author Colin Watson <cjwatson@debian.org> 2019-06-05 06:41:44 +0100
committer Colin Watson <cjwatson@debian.org> 2019-06-09 22:09:07 +0100
commit 865a97e05b6aab1619e1c8eeb33ccb8f9a9e48d3
tree 7bb2128eb663180bacfabca88f26d26bf0733824 /ChangeLog
parent ba627ba172d6649919baedff5ba2789610da382a
parent 7d50f9e5be88179325983a1f58c9d51bb58f025a
New upstream release (8.0p1)
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 4562
1 files changed, 2599 insertions, 1963 deletions
diff --git a/ChangeLog b/ChangeLog
index 0307f62e0..fdc0a0619 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,2602 @@
1commit fd0fa130ecf06d7d092932adcd5d77f1549bfc8d
2Author: Damien Miller <djm@mindrot.org>
3Date: Thu Apr 18 08:52:57 2019 +1000
4
5 makedepend
6
7commit 5de397a876b587ba05a9169237deffdc71f273b0
8Author: Damien Miller <djm@mindrot.org>
9Date: Fri Apr 5 11:29:51 2019 -0700
10
11 second thoughts: leave README in place
12
13 A number of contrib/* files refer to the existing README so let's leave
14 it in place for release and add the new markdown version in parallel.
15
16 I'll get rid of README after release.
17
18commit 5d3127d9274519b25ed10e320f45045ba8d7f3be
19Author: Damien Miller <djm@mindrot.org>
20Date: Fri Apr 5 11:29:31 2019 -0700
21
22 Revert "rewrite README"
23
24 This reverts commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f.
25
26commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f
27Author: Damien Miller <djm@mindrot.org>
28Date: Fri Apr 5 11:21:48 2019 -0700
29
30 rewrite README
31
32 Include basic build instructions and comments on commonly-used build-
33 time flags, links to the manual pages and other resources.
34
35 Now in Markdown format for better viewing on github, etc.
36
37commit a924de0c4908902433813ba205bee1446bd1a157
38Author: Damien Miller <djm@mindrot.org>
39Date: Fri Apr 5 03:41:52 2019 +1100
40
41 update versions
42
43commit 312dcee739bca5d6878c536537b2a8a497314b75
44Author: djm@openbsd.org <djm@openbsd.org>
45Date: Wed Apr 3 15:48:45 2019 +0000
46
47 upstream: openssh-8.0
48
49 OpenBSD-Commit-ID: 5aafdf218679dab982fea20771afd643be9a127b
50
51commit 885bc114692046d55e2a170b932bdc0092fa3456
52Author: Damien Miller <djm@mindrot.org>
53Date: Thu Apr 4 02:47:40 2019 +1100
54
55 session: Do not use removed API
56
57 from Jakub Jelen
58
59commit 9d7b2882b0c9a5e9bf8312ce4075bf178e2b98be
60Author: djm@openbsd.org <djm@openbsd.org>
61Date: Fri Mar 29 11:31:40 2019 +0000
62
63 upstream: when logging/fataling on error, include a bit more detail
64
65 than just the function name and the error message
66
67 OpenBSD-Commit-ID: dd72d7eba2215fcb89be516c378f633ea5bcca9f
68
69commit 79a87d32783d6c9db40af8f35e091d9d30365ae7
70Author: Darren Tucker <dtucker@dtucker.net>
71Date: Wed Apr 3 06:27:45 2019 +1100
72
73 Remove "struct ssh" from sys_auth_record_login.
74
75 It's not needed, and is not available from the call site in loginrec.c
76 Should only affect AIX, spotted by Kevin Brott.
77
78commit 138c0d52cdc90f9895333b82fc57d81cce7a3d90
79Author: Darren Tucker <dtucker@dtucker.net>
80Date: Tue Apr 2 18:21:35 2019 +1100
81
82 Adapt custom_failed_login to new prototype.
83
84 Spotted by Kevin Brott.
85
86commit a0ca4009ab2f0b1007ec8ab6864dbf9b760a8ed5
87Author: Darren Tucker <dtucker@dtucker.net>
88Date: Mon Apr 1 20:07:23 2019 +1100
89
90 Add includes.h for compat layer.
91
92 Should fix build on AIX 7.2.
93
94commit 00991151786ce9b1d577bdad1f83a81d19c8236d
95Author: Tim Rice <tim@multitalents.net>
96Date: Sun Mar 31 22:14:22 2019 -0700
97
98 Stop USL compilers for erroring with "integral constant expression expected"
99
100commit 43f47ebbdd4037b569c23b8f4f7981f53b567f1d
101Author: Tim Rice <tim@multitalents.net>
102Date: Sun Mar 31 19:22:19 2019 -0700
103
104 Only use O_NOFOLLOW in fchownat and fchmodat if defined
105
106commit 342d6e51589b184c337cccfc4c788b60ff8b3765
107Author: Jakub Jelen <jjelen@redhat.com>
108Date: Fri Mar 29 12:29:41 2019 +0100
109
110 Adjust softhsm2 path on Fedora Linux for regress
111
112 The SoftHSM lives in Fedora in /usr/lib64/pkcs11/libsofthsm2.so
113
114commit f5abb05f8c7358dacdcb866fe2813f6d8efd5830
115Author: Darren Tucker <dtucker@dtucker.net>
116Date: Thu Mar 28 09:26:14 2019 +1100
117
118 Only use O_NOFOLLOW in utimensat if defined.
119
120 Fixes build on systems that don't have it (Solaris <=9) Found by
121 Tom G. Christensen.
122
123commit 786cd4c1837fdc3fe7b4befe54a3f37db7df8715
124Author: Corinna Vinschen <vinschen@redhat.com>
125Date: Wed Mar 27 18:18:21 2019 +0100
126
127 drop old Cygwin considerations
128
129 - Cygwin supports non-DOS characters in filenames
130 - Cygwin does not support Windows XP anymore
131
132 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
133
134commit 21da87f439b48a85b951ef1518fe85ac0273e719
135Author: djm@openbsd.org <djm@openbsd.org>
136Date: Wed Mar 27 09:29:14 2019 +0000
137
138 upstream: fix interaction between ClientAliveInterval and RekeyLimit
139
140 that could cause connection to close incorrectly; Report and patch from Jakub
141 Jelen in bz#2757; ok dtucker@ markus@
142
143 OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb
144
145commit 4f0019a9afdb4a94d83b75e82dbbbe0cbe826c56
146Author: djm@openbsd.org <djm@openbsd.org>
147Date: Mon Mar 25 22:34:52 2019 +0000
148
149 upstream: Fix authentication failures when "AuthenticationMethods
150
151 any" in a Match block overrides a more restrictive global default.
152
153 Spotted by jmc@, ok markus@
154
155 OpenBSD-Commit-ID: a90a4fe2ab81d0eeeb8fdfc21af81f7eabda6666
156
157commit d6e5def308610f194c0ec3ef97a34a3e9630e190
158Author: djm@openbsd.org <djm@openbsd.org>
159Date: Mon Mar 25 22:33:44 2019 +0000
160
161 upstream: whitespace
162
163 OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
164
165commit 26e0cef07b04479537c971dec898741df1290fe5
166Author: dtucker@openbsd.org <dtucker@openbsd.org>
167Date: Mon Mar 25 16:19:44 2019 +0000
168
169 upstream: Expand comment to document rationale for default key
170
171 sizes. "seems worthwhile" deraadt.
172
173 OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456
174
175commit f47269ea67eb4ff87454bf0d2a03e55532786482
176Author: dtucker@openbsd.org <dtucker@openbsd.org>
177Date: Mon Mar 25 15:49:00 2019 +0000
178
179 upstream: Increase the default RSA key size to 3072 bits. Based on
180
181 the estimates from NIST Special Publication 800-57, 3k bits provides security
182 equivalent to 128 bits which is the smallest symmetric cipher we enable by
183 default. ok markus@ deraadt@
184
185 OpenBSD-Commit-ID: 461dd32ebe808f88f4fc3ec74749b0e6bef2276b
186
187commit 62949c5b37af28d8490d94866e314a76be683a5e
188Author: jmc@openbsd.org <jmc@openbsd.org>
189Date: Fri Mar 22 20:58:34 2019 +0000
190
191 upstream: full stop in the wrong place;
192
193 OpenBSD-Commit-ID: 478a0567c83553a2aebf95d0f1bd67ac1b1253e4
194
195commit 1b1332b5bb975d759a50b37f0e8bc8cfb07a0bb0
196Author: jmc@openbsd.org <jmc@openbsd.org>
197Date: Sat Mar 16 19:14:21 2019 +0000
198
199 upstream: benno helped me clean up the tcp forwarding section;
200
201 OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
202
203commit 2aee9a49f668092ac5c9d34e904ef7a9722e541d
204Author: markus@openbsd.org <markus@openbsd.org>
205Date: Fri Mar 8 17:24:43 2019 +0000
206
207 upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL
208
209 OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c
210
211commit 9edbd7821e6837e98e7e95546cede804dac96754
212Author: Darren Tucker <dtucker@dtucker.net>
213Date: Thu Mar 14 10:17:28 2019 +1100
214
215 Fix build when configured --without-openssl.
216
217 ok djm@
218
219commit 825ab32f0d04a791e9d19d743c61ff8ed9b4d8e5
220Author: Darren Tucker <dtucker@dtucker.net>
221Date: Thu Mar 14 08:51:17 2019 +1100
222
223 On Cygwin run sshd as SYSTEM where possible.
224
225 Seteuid now creates user token using S4U. We don't create a token
226 from scratch anymore, so we don't need the "Create a process token"
227 privilege. The service can run under SYSTEM again...
228
229 ...unless Cygwin is running on Windows Vista or Windows 7 in the
230 WOW64 32 bit emulation layer. It turns out that WOW64 on these systems
231 didn't implement MsV1_0 S4U Logon so we still need the fallback
232 to NtCreateToken for these systems.
233
234 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
235
236commit a212107bfdf4d3e870ab7a443e4d906e5b9578c3
237Author: Darren Tucker <dtucker@dtucker.net>
238Date: Wed Mar 13 10:49:16 2019 +1100
239
240 Replace alloca with xcalloc.
241
242 The latter checks for memory exhaustion and integer overflow and may be
243 at a less predictable place. Sanity check by vinschen at redhat.com, ok
244 djm@
245
246commit daa7505aadca68ba1a2c70cbdfce423208eb91ee
247Author: Darren Tucker <dtucker@dtucker.net>
248Date: Tue Mar 12 09:19:19 2019 +1100
249
250 Use Cygwin-specific matching only for users+groups.
251
252 Patch from vinschen at redhat.com, updated a little by me.
253
254commit fd10cf027b56f9aaa80c9e3844626a05066589a4
255Author: dtucker@openbsd.org <dtucker@openbsd.org>
256Date: Wed Mar 6 22:14:23 2019 +0000
257
258 upstream: Move checks for lists of users or groups into their own
259
260 function. This is a no-op on OpenBSD but will make things easier in
261 -portable, eg on systems where these checks should be case-insensitive. ok
262 djm@
263
264 OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
265
266commit ab5fee8eb6a011002fd9e32b1597f02aa8804a25
267Author: dtucker@openbsd.org <dtucker@openbsd.org>
268Date: Wed Mar 6 21:06:59 2019 +0000
269
270 upstream: Reset last-seen time when sending a keepalive. Prevents
271
272 sending two keepalives successively and prematurely terminating connection
273 when ClientAliveCount=1. While there, collapse two similar tests into one.
274 ok markus@
275
276 OpenBSD-Commit-ID: 043670d201dfe222537a2a4bed16ce1087de5ddd
277
278commit c13b74530f9f1d9df7aeae012004b31b2de4438e
279Author: naddy@openbsd.org <naddy@openbsd.org>
280Date: Tue Mar 5 16:17:12 2019 +0000
281
282 upstream: PKCS#11 support is no longer limited to RSA; ok benno@
283
284 kn@
285
286 OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
287
288commit e9552d6043db7cd170ac6ba1b4d2c7a5eb2c3201
289Author: djm@openbsd.org <djm@openbsd.org>
290Date: Fri Mar 1 03:29:32 2019 +0000
291
292 upstream: in ssh_set_newkeys(), mention the direction that we're
293
294 keying in debug messages. Previously it would be difficult to tell which
295 direction it was talking about
296
297 OpenBSD-Commit-ID: c2b71bfcceb2a7389b9d0b497fb2122a406a522d
298
299commit 76a24b3fa193a9ca3e47a8779d497cb06500798b
300Author: djm@openbsd.org <djm@openbsd.org>
301Date: Fri Mar 1 02:32:39 2019 +0000
302
303 upstream: Fix two race conditions in sshd relating to SIGHUP:
304
305 1. Recently-forked child processes will briefly remain listening to
306 listen_socks. If the main server sshd process completes its restart
307 via execv() before these sockets are closed by the child processes
308 then it can fail to listen at the desired addresses/ports and/or
309 fail to restart.
310
311 2. When a SIGHUP is received, there may be forked child processes that
312 are awaiting their reexecution state. If the main server sshd
313 process restarts before passing this state, these child processes
314 will yield errors and use a fallback path of reading the current
315 sshd_config from the filesystem rather than use the one that sshd
316 was started with.
317
318 To fix both of these cases, we reuse the startup_pipes that are shared
319 between the main server sshd and forked children. Previously this was
320 used solely to implement tracking of pre-auth child processes for
321 MaxStartups, but this extends the messaging over these pipes to include
322 a child->parent message that the parent process is safe to restart. This
323 message is sent from the child after it has completed its preliminaries:
324 closing listen_socks and receiving its reexec state.
325
326 bz#2953, reported by Michal Koutný; ok markus@ dtucker@
327
328 OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab
329
330commit de817e9dfab99473017d28cdf69e60397d00ea21
331Author: djm@openbsd.org <djm@openbsd.org>
332Date: Fri Mar 1 02:16:47 2019 +0000
333
334 upstream: mention PKCS11Provide=none, reword a little and remove
335
336 mention of RSA keys only (since we support ECDSA now and might support others
337 in the future). Inspired by Jakub Jelen via bz#2974
338
339 OpenBSD-Commit-ID: a92e3686561bf624ccc64ab320c96c9e9a263aa5
340
341commit 95a8058c1a90a27acbb91392ba206854abc85226
342Author: djm@openbsd.org <djm@openbsd.org>
343Date: Fri Mar 1 02:08:50 2019 +0000
344
345 upstream: let PKCS11Provider=none do what users expect
346
347 print PKCS11Provider instead of obsolete SmartcardDevice in config dump.
348
349 bz#2974 ok dtucker@
350
351 OpenBSD-Commit-ID: c303d6f0230a33aa2dd92dc9b68843d56a64f846
352
353commit 8e7bac35aa576d2fd7560836da83733e864ce649
354Author: markus@openbsd.org <markus@openbsd.org>
355Date: Wed Feb 27 19:37:01 2019 +0000
356
357 upstream: dup stdout/in for proxycommand=-, otherwise stdout might
358
359 be redirected to /dev/null; ok djm@
360
361 OpenBSD-Commit-ID: 97dfce4c47ed4055042de8ebde85b7d88793e595
362
363commit 9b61130fbd95d196bce81ebeca94a4cb7c0d5ba0
364Author: djm@openbsd.org <djm@openbsd.org>
365Date: Sat Feb 23 08:20:43 2019 +0000
366
367 upstream: openssh-7.9 accidentally reused the server's algorithm lists
368
369 in the client for KEX, ciphers and MACs. The ciphers and MACs were identical
370 between the client and server, but the error accidentially disabled the
371 diffie-hellman-group-exchange-sha1 KEX method.
372
373 This fixes the client code to use the correct method list, but
374 because nobody complained, it also disables the
375 diffie-hellman-group-exchange-sha1 KEX method.
376
377 Reported by nuxi AT vault24.org via bz#2697; ok dtucker
378
379 OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
380
381commit 37638c752041d591371900df820f070037878a2d
382Author: Corinna Vinschen <vinschen@redhat.com>
383Date: Wed Feb 20 13:41:25 2019 +0100
384
385 Cygwin: implement case-insensitive Unicode user and group name matching
386
387 The previous revert enabled case-insensitive user names again. This
388 patch implements the case-insensitive user and group name matching.
389 To allow Unicode chars, implement the matcher using wchar_t chars in
390 Cygwin-specific code. Keep the generic code changes as small as possible.
391 Cygwin: implement case-insensitive Unicode user and group name matching
392
393 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
394
395commit bed1d43698807a07bb4ddb93a46b0bd84b9970b3
396Author: Darren Tucker <dtucker@dtucker.net>
397Date: Fri Feb 22 15:21:21 2019 +1100
398
399 Revert unintended parts of previous commit.
400
401commit f02afa350afac1b2f2d1413259a27a4ba1e2ca24
402Author: Corinna Vinschen <vinschen@redhat.com>
403Date: Wed Feb 20 13:41:24 2019 +0100
404
405 Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
406
407 This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c.
408
409 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
410
411commit 4c55b674835478eb80a1a7aeae588aa654e2a433
412Author: Corinna Vinschen <vinschen@redhat.com>
413Date: Sat Feb 16 14:13:43 2019 +0100
414
415 Add tags to .gitignore
416
417 Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
418
419commit 625b62634c33eaef4b80d07529954fe5c6435fe5
420Author: djm@openbsd.org <djm@openbsd.org>
421Date: Fri Feb 22 03:37:11 2019 +0000
422
423 upstream: perform removal of agent-forwarding directory in forward
424
425 setup error path with user's privileged. This is a no-op as this code always
426 runs with user privilege now that we no longer support running sshd with
427 privilege separation disabled, but as long as the privsep skeleton is there
428 we should follow the rules.
429 MIME-Version: 1.0
430 Content-Type: text/plain; charset=UTF-8
431 Content-Transfer-Encoding: 8bit
432
433 bz#2969 with patch from Erik Sjölund
434
435 OpenBSD-Commit-ID: 2b708401a5a8d6133c865d7698d9852210dca846
436
437commit d9ecfaba0b2f1887d20e4368230632e709ca83be
438Author: jmc@openbsd.org <jmc@openbsd.org>
439Date: Mon Feb 18 07:02:34 2019 +0000
440
441 upstream: sync the description of ~/.ssh/config with djm's updated
442
443 description in ssh.1; issue pointed out by andreas kahari
444
445 ok dtucker djm
446
447 OpenBSD-Commit-ID: 1b01ef0ae2c6328165150badae317ec92e52b01c
448
449commit 38e83e4f219c752ebb1560633b73f06f0392018b
450Author: djm@openbsd.org <djm@openbsd.org>
451Date: Tue Feb 12 23:53:10 2019 +0000
452
453 upstream: fix regression in r1.302 reported by naddy@ - only the first
454
455 public key from the agent was being attempted for use.
456
457 OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f46c8d
458
459commit 5c68ea8da790d711e6dd5f4c30d089c54032c59a
460Author: djm@openbsd.org <djm@openbsd.org>
461Date: Mon Feb 11 09:44:42 2019 +0000
462
463 upstream: cleanup GSSAPI authentication context after completion of the
464
465 authmethod. Move function-static GSSAPI state to the client Authctxt
466 structure. Make static a bunch of functions that aren't used outside this
467 file.
468
469 Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@
470
471 OpenBSD-Commit-ID: 497fb792c0ddb4f1ba631b6eed526861f115dbe5
472
473commit a8c807f1956f81a92a758d3d0237d0ff06d0be5d
474Author: benno@openbsd.org <benno@openbsd.org>
475Date: Sun Feb 10 16:35:41 2019 +0000
476
477 upstream: ssh-keygen -D pkcs11.so needs to initialize pkcs11
478
479 interactive, so it can ask for the smartcards PIN. ok markus@
480
481 OpenBSD-Commit-ID: 1be7ccf88f1876e0fc4d7c9b3f96019ac5655bab
482
483commit 3d896c157c722bc47adca51a58dca859225b5874
484Author: djm@openbsd.org <djm@openbsd.org>
485Date: Sun Feb 10 11:15:52 2019 +0000
486
487 upstream: when checking that filenames sent by the server side
488
489 match what the client requested, be prepared to handle shell-style brace
490 alternations, e.g. "{foo,bar}".
491
492 "looks good to me" millert@ + in snaps for the last week courtesy
493 deraadt@
494
495 OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
496
497commit 318e4f8548a4f5c0c913f61e27d4fc21ffb1eaae
498Author: djm@openbsd.org <djm@openbsd.org>
499Date: Sun Feb 10 11:10:57 2019 +0000
500
501 upstream: syslog when connection is dropped for attempting to run a
502
503 command when ForceCommand=internal-sftp is in effect; bz2960; ok dtucker@
504
505 OpenBSD-Commit-ID: 8c87fa66d7fc6c0fffa3a3c28e8ab5e8dde234b8
506
507commit 2ff2e19653b8c0798b8b8eff209651bdb1be2761
508Author: Damien Miller <djm@mindrot.org>
509Date: Fri Feb 8 14:53:35 2019 +1100
510
511 don't set $MAIL if UsePam=yes
512
513 PAM typically specifies the user environment if it's enabled, so don't
514 second guess. bz#2937; ok dtucker@
515
516commit 03e92dd27d491fe6d1a54e7b2f44ef1b0a916e52
517Author: Damien Miller <djm@mindrot.org>
518Date: Fri Feb 8 14:50:36 2019 +1100
519
520 use same close logic for stderr as stdout
521
522 Avoids sending SIGPIPE to child processes after their parent exits
523 if they attempt to write to stderr.
524
525 Analysis and patch from JD Paul; patch reworked by Jakub Jelen and
526 myself. bz#2071; ok dtucker@
527
528commit 8c53d409baeeaf652c0c125a9b164edc9dbeb6de
529Author: dtucker@openbsd.org <dtucker@openbsd.org>
530Date: Tue Feb 5 11:35:56 2019 +0000
531
532 upstream: Adapt code in the non-USE_PIPES codepath to the new packet
533
534 API. This code is not normally reachable since USE_PIPES is always defined.
535 bz#2961, patch from adrian.fita at gmail com.
536
537 OpenBSD-Commit-ID: 8d8428d678d1d5eb4bb21921df34e8173e6d238a
538
539commit 7a7fdca78de4b4774950be056099e579ef595414
540Author: djm@openbsd.org <djm@openbsd.org>
541Date: Mon Feb 4 23:37:54 2019 +0000
542
543 upstream: fix NULL-deref crash in PKCS#11 code when attempting
544
545 login to a token requiring a PIN; reported by benno@ fix mostly by markus@
546
547 OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31
548
549commit cac302a4b42a988e54d32eb254b29b79b648dbf5
550Author: dtucker@openbsd.org <dtucker@openbsd.org>
551Date: Mon Feb 4 02:39:42 2019 +0000
552
553 upstream: Remove obsolete "Protocol" from commented out examples. Patch
554
555 from samy.mahmoudi at gmail com.
556
557 OpenBSD-Commit-ID: 16aede33dae299725a03abdac5dcb4d73f5d0cbf
558
559commit 483b3b638500fd498b4b529356e5a0e18cf76891
560Author: dtucker@openbsd.org <dtucker@openbsd.org>
561Date: Fri Feb 1 03:52:23 2019 +0000
562
563 upstream: Save connection timeout and restore for 2nd and
564
565 subsequent attempts, preventing them from having no timeout. bz#2918, ok
566 djm@
567
568 OpenBSD-Commit-ID: 4977f1d0521d9b6bba0c9a20d3d226cefac48292
569
570commit 5f004620fdc1b2108139300ee12f4014530fb559
571Author: markus@openbsd.org <markus@openbsd.org>
572Date: Wed Jan 30 19:51:15 2019 +0000
573
574 upstream: Add authors for public domain sntrup4591761 code;
575
576 confirmed by Daniel J. Bernstein
577
578 OpenBSD-Commit-ID: b4621f22b8b8ef13e063c852af5e54dbbfa413c1
579
580commit 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8
581Author: jmc@openbsd.org <jmc@openbsd.org>
582Date: Sun Jan 27 07:14:11 2019 +0000
583
584 upstream: add -T to usage();
585
586 OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899
587
588commit 19a0f0529d3df04118da829528cac7ceff380b24
589Author: dtucker@openbsd.org <dtucker@openbsd.org>
590Date: Mon Jan 28 03:50:39 2019 +0000
591
592 upstream: The test sshd_config in in $OBJ.
593
594 OpenBSD-Regress-ID: 1e5d908a286d8e7de3a15a0020c8857f3a7c9172
595
596commit 8fe25440206319d15b52d12b948a5dfdec14dca3
597Author: dtucker@openbsd.org <dtucker@openbsd.org>
598Date: Mon Jan 28 03:28:10 2019 +0000
599
600 upstream: Remove leftover debugging.
601
602 OpenBSD-Regress-ID: 3d86c3d4867e46b35af3fd2ac8c96df0ffdcfeb9
603
604commit e30d32364d12c351eec9e14be6c61116f9d6cc90
605Author: dtucker@openbsd.org <dtucker@openbsd.org>
606Date: Mon Jan 28 00:12:36 2019 +0000
607
608 upstream: Enable ssh-dss for the agent test. Disable it for the
609
610 certificate test.
611
612 OpenBSD-Regress-ID: 388c1e03e1def539d350f139b37d69f12334668d
613
614commit ffdde469ed56249f5dc8af98da468dde35531398
615Author: dtucker@openbsd.org <dtucker@openbsd.org>
616Date: Mon Jan 28 00:08:26 2019 +0000
617
618 upstream: Count the number of key types instead of assuming there
619
620 are only two.
621
622 OpenBSD-Regress-ID: 0998702c41235782cf0beee396ec49b5056eaed9
623
624commit 1d05b4adcba08ab068466e5c08dee2f5417ec53a
625Author: Corinna Vinschen <vinschen@redhat.com>
626Date: Sat Jan 26 23:42:40 2019 +0100
627
628 Cygwin: only tweak sshd_config file if it's new, drop creating sshd user
629
630 The sshd_config tweaks were executed even if the old file was
631 still in place. Fix that. Also disable sshd user creation.
632 It's not used on Cygwin.
633
634commit 89843de0c4c733501f6b4f988098e6e06963df37
635Author: Corinna Vinschen <vinschen@redhat.com>
636Date: Sat Jan 26 23:03:12 2019 +0100
637
638 Cygwin: Change service name to cygsshd
639
640 Microsoft hijacked the sshd service name without asking.
641
642commit 2a9b3a2ce411d16cda9c79ab713c55f65b0ec257
643Author: dtucker@openbsd.org <dtucker@openbsd.org>
644Date: Sun Jan 27 06:30:53 2019 +0000
645
646 upstream: Generate all key supported key types and enable for keyscan
647
648 test.
649
650 OpenBSD-Regress-ID: 72f72ff49946c61bc949e1692dd9e3d71370891b
651
652commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
653Author: djm@openbsd.org <djm@openbsd.org>
654Date: Sat Jan 26 22:41:28 2019 +0000
655
656 upstream: check in scp client that filenames sent during
657
658 remote->local directory copies satisfy the wildcard specified by the user.
659
660 This checking provides some protection against a malicious server
661 sending unexpected filenames, but it comes at a risk of rejecting wanted
662 files due to differences between client and server wildcard expansion rules.
663
664 For this reason, this also adds a new -T flag to disable the check.
665
666 reported by Harry Sintonen
667 fix approach suggested by markus@;
668 has been in snaps for ~1wk courtesy deraadt@
669
670 OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
671
672commit c2c18a39683db382a15b438632afab3f551d50ce
673Author: djm@openbsd.org <djm@openbsd.org>
674Date: Sat Jan 26 22:35:01 2019 +0000
675
676 upstream: make ssh-keyscan return a non-zero exit status if it
677
678 finds no keys. bz#2903
679
680 OpenBSD-Commit-ID: 89f1081fb81d950ebb48e6e73d21807b2723d488
681
682commit 05b9a466700b44d49492edc2aa415fc2e8913dfe
683Author: dtucker@openbsd.org <dtucker@openbsd.org>
684Date: Thu Jan 24 17:00:29 2019 +0000
685
686 upstream: Accept the host key fingerprint as a synonym for "yes"
687
688 when accepting an unknown host key. This allows you to paste a fingerprint
689 obtained out of band into the yes/no prompt and have the client do the
690 comparison for you. ok markus@ djm@
691
692 OpenBSD-Commit-ID: 3c47d10b9f43d3d345e044fd9ec09709583a2767
693
694commit bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
695Author: dtucker@openbsd.org <dtucker@openbsd.org>
696Date: Thu Jan 24 16:52:17 2019 +0000
697
698 upstream: Have progressmeter force an update at the beginning and
699
700 end of each transfer. Fixes the problem recently introduces where very quick
701 transfers do not display the progressmeter at all. Spotted by naddy@
702
703 OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
704
705commit 258e6ca003e47f944688ad8b8de087b58a7d966c
706Author: dtucker@openbsd.org <dtucker@openbsd.org>
707Date: Thu Jan 24 02:42:23 2019 +0000
708
709 upstream: Check for both EAGAIN and EWOULDBLOCK. This is a no-op
710
711 in OpenBSD (they are the same value) but makes things easier in -portable
712 where they may be distinct values. "sigh ok" deraadt@
713
714 (ID sync only, portable already had this change).
715
716 OpenBSD-Commit-ID: 91f2bc7c0ecec905915ed59fa37feb9cc90e17d7
717
718commit 281ce042579b834cdc1e74314f1fb2eeb75d2612
719Author: dtucker@openbsd.org <dtucker@openbsd.org>
720Date: Thu Jan 24 02:34:52 2019 +0000
721
722 upstream: Always initialize 2nd arg to hpdelim2. It populates that
723
724 *ONLY IF* there's a delimiter. If there's not (the common case) it checked
725 uninitialized memory, which usually passed, but if not would cause spurious
726 failures when the uninitialized memory happens to contain "/". ok deraadt.
727
728 OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3
729
730commit d05ea255678d9402beda4416cd0360f3e5dfe938
731Author: dtucker@openbsd.org <dtucker@openbsd.org>
732Date: Wed Jan 23 21:50:56 2019 +0000
733
734 upstream: Remove support for obsolete host/port syntax.
735
736 host/port was added in 2001 as an alternative to host:port syntax for
737 the benefit of IPv6 users. These days there are establised standards
738 for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
739 notation, which OpenSSH now supports for some things. Remove the slash
740 notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
741 at redhat.com, ok markus@
742
743 OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
744
745commit 177d6c80c557a5e060cd343a0c116a2f1a7f43db
746Author: dtucker@openbsd.org <dtucker@openbsd.org>
747Date: Wed Jan 23 20:48:52 2019 +0000
748
749 upstream: Remove duplicate word. bz#2958, patch from jjelen at
750
751 redhat.com
752
753 OpenBSD-Commit-ID: cca3965a8333f2b6aae48b79ec1d72f7a830dd2c
754
755commit be3e6cba95dffe5fcf190c713525b48c837e7875
756Author: dtucker@openbsd.org <dtucker@openbsd.org>
757Date: Wed Jan 23 09:49:00 2019 +0000
758
759 upstream: Remove 3 as a guess for possible generator during moduli
760
761 generation. It's not mentioned in RFC4419 and it's not possible for
762 Sophie-Germain primes greater than 5. bz#2330, from Christian Wittenhorst ,
763 ok djm@ tb@
764
765 OpenBSD-Commit-ID: 1467652e6802ad3333b0959282d8d49dfe22c8cd
766
767commit 8976f1c4b2721c26e878151f52bdf346dfe2d54c
768Author: dtucker@openbsd.org <dtucker@openbsd.org>
769Date: Wed Jan 23 08:01:46 2019 +0000
770
771 upstream: Sanitize scp filenames via snmprintf. To do this we move
772
773 the progressmeter formatting outside of signal handler context and have the
774 atomicio callback called for EINTR too. bz#2434 with contributions from djm
775 and jjelen at redhat.com, ok djm@
776
777 OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
778
779commit 6249451f381755f792c6b9e2c2f80cdc699c14e2
780Author: Darren Tucker <dtucker@dtucker.net>
781Date: Thu Jan 24 10:00:20 2019 +1100
782
783 For broken read/readv comparisons, poll(RW).
784
785 In the cases where we can't compare to read or readv function pointers
786 for some reason we currently ifdef out the poll() used to block while
787 waiting for reads or writes, falling back to busy waiting. This restores
788 the poll() in this case, but has it always check for read or write,
789 removing an inline ifdef in the process.
790
791commit 5cb503dff4db251520e8bf7d23b9c97c06eee031
792Author: Darren Tucker <dtucker@dtucker.net>
793Date: Thu Jan 24 09:55:16 2019 +1100
794
795 Include unistd.h for strmode().
796
797commit f236ca2741f29b5c443c0b2db3aa9afb9ad9befe
798Author: Darren Tucker <dtucker@dtucker.net>
799Date: Thu Jan 24 09:50:58 2019 +1100
800
801 Also undef SIMPLEQ_FOREACH_SAFE.
802
803 Prevents macro redefinition warning on at least NetBSD 6.1.
804
805commit be063945e4e7d46b1734d973bf244c350fae172a
806Author: djm@openbsd.org <djm@openbsd.org>
807Date: Wed Jan 23 04:51:02 2019 +0000
808
809 upstream: allow auto-incrementing certificate serial number for certs
810
811 signed in a single commandline.
812
813 OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
814
815commit 851f80328931975fe68f71af363c4537cb896da2
816Author: djm@openbsd.org <djm@openbsd.org>
817Date: Wed Jan 23 04:16:22 2019 +0000
818
819 upstream: move a bunch of global flag variables to main(); make the
820
821 rest static
822
823 OpenBSD-Commit-ID: fa431d92584e81fe99f95882f4c56b43fe3242dc
824
825commit 2265402dc7d701a9aca9f8a7b7b0fd45b65c479f
826Author: Damien Miller <djm@mindrot.org>
827Date: Wed Jan 23 13:03:16 2019 +1100
828
829 depend
830
831commit 2c223878e53cc46def760add459f5f7c4fb43e35
832Author: djm@openbsd.org <djm@openbsd.org>
833Date: Wed Jan 23 02:01:10 2019 +0000
834
835 upstream: switch mainloop from select(2) to poll(2); ok deraadt@
836
837 OpenBSD-Commit-ID: 37645419a330037d297f6f0adc3b3663e7ae7b2e
838
839commit bb956eaa94757ad058ff43631c3a7d6c94d38c2f
840Author: djm@openbsd.org <djm@openbsd.org>
841Date: Wed Jan 23 00:30:41 2019 +0000
842
843 upstream: pass most arguments to the KEX hash functions as sshbuf
844
845 rather than pointer+length; ok markus@
846
847 OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7
848
849commit d691588b8e29622c66abf8932362b522cf7f4051
850Author: djm@openbsd.org <djm@openbsd.org>
851Date: Tue Jan 22 22:58:50 2019 +0000
852
853 upstream: backoff reading messages from active connections when the
854
855 input buffer is too full to read one, or if the output buffer is too full to
856 enqueue a response; feedback & ok dtucker@
857
858 OpenBSD-Commit-ID: df3c5b6d57c968975875de40d8955cbfed05a6c8
859
860commit f99ef8de967949a1fc25a5c28263ea32736e5943
861Author: djm@openbsd.org <djm@openbsd.org>
862Date: Tue Jan 22 20:48:01 2019 +0000
863
864 upstream: add -m to usage(); reminded by jmc@
865
866 OpenBSD-Commit-ID: bca476a5236e8f94210290b3e6a507af0434613e
867
868commit 41923ce06ac149453debe472238e0cca7d5a2e5f
869Author: djm@openbsd.org <djm@openbsd.org>
870Date: Tue Jan 22 12:03:58 2019 +0000
871
872 upstream: Correct some bugs in PKCS#11 token PIN handling at
873
874 initial login, the attempt at reading the PIN could be skipped in some cases
875 especially on devices with integrated PIN readers.
876
877 based on patch from Daniel Kucera in bz#2652; ok markus@
878
879 OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e
880
881commit 2162171ad517501ba511fa9f8191945d01857bb4
882Author: djm@openbsd.org <djm@openbsd.org>
883Date: Tue Jan 22 12:00:50 2019 +0000
884
885 upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by
886
887 requring a fresh login after the C_SignInit operation.
888
889 based on patch from Jakub Jelen in bz#2638; ok markus
890
891 OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661
892
893commit 7a2cb18a215b2cb335da3dc99489c52a91f4925b
894Author: djm@openbsd.org <djm@openbsd.org>
895Date: Tue Jan 22 11:51:25 2019 +0000
896
897 upstream: Mention that configuration for the destination host is
898
899 not applied to any ProxyJump/-J hosts. This has confused a few people...
900
901 OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
902
903commit ecd2f33cb772db4fa76776543599f1c1ab6f9fa0
904Author: djm@openbsd.org <djm@openbsd.org>
905Date: Tue Jan 22 11:40:42 2019 +0000
906
907 upstream: Include -m in the synopsis for a few more commands that
908
909 support it
910
911 Be more explicit in the description of -m about where it may be used
912
913 Prompted by Jakub Jelen in bz2904
914
915 OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
916
917commit ff5d2cf4ca373bb4002eef395ed2cbe2ff0826c1
918Author: djm@openbsd.org <djm@openbsd.org>
919Date: Tue Jan 22 11:26:16 2019 +0000
920
921 upstream: print the full pubkey being attempted at loglevel >=
922
923 debug2; bz2939
924
925 OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290
926
927commit 180b520e2bab33b566b4b0cbac7d5f9940935011
928Author: djm@openbsd.org <djm@openbsd.org>
929Date: Tue Jan 22 11:19:42 2019 +0000
930
931 upstream: clarify: ssh-keygen -e only writes public keys, never
932
933 private
934
935 OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
936
937commit c45616a199c322ca674315de88e788f1d2596e26
938Author: djm@openbsd.org <djm@openbsd.org>
939Date: Tue Jan 22 11:00:15 2019 +0000
940
941 upstream: mention the new vs. old key formats in the introduction
942
943 and give some hints on how keys may be converted or written in the old
944 format.
945
946 OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
947
948commit fd8eb1383a34c986a00ef13d745ae9bd3ea21760
949Author: jmc@openbsd.org <jmc@openbsd.org>
950Date: Tue Jan 22 06:58:31 2019 +0000
951
952 upstream: tweak previous;
953
954 OpenBSD-Commit-ID: d2a80e389da8e7ed71978643d8cbaa8605b597a8
955
956commit 68e924d5473c00057f8532af57741d258c478223
957Author: tb@openbsd.org <tb@openbsd.org>
958Date: Mon Jan 21 23:55:12 2019 +0000
959
960 upstream: Forgot to add -J to the synopsis.
961
962 OpenBSD-Commit-ID: 26d95e409a0b72526526fc56ca1caca5cc3d3c5e
963
964commit 622dedf1a884f2927a9121e672bd9955e12ba108
965Author: tb@openbsd.org <tb@openbsd.org>
966Date: Mon Jan 21 22:50:42 2019 +0000
967
968 upstream: Add a -J option as a shortcut for -o Proxyjump= to scp(1)
969
970 and sftp(1) to match ssh(1)'s interface.
971
972 ok djm
973
974 OpenBSD-Commit-ID: a75bc2d5f329caa7229a7e9fe346c4f41c2663fc
975
976commit c882d74652800150d538e22c80dd2bd3cdd5fae2
977Author: Darren Tucker <dtucker@dtucker.net>
978Date: Tue Jan 22 20:38:40 2019 +1100
979
980 Allow building against OpenSSL dev (3.x) version.
981
982commit d5520393572eb24aa0e001a1c61f49b104396e45
983Author: Damien Miller <djm@mindrot.org>
984Date: Tue Jan 22 10:50:40 2019 +1100
985
986 typo
987
988commit 2de9cec54230998ab10161576f77860a2559ccb7
989Author: Damien Miller <djm@mindrot.org>
990Date: Tue Jan 22 10:49:52 2019 +1100
991
992 add missing header
993
994commit 533cfb01e49a2a30354e191669dc3159e03e99a7
995Author: djm@openbsd.org <djm@openbsd.org>
996Date: Mon Jan 21 22:18:24 2019 +0000
997
998 upstream: switch sntrup implementation source from supercop to
999
1000 libpqcrypto; the latter is almost identical but doesn't rely on signed
1001 underflow to implement an optimised integer sort; from markus@
1002
1003 OpenBSD-Commit-ID: cd09bbf0e0fcef1bedca69fdf7990dc360567cf8
1004
1005commit d50ab3cd6fb859888a26b4d4e333239b4f6bf573
1006Author: Damien Miller <djm@mindrot.org>
1007Date: Tue Jan 22 00:02:23 2019 +1100
1008
1009 new files need includes.h
1010
1011commit c7670b091a7174760d619ef6738b4f26b2093301
1012Author: djm@openbsd.org <djm@openbsd.org>
1013Date: Mon Jan 21 12:53:35 2019 +0000
1014
1015 upstream: add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up
1016
1017 debug verbosity.
1018
1019 Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run
1020 in debug mode ("ssh-agent -d"), so we get to see errors from the
1021 PKCS#11 code.
1022
1023 ok markus@
1024
1025 OpenBSD-Commit-ID: 0a798643c6a92a508df6bd121253ba1c8bee659d
1026
1027commit 49d8c8e214d39acf752903566b105d06c565442a
1028Author: djm@openbsd.org <djm@openbsd.org>
1029Date: Mon Jan 21 12:50:12 2019 +0000
1030
1031 upstream: adapt to changes in KEX APIs and file removals
1032
1033 OpenBSD-Regress-ID: 54d6857e7c58999c7a6d40942ab0fed3529f43ca
1034
1035commit 35ecc53a83f8e8baab2e37549addfd05c73c30f1
1036Author: djm@openbsd.org <djm@openbsd.org>
1037Date: Mon Jan 21 12:35:20 2019 +0000
1038
1039 upstream: adapt to changes in KEX API and file removals
1040
1041 OpenBSD-Regress-ID: 92cad022d3b0d11e08f3e0055d6a14b8f994c0d7
1042
1043commit 7d69aae64c35868cc4f644583ab973113a79480e
1044Author: djm@openbsd.org <djm@openbsd.org>
1045Date: Mon Jan 21 12:29:35 2019 +0000
1046
1047 upstream: adapt to bignum1 API removal and bignum2 API change
1048
1049 OpenBSD-Regress-ID: cea6ff270f3d560de86b355a87a2c95b55a5ca63
1050
1051commit beab553f0a9578ef9bffe28b2c779725e77b39ec
1052Author: djm@openbsd.org <djm@openbsd.org>
1053Date: Mon Jan 21 09:13:41 2019 +0000
1054
1055 upstream: remove hack to use non-system libcrypto
1056
1057 OpenBSD-Regress-ID: ce72487327eee4dfae1ab0212a1f33871fe0809f
1058
1059commit 4dc06bd57996f1a46b4c3bababe0d09bc89098f7
1060Author: Damien Miller <djm@mindrot.org>
1061Date: Mon Jan 21 23:14:04 2019 +1100
1062
1063 depend
1064
1065commit 70edd73edc4df54e5eee50cd27c25427b34612f8
1066Author: djm@openbsd.org <djm@openbsd.org>
1067Date: Mon Jan 21 12:08:13 2019 +0000
1068
1069 upstream: fix reversed arguments to kex_load_hostkey(); manifested as
1070
1071 errors in cert-hostkey.sh regress failures.
1072
1073 OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
1074
1075commit f1185abbf0c9108e639297addc77f8757ee00eb3
1076Author: djm@openbsd.org <djm@openbsd.org>
1077Date: Mon Jan 21 11:22:00 2019 +0000
1078
1079 upstream: forgot to cvs add this file in previous series of commits;
1080
1081 grrr
1082
1083 OpenBSD-Commit-ID: bcff316c3e7da8fd15333e05d244442c3aaa66b0
1084
1085commit 7bef390b625bdc080f0fd4499ef03cef60fca4fa
1086Author: djm@openbsd.org <djm@openbsd.org>
1087Date: Mon Jan 21 10:44:21 2019 +0000
1088
1089 upstream: nothing shall escape this purge
1090
1091 OpenBSD-Commit-ID: 4795b0ff142b45448f7e15f3c2f77a947191b217
1092
1093commit aaca72d6f1279b842066e07bff797019efeb2c23
1094Author: djm@openbsd.org <djm@openbsd.org>
1095Date: Mon Jan 21 10:40:11 2019 +0000
1096
1097 upstream: rename kex->kem_client_pub -> kex->client_pub now that
1098
1099 KEM has been renamed to kexgen
1100
1101 from markus@ ok djm@
1102
1103 OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
1104
1105commit 70867e1ca2eb08bbd494fe9c568df4fd3b35b867
1106Author: djm@openbsd.org <djm@openbsd.org>
1107Date: Mon Jan 21 10:38:54 2019 +0000
1108
1109 upstream: merge kexkem[cs] into kexgen
1110
1111 from markus@ ok djm@
1112
1113 OpenBSD-Commit-ID: 87d886b7f1812ff9355fda1435f6ea9b71a0ac89
1114
1115commit 71e67fff946396caa110a7964da23480757258ff
1116Author: djm@openbsd.org <djm@openbsd.org>
1117Date: Mon Jan 21 10:35:09 2019 +0000
1118
1119 upstream: pass values used in KEX hash computation as sshbuf
1120
1121 rather than pointer+len
1122
1123 suggested by me; implemented by markus@ ok me
1124
1125 OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
1126
1127commit 4b83e2a2cc0c12e671a77eaba1c1245894f4e884
1128Author: djm@openbsd.org <djm@openbsd.org>
1129Date: Mon Jan 21 10:33:49 2019 +0000
1130
1131 upstream: remove kex_derive_keys_bn wrapper; no unused since the
1132
1133 DH-like KEX methods have moved to KEM
1134
1135 from markus@ ok djm@
1136
1137 OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
1138
1139commit 92dda34e373832f34a1944e5d9ebbebb184dedc1
1140Author: djm@openbsd.org <djm@openbsd.org>
1141Date: Mon Jan 21 10:29:56 2019 +0000
1142
1143 upstream: use KEM API for vanilla ECDH
1144
1145 from markus@ ok djm@
1146
1147 OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
1148
1149commit b72357217cbe510a3ae155307a7be6b9181f1d1b
1150Author: Damien Miller <djm@mindrot.org>
1151Date: Mon Jan 21 23:11:21 2019 +1100
1152
1153 fixup missing ssherr.h
1154
1155commit 9c9c97e14fe190931f341876ad98213e1e1dc19f
1156Author: djm@openbsd.org <djm@openbsd.org>
1157Date: Mon Jan 21 10:28:01 2019 +0000
1158
1159 upstream: use KEM API for vanilla DH KEX
1160
1161 from markus@ ok djm@
1162
1163 OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
1164
1165commit 2f6a9ddbbf6ca8623c53c323ff17fb6d68d66970
1166Author: djm@openbsd.org <djm@openbsd.org>
1167Date: Mon Jan 21 10:24:09 2019 +0000
1168
1169 upstream: use KEM API for vanilla c25519 KEX
1170
1171 OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
1172
1173commit dfd591618cdf2c96727ac0eb65f89cf54af0d97e
1174Author: djm@openbsd.org <djm@openbsd.org>
1175Date: Mon Jan 21 10:20:12 2019 +0000
1176
1177 upstream: Add support for a PQC KEX/KEM:
1178
1179 sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
1180 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
1181 enabled by default.
1182
1183 introduce KEM API; a simplified framework for DH-ish KEX methods.
1184
1185 from markus@ feedback & ok djm@
1186
1187 OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
1188
1189commit b1b2ff4ed559051d1035419f8f236275fa66d5d6
1190Author: djm@openbsd.org <djm@openbsd.org>
1191Date: Mon Jan 21 10:07:22 2019 +0000
1192
1193 upstream: factor out kex_verify_hostkey() - again, duplicated
1194
1195 almost exactly across client and server for several KEX methods.
1196
1197 from markus@ ok djm@
1198
1199 OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
1200
1201commit bb39bafb6dc520cc097780f4611a52da7f19c3e2
1202Author: djm@openbsd.org <djm@openbsd.org>
1203Date: Mon Jan 21 10:05:09 2019 +0000
1204
1205 upstream: factor out kex_load_hostkey() - this is duplicated in
1206
1207 both the client and server implementations for most KEX methods.
1208
1209 from markus@ ok djm@
1210
1211 OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
1212
1213commit dec5e9d33891e3bc3f1395d7db0e56fdc7f86dfc
1214Author: djm@openbsd.org <djm@openbsd.org>
1215Date: Mon Jan 21 10:03:37 2019 +0000
1216
1217 upstream: factor out kex_dh_compute_key() - it's shared between
1218
1219 plain DH KEX and DH GEX in both the client and server implementations
1220
1221 from markus@ ok djm@
1222
1223 OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
1224
1225commit e93bd98eab79b9a78f64ee8dd4dffc4d3979c7ae
1226Author: djm@openbsd.org <djm@openbsd.org>
1227Date: Mon Jan 21 10:00:23 2019 +0000
1228
1229 upstream: factor out DH keygen; it's identical between the client
1230
1231 and the server
1232
1233 from markus@ ok djm@
1234
1235 OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
1236
1237commit 5ae3f6d314465026d028af82609c1d49ad197655
1238Author: djm@openbsd.org <djm@openbsd.org>
1239Date: Mon Jan 21 09:55:52 2019 +0000
1240
1241 upstream: save the derived session id in kex_derive_keys() rather
1242
1243 than making each kex method implementation do it.
1244
1245 from markus@ ok djm@
1246
1247 OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
1248
1249commit 7be8572b32a15d5c3dba897f252e2e04e991c307
1250Author: djm@openbsd.org <djm@openbsd.org>
1251Date: Mon Jan 21 09:54:11 2019 +0000
1252
1253 upstream: Make sshpkt_get_bignum2() allocate the bignum it is
1254
1255 parsing rather than make the caller do it. Saves a lot of boilerplate code.
1256
1257 from markus@ ok djm@
1258
1259 OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
1260
1261commit 803178bd5da7e72be94ba5b4c4c196d4b542da4d
1262Author: djm@openbsd.org <djm@openbsd.org>
1263Date: Mon Jan 21 09:52:25 2019 +0000
1264
1265 upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1
1266
1267 functions
1268
1269 from markus@ ok djm@
1270
1271 OpenBSD-Commit-ID: 0380b1b2d9de063de3c5a097481a622e6a04943e
1272
1273commit f3ebaffd8714be31d4345f90af64992de4b3bba2
1274Author: djm@openbsd.org <djm@openbsd.org>
1275Date: Mon Jan 21 09:49:37 2019 +0000
1276
1277 upstream: fix all-zero check in kexc25519_shared_key
1278
1279 from markus@ ok djm@
1280
1281 OpenBSD-Commit-ID: 60b1d364e0d9d34d1d1ef1620cb92e36cf06712d
1282
1283commit 9d1a9771d0ad3a83af733bf3d2650b53f43c269f
1284Author: jmc@openbsd.org <jmc@openbsd.org>
1285Date: Mon Jan 21 07:09:10 2019 +0000
1286
1287 upstream: - -T was added to the first synopsis by mistake - since
1288
1289 "..." denotes optional, no need to surround it in []
1290
1291 ok djm
1292
1293 OpenBSD-Commit-ID: 918f6d8eed4e0d8d9ef5eadae1b8983d796f0e25
1294
1295commit 2f0bad2bf85391dbb41315ab55032ec522660617
1296Author: Darren Tucker <dtucker@dtucker.net>
1297Date: Mon Jan 21 21:28:27 2019 +1100
1298
1299 Make --with-rpath take a flag instead of yes/no.
1300
1301 Linkers need various flags for -rpath and similar, so make --with-rpath
1302 take an optional flag argument which is passed to the linker. ok djm@
1303
1304commit 23490a6c970ea1d03581a3b4208f2eb7a675f453
1305Author: Damien Miller <djm@mindrot.org>
1306Date: Mon Jan 21 15:05:43 2019 +1100
1307
1308 fix previous test
1309
1310commit b6dd3277f2c49f9584a2097bc792e8f480397e87
1311Author: Darren Tucker <dtucker@dtucker.net>
1312Date: Mon Jan 21 13:50:17 2019 +1100
1313
1314 Wrap ECC static globals in EC_KEY_METHOD_NEW too.
1315
1316commit b2eb9db35b7191613f2f4b934d57b25938bb34b3
1317Author: Damien Miller <djm@mindrot.org>
1318Date: Mon Jan 21 12:53:40 2019 +1100
1319
1320 pass TEST_SSH_SSHPKCS11HELPER to regress tests
1321
1322commit ba58a529f45b3dae2db68607d8c54ae96e90e705
1323Author: Damien Miller <djm@mindrot.org>
1324Date: Mon Jan 21 12:31:29 2019 +1100
1325
1326 make agent-pkcs11 search harder for softhsm2.so
1327
1328commit 662be40c62339ab645113c930ce689466f028938
1329Author: djm@openbsd.org <djm@openbsd.org>
1330Date: Mon Jan 21 02:05:38 2019 +0000
1331
1332 upstream: always print the caller's error message in ossl_error(),
1333
1334 even when there are no libcrypto errors to report.
1335
1336 OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
1337
1338commit ce46c3a077dfb4c531ccffcfff03f37775725b75
1339Author: djm@openbsd.org <djm@openbsd.org>
1340Date: Mon Jan 21 02:01:03 2019 +0000
1341
1342 upstream: get the ex_data (pkcs11_key object) back from the keys at
1343
1344 the index at which it was inserted, rather than assuming index 0
1345
1346 OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
1347
1348commit 0a5f2ea35626022299ece3c8817a1abe8cf37b3e
1349Author: djm@openbsd.org <djm@openbsd.org>
1350Date: Mon Jan 21 01:05:00 2019 +0000
1351
1352 upstream: GSSAPI code got missed when converting to new packet API
1353
1354 OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851
1355
1356commit 2efcf812b4c1555ca3aff744820a3b3bccd68298
1357Author: Damien Miller <djm@mindrot.org>
1358Date: Mon Jan 21 11:57:21 2019 +1100
1359
1360 Fix -Wunused when compiling PKCS#11 without ECDSA
1361
1362commit 3c0c657ed7cd335fc05c0852d88232ca7e92a5d9
1363Author: djm@openbsd.org <djm@openbsd.org>
1364Date: Sun Jan 20 23:26:44 2019 +0000
1365
1366 upstream: allow override of ssh-pkcs11-helper binary via
1367
1368 $TEST_SSH_SSHPKCS11HELPER from markus@
1369
1370 OpenBSD-Regress-ID: 7382a3d76746f5a792d106912a5819fd5e49e469
1371
1372commit 760ae37b4505453c6fa4faf1aa39a8671ab053af
1373Author: djm@openbsd.org <djm@openbsd.org>
1374Date: Sun Jan 20 23:25:25 2019 +0000
1375
1376 upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
1377
1378 for ECDSA keys
1379
1380 work by markus@, ok djm@
1381
1382 OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe
1383
1384commit b2ce8b31a1f974a13e6d12e0a0c132b50bc45115
1385Author: djm@openbsd.org <djm@openbsd.org>
1386Date: Sun Jan 20 23:24:19 2019 +0000
1387
1388 upstream: add "extra:" target to run some extra tests that are not
1389
1390 enabled by default (currently includes agent-pkcs11.sh); from markus@
1391
1392 OpenBSD-Regress-ID: 9a969e1adcd117fea174d368dcb9c61eb50a2a3c
1393
1394commit 632976418d60b7193597bbc6ac7ca33981a41aab
1395Author: djm@openbsd.org <djm@openbsd.org>
1396Date: Mon Jan 21 00:47:34 2019 +0000
1397
1398 upstream: use ECDSA_SIG_set0() instead of poking signature values into
1399
1400 structure directly; the latter works on LibreSSL but not on OpenSSL. From
1401 portable.
1402
1403 OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
1404
1405commit 5de6ac2bad11175135d9b819b3546db0ca0b4878
1406Author: Damien Miller <djm@mindrot.org>
1407Date: Mon Jan 21 11:44:19 2019 +1100
1408
1409 remove HAVE_DLOPEN that snuck in
1410
1411 portable doesn't use this
1412
1413commit e2cb445d786f7572da2af93e3433308eaed1093a
1414Author: Damien Miller <djm@mindrot.org>
1415Date: Mon Jan 21 11:32:28 2019 +1100
1416
1417 conditionalise ECDSA PKCS#11 support
1418
1419 Require EC_KEY_METHOD support in libcrypto, evidenced by presence
1420 of EC_KEY_METHOD_new() function.
1421
1422commit fcb1b0937182d0137a3c357c89735d0dc5869d54
1423Author: djm@openbsd.org <djm@openbsd.org>
1424Date: Sun Jan 20 23:12:35 2019 +0000
1425
1426 upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
1427
1428 now, so there is no need to keep a copy of each in the pkcs11_key object.
1429
1430 work by markus@, ok djm@
1431
1432 OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
1433
1434commit 6529409e85890cd6df7e5e81d04e393b1d2e4b0b
1435Author: djm@openbsd.org <djm@openbsd.org>
1436Date: Sun Jan 20 23:11:11 2019 +0000
1437
1438 upstream: KNF previous; from markus@
1439
1440 OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
1441
1442commit 58622a8c82f4e2aad630580543f51ba537c1f39e
1443Author: djm@openbsd.org <djm@openbsd.org>
1444Date: Sun Jan 20 23:10:33 2019 +0000
1445
1446 upstream: use OpenSSL's RSA reference counting hooks to
1447
1448 implicitly clean up pkcs11_key objects when their owning RSA object's
1449 reference count drops to zero. Simplifies the cleanup path and makes it more
1450 like ECDSA's
1451
1452 work by markus@, ok djm@
1453
1454 OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
1455
1456commit f118542fc82a3b3ab0360955b33bc5a271ea709f
1457Author: djm@openbsd.org <djm@openbsd.org>
1458Date: Sun Jan 20 23:08:24 2019 +0000
1459
1460 upstream: make the PKCS#11 RSA code more like the new PKCS#11
1461
1462 ECDSA code: use a single custom RSA_METHOD instead of a method per key
1463
1464 suggested by me, but markus@ did all the work.
1465 ok djm@
1466
1467 OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
1468
1469commit 445cfce49dfc904c6b8ab25afa2f43130296c1a5
1470Author: djm@openbsd.org <djm@openbsd.org>
1471Date: Sun Jan 20 23:05:52 2019 +0000
1472
1473 upstream: fix leak of ECDSA pkcs11_key objects
1474
1475 work by markus, ok djm@
1476
1477 OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
1478
1479commit 8a2467583f0b5760787273796ec929190c3f16ee
1480Author: djm@openbsd.org <djm@openbsd.org>
1481Date: Sun Jan 20 23:03:26 2019 +0000
1482
1483 upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
1484
1485 EC_KEY internals as that won't work on OpenSSL
1486
1487 work by markus@, feedback and ok djm@
1488
1489 OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
1490
1491commit 24757c1ae309324e98d50e5935478655be04e549
1492Author: djm@openbsd.org <djm@openbsd.org>
1493Date: Sun Jan 20 23:01:59 2019 +0000
1494
1495 upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
1496
1497 object should never have a DER header
1498
1499 work by markus; feedback and ok djm@
1500
1501 OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
1502
1503commit 749aef30321595435ddacef2f31d7a8f2b289309
1504Author: djm@openbsd.org <djm@openbsd.org>
1505Date: Sun Jan 20 23:00:12 2019 +0000
1506
1507 upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
1508
1509 work by markus@, feedback and ok djm@
1510
1511 OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
1512
1513commit 0c50992af49b562970dd0ba3f8f151f1119e260e
1514Author: djm@openbsd.org <djm@openbsd.org>
1515Date: Sun Jan 20 22:57:45 2019 +0000
1516
1517 upstream: cleanup pkcs#11 client code: use sshkey_new in instead
1518
1519 of stack- allocating a sshkey
1520
1521 work by markus@, ok djm@
1522
1523 OpenBSD-Commit-ID: a048eb6ec8aa7fa97330af927022c0da77521f91
1524
1525commit 854bd8674ee5074a239f7cadf757d55454802e41
1526Author: djm@openbsd.org <djm@openbsd.org>
1527Date: Sun Jan 20 22:54:30 2019 +0000
1528
1529 upstream: allow override of the pkcs#11 helper binary via
1530
1531 $SSH_PKCS11_HELPER; needed for regress tests.
1532
1533 work by markus@, ok me
1534
1535 OpenBSD-Commit-ID: f78d8185500bd7c37aeaf7bd27336db62f0f7a83
1536
1537commit 93f02107f44d63a016d8c23ebd2ca9205c495c48
1538Author: djm@openbsd.org <djm@openbsd.org>
1539Date: Sun Jan 20 22:51:37 2019 +0000
1540
1541 upstream: add support for ECDSA keys in PKCS#11 tokens
1542
1543 Work by markus@ and Pedro Martelletto, feedback and ok me@
1544
1545 OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
1546
1547commit aa22c20e0c36c2fc610cfcc793b0d14079c38814
1548Author: djm@openbsd.org <djm@openbsd.org>
1549Date: Sun Jan 20 22:03:29 2019 +0000
1550
1551 upstream: add option to test whether keys in an agent are usable,
1552
1553 by performing a signature and a verification using each key "ssh-add -T
1554 pubkey [...]"
1555
1556 work by markus@, ok djm@
1557
1558 OpenBSD-Commit-ID: 931b888a600b6a883f65375bd5f73a4776c6d19b
1559
1560commit a36b0b14a12971086034d53c0c3dfbad07665abe
1561Author: tb@openbsd.org <tb@openbsd.org>
1562Date: Sun Jan 20 02:01:59 2019 +0000
1563
1564 upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on
1565
1566 error.
1567
1568 Found thanks to BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd
1569 by David Benjamin.
1570
1571 ok djm, dtucker
1572
1573 OpenBSD-Commit-ID: 1ee832be3c44b1337f76b8562ec6d203f3b072f8
1574
1575commit ec4776bb01dd8d61fddc7d2a31ab10bf3d3d829a
1576Author: dtucker@openbsd.org <dtucker@openbsd.org>
1577Date: Sun Jan 20 01:12:40 2019 +0000
1578
1579 upstream: DH-GEX min value is now specified in RFC8270. ok djm@
1580
1581 OpenBSD-Commit-ID: 1229d0feb1d0ecefe05bf67a17578b263e991acc
1582
1583commit c90a7928c4191303e76a8c58b9008d464287ae1b
1584Author: Darren Tucker <dtucker@dtucker.net>
1585Date: Mon Jan 21 09:22:36 2019 +1100
1586
1587 Check for cc before gcc.
1588
1589 If cc is something other than gcc and is the system compiler prefer using
1590 that, unless otherwise told via $CC. ok djm@
1591
1592commit 9b655dc9c9a353f0a527f0c6c43a5e35653c9503
1593Author: Damien Miller <djm@mindrot.org>
1594Date: Sun Jan 20 14:55:27 2019 +1100
1595
1596 last bits of old packet API / active_state global
1597
1598commit 3f0786bbe73609ac96e5a0d91425ee21129f8e04
1599Author: Damien Miller <djm@mindrot.org>
1600Date: Sun Jan 20 10:22:18 2019 +1100
1601
1602 remove PAM dependencies on old packet API
1603
1604 Requires some caching of values, because the PAM code isn't
1605 always called with packet context.
1606
1607commit 08f66d9f17e12c1140d1f1cf5c4dce67e915d3cc
1608Author: Damien Miller <djm@mindrot.org>
1609Date: Sun Jan 20 09:58:45 2019 +1100
1610
1611 remove vestiges of old packet API from loginrec.c
1612
1613commit c327813ea1d740e3e367109c17873815aba1328e
1614Author: Damien Miller <djm@mindrot.org>
1615Date: Sun Jan 20 09:45:38 2019 +1100
1616
1617 depend
1618
1619commit 135e302cfdbe91817294317c337cc38c3ff01cba
1620Author: djm@openbsd.org <djm@openbsd.org>
1621Date: Sat Jan 19 22:30:52 2019 +0000
1622
1623 upstream: fix error in refactor: use ssh_packet_disconnect() instead of
1624
1625 sshpkt_error(). The first one logs the error and exits (what we want) instead
1626 of just logging and blundering on.
1627
1628 OpenBSD-Commit-ID: 39f51b43641dce9ce0f408ea6c0e6e077e2e91ae
1629
1630commit 245c6a0b220b58686ee35bc5fc1c359e9be2faaa
1631Author: djm@openbsd.org <djm@openbsd.org>
1632Date: Sat Jan 19 21:45:31 2019 +0000
1633
1634 upstream: remove last traces of old packet API!
1635
1636 with & ok markus@
1637
1638 OpenBSD-Commit-ID: 9bd10437026423eb8245636ad34797a20fbafd7d
1639
1640commit 04c091fc199f17dacf8921df0a06634b454e2722
1641Author: djm@openbsd.org <djm@openbsd.org>
1642Date: Sat Jan 19 21:43:56 2019 +0000
1643
1644 upstream: remove last references to active_state
1645
1646 with & ok markus@
1647
1648 OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
1649
1650commit ec00f918b8ad90295044266c433340a8adc93452
1651Author: djm@openbsd.org <djm@openbsd.org>
1652Date: Sat Jan 19 21:43:07 2019 +0000
1653
1654 upstream: convert monitor.c to new packet API
1655
1656 with & ok markus@
1657
1658 OpenBSD-Commit-ID: 61ecd154bd9804461a0cf5f495a29d919e0014d5
1659
1660commit 6350e0316981489d4205952d6904d6fedba5bfe0
1661Author: djm@openbsd.org <djm@openbsd.org>
1662Date: Sat Jan 19 21:42:30 2019 +0000
1663
1664 upstream: convert sshd.c to new packet API
1665
1666 with & ok markus@
1667
1668 OpenBSD-Commit-ID: ea569d3eaf9b5cf1bad52779fbfa5fa0b28af891
1669
1670commit a5e2ad88acff2b7d131ee6d5dc5d339b0f8c6a6d
1671Author: djm@openbsd.org <djm@openbsd.org>
1672Date: Sat Jan 19 21:41:53 2019 +0000
1673
1674 upstream: convert session.c to new packet API
1675
1676 with & ok markus@
1677
1678 OpenBSD-Commit-ID: fae817207e23099ddd248960c984f7b7f26ea68e
1679
1680commit 3a00a921590d4c4b7e96df11bb10e6f9253ad45e
1681Author: djm@openbsd.org <djm@openbsd.org>
1682Date: Sat Jan 19 21:41:18 2019 +0000
1683
1684 upstream: convert auth.c to new packet API
1685
1686 with & ok markus@
1687
1688 OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
1689
1690commit 7ec5cb4d15ed2f2c5c9f5d00e6b361d136fc1e2d
1691Author: djm@openbsd.org <djm@openbsd.org>
1692Date: Sat Jan 19 21:40:48 2019 +0000
1693
1694 upstream: convert serverloop.c to new packet API
1695
1696 with & ok markus@
1697
1698 OpenBSD-Commit-ID: c92dd19b55457541478f95c0d6b318426d86d885
1699
1700commit 64c9598ac05332d1327cbf55334dee4172d216c4
1701Author: djm@openbsd.org <djm@openbsd.org>
1702Date: Sat Jan 19 21:40:21 2019 +0000
1703
1704 upstream: convert the remainder of sshconnect2.c to new packet
1705
1706 API
1707
1708 with & ok markus@
1709
1710 OpenBSD-Commit-ID: 0986d324f2ceb5e8a12ac21c1bb10b3b4b1e0f71
1711
1712commit bc5e1169d101d16e3a5962a928db2bc49a8ef5a3
1713Author: djm@openbsd.org <djm@openbsd.org>
1714Date: Sat Jan 19 21:39:12 2019 +0000
1715
1716 upstream: convert the remainder of clientloop.c to new packet API
1717
1718 with & ok markus@
1719
1720 OpenBSD-Commit-ID: ce2fbbacb86a290f31da1e7bf04cddf2bdae3d1e
1721
1722commit 5ebce136a6105f084db8f0d7ee41981d42daec40
1723Author: Damien Miller <djm@mindrot.org>
1724Date: Sun Jan 20 09:44:53 2019 +1100
1725
1726 upstream: convert auth2.c to new packet API
1727
1728 OpenBSD-Commit-ID: ed831bb95ad228c6791bc18b60ce7a2edef2c999
1729
1730commit 172a592a53ebe8649c4ac0d7946e6c08eb151af6
1731Author: djm@openbsd.org <djm@openbsd.org>
1732Date: Sat Jan 19 21:37:48 2019 +0000
1733
1734 upstream: convert servconf.c to new packet API
1735
1736 with & ok markus@
1737
1738 OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
1739
1740commit 8cc7a679d29cf6ecccfa08191e688c7f81ef95c2
1741Author: djm@openbsd.org <djm@openbsd.org>
1742Date: Sat Jan 19 21:37:13 2019 +0000
1743
1744 upstream: convert channels.c to new packet API
1745
1746 with & ok markus@
1747
1748 OpenBSD-Commit-ID: 0b8279b56113cbd4011fc91315c0796b63dc862c
1749
1750commit 06232038c794c7dfcb087be0ab0b3e65b09fd396
1751Author: djm@openbsd.org <djm@openbsd.org>
1752Date: Sat Jan 19 21:36:38 2019 +0000
1753
1754 upstream: convert sshconnect.c to new packet API
1755
1756 with & ok markus@
1757
1758 OpenBSD-Commit-ID: 222337cf6c96c347f1022d976fac74b4257c061f
1759
1760commit 25b2ed667216314471bb66752442c55b95792dc3
1761Author: djm@openbsd.org <djm@openbsd.org>
1762Date: Sat Jan 19 21:36:06 2019 +0000
1763
1764 upstream: convert ssh.c to new packet API
1765
1766 with & ok markus@
1767
1768 OpenBSD-Commit-ID: eb146878b24e85c2a09ee171afa6797c166a2e21
1769
1770commit e3128b38623eef2fa8d6e7ae934d3bd08c7e973e
1771Author: djm@openbsd.org <djm@openbsd.org>
1772Date: Sat Jan 19 21:35:25 2019 +0000
1773
1774 upstream: convert mux.c to new packet API
1775
1776 with & ok markus@
1777
1778 OpenBSD-Commit-ID: 4e3893937bae66416e984b282d8f0f800aafd802
1779
1780commit ed1df7226caf3a943a36d580d4d4e9275f8a61ee
1781Author: djm@openbsd.org <djm@openbsd.org>
1782Date: Sat Jan 19 21:34:45 2019 +0000
1783
1784 upstream: convert sshconnect2.c to new packet API
1785
1786 with & ok markus@
1787
1788 OpenBSD-Commit-ID: 1cb869e0d6e03539f943235641ea070cae2ebc58
1789
1790commit 23f22a4aaa923c61ec49a99ebaa383656e87fa40
1791Author: djm@openbsd.org <djm@openbsd.org>
1792Date: Sat Jan 19 21:33:57 2019 +0000
1793
1794 upstream: convert clientloop.c to new packet API
1795
1796 with & ok markus@
1797
1798 OpenBSD-Commit-ID: 497b36500191f452a22abf283aa8d4a9abaee7fa
1799
1800commit ad60b1179c9682ca5aef0b346f99ef68cbbbc4e5
1801Author: djm@openbsd.org <djm@openbsd.org>
1802Date: Sat Jan 19 21:33:13 2019 +0000
1803
1804 upstream: allow sshpkt_fatal() to take a varargs format; we'll
1805
1806 use this to give packet-related fatal error messages more context (esp. the
1807 remote endpoint) ok markus@
1808
1809 OpenBSD-Commit-ID: de57211f9543426b515a8a10a4f481666b2b2a50
1810
1811commit 0fa174ebe129f3d0aeaf4e2d1dd8de745870d0ff
1812Author: djm@openbsd.org <djm@openbsd.org>
1813Date: Sat Jan 19 21:31:32 2019 +0000
1814
1815 upstream: begin landing remaining refactoring of packet parsing
1816
1817 API, started almost exactly six years ago.
1818
1819 This change stops including the old packet_* API by default and makes
1820 each file that requires the old API include it explicitly. We will
1821 commit file-by-file refactoring to remove the old API in consistent
1822 steps.
1823
1824 with & ok markus@
1825
1826 OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
1827
1828commit 4ae7f80dfd02f2bde912a67c9f338f61e90fa79f
1829Author: tb@openbsd.org <tb@openbsd.org>
1830Date: Sat Jan 19 04:15:56 2019 +0000
1831
1832 upstream: Print an \r in front of the password prompt so parts of
1833
1834 a password that was entered too early are likely clobbered by the prompt.
1835 Idea from doas.
1836
1837 from and ok djm
1838 "i like it" deraadt
1839
1840 OpenBSD-Commit-ID: 5fb97c68df6d8b09ab37f77bca1d84d799c4084e
1841
1842commit a6258e5dc314c7d504ac9f0fbc3be96475581dbe
1843Author: Darren Tucker <dtucker@dtucker.net>
1844Date: Fri Jan 18 11:09:01 2019 +1100
1845
1846 Add minimal fchownat and fchmodat implementations.
1847
1848 Fixes builds on at least OS X Lion, NetBSD 6 and Solaris 10.
1849
1850commit 091093d25802b87d3b2b09f2c88d9f33e1ae5562
1851Author: Darren Tucker <dtucker@dtucker.net>
1852Date: Fri Jan 18 12:11:42 2019 +1300
1853
1854 Add a minimal implementation of utimensat().
1855
1856 Some systems (eg older OS X) do not have utimensat, so provide minimal
1857 implementation in compat layer. Fixes build on at least El Capitan.
1858
1859commit 609644027dde1f82213699cb6599e584c7efcb75
1860Author: djm@openbsd.org <djm@openbsd.org>
1861Date: Tue Jan 1 22:20:16 2019 +0000
1862
1863 upstream: regress bits for banner processing refactor (this test was
1864
1865 depending on ssh returning a particular error message for banner parsing
1866 failure)
1867
1868 reminded by bluhm@
1869
1870 OpenBSD-Regress-ID: f24fc303d40931157431df589b386abf5e1be575
1871
1872commit f47d72ddad75b93d3cbc781718b0fa9046c03df8
1873Author: djm@openbsd.org <djm@openbsd.org>
1874Date: Thu Jan 17 04:45:09 2019 +0000
1875
1876 upstream: tun_fwd_ifnames variable should b
1877
1878 =?UTF-8?q?e=20extern;=20from=20Hanno=20B=C3=B6ck?=
1879 MIME-Version: 1.0
1880 Content-Type: text/plain; charset=UTF-8
1881 Content-Transfer-Encoding: 8bit
1882
1883 OpenBSD-Commit-ID: d53dede6e521161bf04d39d09947db6253a38271
1884
1885commit 943d0965263cae1c080ce5a9d0b5aa341885e55d
1886Author: djm@openbsd.org <djm@openbsd.org>
1887Date: Thu Jan 17 04:20:53 2019 +0000
1888
1889 upstream: include time.h for time(3)/nanosleep(2); from Ian
1890
1891 McKellar
1892
1893 OpenBSD-Commit-ID: 6412ccd06a88f65b207a1089345f51fa1244ea51
1894
1895commit dbb4dec6d5d671b5e9d67ef02162a610ad052068
1896Author: djm@openbsd.org <djm@openbsd.org>
1897Date: Thu Jan 17 01:50:24 2019 +0000
1898
1899 upstream: many of the global variables in this file can be made static;
1900
1901 patch from Markus Schmidt
1902
1903 OpenBSD-Commit-ID: f3db619f67beb53257b21bac0e92b4fb7d5d5737
1904
1905commit 60d8c84e0887514c99c9ce071965fafaa1c3d34a
1906Author: djm@openbsd.org <djm@openbsd.org>
1907Date: Wed Jan 16 23:23:45 2019 +0000
1908
1909 upstream: Add "-h" flag to sftp chown/chgrp/chmod commands to
1910
1911 request they do not follow symlinks. Requires recently-committed
1912 lsetstat@openssh.com extension on the server side.
1913
1914 ok markus@ dtucker@
1915
1916 OpenBSD-Commit-ID: f93bb3f6f7eb2fb7ef1e59126e72714f1626d604
1917
1918commit dbbc7e0eab7262f34b8e0cd6efecd1c77b905ed0
1919Author: djm@openbsd.org <djm@openbsd.org>
1920Date: Wed Jan 16 23:22:10 2019 +0000
1921
1922 upstream: add support for a "lsetstat@openssh.com" extension. This
1923
1924 replicates the functionality of the existing SSH2_FXP_SETSTAT operation but
1925 does not follow symlinks. Based on a patch from Bert Haverkamp in bz#2067 but
1926 with more attribute modifications supported.
1927
1928 ok markus@ dtucker@
1929
1930 OpenBSD-Commit-ID: f7234f6e90db19655d55d936a115ee4ccb6aaf80
1931
1932commit 4a526941d328fc3d97068c6a4cbd9b71b70fe5e1
1933Author: djm@openbsd.org <djm@openbsd.org>
1934Date: Fri Jan 4 03:27:50 2019 +0000
1935
1936 upstream: eliminate function-static attempt counters for
1937
1938 passwd/kbdint authmethods by moving them to the client authctxt; Patch from
1939 Markus Schmidt, ok markus@
1940
1941 OpenBSD-Commit-ID: 4df4404a5d5416eb056f68e0e2f4fa91ba3b3f7f
1942
1943commit 8a8183474c41bd6cebaa917346b549af2239ba2f
1944Author: djm@openbsd.org <djm@openbsd.org>
1945Date: Fri Jan 4 03:23:00 2019 +0000
1946
1947 upstream: fix memory leak of ciphercontext when rekeying; bz#2942
1948
1949 Patch from Markus Schmidt; ok markus@
1950
1951 OpenBSD-Commit-ID: 7877f1b82e249986f1ef98d0ae76ce987d332bdd
1952
1953commit 5bed70afce0907b6217418d0655724c99b683d93
1954Author: djm@openbsd.org <djm@openbsd.org>
1955Date: Tue Jan 1 23:10:53 2019 +0000
1956
1957 upstream: static on global vars, const on handler tables that contain
1958
1959 function pointers; from Mike Frysinger
1960
1961 OpenBSD-Commit-ID: 7ef2305e50d3caa6326286db43cf2cfaf03960e0
1962
1963commit 007a88b48c97d092ed2f501bbdcb70d9925277be
1964Author: djm@openbsd.org <djm@openbsd.org>
1965Date: Thu Dec 27 23:02:11 2018 +0000
1966
1967 upstream: Request RSA-SHA2 signatures for
1968
1969 rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
1970
1971 OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
1972
1973commit eb347d086c35428c47fe52b34588cbbc9b49d9a6
1974Author: djm@openbsd.org <djm@openbsd.org>
1975Date: Thu Dec 27 03:37:49 2018 +0000
1976
1977 upstream: ssh_packet_set_state() now frees ssh->kex implicitly, so
1978
1979 don't do explicit kex_free() beforehand
1980
1981 OpenBSD-Regress-ID: f2f73bad47f62a2040ccba0a72cadcb12eda49cf
1982
1983commit bb542f0cf6f7511a22a08c492861e256a82376a9
1984Author: tedu@openbsd.org <tedu@openbsd.org>
1985Date: Sat Dec 15 00:50:21 2018 +0000
1986
1987 upstream: remove unused and problematic sudo clean. ok espie
1988
1989 OpenBSD-Regress-ID: ca90c20a15a85b661e13e98b80c10e65cd662f7b
1990
1991commit 0a843d9a0e805f14653a555f5c7a8ba99d62c12d
1992Author: djm@openbsd.org <djm@openbsd.org>
1993Date: Thu Dec 27 03:25:24 2018 +0000
1994
1995 upstream: move client/server SSH-* banners to buffers under
1996
1997 ssh->kex and factor out the banner exchange. This eliminates some common code
1998 from the client and server.
1999
2000 Also be more strict about handling \r characters - these should only
2001 be accepted immediately before \n (pointed out by Jann Horn).
2002
2003 Inspired by a patch from Markus Schmidt.
2004 (lots of) feedback and ok markus@
2005
2006 OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
2007
2008commit 434b587afe41c19391821e7392005068fda76248
2009Author: dtucker@openbsd.org <dtucker@openbsd.org>
2010Date: Fri Dec 7 04:36:09 2018 +0000
2011
2012 upstream: Fix calculation of initial bandwidth limits. Account for
2013
2014 written bytes before the initial timer check so that the first buffer written
2015 is accounted. Set the threshold after which the timer is checked such that
2016 the limit starts being computed as soon as possible, ie after the second
2017 buffer is written. This prevents an initial burst of traffic and provides a
2018 more accurate bandwidth limit. bz#2927, ok djm.
2019
2020 OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6
2021
2022commit a6a0788cbbe8dfce2819ee43b09c80725742e21c
2023Author: djm@openbsd.org <djm@openbsd.org>
2024Date: Fri Dec 7 03:39:40 2018 +0000
2025
2026 upstream: only consider the ext-info-c extension during the initial
2027
2028 KEX. It shouldn't be sent in subsequent ones, but if it is present we should
2029 ignore it.
2030
2031 This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
2032 these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
2033
2034 OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
2035
2036commit 63bba57a32c5bb6158d57cf4c47022daf89c14a0
2037Author: djm@openbsd.org <djm@openbsd.org>
2038Date: Fri Dec 7 03:33:18 2018 +0000
2039
2040 upstream: fix option letter pasto in previous
2041
2042 OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
2043
2044commit 737e4edd82406595815efadc28ed5161b8b0c01a
2045Author: djm@openbsd.org <djm@openbsd.org>
2046Date: Fri Dec 7 03:32:26 2018 +0000
2047
2048 upstream: mention that the ssh-keygen -F (find host in
2049
2050 authorized_keys) and -R (remove host from authorized_keys) options may accept
2051 either a bare hostname or a [hostname]:port combo. bz#2935
2052
2053 OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
2054
2055commit 8a22ffaa13391cfe5b40316d938fe0fb931e9296
2056Author: Damien Miller <djm@mindrot.org>
2057Date: Fri Dec 7 15:41:16 2018 +1100
2058
2059 expose $SSH_CONNECTION in the PAM environment
2060
2061 This makes the connection 4-tuple available to PAM modules that
2062 wish to use it in decision-making. bz#2741
2063
2064commit a784fa8c7a7b084d63bae82ccfea902131bb45c5
2065Author: Kevin Adler <kadler@us.ibm.com>
2066Date: Wed Dec 12 22:12:45 2018 -0600
2067
2068 Don't pass loginmsg by address now that it's an sshbuf*
2069
2070 In 120a1ec74, loginmsg was changed from the legacy Buffer type
2071 to struct sshbuf*, but it missed changing calls to
2072 sys_auth_allowed_user and sys_auth_record_login which passed
2073 loginmsg by address. Now that it's a pointer, just pass it directly.
2074
2075 This only affects AIX, unless there are out of tree users.
2076
2077commit 285310b897969a63ef224d39e7cc2b7316d86940
2078Author: djm@openbsd.org <djm@openbsd.org>
2079Date: Fri Dec 7 02:31:20 2018 +0000
2080
2081 upstream: no need to allocate channels_pre/channels_post in
2082
2083 channel_init_channels() as we do it anyway in channel_handler_init() that we
2084 call at the end of the function. Fix from Markus Schmidt via bz#2938
2085
2086 OpenBSD-Commit-ID: 74893638af49e3734f1e33a54af1b7ea533373ed
2087
2088commit 87d6cf1cbc91df6815db8fe0acc7c910bc3d18e4
2089Author: djm@openbsd.org <djm@openbsd.org>
2090Date: Fri Nov 30 02:24:52 2018 +0000
2091
2092 upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293
2093
2094 OpenBSD-Commit-ID: 0e8fc8f19f14b21adef7109e0faa583d87c0e929
2095
2096commit 91b19198c3f604f5eef2c56dbe36f29478243141
2097Author: djm@openbsd.org <djm@openbsd.org>
2098Date: Wed Nov 28 06:00:38 2018 +0000
2099
2100 upstream: don't truncate user or host name in "user@host's
2101
2102 OpenBSD-Commit-ID: e6ca01a8d58004b7f2cac0b1b7ce8f87e425e360
2103
2104commit dd0cf6318d9b4b3533bda1e3bc021b2cd7246b7a
2105Author: jmc@openbsd.org <jmc@openbsd.org>
2106Date: Fri Nov 23 06:58:28 2018 +0000
2107
2108 upstream: tweak previous;
2109
2110 OpenBSD-Commit-ID: 08f096922eb00c98251501c193ff9e83fbb5de4f
2111
2112commit 8a85f5458d1c802471ca899c97f89946f6666e61
2113Author: Darren Tucker <dtucker@dtucker.net>
2114Date: Sun Nov 25 21:44:05 2018 +1100
2115
2116 Include stdio.h for FILE if needed.
2117
2118commit 16fb23f25454991272bfe4598cc05d20fcd25116
2119Author: Darren Tucker <dtucker@dtucker.net>
2120Date: Sun Nov 25 14:05:57 2018 +1100
2121
2122 Reverse order of OpenSSL init functions.
2123
2124 Try the new init function (OPENSSL_init_crypto) before falling back to
2125 the old one (OpenSSL_add_all_algorithms).
2126
2127commit 98f878d2272bf8dff21f2a0265d963c29e33fed2
2128Author: Darren Tucker <dtucker@dtucker.net>
2129Date: Sun Nov 25 14:05:08 2018 +1100
2130
2131 Improve OpenSSL_add_all_algorithms check.
2132
2133 OpenSSL_add_all_algorithms() may be a macro so check for that too.
2134
2135commit 9e34e0c59ab04514f9de9934a772283f7f372afe
2136Author: djm@openbsd.org <djm@openbsd.org>
2137Date: Fri Nov 23 05:08:07 2018 +0000
2138
2139 upstream: add a ssh_config "Match final" predicate
2140
2141 Matches in same pass as "Match canonical" but doesn't require
2142 hostname canonicalisation be enabled. bz#2906 ok markus
2143
2144 OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
2145
2146commit 4da58d58736b065b1182b563d10ad6765d811c6d
2147Author: dtucker@openbsd.org <dtucker@openbsd.org>
2148Date: Fri Nov 23 02:53:57 2018 +0000
2149
2150 upstream: Remove now-unneeded ifdef SIGINFO around handler since it is
2151
2152 now always used for SIGUSR1 even when SIGINFO is not defined. This will make
2153 things simpler in -portable.
2154
2155 OpenBSD-Regress-ID: 4ff0265b335820b0646d37beb93f036ded0dc43f
2156
2157commit c721d5877509875c8515df0215fa1dab862013bc
2158Author: Darren Tucker <dtucker@dtucker.net>
2159Date: Fri Nov 23 14:11:20 2018 +1100
2160
2161 Move RANDOM_SEED_SIZE outside ifdef.
2162
2163 RANDOM_SEED_SIZE is used by both the OpenSSL and non-OpenSSL code
2164 This fixes the build with configureed --without-openssl.
2165
2166commit deb51552c3ce7ce72c8d0232e4f36f2e7c118c7d
2167Author: Darren Tucker <dtucker@dtucker.net>
2168Date: Thu Nov 22 19:59:28 2018 +1100
2169
2170 Resync with OpenBSD by pulling in an ifdef SIGINFO.
2171
2172commit 28c7b2cd050f4416bfcf3869a20e3ea138aa52fe
2173Author: Damien Miller <djm@mindrot.org>
2174Date: Fri Nov 23 10:45:20 2018 +1100
2175
2176 fix configure test for OpenSSL version
2177
2178 square brackets in case statements may be eaten by autoconf.
2179
2180 Report and fix from Filipp Gunbin; tweaked by naddy@
2181
2182commit 42c5ec4b97b6a1bae70f323952d0646af16ce710
2183Author: Damien Miller <djm@mindrot.org>
2184Date: Fri Nov 23 10:40:06 2018 +1100
2185
2186 refactor libcrypto initialisation
2187
2188 Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
2189 supports it.
2190
2191 Move all libcrypto initialisation to a single function, and call that
2192 from seed_rng() that is called early in each tool's main().
2193
2194 Prompted by patch from Rosen Penev
2195
2196commit 5b60b6c02009547a3e2a99d4886965de2a4719da
2197Author: dtucker@openbsd.org <dtucker@openbsd.org>
2198Date: Thu Nov 22 08:59:11 2018 +0000
2199
2200 upstream: Output info on SIGUSR1 as well as
2201
2202 SIGINFO to resync with portable. (ID sync only).
2203
2204 OpenBSD-Regress-ID: 699d153e2de22dce51a1b270c40a98472d1a1b16
2205
2206commit e4ae345dc75b34fd870c2e8690d831d2c1088eb7
2207Author: dtucker@openbsd.org <dtucker@openbsd.org>
2208Date: Thu Nov 22 08:48:32 2018 +0000
2209
2210 upstream: Append pid to temp files in /var/run and set a cleanup
2211
2212 trap for them. This allows multiple instances of tests to run without
2213 colliding.
2214
2215 OpenBSD-Regress-ID: 57add105ecdfc54752d8003acdd99eb68c3e0b4c
2216
2217commit f72d0f52effca5aa20a193217346615ecd3eed53
2218Author: dtucker@openbsd.org <dtucker@openbsd.org>
2219Date: Wed Oct 31 11:09:27 2018 +0000
2220
2221 upstream: UsePrivilegeSeparation no is deprecated
2222
2223 test "yes" and "sandbox".
2224
2225 OpenBSD-Regress-ID: 80e685ed8990766527dc629b1affc09a75bfe2da
2226
2227commit 35d0e5fefc419bddcbe09d7fc163d8cd3417125b
2228Author: djm@openbsd.org <djm@openbsd.org>
2229Date: Wed Oct 17 23:28:05 2018 +0000
2230
2231 upstream: add some knobs:
2232
2233 UNITTEST_FAST?= no # Skip slow tests (e.g. less intensive fuzzing).
2234 UNITTEST_SLOW?= no # Include slower tests (e.g. more intensive fuzzing).
2235 UNITTEST_VERBOSE?= no # Verbose test output (inc. per-test names).
2236
2237 useful if you want to run the tests as a smoke test to exercise the
2238 functionality without waiting for all the fuzzers to run.
2239
2240 OpenBSD-Regress-ID: e04d82ebec86068198cd903acf1c67563c57315e
2241
2242commit c1941293d9422a14dda372b4c21895e72aa7a063
2243Author: Darren Tucker <dtucker@dtucker.net>
2244Date: Thu Nov 22 15:52:26 2018 +1100
2245
2246 Resync Makefile.inc with upstream.
2247
2248 It's unused in -portable, but having it out of sync makes other syncs
2249 fail to apply.
2250
2251commit 928f1231f65f88cd4c73e6e0edd63d2cf6295d77
2252Author: djm@openbsd.org <djm@openbsd.org>
2253Date: Mon Nov 19 04:12:32 2018 +0000
2254
2255 upstream: silence (to log level debug2) failure messages when
2256
2257 loading the default hostkeys. Hostkeys explicitly specified in the
2258 configuration or on the command-line are still reported as errors, and
2259 failure to load at least one host key remains a fatal error.
2260 MIME-Version: 1.0
2261 Content-Type: text/plain; charset=UTF-8
2262 Content-Transfer-Encoding: 8bit
2263
2264 Based on patch from Dag-Erling Smørgrav via
2265 https://github.com/openssh/openssh-portable/pull/103
2266
2267 ok markus@
2268
2269 OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
2270
2271commit 7fca94edbe8ca9f879da9fdd2afd959c4180f4c7
2272Author: dtucker@openbsd.org <dtucker@openbsd.org>
2273Date: Sun Nov 18 22:43:29 2018 +0000
2274
2275 upstream: Fix inverted logic for redirecting ProxyCommand stderr to
2276
2277 /dev/null. Fixes mosh in proxycommand mode that was broken by the previous
2278 ProxyCommand change that was reported by matthieu@. ok djm@ danj@
2279
2280 OpenBSD-Commit-ID: c6fc9641bc250221a0a81c6beb2e72d603f8add6
2281
2282commit ccef7c4faf914993b53035cd2b25ce02ab039c9d
2283Author: djm@openbsd.org <djm@openbsd.org>
2284Date: Fri Nov 16 06:17:38 2018 +0000
2285
2286 upstream: redirect stderr of ProxyCommands to /dev/null when ssh is
2287
2288 started with ControlPersist; based on patch from Steffen Prohaska
2289
2290 OpenBSD-Commit-ID: 1bcaa14a03ae80369d31021271ec75dce2597957
2291
2292commit 15182fd96845a03216d7ac5a2cf31c4e77e406e3
2293Author: djm@openbsd.org <djm@openbsd.org>
2294Date: Fri Nov 16 06:10:29 2018 +0000
2295
2296 upstream: make grandparent-parent-child sshbuf chains robust to
2297
2298 use-after-free faults if the ancestors are freed before the descendents.
2299 Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn
2300
2301 OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2
2302
2303commit 2a35862e664afde774d4a72497d394fe7306ccb5
2304Author: djm@openbsd.org <djm@openbsd.org>
2305Date: Fri Nov 16 03:26:01 2018 +0000
2306
2307 upstream: use path_absolute() for pathname checks; from Manoj Ampalam
2308
2309 OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2310
2311commit d0d1dfa55be1c5c0d77ab3096b198a64235f936d
2312Author: Darren Tucker <dtucker@dtucker.net>
2313Date: Fri Nov 16 14:11:44 2018 +1100
2314
2315 Test for OPENSSL_init_crypto before using.
2316
2317 Check for the presence of OPENSSL_init_crypto and all the flags we want
2318 before trying to use it (bz#2931).
2319
2320commit 6010c0303a422a9c5fa8860c061bf7105eb7f8b2
2321Author: djm@openbsd.org <djm@openbsd.org>
2322Date: Fri Nov 16 03:03:10 2018 +0000
2323
2324 upstream: disallow empty incoming filename or ones that refer to the
2325
2326 current directory; based on report/patch from Harry Sintonen
2327
2328 OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
2329
2330commit aaed635e3a401cfcc4cc97f33788179c458901c3
2331Author: djm@openbsd.org <djm@openbsd.org>
2332Date: Fri Nov 16 02:46:20 2018 +0000
2333
2334 upstream: fix bug in client that was keeping a redundant ssh-agent
2335
2336 socket around for the life of the connection; bz#2912; reported by Simon
2337 Tatham; ok dtucker@
2338
2339 OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
2340
2341commit e76135e3007f1564427b2956c628923d8dc2f75a
2342Author: djm@openbsd.org <djm@openbsd.org>
2343Date: Fri Nov 16 02:43:56 2018 +0000
2344
2345 upstream: fix bug in HostbasedAcceptedKeyTypes and
2346
2347 PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
2348 specified, then authentication would always fail for RSA keys as the monitor
2349 checks only the base key (not the signature algorithm) type against
2350 *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
2351
2352 OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
2353
2354commit 5c1a63562cac0574c226224075b0829a50b48c9d
2355Author: djm@openbsd.org <djm@openbsd.org>
2356Date: Fri Nov 16 02:30:20 2018 +0000
2357
2358 upstream: support a prefix of '@' to suppress echo of sftp batch
2359
2360 commands; bz#2926; ok dtucker@
2361
2362 OpenBSD-Commit-ID: 9d635636bc84aeae796467e059f7634de990a79d
2363
2364commit 90ef45f7aac33eaf55ec344e101548a01e570f29
2365Author: schwarze@openbsd.org <schwarze@openbsd.org>
2366Date: Tue Nov 13 07:22:45 2018 +0000
2367
2368 upstream: fix markup error (missing blank before delimiter); from
2369
2370 Mike Frysinger <vapier at gentoo dot org>
2371
2372 OpenBSD-Commit-ID: 1bc5392f795ca86318d695e0947eaf71a5a4f6d9
2373
2374commit 960e7c672dc106f3b759c081de3edb4d1138b36e
2375Author: djm@openbsd.org <djm@openbsd.org>
2376Date: Fri Nov 9 02:57:58 2018 +0000
2377
2378 upstream: typo in error message; caught by Debian lintian, via
2379
2380 Colin Watson
2381
2382 OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758
2383
2384commit 81f1620c836e6c79c0823ba44acca605226a80f1
2385Author: djm@openbsd.org <djm@openbsd.org>
2386Date: Fri Nov 9 02:56:22 2018 +0000
2387
2388 upstream: correct local variable name; from yawang AT microsoft.com
2389
2390 OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
2391
2392commit 1293740e800fa2e5ccd38842a2e4970c6f3b9831
2393Author: dtucker@openbsd.org <dtucker@openbsd.org>
2394Date: Wed Oct 31 11:20:05 2018 +0000
2395
2396 upstream: Import new moduli.
2397
2398 OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
2399
2400commit 46925ae28e53fc9add336a4fcdb7ed4b86c3591c
2401Author: djm@openbsd.org <djm@openbsd.org>
2402Date: Fri Oct 26 01:23:03 2018 +0000
2403
2404 upstream: mention ssh-ed25519-cert-v01@openssh.com in list of cert
2405
2406 key type at start of doc
2407
2408 OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
2409
2410commit 8d8340e2c215155637fe19cb1a837f71b2d55f7b
2411Author: Darren Tucker <dtucker@dtucker.net>
2412Date: Fri Nov 16 13:32:13 2018 +1100
2413
2414 Remove fallback check for /usr/local/ssl.
2415
2416 If configure could not find a working OpenSSL installation it would
2417 fall back to checking in /usr/local/ssl. This made sense back when
2418 systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't
2419 use that as a default any more. The fallback behaviour also meant
2420 that if you pointed --with-ssl-dir at a specific directory and it
2421 didn't work, it would silently use either the system libs or the ones
2422 in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to
2423 pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
2424
2425commit ce93472134fb22eff73edbcd173a21ae38889331
2426Author: Darren Tucker <dtucker@dtucker.net>
2427Date: Fri Nov 16 12:44:01 2018 +1100
2428
2429 Fix check for OpenSSL 1.0.1 exactly.
2430
2431 Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix
2432 compile-time check for 1.0.1 to match.
2433
2434commit f2970868f86161a22b2c377057fa3891863a692a
2435Author: Darren Tucker <dtucker@dtucker.net>
2436Date: Sun Nov 11 15:58:20 2018 +1100
2437
2438 Improve warnings in cygwin service setup.
2439
2440 bz#2922, patch from vinschen at redhat.com.
2441
2442commit bd2d54fc1eee84bf87158a1277a50e6c8a303339
2443Author: Darren Tucker <dtucker@dtucker.net>
2444Date: Sun Nov 11 15:54:54 2018 +1100
2445
2446 Remove hardcoded service name in cygwin setup.
2447
2448 bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
2449 by vinschen at redhat.com.
2450
2451commit d0153c77bf7964e694f1d26c56c41a571b8e9466
2452Author: Dag-Erling Smørgrav <des@des.no>
2453Date: Tue Oct 9 23:03:40 2018 +0200
2454
2455 AC_CHECK_SIZEOF() no longer needs a second argument.
2456
2457commit 9b47b083ca9d866249ada9f02dbd57c87b13806e
2458Author: Manoj Ampalam <manojamp@microsoft.com>
2459Date: Thu Nov 8 22:41:59 2018 -0800
2460
2461 Fix error message w/out nistp521.
2462
2463 Correct error message when OpenSSL doesn't support certain ECDSA key
2464 lengths.
2465
2466commit 624d19ac2d56fa86a22417c35536caceb3be346f
2467Author: Eneas U de Queiroz <cote2004-github@yahoo.com>
2468Date: Tue Oct 9 16:17:42 2018 -0300
2469
2470 fix compilation with openssl built without ECC
2471
2472 ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
2473 guarded by OPENSSL_HAS_ECC
2474
2475 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2476
2477commit 1801cd11d99d05a66ab5248c0555f55909a355ce
2478Author: Darren Tucker <dtucker@dtucker.net>
2479Date: Thu Nov 8 15:03:11 2018 +1100
2480
2481 Simplify OpenSSL 1.1 function checks.
2482
2483 Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single
2484 AC_CHECK_FUNCS. ok djm@
2485
2486commit bc32f118d484e4d71d2a0828fd4eab7e4176c9af
2487Author: Darren Tucker <dtucker@dtucker.net>
2488Date: Mon Nov 5 17:31:24 2018 +1100
2489
2490 Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
2491
2492 Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2493
2494commit 3719df60c66abc4b47200d41f571d67772f293ba
2495Author: Darren Tucker <dtucker@dtucker.net>
2496Date: Wed Oct 31 22:21:03 2018 +1100
2497
2498 Import new moduli.
2499
2500commit 595605d4abede475339d6a1f07a8cc674c11d1c3
2501Author: Darren Tucker <dtucker@dtucker.net>
2502Date: Sun Oct 28 15:18:13 2018 +1100
2503
2504 Update check for minimum OpenSSL version.
2505
2506commit 6ab75aba340d827140d7ba719787aabaf39a0355
2507Author: Darren Tucker <dtucker@dtucker.net>
2508Date: Sun Oct 28 15:16:31 2018 +1100
2509
2510 Update required OpenSSL versions to match current.
2511
2512commit c801b0e38eae99427f37869370151b78f8e15c5d
2513Author: Darren Tucker <dtucker@dtucker.net>
2514Date: Sun Oct 28 14:34:12 2018 +1100
2515
2516 Use detected version functions in openssl compat.
2517
2518 Use detected functions in compat layer instead of guessing based on
2519 versions. Really fixes builds with LibreSSL, not just configure.
2520
2521commit 262d81a259d4aa1507c709ec9d5caa21c7740722
2522Author: Darren Tucker <dtucker@dtucker.net>
2523Date: Sat Oct 27 16:45:59 2018 +1100
2524
2525 Check for the existence of openssl version funcs.
2526
2527 Check for the existence of openssl version functions and use the ones
2528 detected instead of trying to guess based on the int32 version
2529 identifier. Fixes builds with LibreSSL.
2530
2531commit 406a24b25d6a2bdd70cacd16de7e899dcb2a8829
2532Author: Damien Miller <djm@mindrot.org>
2533Date: Fri Oct 26 13:43:28 2018 +1100
2534
2535 fix builds on OpenSSL <= 1.0.x
2536
2537 I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API
2538 to obtain version number, but they don't.
2539
2540commit 859754bdeb41373d372e36b5dc89c547453addb3
2541Author: Damien Miller <djm@mindrot.org>
2542Date: Tue Oct 23 17:10:41 2018 +1100
2543
2544 remove remaining references to SSLeay
2545
2546 Prompted by Rosen Penev
2547
2548commit b9fea45a68946c8dfeace72ad1f6657c18f2a98a
2549Author: Damien Miller <djm@mindrot.org>
2550Date: Tue Oct 23 17:10:35 2018 +1100
2551
2552 regen depend
2553
2554commit a65784c9f9c5d00cf1a0e235090170abc8d07c73
2555Author: djm@openbsd.org <djm@openbsd.org>
2556Date: Tue Oct 23 05:56:35 2018 +0000
2557
2558 upstream: refer to OpenSSL not SSLeay;
2559
2560 we're old, but we don't have to act it
2561
2562 OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
2563
2564commit c0a35265907533be10ca151ac797f34ae0d68969
2565Author: Damien Miller <djm@mindrot.org>
2566Date: Mon Oct 22 11:22:50 2018 +1100
2567
2568 fix compile for openssl 1.0.x w/ --with-ssl-engine
2569
2570 bz#2921, patch from cotequeiroz
2571
2572commit 31b49525168245abe16ad49d7b7f519786b53a38
2573Author: Darren Tucker <dtucker@dtucker.net>
2574Date: Mon Oct 22 20:05:18 2018 +1100
2575
2576 Include openssl compatibility.
2577
2578 Patch from rosenp at gmail.com via openssh-unix-dev.
2579
2580commit a4fc253f5f44f0e4c47aafe2a17d2c46481d3c04
2581Author: djm@openbsd.org <djm@openbsd.org>
2582Date: Fri Oct 19 03:12:42 2018 +0000
2583
2584 upstream: when printing certificate contents "ssh-keygen -Lf
2585
2586 /path/certificate", include the algorithm that the CA used to sign the cert.
2587
2588 OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
2589
2590commit 83b3d99d2b47321b7ebb8db6f6ea04f3808bc069
2591Author: florian@openbsd.org <florian@openbsd.org>
2592Date: Mon Oct 15 11:28:50 2018 +0000
2593
2594 upstream: struct sockaddr_storage is guaranteed to be large enough,
2595
2596 no need to check the size. OK kn, deraadt
2597
2598 OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
2599
1commit aede1c34243a6f7feae2fb2cb686ade5f9be6f3d 2600commit aede1c34243a6f7feae2fb2cb686ade5f9be6f3d
2Author: Damien Miller <djm@mindrot.org> 2601Author: Damien Miller <djm@mindrot.org>
3Date: Wed Oct 17 11:01:20 2018 +1100 2602Date: Wed Oct 17 11:01:20 2018 +1100
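Review bot: the entries at new lines 1876-1881 (commit f47d72dd) and 2260-2262 (commit 928f1231) contain raw mail headers rather than commit text. The first subject stops at "should b" and its remainder is left as the RFC 2047 encoded word "=?UTF-8?q?e=20extern;=20from=20Hanno=20B=C3=B6ck?=", which decodes to "e extern; from Hanno Böck". Both entries also carry MIME-Version, Content-Type and Content-Transfer-Encoding lines. Two more subjects are cut short: "bz#293" at 2092 and the unterminated "user@host's" at 2100. Lines 2048-2051 describe ssh-keygen -F and -R as acting on authorized_keys, although those options operate on known_hosts. Since these entries are git log output imported with the 8.0p1 release, I would not hand-edit them in this merge. Instead, confirm the file is identical to the one in the upstream tarball, and when reading an affected entry, look the change up by its OpenBSD-Commit-ID rather than relying on the summary line.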
@@ -7741,1966 +10340,3 @@ Date: Mon Apr 17 11:02:31 2017 +0000
7741 -Wpointer-sign and -Wold-style-definition. 10340 -Wpointer-sign and -Wold-style-definition.
7742 10341
7743 Upstream-ID: 5cbe348aa76dc1adf55be6c0e388fafaa945439a 10342 Upstream-ID: 5cbe348aa76dc1adf55be6c0e388fafaa945439a
7744
7745commit 4d827f0d75a53d3952288ab882efbddea7ffadfe
7746Author: djm@openbsd.org <djm@openbsd.org>
7747Date: Tue Apr 4 00:24:56 2017 +0000
7748
7749 upstream commit
7750
7751 disallow creation (of empty files) in read-only mode;
7752 reported by Michal Zalewski, feedback & ok deraadt@
7753
7754 Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
7755
7756commit ef47843af0a904a21c920e619c5aec97b65dd9ac
7757Author: deraadt@openbsd.org <deraadt@openbsd.org>
7758Date: Sun Mar 26 00:18:52 2017 +0000
7759
7760 upstream commit
7761
7762 incorrect renditions of this quote bother me
7763
7764 Upstream-ID: 1662be3ebb7a71d543da088119c31d4d463a9e49
7765
7766commit d9048861bea842c4eba9c2dbbf97064cc2a5ef02
7767Author: Darren Tucker <dtucker@zip.com.au>
7768Date: Fri Mar 31 11:04:43 2017 +1100
7769
7770 Check for and use gcc's -pipe.
7771
7772 Speeds up configure and build by a couple of percent. ok djm@
7773
7774commit 282cad2240c4fbc104c2f2df86d688192cbbe4bb
7775Author: Darren Tucker <dtucker@zip.com.au>
7776Date: Wed Mar 29 16:34:44 2017 +1100
7777
7778 Import fmt_scaled.c rev 1.16 from OpenBSD.
7779
7780 Fix overly-conservative overflow checks on mulitplications and add checks
7781 on additions. This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN
7782 will still be flagged as a range error). ok millert@
7783
7784commit c73a229e4edf98920f395e19fd310684fc6bb951
7785Author: Darren Tucker <dtucker@zip.com.au>
7786Date: Wed Mar 29 16:34:02 2017 +1100
7787
7788 Import fmt_scaled.c rev 1.15 from OpenBSD.
7789
7790 Collapse underflow and overflow checks into a single block.
7791 ok djm@ millert@
7792
7793commit d427b73bf5a564f663d16546dbcbd84ba8b9d4af
7794Author: Darren Tucker <dtucker@zip.com.au>
7795Date: Wed Mar 29 16:32:57 2017 +1100
7796
7797 Import fmt_scaled.c rev 1.14 from OpenBSD.
7798
7799 Catch integer underflow in scan_scaled reported by Nicolas Iooss.
7800 ok deraadt@ djm@
7801
7802commit d13281f2964abc5f2e535e1613c77fc61b0c53e7
7803Author: Darren Tucker <dtucker@zip.com.au>
7804Date: Wed Mar 29 12:39:39 2017 +1100
7805
7806 Don't check privsep user or path when unprivileged
7807
7808 If running with privsep (mandatory now) as a non-privileged user, we
7809 don't chroot or change to an unprivileged user however we still checked
7810 the existence of the user and directory. Don't do those checks if we're
7811 not going to use them. Based in part on a patch from Lionel Fourquaux
7812 via Corinna Vinschen, ok djm@
7813
7814commit f2742a481fe151e493765a3fbdef200df2ea7037
7815Author: Darren Tucker <dtucker@zip.com.au>
7816Date: Wed Mar 29 10:50:31 2017 +1100
7817
7818 Remove SHA256 EVP wrapper implementation.
7819
7820 All supported versions of OpenSSL should now have SHA256 so remove our
7821 EVP wrapper implementaion. ok djm@
7822
7823commit 5346f271fc76549caf4a8e65b5fba319be422fe9
7824Author: Darren Tucker <dtucker@zip.com.au>
7825Date: Wed Mar 29 10:23:58 2017 +1100
7826
7827 Remove check for OpenSSL < 0.9.8g.
7828
7829 We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC
7830 in OpenSSL < 0.9.8g.
7831
7832commit 8fed0a5fe7b4e78a6810b133d8e91be9742ee0a1
7833Author: Darren Tucker <dtucker@zip.com.au>
7834Date: Wed Mar 29 10:16:15 2017 +1100
7835
7836 Remove compat code for OpenSSL < 0.9.7.
7837
7838 Resyncs that code with OpenBSD upstream.
7839
7840commit 608ec1f62ff22fdccc3952e51463d79c43cbd0d3
7841Author: Darren Tucker <dtucker@zip.com.au>
7842Date: Wed Mar 29 09:50:54 2017 +1100
7843
7844 Remove SSHv1 code path.
7845
7846 Server-side support for Protocol 1 has been removed so remove !compat20
7847 PAM code path.
7848
7849commit 7af27bf538cbc493d609753f9a6d43168d438f1b
7850Author: Darren Tucker <dtucker@zip.com.au>
7851Date: Fri Mar 24 09:44:56 2017 +1100
7852
7853 Enable ldns when using ldns-config.
7854
7855 Actually enable ldns when attempting to use ldns-config. bz#2697, patch
7856 from fredrik at fornwall.net.
7857
7858commit 58b8cfa2a062b72139d7229ae8de567f55776f24
7859Author: Damien Miller <djm@mindrot.org>
7860Date: Wed Mar 22 12:43:02 2017 +1100
7861
7862 Missing header on Linux/s390
7863
7864 Patch from Jakub Jelen
7865
7866commit 096fb65084593f9f3c1fc91b6d9052759a272a00
7867Author: djm@openbsd.org <djm@openbsd.org>
7868Date: Mon Mar 20 22:08:06 2017 +0000
7869
7870 upstream commit
7871
7872 remove /usr/bin/time calls around tests, makes diffing test
7873 runs harder. Based on patch from Mike Frysinger
7874
7875 Upstream-Regress-ID: 81c1083b14dcf473b23d2817882f40b346ebc95c
7876
7877commit 6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
7878Author: Damien Miller <djm@mindrot.org>
7879Date: Tue Mar 21 08:47:55 2017 +1100
7880
7881 Fix syntax error on Linux/X32
7882
7883 Patch from Mike Frysinger
7884
7885commit d38f05dbdd291212bc95ea80648b72b7177e9f4e
7886Author: Darren Tucker <dtucker@zip.com.au>
7887Date: Mon Mar 20 13:38:27 2017 +1100
7888
7889 Add llabs() implementation.
7890
7891commit 72536316a219b7394996a74691a5d4ec197480f7
7892Author: Damien Miller <djm@mindrot.org>
7893Date: Mon Mar 20 12:23:04 2017 +1100
7894
7895 crank version numbers
7896
7897commit 3be52bc36bdfd24ded7e0f46999e7db520fb4e3f
7898Author: djm@openbsd.org <djm@openbsd.org>
7899Date: Mon Mar 20 01:18:59 2017 +0000
7900
7901 upstream commit
7902
7903 openssh-7.5
7904
7905 Upstream-ID: b8b9a4a949427c393cd868215e1724ceb3467ee5
7906
7907commit db84e52fe9cfad57f22e7e23c5fbf00092385129
7908Author: Damien Miller <djm@mindrot.org>
7909Date: Mon Mar 20 12:07:20 2017 +1100
7910
7911 I'm a doofus.
7912
7913 Unbreak obvious syntax error.
7914
7915commit 89f04852db27643717c9c3a2b0dde97ae50099ee
7916Author: Damien Miller <djm@mindrot.org>
7917Date: Mon Mar 20 11:53:34 2017 +1100
7918
7919 on Cygwin, check paths from server for backslashes
7920
7921 Pointed out by Jann Horn of Google Project Zero
7922
7923commit 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9
7924Author: Damien Miller <djm@mindrot.org>
7925Date: Mon Mar 20 11:48:34 2017 +1100
7926
7927 Yet another synonym for ASCII: "646"
7928
7929 Used by NetBSD; this unbreaks mprintf() and friends there for the C
7930 locale (caught by dtucker@ and his menagerie of test systems).
7931
7932commit 9165abfea3f68a0c684a6ed2e575e59bc31a3a6b
7933Author: Damien Miller <djm@mindrot.org>
7934Date: Mon Mar 20 09:58:34 2017 +1100
7935
7936 create test mux socket in /tmp
7937
7938 Creating the socket in $OBJ could blow past the (quite limited)
7939 path limit for Unix domain sockets. As a bandaid for bz#2660,
7940 reported by Colin Watson; ok dtucker@
7941
7942commit 2adbe1e63bc313d03e8e84e652cc623af8ebb163
7943Author: markus@openbsd.org <markus@openbsd.org>
7944Date: Wed Mar 15 07:07:39 2017 +0000
7945
7946 upstream commit
7947
7948 disallow KEXINIT before NEWKEYS; ok djm; report by
7949 vegard.nossum at oracle.com
7950
7951 Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
7952
7953commit 2fbf91684d76d38b9cf06550b69c9e41bca5a71c
7954Author: Darren Tucker <dtucker@zip.com.au>
7955Date: Thu Mar 16 14:05:46 2017 +1100
7956
7957 Include includes.h for compat bits.
7958
7959commit b55f634e96b9c5b0cd991e23a9ca181bec4bdbad
7960Author: Darren Tucker <dtucker@zip.com.au>
7961Date: Thu Mar 16 13:45:17 2017 +1100
7962
7963 Wrap stdint.h in #ifdef HAVE_STDINT_H
7964
7965commit 55a1117d7342a0bf8b793250cf314bab6b482b99
7966Author: Damien Miller <djm@mindrot.org>
7967Date: Thu Mar 16 11:22:42 2017 +1100
7968
7969 Adapt Cygwin config script to privsep knob removal
7970
7971 Patch from Corinna Vinschen.
7972
7973commit 1a321bfdb91defe3c4d9cca5651724ae167e5436
7974Author: deraadt@openbsd.org <deraadt@openbsd.org>
7975Date: Wed Mar 15 03:52:30 2017 +0000
7976
7977 upstream commit
7978
7979 accidents happen to the best of us; ok djm
7980
7981 Upstream-ID: b7a9dbd71011ffde95e06f6945fe7197dedd1604
7982
7983commit 25f837646be8c2017c914d34be71ca435dfc0e07
7984Author: djm@openbsd.org <djm@openbsd.org>
7985Date: Wed Mar 15 02:25:09 2017 +0000
7986
7987 upstream commit
7988
7989 fix regression in 7.4: deletion of PKCS#11-hosted keys
7990 would fail unless they were specified by full physical pathname. Report and
7991 fix from Jakub Jelen via bz#2682; ok dtucker@
7992
7993 Upstream-ID: 5b5bc20ca11cacb5d5eb29c3f93fd18425552268
7994
7995commit a8c5eeacf032a7d3408957e45dd7603cc1baf55f
7996Author: djm@openbsd.org <djm@openbsd.org>
7997Date: Wed Mar 15 02:19:09 2017 +0000
7998
7999 upstream commit
8000
8001 Fix segfault when sshd attempts to load RSA1 keys (can
8002 only happen when protocol v.1 support is enabled for the client). Reported by
8003 Jakub Jelen in bz#2686; ok dtucker
8004
8005 Upstream-ID: 8fdaec2ba4b5f65db1d094f6714ce64b25d871d7
8006
8007commit 66705948c0639a7061a0d0753266da7685badfec
8008Author: djm@openbsd.org <djm@openbsd.org>
8009Date: Tue Mar 14 07:19:07 2017 +0000
8010
8011 upstream commit
8012
8013 Mark the sshd_config UsePrivilegeSeparation option as
8014 deprecated, effectively making privsep mandatory in sandboxing mode. ok
8015 markus@ deraadt@
8016
8017 (note: this doesn't remove the !privsep code paths, though that will
8018 happen eventually).
8019
8020 Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
8021
8022commit f86586b03fe6cd8f595289bde200a94bc2c191af
8023Author: Damien Miller <djm@mindrot.org>
8024Date: Tue Mar 14 18:26:29 2017 +1100
8025
8026 Make seccomp-bpf sandbox work on Linux/X32
8027
8028 Allow clock_gettime syscall with X32 bit masked off. Apparently
8029 this is required for at least some kernel versions. bz#2142
8030 Patch mostly by Colin Watson. ok dtucker@
8031
8032commit 2429cf78dd2a9741ce27ba25ac41c535274a0af6
8033Author: Damien Miller <djm@mindrot.org>
8034Date: Tue Mar 14 18:01:52 2017 +1100
8035
8036 require OpenSSL >=1.0.1
8037
8038commit e3ea335abeab731c68f2b2141bee85a4b0bf680f
8039Author: Damien Miller <djm@mindrot.org>
8040Date: Tue Mar 14 17:48:43 2017 +1100
8041
8042 Remove macro trickery; no binary change
8043
8044 This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
8045 prepending __NR_ to the syscall number parameter and just makes
8046 them explicit in the macro invocations.
8047
8048 No binary change in stripped object file before/after.
8049
8050commit 5f1596e11d55539678c41f68aed358628d33d86f
8051Author: Damien Miller <djm@mindrot.org>
8052Date: Tue Mar 14 13:15:18 2017 +1100
8053
8054 support ioctls for ICA crypto card on Linux/s390
8055
8056 Based on patch from Eduardo Barretto; ok dtucker@
8057
8058commit b1b22dd0df2668b322dda174e501dccba2cf5c44
8059Author: Darren Tucker <dtucker@zip.com.au>
8060Date: Tue Mar 14 14:19:36 2017 +1100
8061
8062 Plumb conversion test into makefile.
8063
8064commit f57783f1ddfb4cdfbd612c6beb5ec01cb5b9a6b9
8065Author: dtucker@openbsd.org <dtucker@openbsd.org>
8066Date: Tue Mar 14 01:20:29 2017 +0000
8067
8068 upstream commit
8069
8070 Add unit test for convtime().
8071
8072 Upstream-Regress-ID: 8717bc0ca4c21120f6dd3a1d3b7a363f707c31e1
8073
8074commit 8884b7247d094cd11ff9e39c325ba928c5bdbc6c
8075Author: dtucker@openbsd.org <dtucker@openbsd.org>
8076Date: Tue Mar 14 01:10:07 2017 +0000
8077
8078 upstream commit
8079
8080 Add ASSERT_LONG_* helpers.
8081
8082 Upstream-Regress-ID: fe15beaea8f5063c7f21b0660c722648e3d76431
8083
8084commit c6774d21185220c0ba11e8fd204bf0ad1a432071
8085Author: dtucker@openbsd.org <dtucker@openbsd.org>
8086Date: Tue Mar 14 00:55:37 2017 +0000
8087
8088 upstream commit
8089
8090 Fix convtime() overflow test on boundary condition,
8091 spotted by & ok djm.
8092
8093 Upstream-ID: 51f14c507ea87a3022e63f574100613ab2ba5708
8094
8095commit f5746b40cfe6d767c8e128fe50c43274b31cd594
8096Author: dtucker@openbsd.org <dtucker@openbsd.org>
8097Date: Tue Mar 14 00:25:03 2017 +0000
8098
8099 upstream commit
8100
8101 Check for integer overflow when parsing times in
8102 convtime(). Reported by nicolas.iooss at m4x.org, ok djm@
8103
8104 Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13
8105
8106commit f5907982f42a8d88a430b8a46752cbb7859ba979
8107Author: Darren Tucker <dtucker@zip.com.au>
8108Date: Tue Mar 14 13:38:15 2017 +1100
8109
8110 Add a "unit" target to run only unit tests.
8111
8112commit 9e96b41682aed793fadbea5ccd472f862179fb02
8113Author: Damien Miller <djm@mindrot.org>
8114Date: Tue Mar 14 12:24:47 2017 +1100
8115
8116 Fix weakness in seccomp-bpf sandbox arg inspection
8117
8118 Syscall arguments are passed via an array of 64-bit values in struct
8119 seccomp_data, but we were only inspecting the bottom 32 bits and not
8120 even those correctly for BE systems.
8121
8122 Fortunately, the only case argument inspection was used was in the
8123 socketcall filtering so using this for sandbox escape seems
8124 impossible.
8125
8126 ok dtucker
8127
8128commit 8ff3fc3f2f7c13e8968717bc2b895ee32c441275
8129Author: djm@openbsd.org <djm@openbsd.org>
8130Date: Sat Mar 11 23:44:16 2017 +0000
8131
8132 upstream commit
8133
8134 regress tests for loading certificates without public keys;
8135 bz#2617 based on patch from Adam Eijdenberg; ok markus@ dtucker@
8136
8137 Upstream-Regress-ID: 0145d19328ed995b73fe2d9da33596b17429d0d0
8138
8139commit 1e24552716194db8f2f620587b876158a9ef56ad
8140Author: djm@openbsd.org <djm@openbsd.org>
8141Date: Sat Mar 11 23:40:26 2017 +0000
8142
8143 upstream commit
8144
8145 allow ssh to use certificates accompanied by a private
8146 key file but no corresponding plain *.pub public key. bz#2617 based on patch
8147 from Adam Eijdenberg; ok dtucker@ markus@
8148
8149 Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9
8150
8151commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e
8152Author: markus@openbsd.org <markus@openbsd.org>
8153Date: Sat Mar 11 13:07:35 2017 +0000
8154
8155 upstream commit
8156
8157 Don't count the initial block twice when computing how
8158 many bytes to discard for the work around for the attacks against CBC-mode.
8159 ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
8160
8161 Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
8162
8163commit ef653dd5bd5777132d9f9ee356225f9ee3379504
8164Author: dtucker@openbsd.org <dtucker@openbsd.org>
8165Date: Fri Mar 10 07:18:32 2017 +0000
8166
8167 upstream commit
8168
8169 krl.c
8170
8171 Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
8172
8173commit d94c1dfef2ea30ca67b1204ada7c3b537c54f4d0
8174Author: Damien Miller <djm@mindrot.org>
8175Date: Sun Mar 12 10:48:14 2017 +1100
8176
8177 sync fmt_scaled.c with OpenBSD
8178
8179 revision 1.13
8180 date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R;
8181 fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
8182 using AFL against ssh_config. ok deraadt@ millert@
8183 ----------------------------
8184 revision 1.12
8185 date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5;
8186 fairly simple unsigned char casts for ctype
8187 ok krw
8188 ----------------------------
8189 revision 1.11
8190 date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2;
8191 make scan_scaled set errno to EINVAL rather than ERANGE if it encounters
8192 an invalid multiplier, like the man page says it should
8193
8194 "looks sensible" deraadt@, ok ian@
8195 ----------------------------
8196 revision 1.10
8197 date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4;
8198 use llabs instead of the home-grown version; and some comment changes
8199 ok ian@, millert@
8200 ----------------------------
8201
8202commit 894221a63fa061e52e414ca58d47edc5fe645968
8203Author: djm@openbsd.org <djm@openbsd.org>
8204Date: Fri Mar 10 05:01:13 2017 +0000
8205
8206 upstream commit
8207
8208 When updating hostkeys, accept RSA keys if
8209 HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
8210 keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
8211 nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
8212 dtucker@
8213
8214 Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
8215
8216commit dd3e2298663f4cc1a06bc69582d00dcfee27d73c
8217Author: djm@openbsd.org <djm@openbsd.org>
8218Date: Fri Mar 10 04:24:55 2017 +0000
8219
8220 upstream commit
8221
8222 make hostname matching really insensitive to case;
8223 bz#2685, reported by Petr Cerny; ok dtucker@
8224
8225 Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253
8226
8227commit 77a9be9446697fe8b5499fe651f4a82a71a4b51f
8228Author: djm@openbsd.org <djm@openbsd.org>
8229Date: Fri Mar 10 03:52:48 2017 +0000
8230
8231 upstream commit
8232
8233 reword a comment to make it fit 80 columns
8234
8235 Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4
8236
8237commit 61b8ef6a66efaec07e023342cb94a10bdc2254dc
8238Author: djm@openbsd.org <djm@openbsd.org>
8239Date: Fri Mar 10 04:27:32 2017 +0000
8240
8241 upstream commit
8242
8243 better match sshd config parser behaviour: fatal() if
8244 line is overlong, increase line buffer to match sshd's; bz#2651 reported by
8245 Don Fong; ok dtucker@
8246
8247 Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
8248
8249commit db2597207e69912f2592cd86a1de8e948a9d7ffb
8250Author: djm@openbsd.org <djm@openbsd.org>
8251Date: Fri Mar 10 04:26:06 2017 +0000
8252
8253 upstream commit
8254
8255 ensure hostname is lower-case before hashing it;
8256 bz#2591 reported by Griff Miller II; ok dtucker@
8257
8258 Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
8259
8260commit df9936936c695f85c1038bd706d62edf752aca4b
8261Author: djm@openbsd.org <djm@openbsd.org>
8262Date: Fri Mar 10 04:24:55 2017 +0000
8263
8264 upstream commit
8265
8266 make hostname matching really insensitive to case;
8267 bz#2685, reported by Petr Cerny; ok dtucker@
8268
8269 Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549
8270
8271commit 67eed24bfa7645d88fa0b883745fccb22a0e527e
8272Author: dtucker@openbsd.org <dtucker@openbsd.org>
8273Date: Fri Mar 10 04:11:00 2017 +0000
8274
8275 upstream commit
8276
8277 Remove old null check from config dumper. Patch from
8278 jjelen at redhat.com vi bz#2687, ok djm@
8279
8280 Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
8281
8282commit 183ba55aaaecca0206184b854ad6155df237adbe
8283Author: djm@openbsd.org <djm@openbsd.org>
8284Date: Fri Mar 10 04:07:20 2017 +0000
8285
8286 upstream commit
8287
8288 fix regression in 7.4 server-sig-algs, where we were
8289 accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
8290 Goncalves; ok dtucker@
8291
8292 Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
8293
8294commit 66be4fe8c4435af5bbc82998501a142a831f1181
8295Author: dtucker@openbsd.org <dtucker@openbsd.org>
8296Date: Fri Mar 10 03:53:11 2017 +0000
8297
8298 upstream commit
8299
8300 Check for NULL return value from key_new. Patch from
8301 jjelen at redhat.com via bz#2687, ok djm@
8302
8303 Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e
8304
8305commit ec2892b5c7fea199914cb3a6afb3af38f84990bf
8306Author: djm@openbsd.org <djm@openbsd.org>
8307Date: Fri Mar 10 03:52:48 2017 +0000
8308
8309 upstream commit
8310
8311 reword a comment to make it fit 80 columns
8312
8313 Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349
8314
8315commit 7fadbb6da3f4122de689165651eb39985e1cba85
8316Author: dtucker@openbsd.org <dtucker@openbsd.org>
8317Date: Fri Mar 10 03:48:57 2017 +0000
8318
8319 upstream commit
8320
8321 Check for NULL argument to sshkey_read. Patch from
8322 jjelen at redhat.com via bz#2687, ok djm@
8323
8324 Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
8325
8326commit 5a06b9e019e2b0b0f65a223422935b66f3749de3
8327Author: dtucker@openbsd.org <dtucker@openbsd.org>
8328Date: Fri Mar 10 03:45:40 2017 +0000
8329
8330 upstream commit
8331
8332 Plug some mem leaks mostly on error paths. From jjelen
8333 at redhat.com via bz#2687, ok djm@
8334
8335 Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
8336
8337commit f6edbe9febff8121f26835996b1229b5064d31b7
8338Author: dtucker@openbsd.org <dtucker@openbsd.org>
8339Date: Fri Mar 10 03:24:48 2017 +0000
8340
8341 upstream commit
8342
8343 Plug mem leak on GLOB_NOMATCH case. From jjelen at
8344 redhat.com via bz#2687, ok djm@
8345
8346 Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
8347
8348commit 566b3a46e89a2fda2db46f04f2639e92da64a120
8349Author: dtucker@openbsd.org <dtucker@openbsd.org>
8350Date: Fri Mar 10 03:22:40 2017 +0000
8351
8352 upstream commit
8353
8354 Plug descriptor leaks of auth_sock. From jjelen at
8355 redhat.com via bz#2687, ok djm@
8356
8357 Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88
8358
8359commit 8a2834454c73dfc1eb96453c0e97690595f3f4c2
8360Author: djm@openbsd.org <djm@openbsd.org>
8361Date: Fri Mar 10 03:18:24 2017 +0000
8362
8363 upstream commit
8364
8365 correctly hash hosts with a port number. Reported by Josh
8366 Powers in bz#2692; ok dtucker@
8367
8368 Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
8369
8370commit 9747b9c742de409633d4753bf1a752cbd211e2d3
8371Author: djm@openbsd.org <djm@openbsd.org>
8372Date: Fri Mar 10 03:15:58 2017 +0000
8373
8374 upstream commit
8375
8376 don't truncate off \r\n from long stderr lines; bz#2688,
8377 reported by Brian Dyson; ok dtucker@
8378
8379 Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4
8380
8381commit 4a4b75adac862029a1064577eb5af299b1580cdd
8382Author: dtucker@openbsd.org <dtucker@openbsd.org>
8383Date: Fri Mar 10 02:59:51 2017 +0000
8384
8385 upstream commit
8386
8387 Validate digest arg in ssh_digest_final; from jjelen at
8388 redhat.com via bz#2687, ok djm@
8389
8390 Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878
8391
8392commit bee0167be2340d8de4bdc1ab1064ec957c85a447
8393Author: Darren Tucker <dtucker@zip.com.au>
8394Date: Fri Mar 10 13:40:18 2017 +1100
8395
8396 Check for NULL from malloc.
8397
8398 Part of bz#2687, from jjelen at redhat.com.
8399
8400commit da39b09d43b137a5a3d071b51589e3efb3701238
8401Author: Darren Tucker <dtucker@zip.com.au>
8402Date: Fri Mar 10 13:22:32 2017 +1100
8403
8404 If OSX is using launchd, remove screen no.
8405
8406 Check for socket with and without screen number. From Apple and Jakob
8407 Schlyter via bz#2341, with contributions from Ron Frederick, ok djm@
8408
8409commit 8fb15311a011517eb2394bb95a467c209b8b336c
8410Author: djm@openbsd.org <djm@openbsd.org>
8411Date: Wed Mar 8 12:07:47 2017 +0000
8412
8413 upstream commit
8414
8415 quote [host]:port in generated ProxyJump commandline; the
8416 [ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri
8417 Tirkkonen via bugs@
8418
8419 Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
8420
8421commit 18501151cf272a15b5f2c5e777f2e0933633c513
8422Author: dtucker@openbsd.org <dtucker@openbsd.org>
8423Date: Mon Mar 6 02:03:20 2017 +0000
8424
8425 upstream commit
8426
8427 Check l->hosts before dereferencing; fixes potential null
8428 pointer deref. ok djm@
8429
8430 Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
8431
8432commit d072370793f1a20f01ad827ba8fcd3b8f2c46165
8433Author: dtucker@openbsd.org <dtucker@openbsd.org>
8434Date: Mon Mar 6 00:44:51 2017 +0000
8435
8436 upstream commit
8437
8438 linenum is unsigned long so use %lu in log formats. ok
8439 deraadt@
8440
8441 Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
8442
8443commit 12d3767ba4c84c32150cbe6ff6494498780f12c9
8444Author: djm@openbsd.org <djm@openbsd.org>
8445Date: Fri Mar 3 06:13:11 2017 +0000
8446
8447 upstream commit
8448
8449 fix ssh-keygen -H accidentally corrupting known_hosts that
8450 contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
8451 hostkeys_foreach() when hostname matching is in use, so we need to look for
8452 the hash marker explicitly.
8453
8454 Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
8455
8456commit d7abb771bd5a941b26144ba400a34563a1afa589
8457Author: djm@openbsd.org <djm@openbsd.org>
8458Date: Tue Feb 28 06:10:08 2017 +0000
8459
8460 upstream commit
8461
8462 small memleak: free fd_set on connection timeout (though
8463 we are heading to exit anyway). From Tom Rix in bz#2683
8464
8465 Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
8466
8467commit 78142e3ab3887e53a968d6e199bcb18daaf2436e
8468Author: jmc@openbsd.org <jmc@openbsd.org>
8469Date: Mon Feb 27 14:30:33 2017 +0000
8470
8471 upstream commit
8472
8473 errant dot; from klemens nanni
8474
8475 Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
8476
8477commit 8071a6924c12bb51406a9a64a4b2892675112c87
8478Author: djm@openbsd.org <djm@openbsd.org>
8479Date: Fri Feb 24 03:16:34 2017 +0000
8480
8481 upstream commit
8482
8483 might as well set the listener socket CLOEXEC
8484
8485 Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57
8486
8487commit d5499190559ebe374bcdfa8805408646ceffad64
8488Author: djm@openbsd.org <djm@openbsd.org>
8489Date: Sun Feb 19 00:11:29 2017 +0000
8490
8491 upstream commit
8492
8493 add test cases for C locale; ok schwarze@
8494
8495 Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87
8496
8497commit 011c8ffbb0275281a0cf330054cf21be10c43e37
8498Author: djm@openbsd.org <djm@openbsd.org>
8499Date: Sun Feb 19 00:10:57 2017 +0000
8500
8501 upstream commit
8502
8503 Add a common nl_langinfo(CODESET) alias for US-ASCII
8504 "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for
8505 non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@
8506
8507 Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719
8508
8509commit 0c4430a19b73058a569573492f55e4c9eeaae67b
8510Author: dtucker@openbsd.org <dtucker@openbsd.org>
8511Date: Tue Feb 7 23:03:11 2017 +0000
8512
8513 upstream commit
8514
8515 Remove deprecated SSH1 options RSAAuthentication and
8516 RhostsRSAAuthentication from regression test sshd_config.
8517
8518 Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
8519
8520commit 3baa4cdd197c95d972ec3d07f1c0d08f2d7d9199
8521Author: dtucker@openbsd.org <dtucker@openbsd.org>
8522Date: Fri Feb 17 02:32:05 2017 +0000
8523
8524 upstream commit
8525
8526 Do not show rsa1 key type in usage when compiled without
8527 SSH1 support.
8528
8529 Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
8530
8531commit ecc35893715f969e98fee118481f404772de4132
8532Author: dtucker@openbsd.org <dtucker@openbsd.org>
8533Date: Fri Feb 17 02:31:14 2017 +0000
8534
8535 upstream commit
8536
8537 ifdef out "rsa1" from the list of supported keytypes when
8538 compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@
8539
8540 Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
8541
8542commit 10577c6d96a55b877a960b2d0b75edef1b9945af
8543Author: djm@openbsd.org <djm@openbsd.org>
8544Date: Fri Feb 17 02:04:15 2017 +0000
8545
8546 upstream commit
8547
8548 For ProxyJump/-J, surround host name with brackets to
8549 allow literal IPv6 addresses. From Dick Visser; ok dtucker@
8550
8551 Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
8552
8553commit b2afdaf1b52231aa23d2153f4a8c5a60a694dda4
8554Author: jsg@openbsd.org <jsg@openbsd.org>
8555Date: Wed Feb 15 23:38:31 2017 +0000
8556
8557 upstream commit
8558
8559 Fix memory leaks in match_filter_list() error paths.
8560
8561 ok dtucker@ markus@
8562
8563 Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
8564
8565commit 6d5a41b38b55258213ecfaae9df7a758caa752a1
8566Author: djm@openbsd.org <djm@openbsd.org>
8567Date: Wed Feb 15 01:46:47 2017 +0000
8568
8569 upstream commit
8570
8571 fix division by zero crash in "df" output when server
8572 returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok
8573 dtucker@
8574
8575 Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
8576
8577commit bd5d7d239525d595ecea92765334af33a45d9d63
8578Author: Darren Tucker <dtucker@zip.com.au>
8579Date: Sun Feb 12 15:45:15 2017 +1100
8580
8581 ifdef out EVP_R_PRIVATE_KEY_DECODE_ERROR
8582
8583 EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out
8584 for the benefit of OpenSSL versions prior to that.
8585
8586commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe
8587Author: djm@openbsd.org <djm@openbsd.org>
8588Date: Fri Feb 10 04:34:50 2017 +0000
8589
8590 upstream commit
8591
8592 bring back r1.34 that was backed out for problems loading
8593 public keys:
8594
8595 translate OpenSSL error codes to something more
8596 meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
8597
8598 with additional fix from Jakub Jelen to solve the backout.
8599 bz#2525 bz#2523 re-ok dtucker@
8600
8601 Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
8602
8603commit a287c5ad1e0bf9811c7b9221979b969255076019
8604Author: djm@openbsd.org <djm@openbsd.org>
8605Date: Fri Feb 10 03:36:40 2017 +0000
8606
8607 upstream commit
8608
8609 Sanitise escape sequences in key comments sent to printf
8610 but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
8611
8612 Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
8613
8614commit e40269be388972848aafcca7060111c70aab5b87
8615Author: millert@openbsd.org <millert@openbsd.org>
8616Date: Wed Feb 8 20:32:43 2017 +0000
8617
8618 upstream commit
8619
8620 Avoid printf %s NULL. From semarie@, OK djm@
8621
8622 Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
8623
8624commit 5b90709ab8704dafdb31e5651073b259d98352bc
8625Author: djm@openbsd.org <djm@openbsd.org>
8626Date: Mon Feb 6 09:22:51 2017 +0000
8627
8628 upstream commit
8629
8630 Restore \r\n newline sequence for server ident string. The CR
8631 got lost in the flensing of SSHv1. Pointed out by Stef Bon
8632
8633 Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
8634
8635commit 97c31c46ee2e6b46dfffdfc4f90bbbf188064cbc
8636Author: djm@openbsd.org <djm@openbsd.org>
8637Date: Fri Feb 3 23:01:42 2017 +0000
8638
8639 upstream commit
8640
8641 unit test for match_filter_list() function; still want a
8642 better name for this...
8643
8644 Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
8645
8646commit f1a193464a7b77646f0d0cedc929068e4a413ab4
8647Author: djm@openbsd.org <djm@openbsd.org>
8648Date: Fri Feb 3 23:05:57 2017 +0000
8649
8650 upstream commit
8651
8652 use ssh_packet_set_log_preamble() to include connection
8653 username in packet log messages, e.g.
8654
8655 Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
8656
8657 ok markus@ bz#113
8658
8659 Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
8660
8661commit 07edd7e9537ab32aa52abb5fb2a915c350fcf441
8662Author: djm@openbsd.org <djm@openbsd.org>
8663Date: Fri Feb 3 23:03:33 2017 +0000
8664
8665 upstream commit
8666
8667 add ssh_packet_set_log_preamble() to allow inclusion of a
8668 preamble string in disconnect messages; ok markus@
8669
8670 Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
8671
8672commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
8673Author: djm@openbsd.org <djm@openbsd.org>
8674Date: Fri Feb 3 23:01:19 2017 +0000
8675
8676 upstream commit
8677
8678 support =- for removing methods from algorithms lists,
8679 e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
8680 it" markus@
8681
8682 Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
8683
8684commit c924b2ef941028a1f31e6e94f54dfeeeef462a4e
8685Author: djm@openbsd.org <djm@openbsd.org>
8686Date: Fri Feb 3 05:05:56 2017 +0000
8687
8688 upstream commit
8689
8690 allow form-feed characters at EOL; bz#2431 ok dtucker@
8691
8692 Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
8693
8694commit 523db8540b720c4d21ab0ff6f928476c70c38aab
8695Author: Damien Miller <djm@mindrot.org>
8696Date: Fri Feb 3 16:01:22 2017 +1100
8697
8698 prefer to use ldns-config to find libldns
8699
8700 Should fix bz#2603 - "Build with ldns and without kerberos support
8701 fails if ldns compiled with kerberos support" by including correct
8702 cflags/libs
8703
8704 ok dtucker@
8705
8706commit c998bf0afa1a01257a53793eba57941182e9e0b7
8707Author: dtucker@openbsd.org <dtucker@openbsd.org>
8708Date: Fri Feb 3 02:56:00 2017 +0000
8709
8710 upstream commit
8711
8712 Make ssh_packet_set_rekey_limits take u32 for the number of
8713 seconds until rekeying (negative values are rejected at config parse time).
8714 This allows the removal of some casts and a signed vs unsigned comparison
8715 warning.
8716
8717 rekey_time is cast to int64 for the comparison which is a no-op
8718 on OpenBSD, but should also do the right thing in -portable on
8719 anything still using 32bit time_t (until the system time actually
8720 wraps, anyway).
8721
8722 some early guidance deraadt@, ok djm@
8723
8724 Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
8725
8726commit 3ec5fa4ba97d4c4853620daea26a33b9f1fe3422
8727Author: jsg@openbsd.org <jsg@openbsd.org>
8728Date: Thu Feb 2 10:54:25 2017 +0000
8729
8730 upstream commit
8731
8732 In vasnmprintf() return an error if malloc fails and
8733 don't set a function argument to the address of free'd memory.
8734
8735 ok djm@
8736
8737 Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779
8738
8739commit 858252fb1d451ebb0969cf9749116c8f0ee42753
8740Author: dtucker@openbsd.org <dtucker@openbsd.org>
8741Date: Wed Feb 1 02:59:09 2017 +0000
8742
8743 upstream commit
8744
8745 Return true reason for port forwarding failures where
8746 feasible rather than always "administratively prohibited". bz#2674, ok djm@
8747
8748 Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
8749
8750commit 6ba9f893838489add6ec4213c7a997b425e4a9e0
8751Author: dtucker@openbsd.org <dtucker@openbsd.org>
8752Date: Mon Jan 30 23:27:39 2017 +0000
8753
8754 upstream commit
8755
8756 Small correction to the known_hosts section on when it is
8757 updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
8758 sdf.org
8759
8760 Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
8761
8762commit c61d5ec3c11e7ff9779b6127421d9f166cf10915
8763Author: Darren Tucker <dtucker@zip.com.au>
8764Date: Fri Feb 3 14:10:34 2017 +1100
8765
8766 Remove _XOPEN_SOURCE from wide char detection.
8767
8768 Having _XOPEN_SOURCE unconditionally causes problems on some platforms
8769 and configurations, notably Solaris 64-bit binaries. It was there for
8770 the benefit of Linux put the required bits in the *-*linux* section.
8771
8772 Patch from yvoinov at gmail.com.
8773
8774commit f25ee13b3e81fd80efeb871dc150fe49d7fc8afd
8775Author: djm@openbsd.org <djm@openbsd.org>
8776Date: Mon Jan 30 05:22:14 2017 +0000
8777
8778 upstream commit
8779
8780 fully unbreak: some $SSH invocations did not have -F
8781 specified and could pick up the ~/.ssh/config of the user running the tests
8782
8783 Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89
8784
8785commit 6956e21fb26652887475fe77ea40d2efcf25908b
8786Author: djm@openbsd.org <djm@openbsd.org>
8787Date: Mon Jan 30 04:54:07 2017 +0000
8788
8789 upstream commit
8790
8791 partially unbreak: was not specifying hostname on some
8792 $SSH invocations
8793
8794 Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc
8795
8796commit 52763dd3fe0a4678dafdf7aeb32286e514130afc
8797Author: djm@openbsd.org <djm@openbsd.org>
8798Date: Mon Jan 30 01:03:00 2017 +0000
8799
8800 upstream commit
8801
8802 revise keys/principals command hang fix (bz#2655) to
8803 consume entire output, avoiding sending SIGPIPE to subprocesses early; ok
8804 dtucker@
8805
8806 Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
8807
8808commit 381a2615a154a82c4c53b787f4a564ef894fe9ac
8809Author: djm@openbsd.org <djm@openbsd.org>
8810Date: Mon Jan 30 00:38:50 2017 +0000
8811
8812 upstream commit
8813
8814 small cleanup post SSHv1 removal:
8815
8816 remove SSHv1-isms in commented examples
8817
8818 reorder token table to group deprecated and compile-time conditional tokens
8819 better
8820
8821 fix config dumping code for some compile-time conditional options that
8822 weren't being correctly skipped (SSHv1 and PKCS#11)
8823
8824 Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
8825
8826commit 4833d01591b7eb049489d9558b65f5553387ed43
8827Author: djm@openbsd.org <djm@openbsd.org>
8828Date: Mon Jan 30 00:34:01 2017 +0000
8829
8830 upstream commit
8831
8832 some explicit NULL tests when dumping configured
8833 forwardings; from Karsten Weiss
8834
8835 Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
8836
8837commit 326e2fae9f2e3e067b5651365eba86b35ee5a6b2
8838Author: djm@openbsd.org <djm@openbsd.org>
8839Date: Mon Jan 30 00:32:28 2017 +0000
8840
8841 upstream commit
8842
8843 misplaced braces in test; from Karsten Weiss
8844
8845 Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae
8846
8847commit 3e032a95e46bfaea9f9e857678ac8fa5f63997fb
8848Author: djm@openbsd.org <djm@openbsd.org>
8849Date: Mon Jan 30 00:32:03 2017 +0000
8850
8851 upstream commit
8852
8853 don't dereference authctxt before testing != NULL, it
8854 causes compilers to make assumptions; from Karsten Weiss
8855
8856 Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
8857
8858commit 01cfaa2b1cfb84f3cdd32d1bf82b120a8d30e057
8859Author: djm@openbsd.org <djm@openbsd.org>
8860Date: Fri Jan 6 02:51:16 2017 +0000
8861
8862 upstream commit
8863
8864 use correct ssh-add program; bz#2654, from Colin Watson
8865
8866 Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030
8867
8868commit e5c7ec67cdc42ae2584085e0fc5cc5ee91133cf5
8869Author: dtucker@openbsd.org <dtucker@openbsd.org>
8870Date: Fri Jan 6 02:26:10 2017 +0000
8871
8872 upstream commit
8873
8874 Account for timeouts in the integrity tests as failures.
8875
8876 If the first test in a series for a given MAC happens to modify the low
8877 bytes of a packet length, then ssh will time out and this will be
8878 interpreted as a test failure. Patch from cjwatson at debian.org via
8879 bz#2658.
8880
8881 Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
8882
8883commit dbaf599b61bd6e0f8469363a8c8e7f633b334018
8884Author: dtucker@openbsd.org <dtucker@openbsd.org>
8885Date: Fri Jan 6 02:09:25 2017 +0000
8886
8887 upstream commit
8888
8889 Make forwarding test less racy by using unix domain
8890 sockets instead of TCP ports where possible. Patch from cjwatson at
8891 debian.org via bz#2659.
8892
8893 Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
8894
8895commit 9390b0031ebd6eb5488d3bc4d4333c528dffc0a6
8896Author: dtucker@openbsd.org <dtucker@openbsd.org>
8897Date: Sun Jan 29 21:35:23 2017 +0000
8898
8899 upstream commit
8900
8901 Fix typo in ~C error message for bad port forward
8902 cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's
8903 bugtracker.
8904
8905 Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
8906
8907commit 4ba15462ca38883b8a61a1eccc093c79462d5414
8908Author: guenther@openbsd.org <guenther@openbsd.org>
8909Date: Sat Jan 21 11:32:04 2017 +0000
8910
8911 upstream commit
8912
8913 The POSIX APIs that that sockaddrs all ignore the s*_len
8914 field in the incoming socket, so userspace doesn't need to set it unless it
8915 has its own reasons for tracking the size along with the sockaddr.
8916
8917 ok phessler@ deraadt@ florian@
8918
8919 Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
8920
8921commit a1187bd3ef3e4940af849ca953a1b849dae78445
8922Author: jmc@openbsd.org <jmc@openbsd.org>
8923Date: Fri Jan 6 16:28:12 2017 +0000
8924
8925 upstream commit
8926
8927 keep the tokens list sorted;
8928
8929 Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
8930
8931commit b64077f9767634715402014f509e58decf1e140d
8932Author: djm@openbsd.org <djm@openbsd.org>
8933Date: Fri Jan 6 09:27:52 2017 +0000
8934
8935 upstream commit
8936
8937 fix previous
8938
8939 Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
8940
8941commit 5e820e9ea2e949aeb93071fe31c80b0c42f2b2de
8942Author: djm@openbsd.org <djm@openbsd.org>
8943Date: Fri Jan 6 03:53:58 2017 +0000
8944
8945 upstream commit
8946
8947 show a useful error message when included config files
8948 can't be opened; bz#2653, ok dtucker@
8949
8950 Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
8951
8952commit 13bd2e2d622d01dc85d22b94520a5b243d006049
8953Author: djm@openbsd.org <djm@openbsd.org>
8954Date: Fri Jan 6 03:45:41 2017 +0000
8955
8956 upstream commit
8957
8958 sshd_config is documented to set
8959 GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
8960 bz#2637 ok dtucker
8961
8962 Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
8963
8964commit f89b928534c9e77f608806a217d39a2960cc7fd0
8965Author: djm@openbsd.org <djm@openbsd.org>
8966Date: Fri Jan 6 03:41:58 2017 +0000
8967
8968 upstream commit
8969
8970 Avoid confusing error message when attempting to use
8971 ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583
8972
8973 Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
8974
8975commit 0999533014784579aa6f01c2d3a06e3e8804b680
8976Author: dtucker@openbsd.org <dtucker@openbsd.org>
8977Date: Fri Jan 6 02:34:54 2017 +0000
8978
8979 upstream commit
8980
8981 Re-add '%k' token for AuthorizedKeysCommand which was
8982 lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
8983
8984 Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
8985
8986commit 51045869fa084cdd016fdd721ea760417c0a3bf3
8987Author: djm@openbsd.org <djm@openbsd.org>
8988Date: Wed Jan 4 05:37:40 2017 +0000
8989
8990 upstream commit
8991
8992 unbreak Unix domain socket forwarding for root; ok
8993 markus@
8994
8995 Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
8996
8997commit 58fca12ba967ea5c768653535604e1522d177e44
8998Author: Darren Tucker <dtucker@zip.com.au>
8999Date: Mon Jan 16 09:08:32 2017 +1100
9000
9001 Remove LOGIN_PROGRAM.
9002
9003 UseLogin is gone, remove leftover. bz#2665, from cjwatson at debian.org
9004
9005commit b108ce92aae0ca0376dce9513d953be60e449ae1
9006Author: djm@openbsd.org <djm@openbsd.org>
9007Date: Wed Jan 4 02:21:43 2017 +0000
9008
9009 upstream commit
9010
9011 relax PKCS#11 whitelist a bit to allow libexec as well as
9012 lib directories.
9013
9014 Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702
9015
9016commit c7995f296b9222df2846f56ecf61e5ae13d7a53d
9017Author: djm@openbsd.org <djm@openbsd.org>
9018Date: Tue Jan 3 05:46:51 2017 +0000
9019
9020 upstream commit
9021
9022 check number of entries in SSH2_FXP_NAME response; avoids
9023 unreachable overflow later. Reported by Jann Horn
9024
9025 Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
9026
9027commit ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
9028Author: djm@openbsd.org <djm@openbsd.org>
9029Date: Fri Dec 30 22:08:02 2016 +0000
9030
9031 upstream commit
9032
9033 fix deadlock when keys/principals command produces a lot of
9034 output and a key is matched early; bz#2655, patch from jboning AT gmail.com
9035
9036 Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
9037
9038commit 30eee7d1b2fec33c14870cc11910610be5d2aa6f
9039Author: Darren Tucker <dtucker@zip.com.au>
9040Date: Tue Dec 20 12:16:11 2016 +1100
9041
9042 Re-add missing "Prerequisites" header and fix typo
9043
9044 Patch from HARUYAMA Seigo <haruyama at unixuser org>.
9045
9046commit c8c60f3663165edd6a52632c6ddbfabfce1ca865
9047Author: djm@openbsd.org <djm@openbsd.org>
9048Date: Mon Dec 19 22:35:23 2016 +0000
9049
9050 upstream commit
9051
9052 use standard /bin/sh equality test; from Mike Frysinger
9053
9054 Upstream-Regress-ID: 7b6f0b63525f399844c8ac211003acb8e4b0bec2
9055
9056commit 4a354fc231174901f2629437c2a6e924a2dd6772
9057Author: Damien Miller <djm@mindrot.org>
9058Date: Mon Dec 19 15:59:26 2016 +1100
9059
9060 crank version numbers for release
9061
9062commit 5f8d0bb8413d4d909cc7aa3c616fb0538224c3c9
9063Author: djm@openbsd.org <djm@openbsd.org>
9064Date: Mon Dec 19 04:55:51 2016 +0000
9065
9066 upstream commit
9067
9068 openssh-7.4
9069
9070 Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
9071
9072commit 3a8213ea0ed843523e34e55ab9c852332bab4c7b
9073Author: djm@openbsd.org <djm@openbsd.org>
9074Date: Mon Dec 19 04:55:18 2016 +0000
9075
9076 upstream commit
9077
9078 remove testcase that depends on exact output and
9079 behaviour of snprintf(..., "%s", NULL)
9080
9081 Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
9082
9083commit eae735a82d759054f6ec7b4e887fb7a5692c66d7
9084Author: dtucker@openbsd.org <dtucker@openbsd.org>
9085Date: Mon Dec 19 03:32:57 2016 +0000
9086
9087 upstream commit
9088
9089 Use LOGNAME to get current user and fall back to whoami if
9090 not set. Mainly to benefit -portable since some platforms don't have whoami.
9091
9092 Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
9093
9094commit 0d2f88428487518eea60602bd593989013831dcf
9095Author: dtucker@openbsd.org <dtucker@openbsd.org>
9096Date: Fri Dec 16 03:51:19 2016 +0000
9097
9098 upstream commit
9099
9100 Add regression test for AllowUsers and DenyUsers. Patch from
9101 Zev Weiss <zev at bewilderbeest.net>
9102
9103 Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
9104
9105commit 3bc8180a008929f6fe98af4a56fb37d04444b417
9106Author: Darren Tucker <dtucker@zip.com.au>
9107Date: Fri Dec 16 15:02:24 2016 +1100
9108
9109 Add missing monitor.h include.
9110
9111 Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
9112
9113commit 410681f9015d76cc7b137dd90dac897f673244a0
9114Author: djm@openbsd.org <djm@openbsd.org>
9115Date: Fri Dec 16 02:48:55 2016 +0000
9116
9117 upstream commit
9118
9119 revert to rev1.2; the new bits in this test depend on changes
9120 to ssh that aren't yet committed
9121
9122 Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
9123
9124commit 2f2ffa4fbe4b671bbffa0611f15ba44cff64d58e
9125Author: dtucker@openbsd.org <dtucker@openbsd.org>
9126Date: Fri Dec 16 01:06:27 2016 +0000
9127
9128 upstream commit
9129
9130 Move the "stop sshd" code into its own helper function.
9131 Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@
9132
9133 Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
9134
9135commit e15e7152331e3976b35475fd4e9c72897ad0f074
9136Author: djm@openbsd.org <djm@openbsd.org>
9137Date: Fri Dec 16 01:01:07 2016 +0000
9138
9139 upstream commit
9140
9141 regression test for certificates along with private key
9142 with no public half. bz#2617, mostly from Adam Eijdenberg
9143
9144 Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
9145
9146commit 9a70ec085faf6e55db311cd1a329f1a35ad2a500
9147Author: dtucker@openbsd.org <dtucker@openbsd.org>
9148Date: Thu Dec 15 23:50:37 2016 +0000
9149
9150 upstream commit
9151
9152 Use $SUDO to read pidfile in case root's umask is
9153 restricted. From portable.
9154
9155 Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
9156
9157commit fe06b68f824f8f55670442fb31f2c03526dd326c
9158Author: dtucker@openbsd.org <dtucker@openbsd.org>
9159Date: Thu Dec 15 21:29:05 2016 +0000
9160
9161 upstream commit
9162
9163 Add missing braces in DenyUsers code. Patch from zev at
9164 bewilderbeest.net, ok deraadt@
9165
9166 Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
9167
9168commit dcc7d74242a574fd5c4afbb4224795b1644321e7
9169Author: dtucker@openbsd.org <dtucker@openbsd.org>
9170Date: Thu Dec 15 21:20:41 2016 +0000
9171
9172 upstream commit
9173
9174 Fix text in error message. Patch from zev at
9175 bewilderbeest.net.
9176
9177 Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
9178
9179commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
9180Author: djm@openbsd.org <djm@openbsd.org>
9181Date: Wed Dec 14 00:36:34 2016 +0000
9182
9183 upstream commit
9184
9185 disable Unix-domain socket forwarding when privsep is
9186 disabled
9187
9188 Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
9189
9190commit 08a1e7014d65c5b59416a0e138c1f73f417496eb
9191Author: djm@openbsd.org <djm@openbsd.org>
9192Date: Fri Dec 9 03:04:29 2016 +0000
9193
9194 upstream commit
9195
9196 log connections dropped in excess of MaxStartups at
9197 verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@
9198
9199 Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
9200
9201commit 10e290ec00964b2bf70faab15a10a5574bb80527
9202Author: Darren Tucker <dtucker@zip.com.au>
9203Date: Tue Dec 13 13:51:32 2016 +1100
9204
9205 Get default of TEST_SSH_UTF8 from environment.
9206
9207commit b9b8ba3f9ed92c6220b58d70d1e6d8aa3eea1104
9208Author: Darren Tucker <dtucker@zip.com.au>
9209Date: Tue Dec 13 12:56:40 2016 +1100
9210
9211 Remove commented-out includes.
9212
9213 These commented-out includes have "Still needed?" comments. Since
9214 they've been commented out for ~13 years I assert that they're not.
9215
9216commit 25275f1c9d5f01a0877d39444e8f90521a598ea0
9217Author: Darren Tucker <dtucker@zip.com.au>
9218Date: Tue Dec 13 12:54:23 2016 +1100
9219
9220 Add prototype for strcasestr in compat library.
9221
9222commit afec07732aa2985142f3e0b9a01eb6391f523dec
9223Author: Darren Tucker <dtucker@zip.com.au>
9224Date: Tue Dec 13 10:23:03 2016 +1100
9225
9226 Add strcasestr to compat library.
9227
9228 Fixes build on (at least) Solaris 10.
9229
9230commit dda78a03af32e7994f132d923c2046e98b7c56c8
9231Author: Damien Miller <djm@mindrot.org>
9232Date: Mon Dec 12 13:57:10 2016 +1100
9233
9234 Force Turkish locales back to C/POSIX; bz#2643
9235
9236 Turkish locales are unique in their handling of the letters 'i' and
9237 'I' (yes, they are different letters) and OpenSSH isn't remotely
9238 prepared to deal with that. For now, the best we can do is to force
9239 OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
9240 encoding if possible.
9241
9242 ok dtucker@
9243
9244commit c35995048f41239fc8895aadc3374c5f75180554
9245Author: Darren Tucker <dtucker@zip.com.au>
9246Date: Fri Dec 9 12:52:02 2016 +1100
9247
9248 exit is in stdlib.h not unistd.h (that's _exit).
9249
9250commit d399a8b914aace62418c0cfa20341aa37a192f98
9251Author: Darren Tucker <dtucker@zip.com.au>
9252Date: Fri Dec 9 12:33:25 2016 +1100
9253
9254 Include <unistd.h> for exit in utf8 locale test.
9255
9256commit 47b8c99ab3221188ad3926108dd9d36da3b528ec
9257Author: Darren Tucker <dtucker@zip.com.au>
9258Date: Thu Dec 8 15:48:34 2016 +1100
9259
9260 Check for utf8 local support before testing it.
9261
9262 Check for utf8 local support and if not found, do not attempt to run the
9263 utf8 tests. Suggested by djm@
9264
9265commit 4089fc1885b3a2822204effbb02b74e3da58240d
9266Author: Darren Tucker <dtucker@zip.com.au>
9267Date: Thu Dec 8 12:57:24 2016 +1100
9268
9269 Use AC_PATH_TOOL for krb5-config.
9270
9271 This will use the host-prefixed version when cross compiling; patch from
9272 david.michael at coreos.com.
9273
9274commit b4867e0712c89b93be905220c82f0a15e6865d1e
9275Author: djm@openbsd.org <djm@openbsd.org>
9276Date: Tue Dec 6 07:48:01 2016 +0000
9277
9278 upstream commit
9279
9280 make IdentityFile successfully load and use certificates that
9281 have no corresponding bare public key. E.g. just a private id_rsa and
9282 certificate id_rsa-cert.pub (and no id_rsa.pub).
9283
9284 bz#2617 ok dtucker@
9285
9286 Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
9287
9288commit c9792783a98881eb7ed295680013ca97a958f8ac
9289Author: Damien Miller <djm@mindrot.org>
9290Date: Fri Nov 25 14:04:21 2016 +1100
9291
9292 Add a gnome-ssh-askpass3 target for GTK+3 version
9293
9294 Based on patch from Colin Watson via bz#2640
9295
9296commit 7be85ae02b9de0993ce0a1d1e978e11329f6e763
9297Author: Damien Miller <djm@mindrot.org>
9298Date: Fri Nov 25 14:03:53 2016 +1100
9299
9300 Make gnome-ssh-askpass2.c GTK+3-friendly
9301
9302 Patch from Colin Watson via bz#2640
9303
9304commit b9844a45c7f0162fd1b5465683879793d4cc4aaa
9305Author: djm@openbsd.org <djm@openbsd.org>
9306Date: Sun Dec 4 23:54:02 2016 +0000
9307
9308 upstream commit
9309
9310 Fix public key authentication when multiple
9311 authentication is in use. Instead of deleting and re-preparing the entire
9312 keys list, just reset the 'used' flags; the keys list is already in a good
9313 order (with already- tried keys at the back)
9314
9315 Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@
9316
9317 Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
9318
9319commit f2398eb774075c687b13af5bc22009eb08889abe
9320Author: dtucker@openbsd.org <dtucker@openbsd.org>
9321Date: Sun Dec 4 22:27:25 2016 +0000
9322
9323 upstream commit
9324
9325 Unlink PidFile on SIGHUP and always recreate it when the
9326 new sshd starts. Regression tests (and possibly other things) depend on the
9327 pidfile being recreated after SIGHUP, and unlinking it means it won't contain
9328 a stale pid if sshd fails to restart. ok djm@ markus@
9329
9330 Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
9331
9332commit 85aa2efeba51a96bf6834f9accf2935d96150296
9333Author: djm@openbsd.org <djm@openbsd.org>
9334Date: Wed Nov 30 03:01:33 2016 +0000
9335
9336 upstream commit
9337
9338 test new behaviour of cert force-command restriction vs.
9339 authorized_key/ principals
9340
9341 Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
9342
9343commit 5d333131cd8519d022389cfd3236280818dae1bc
9344Author: jmc@openbsd.org <jmc@openbsd.org>
9345Date: Wed Nov 30 06:54:26 2016 +0000
9346
9347 upstream commit
9348
9349 tweak previous; while here fix up FILES and AUTHORS;
9350
9351 Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
9352
9353commit 786d5994da79151180cb14a6cf157ebbba61c0cc
9354Author: djm@openbsd.org <djm@openbsd.org>
9355Date: Wed Nov 30 03:07:37 2016 +0000
9356
9357 upstream commit
9358
9359 add a whitelist of paths from which ssh-agent will load
9360 (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
9361
9362 Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
9363
9364commit 7844f357cdd90530eec81340847783f1f1da010b
9365Author: djm@openbsd.org <djm@openbsd.org>
9366Date: Wed Nov 30 03:00:05 2016 +0000
9367
9368 upstream commit
9369
9370 Add a sshd_config DisableForwaring option that disables
9371 X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
9372 anything else we might implement in the future.
9373
9374 This, like the 'restrict' authorized_keys flag, is intended to be a
9375 simple and future-proof way of restricting an account. Suggested as
9376 a complement to 'restrict' by Jann Horn; ok markus@
9377
9378 Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
9379
9380commit fd6dcef2030d23c43f986d26979f84619c10589d
9381Author: djm@openbsd.org <djm@openbsd.org>
9382Date: Wed Nov 30 02:57:40 2016 +0000
9383
9384 upstream commit
9385
9386 When a forced-command appears in both a certificate and
9387 an authorized keys/principals command= restriction, refuse to accept the
9388 certificate unless they are identical.
9389
9390 The previous (documented) behaviour of having the certificate forced-
9391 command override the other could be a bit confused and more error-prone.
9392
9393 Pointed out by Jann Horn of Project Zero; ok dtucker@
9394
9395 Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
9396
9397commit 7fc4766ac78abae81ee75b22b7550720bfa28a33
9398Author: dtucker@openbsd.org <dtucker@openbsd.org>
9399Date: Wed Nov 30 00:28:31 2016 +0000
9400
9401 upstream commit
9402
9403 On startup, check to see if sshd is already daemonized
9404 and if so, skip the call to daemon() and do not rewrite the PidFile. This
9405 means that when sshd re-execs itself on SIGHUP the process ID will no longer
9406 change. Should address bz#2641. ok djm@ markus@.
9407
9408 Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
9409
9410commit c9f880c195c65f1dddcbc4ce9d6bfea7747debcc
9411Author: Damien Miller <djm@mindrot.org>
9412Date: Wed Nov 30 13:51:49 2016 +1100
9413
9414 factor out common PRNG reseed before privdrop
9415
9416 Add a call to RAND_poll() to ensure than more than pid+time gets
9417 stirred into child processes states. Prompted by analysis from Jann
9418 Horn at Project Zero. ok dtucker@
9419
9420commit 79e4829ec81dead1b30999e1626eca589319a47f
9421Author: dtucker@openbsd.org <dtucker@openbsd.org>
9422Date: Fri Nov 25 03:02:01 2016 +0000
9423
9424 upstream commit
9425
9426 Allow PuTTY interop tests to run unattended. bz#2639,
9427 patch from cjwatson at debian.org.
9428
9429 Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
9430
9431commit 504c3a9a1bf090f6b27260fc3e8ea7d984d163dc
9432Author: dtucker@openbsd.org <dtucker@openbsd.org>
9433Date: Fri Nov 25 02:56:49 2016 +0000
9434
9435 upstream commit
9436
9437 Reverse args to sshd-log-wrapper. Matches change in
9438 portable, where it allows sshd do be optionally run under Valgrind.
9439
9440 Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
9441
9442commit bd13017736ec2f8f9ca498fe109fb0035f322733
9443Author: dtucker@openbsd.org <dtucker@openbsd.org>
9444Date: Fri Nov 25 02:49:18 2016 +0000
9445
9446 upstream commit
9447
9448 Fix typo in trace message; from portable.
9449
9450 Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
9451
9452commit 7da751d8b007c7f3e814fd5737c2351440d78b4c
9453Author: tb@openbsd.org <tb@openbsd.org>
9454Date: Tue Nov 1 13:43:27 2016 +0000
9455
9456 upstream commit
9457
9458 Clean up MALLOC_OPTIONS. For the unittests, move
9459 MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc.
9460
9461 ok otto
9462
9463 Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
9464
9465commit 36f58e68221bced35e06d1cca8d97c48807a8b71
9466Author: tb@openbsd.org <tb@openbsd.org>
9467Date: Mon Oct 31 23:45:08 2016 +0000
9468
9469 upstream commit
9470
9471 Remove the obsolete A and P flags from MALLOC_OPTIONS.
9472
9473 ok dtucker
9474
9475 Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59
9476
9477commit b0899ee26a6630883c0f2350098b6a35e647f512
9478Author: dtucker@openbsd.org <dtucker@openbsd.org>
9479Date: Tue Nov 29 03:54:50 2016 +0000
9480
9481 upstream commit
9482
9483 Factor out code to disconnect from controlling terminal
9484 into its own function. ok djm@
9485
9486 Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885
9487
9488commit 54d022026aae4f53fa74cc636e4a032d9689b64d
9489Author: djm@openbsd.org <djm@openbsd.org>
9490Date: Fri Nov 25 23:24:45 2016 +0000
9491
9492 upstream commit
9493
9494 use sshbuf_allocate() to pre-allocate the buffer used for
9495 loading keys. This avoids implicit realloc inside the buffer code, which
9496 might theoretically leave fragments of the key on the heap. This doesn't
9497 appear to happen in practice for normal sized keys, but was observed for
9498 novelty oversize ones.
9499
9500 Pointed out by Jann Horn of Project Zero; ok markus@
9501
9502 Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
9503
9504commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
9505Author: djm@openbsd.org <djm@openbsd.org>
9506Date: Fri Nov 25 23:22:04 2016 +0000
9507
9508 upstream commit
9509
9510 split allocation out of sshbuf_reserve() into a separate
9511 sshbuf_allocate() function; ok markus@
9512
9513 Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
9514
9515commit f0ddedee460486fa0e32fefb2950548009e5026e
9516Author: markus@openbsd.org <markus@openbsd.org>
9517Date: Wed Nov 23 23:14:15 2016 +0000
9518
9519 upstream commit
9520
9521 allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
9522 djm
9523
9524 Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
9525
9526commit 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
9527Author: djm@openbsd.org <djm@openbsd.org>
9528Date: Tue Nov 8 22:04:34 2016 +0000
9529
9530 upstream commit
9531
9532 unbreak DenyUsers; reported by henning@
9533
9534 Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
9535
9536commit 010359b32659f455fddd2bd85fd7cc4d7a3b994a
9537Author: djm@openbsd.org <djm@openbsd.org>
9538Date: Sun Nov 6 05:46:37 2016 +0000
9539
9540 upstream commit
9541
9542 Validate address ranges for AllowUser/DenyUsers at
9543 configuration load time and refuse to accept bad ones. It was previously
9544 possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
9545 these would always match.
9546
9547 Thanks to Laurence Parry for a detailed bug report. ok markus (for
9548 a previous diff version)
9549
9550 Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
9551
9552commit efb494e81d1317209256b38b49f4280897c61e69
9553Author: djm@openbsd.org <djm@openbsd.org>
9554Date: Fri Oct 28 03:33:52 2016 +0000
9555
9556 upstream commit
9557
9558 Improve pkcs11_add_provider() logging: demote some
9559 excessively verbose error()s to debug()s, include PKCS#11 provider name and
9560 slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
9561
9562 Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
9563
9564commit 5ee3fb5affd7646f141749483205ade5fc54adaf
9565Author: Darren Tucker <dtucker@zip.com.au>
9566Date: Tue Nov 1 08:12:33 2016 +1100
9567
9568 Use ptrace(PT_DENY_ATTACH, ..) on OS X.
9569
9570commit 315d2a4e674d0b7115574645cb51f968420ebb34
9571Author: Damien Miller <djm@mindrot.org>
9572Date: Fri Oct 28 14:34:07 2016 +1100
9573
9574 Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL
9575
9576 ok dtucker@
9577
9578commit a9ff3950b8e80ff971b4d44bbce96df27aed28af
9579Author: Darren Tucker <dtucker@zip.com.au>
9580Date: Fri Oct 28 14:26:58 2016 +1100
9581
9582 Move OPENSSL_NO_RIPEMD160 to compat.
9583
9584 Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the
9585 ripemd160 MACs.
9586
9587commit bce58885160e5db2adda3054c3b81fe770f7285a
9588Author: Darren Tucker <dtucker@zip.com.au>
9589Date: Fri Oct 28 13:52:31 2016 +1100
9590
9591 Check if RIPEMD160 is disabled in OpenSSL.
9592
9593commit d924640d4c355d1b5eca1f4cc60146a9975dbbff
9594Author: Darren Tucker <dtucker@zip.com.au>
9595Date: Fri Oct 28 13:38:19 2016 +1100
9596
9597 Skip ssh1 specfic ciphers.
9598
9599 cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try
9600 to compile them when Protocol 1 is not enabled.
9601
9602commit 79d078e7a49caef746516d9710ec369ba45feab6
9603Author: jsg@openbsd.org <jsg@openbsd.org>
9604Date: Tue Oct 25 04:08:13 2016 +0000
9605
9606 upstream commit
9607
9608 Fix logic in add_local_forward() that inverted a test
9609 when code was refactored out into bind_permitted(). This broke ssh port
9610 forwarding for non-priv ports as a non root user.
9611
9612 ok dtucker@ 'looks good' deraadt@
9613
9614 Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
9615
9616commit a903e315dee483e555c8a3a02c2946937f9b4e5d
9617Author: dtucker@openbsd.org <dtucker@openbsd.org>
9618Date: Mon Oct 24 01:09:17 2016 +0000
9619
9620 upstream commit
9621
9622 Remove dead breaks, found via opencoverage.net. ok
9623 deraadt@
9624
9625 Upstream-ID: ad9cc655829d67fad219762810770787ba913069
9626
9627commit b4e96b4c9bea4182846e4942ba2048e6d708ee54
9628Author: Darren Tucker <dtucker@zip.com.au>
9629Date: Wed Oct 26 08:43:25 2016 +1100
9630
9631 Use !=NULL instead of >0 for getdefaultproj.
9632
9633 getdefaultproj() returns a pointer so test it for NULL inequality
9634 instead of >0. Fixes compiler warning and is more correct. Patch from
9635 David Binderman.
9636
9637commit 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5
9638Author: dtucker@openbsd.org <dtucker@openbsd.org>
9639Date: Sun Oct 23 22:04:05 2016 +0000
9640
9641 upstream commit
9642
9643 Factor out "can bind to low ports" check into its own function. This will
9644 make it easier for Portable to support platforms with permissions models
9645 other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
9646 deraadt@.
9647
9648 Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
9649
9650commit 0b9ee623d57e5de7e83e66fd61a7ba9a5be98894
9651Author: dtucker@openbsd.org <dtucker@openbsd.org>
9652Date: Wed Oct 19 23:21:56 2016 +0000
9653
9654 upstream commit
9655
9656 When tearing down ControlMaster connecctions, don't
9657 pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@.
9658
9659 Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced
9660
9661commit 09e6a7d8354224933febc08ddcbc2010f542284e
9662Author: Darren Tucker <dtucker@zip.com.au>
9663Date: Mon Oct 24 09:06:18 2016 +1100
9664
9665 Wrap stdint.h include in ifdef.
9666
9667commit 08d9e9516e587b25127545c029e5464b2e7f2919
9668Author: Darren Tucker <dtucker@zip.com.au>
9669Date: Fri Oct 21 09:46:46 2016 +1100
9670
9671 Fix formatting.
9672
9673commit 461f50e7ab8751d3a55e9158c44c13031db7ba1d
9674Author: Darren Tucker <dtucker@zip.com.au>
9675Date: Fri Oct 21 06:55:58 2016 +1100
9676
9677 Update links to https.
9678
9679 www.openssh.com now supports https and ftp.openbsd.org no longer
9680 supports ftp. Make all links to these https.
9681
9682commit dd4e7212a6141f37742de97795e79db51e4427ad
9683Author: Darren Tucker <dtucker@zip.com.au>
9684Date: Fri Oct 21 06:48:46 2016 +1100
9685
9686 Update host key generation examples.
9687
9688 Remove ssh1 host key generation, add ssh-keygen -A
9689
9690commit 6d49ae82634c67e9a4d4af882bee20b40bb8c639
9691Author: Darren Tucker <dtucker@zip.com.au>
9692Date: Fri Oct 21 05:22:55 2016 +1100
9693
9694 Update links.
9695
9696 Make links to openssh.com HTTPS now that it's supported, point release
9697 notes link to the HTML release notes page, and update a couple of other
9698 links and bits of text.
9699
9700commit fe0d1ca6ace06376625084b004ee533f2c2ea9d6
9701Author: Darren Tucker <dtucker@zip.com.au>
9702Date: Thu Oct 20 03:42:09 2016 +1100
9703
9704 Remote channels .orig and .rej files.
9705
9706 These files were incorrectly added during an OpenBSD sync.