug will fail closed, so no
|
|
should-have-been-revoked key will be accepted.
|
|
|
|
commit 99db840ee8dbbd2b3fbc6c45d0ee2f6a65e96898
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 12:48:04 2014 +1000
|
|
|
|
- naddy@cvs.openbsd.org 2014/06/18 15:42:09
|
|
[sshbuf-getput-crypto.c]
|
|
The ssh_get_bignum functions must accept the same range of bignums
|
|
the corresponding ssh_put_bignum functions create. This fixes the
|
|
use of 16384-bit RSA keys (bug reported by Eivind Evensen).
|
|
ok djm@
|
|
|
|
commit 84a89161a9629239b64171ef3e22ef6a3e462d51
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 12:47:48 2014 +1000
|
|
|
|
- matthew@cvs.openbsd.org 2014/06/18 02:59:13
|
|
[sandbox-systrace.c]
|
|
Now that we have a dedicated getentropy(2) system call for
|
|
arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
|
|
sandbox.
|
|
|
|
ok djm
|
|
|
|
commit 51504ceec627c0ad57b9f75585c7b3d277f326be
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 2 12:47:25 2014 +1000
|
|
|
|
- deraadt@cvs.openbsd.org 2014/06/13 08:26:29
|
|
[sandbox-systrace.c]
|
|
permit SYS_getentropy
|
|
from matthew
|
|
|
|
commit a261b8df59117f7dc52abb3a34b35a40c2c9fa88
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jun 18 16:17:28 2014 -0700
|
|
|
|
- (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
|
|
|
|
commit 316fac6f18f87262a315c79bcf68b9f92c9337e4
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 17 23:06:07 2014 +1000
|
|
|
|
- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
|
|
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
|
|
Move the OpenSSL header/library version test into its own function and add
|
|
tests for it. Fix it to allow fix version upgrades (but not downgrades).
|
|
Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
|
|
ok djm@ chl@
|
|
|
|
commit af665bb7b092a59104db1e65577851cf35b86e32
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jun 16 22:50:55 2014 +1000
|
|
|
|
- (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via
|
|
OpenSMTPD and chl@
|
|
|
|
commit f9696566fb41320820f3b257ab564fa321bb3751
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jun 13 11:06:04 2014 +1000
|
|
|
|
- (dtucker) [configure.ac] Remove tcpwrappers support, support has already
|
|
been removed from sshd.c.
|
|
|
|
commit 5e2b8894b0b24af4ad0a2f7aa33ebf255df7a8bc
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jun 11 18:31:10 2014 -0700
|
|
|
|
- (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
|
|
u_intXX_t types.
|
|
|
|
commit 985ee2cbc3e43bc65827c3c0d4df3faa99160c37
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jun 12 05:32:29 2014 +1000
|
|
|
|
- (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
|
|
Wrap stdlib.h include an ifdef for platforms that don't have it.
|
|
|
|
commit cf5392c2db2bb1dbef9818511d34056404436109
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jun 12 05:22:49 2014 +1000
|
|
|
|
- (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
|
|
openbsd-compat/bsd-asprintf.c.
|
|
|
|
commit 58538d795e0b662f2f4e5a7193f1204bbe992ddd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 13:39:24 2014 +1000
|
|
|
|
- (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
|
|
compat stuff, specifically whether or not OpenSSL has ECC.
|
|
|
|
commit eb012ac581fd0abc16ee86ee3a68cf07c8ce4d08
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 13:10:00 2014 +1000
|
|
|
|
- (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
|
|
assigment that might get optimized out. ok djm@
|
|
|
|
commit b9609fd86c623d6d440e630f5f9a63295f7aea20
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 08:04:02 2014 +1000
|
|
|
|
- (dtucker) [sshbuf.h] Only declare ECC functions if building without
|
|
OpenSSL or if OpenSSL has ECC.
|
|
|
|
commit a54a040f66944c6e8913df8635a01a2327219be9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 07:58:35 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/06/10 21:46:11
|
|
[sshbuf.h]
|
|
Group ECC functions together to make things a little easier in -portable.
|
|
"doesn't bother me" deraadt@
|
|
|
|
commit 9f92c53bad04a89067756be8198d4ec2d8a08875
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 07:57:58 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/06/05 22:17:50
|
|
[sshconnect2.c]
|
|
fix inverted test that caused PKCS#11 keys that were explicitly listed
|
|
not to be preferred. Reported by Dirk-Willem van Gulik
|
|
|
|
commit 15c254a25394f96643da2ad0f674acdc51e89856
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 07:38:49 2014 +1000
|
|
|
|
- (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
|
|
ECC variable too.
|
|
|
|
commit d7af0cc5bf273eeed0897a99420bc26841d07d8f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 07:37:25 2014 +1000
|
|
|
|
- (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
|
|
the proposal if the version of OpenSSL we're using doesn't support ECC.
|
|
|
|
commit 67508ac2563c33d582be181a3e777c65f549d22f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 11 06:27:16 2014 +1000
|
|
|
|
- (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
|
|
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
|
|
curve tests if OpenSSL has them.
|
|
|
|
commit 6482d90a65459a88c18c925368525855832272b3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 27 14:34:42 2014 +1000
|
|
|
|
- (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
|
|
[openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
|
|
separation user at runtime, since it may need to be a domain account.
|
|
Patch from Corinna Vinschen.
|
|
|
|
commit f9eb5e0734f7a7f6e975809eb54684d2a06a7ffc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 27 14:31:58 2014 +1000
|
|
|
|
- (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
|
|
from Corinna Vinschen, fixing a number of bugs and preparing for
|
|
Cygwin 1.7.30.
|
|
|
|
commit eae88744662e6b149f43ef071657727f1a157d95
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 27 14:27:02 2014 +1000
|
|
|
|
- (djm) [cipher.c] Fix merge botch.
|
|
|
|
commit 564b5e253c1d95c26a00e8288f0089a2571661c3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 22 08:23:59 2014 +1000
|
|
|
|
- (djm) [Makefile.in] typo in path
|
|
|
|
commit e84d10302aeaf7a1acb05c451f8718143656856a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed May 21 17:13:36 2014 +1000
|
|
|
|
revert a diff I didn't mean to commit
|
|
|
|
commit 795b86313f1f1aab9691666c4f2d5dae6e4acd50
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed May 21 17:12:53 2014 +1000
|
|
|
|
- (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
|
|
when it is available. It takes into account time spent suspended,
|
|
thereby ensuring timeouts (e.g. for expiring agent keys) fire
|
|
correctly. bz#2228 reported by John Haxby
|
|
|
|
commit 18912775cb97c0b1e75e838d3c7d4b56648137b5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed May 21 17:06:46 2014 +1000
|
|
|
|
- (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
|
|
vhangup on Linux. It doens't work for non-root users, and for them
|
|
it just messes up the tty settings.
|
|
|
|
commit 7f1c264d3049cd95234e91970ccb5406e1d15b27
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 18:01:52 2014 +1000
|
|
|
|
- (djm) [sshbuf.c] need __predict_false
|
|
|
|
commit e7429f2be8643e1100380a8a7389d85cc286c8fe
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 18:01:01 2014 +1000
|
|
|
|
- (djm) [regress/Makefile Makefile.in]
|
|
[regress/unittests/sshbuf/test_sshbuf.c
|
|
[regress/unittests/sshbuf/test_sshbuf_fixed.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_fuzz.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_misc.c]
|
|
[regress/unittests/sshbuf/tests.c]
|
|
[regress/unittests/test_helper/fuzz.c]
|
|
[regress/unittests/test_helper/test_helper.c]
|
|
Hook new unit tests into the build and "make tests"
|
|
|
|
commit def1de086707b0e6b046fe7e115c60aca0227a99
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 15:17:15 2014 +1000
|
|
|
|
- (djm) [regress/unittests/Makefile]
|
|
[regress/unittests/Makefile.inc]
|
|
[regress/unittests/sshbuf/Makefile]
|
|
[regress/unittests/sshbuf/test_sshbuf.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_fixed.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_fuzz.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
|
|
[regress/unittests/sshbuf/test_sshbuf_misc.c]
|
|
[regress/unittests/sshbuf/tests.c]
|
|
[regress/unittests/test_helper/Makefile]
|
|
[regress/unittests/test_helper/fuzz.c]
|
|
[regress/unittests/test_helper/test_helper.c]
|
|
[regress/unittests/test_helper/test_helper.h]
|
|
Import new unit tests from OpenBSD; not yet hooked up to build.
|
|
|
|
commit 167685756fde8bc213a8df2c8e1848e312db0f46
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 15:08:40 2014 +1000
|
|
|
|
- logan@cvs.openbsd.org 2014/05/04 10:40:59
|
|
[connect-privsep.sh]
|
|
Remove the Z flag from the list of malloc options as it
|
|
was removed from malloc.c 10 days ago.
|
|
|
|
OK from miod@
|
|
|
|
commit d0b69fe90466920d69c96069312e24b581771bd7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 15:08:19 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/05/03 18:46:14
|
|
[proxy-connect.sh]
|
|
Add tests for with and without compression, with and without privsep.
|
|
|
|
commit edb1af50441d19fb2dd9ccb4d75bf14473fca584
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 15:07:53 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/21 22:15:37
|
|
[dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
|
|
repair regress tests broken by server-side default cipher/kex/mac changes
|
|
by ensuring that the option under test is included in the server's
|
|
algorithm list
|
|
|
|
commit 54343e95c70994695f8842fb22836321350198d3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 15:07:33 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/03/13 20:44:49
|
|
[login-timeout.sh]
|
|
this test is a sorry mess of race conditions; add another sleep
|
|
to avoid a failure on slow machines (at least until I find a
|
|
better way)
|
|
|
|
commit e5b9f0f2ee6e133894307e44e862b66426990733
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:58:07 2014 +1000
|
|
|
|
- (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
|
|
[sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
|
|
|
|
commit b9c566788a9ebd6a9d466f47a532124f111f0542
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:43:37 2014 +1000
|
|
|
|
- (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
|
|
portability glue to support building without libcrypto
|
|
|
|
commit 3dc27178b42234b653a32f7a87292d7994045ee3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:37:59 2014 +1000
|
|
|
|
- logan@cvs.openbsd.org 2014/05/05 07:02:30
|
|
[sftp.c]
|
|
Zap extra whitespace.
|
|
|
|
OK from djm@ and dtucker@
|
|
|
|
commit c31a0cd5b31961f01c5b731f62a6cb9d4f767472
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:37:39 2014 +1000
|
|
|
|
- markus@cvs.openbsd.org 2014/05/03 17:20:34
|
|
[monitor.c packet.c packet.h]
|
|
unbreak compression, by re-init-ing the compression code in the
|
|
post-auth child. the new buffer code is more strict, and requires
|
|
buffer_init() while the old code was happy after a bzero();
|
|
originally from djm@
|
|
|
|
commit 686c7d9ee6f44b2be4128d7860b6b37adaeba733
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:37:03 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/05/02 03:27:54
|
|
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
|
|
[misc.h poly1305.h ssh-pkcs11.c defines.h]
|
|
revert __bounded change; it causes way more problems for portable than
|
|
it solves; pointed out by dtucker@
|
|
|
|
commit 294c58a007cfb2f3bddc4fc3217e255857ffb9bf
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:35:03 2014 +1000
|
|
|
|
- naddy@cvs.openbsd.org 2014/04/30 19:07:48
|
|
[mac.c myproposal.h umac.c]
|
|
UMAC can use our local fallback implementation of AES when OpenSSL isn't
|
|
available. Glue code straight from Ted Krovetz's original umac.c.
|
|
ok markus@
|
|
|
|
commit 05e82c3b963c33048128baf72a6f6b3a1c10b4c1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:33:43 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/30 05:29:56
|
|
[bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
|
|
[sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
|
|
[ssherr.h]
|
|
New buffer API; the first installment of the conversion/replacement
|
|
of OpenSSH's internals to make them usable as a standalone library.
|
|
|
|
This includes a set of wrappers to make it compatible with the
|
|
existing buffer API so replacement can occur incrementally.
|
|
|
|
With and ok markus@
|
|
|
|
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
|
|
Dempsky and Ron Bowes for a detailed review.
|
|
|
|
commit 380948180f847a26f2d0c85b4dad3dca2ed2fd8b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:25:18 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/04/29 20:36:51
|
|
[sftp.c]
|
|
Don't attempt to append a nul quote char to the filename. Should prevent
|
|
fatal'ing with "el_insertstr failed" when there's a single quote char
|
|
somewhere in the string. bz#2238, ok markus@
|
|
|
|
commit d7fd8bedd4619a2ec7fd02aae4c4e1db4431ad9f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:24:59 2014 +1000
|
|
|
|
- dtucker@cvs.openbsd.org 2014/04/29 19:58:50
|
|
[sftp.c]
|
|
Move nulling of variable next to where it's freed. ok markus@
|
|
|
|
commit 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 14:24:09 2014 +1000
|
|
|
|
- markus@cvs.openbsd.org 2014/04/29 18:01:49
|
|
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
|
|
[kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
|
|
[roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
|
|
[ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
|
|
make compiling against OpenSSL optional (make OPENSSL=no);
|
|
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
|
|
allows us to explore further options; with and ok djm
|
|
|
|
commit c5893785564498cea73cb60d2cf199490483e080
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:48:49 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/29 13:10:30
|
|
[clientloop.c serverloop.c]
|
|
bz#1818 - don't send channel success/failre replies on channels that
|
|
have sent a close already; analysis and patch from Simon Tatham;
|
|
ok markus@
|
|
|
|
commit 633de33b192d808d87537834c316dc8b75fe1880
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:48:26 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/28 03:09:18
|
|
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
|
|
[ssh-keygen.c]
|
|
buffer_get_string_ptr's return should be const to remind
|
|
callers that futzing with it will futz with the actual buffer
|
|
contents
|
|
|
|
commit 15271907843e4ae50dcfc83b3594014cf5e9607b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:47:56 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/23 12:42:34
|
|
[readconf.c]
|
|
don't record duplicate IdentityFiles
|
|
|
|
commit 798a02568b13a2e46efebd81f08c8f4bb33a6dc7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:47:37 2014 +1000
|
|
|
|
- jmc@cvs.openbsd.org 2014/04/22 14:16:30
|
|
[sftp.1]
|
|
zap eol whitespace;
|
|
|
|
commit d875ff78d2b8436807381051de112f0ebf9b9ae1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:47:15 2014 +1000
|
|
|
|
- logan@cvs.openbsd.org 2014/04/22 12:42:04
|
|
[sftp.1]
|
|
Document sftp upload resume.
|
|
OK from djm@, with feedback from okan@.
|
|
|
|
commit b15cd7bb097fd80dc99520f45290ef775da1ef19
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:46:52 2014 +1000
|
|
|
|
- logan@cvs.openbsd.org 2014/04/22 10:07:12
|
|
[sftp.c]
|
|
Sort the sftp command list.
|
|
OK from djm@
|
|
|
|
commit d8accc0aa72656ba63d50937165c5ae49db1dcd6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:46:25 2014 +1000
|
|
|
|
- logan@cvs.openbsd.org 2014/04/21 14:36:16
|
|
[sftp-client.c sftp-client.h sftp.c]
|
|
Implement sftp upload resume support.
|
|
OK from djm@, with input from guenther@, mlarkin@ and
|
|
okan@
|
|
|
|
commit 16cd3928a87d20c77b13592a74b60b08621d3ce6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:45:58 2014 +1000
|
|
|
|
- logan@cvs.openbsd.org 2014/04/20 09:24:26
|
|
[dns.c dns.h ssh-keygen.c]
|
|
Add support for SSHFP DNS records for ED25519 key types.
|
|
OK from djm@
|
|
|
|
commit ec0b67eb3b4e12f296ced1fafa01860c374f7eea
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 15 13:45:26 2014 +1000
|
|
|
|
- (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
|
|
OpenBSD
|
|
|
|
commit f028460d0b2e5a584355321015cde69bf6fd933e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu May 1 02:24:35 2014 +1000
|
|
|
|
- (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
|
|
have it. Only attempt to use __attribute__(__bounded__) for gcc.
|
|
|
|
commit b628cc4c3e4a842bab5e4584d18c2bc5fa4d0edf
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:33:58 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/20 02:49:32
|
|
[compat.c]
|
|
add a canonical 6.6 + curve25519 bignum fix fake version that I can
|
|
recommend people use ahead of the openssh-6.7 release
|
|
|
|
commit 888566913933a802f3a329ace123ebcb7154cf78
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:33:19 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/20 02:30:25
|
|
[misc.c misc.h umac.c]
|
|
use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
|
|
strict-alignment architectures; reported by and ok stsp@
|
|
|
|
commit 16f85cbc7e5139950e6a38317e7c8b368beafa5d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:29:28 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/04/19 18:42:19
|
|
[ssh.1]
|
|
delete .xr to hosts.equiv. there's still an unfortunate amount of
|
|
documentation referring to rhosts equivalency in here.
|
|
|
|
commit 69cb24b7356ec3f0fc5ff04a68f98f2c55c766f4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:29:06 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/04/19 18:15:16
|
|
[sshd.8]
|
|
remove some really old rsh references
|
|
|
|
commit 84c1e7bca8c4ceaccf4d5557e39a833585a3c77e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:27:53 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/04/19 14:53:48
|
|
[ssh-keysign.c sshd.c]
|
|
Delete futile calls to RAND_seed. ok djm
|
|
NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
|
|
|
|
commit 0e6b67423b8662f9ca4c92750309e144fd637ef1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:27:01 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/19 05:54:59
|
|
[compat.c]
|
|
missing wildcard; pointed out by naddy@
|
|
|
|
commit 9395b28223334826837c15e8c1bb4dfb3b0d2ca5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:25:30 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/18 23:52:25
|
|
[compat.c compat.h sshconnect2.c sshd.c version.h]
|
|
OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
|
|
using the curve25519-sha256@libssh.org KEX exchange method to fail
|
|
when connecting with something that implements the spec properly.
|
|
|
|
Disable this KEX method when speaking to one of the affected
|
|
versions.
|
|
|
|
reported by Aris Adamantiadis; ok markus@
|
|
|
|
commit 8c492da58f8ceb85cf5f7066f23e26fb813a963d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:25:09 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/16 23:28:12
|
|
[ssh-agent.1]
|
|
remove the identity files from this manpage - ssh-agent doesn't deal
|
|
with them at all and the same information is duplicated in ssh-add.1
|
|
(which does deal with them); prodded by deraadt@
|
|
|
|
commit adbfdbbdccc70c9bd70d81ae096db115445c6e26
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:24:49 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/16 23:22:45
|
|
[bufaux.c]
|
|
skip leading zero bytes in buffer_put_bignum2_from_string();
|
|
reported by jan AT mojzis.com; ok markus@
|
|
|
|
commit 75c62728dc87af6805696eeb520b9748faa136c8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:24:31 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/12 04:55:53
|
|
[sshd.c]
|
|
avoid crash at exit: check that pmonitor!=NULL before dereferencing;
|
|
bz#2225, patch from kavi AT juniper.net
|
|
|
|
commit 2a328437fb1b0976f2f4522d8645803d5a5d0967
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:24:01 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/01 05:32:57
|
|
[packet.c]
|
|
demote a debug3 to PACKET_DEBUG; ok markus@
|
|
|
|
commit 7d6a9fb660c808882d064e152d6070ffc3844c3f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:23:43 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/01 03:34:10
|
|
[sshconnect.c]
|
|
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
|
|
certificate keys to plain keys and attempt SSHFP resolution.
|
|
|
|
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
|
dialog by offering only certificate keys.
|
|
|
|
Reported by mcv21 AT cam.ac.uk
|
|
|
|
commit fcd62c0b66b8415405ed0af29c236329eb88cc0f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:23:21 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/04/01 02:05:27
|
|
[ssh-keysign.c]
|
|
include fingerprint of key not found
|
|
use arc4random_buf() instead of loop+arc4random()
|
|
|
|
commit 43b156cf72f900f88065b0a1c1ebd09ab733ca46
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:23:03 2014 +1000
|
|
|
|
- jmc@cvs.openbsd.org 2014/03/31 13:39:34
|
|
[ssh-keygen.1]
|
|
the text for the -K option was inserted in the wrong place in -r1.108;
|
|
fix From: Matthew Clarke
|
|
|
|
commit c1621c84f2dc1279065ab9fde2aa9327af418900
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:22:46 2014 +1000
|
|
|
|
- naddy@cvs.openbsd.org 2014/03/28 05:17:11
|
|
[ssh_config.5 sshd_config.5]
|
|
sync available and default algorithms, improve algorithm list formatting
|
|
help from jmc@ and schwarze@, ok deraadt@
|
|
|
|
commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:22:18 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/03/26 19:58:37
|
|
[sshd.8 sshd.c]
|
|
remove libwrap support. ok deraadt djm mfriedl
|
|
|
|
commit 4f40209aa4060b9c066a2f0d9332ace7b8dfb391
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:21:22 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/03/26 04:55:35
|
|
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
|
|
[misc.h poly1305.h ssh-pkcs11.c]
|
|
use __bounded(...) attribute recently added to sys/cdefs.h instead of
|
|
longform __attribute__(__bounded(...));
|
|
|
|
for brevity and a warning free compilation with llvm/clang
|
|
|
|
commit 9235a030ad1b16903fb495d81544e0f7c7449523
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:17:20 2014 +1000
|
|
|
|
Three commits in one (since they touch the same heavily-diverged file
|
|
repeatedly):
|
|
|
|
- markus@cvs.openbsd.org 2014/03/25 09:40:03
|
|
[myproposal.h]
|
|
trimm default proposals.
|
|
|
|
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
|
|
(arcfour), and the broken modes (CBC) from the default configuration
|
|
(the patch only changes the default, all the modes are still available
|
|
for the config files).
|
|
|
|
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
|
- deraadt@cvs.openbsd.org 2014/03/26 17:16:26
|
|
[myproposal.h]
|
|
The current sharing of myproposal[] between both client and server code
|
|
makes the previous diff highly unpallatable. We want to go in that
|
|
direction for the server, but not for the client. Sigh.
|
|
Brought up by naddy.
|
|
- markus@cvs.openbsd.org 2014/03/27 23:01:27
|
|
[myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
|
|
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
|
|
|
commit 6e1777f592f15f4559728c78204617537b1ac076
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:02:58 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/03/19 14:42:44
|
|
[scp.1]
|
|
there is no need for rcp anymore
|
|
ok deraadt millert
|
|
|
|
commit eb1b7c514d2a7b1802ccee8cd50e565a4d419887
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:02:26 2014 +1000
|
|
|
|
- tedu@cvs.openbsd.org 2014/03/17 19:44:10
|
|
[ssh.1]
|
|
old descriptions of des and blowfish are old. maybe ok deraadt
|
|
|
|
commit f0858de6e1324ec730752387074b111b8551081e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:01:30 2014 +1000
|
|
|
|
- deraadt@cvs.openbsd.org 2014/03/15 17:28:26
|
|
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
|
|
Improve usage() and documentation towards the standard form.
|
|
In particular, this line saves a lot of man page reading time.
|
|
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
|
|
[-N new_passphrase] [-C comment] [-f output_keyfile]
|
|
ok schwarze jmc
|
|
|
|
commit 94bfe0fbd6e91a56b5b0ab94ac955d2a67d101aa
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:00:51 2014 +1000
|
|
|
|
- naddy@cvs.openbsd.org 2014/03/12 13:06:59
|
|
[ssh-keyscan.1]
|
|
scan for Ed25519 keys by default too
|
|
|
|
commit 3819519288b2b3928c6882f5883b0f55148f4fc0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:00:28 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/03/12 04:51:12
|
|
[authfile.c]
|
|
correct test that kdf name is not "none" or "bcrypt"
|
|
|
|
commit 8f9cd709c7cf0655d414306a0ed28306b33802be
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 13:00:11 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/03/12 04:50:32
|
|
[auth-bsdauth.c ssh-keygen.c]
|
|
don't count on things that accept arguments by reference to clear
|
|
things for us on error; most things do, but it's unsafe form.
|
|
|
|
commit 1c7ef4be83f6dec84509a312518b9df00ab491d9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 12:59:46 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/03/12 04:44:58
|
|
[ssh-keyscan.c]
|
|
scan for Ed25519 keys by default too
|
|
|
|
commit c10bf4d051c97939b30a1616c0499310057d07da
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Apr 20 12:58:04 2014 +1000
|
|
|
|
- djm@cvs.openbsd.org 2014/03/03 22:22:30
|
|
[session.c]
|
|
ignore enviornment variables with embedded '=' or '\0' characters;
|
|
spotted by Jann Horn; ok deraadt@
|
|
Id sync only - portable already has this.
|
|
|
|
commit c2e49062faccbcd7135c40d1c78c5c329c58fc2e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Apr 1 14:42:46 2014 +1100
|
|
|
|
- (djm) Use full release (e.g. 6.5p1) in debug output rather than just
|
|
version. From des@des.no
|
|
|
|
commit 14928b7492abec82afa4c2b778fc03f78cd419b6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Apr 1 14:38:07 2014 +1100
|
|
|
|
- (djm) On platforms that support it, use prctl() to prevent sftp-server
|
|
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
|
|
|
|
commit 48abc47e60048461fe9117e108a7e99ea1ac2bb8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Mar 17 14:45:56 2014 +1100
|
|
|
|
- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
|
|
remind myself to add sandbox violation logging via the log socket.
|
|
|
|
commit 9c36698ca2f554ec221dc7ef29c7a89e97c88705
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Fri Mar 14 12:45:01 2014 -0700
|
|
|
|
20140314
|
|
- (tim) [opensshd.init.in] Add support for ed25519
|
|
|
|
commit 19158b2447e35838d69b2b735fb640d1e86061ea
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Mar 13 13:14:21 2014 +1100
|
|
|
|
- (djm) Release OpenSSH 6.6
|
|
|
|
commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 4 09:35:17 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/03/03 22:22:30
|
|
[session.c]
|
|
ignore enviornment variables with embedded '=' or '\0' characters;
|
|
spotted by Jann Horn; ok deraadt@
|
|
|
|
commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Mar 2 04:01:00 2014 +1100
|
|
|
|
- (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
|
|
no moduli file exists at the expected location.
|
|
|
|
commit c83fdf30e9db865575b2521b1fe46315cf4c70ae
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:34:03 2014 +1100
|
|
|
|
- (djm) [regress/host-expand.sh] Add RCS Id
|
|
|
|
commit 834aeac3555e53f7d29a6fcf3db010dfb99681c7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:25:16 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/27 21:21:25
|
|
[agent-ptrace.sh agent.sh]
|
|
keep return values that are printed in error messages;
|
|
from portable
|
|
(Id sync only)
|
|
|
|
commit 4f7f1a9a0de24410c30952c7e16d433240422182
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:24:11 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/27 20:04:16
|
|
[login-timeout.sh]
|
|
remove any existing LoginGraceTime from sshd_config before adding
|
|
a specific one for the test back in
|
|
|
|
commit d705d987c27f68080c8798eeb5262adbdd6b4ffd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:23:26 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/26 10:49:17
|
|
[scp-ssh-wrapper.sh scp.sh]
|
|
make sure $SCP is tested on the remote end rather than whichever one
|
|
happens to be in $PATH; from portable
|
|
(Id sync only)
|
|
|
|
commit 624a3ca376e3955a4b9d936c9e899e241b65d357
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:22:37 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/26 10:22:10
|
|
[regress/cert-hostkey.sh]
|
|
automatically generate revoked keys from listed keys rather than
|
|
manually specifying each type; from portable
|
|
(Id sync only)
|
|
|
|
commit b84392328425e4b9a71f8bde5fe6a4a4c48d3ec4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:21:26 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/25 04:35:32
|
|
[regress/Makefile regress/dhgex.sh]
|
|
Add a test for DH GEX sizes
|
|
|
|
commit 1e2aa3d90472293ea19008f02336d6d68aa05793
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:19:51 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/20 00:00:30
|
|
[sftp-chroot.sh]
|
|
append to rather than truncating the log file
|
|
|
|
commit f483cc16fe7314e24a37aa3a4422b03c013c3213
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:19:11 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/19 23:43:02
|
|
[regress/sftp-chroot.sh]
|
|
Don't use -q on sftp as it suppresses logging, instead redirect the
|
|
output to the regress logfile.
|
|
|
|
commit 6486f16f1c0ebd6f39286f6ab5e08286d90a994a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:03:52 2014 +1100
|
|
|
|
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
|
|
commit 92cf5adea194140380e6af6ec32751f9ad540794
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:01:53 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/27 22:57:40
|
|
[version.h]
|
|
openssh-6.6
|
|
|
|
commit fc5d6759aba71eb205b296b5f148010ffc828583
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:01:28 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/27 22:47:07
|
|
[sshd_config.5]
|
|
bz#2184 clarify behaviour of a keyword that appears in multiple
|
|
matching Match blocks; ok dtucker@
|
|
|
|
commit 172ec7e0af1a5f1d682f6a2dca335c6c186153d5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:00:57 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/27 08:25:09
|
|
[bufbn.c]
|
|
off by one in range check
|
|
|
|
commit f9a9aaba437c2787e40cf7cc928281950e161678
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 28 10:00:27 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/27 00:41:49
|
|
[bufbn.c]
|
|
fix unsigned overflow that could lead to reading a short ssh protocol
|
|
1 bignum value; found by Ben Hawkes; ok deraadt@
|
|
|
|
commit fb3423b612713d9cde67c8a75f6f51188d6a3de3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 27 10:20:07 2014 +1100
|
|
|
|
- markus@cvs.openbsd.org 2014/02/26 21:53:37
|
|
[sshd.c]
|
|
ssh_gssapi_prepare_supported_oids needs GSSAPI
|
|
|
|
commit 1348129a34f0f7728c34d86c100a32dcc8d1f922
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 27 10:18:32 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/26 20:29:29
|
|
[channels.c]
|
|
don't assume that the socks4 username is \0 terminated;
|
|
spotted by Ben Hawkes; ok markus@
|
|
|
|
commit e6a74aeeacd01d885262ff8e50eb28faee8c8039
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 27 10:17:49 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/26 20:28:44
|
|
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
|
|
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
|
|
sandboxing, as running this code in the sandbox can cause violations;
|
|
ok markus@
|
|
|
|
commit 08b57c67f3609340ff703fe2782d7058acf2529e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 27 10:17:13 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/26 20:18:37
|
|
[ssh.c]
|
|
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
|
|
ok dtucker@ markus@
|
|
|
|
commit 13f97b2286142fd0b8eab94e4ce84fe124eeb752
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Feb 24 15:57:55 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/23 20:11:36
|
|
[readconf.c readconf.h ssh.c ssh_config.5]
|
|
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
|
|
the hostname. This allows users to write configurations that always
|
|
refer to canonical hostnames, e.g.
|
|
|
|
CanonicalizeHostname yes
|
|
CanonicalDomains int.example.org example.org
|
|
CanonicalizeFallbackLocal no
|
|
|
|
Host *.int.example.org
|
|
Compression off
|
|
Host *.example.org
|
|
User djm
|
|
|
|
ok markus@
|
|
|
|
commit bee3a234f3d1ad4244952bcff1b4b7c525330dc2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Feb 24 15:57:22 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/23 20:03:42
|
|
[ssh-ed25519.c]
|
|
check for unsigned overflow; not reachable in OpenSSH but others might
|
|
copy our code...
|
|
|
|
commit 0628780abe61e7e50cba48cdafb1837f49ff23b2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Feb 24 15:56:45 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/22 01:32:19
|
|
[readconf.c]
|
|
when processing Match blocks, skip 'exec' clauses if previous predicates
|
|
failed to match; ok markus@
|
|
|
|
commit 0890dc8191bb201eb01c3429feec0300a9d3a930
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Feb 24 15:56:07 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/15 23:05:36
|
|
[channels.c]
|
|
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
|
|
bz#2200, debian#738692 via Colin Watson; ok dtucker@
|
|
|
|
commit d3cf67e1117c25d151d0f86396e77ee3a827045a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Feb 24 15:55:36 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/07 06:55:54
|
|
[cipher.c mac.c]
|
|
remove some logging that makes ssh debugging output very verbose;
|
|
ok markus
|
|
|
|
commit 03ae081aeaa118361c81ece76eb7cc1aaa2b40c5
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Fri Feb 21 09:09:34 2014 -0800
|
|
|
|
20140221
|
|
- (tim) [configure.ac] Fix cut-and-paste error. Patch from Bryan Drewery.
|
|
|
|
commit 4a20959d2e3c90e9d66897c0b4032c785672d815
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Feb 13 16:38:32 2014 +1100
|
|
|
|
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
|
|
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
|
|
|
|
commit d1a7a9c0fd1ac2e3314cceb2891959fd2cd9eabb
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 7 09:24:33 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/06 22:21:01
|
|
[sshconnect.c]
|
|
in ssh_create_socket(), only do the getaddrinfo for BindAddress when
|
|
BindAddress is actually specified. Fixes regression in 6.5 for
|
|
UsePrivilegedPort=yes; patch from Corinna Vinschen
|
|
|
|
commit 6ce35b6cc4ead1bf98abec34cb2e2d6ca0abb15e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 7 09:24:14 2014 +1100
|
|
|
|
- naddy@cvs.openbsd.org 2014/02/05 20:13:25
|
|
[ssh-keygen.1 ssh-keygen.c]
|
|
tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
|
|
while here, fix ordering in usage(); requested by jmc@
|
|
|
|
commit 6434cb2cfbbf0a46375d2d22f2ff9927feb5e478
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 6 11:17:50 2014 +1100
|
|
|
|
- (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
|
|
__NR_shutdown; some go via the socketcall(2) multiplexer.
|
|
|
|
commit 8d36f9ac71eff2e9f5770c0518b73d875f270647
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Feb 6 10:44:13 2014 +1100
|
|
|
|
- (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
|
|
before freeing since free(NULL) is a no-op. ok djm.
|
|
|
|
commit a0959da3680b4ce8cf911caf3293a6d90f88eeb7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Feb 5 10:33:45 2014 +1100
|
|
|
|
- (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
|
|
headers/libc but not supported by the kernel. Patch from Loganaden
|
|
Velvindron @ AfriNIC
|
|
|
|
commit 9c449bc183b256c84d8f740727b0bc54d247b15e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:38:28 2014 +1100
|
|
|
|
- (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
|
|
|
|
commit bf7e0f03be661b6f5b3bfe325135ce19391f9c4d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:37:50 2014 +1100
|
|
|
|
- (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
|
|
|
|
commit eb6d870a0ea8661299bb2ea8f013d3ace04e2024
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:26:34 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/04 00:24:29
|
|
[ssh.c]
|
|
delay lowercasing of hostname until right before hostname
|
|
canonicalisation to unbreak case-sensitive matching of ssh_config;
|
|
reported by Ike Devolder; ok markus@
|
|
|
|
commit d56b44d2dfa093883a5c4e91be3f72d99946b170
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:26:04 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/04 00:24:29
|
|
[ssh.c]
|
|
delay lowercasing of hostname until right before hostname
|
|
canonicalisation to unbreak case-sensitive matching of ssh_config;
|
|
reported by Ike Devolder; ok markus@
|
|
|
|
commit db3c595ea74ea9ccd5aa644d7e1f8dc675710731
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:25:45 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/02 03:44:31
|
|
[digest-libc.c digest-openssl.c]
|
|
convert memset of potentially-private data to explicit_bzero()
|
|
|
|
commit aae07e2e2000dd318418fd7fd4597760904cae32
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:20:40 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/03 23:28:00
|
|
[ssh-ecdsa.c]
|
|
fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
|
|
DSA_SIG_new. Reported by Batz Spear; ok markus@
|
|
|
|
commit a5103f413bde6f31bff85d6e1fd29799c647d765
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:20:14 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/02/02 03:44:32
|
|
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
|
|
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
|
|
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
|
|
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
|
|
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
|
|
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
|
|
[sshd.c]
|
|
convert memset of potentially-private data to explicit_bzero()
|
|
|
|
commit 1d2c4564265ee827147af246a16f3777741411ed
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:18:20 2014 +1100
|
|
|
|
- tedu@cvs.openbsd.org 2014/01/31 16:39:19
|
|
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
|
|
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
|
|
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
|
|
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
|
|
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
|
|
replace most bzero with explicit_bzero, except a few that cna be memset
|
|
ok djm dtucker
|
|
|
|
commit 3928de067c286683a95fbdbdb5fdb3c78a0e5efd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:13:54 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/30 22:26:14
|
|
[sandbox-systrace.c]
|
|
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
|
|
from portable
|
|
(Id sync only; change is already in portable)
|
|
|
|
commit e1e480aee8a9af6cfbe7188667b7b940d6b57f9f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:13:17 2014 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2014/01/29 14:04:51
|
|
[sshd_config.5]
|
|
document kbdinteractiveauthentication;
|
|
requested From: Ross L Richardson
|
|
|
|
dtucker/markus helped explain its workings;
|
|
|
|
commit 7cc194f70d4a5ec9a82d19422eaf18db4a6624c6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:12:56 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/29 06:18:35
|
|
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
|
|
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
|
|
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
|
|
remove experimental, never-enabled JPAKE code; ok markus@
|
|
|
|
commit b0f26544cf6f4feeb1a4f6db09fca834f5c9867d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:10:01 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/29 00:19:26
|
|
[sshd.c]
|
|
use kill(0, ...) instead of killpg(0, ...); on most operating systems
|
|
they are equivalent, but SUSv2 describes the latter as having undefined
|
|
behaviour; from portable; ok dtucker
|
|
(Id sync only; change is already in portable)
|
|
|
|
commit f8f35bc471500348bb262039fb1fc43175d251b0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:09:12 2014 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2014/01/28 14:13:39
|
|
[ssh-keyscan.1]
|
|
kill some bad Pa;
|
|
From: Jan Stary
|
|
|
|
commit 0ba85d696ae9daf66002c2e4ab0d6bb111e1a787
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:08:38 2014 +1100
|
|
|
|
ignore a few more regress droppings
|
|
|
|
commit ec93d15170b7a6ddf63fd654bd0f6a752acc19dd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:07:13 2014 +1100
|
|
|
|
- markus@cvs.openbsd.org 2014/01/27 20:13:46
|
|
[digest.c digest-openssl.c digest-libc.c Makefile.in]
|
|
rename digest.c to digest-openssl.c and add libc variant; ok djm@
|
|
|
|
commit 4a1c7aa640fb97d3472d51b215b6a0ec0fd025c7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:03:36 2014 +1100
|
|
|
|
- markus@cvs.openbsd.org 2014/01/27 19:18:54
|
|
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
|
|
replace openssl MD5 with our ssh_digest_*; ok djm@
|
|
|
|
commit 4e8d937af79ce4e253f77ec93489d098b25becc3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 4 11:02:42 2014 +1100
|
|
|
|
- markus@cvs.openbsd.org 2014/01/27 18:58:14
|
|
[Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
|
|
replace openssl HMAC with an implementation based on our ssh_digest_*
|
|
ok and feedback djm@
|
|
|
|
commit 69d0d09f76bab5aec86fbf78489169f63bd16475
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Fri Jan 31 14:25:18 2014 -0800
|
|
|
|
- (tim) [Makefile.in] build regress/setuid-allow.
|
|
|
|
commit 0eeafcd76b972a3d159f3118227c149a4d7817fe
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 31 14:18:51 2014 +1100
|
|
|
|
- (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes
|
|
build with HP-UX's compiler. Patch from Kevin Brott.
|
|
|
|
commit 7e5cec6070673e9f9785ffc749837ada22fbe99f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 31 09:25:34 2014 +1100
|
|
|
|
- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
|
|
syscall from sandboxes; it may be called by packet_close.
|
|
|
|
commit cdb6c90811caa5df2df856be9b0b16db020fe31d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 30 12:50:17 2014 +1100
|
|
|
|
- (djm) Release openssh-6.5p1
|
|
|
|
commit 996ea80b1884b676a901439f1f2681eb6ff68501
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 30 12:49:55 2014 +1100
|
|
|
|
trim entries prior to openssh-6.0p1
|
|
|
|
commit f5bbd3b657b6340551c8a95f74a70857ff8fac79
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 30 11:26:46 2014 +1100
|
|
|
|
- (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
|
|
different symbols for 'read' when various compiler flags are
|
|
in use, causing atomicio.c comparisons against it to break and
|
|
read/write operations to hang; ok dtucker
|
|
|
|
commit c2868192ddc4e1420a50389e18c05db20b0b1f32
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 30 10:21:19 2014 +1100
|
|
|
|
- (djm) [configure.ac] Only check for width-specified integer types
|
|
in headers that actually exist. patch from Tom G. Christensen;
|
|
ok dtucker@
|
|
|
|
commit c161fc90fc86e2035710570238a9e1ca7a68d2a5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 29 21:01:33 2014 +1100
|
|
|
|
- (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
|
|
Tom G. Christensen
|
|
|
|
commit 6f917ad376481995ab7d29fb53b08ec8d507eb9e
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Jan 28 10:26:25 2014 -0800
|
|
|
|
- (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
|
|
when used as an error message inside an if statement so we display the
|
|
correct into. agent.sh patch from Petr Lautrbach.
|
|
|
|
commit ab16ef4152914d44ce6f76e48167d26d22f66a06
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 28 15:08:12 2014 +1100
|
|
|
|
- (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
|
|
latter being specified to have undefined behaviour in SUSv3;
|
|
ok dtucker
|
|
|
|
commit ab0394905884dc6e58c3721211c6b38fb8fc2ca8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 28 15:07:10 2014 +1100
|
|
|
|
- (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;
|
|
ok dtucker
|
|
|
|
commit 4ab20a82d4d4168d62318923f62382f6ef242fcd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jan 27 17:35:04 2014 +1100
|
|
|
|
- (dtucker) [Makefile.in] Remove trailing backslash which some make
|
|
implementations (eg older Solaris) do not cope with.
|
|
|
|
commit e7e8b3cfe9f8665faaf0e68b33df5bbb431bd129
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jan 27 17:32:50 2014 +1100
|
|
|
|
Welcome to 2014
|
|
|
|
commit 5b447c0aac0dd444251e276f6bb3bbbe1c05331c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jan 26 09:46:53 2014 +1100
|
|
|
|
- (djm) [configure.ac] correct AC_DEFINE for previous.
|
|
|
|
commit 2035b2236d3b1f76c749c642a43e03c85eae76e6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jan 26 09:39:53 2014 +1100
|
|
|
|
- (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
|
|
RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
|
|
libc will attempt to open additional file descriptors for crypto
|
|
offload and crash if they cannot be opened.
|
|
|
|
commit a92ac7410475fbb00383c7402aa954dc0a75ae19
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jan 26 09:38:03 2014 +1100
|
|
|
|
- markus@cvs.openbsd.org 2014/01/25 20:35:37
|
|
[kex.c]
|
|
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
|
|
ok dtucker@, noted by mancha
|
|
|
|
commit 76eea4ab4e658670ca6e76dd1e6d17f262208b57
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jan 26 09:37:25 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/25 10:12:50
|
|
[cipher.c cipher.h kex.c kex.h kexgexc.c]
|
|
Add a special case for the DH group size for 3des-cbc, which has an
|
|
effective strength much lower than the key size. This causes problems
|
|
with some cryptlib implementations, which don't support group sizes larger
|
|
than 4k but also don't use the largest group size it does support as
|
|
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
|
|
reduced by me with input from Markus. ok djm@ markus@
|
|
|
|
commit 603b8f47f1cd9ed95a2017447db8e60ca6704594
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Jan 25 13:16:59 2014 +1100
|
|
|
|
- (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test
|
|
against the correct thing.
|
|
|
|
commit c96d85376d779b6ac61525b5440010d344d2f23f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Jan 25 13:12:28 2014 +1100
|
|
|
|
- (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
|
|
sys/capability.h exists and cap_rights_limit is in libc. Fixes
|
|
build on FreeBSD9x which provides the header but not the libc
|
|
support.
|
|
|
|
commit f62ecef9939cb3dbeb10602fd705d4db3976d822
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Jan 25 12:34:38 2014 +1100
|
|
|
|
- (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
|
|
|
|
commit b0e0f760b861676a3fe5c40133b270713d5321a9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 24 14:27:04 2014 +1100
|
|
|
|
- (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make
|
|
the scp regress test actually test the built scp rather than the one
|
|
in $PATH. ok dtucker@
|
|
|
|
commit 42a092530159637da9cb7f9e1b5f4679e34a85e6
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jan 23 23:14:39 2014 +1100
|
|
|
|
- (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously
|
|
incompatible with OpenBSD's despite post-dating it by more than a decade.
|
|
Declare it as broken, and document FreeBSD's as the same. ok djm@
|
|
|
|
commit 617da33c20cb59f9ea6c99c881d92493371ef7b8
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jan 22 19:16:10 2014 -0800
|
|
|
|
- (tim) [session.c] Improve error reporting on set_id().
|
|
|
|
commit 5c2ff5e31f57d303ebb414d84a934c02728fa568
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 22 21:30:12 2014 +1100
|
|
|
|
- (djm) [configure.ac aclocal.m4] More tests to detect fallout from
|
|
platform hardening options: include some long long int arithmatic
|
|
to detect missing support functions for -ftrapv in libgcc and
|
|
equivalents, actually test linking when -ftrapv is supplied and
|
|
set either both -pie/-fPIE or neither. feedback and ok dtucker@
|
|
|
|
commit 852472a54b8a0dc3e53786b313baaa86850a4273
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 22 16:31:18 2014 +1100
|
|
|
|
- (djm) [configure.ac] Unless specifically requested, only attempt
|
|
to build Position Independent Executables on gcc >= 4.x; ok dtucker
|
|
|
|
commit ee87838786cef0194db36ae0675b3e7c4e8ec661
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 22 16:30:15 2014 +1100
|
|
|
|
- (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a
|
|
platform that is expected to use the reuse-argv style setproctitle
|
|
hack surprises us by providing a setproctitle in libc; ok dtucker
|
|
|
|
commit 5c96a154c7940fa67b1f11c421e390dbbc159f27
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 21 13:10:26 2014 +1100
|
|
|
|
- (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE
|
|
and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of
|
|
detecting toolchain-related problems; ok dtucker
|
|
|
|
commit 9464ba6fb34bb42eb3501ec3c5143662e75674bf
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Jan 20 17:59:28 2014 -0800
|
|
|
|
- (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced
|
|
with sftp chroot support. Move set_id call after chroot.
|
|
|
|
commit a6d573caa14d490e6c42fb991bcb5c6860ec704b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jan 21 12:50:46 2014 +1100
|
|
|
|
- (dtucker) [aclocal.m4] Differentiate between compile-time and link-time
|
|
tests in the configure output. ok djm.
|
|
|
|
commit 096118dc73ab14810b3c12785c0b5acb01ad6123
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jan 21 12:48:51 2014 +1100
|
|
|
|
- (dtucker) [configure.ac] Make PIE a configure-time option which defaults
|
|
to on platforms where it's known to be reliably detected and off elsewhere.
|
|
Works around platforms such as FreeBSD 9.1 where it does not interop with
|
|
-ftrapv (it seems to work but fails when trying to link ssh). ok djm@
|
|
|
|
commit f9df7f6f477792254eab33cdef71a6d66488cb88
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Jan 20 20:07:15 2014 +1100
|
|
|
|
- (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that
|
|
skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
|
|
|
|
commit c74e70eb52ccc0082bd5a70b5798bb01c114d138
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jan 20 13:18:09 2014 +1100
|
|
|
|
- (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos
|
|
implementation does not have krb5_cc_new_unique, similar to what we do
|
|
in auth-krb5.c.
|
|
|
|
commit 3510979e83b6a18ec8773c64c3fa04aa08b2e783
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Jan 20 12:41:53 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/20 00:08:48
|
|
[digest.c]
|
|
memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
|
|
|
|
commit 7eee358d7a6580479bee5cd7e52810ebfd03e5b2
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Jan 19 22:37:02 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/19 11:21:51
|
|
[addrmatch.c]
|
|
Cast the sizeof to socklen_t so it'll work even if the supplied len is
|
|
negative. Suggested by and ok djm, ok deraadt.
|
|
|
|
commit b7e01c09b56ab26e8fac56bbce0fd25e36d12bb0
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Jan 19 22:36:13 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/19 04:48:08
|
|
[ssh_config.5]
|
|
fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
|
|
|
|
commit 7b1ded04adce42efa25ada7c3a39818d3109b724
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Jan 19 15:30:02 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/19 04:17:29
|
|
[canohost.c addrmatch.c]
|
|
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
|
|
the ip options, both to prevent signed/unsigned comparison warnings.
|
|
Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
|
|
|
|
commit 293ee3c9f0796d99ebb033735f0e315f2e0180bf
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Jan 19 15:28:01 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/18 09:36:26
|
|
[session.c]
|
|
explicitly define USE_PIPES to 1 to prevent redefinition warnings in
|
|
portable on platforms that use pipes for everything. From redhat @
|
|
redhat.
|
|
|
|
commit 2aca159d05f9e7880d1d8f1ce49a218840057f53
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Jan 19 15:25:34 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/17 06:23:24
|
|
[sftp-server.c]
|
|
fix log message statvfs. ok djm
|
|
|
|
commit 841f7da89ae8b367bb502d61c5c41916c6e7ae4c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jan 18 22:12:15 2014 +1100
|
|
|
|
- (dtucker) [sandbox-capsicum.c] Correct some error messages and make the
|
|
return value check for cap_enter() consistent with the other uses in
|
|
FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140.
|
|
|
|
commit fdce3731660699b2429e93e822f2ccbaccd163ae
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jan 18 21:12:42 2014 +1100
|
|
|
|
- (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,
|
|
optind) are defined in getopt.h already. Unfortunately they are defined as
|
|
"declspec(dllimport)" for historical reasons, because the GNU linker didn't
|
|
allow auto-import on PE/COFF targets way back when. The problem is the
|
|
dllexport attributes collide with the definitions in the various source
|
|
files in OpenSSH, which obviousy define the variables without
|
|
declspec(dllimport). The least intrusive way to get rid of these warnings
|
|
is to disable warnings for GCC compiler attributes when building on Cygwin.
|
|
Patch from vinschen at redhat.com.
|
|
|
|
commit 1411c9263f46e1ee49d0d302bf7258ebe69ce827
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jan 18 21:03:59 2014 +1100
|
|
|
|
- (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function
|
|
declarations that stopped being included when we stopped including
|
|
<windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at
|
|
redhat.com.
|
|
|
|
commit 89c532d843c95a085777c66365067d64d1937eb9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jan 18 20:43:49 2014 +1100
|
|
|
|
- (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch
|
|
from vinschen at redhat.com
|
|
|
|
commit 355f861022be7b23d3009fae8f3c9f6f7fc685f7
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jan 18 00:12:38 2014 +1100
|
|
|
|
- (dtucker) [defines.h] Move our definitions of uintXX_t types down to after
|
|
they're defined if we have to define them ourselves. Fixes builds on old
|
|
AIX.
|
|
|
|
commit a3357661ee1d5d553294f36e4940e8285c7f1332
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jan 18 00:03:57 2014 +1100
|
|
|
|
- (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on
|
|
Solaris.
|
|
|
|
commit 9edcbff46ff01c8d5dee9c1aa843f09e9ad8a80e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 21:54:32 2014 +1100
|
|
|
|
- (dtucker) [configure.ac] Have --without-toolchain-hardening not turn off
|
|
stack-protector since that has a separate flag that's been around a while.
|
|
|
|
commit 6d725687c490d4ba957a1bbc0ba0a2956c09fa69
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 19:17:34 2014 +1100
|
|
|
|
- (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.
|
|
|
|
commit 5055699c7f7c7ef21703a443ec73117da392f6ae
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 18:48:22 2014 +1100
|
|
|
|
- (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we
|
|
need them to cut down on the name collisions.
|
|
|
|
commit a5cf1e220def07290260e4125e74f41ac75cf88d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 18:10:58 2014 +1100
|
|
|
|
- (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c
|
|
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
|
|
to be useful (and for the regression tests to pass) on platforms that
|
|
have statfs and fstatfs. ok djm@
|
|
|
|
commit 1357d71d7b6d269969520aaa3e84d312ec971d5b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 18:00:40 2014 +1100
|
|
|
|
- (dtucker) Fix typo in #ifndef.
|
|
|
|
commit d23a91ffb289d3553a58b7a60cec39fba9f0f506
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 17:32:30 2014 +1100
|
|
|
|
- (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c
|
|
openbsd-compat/openssl-compat.h] Add compatibility layer for older
|
|
openssl versions. ok djm@
|
|
|
|
commit 868ea1ea1c1bfdbee5dbad78f81999c5983ecf31
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 17 16:47:04 2014 +1100
|
|
|
|
- (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
|
|
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
|
|
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
|
|
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
|
|
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
|
|
|
|
commit a9d186a8b50d18869a10e9203abf71c83ddb1f79
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 16:30:49 2014 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2014/01/17 05:26:41
|
|
[digest.c]
|
|
remove unused includes. ok djm@
|
|
|
|
commit 5f1c57a7a7eb39c0e4fee3367712337dbcaef024
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 16:29:45 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/17 00:21:06
|
|
[sftp-client.c]
|
|
signed/unsigned comparison warning fix; from portable (Id sync only)
|
|
|
|
commit c548722361d89fb12c108528f96b306a26477b18
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 15:12:16 2014 +1100
|
|
|
|
- (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into
|
|
separate lines and alphabetize for easier diffing of changes.
|
|
|
|
commit acad351a5b1c37de9130c9c1710445cc45a7f6b9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 14:20:05 2014 +1100
|
|
|
|
- (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that
|
|
don't have them.
|
|
|
|
commit c3ed065ce8417aaa46490836648c173a5010f226
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 14:18:45 2014 +1100
|
|
|
|
- (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside
|
|
#ifdef HAVE_STDINT_H.
|
|
|
|
commit f45f78ae437062c7d9506c5f475b7215f486be44
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 12:43:43 2014 +1100
|
|
|
|
- (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include
|
|
includes.h to pull in all of the compatibility stuff.
|
|
|
|
commit 99df369d0340caac145d57f700d830147ff18b87
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 12:42:17 2014 +1100
|
|
|
|
- (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
|
|
|
|
commit ac413b62ea1957e80c711acbe0c11b908273fc01
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 12:31:33 2014 +1100
|
|
|
|
- (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
|
|
|
|
commit 1c4a011e9c939e74815346a560843e1862c300b8
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 12:23:23 2014 +1100
|
|
|
|
- (dtucker) [loginrec.c] Cast to the types specfied in the format
|
|
specification to prevent warnings.
|
|
|
|
commit c3d483f9a8275be1113535a1e0d0e384f605f3c4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 17 11:20:26 2014 +1100
|
|
|
|
- (djm) [sftp-client.c] signed/unsigned comparison fix
|
|
|
|
commit fd994379dd972417d0491767f7cd9b5bf23f4975
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jan 17 09:53:24 2014 +1100
|
|
|
|
- (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain
|
|
hardening flags including -fstack-protector-strong. These default to on
|
|
if the toolchain supports them, but there is a configure-time knob
|
|
(--without-hardening) to disable them if necessary. ok djm@
|
|
|
|
commit 366224d21768ee8ec28cfbcc5fbade1b32582d58
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 16 18:51:44 2014 +1100
|
|
|
|
- (djm) [README] update release notes URL.
|
|
|
|
commit 2ae77e64f8fa82cbf25c9755e8e847709b978b40
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 16 18:51:07 2014 +1100
|
|
|
|
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
|
|
[contrib/suse/openssh.spec] Crank RPM spec version numbers.
|
|
|
|
commit 0fa29e6d777c73a1b4ddd3b996b06ee20022ae8a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 16 18:42:31 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/16 07:32:00
|
|
[version.h]
|
|
openssh-6.5
|
|
|
|
commit 52c371cd6d2598cc73d4e633811b3012119c47e2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 16 18:42:10 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/16 07:31:09
|
|
[sftp-client.c]
|
|
needless and incorrect cast to size_t can break resumption of
|
|
large download; patch from tobias@
|
|
|
|
commit 91b580e4bec55118bf96ab3cdbe5a50839e75d0a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jan 12 19:21:22 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/12 08:13:13
|
|
[bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
|
|
[kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
|
|
avoid use of OpenSSL BIGNUM type and functions for KEX with
|
|
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
|
|
a string using the bignum encoding rules. Will make it easier to
|
|
build a reduced-feature OpenSSH without OpenSSL in the future;
|
|
ok markus@
|
|
|
|
commit af5d4481f4c7c8c3c746e68b961bb85ef907800e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jan 12 19:20:47 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/10 05:59:19
|
|
[sshd_config]
|
|
the /etc/ssh/ssh_host_ed25519_key is loaded by default too
|
|
|
|
commit 58cd63bc63038acddfb4051ed14e11179d8f4941
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 10 10:59:24 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/09 23:26:48
|
|
[sshconnect.c sshd.c]
|
|
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
|
|
deranged and might make some attacks on KEX easier; ok markus@
|
|
|
|
commit b3051d01e505c9c2dc00faab472a0d06fa6b0e65
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 10 10:58:53 2014 +1100
|
|
|
|
- djm@cvs.openbsd.org 2014/01/09 23:20:00
|
|
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
|
|
[kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
|
|
[kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
|
|
[schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
|
|
Introduce digest API and use it to perform all hashing operations
|
|
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
|
|
to build a reduced-feature OpenSSH without OpenSSL in future;
|
|
feedback, ok markus@
|
|
|
|
commit e00e413dd16eb747fb2c15a099971d91c13cf70f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 10 10:40:45 2014 +1100
|
|
|
|
- guenther@cvs.openbsd.org 2014/01/09 03:26:00
|
|
[sftp-common.c]
|
|
When formating the time for "ls -l"-style output, show dates in the future
|
|
with the year, and rearrange a comparison to avoid a potentional signed
|
|
arithmetic overflow that would give the wrong result.
|
|
|
|
ok djm@
|
|
|
|
commit 3e49853650448883685cfa32fa382d0ba6d51d48
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 10 10:37:05 2014 +1100
|
|
|
|
- tedu@cvs.openbsd.org 2014/01/04 17:50:55
|
|
[mac.c monitor_mm.c monitor_mm.h xmalloc.c]
|
|
use standard types and formats for size_t like variables. ok dtucker
|
|
|
|
commit a9c1e500ef609795cbc662848edb1a1dca279c81
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 8 16:13:12 2014 +1100
|
|
|
|
- (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
|
|
|
|
commit 324541e5264e1489ca0babfaf2b39612eb80dfb3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Dec 31 12:25:40 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/30 23:52:28
|
|
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
|
|
[sshconnect.c sshconnect2.c sshd.c]
|
|
refuse RSA keys from old proprietary clients/servers that use the
|
|
obsolete RSA+MD5 signature scheme. it will still be possible to connect
|
|
with these clients/servers but only DSA keys will be accepted, and we'll
|
|
deprecate them entirely in a future release. ok markus@
|
|
|
|
commit 9f4c8e797ea002a883307ca906f1f1f815010e78
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:57:46 2013 +1100
|
|
|
|
- (djm) [regress/Makefile] Add some generated files for cleaning
|
|
|
|
commit 106bf1ca3c7a5fdc34f9fd7a1fe651ca53085bc5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:54:03 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 05:57:02
|
|
[sshconnect.c]
|
|
when showing other hostkeys, don't forget Ed25519 keys
|
|
|
|
commit 0fa47cfb32c239117632cab41e4db7d3e6de5e91
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:53:39 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 05:42:16
|
|
[ssh.c]
|
|
don't forget to load Ed25519 certs too
|
|
|
|
commit b9a95490daa04cc307589897f95bfaff324ad2c9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:50:15 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 04:35:50
|
|
[authfile.c]
|
|
don't refuse to load Ed25519 certificates
|
|
|
|
commit f72cdde6e6fabc51d2a62f4e75b8b926d9d7ee89
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:49:55 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 04:29:25
|
|
[authfd.c]
|
|
allow deletion of ed25519 keys from the agent
|
|
|
|
commit 29ace1cb68cc378a464c72c0fd67aa5f9acd6b5b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:49:31 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 04:20:04
|
|
[key.c]
|
|
to make sure we don't omit any key types as valid CA keys again,
|
|
factor the valid key type check into a key_type_is_valid_ca()
|
|
function
|
|
|
|
commit 9de4fcdc5a9cff48d49a3e2f6194d3fb2d7ae34d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:49:13 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 02:49:52
|
|
[key.c]
|
|
correct comment for key_drop_cert()
|
|
|
|
commit 5baeacf8a80f054af40731c6f92435f9164b8e02
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:48:55 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 02:37:04
|
|
[key.c]
|
|
correct comment for key_to_certified()
|
|
|
|
commit 83f2fe26cb19330712c952eddbd3c0b621674adc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:48:38 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/29 02:28:10
|
|
[key.c]
|
|
allow ed25519 keys to appear as certificate authorities
|
|
|
|
commit 06122e9a74bb488b0fe0a8f64e1135de870f9cc0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:48:15 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/27 22:37:18
|
|
[ssh-rsa.c]
|
|
correct comment
|
|
|
|
commit 3e19295c3a253c8dc8660cf45baad7f45fccb969
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:47:50 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/27 22:30:17
|
|
[ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
|
|
make the original RSA and DSA signing/verification code look more like
|
|
the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
|
|
rather than tediously listing all variants, use __func__ for debug/
|
|
error messages
|
|
|
|
commit 137977180be6254639e2c90245763e6965f8d815
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:47:14 2013 +1100
|
|
|
|
- tedu@cvs.openbsd.org 2013/12/21 07:10:47
|
|
[ssh-keygen.1]
|
|
small typo
|
|
|
|
commit 339a48fe7ffb3186d22bbaa9efbbc3a053e602fd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:46:49 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/19 22:57:13
|
|
[poly1305.c poly1305.h]
|
|
use full name for author, with his permission
|
|
|
|
commit 0b36c83148976c7c8268f4f41497359e2fb26251
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:45:51 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/19 01:19:41
|
|
[ssh-agent.c]
|
|
bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
|
|
that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
|
|
ok dtucker
|
|
|
|
commit 4def184e9b6c36be6d965a9705632fc4c0c2a8af
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:45:26 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/19 01:04:36
|
|
[channels.c]
|
|
bz#2147: fix multiple remote forwardings with dynamically assigned
|
|
listen ports. In the s->c message to open the channel we were sending
|
|
zero (the magic number to request a dynamic port) instead of the actual
|
|
listen port. The client therefore had no way of discriminating between
|
|
them.
|
|
|
|
Diagnosis and fix by ronf AT timeheart.net
|
|
|
|
commit bf25d114e23a803f8feca8926281b1aaedb6191b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:44:56 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/19 00:27:57
|
|
[auth-options.c]
|
|
simplify freeing of source-address certificate restriction
|
|
|
|
commit bb3dafe7024a5b4e851252e65ee35d45b965e4a8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:44:29 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/12/19 00:19:12
|
|
[serverloop.c]
|
|
Cast client_alive_interval to u_int64_t before assinging to
|
|
max_time_milliseconds to avoid potential integer overflow in the timeout.
|
|
bz#2170, patch from Loganaden Velvindron, ok djm@
|
|
|
|
commit ef275ead3dcadde4db1efe7a0aa02b5e618ed40c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:44:07 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/19 00:10:30
|
|
[ssh-add.c]
|
|
skip requesting smartcard PIN when removing keys from agent; bz#2187
|
|
patch from jay AT slushpupie.com; ok dtucker
|
|
|
|
commit 7d97fd9a1cae778c3eacf16e09f5da3689d616c6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 29 17:40:18 2013 +1100
|
|
|
|
- (djm) [loginrec.c] Check for username truncation when looking up lastlog
|
|
entries
|
|
|
|
commit 77244afe3b6d013b485e0952eaab89b9db83380f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Dec 21 17:02:39 2013 +1100
|
|
|
|
20131221
|
|
- (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
|
|
|
|
commit 53f8e784dc431a82d31c9b0e95b144507f9330e9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Dec 19 11:31:44 2013 +1100
|
|
|
|
- (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
|
|
Patch from Loganaden Velvindron.
|
|
|
|
commit 1fcec9d4f265e38af248c4c845986ca8c174bd68
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Dec 19 11:00:12 2013 +1100
|
|
|
|
- (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions
|
|
greater than 11 either rather than just 11. Patch from Tomas Kuthan.
|
|
|
|
commit 6674eb9683afd1ea4eb35670b5e66815543a759e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:50:39 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/17 10:36:38
|
|
[crypto_api.h]
|
|
I've assempled the header file by cut&pasting from generated headers
|
|
and the source files.
|
|
|
|
commit d58a5964426ee014384d67d775d16712e93057f3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:50:13 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/15 21:42:35
|
|
[cipher-chachapoly.c]
|
|
add some comments and constify a constant
|
|
|
|
commit 059321d19af24d87420de3193f79dfab23556078
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:49:48 2013 +1100
|
|
|
|
- pascal@cvs.openbsd.org 2013/12/15 18:17:26
|
|
[ssh-add.c]
|
|
Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page.
|
|
ok markus@
|
|
|
|
commit 155b5a5bf158767f989215479ded2a57f331e1c6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:48:32 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/09 11:08:17
|
|
[crypto_api.h]
|
|
remove unused defines
|
|
|
|
commit 8a56dc2b6b48b05590810e7f4c3567508410000c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:48:11 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/09 11:03:45
|
|
[blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
|
|
[ge25519_base.data hash.c sc25519.c sc25519.h verify.c]
|
|
Add Authors for the public domain ed25519/nacl code.
|
|
see also http://nacl.cr.yp.to/features.html
|
|
All of the NaCl software is in the public domain.
|
|
and http://ed25519.cr.yp.to/software.html
|
|
The Ed25519 software is in the public domain.
|
|
|
|
commit 6575c3acf31fca117352f31f37b16ae46e664837
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:47:02 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/12/08 09:53:27
|
|
[sshd_config.5]
|
|
Use a literal for the default value of KEXAlgorithms. ok deraadt jmc
|
|
|
|
commit 8ba0ead6985ea14999265136b14ffd5aeec516f9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:46:27 2013 +1100
|
|
|
|
- naddy@cvs.openbsd.org 2013/12/07 11:58:46
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
|
|
[ssh_config.5 sshd.8 sshd_config.5]
|
|
add missing mentions of ed25519; ok djm@
|
|
|
|
commit 4f752cf71cf44bf4bc777541156c2bf56daf9ce9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 18 17:45:35 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/07 08:08:26
|
|
[ssh-keygen.1]
|
|
document -a and -o wrt new key format
|
|
|
|
commit 6d6fcd14e23a9053198342bb379815b15e504084
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 8 15:53:28 2013 +1100
|
|
|
|
- (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh]
|
|
[regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid
|
|
filesystem before running agent-ptrace.sh; ok dtucker
|
|
|
|
commit 7e6e42fb532c7dafd7078ef5e9e2d3e47fcf6752
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Dec 8 08:23:08 2013 +1100
|
|
|
|
- (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
|
|
Vinschen
|
|
|
|
commit da3ca351b49d52ae85db2e3998265dc3c6617068
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 21:43:46 2013 +1100
|
|
|
|
- (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from
|
|
Loganaden Velvindron @ AfriNIC in bz#2179
|
|
|
|
commit eb401585bb8336cbf81fe4fc58eb9f7cac3ab874
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 17:07:15 2013 +1100
|
|
|
|
- (djm) [regress/cert-hostkey.sh] Fix merge botch
|
|
|
|
commit f54542af3ad07532188b10136ae302314ec69ed6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 16:32:44 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/06 13:52:46
|
|
[regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
|
|
[regress/cert-userkey.sh regress/keytype.sh]
|
|
test ed25519 support; from djm@
|
|
|
|
commit f104da263de995f66b6861b4f3368264ee483d7f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 12:37:53 2013 +1100
|
|
|
|
- (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in]
|
|
[openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on
|
|
Linux
|
|
|
|
commit 1ff130dac9b7aea0628f4ad30683431fe35e0020
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:51:51 2013 +1100
|
|
|
|
- [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c]
|
|
[openbsd-compat/blf.h openbsd-compat/blowfish.c]
|
|
[openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in
|
|
portable.
|
|
|
|
commit 4260828a2958ebe8c96f66d8301dac53f4cde556
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:38:03 2013 +1100
|
|
|
|
- [authfile.c] Conditionalise inclusion of util.h
|
|
|
|
commit a913442bac8a26fd296a3add51293f8f6f9b3b4c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:35:36 2013 +1100
|
|
|
|
- [Makefile.in] Add ed25519 sources
|
|
|
|
commit ca570a519cb846da61d002c7f46fa92e39c83e45
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:29:09 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/07 00:19:15
|
|
[key.c]
|
|
set k->cert = NULL after freeing it
|
|
|
|
commit 3cccc0e155229a2f2d86b6df40bd4559b4f960ff
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:27:47 2013 +1100
|
|
|
|
- [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
|
|
[ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
|
|
|
|
commit a7827c11b3f0380b7e593664bd62013ff9c131db
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:24:30 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/12/06 15:29:07
|
|
[sshd.8]
|
|
missing comma;
|
|
|
|
commit 5be9d9e3cbd9c66f24745d25bf2e809c1d158ee0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 11:24:01 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/06 13:39:49
|
|
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
|
|
[servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
|
|
[ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
|
|
[sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
|
|
[fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
|
|
support ed25519 keys (hostkeys and user identities) using the public
|
|
domain ed25519 reference code from SUPERCOP, see
|
|
http://ed25519.cr.yp.to/software.html
|
|
feedback, help & ok djm@
|
|
|
|
commit bcd00abd8451f36142ae2ee10cc657202149201e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 10:41:55 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/06 13:34:54
|
|
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
|
|
[ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
|
|
default; details in PROTOCOL.key; feedback and lots help from djm;
|
|
ok djm@
|
|
|
|
commit f0e9060d236c0e38bec2fa1c6579fb0a2ea6458d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 10:40:26 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/12/06 13:30:08
|
|
[authfd.c key.c key.h ssh-agent.c]
|
|
move private key (de)serialization to key.c; ok djm
|
|
|
|
commit 0f8536da23a6ef26e6495177c0d8a4242b710289
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 10:31:37 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/06 03:40:51
|
|
[ssh-keygen.c]
|
|
remove duplicated character ('g') in getopt() string;
|
|
document the (few) remaining option characters so we don't have to
|
|
rummage next time.
|
|
|
|
commit 393920745fd328d3fe07f739a3cf7e1e6db45b60
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Dec 7 10:31:08 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/05 22:59:45
|
|
[sftp-client.c]
|
|
fix memory leak in error path in do_readdir(); pointed out by
|
|
Loganaden Velvindron @ AfriNIC in bz#2163
|
|
|
|
commit 534b2ccadea5e5e9a8b27226e6faac3ed5552e97
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 14:07:27 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/05 01:16:41
|
|
[servconf.c servconf.h]
|
|
bz#2161 - fix AuthorizedKeysCommand inside a Match block and
|
|
rearrange things so the same error is harder to make next time;
|
|
with and ok dtucker@
|
|
|
|
commit 8369c8e61a3408ec6bb75755fad4ffce29b5fdbe
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Dec 5 11:00:16 2013 +1100
|
|
|
|
- (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
|
|
-L location for libedit. Patch from Serge van den Boom.
|
|
|
|
commit 9275df3e0a2a3bc3897f7d664ea86a425c8a092d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:26:32 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/04 04:20:01
|
|
[sftp-client.c]
|
|
bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
|
|
AfriNIC
|
|
|
|
commit 960f6a2b5254e4da082d8aa3700302ed12dc769a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:26:14 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/02 03:13:14
|
|
[cipher.c]
|
|
correct bzero of chacha20+poly1305 key context. bz#2177 from
|
|
Loganaden Velvindron @ AfriNIC
|
|
|
|
Also make it a memset for consistency with the rest of cipher.c
|
|
|
|
commit f7e8a8796d661c9d6692ab837e1effd4f5ada1c2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:25:51 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/02 03:09:22
|
|
[key.c]
|
|
make key_to_blob() return a NULL blob on failure; part of
|
|
bz#2175 from Loganaden Velvindron @ AfriNIC
|
|
|
|
commit f1e44ea9d9a6d4c1a95a0024132e603bd1778c9c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:23:21 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/02 02:56:17
|
|
[ssh-pkcs11-helper.c]
|
|
use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
|
|
|
|
commit 114e540b15d57618f9ebf624264298f80bbd8c77
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:22:57 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/02 02:50:27
|
|
[PROTOCOL.chacha20poly1305]
|
|
typo; from Jon Cave
|
|
|
|
commit e4870c090629e32f2cb649dc16d575eeb693f4a8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:22:39 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/12/01 23:19:05
|
|
[PROTOCOL]
|
|
mention curve25519-sha256@libssh.org key exchange algorithm
|
|
|
|
commit 1d2f8804a6d33a4e908b876b2e1266b8260ec76b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:22:03 2013 +1100
|
|
|
|
- deraadt@cvs.openbsd.org 2013/11/26 19:15:09
|
|
[pkcs11.h]
|
|
cleanup 1 << 31 idioms. Resurrection of this issue pointed out by
|
|
Eitan Adler ok markus for ssh, implies same change in kerberosV
|
|
|
|
commit bdb352a54f82df94a548e3874b22f2d6ae90328d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:20:52 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/11/26 12:14:54
|
|
[ssh.1 ssh.c]
|
|
- put -Q in the right place
|
|
- Ar was a poor choice for the arguments to -Q. i've chosen an
|
|
admittedly equally poor Cm, at least consistent with the rest
|
|
of the docs. also no need for multiple instances
|
|
- zap a now redundant Nm
|
|
- usage() sync
|
|
|
|
commit d937dc084a087090f1cf5395822c3ac958d33759
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:19:54 2013 +1100
|
|
|
|
- deraadt@cvs.openbsd.org 2013/11/25 18:04:21
|
|
[ssh.1 ssh.c]
|
|
improve -Q usage and such. One usage change is that the option is now
|
|
case-sensitive
|
|
ok dtucker markus djm
|
|
|
|
commit dec0393f7ee8aabc7d9d0fc2c5fddb4bc649112e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Dec 5 10:18:43 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/11/21 08:05:09
|
|
[ssh_config.5 sshd_config.5]
|
|
no need for .Pp before displays;
|
|
|
|
commit 8a073cf57940aabf85e49799f89f5d5e9b072c1b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 14:26:18 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/21 03:18:51
|
|
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
|
|
[regress/try-ciphers.sh]
|
|
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
|
|
encryption ciphers instead of specifying them manually; ensures that
|
|
the new chacha20poly1305@openssh.com mode is tested;
|
|
|
|
ok markus@ and naddy@ as part of the diff to add
|
|
chacha20poly1305@openssh.com
|
|
|
|
commit ea61b2179f63d48968dd2c9617621002bb658bfe
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 14:25:15 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/21 03:16:47
|
|
[regress/modpipe.c]
|
|
use unsigned long long instead of u_int64_t here to avoid warnings
|
|
on some systems portable OpenSSH is built on.
|
|
|
|
commit 36aba25b0409d2db6afc84d54bc47a2532d38424
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 14:24:42 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/21 03:15:46
|
|
[regress/krl.sh]
|
|
add some reminders for additional tests that I'd like to implement
|
|
|
|
commit fa7a20bc289f09b334808d988746bc260a2f60c9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 14:24:08 2013 +1100
|
|
|
|
- naddy@cvs.openbsd.org 2013/11/18 05:09:32
|
|
[regress/forward-control.sh]
|
|
bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
|
|
to successfully run this; ok djm@
|
|
(ID sync only; our timeouts are already longer)
|
|
|
|
commit 0fde8acdad78a4d20cadae974376cc0165f645ee
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 14:12:23 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/21 00:45:44
|
|
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
|
|
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
|
|
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
|
|
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
|
|
cipher "chacha20-poly1305@openssh.com" that combines Daniel
|
|
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
|
|
authenticated encryption mode.
|
|
|
|
Inspired by and similar to Adam Langley's proposal for TLS:
|
|
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
|
|
but differs in layout used for the MAC calculation and the use of a
|
|
second ChaCha20 instance to separately encrypt packet lengths.
|
|
Details are in the PROTOCOL.chacha20poly1305 file.
|
|
|
|
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
|
|
ok markus@ naddy@
|
|
|
|
commit fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 13:57:15 2013 +1100
|
|
|
|
- deraadt@cvs.openbsd.org 2013/11/20 20:54:10
|
|
[canohost.c clientloop.c match.c readconf.c sftp.c]
|
|
unsigned casts for ctype macros where neccessary
|
|
ok guenther millert markus
|
|
|
|
commit e00167307e4d3692695441e9bd712f25950cb894
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 13:56:49 2013 +1100
|
|
|
|
- deraadt@cvs.openbsd.org 2013/11/20 20:53:10
|
|
[scp.c]
|
|
unsigned casts for ctype macros where neccessary
|
|
ok guenther millert markus
|
|
|
|
commit 23e00aa6ba9eee0e0c218f2026bf405ad4625832
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 13:56:28 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/20 02:19:01
|
|
[sshd.c]
|
|
delay closure of in/out fds until after "Bad protocol version
|
|
identification..." message, as get_remote_ipaddr/get_remote_port
|
|
require them open.
|
|
|
|
commit 867e6934be6521f87f04a5ab86702e2d1b314245
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 13:56:06 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/13 13:48:20
|
|
[ssh-pkcs11.c]
|
|
add missing braces found by pedro
|
|
|
|
commit 0600c7020f4fe68a780bd7cf21ff541a8d4b568a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 21 13:55:43 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/08 11:15:19
|
|
[bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
|
|
[uidswap.c] Include stdlib.h for free() as per the man page.
|
|
|
|
commit b6a75b0b93b8faa6f79c3a395ab6c71f3f880b80
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Nov 10 20:25:22 2013 +1100
|
|
|
|
- (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
|
|
querying the ones that are compiled in.
|
|
|
|
commit 2c89430119367eb1bc96ea5ee55de83357e4c926
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Nov 10 12:38:42 2013 +1100
|
|
|
|
- (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
|
|
|
|
commit dd5264db5f641dbd03186f9e5e83e4b14b3d0003
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Nov 9 22:32:51 2013 +1100
|
|
|
|
- (dtucker) [configure.ac] Add missing "test".
|
|
|
|
commit 95cb2d4eb08117be061f3ff076adef3e9a5372c3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Nov 9 22:02:31 2013 +1100
|
|
|
|
- (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
|
|
|
|
commit 37bcef51b3d9d496caecea6394814d2f49a1357f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Nov 9 18:39:25 2013 +1100
|
|
|
|
- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
|
|
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
|
|
latter actually works before using it. Fedora (at least) has NID_secp521r1
|
|
that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
|
|
|
|
commit 6e2fe81f926d995bae4be4a6b5b3c88c1c525187
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Nov 9 16:55:03 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/09 05:41:34
|
|
[regress/test-exec.sh regress/rekey.sh]
|
|
Use smaller test data files to speed up tests. Grow test datafiles
|
|
where necessary for a specific test.
|
|
|
|
commit aff7ef1bb8b7c1eeb1f4812129091c5adbf51848
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Nov 9 00:19:22 2013 +1100
|
|
|
|
- (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
|
|
rather than testing and generating each key, call ssh-keygen -A.
|
|
Patch from vinschen at redhat.com.
|
|
|
|
commit 882abfd3fb3c98cfe70b4fc79224770468b570a5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Nov 9 00:17:41 2013 +1100
|
|
|
|
- (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
|
|
and pass in TEST_ENV. Unknown options cause stderr to get polluted
|
|
and the stderr-data test to fail.
|
|
|
|
commit 8c333ec23bdf7da917aa20ac6803a2cdd79182c5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Nov 8 21:12:58 2013 +1100
|
|
|
|
- (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
|
|
warnings.
|
|
|
|
commit d94240b2f6b376b6e9de187e4a0cd4b89dfc48cb
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Nov 8 21:10:04 2013 +1100
|
|
|
|
- (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
|
|
|
|
commit 1c8ce34909886288a3932dce770deec5449f7bb5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Nov 8 19:50:32 2013 +1100
|
|
|
|
- (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
|
|
EVP_sha256.
|
|
|
|
commit ccdb9bec46bcc88549b26a94aa0bae2b9f51031c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Nov 8 18:54:38 2013 +1100
|
|
|
|
- (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
|
|
arc4random_stir for platforms that have arc4random but don't have
|
|
arc4random_stir (right now this is only OpenBSD -current).
|
|
|
|
commit 3420a50169b52cc8d2775d51316f9f866c73398f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 8 16:48:13 2013 +1100
|
|
|
|
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
|
|
[contrib/suse/openssh.spec] Update version numbers following release.
|
|
|
|
commit 3ac4a234df842fd8c94d9cb0ad198e1fe84b895b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 8 12:39:49 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/08 01:38:11
|
|
[version.h]
|
|
openssh-6.4
|
|
|
|
commit 6c81fee693038de7d4a5559043350391db2a2761
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 8 12:19:55 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/08 00:39:15
|
|
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
|
|
[clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
|
|
[sftp-client.c sftp-glob.c]
|
|
use calloc for all structure allocations; from markus@
|
|
|
|
commit 690d989008e18af3603a5e03f1276c9bad090370
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 8 12:16:49 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/07 11:58:27
|
|
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
|
|
Output the effective values of Ciphers, MACs and KexAlgorithms when
|
|
the default has not been overridden. ok markus@
|
|
|
|
commit 08998c5fb9c7c1d248caa73b76e02ca0482e6d85
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Nov 8 12:11:46 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/08 01:06:14
|
|
[regress/rekey.sh]
|
|
Rekey less frequently during tests to speed them up
|
|
|
|
commit 4bf7e50e533aa956366df7402c132f202e841a48
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 22:33:48 2013 +1100
|
|
|
|
- (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
|
|
variable. It's no longer used now that we get the supported MACs from
|
|
ssh -Q.
|
|
|
|
commit 6e9d6f411288374d1dee4b7debbfa90bc7e73035
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 15:32:37 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/07 04:26:56
|
|
[regress/kextype.sh]
|
|
trailing space
|
|
|
|
commit 74cbc22529f3e5de756e1b7677b7624efb28f62c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 15:26:12 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/07 03:55:41
|
|
[regress/kextype.sh]
|
|
Use ssh -Q to get kex types instead of a static list.
|
|
|
|
commit a955041c930e63405159ff7d25ef14272f36eab3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 15:21:19 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/07 02:48:38
|
|
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
|
|
Use ssh -Q instead of hardcoding lists of ciphers or MACs.
|
|
|
|
commit 06595d639577577bc15d359e037a31eb83563269
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 15:08:02 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/07 01:12:51
|
|
[regress/rekey.sh]
|
|
Factor out the data transfer rekey tests
|
|
|
|
commit 651dc8b2592202dac6b16ee3b82ce5b331be7da3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 15:04:44 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/07 00:12:05
|
|
[regress/rekey.sh]
|
|
Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
|
|
the GCM ciphers.
|
|
|
|
commit 234557762ba1096a867ca6ebdec07efebddb5153
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 15:00:51 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/11/04 12:27:42
|
|
[regress/rekey.sh]
|
|
Test rekeying with all KexAlgorithms.
|
|
|
|
commit bbfb9b0f386aab0c3e19d11f136199ef1b9ad0ef
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 14:56:43 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 22:39:53
|
|
[regress/kextype.sh]
|
|
add curve25519-sha256@libssh.org
|
|
|
|
commit aa19548a98c0f89283ebd7354abd746ca6bc4fdf
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Nov 7 14:50:09 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/09 23:44:14
|
|
[regress/Makefile] (ID sync only)
|
|
regression test for sftp request white/blacklisting and readonly mode.
|
|
|
|
commit c8908aabff252f5da772d4e679479c2b7d18cac1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 13:38:35 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/06 23:05:59
|
|
[ssh-pkcs11.c]
|
|
from portable: s/true/true_val/ to avoid name collisions on dump platforms
|
|
RCSID sync only
|
|
|
|
commit 49c145c5e89b9d7d48e84328d6347d5ad640b567
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 13:35:39 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/06 16:52:11
|
|
[monitor_wrap.c]
|
|
fix rekeying for AES-GCM modes; ok deraadt
|
|
|
|
commit 67a8800f290b39fd60e379988c700656ae3f2539
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 13:32:51 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/04 11:51:16
|
|
[monitor.c]
|
|
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
|
RCSID sync only; I thought this was a merge botch and fixed it already
|
|
|
|
commit df8b030b15fcec7baf38ec7944f309f9ca8cc9a7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 13:28:16 2013 +1100
|
|
|
|
- (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
|
|
that lack it but have arc4random_uniform()
|
|
|
|
commit a6fd1d3c38a562709374a70fa76423859160aa90
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 12:03:26 2013 +1100
|
|
|
|
- (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
|
|
|
|
commit c98319750b0bbdd0d1794420ec97d65dd9244613
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 12:00:23 2013 +1100
|
|
|
|
- (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
|
|
|
|
commit 61c5c2319e84a58210810d39b062c8b8e3321160
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Nov 7 11:34:14 2013 +1100
|
|
|
|
- (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
|
|
that got lost in recent merge.
|
|
|
|
commit 094003f5454a9f5a607674b2739824a7e91835f4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 22:59:27 2013 +1100
|
|
|
|
- (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
|
|
KEX/curve25519 change
|
|
|
|
commit ca67a7eaf8766499ba67801d0be8cdaa550b9a50
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 09:05:17 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/11/03 10:37:19
|
|
[roaming_common.c]
|
|
fix a couple of function definitions foo() -> foo(void)
|
|
(-Wold-style-definition)
|
|
|
|
commit 0bd8f1519d51af8d4229be81e8f2f4903a1d440b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 08:55:43 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 22:39:19
|
|
[ssh_config.5 sshd_config.5]
|
|
the default kex is now curve25519-sha256@libssh.org
|
|
|
|
commit 4c3ba0767fbe4a8a2a748df4035aaf86651f6b30
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 08:40:13 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 22:34:01
|
|
[auth-options.c]
|
|
no need to include monitor_wrap.h and ssh-gss.h
|
|
|
|
commit 660621b2106b987b874c2f120218bec249d0f6ba
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 08:37:51 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 22:24:24
|
|
[kexdhs.c kexecdhs.c]
|
|
no need to include ssh-gss.h
|
|
|
|
commit abdca986decfbbc008c895195b85e879ed460ada
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 08:30:05 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 22:10:15
|
|
[kexdhs.c kexecdhs.c]
|
|
no need to include monitor_wrap.h
|
|
|
|
commit 1e1242604eb0fd510fe93f81245c529237ffc513
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 08:26:52 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 21:59:15
|
|
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
|
|
use curve25519 for default key exchange (curve25519-sha256@libssh.org);
|
|
initial patch from Aris Adamantiadis; ok djm@
|
|
|
|
commit d2252c79191d069372ed6effce7c7a2de93448cd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 4 07:41:48 2013 +1100
|
|
|
|
- markus@cvs.openbsd.org 2013/11/02 20:03:54
|
|
[ssh-pkcs11.c]
|
|
support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
|
|
fixes bz#1908; based on patch from Laurent Barbe; ok djm
|
|
|
|
commit 007e3b357e880caa974d5adf9669298ba0751c78
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Nov 3 18:43:55 2013 +1100
|
|
|
|
- (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
|
|
for platforms that don't have them.
|
|
|
|
commit 710f3747352fb93a63e5b69b12379da37f5b3fa9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Nov 3 17:20:34 2013 +1100
|
|
|
|
- (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd
|
|
vsnprintf. From eric at openbsd via chl@.
|
|
|
|
commit d52770452308e5c2e99f4da6edaaa77ef078b610
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Nov 3 16:30:46 2013 +1100
|
|
|
|
- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
|
|
From OpenSMTPD where it prevents "implicit declaration" warnings (it's
|
|
a no-op in OpenSSH). From chl at openbsd.
|
|
|
|
commit 63857c9340d3482746a5622ffdacc756751f6448
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 30 22:31:06 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/10/29 18:49:32
|
|
[sshd_config.5]
|
|
pty(4), not pty(7);
|
|
|
|
commit 5ff30c6b68adeee767dd29bf2369763c6a13c0b3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 30 22:21:50 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/29 09:48:02
|
|
[servconf.c servconf.h session.c sshd_config sshd_config.5]
|
|
shd_config PermitTTY to disallow TTY allocation, mirroring the
|
|
longstanding no-pty authorized_keys option;
|
|
bz#2070, patch from Teran McKinney; ok markus@
|
|
|
|
commit 4a3a9d4bbf8048473f5cc202cd8db7164d5e6b8d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 30 22:19:47 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/29 09:42:11
|
|
[key.c key.h]
|
|
fix potential stack exhaustion caused by nested certificates;
|
|
report by Mateusz Kocielski; ok dtucker@ markus@
|
|
|
|
commit 28631ceaa7acd9bc500f924614431542893c6a21
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Oct 26 10:07:56 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/25 23:04:51
|
|
[ssh.c]
|
|
fix crash when using ProxyCommand caused by previous commit - was calling
|
|
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
|
|
|
|
commit 26506ad29350c5681815745cc90b3952a84cf118
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Oct 26 10:05:46 2013 +1100
|
|
|
|
- (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
|
|
unnecessary arc4random_stir() calls. The only ones left are to ensure
|
|
that the PRNG gets a different state after fork() for platforms that
|
|
have broken the API.
|
|
|
|
commit bd43e8872325e9bbb3319c89da593614709f317c
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Thu Oct 24 12:22:49 2013 -0700
|
|
|
|
- (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
|
|
|
|
commit a90c0338083ee0e4064c4bdf61f497293a699be0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 24 21:03:17 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/24 08:19:36
|
|
[ssh.c]
|
|
fix bug introduced in hostname canonicalisation commit: don't try to
|
|
resolve hostnames when a ProxyCommand is set unless the user has forced
|
|
canonicalisation; spotted by Iain Morgan
|
|
|
|
commit cf31f3863425453ffcda540fbefa9df80088c8d1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 24 21:02:56 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/10/24 00:51:48
|
|
[readconf.c servconf.c ssh_config.5 sshd_config.5]
|
|
Disallow empty Match statements and add "Match all" which matches
|
|
everything. ok djm, man page help jmc@
|
|
|
|
commit 4bedd4032a09ce87322ae5ea80f193f109e5c607
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 24 21:02:26 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/10/24 00:49:49
|
|
[moduli.c]
|
|
Periodically print progress and, if possible, expected time to completion
|
|
when screening moduli for DH groups. ok deraadt djm
|
|
|
|
commit 5ecb41629860687b145be63b8877fabb6bae5eda
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 24 21:02:02 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/23 23:35:32
|
|
[sshd.c]
|
|
include local address and port in "Connection from ..." message (only
|
|
shown at loglevel>=verbose)
|
|
|
|
commit 03bf2e61ad6ac59a362a1f11b105586cb755c147
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 24 21:01:26 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/10/23 05:40:58
|
|
[servconf.c]
|
|
fix comment
|
|
|
|
commit 8f1873191478847773906af961c8984d02a49dd6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 24 10:53:02 2013 +1100
|
|
|
|
- (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
|
|
rather than full client name which may be of form user@REALM;
|
|
patch from Miguel Sanders; ok dtucker@
|
|
|
|
commit 5b01b0dcb417eb615df77e7ce1b59319bf04342c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:31:31 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/23 04:16:22
|
|
[ssh-keygen.c]
|
|
Make code match documentation: relative-specified certificate expiry time
|
|
should be relative to current time and not the validity start time.
|
|
Reported by Petr Lautrbach; ok deraadt@
|
|
|
|
commit eff5cada589f25793dbe63a76aba9da39837a148
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:31:10 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/23 03:05:19
|
|
[readconf.c ssh.c]
|
|
comment
|
|
|
|
commit 084bcd24e9fe874020e4df4e073e7408e1b17fb7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:30:51 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/23 03:03:07
|
|
[readconf.c]
|
|
Hostname may have %h sequences that should be expanded prior to Match
|
|
evaluation; spotted by Iain Morgan
|
|
|
|
commit 8e5a67f46916def40b2758bb7755350dd2eee843
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:30:25 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/10/20 18:00:13
|
|
[ssh_config.5]
|
|
tweak the "exec" description, as worded by djm;
|
|
|
|
commit c0049bd0bca02890cd792babc594771c563f91f2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:29:59 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/20 09:51:26
|
|
[scp.1 sftp.1]
|
|
add canonicalisation options to -o lists
|
|
|
|
commit 8a04be795fc28514a09e55a54b2e67968f2e1b3a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:29:40 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/20 06:19:28
|
|
[readconf.c ssh_config.5]
|
|
rename "command" subclause of the recently-added "Match" keyword to
|
|
"exec"; it's shorter, clearer in intent and we might want to add the
|
|
ability to match against the command being executed at the remote end in
|
|
the future.
|
|
|
|
commit 5c86ebdf83b636b6741db4b03569ef4a53b89a58
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 23 16:29:12 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/20 04:39:28
|
|
[ssh_config.5]
|
|
document % expansions performed by "Match command ..."
|
|
|
|
commit 4502f88774edc56194707167443f94026d3c7cfa
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Oct 18 10:17:36 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/17 22:08:04
|
|
[sshd.c]
|
|
include remote port in bad banner message; bz#2162
|
|
|
|
commit 1edcbf65ebd2febeaf10a836468f35e519eed7ca
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Oct 18 10:17:17 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/10/17 07:35:48
|
|
[sftp.1 sftp.c]
|
|
tweak previous;
|
|
|
|
commit a176e1823013dd8533a20235b3a5131f0626f46b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Oct 18 09:05:41 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/09 23:44:14
|
|
[regress/Makefile regress/sftp-perm.sh]
|
|
regression test for sftp request white/blacklisting and readonly mode.
|
|
|
|
commit e3ea09494dcfe7ba76536e95765c8328ecfc18fb
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:57:23 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/17 00:46:49
|
|
[ssh.c]
|
|
rearrange check to reduce diff against -portable
|
|
(Id sync only)
|
|
|
|
commit f29238e67471a7f1088a99c3c3dbafce76b790cf
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:48:52 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/17 00:30:13
|
|
[PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
|
|
fsync@openssh.com protocol extension for sftp-server
|
|
client support to allow calling fsync() faster successful transfer
|
|
patch mostly by imorgan AT nas.nasa.gov; bz#1798
|
|
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
|
|
|
|
commit 51682faa599550a69d8120e5e2bdbdc0625ef4be
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:48:31 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/16 22:58:01
|
|
[ssh.c ssh_config.5]
|
|
one I missed in previous: s/isation/ization/
|
|
|
|
commit 3850559be93f1a442ae9ed370e8c389889dd5f72
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:48:13 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/16 22:49:39
|
|
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
|
|
s/canonicalise/canonicalize/ for consistency with existing spelling,
|
|
e.g. authorized_keys; pointed out by naddy@
|
|
|
|
commit 607af3434b75acc7199a5d99d5a9c11068c01f27
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:47:51 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/10/16 06:42:25
|
|
[ssh_config.5]
|
|
tweak previous;
|
|
|
|
commit 0faf747e2f77f0f7083bcd59cbed30c4b5448444
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:47:23 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/16 02:31:47
|
|
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
|
|
[sshconnect.c sshconnect.h]
|
|
Implement client-side hostname canonicalisation to allow an explicit
|
|
search path of domain suffixes to use to convert unqualified host names
|
|
to fully-qualified ones for host key matching.
|
|
This is particularly useful for host certificates, which would otherwise
|
|
need to list unqualified names alongside fully-qualified ones (and this
|
|
causes a number of problems).
|
|
"looks fine" markus@
|
|
|
|
commit d77b81f856e078714ec6b0f86f61c20249b7ead4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:39:00 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/10/15 14:10:25
|
|
[ssh.1 ssh_config.5]
|
|
tweak previous;
|
|
|
|
commit dcd39f29ce3308dc74a0ff27a9056205a932ce05
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 17 11:31:40 2013 +1100
|
|
|
|
- [ssh.c] g/c unused variable.
|
|
|
|
commit 5359a628ce3763408da25d83271a8eddec597a0c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:20:37 2013 +1100
|
|
|
|
- [ssh.c] g/c unused variable.
|
|
|
|
commit 386feab0c4736b054585ee8ee372865d5cde8d69
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:14:49 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/14 23:31:01
|
|
[ssh.c]
|
|
whitespace at EOL; pointed out by markus@
|
|
|
|
commit e9fc72edd6c313b670558cd5219601c38a949b67
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:14:12 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/14 23:28:23
|
|
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
|
|
refactor client config code a little:
|
|
add multistate option partsing to readconf.c, similar to servconf.c's
|
|
existing code.
|
|
move checking of options that accept "none" as an argument to readconf.c
|
|
add a lowercase() function and use it instead of explicit tolower() in
|
|
loops
|
|
part of a larger diff that was ok markus@
|
|
|
|
commit 194fd904d8597a274b93e075b2047afdf5a175d4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:13:05 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/14 22:22:05
|
|
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
|
|
add a "Match" keyword to ssh_config that allows matching on hostname,
|
|
user and result of arbitrary commands. "nice work" markus@
|
|
|
|
commit 71df752de2a04f423b1cd18d961a79f4fbccbcee
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:12:02 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/14 21:20:52
|
|
[session.c session.h]
|
|
Add logging of session starts in a useful format; ok markus@ feedback and
|
|
ok dtucker@
|
|
|
|
commit 6efab27109b82820e8d32a5d811adb7bfc354f65
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:07:05 2013 +1100
|
|
|
|
- jmc@cvs.openbsd.org 2013/10/14 14:18:56
|
|
[sftp-server.8 sftp-server.c]
|
|
tweak previous;
|
|
ok djm
|
|
|
|
commit 61c7de8a94156f6d7e9718ded9be8c65bb902b66
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:06:45 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/11 02:53:45
|
|
[sftp-client.h]
|
|
obsolete comment
|
|
|
|
commit 2f93d0556e4892208c9b072624caa8cc5ddd839d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:06:27 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/11 02:52:23
|
|
[sftp-client.c]
|
|
missed one arg reorder
|
|
|
|
commit bda5c8445713ae592d969a5105ed1a65da22bc96
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 12:05:58 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/11 02:45:36
|
|
[sftp-client.c]
|
|
rename flag arguments to be more clear and consistent.
|
|
reorder some internal function arguments to make adding additional flags
|
|
easier.
|
|
no functional change
|
|
|
|
commit 61ee4d68ca0fcc793a826fc7ec70f3b8ffd12ab6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 11:56:47 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/10 01:43:03
|
|
[sshd.c]
|
|
bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly
|
|
updated; ok dtucker@
|
|
|
|
commit 73600e51af9ee734a19767e0c084bbbc5eb5b8da
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 11:56:25 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/10 00:53:25
|
|
[sftp-server.c]
|
|
add -Q, -P and -p to usage() before jmc@ catches me
|
|
|
|
commit 6eaeebf27d92f39a38c772aa3f20c2250af2dd29
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Oct 15 11:55:57 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/10/09 23:42:17
|
|
[sftp-server.8 sftp-server.c]
|
|
Add ability to whitelist and/or blacklist sftp protocol requests by name.
|
|
Refactor dispatch loop and consolidate read-only mode checks.
|
|
Make global variables static, since sftp-server is linked into sshd(8).
|
|
ok dtucker@
|
|
|
|
commit df62d71e64d29d1054e7a53d1a801075ef70335f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 10 10:32:39 2013 +1100
|
|
|
|
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
|
[dh.c dh.h]
|
|
Increase the size of the Diffie-Hellman groups requested for a each
|
|
symmetric key size. New values from NIST Special Publication 800-57 with
|
|
the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
|
|
djm@.
|
|
|
|
commit e6e52f8c5dc89a6767702e65bb595aaf7bc8991c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 10 10:28:07 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/09/19 01:26:29
|
|
[sshconnect.c]
|
|
bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from
|
|
swp AT swp.pp.ru; ok dtucker@
|
|
|
|
commit 71152bc9911bc34a98810b2398dac20df3fe8de3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 10 10:27:21 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/09/19 01:24:46
|
|
[channels.c]
|
|
bz#1297 - tell the client (via packet_send_debug) when their preferred
|
|
listen address has been overridden by the server's GatewayPorts;
|
|
ok dtucker@
|
|
|
|
commit b59aaf3c4f3f449a4b86d8528668bd979be9aa5f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 10 10:26:21 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/09/19 00:49:12
|
|
[sftp-client.c]
|
|
fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan
|
|
|
|
commit 5d80e4522d6238bdefe9d0c634f0e6d35a241e41
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 10 10:25:09 2013 +1100
|
|
|
|
- djm@cvs.openbsd.org 2013/09/19 00:24:52
|
|
[progressmeter.c]
|
|
store the initial file offset so the progress meter doesn't freak out
|
|
when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@
|
|
|
|
commit ad92df7e5ed26fea85adfb3f95352d6cd8e86344
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 10 10:24:11 2013 +1100
|
|
|
|
- sthen@cvs.openbsd.org 2013/09/16 11:35:43
|
|
[ssh_config]
|
|
Remove gssapi config parts from ssh_config, as was already done for
|
|
sshd_config. Req by/ok ajacoutot@
|
|
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
|
|
|
|
commit 720711960b130d36dfdd3d50eb25ef482bdd000e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 9 10:44:47 2013 +1100
|
|
|
|
- (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
|
|
[openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
|
|
implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
|
|
tested tim@
|
|
|
|
commit 9159310087a218e28940a592896808b8eb76a039
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 9 10:42:32 2013 +1100
|
|
|
|
- (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
|
|
in OpenBSD implementation of arc4random, shortly to replace the existing
|
|
bsd-arc4random.c
|
|
|
|
commit 67f1d557a68d6fa8966a327d7b6dee3408cf0e72
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 9 09:33:08 2013 +1100
|
|
|
|
correct incorrect years in datestamps; from des
|
|
|
|
commit f2bf36c3eb4d969f85ec8aa342e9aecb61cc8bb1
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sun Sep 22 19:02:40 2013 +1000
|
|
|
|
- (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
|
|
setting when handling SIGHUP to maintain behaviour over retart. Patch
|
|
from Matthew Ife.
|
|
|
|
commit e90a06ae570fd259a2f5ced873c7f17390f535a5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Sep 18 15:09:38 2013 +1000
|
|
|
|
- (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu.
|
|
|
|
commit 13840e0103946982cee2a05c40697be7e57dca41
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:49:43 2013 +1000
|
|
|
|
- djm@cvs.openbsd.org 2013/09/13 06:54:34
|
|
[channels.c]
|
|
avoid unaligned access in code that reused a buffer to send a
|
|
struct in_addr in a reply; simpler just use use buffer_put_int();
|
|
from portable; spotted by and ok dtucker@
|
|
|
|
commit 70182522a47d283513a010338cd028cb80dac2ab
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:49:19 2013 +1000
|
|
|
|
- djm@cvs.openbsd.org 2013/09/12 01:41:12
|
|
[clientloop.c]
|
|
fix connection crash when sending break (~B) on ControlPersist'd session;
|
|
ok dtucker@
|
|
|
|
commit ff9d6c2a4171ee32e8fe28fc3b86eb33bd5c845b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:48:55 2013 +1000
|
|
|
|
- sthen@cvs.openbsd.org 2013/09/07 13:53:11
|
|
[sshd_config]
|
|
Remove commented-out kerberos/gssapi config options from sample config,
|
|
kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
|
|
various people; ok deraadt@
|
|
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
|
|
|
|
commit 8bab5e7b5ff6721d926b5ebf05a3a24489889c58
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:47:00 2013 +1000
|
|
|
|
- deraadt@cvs.openbsd.org 2013/09/02 22:00:34
|
|
[ssh-keygen.c sshconnect1.c sshd.c]
|
|
All the instances of arc4random_stir() are bogus, since arc4random()
|
|
does this itself, inside itself, and has for a very long time.. Actually,
|
|
this was probably reducing the entropy available.
|
|
ok djm
|
|
ID SYNC ONLY for portable; we don't trust other arc4random implementations
|
|
to do this right.
|
|
|
|
commit 61353b3208d548fab863e0e0ac5d2400ee5bb340
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:45:32 2013 +1000
|
|
|
|
- djm@cvs.openbsd.org 2013/08/31 00:13:54
|
|
[sftp.c]
|
|
make ^w match ksh behaviour (delete previous word instead of entire line)
|
|
|
|
commit 660854859cad31d234edb9353fb7ca2780df8128
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:45:03 2013 +1000
|
|
|
|
- mikeb@cvs.openbsd.org 2013/08/28 12:34:27
|
|
[ssh-keygen.c]
|
|
improve batch processing a bit by making use of the quite flag a bit
|
|
more often and exit with a non zero code if asked to find a hostname
|
|
in a known_hosts file and it wasn't there;
|
|
originally from reyk@, ok djm
|
|
|
|
commit 045bda5cb8acf0eb9d71c275ee1247e3154fc9e5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:44:37 2013 +1000
|
|
|
|
- djm@cvs.openbsd.org 2013/08/22 19:02:21
|
|
[sshd.c]
|
|
Stir PRNG after post-accept fork. The child gets a different PRNG state
|
|
anyway via rexec and explicit privsep reseeds, but it's good to be sure.
|
|
ok markus@
|
|
|
|
commit ed4af412da60a084891b20412433a27966613fb8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Sep 14 09:40:51 2013 +1000
|
|
|
|
add marker for 6.3p1 release at the point of the last included change
|
|
|
|
commit 43968a8e66a0aa1afefb11665bf96f86b113f5d9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 28 14:00:54 2013 +1000
|
|
|
|
- (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits
|
|
until we have configure support.
|
|
|
|
commit 04be8b9e53f8388c94b531ebc5d1bd6e10e930d1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 28 12:49:43 2013 +1000
|
|
|
|
- (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
|
|
'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
|
|
start to use them in the future.
|