author Colin Watson <cjwatson@debian.org> 2017-03-29 01:35:00 +0100
committer Colin Watson <cjwatson@debian.org> 2017-03-29 01:35:00 +0100
commit 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
tree b4377d09196e24e2c6f2c2128f66f92cf7891105 /ChangeLog
parent 971a7653746a6972b907dfe0ce139c06e4a6f482
parent d38f05dbdd291212bc95ea80648b72b7177e9f4e
Import openssh_7.5p1.orig.tar.gz
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 3214
1 files changed, 1171 insertions, 2043 deletions
diff --git a/ChangeLog b/ChangeLog
index d48aba33c..48f648d78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,1174 @@
1commit d38f05dbdd291212bc95ea80648b72b7177e9f4e
2Author: Darren Tucker <dtucker@zip.com.au>
3Date: Mon Mar 20 13:38:27 2017 +1100
4
5 Add llabs() implementation.
6
7commit 72536316a219b7394996a74691a5d4ec197480f7
8Author: Damien Miller <djm@mindrot.org>
9Date: Mon Mar 20 12:23:04 2017 +1100
10
11 crank version numbers
12
13commit 3be52bc36bdfd24ded7e0f46999e7db520fb4e3f
14Author: djm@openbsd.org <djm@openbsd.org>
15Date: Mon Mar 20 01:18:59 2017 +0000
16
17 upstream commit
18
19 openssh-7.5
20
21 Upstream-ID: b8b9a4a949427c393cd868215e1724ceb3467ee5
22
23commit db84e52fe9cfad57f22e7e23c5fbf00092385129
24Author: Damien Miller <djm@mindrot.org>
25Date: Mon Mar 20 12:07:20 2017 +1100
26
27 I'm a doofus.
28
29 Unbreak obvious syntax error.
30
31commit 89f04852db27643717c9c3a2b0dde97ae50099ee
32Author: Damien Miller <djm@mindrot.org>
33Date: Mon Mar 20 11:53:34 2017 +1100
34
35 on Cygwin, check paths from server for backslashes
36
37 Pointed out by Jann Horn of Google Project Zero
38
39commit 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9
40Author: Damien Miller <djm@mindrot.org>
41Date: Mon Mar 20 11:48:34 2017 +1100
42
43 Yet another synonym for ASCII: "646"
44
45 Used by NetBSD; this unbreaks mprintf() and friends there for the C
46 locale (caught by dtucker@ and his menagerie of test systems).
47
48commit 9165abfea3f68a0c684a6ed2e575e59bc31a3a6b
49Author: Damien Miller <djm@mindrot.org>
50Date: Mon Mar 20 09:58:34 2017 +1100
51
52 create test mux socket in /tmp
53
54 Creating the socket in $OBJ could blow past the (quite limited)
55 path limit for Unix domain sockets. As a bandaid for bz#2660,
56 reported by Colin Watson; ok dtucker@
57
58commit 2adbe1e63bc313d03e8e84e652cc623af8ebb163
59Author: markus@openbsd.org <markus@openbsd.org>
60Date: Wed Mar 15 07:07:39 2017 +0000
61
62 upstream commit
63
64 disallow KEXINIT before NEWKEYS; ok djm; report by
65 vegard.nossum at oracle.com
66
67 Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
68
69commit 2fbf91684d76d38b9cf06550b69c9e41bca5a71c
70Author: Darren Tucker <dtucker@zip.com.au>
71Date: Thu Mar 16 14:05:46 2017 +1100
72
73 Include includes.h for compat bits.
74
75commit b55f634e96b9c5b0cd991e23a9ca181bec4bdbad
76Author: Darren Tucker <dtucker@zip.com.au>
77Date: Thu Mar 16 13:45:17 2017 +1100
78
79 Wrap stdint.h in #ifdef HAVE_STDINT_H
80
81commit 55a1117d7342a0bf8b793250cf314bab6b482b99
82Author: Damien Miller <djm@mindrot.org>
83Date: Thu Mar 16 11:22:42 2017 +1100
84
85 Adapt Cygwin config script to privsep knob removal
86
87 Patch from Corinna Vinschen.
88
89commit 1a321bfdb91defe3c4d9cca5651724ae167e5436
90Author: deraadt@openbsd.org <deraadt@openbsd.org>
91Date: Wed Mar 15 03:52:30 2017 +0000
92
93 upstream commit
94
95 accidents happen to the best of us; ok djm
96
97 Upstream-ID: b7a9dbd71011ffde95e06f6945fe7197dedd1604
98
99commit 25f837646be8c2017c914d34be71ca435dfc0e07
100Author: djm@openbsd.org <djm@openbsd.org>
101Date: Wed Mar 15 02:25:09 2017 +0000
102
103 upstream commit
104
105 fix regression in 7.4: deletion of PKCS#11-hosted keys
106 would fail unless they were specified by full physical pathname. Report and
107 fix from Jakub Jelen via bz#2682; ok dtucker@
108
109 Upstream-ID: 5b5bc20ca11cacb5d5eb29c3f93fd18425552268
110
111commit a8c5eeacf032a7d3408957e45dd7603cc1baf55f
112Author: djm@openbsd.org <djm@openbsd.org>
113Date: Wed Mar 15 02:19:09 2017 +0000
114
115 upstream commit
116
117 Fix segfault when sshd attempts to load RSA1 keys (can
118 only happen when protocol v.1 support is enabled for the client). Reported by
119 Jakub Jelen in bz#2686; ok dtucker
120
121 Upstream-ID: 8fdaec2ba4b5f65db1d094f6714ce64b25d871d7
122
123commit 66705948c0639a7061a0d0753266da7685badfec
124Author: djm@openbsd.org <djm@openbsd.org>
125Date: Tue Mar 14 07:19:07 2017 +0000
126
127 upstream commit
128
129 Mark the sshd_config UsePrivilegeSeparation option as
130 deprecated, effectively making privsep mandatory in sandboxing mode. ok
131 markus@ deraadt@
132
133 (note: this doesn't remove the !privsep code paths, though that will
134 happen eventually).
135
136 Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
137
138commit f86586b03fe6cd8f595289bde200a94bc2c191af
139Author: Damien Miller <djm@mindrot.org>
140Date: Tue Mar 14 18:26:29 2017 +1100
141
142 Make seccomp-bpf sandbox work on Linux/X32
143
144 Allow clock_gettime syscall with X32 bit masked off. Apparently
145 this is required for at least some kernel versions. bz#2142
146 Patch mostly by Colin Watson. ok dtucker@
147
148commit 2429cf78dd2a9741ce27ba25ac41c535274a0af6
149Author: Damien Miller <djm@mindrot.org>
150Date: Tue Mar 14 18:01:52 2017 +1100
151
152 require OpenSSL >=1.0.1
153
154commit e3ea335abeab731c68f2b2141bee85a4b0bf680f
155Author: Damien Miller <djm@mindrot.org>
156Date: Tue Mar 14 17:48:43 2017 +1100
157
158 Remove macro trickery; no binary change
159
160 This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
161 prepending __NR_ to the syscall number parameter and just makes
162 them explicit in the macro invocations.
163
164 No binary change in stripped object file before/after.
165
166commit 5f1596e11d55539678c41f68aed358628d33d86f
167Author: Damien Miller <djm@mindrot.org>
168Date: Tue Mar 14 13:15:18 2017 +1100
169
170 support ioctls for ICA crypto card on Linux/s390
171
172 Based on patch from Eduardo Barretto; ok dtucker@
173
174commit b1b22dd0df2668b322dda174e501dccba2cf5c44
175Author: Darren Tucker <dtucker@zip.com.au>
176Date: Tue Mar 14 14:19:36 2017 +1100
177
178 Plumb conversion test into makefile.
179
180commit f57783f1ddfb4cdfbd612c6beb5ec01cb5b9a6b9
181Author: dtucker@openbsd.org <dtucker@openbsd.org>
182Date: Tue Mar 14 01:20:29 2017 +0000
183
184 upstream commit
185
186 Add unit test for convtime().
187
188 Upstream-Regress-ID: 8717bc0ca4c21120f6dd3a1d3b7a363f707c31e1
189
190commit 8884b7247d094cd11ff9e39c325ba928c5bdbc6c
191Author: dtucker@openbsd.org <dtucker@openbsd.org>
192Date: Tue Mar 14 01:10:07 2017 +0000
193
194 upstream commit
195
196 Add ASSERT_LONG_* helpers.
197
198 Upstream-Regress-ID: fe15beaea8f5063c7f21b0660c722648e3d76431
199
200commit c6774d21185220c0ba11e8fd204bf0ad1a432071
201Author: dtucker@openbsd.org <dtucker@openbsd.org>
202Date: Tue Mar 14 00:55:37 2017 +0000
203
204 upstream commit
205
206 Fix convtime() overflow test on boundary condition,
207 spotted by & ok djm.
208
209 Upstream-ID: 51f14c507ea87a3022e63f574100613ab2ba5708
210
211commit f5746b40cfe6d767c8e128fe50c43274b31cd594
212Author: dtucker@openbsd.org <dtucker@openbsd.org>
213Date: Tue Mar 14 00:25:03 2017 +0000
214
215 upstream commit
216
217 Check for integer overflow when parsing times in
218 convtime(). Reported by nicolas.iooss at m4x.org, ok djm@
219
220 Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13
221
222commit f5907982f42a8d88a430b8a46752cbb7859ba979
223Author: Darren Tucker <dtucker@zip.com.au>
224Date: Tue Mar 14 13:38:15 2017 +1100
225
226 Add a "unit" target to run only unit tests.
227
228commit 9e96b41682aed793fadbea5ccd472f862179fb02
229Author: Damien Miller <djm@mindrot.org>
230Date: Tue Mar 14 12:24:47 2017 +1100
231
232 Fix weakness in seccomp-bpf sandbox arg inspection
233
234 Syscall arguments are passed via an array of 64-bit values in struct
235 seccomp_data, but we were only inspecting the bottom 32 bits and not
236 even those correctly for BE systems.
237
238 Fortunately, the only case argument inspection was used was in the
239 socketcall filtering so using this for sandbox escape seems
240 impossible.
241
242 ok dtucker
243
244commit 8ff3fc3f2f7c13e8968717bc2b895ee32c441275
245Author: djm@openbsd.org <djm@openbsd.org>
246Date: Sat Mar 11 23:44:16 2017 +0000
247
248 upstream commit
249
250 regress tests for loading certificates without public keys;
251 bz#2617 based on patch from Adam Eijdenberg; ok markus@ dtucker@
252
253 Upstream-Regress-ID: 0145d19328ed995b73fe2d9da33596b17429d0d0
254
255commit 1e24552716194db8f2f620587b876158a9ef56ad
256Author: djm@openbsd.org <djm@openbsd.org>
257Date: Sat Mar 11 23:40:26 2017 +0000
258
259 upstream commit
260
261 allow ssh to use certificates accompanied by a private
262 key file but no corresponding plain *.pub public key. bz#2617 based on patch
263 from Adam Eijdenberg; ok dtucker@ markus@
264
265 Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9
266
267commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e
268Author: markus@openbsd.org <markus@openbsd.org>
269Date: Sat Mar 11 13:07:35 2017 +0000
270
271 upstream commit
272
273 Don't count the initial block twice when computing how
274 many bytes to discard for the work around for the attacks against CBC-mode.
275 ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
276
277 Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
278
279commit ef653dd5bd5777132d9f9ee356225f9ee3379504
280Author: dtucker@openbsd.org <dtucker@openbsd.org>
281Date: Fri Mar 10 07:18:32 2017 +0000
282
283 upstream commit
284
285 krl.c
286
287 Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
288
289commit d94c1dfef2ea30ca67b1204ada7c3b537c54f4d0
290Author: Damien Miller <djm@mindrot.org>
291Date: Sun Mar 12 10:48:14 2017 +1100
292
293 sync fmt_scaled.c with OpenBSD
294
295 revision 1.13
296 date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R;
297 fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
298 using AFL against ssh_config. ok deraadt@ millert@
299 ----------------------------
300 revision 1.12
301 date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5;
302 fairly simple unsigned char casts for ctype
303 ok krw
304 ----------------------------
305 revision 1.11
306 date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2;
307 make scan_scaled set errno to EINVAL rather than ERANGE if it encounters
308 an invalid multiplier, like the man page says it should
309
310 "looks sensible" deraadt@, ok ian@
311 ----------------------------
312 revision 1.10
313 date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4;
314 use llabs instead of the home-grown version; and some comment changes
315 ok ian@, millert@
316 ----------------------------
317
318commit 894221a63fa061e52e414ca58d47edc5fe645968
319Author: djm@openbsd.org <djm@openbsd.org>
320Date: Fri Mar 10 05:01:13 2017 +0000
321
322 upstream commit
323
324 When updating hostkeys, accept RSA keys if
325 HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
326 keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
327 nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
328 dtucker@
329
330 Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
331
332commit dd3e2298663f4cc1a06bc69582d00dcfee27d73c
333Author: djm@openbsd.org <djm@openbsd.org>
334Date: Fri Mar 10 04:24:55 2017 +0000
335
336 upstream commit
337
338 make hostname matching really insensitive to case;
339 bz#2685, reported by Petr Cerny; ok dtucker@
340
341 Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253
342
343commit 77a9be9446697fe8b5499fe651f4a82a71a4b51f
344Author: djm@openbsd.org <djm@openbsd.org>
345Date: Fri Mar 10 03:52:48 2017 +0000
346
347 upstream commit
348
349 reword a comment to make it fit 80 columns
350
351 Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4
352
353commit 61b8ef6a66efaec07e023342cb94a10bdc2254dc
354Author: djm@openbsd.org <djm@openbsd.org>
355Date: Fri Mar 10 04:27:32 2017 +0000
356
357 upstream commit
358
359 better match sshd config parser behaviour: fatal() if
360 line is overlong, increase line buffer to match sshd's; bz#2651 reported by
361 Don Fong; ok dtucker@
362
363 Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
364
365commit db2597207e69912f2592cd86a1de8e948a9d7ffb
366Author: djm@openbsd.org <djm@openbsd.org>
367Date: Fri Mar 10 04:26:06 2017 +0000
368
369 upstream commit
370
371 ensure hostname is lower-case before hashing it;
372 bz#2591 reported by Griff Miller II; ok dtucker@
373
374 Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
375
376commit df9936936c695f85c1038bd706d62edf752aca4b
377Author: djm@openbsd.org <djm@openbsd.org>
378Date: Fri Mar 10 04:24:55 2017 +0000
379
380 upstream commit
381
382 make hostname matching really insensitive to case;
383 bz#2685, reported by Petr Cerny; ok dtucker@
384
385 Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549
386
387commit 67eed24bfa7645d88fa0b883745fccb22a0e527e
388Author: dtucker@openbsd.org <dtucker@openbsd.org>
389Date: Fri Mar 10 04:11:00 2017 +0000
390
391 upstream commit
392
393 Remove old null check from config dumper. Patch from
394 jjelen at redhat.com vi bz#2687, ok djm@
395
396 Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
397
398commit 183ba55aaaecca0206184b854ad6155df237adbe
399Author: djm@openbsd.org <djm@openbsd.org>
400Date: Fri Mar 10 04:07:20 2017 +0000
401
402 upstream commit
403
404 fix regression in 7.4 server-sig-algs, where we were
405 accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
406 Goncalves; ok dtucker@
407
408 Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
409
410commit 66be4fe8c4435af5bbc82998501a142a831f1181
411Author: dtucker@openbsd.org <dtucker@openbsd.org>
412Date: Fri Mar 10 03:53:11 2017 +0000
413
414 upstream commit
415
416 Check for NULL return value from key_new. Patch from
417 jjelen at redhat.com via bz#2687, ok djm@
418
419 Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e
420
421commit ec2892b5c7fea199914cb3a6afb3af38f84990bf
422Author: djm@openbsd.org <djm@openbsd.org>
423Date: Fri Mar 10 03:52:48 2017 +0000
424
425 upstream commit
426
427 reword a comment to make it fit 80 columns
428
429 Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349
430
431commit 7fadbb6da3f4122de689165651eb39985e1cba85
432Author: dtucker@openbsd.org <dtucker@openbsd.org>
433Date: Fri Mar 10 03:48:57 2017 +0000
434
435 upstream commit
436
437 Check for NULL argument to sshkey_read. Patch from
438 jjelen at redhat.com via bz#2687, ok djm@
439
440 Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
441
442commit 5a06b9e019e2b0b0f65a223422935b66f3749de3
443Author: dtucker@openbsd.org <dtucker@openbsd.org>
444Date: Fri Mar 10 03:45:40 2017 +0000
445
446 upstream commit
447
448 Plug some mem leaks mostly on error paths. From jjelen
449 at redhat.com via bz#2687, ok djm@
450
451 Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
452
453commit f6edbe9febff8121f26835996b1229b5064d31b7
454Author: dtucker@openbsd.org <dtucker@openbsd.org>
455Date: Fri Mar 10 03:24:48 2017 +0000
456
457 upstream commit
458
459 Plug mem leak on GLOB_NOMATCH case. From jjelen at
460 redhat.com via bz#2687, ok djm@
461
462 Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
463
464commit 566b3a46e89a2fda2db46f04f2639e92da64a120
465Author: dtucker@openbsd.org <dtucker@openbsd.org>
466Date: Fri Mar 10 03:22:40 2017 +0000
467
468 upstream commit
469
470 Plug descriptor leaks of auth_sock. From jjelen at
471 redhat.com via bz#2687, ok djm@
472
473 Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88
474
475commit 8a2834454c73dfc1eb96453c0e97690595f3f4c2
476Author: djm@openbsd.org <djm@openbsd.org>
477Date: Fri Mar 10 03:18:24 2017 +0000
478
479 upstream commit
480
481 correctly hash hosts with a port number. Reported by Josh
482 Powers in bz#2692; ok dtucker@
483
484 Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
485
486commit 9747b9c742de409633d4753bf1a752cbd211e2d3
487Author: djm@openbsd.org <djm@openbsd.org>
488Date: Fri Mar 10 03:15:58 2017 +0000
489
490 upstream commit
491
492 don't truncate off \r\n from long stderr lines; bz#2688,
493 reported by Brian Dyson; ok dtucker@
494
495 Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4
496
497commit 4a4b75adac862029a1064577eb5af299b1580cdd
498Author: dtucker@openbsd.org <dtucker@openbsd.org>
499Date: Fri Mar 10 02:59:51 2017 +0000
500
501 upstream commit
502
503 Validate digest arg in ssh_digest_final; from jjelen at
504 redhat.com via bz#2687, ok djm@
505
506 Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878
507
508commit bee0167be2340d8de4bdc1ab1064ec957c85a447
509Author: Darren Tucker <dtucker@zip.com.au>
510Date: Fri Mar 10 13:40:18 2017 +1100
511
512 Check for NULL from malloc.
513
514 Part of bz#2687, from jjelen at redhat.com.
515
516commit da39b09d43b137a5a3d071b51589e3efb3701238
517Author: Darren Tucker <dtucker@zip.com.au>
518Date: Fri Mar 10 13:22:32 2017 +1100
519
520 If OSX is using launchd, remove screen no.
521
522 Check for socket with and without screen number. From Apple and Jakob
523 Schlyter via bz#2341, with contributions from Ron Frederick, ok djm@
524
525commit 8fb15311a011517eb2394bb95a467c209b8b336c
526Author: djm@openbsd.org <djm@openbsd.org>
527Date: Wed Mar 8 12:07:47 2017 +0000
528
529 upstream commit
530
531 quote [host]:port in generated ProxyJump commandline; the
532 [ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri
533 Tirkkonen via bugs@
534
535 Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
536
537commit 18501151cf272a15b5f2c5e777f2e0933633c513
538Author: dtucker@openbsd.org <dtucker@openbsd.org>
539Date: Mon Mar 6 02:03:20 2017 +0000
540
541 upstream commit
542
543 Check l->hosts before dereferencing; fixes potential null
544 pointer deref. ok djm@
545
546 Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
547
548commit d072370793f1a20f01ad827ba8fcd3b8f2c46165
549Author: dtucker@openbsd.org <dtucker@openbsd.org>
550Date: Mon Mar 6 00:44:51 2017 +0000
551
552 upstream commit
553
554 linenum is unsigned long so use %lu in log formats. ok
555 deraadt@
556
557 Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
558
559commit 12d3767ba4c84c32150cbe6ff6494498780f12c9
560Author: djm@openbsd.org <djm@openbsd.org>
561Date: Fri Mar 3 06:13:11 2017 +0000
562
563 upstream commit
564
565 fix ssh-keygen -H accidentally corrupting known_hosts that
566 contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
567 hostkeys_foreach() when hostname matching is in use, so we need to look for
568 the hash marker explicitly.
569
570 Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
571
572commit d7abb771bd5a941b26144ba400a34563a1afa589
573Author: djm@openbsd.org <djm@openbsd.org>
574Date: Tue Feb 28 06:10:08 2017 +0000
575
576 upstream commit
577
578 small memleak: free fd_set on connection timeout (though
579 we are heading to exit anyway). From Tom Rix in bz#2683
580
581 Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
582
583commit 78142e3ab3887e53a968d6e199bcb18daaf2436e
584Author: jmc@openbsd.org <jmc@openbsd.org>
585Date: Mon Feb 27 14:30:33 2017 +0000
586
587 upstream commit
588
589 errant dot; from klemens nanni
590
591 Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
592
593commit 8071a6924c12bb51406a9a64a4b2892675112c87
594Author: djm@openbsd.org <djm@openbsd.org>
595Date: Fri Feb 24 03:16:34 2017 +0000
596
597 upstream commit
598
599 might as well set the listener socket CLOEXEC
600
601 Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57
602
603commit d5499190559ebe374bcdfa8805408646ceffad64
604Author: djm@openbsd.org <djm@openbsd.org>
605Date: Sun Feb 19 00:11:29 2017 +0000
606
607 upstream commit
608
609 add test cases for C locale; ok schwarze@
610
611 Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87
612
613commit 011c8ffbb0275281a0cf330054cf21be10c43e37
614Author: djm@openbsd.org <djm@openbsd.org>
615Date: Sun Feb 19 00:10:57 2017 +0000
616
617 upstream commit
618
619 Add a common nl_langinfo(CODESET) alias for US-ASCII
620 "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for
621 non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@
622
623 Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719
624
625commit 0c4430a19b73058a569573492f55e4c9eeaae67b
626Author: dtucker@openbsd.org <dtucker@openbsd.org>
627Date: Tue Feb 7 23:03:11 2017 +0000
628
629 upstream commit
630
631 Remove deprecated SSH1 options RSAAuthentication and
632 RhostsRSAAuthentication from regression test sshd_config.
633
634 Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
635
636commit 3baa4cdd197c95d972ec3d07f1c0d08f2d7d9199
637Author: dtucker@openbsd.org <dtucker@openbsd.org>
638Date: Fri Feb 17 02:32:05 2017 +0000
639
640 upstream commit
641
642 Do not show rsa1 key type in usage when compiled without
643 SSH1 support.
644
645 Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
646
647commit ecc35893715f969e98fee118481f404772de4132
648Author: dtucker@openbsd.org <dtucker@openbsd.org>
649Date: Fri Feb 17 02:31:14 2017 +0000
650
651 upstream commit
652
653 ifdef out "rsa1" from the list of supported keytypes when
654 compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@
655
656 Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
657
658commit 10577c6d96a55b877a960b2d0b75edef1b9945af
659Author: djm@openbsd.org <djm@openbsd.org>
660Date: Fri Feb 17 02:04:15 2017 +0000
661
662 upstream commit
663
664 For ProxyJump/-J, surround host name with brackets to
665 allow literal IPv6 addresses. From Dick Visser; ok dtucker@
666
667 Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
668
669commit b2afdaf1b52231aa23d2153f4a8c5a60a694dda4
670Author: jsg@openbsd.org <jsg@openbsd.org>
671Date: Wed Feb 15 23:38:31 2017 +0000
672
673 upstream commit
674
675 Fix memory leaks in match_filter_list() error paths.
676
677 ok dtucker@ markus@
678
679 Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
680
681commit 6d5a41b38b55258213ecfaae9df7a758caa752a1
682Author: djm@openbsd.org <djm@openbsd.org>
683Date: Wed Feb 15 01:46:47 2017 +0000
684
685 upstream commit
686
687 fix division by zero crash in "df" output when server
688 returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok
689 dtucker@
690
691 Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
692
693commit bd5d7d239525d595ecea92765334af33a45d9d63
694Author: Darren Tucker <dtucker@zip.com.au>
695Date: Sun Feb 12 15:45:15 2017 +1100
696
697 ifdef out EVP_R_PRIVATE_KEY_DECODE_ERROR
698
699 EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out
700 for the benefit of OpenSSL versions prior to that.
701
702commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe
703Author: djm@openbsd.org <djm@openbsd.org>
704Date: Fri Feb 10 04:34:50 2017 +0000
705
706 upstream commit
707
708 bring back r1.34 that was backed out for problems loading
709 public keys:
710
711 translate OpenSSL error codes to something more
712 meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
713
714 with additional fix from Jakub Jelen to solve the backout.
715 bz#2525 bz#2523 re-ok dtucker@
716
717 Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
718
719commit a287c5ad1e0bf9811c7b9221979b969255076019
720Author: djm@openbsd.org <djm@openbsd.org>
721Date: Fri Feb 10 03:36:40 2017 +0000
722
723 upstream commit
724
725 Sanitise escape sequences in key comments sent to printf
726 but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
727
728 Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
729
730commit e40269be388972848aafcca7060111c70aab5b87
731Author: millert@openbsd.org <millert@openbsd.org>
732Date: Wed Feb 8 20:32:43 2017 +0000
733
734 upstream commit
735
736 Avoid printf %s NULL. From semarie@, OK djm@
737
738 Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
739
740commit 5b90709ab8704dafdb31e5651073b259d98352bc
741Author: djm@openbsd.org <djm@openbsd.org>
742Date: Mon Feb 6 09:22:51 2017 +0000
743
744 upstream commit
745
746 Restore \r\n newline sequence for server ident string. The CR
747 got lost in the flensing of SSHv1. Pointed out by Stef Bon
748
749 Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
750
751commit 97c31c46ee2e6b46dfffdfc4f90bbbf188064cbc
752Author: djm@openbsd.org <djm@openbsd.org>
753Date: Fri Feb 3 23:01:42 2017 +0000
754
755 upstream commit
756
757 unit test for match_filter_list() function; still want a
758 better name for this...
759
760 Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
761
762commit f1a193464a7b77646f0d0cedc929068e4a413ab4
763Author: djm@openbsd.org <djm@openbsd.org>
764Date: Fri Feb 3 23:05:57 2017 +0000
765
766 upstream commit
767
768 use ssh_packet_set_log_preamble() to include connection
769 username in packet log messages, e.g.
770
771 Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
772
773 ok markus@ bz#113
774
775 Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
776
777commit 07edd7e9537ab32aa52abb5fb2a915c350fcf441
778Author: djm@openbsd.org <djm@openbsd.org>
779Date: Fri Feb 3 23:03:33 2017 +0000
780
781 upstream commit
782
783 add ssh_packet_set_log_preamble() to allow inclusion of a
784 preamble string in disconnect messages; ok markus@
785
786 Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
787
788commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
789Author: djm@openbsd.org <djm@openbsd.org>
790Date: Fri Feb 3 23:01:19 2017 +0000
791
792 upstream commit
793
794 support =- for removing methods from algorithms lists,
795 e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
796 it" markus@
797
798 Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
799
800commit c924b2ef941028a1f31e6e94f54dfeeeef462a4e
801Author: djm@openbsd.org <djm@openbsd.org>
802Date: Fri Feb 3 05:05:56 2017 +0000
803
804 upstream commit
805
806 allow form-feed characters at EOL; bz#2431 ok dtucker@
807
808 Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
809
810commit 523db8540b720c4d21ab0ff6f928476c70c38aab
811Author: Damien Miller <djm@mindrot.org>
812Date: Fri Feb 3 16:01:22 2017 +1100
813
814 prefer to use ldns-config to find libldns
815
816 Should fix bz#2603 - "Build with ldns and without kerberos support
817 fails if ldns compiled with kerberos support" by including correct
818 cflags/libs
819
820 ok dtucker@
821
822commit c998bf0afa1a01257a53793eba57941182e9e0b7
823Author: dtucker@openbsd.org <dtucker@openbsd.org>
824Date: Fri Feb 3 02:56:00 2017 +0000
825
826 upstream commit
827
828 Make ssh_packet_set_rekey_limits take u32 for the number of
829 seconds until rekeying (negative values are rejected at config parse time).
830 This allows the removal of some casts and a signed vs unsigned comparison
831 warning.
832
833 rekey_time is cast to int64 for the comparison which is a no-op
834 on OpenBSD, but should also do the right thing in -portable on
835 anything still using 32bit time_t (until the system time actually
836 wraps, anyway).
837
838 some early guidance deraadt@, ok djm@
839
840 Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
841
842commit 3ec5fa4ba97d4c4853620daea26a33b9f1fe3422
843Author: jsg@openbsd.org <jsg@openbsd.org>
844Date: Thu Feb 2 10:54:25 2017 +0000
845
846 upstream commit
847
848 In vasnmprintf() return an error if malloc fails and
849 don't set a function argument to the address of free'd memory.
850
851 ok djm@
852
853 Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779
854
855commit 858252fb1d451ebb0969cf9749116c8f0ee42753
856Author: dtucker@openbsd.org <dtucker@openbsd.org>
857Date: Wed Feb 1 02:59:09 2017 +0000
858
859 upstream commit
860
861 Return true reason for port forwarding failures where
862 feasible rather than always "administratively prohibited". bz#2674, ok djm@
863
864 Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
865
866commit 6ba9f893838489add6ec4213c7a997b425e4a9e0
867Author: dtucker@openbsd.org <dtucker@openbsd.org>
868Date: Mon Jan 30 23:27:39 2017 +0000
869
870 upstream commit
871
872 Small correction to the known_hosts section on when it is
873 updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
874 sdf.org
875
876 Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
877
878commit c61d5ec3c11e7ff9779b6127421d9f166cf10915
879Author: Darren Tucker <dtucker@zip.com.au>
880Date: Fri Feb 3 14:10:34 2017 +1100
881
882 Remove _XOPEN_SOURCE from wide char detection.
883
884 Having _XOPEN_SOURCE unconditionally causes problems on some platforms
885 and configurations, notably Solaris 64-bit binaries. It was there for
886 the benefit of Linux put the required bits in the *-*linux* section.
887
888 Patch from yvoinov at gmail.com.
889
890commit f25ee13b3e81fd80efeb871dc150fe49d7fc8afd
891Author: djm@openbsd.org <djm@openbsd.org>
892Date: Mon Jan 30 05:22:14 2017 +0000
893
894 upstream commit
895
896 fully unbreak: some $SSH invocations did not have -F
897 specified and could pick up the ~/.ssh/config of the user running the tests
898
899 Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89
900
901commit 6956e21fb26652887475fe77ea40d2efcf25908b
902Author: djm@openbsd.org <djm@openbsd.org>
903Date: Mon Jan 30 04:54:07 2017 +0000
904
905 upstream commit
906
907 partially unbreak: was not specifying hostname on some
908 $SSH invocations
909
910 Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc
911
912commit 52763dd3fe0a4678dafdf7aeb32286e514130afc
913Author: djm@openbsd.org <djm@openbsd.org>
914Date: Mon Jan 30 01:03:00 2017 +0000
915
916 upstream commit
917
918 revise keys/principals command hang fix (bz#2655) to
919 consume entire output, avoiding sending SIGPIPE to subprocesses early; ok
920 dtucker@
921
922 Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
923
924commit 381a2615a154a82c4c53b787f4a564ef894fe9ac
925Author: djm@openbsd.org <djm@openbsd.org>
926Date: Mon Jan 30 00:38:50 2017 +0000
927
928 upstream commit
929
930 small cleanup post SSHv1 removal:
931
932 remove SSHv1-isms in commented examples
933
934 reorder token table to group deprecated and compile-time conditional tokens
935 better
936
937 fix config dumping code for some compile-time conditional options that
938 weren't being correctly skipped (SSHv1 and PKCS#11)
939
940 Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
941
942commit 4833d01591b7eb049489d9558b65f5553387ed43
943Author: djm@openbsd.org <djm@openbsd.org>
944Date: Mon Jan 30 00:34:01 2017 +0000
945
946 upstream commit
947
948 some explicit NULL tests when dumping configured
949 forwardings; from Karsten Weiss
950
951 Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
952
953commit 326e2fae9f2e3e067b5651365eba86b35ee5a6b2
954Author: djm@openbsd.org <djm@openbsd.org>
955Date: Mon Jan 30 00:32:28 2017 +0000
956
957 upstream commit
958
959 misplaced braces in test; from Karsten Weiss
960
961 Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae
962
963commit 3e032a95e46bfaea9f9e857678ac8fa5f63997fb
964Author: djm@openbsd.org <djm@openbsd.org>
965Date: Mon Jan 30 00:32:03 2017 +0000
966
967 upstream commit
968
969 don't dereference authctxt before testing != NULL, it
970 causes compilers to make assumptions; from Karsten Weiss
971
972 Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
973
974commit 01cfaa2b1cfb84f3cdd32d1bf82b120a8d30e057
975Author: djm@openbsd.org <djm@openbsd.org>
976Date: Fri Jan 6 02:51:16 2017 +0000
977
978 upstream commit
979
980 use correct ssh-add program; bz#2654, from Colin Watson
981
982 Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030
983
984commit e5c7ec67cdc42ae2584085e0fc5cc5ee91133cf5
985Author: dtucker@openbsd.org <dtucker@openbsd.org>
986Date: Fri Jan 6 02:26:10 2017 +0000
987
988 upstream commit
989
990 Account for timeouts in the integrity tests as failures.
991
992 If the first test in a series for a given MAC happens to modify the low
993 bytes of a packet length, then ssh will time out and this will be
994 interpreted as a test failure. Patch from cjwatson at debian.org via
995 bz#2658.
996
997 Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
998
999commit dbaf599b61bd6e0f8469363a8c8e7f633b334018
1000Author: dtucker@openbsd.org <dtucker@openbsd.org>
1001Date: Fri Jan 6 02:09:25 2017 +0000
1002
1003 upstream commit
1004
1005 Make forwarding test less racy by using unix domain
1006 sockets instead of TCP ports where possible. Patch from cjwatson at
1007 debian.org via bz#2659.
1008
1009 Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
1010
1011commit 9390b0031ebd6eb5488d3bc4d4333c528dffc0a6
1012Author: dtucker@openbsd.org <dtucker@openbsd.org>
1013Date: Sun Jan 29 21:35:23 2017 +0000
1014
1015 upstream commit
1016
1017 Fix typo in ~C error message for bad port forward
1018 cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's
1019 bugtracker.
1020
1021 Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
1022
1023commit 4ba15462ca38883b8a61a1eccc093c79462d5414
1024Author: guenther@openbsd.org <guenther@openbsd.org>
1025Date: Sat Jan 21 11:32:04 2017 +0000
1026
1027 upstream commit
1028
1029 The POSIX APIs that that sockaddrs all ignore the s*_len
1030 field in the incoming socket, so userspace doesn't need to set it unless it
1031 has its own reasons for tracking the size along with the sockaddr.
1032
1033 ok phessler@ deraadt@ florian@
1034
1035 Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
1036
1037commit a1187bd3ef3e4940af849ca953a1b849dae78445
1038Author: jmc@openbsd.org <jmc@openbsd.org>
1039Date: Fri Jan 6 16:28:12 2017 +0000
1040
1041 upstream commit
1042
1043 keep the tokens list sorted;
1044
1045 Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
1046
1047commit b64077f9767634715402014f509e58decf1e140d
1048Author: djm@openbsd.org <djm@openbsd.org>
1049Date: Fri Jan 6 09:27:52 2017 +0000
1050
1051 upstream commit
1052
1053 fix previous
1054
1055 Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
1056
1057commit 5e820e9ea2e949aeb93071fe31c80b0c42f2b2de
1058Author: djm@openbsd.org <djm@openbsd.org>
1059Date: Fri Jan 6 03:53:58 2017 +0000
1060
1061 upstream commit
1062
1063 show a useful error message when included config files
1064 can't be opened; bz#2653, ok dtucker@
1065
1066 Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
1067
1068commit 13bd2e2d622d01dc85d22b94520a5b243d006049
1069Author: djm@openbsd.org <djm@openbsd.org>
1070Date: Fri Jan 6 03:45:41 2017 +0000
1071
1072 upstream commit
1073
1074 sshd_config is documented to set
1075 GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
1076 bz#2637 ok dtucker
1077
1078 Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
1079
1080commit f89b928534c9e77f608806a217d39a2960cc7fd0
1081Author: djm@openbsd.org <djm@openbsd.org>
1082Date: Fri Jan 6 03:41:58 2017 +0000
1083
1084 upstream commit
1085
1086 Avoid confusing error message when attempting to use
1087 ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583
1088
1089 Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
1090
1091commit 0999533014784579aa6f01c2d3a06e3e8804b680
1092Author: dtucker@openbsd.org <dtucker@openbsd.org>
1093Date: Fri Jan 6 02:34:54 2017 +0000
1094
1095 upstream commit
1096
1097 Re-add '%k' token for AuthorizedKeysCommand which was
1098 lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
1099
1100 Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
1101
1102commit 51045869fa084cdd016fdd721ea760417c0a3bf3
1103Author: djm@openbsd.org <djm@openbsd.org>
1104Date: Wed Jan 4 05:37:40 2017 +0000
1105
1106 upstream commit
1107
1108 unbreak Unix domain socket forwarding for root; ok
1109 markus@
1110
1111 Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
1112
1113commit 58fca12ba967ea5c768653535604e1522d177e44
1114Author: Darren Tucker <dtucker@zip.com.au>
1115Date: Mon Jan 16 09:08:32 2017 +1100
1116
1117 Remove LOGIN_PROGRAM.
1118
1119 UseLogin is gone, remove leftover. bz#2665, from cjwatson at debian.org
1120
1121commit b108ce92aae0ca0376dce9513d953be60e449ae1
1122Author: djm@openbsd.org <djm@openbsd.org>
1123Date: Wed Jan 4 02:21:43 2017 +0000
1124
1125 upstream commit
1126
1127 relax PKCS#11 whitelist a bit to allow libexec as well as
1128 lib directories.
1129
1130 Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702
1131
1132commit c7995f296b9222df2846f56ecf61e5ae13d7a53d
1133Author: djm@openbsd.org <djm@openbsd.org>
1134Date: Tue Jan 3 05:46:51 2017 +0000
1135
1136 upstream commit
1137
1138 check number of entries in SSH2_FXP_NAME response; avoids
1139 unreachable overflow later. Reported by Jann Horn
1140
1141 Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
1142
1143commit ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
1144Author: djm@openbsd.org <djm@openbsd.org>
1145Date: Fri Dec 30 22:08:02 2016 +0000
1146
1147 upstream commit
1148
1149 fix deadlock when keys/principals command produces a lot of
1150 output and a key is matched early; bz#2655, patch from jboning AT gmail.com
1151
1152 Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
1153
1154commit 30eee7d1b2fec33c14870cc11910610be5d2aa6f
1155Author: Darren Tucker <dtucker@zip.com.au>
1156Date: Tue Dec 20 12:16:11 2016 +1100
1157
1158 Re-add missing "Prerequisites" header and fix typo
1159
1160 Patch from HARUYAMA Seigo <haruyama at unixuser org>.
1161
1162commit c8c60f3663165edd6a52632c6ddbfabfce1ca865
1163Author: djm@openbsd.org <djm@openbsd.org>
1164Date: Mon Dec 19 22:35:23 2016 +0000
1165
1166 upstream commit
1167
1168 use standard /bin/sh equality test; from Mike Frysinger
1169
1170 Upstream-Regress-ID: 7b6f0b63525f399844c8ac211003acb8e4b0bec2
1171
1commit 4a354fc231174901f2629437c2a6e924a2dd6772 1172commit 4a354fc231174901f2629437c2a6e924a2dd6772
2Author: Damien Miller <djm@mindrot.org> 1173Author: Damien Miller <djm@mindrot.org>
3Date: Mon Dec 19 15:59:26 2016 +1100 1174Date: Mon Dec 19 15:59:26 2016 +1100
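Review bot: the added entries for 13bd2e2d622d (GSSAPIStrictAcceptorCheck made to actually default to yes in sshd_config, bz#2637) and b108ce92aae0 (PKCS#11 whitelist relaxed to allow libexec as well as lib directories) record changes to security-relevant behaviour, but in this hunk they sit undistinguished among cleanup and regress-test entries. The ChangeLog is imported as-is, so the place to surface them is the packaging side: add a NEWS or package changelog line for each, so that administrators who depended on the previous effective GSSAPI acceptor behaviour, or who audit which directories the PKCS#11 whitelist accepts, see the change on upgrade. The entry for b64077f97676 reads only "fix previous" and does not name the commit it corrects; any downstream note that refers to it should cite that commit explicitly.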
@@ -8221,2046 +9392,3 @@ Date: Wed Mar 11 00:48:39 2015 +0000
8221 9392
8222 add back the changes from rev 1.206, djm reverted this by 9393 add back the changes from rev 1.206, djm reverted this by
8223 mistake in rev 1.207 9394 mistake in rev 1.207
8224
8225commit 4d24b3b6a4a6383e05e7da26d183b79fa8663697
8226Author: Damien Miller <djm@mindrot.org>
8227Date: Fri Mar 20 09:11:59 2015 +1100
8228
8229 remove error() accidentally inserted for debugging
8230
8231 pointed out by Christian Hesse
8232
8233commit 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb
8234Author: Tim Rice <tim@multitalents.net>
8235Date: Mon Mar 16 22:49:20 2015 -0700
8236
8237 portability fix: Solaris systems may not have a grep that understands -q
8238
8239commit 8ef691f7d9ef500257a549d0906d78187490668f
8240Author: Damien Miller <djm@google.com>
8241Date: Wed Mar 11 10:35:26 2015 +1100
8242
8243 fix compile with clang
8244
8245commit 4df590cf8dc799e8986268d62019b487a8ed63ad
8246Author: Damien Miller <djm@google.com>
8247Date: Wed Mar 11 10:02:39 2015 +1100
8248
8249 make unit tests work for !OPENSSH_HAS_ECC
8250
8251commit 307bb40277ca2c32e97e61d70d1ed74b571fd6ba
8252Author: djm@openbsd.org <djm@openbsd.org>
8253Date: Sat Mar 7 04:41:48 2015 +0000
8254
8255 upstream commit
8256
8257 unbreak for w/SSH1 (default) case; ok markus@ deraadt@
8258
8259commit b44ee0c998fb4c5f3c3281f2398af5ce42840b6f
8260Author: Damien Miller <djm@mindrot.org>
8261Date: Thu Mar 5 18:39:20 2015 -0800
8262
8263 unbreak hostkeys test for w/ SSH1 case
8264
8265commit 55e5bdeb519cb60cc18b7ba0545be581fb8598b4
8266Author: djm@openbsd.org <djm@openbsd.org>
8267Date: Fri Mar 6 01:40:56 2015 +0000
8268
8269 upstream commit
8270
8271 fix sshkey_certify() return value for unsupported key types;
8272 ok markus@ deraadt@
8273
8274commit be8f658e550a434eac04256bfbc4289457a24e99
8275Author: Damien Miller <djm@mindrot.org>
8276Date: Wed Mar 4 15:38:03 2015 -0800
8277
8278 update version numbers to match version.h
8279
8280commit ac5e8acefa253eb5e5ba186e34236c0e8007afdc
8281Author: djm@openbsd.org <djm@openbsd.org>
8282Date: Wed Mar 4 23:22:35 2015 +0000
8283
8284 upstream commit
8285
8286 make these work with !SSH1; ok markus@ deraadt@
8287
8288commit 2f04af92f036b0c87a23efb259c37da98cd81fe6
8289Author: djm@openbsd.org <djm@openbsd.org>
8290Date: Wed Mar 4 21:12:59 2015 +0000
8291
8292 upstream commit
8293
8294 make ssh-add -D work with !SSH1 agent
8295
8296commit a05adf95d2af6abb2b7826ddaa7a0ec0cdc1726b
8297Author: Damien Miller <djm@mindrot.org>
8298Date: Wed Mar 4 00:55:48 2015 -0800
8299
8300 netcat needs poll.h portability goop
8301
8302commit dad2b1892b4c1b7e58df483a8c5b983c4454e099
8303Author: markus@openbsd.org <markus@openbsd.org>
8304Date: Tue Mar 3 22:35:19 2015 +0000
8305
8306 upstream commit
8307
8308 make it possible to run tests w/o ssh1 support; ok djm@
8309
8310commit d48a22601bdd3eec054794c535f4ae8d8ae4c6e2
8311Author: djm@openbsd.org <djm@openbsd.org>
8312Date: Wed Mar 4 18:53:53 2015 +0000
8313
8314 upstream commit
8315
8316 crank; ok markus, deraadt
8317
8318commit bbffb23daa0b002dd9f296e396a9ab8a5866b339
8319Author: Damien Miller <djm@mindrot.org>
8320Date: Tue Mar 3 13:50:27 2015 -0800
8321
8322 more --without-ssh1 fixes
8323
8324commit 6c2039286f503e2012a58a1d109e389016e7a99b
8325Author: Damien Miller <djm@mindrot.org>
8326Date: Tue Mar 3 13:48:48 2015 -0800
8327
8328 fix merge both that broke --without-ssh1 compile
8329
8330commit 111dfb225478a76f89ecbcd31e96eaf1311b59d3
8331Author: djm@openbsd.org <djm@openbsd.org>
8332Date: Tue Mar 3 21:21:13 2015 +0000
8333
8334 upstream commit
8335
8336 add SSH1 Makefile knob to make it easier to build without
8337 SSH1 support; ok markus@
8338
8339commit 3f7f5e6c5d2aa3f6710289c1a30119e534e56c5c
8340Author: djm@openbsd.org <djm@openbsd.org>
8341Date: Tue Mar 3 20:42:49 2015 +0000
8342
8343 upstream commit
8344
8345 expand __unused to full __attribute__ for better portability
8346
8347commit 2fab9b0f8720baf990c931e3f68babb0bf9949c6
8348Author: Damien Miller <djm@mindrot.org>
8349Date: Wed Mar 4 07:41:27 2015 +1100
8350
8351 avoid warning
8352
8353commit d1bc844322461f882b4fd2277ba9a8d4966573d2
8354Author: Damien Miller <djm@mindrot.org>
8355Date: Wed Mar 4 06:31:45 2015 +1100
8356
8357 Revert "define __unused to nothing if not already defined"
8358
8359 This reverts commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908.
8360
8361 Some system headers have objects named __unused
8362
8363commit 00797e86b2d98334d1bb808f65fa1fd47f328ff1
8364Author: Damien Miller <djm@mindrot.org>
8365Date: Wed Mar 4 05:02:45 2015 +1100
8366
8367 check for crypt and DES_crypt in openssl block
8368
8369 fixes builds on systems that use DES_crypt; based on patch
8370 from Roumen Petrov
8371
8372commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908
8373Author: Damien Miller <djm@mindrot.org>
8374Date: Wed Mar 4 04:59:13 2015 +1100
8375
8376 define __unused to nothing if not already defined
8377
8378 fixes builds on BSD/OS
8379
8380commit d608a51daad4f14ad6ab43d7cf74ef4801cc3fe9
8381Author: djm@openbsd.org <djm@openbsd.org>
8382Date: Tue Mar 3 17:53:40 2015 +0000
8383
8384 upstream commit
8385
8386 reorder logic for better portability; patch from Roumen
8387 Petrov
8388
8389commit 68d2dfc464fbcdf8d6387884260f9801f4352393
8390Author: djm@openbsd.org <djm@openbsd.org>
8391Date: Tue Mar 3 06:48:58 2015 +0000
8392
8393 upstream commit
8394
8395 Allow "ssh -Q protocol-version" to list supported SSH
8396 protocol versions. Useful for detecting builds without SSH v.1 support; idea
8397 and ok markus@
8398
8399commit 39e2f1229562e1195169905607bc12290d21f021
8400Author: millert@openbsd.org <millert@openbsd.org>
8401Date: Sun Mar 1 15:44:40 2015 +0000
8402
8403 upstream commit
8404
8405 Make sure we only call getnameinfo() for AF_INET or AF_INET6
8406 sockets. getpeername() of a Unix domain socket may return without error on
8407 some systems without actually setting ss_family so getnameinfo() was getting
8408 called with ss_family set to AF_UNSPEC. OK djm@
8409
8410commit e47536ba9692d271b8ad89078abdecf0a1c11707
8411Author: Damien Miller <djm@mindrot.org>
8412Date: Sat Feb 28 08:20:11 2015 -0800
8413
8414 portability fixes for regress/netcat.c
8415
8416 Mostly avoiding "err(1, NULL)"
8417
8418commit 02973ad5f6f49d8420e50a392331432b0396c100
8419Author: Damien Miller <djm@mindrot.org>
8420Date: Sat Feb 28 08:05:27 2015 -0800
8421
8422 twiddle another test for portability
8423
8424 from Tom G. Christensen
8425
8426commit f7f3116abf2a6e2f309ab096b08c58d19613e5d0
8427Author: Damien Miller <djm@mindrot.org>
8428Date: Fri Feb 27 15:52:49 2015 -0800
8429
8430 twiddle test for portability
8431
8432commit 1ad3a77cc9d5568f5437ff99d377aa7a41859b83
8433Author: Damien Miller <djm@mindrot.org>
8434Date: Thu Feb 26 20:33:22 2015 -0800
8435
8436 make regress/netcat.c fd passing (more) portable
8437
8438commit 9e1cfca7e1fe9cf8edb634fc894e43993e4da1ea
8439Author: Damien Miller <djm@mindrot.org>
8440Date: Thu Feb 26 20:32:58 2015 -0800
8441
8442 create OBJ/valgrind-out before running unittests
8443
8444commit bd58853102cee739f0e115e6d4b5334332ab1442
8445Author: Damien Miller <djm@mindrot.org>
8446Date: Wed Feb 25 16:58:22 2015 -0800
8447
8448 valgrind support
8449
8450commit f43d17269194761eded9e89f17456332f4c83824
8451Author: djm@openbsd.org <djm@openbsd.org>
8452Date: Thu Feb 26 20:45:47 2015 +0000
8453
8454 upstream commit
8455
8456 don't printf NULL key comments; reported by Tom Christensen
8457
8458commit 6e6458b476ec854db33e3e68ebf4f489d0ab3df8
8459Author: djm@openbsd.org <djm@openbsd.org>
8460Date: Wed Feb 25 23:05:47 2015 +0000
8461
8462 upstream commit
8463
8464 zero cmsgbuf before use; we initialise the bits we use
8465 but valgrind still spams warning on it
8466
8467commit a63cfa26864b93ab6afefad0b630e5358ed8edfa
8468Author: djm@openbsd.org <djm@openbsd.org>
8469Date: Wed Feb 25 19:54:02 2015 +0000
8470
8471 upstream commit
8472
8473 fix small memory leak when UpdateHostkeys=no
8474
8475commit e6b950341dd75baa8526f1862bca39e52f5b879b
8476Author: Tim Rice <tim@multitalents.net>
8477Date: Wed Feb 25 09:56:48 2015 -0800
8478
8479 Revert "Work around finicky USL linker so netcat will build."
8480
8481 This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b.
8482
8483 No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3
8484
8485commit 6f621603f9cff2a5d6016a404c96cb2f8ac2dec0
8486Author: djm@openbsd.org <djm@openbsd.org>
8487Date: Wed Feb 25 17:29:38 2015 +0000
8488
8489 upstream commit
8490
8491 don't leak validity of user in "too many authentication
8492 failures" disconnect message; reported by Sebastian Reitenbach
8493
8494commit 6288e3a935494df12519164f52ca5c8c65fc3ca5
8495Author: naddy@openbsd.org <naddy@openbsd.org>
8496Date: Tue Feb 24 15:24:05 2015 +0000
8497
8498 upstream commit
8499
8500 add -v (show ASCII art) to -l's synopsis; ok djm@
8501
8502commit 678e473e2af2e4802f24dd913985864d9ead7fb3
8503Author: Darren Tucker <dtucker@zip.com.au>
8504Date: Thu Feb 26 04:12:58 2015 +1100
8505
8506 Remove dependency on xmalloc.
8507
8508 Remove ssh_get_progname's dependency on xmalloc, which should reduce
8509 link order problems. ok djm@
8510
8511commit 5d5ec165c5b614b03678afdad881f10e25832e46
8512Author: Darren Tucker <dtucker@zip.com.au>
8513Date: Wed Feb 25 15:32:49 2015 +1100
8514
8515 Restrict ECDSA and ECDH tests.
8516
8517 ifdef out some more ECDSA and ECDH tests when built against an OpenSSL
8518 that does not have eliptic curve functionality.
8519
8520commit 1734e276d99b17e92d4233fac7aef3a3180aaca7
8521Author: Darren Tucker <dtucker@zip.com.au>
8522Date: Wed Feb 25 13:40:45 2015 +1100
8523
8524 Move definition of _NSIG.
8525
8526 _NSIG is only unsed in one file, so move it there prevent redefinition
8527 warnings reported by Kevin Brott.
8528
8529commit a47ead7c95cfbeb72721066c4da2312e5b1b9f3d
8530Author: Darren Tucker <dtucker@zip.com.au>
8531Date: Wed Feb 25 13:17:40 2015 +1100
8532
8533 Add includes.h for compatibility stuff.
8534
8535commit 38806bda6d2e48ad32812b461eebe17672ada771
8536Author: Damien Miller <djm@mindrot.org>
8537Date: Tue Feb 24 16:50:06 2015 -0800
8538
8539 include netdb.h to look for MAXHOSTNAMELEN; ok tim
8540
8541commit d1db656021d0cd8c001a6692f772f1de29b67c8b
8542Author: Tim Rice <tim@multitalents.net>
8543Date: Tue Feb 24 10:42:08 2015 -0800
8544
8545 Work around finicky USL linker so netcat will build.
8546
8547commit cb030ce25f555737e8ba97bdd7883ac43f3ff2a3
8548Author: Damien Miller <djm@mindrot.org>
8549Date: Tue Feb 24 09:23:04 2015 -0800
8550
8551 include includes.h to avoid build failure on AIX
8552
8553commit 13af342458f5064144abbb07e5ac9bbd4eb42567
8554Author: Tim Rice <tim@multitalents.net>
8555Date: Tue Feb 24 07:56:47 2015 -0800
8556
8557 Original portability patch from djm@ for platforms missing err.h.
8558 Fix name space clash on Solaris 10. Still more to do for Solaris 10
8559 to deal with msghdr structure differences. ok djm@
8560
8561commit 910209203d0cd60c5083901cbcc0b7b44d9f48d2
8562Author: Tim Rice <tim@multitalents.net>
8563Date: Mon Feb 23 22:06:56 2015 -0800
8564
8565 cleaner way fix dispatch.h portion of commit
8566 a88dd1da119052870bb2654c1a32c51971eade16
8567 (some systems have sig_atomic_t in signal.h, some in sys/signal.h)
8568 Sounds good to me djm@
8569
8570commit 676c38d7cbe65b76bbfff796861bb6615cc6a596
8571Author: Tim Rice <tim@multitalents.net>
8572Date: Mon Feb 23 21:51:33 2015 -0800
8573
8574 portability fix: if we can't dind a better define for HOST_NAME_MAX, use 255
8575
8576commit 1221b22023dce38cbc90ba77eae4c5d78c77a5e6
8577Author: Tim Rice <tim@multitalents.net>
8578Date: Mon Feb 23 21:50:34 2015 -0800
8579
8580 portablity fix: s/__inline__/inline/
8581
8582commit 4c356308a88d309c796325bb75dce90ca16591d5
8583Author: Darren Tucker <dtucker@zip.com.au>
8584Date: Tue Feb 24 13:49:31 2015 +1100
8585
8586 Wrap stdint.h includes in HAVE_STDINT_H.
8587
8588commit c9c88355c6a27a908e7d1e5003a2b35ea99c1614
8589Author: Darren Tucker <dtucker@zip.com.au>
8590Date: Tue Feb 24 13:43:57 2015 +1100
8591
8592 Add AI_NUMERICSERV to fake-rfc2553.
8593
8594 Our getaddrinfo implementation always returns numeric values already.
8595
8596commit ef342ab1ce6fb9a4b30186c89c309d0ae9d0eeb4
8597Author: Darren Tucker <dtucker@zip.com.au>
8598Date: Tue Feb 24 13:39:57 2015 +1100
8599
8600 Include OpenSSL's objects.h before bn.h.
8601
8602 Prevents compile errors on some platforms (at least old GCCs and AIX's
8603 XLC compilers).
8604
8605commit dcc8997d116f615195aa7c9ec019fb36c28c6228
8606Author: Darren Tucker <dtucker@zip.com.au>
8607Date: Tue Feb 24 12:30:59 2015 +1100
8608
8609 Convert two macros into functions.
8610
8611 Convert packet_send_debug and packet_disconnect from macros to
8612 functions. Some older GCCs (2.7.x, 2.95.x) see to have problems with
8613 variadic macros with only one argument so we convert these two into
8614 functions. ok djm@
8615
8616commit 2285c30d51b7e2052c6526445abe7e7cc7e170a1
8617Author: djm@openbsd.org <djm@openbsd.org>
8618Date: Mon Feb 23 22:21:21 2015 +0000
8619
8620 upstream commit
8621
8622 further silence spurious error message even when -v is
8623 specified (e.g. to get visual host keys); reported by naddy@
8624
8625commit 9af21979c00652029e160295e988dea40758ece2
8626Author: Damien Miller <djm@mindrot.org>
8627Date: Tue Feb 24 09:04:32 2015 +1100
8628
8629 don't include stdint.h unless HAVE_STDINT_H set
8630
8631commit 62f678dd51660d6f8aee1da33d3222c5de10a89e
8632Author: Damien Miller <djm@mindrot.org>
8633Date: Tue Feb 24 09:02:54 2015 +1100
8634
8635 nother sys/queue.h -> sys-queue.h fix
8636
8637 spotted by Tom Christensen
8638
8639commit b3c19151cba2c0ed01b27f55de0d723ad07ca98f
8640Author: djm@openbsd.org <djm@openbsd.org>
8641Date: Mon Feb 23 20:32:15 2015 +0000
8642
8643 upstream commit
8644
8645 fix a race condition by using a mux socket rather than an
8646 ineffectual wait statement
8647
8648commit a88dd1da119052870bb2654c1a32c51971eade16
8649Author: Damien Miller <djm@mindrot.org>
8650Date: Tue Feb 24 06:30:29 2015 +1100
8651
8652 various include fixes for portable
8653
8654commit 5248429b5ec524d0a65507cff0cdd6e0cb99effd
8655Author: djm@openbsd.org <djm@openbsd.org>
8656Date: Mon Feb 23 16:55:51 2015 +0000
8657
8658 upstream commit
8659
8660 add an XXX to remind me to improve sshkey_load_public
8661
8662commit e94e4b07ef2eaead38b085a60535df9981cdbcdb
8663Author: djm@openbsd.org <djm@openbsd.org>
8664Date: Mon Feb 23 16:55:31 2015 +0000
8665
8666 upstream commit
8667
8668 silence a spurious error message when listing
8669 fingerprints for known_hosts; bz#2342
8670
8671commit f2293a65392b54ac721f66bc0b44462e8d1d81f8
8672Author: djm@openbsd.org <djm@openbsd.org>
8673Date: Mon Feb 23 16:33:25 2015 +0000
8674
8675 upstream commit
8676
8677 fix setting/clearing of TTY raw mode around
8678 UpdateHostKeys=ask confirmation question; reported by Herb Goldman
8679
8680commit f2004cd1adf34492eae0a44b1ef84e0e31b06088
8681Author: Darren Tucker <dtucker@zip.com.au>
8682Date: Mon Feb 23 05:04:21 2015 +1100
8683
8684 Repair for non-ECC OpenSSL.
8685
8686 Ifdef out the ECC parts when building with an OpenSSL that doesn't have
8687 it.
8688
8689commit 37f9220db8d1a52c75894c3de1e5f2ae5bd71b6f
8690Author: Darren Tucker <dtucker@zip.com.au>
8691Date: Mon Feb 23 03:07:24 2015 +1100
8692
8693 Wrap stdint.h includes in ifdefs.
8694
8695commit f81f1bbc5b892c8614ea740b1f92735652eb43f0
8696Author: Tim Rice <tim@multitalents.net>
8697Date: Sat Feb 21 18:12:10 2015 -0800
8698
8699 out of tree build fix
8700
8701commit 2e13a1e4d22f3b503c3bfc878562cc7386a1d1ae
8702Author: Tim Rice <tim@multitalents.net>
8703Date: Sat Feb 21 18:08:51 2015 -0800
8704
8705 mkdir kex unit test directory so testing out of tree builds works
8706
8707commit 1797f49b1ba31e8700231cd6b1d512d80bb50d2c
8708Author: halex@openbsd.org <halex@openbsd.org>
8709Date: Sat Feb 21 21:46:57 2015 +0000
8710
8711 upstream commit
8712
8713 make "ssh-add -d" properly remove a corresponding
8714 certificate, and also not whine and fail if there is none
8715
8716 ok djm@
8717
8718commit 7faaa32da83a609059d95dbfcb0649fdb04caaf6
8719Author: Damien Miller <djm@mindrot.org>
8720Date: Sun Feb 22 07:57:27 2015 +1100
8721
8722 mkdir hostkey and bitmap unit test directories
8723
8724commit bd49da2ef197efac5e38f5399263a8b47990c538
8725Author: djm@openbsd.org <djm@openbsd.org>
8726Date: Fri Feb 20 23:46:01 2015 +0000
8727
8728 upstream commit
8729
8730 sort options useable under Match case-insensitively; prodded
8731 jmc@
8732
8733commit 1a779a0dd6cd8b4a1a40ea33b5415ab8408128ac
8734Author: djm@openbsd.org <djm@openbsd.org>
8735Date: Sat Feb 21 20:51:02 2015 +0000
8736
8737 upstream commit
8738
8739 correct paths to configuration files being written/updated;
8740 they live in $OBJ not cwd; some by Roumen Petrov
8741
8742commit 28ba006c1acddff992ae946d0bc0b500b531ba6b
8743Author: Darren Tucker <dtucker@zip.com.au>
8744Date: Sat Feb 21 15:41:07 2015 +1100
8745
8746 More correct checking of HAVE_DECL_AI_NUMERICSERV.
8747
8748commit e50e8c97a9cecae1f28febccaa6ca5ab3bc10f54
8749Author: Darren Tucker <dtucker@zip.com.au>
8750Date: Sat Feb 21 15:10:33 2015 +1100
8751
8752 Add null declaration of AI_NUMERICINFO.
8753
8754 Some platforms (older FreeBSD and DragonFly versions) do have
8755 getaddrinfo() but do not have AI_NUMERICINFO. so define it to zero
8756 in those cases.
8757
8758commit 18a208d6a460d707a45916db63a571e805f5db46
8759Author: djm@openbsd.org <djm@openbsd.org>
8760Date: Fri Feb 20 22:40:32 2015 +0000
8761
8762 upstream commit
8763
8764 more options that are available under Match; bz#2353 reported
8765 by calestyo AT scientia.net
8766
8767commit 44732de06884238049f285f1455b2181baa7dc82
8768Author: djm@openbsd.org <djm@openbsd.org>
8769Date: Fri Feb 20 22:17:21 2015 +0000
8770
8771 upstream commit
8772
8773 UpdateHostKeys fixes:
8774
8775 I accidentally changed the format of the hostkeys@openssh.com messages
8776 last week without changing the extension name, and this has been causing
8777 connection failures for people who are running -current. First reported
8778 by sthen@
8779
8780 s/hostkeys@openssh.com/hostkeys-00@openssh.com/
8781 Change the name of the proof message too, and reorder it a little.
8782
8783 Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
8784 available to read the response) so disable UpdateHostKeys if it is in
8785 ask mode and ControlPersist is active (and document this)
8786
8787commit 13a39414d25646f93e6d355521d832a03aaaffe2
8788Author: djm@openbsd.org <djm@openbsd.org>
8789Date: Tue Feb 17 00:14:05 2015 +0000
8790
8791 upstream commit
8792
8793 Regression: I broke logging of public key fingerprints in
8794 1.46. Pointed out by Pontus Lundkvist
8795
8796commit 773dda25e828c4c9a52f7bdce6e1e5924157beab
8797Author: Damien Miller <djm@mindrot.org>
8798Date: Fri Jan 30 23:10:17 2015 +1100
8799
8800 repair --without-openssl; broken in refactor
8801
8802commit e89c780886b23600de1e1c8d74aabd1ff61f43f0
8803Author: Damien Miller <djm@google.com>
8804Date: Tue Feb 17 10:04:55 2015 +1100
8805
8806 hook up hostkeys unittest to portable Makefiles
8807
8808commit 0abf41f99aa16ff09b263bead242d6cb2dbbcf99
8809Author: djm@openbsd.org <djm@openbsd.org>
8810Date: Mon Feb 16 22:21:03 2015 +0000
8811
8812 upstream commit
8813
8814 enable hostkeys unit tests
8815
8816commit 68a5d647ccf0fb6782b2f749433a1eee5bc9044b
8817Author: djm@openbsd.org <djm@openbsd.org>
8818Date: Mon Feb 16 22:20:50 2015 +0000
8819
8820 upstream commit
8821
8822 check string/memory compare arguments aren't NULL
8823
8824commit ef575ef20d09f20722e26b45dab80b3620469687
8825Author: djm@openbsd.org <djm@openbsd.org>
8826Date: Mon Feb 16 22:18:34 2015 +0000
8827
8828 upstream commit
8829
8830 unit tests for hostfile.c code, just hostkeys_foreach so
8831 far
8832
8833commit 8ea3365e6aa2759ccf5c76eaea62cbc8a280b0e7
8834Author: markus@openbsd.org <markus@openbsd.org>
8835Date: Sat Feb 14 12:43:16 2015 +0000
8836
8837 upstream commit
8838
8839 test server rekey limit
8840
8841commit ce63c4b063c39b2b22d4ada449c9e3fbde788cb3
8842Author: djm@openbsd.org <djm@openbsd.org>
8843Date: Mon Feb 16 22:30:03 2015 +0000
8844
8845 upstream commit
8846
8847 partial backout of:
8848
8849 revision 1.441
8850 date: 2015/01/31 20:30:05; author: djm; state: Exp; lines: +17 -10; commitid
8851 : x8klYPZMJSrVlt3O;
8852 Let sshd load public host keys even when private keys are missing.
8853 Allows sshd to advertise additional keys for future key rotation.
8854 Also log fingerprint of hostkeys loaded; ok markus@
8855
8856 hostkey updates now require access to the private key, so we can't
8857 load public keys only. The improved log messages (fingerprints of keys
8858 loaded) are kept.
8859
8860commit 523463a3a2a9bfc6cfc5afa01bae9147f76a37cc
8861Author: djm@openbsd.org <djm@openbsd.org>
8862Date: Mon Feb 16 22:13:32 2015 +0000
8863
8864 upstream commit
8865
8866 Revise hostkeys@openssh.com hostkey learning extension.
8867
8868 The client will not ask the server to prove ownership of the private
8869 halves of any hitherto-unseen hostkeys it offers to the client.
8870
8871 Allow UpdateHostKeys option to take an 'ask' argument to let the
8872 user manually review keys offered.
8873
8874 ok markus@
8875
8876commit 6c5c949782d86a6e7d58006599c7685bfcd01685
8877Author: djm@openbsd.org <djm@openbsd.org>
8878Date: Mon Feb 16 22:08:57 2015 +0000
8879
8880 upstream commit
8881
8882 Refactor hostkeys_foreach() and dependent code Deal with
8883 IP addresses (i.e. CheckHostIP) Don't clobber known_hosts when nothing
8884 changed ok markus@ as part of larger commit
8885
8886commit 51b082ccbe633dc970df1d1f4c9c0497115fe721
8887Author: miod@openbsd.org <miod@openbsd.org>
8888Date: Mon Feb 16 18:26:26 2015 +0000
8889
8890 upstream commit
8891
8892 Declare ge25519_base as extern, to prevent it from
8893 becoming a common. Gets us rid of ``lignment 4 of symbol
8894 `crypto_sign_ed25519_ref_ge25519_base' in mod_ge25519.o is smaller than 16 in
8895 mod_ed25519.o'' warnings at link time.
8896
8897commit 02db468bf7e3281a8e3c058ced571b38b6407c34
8898Author: markus@openbsd.org <markus@openbsd.org>
8899Date: Fri Feb 13 18:57:00 2015 +0000
8900
8901 upstream commit
8902
8903 make rekey_limit for sshd w/privsep work; ok djm@
8904 dtucker@
8905
8906commit 8ec67d505bd23c8bf9e17b7a364b563a07a58ec8
8907Author: dtucker@openbsd.org <dtucker@openbsd.org>
8908Date: Thu Feb 12 20:34:19 2015 +0000
8909
8910 upstream commit
8911
8912 Prevent sshd spamming syslog with
8913 "ssh_dispatch_run_fatal: disconnected". ok markus@
8914
8915commit d4c0295d1afc342057ba358237acad6be8af480b
8916Author: djm@openbsd.org <djm@openbsd.org>
8917Date: Wed Feb 11 01:20:38 2015 +0000
8918
8919 upstream commit
8920
8921 Some packet error messages show the address of the peer,
8922 but might be generated after the socket to the peer has suffered a TCP reset.
8923 In these cases, getpeername() won't work so cache the address earlier.
8924
8925 spotted in the wild via deraadt@ and tedu@
8926
8927commit 4af1709cf774475ce5d1bc3ddcc165f6c222897d
8928Author: jsg@openbsd.org <jsg@openbsd.org>
8929Date: Mon Feb 9 23:22:37 2015 +0000
8930
8931 upstream commit
8932
8933 fix some leaks in error paths ok markus@
8934
8935commit fd36834871d06a03e1ff8d69e41992efa1bbf85f
8936Author: millert@openbsd.org <millert@openbsd.org>
8937Date: Fri Feb 6 23:21:59 2015 +0000
8938
8939 upstream commit
8940
8941 SIZE_MAX is standard, we should be using it in preference to
8942 the obsolete SIZE_T_MAX. OK miod@ beck@
8943
8944commit 1910a286d7771eab84c0b047f31c0a17505236fa
8945Author: millert@openbsd.org <millert@openbsd.org>
8946Date: Thu Feb 5 12:59:57 2015 +0000
8947
8948 upstream commit
8949
8950 Include stdint.h, not limits.h to get SIZE_MAX. OK guenther@
8951
8952commit ce4f59b2405845584f45e0b3214760eb0008c06c
8953Author: deraadt@openbsd.org <deraadt@openbsd.org>
8954Date: Tue Feb 3 08:07:20 2015 +0000
8955
8956 upstream commit
8957
8958 missing ; djm and mlarkin really having great
8959 interactions recently
8960
8961commit 5d34aa94938abb12b877a25be51862757f25d54b
8962Author: halex@openbsd.org <halex@openbsd.org>
8963Date: Tue Feb 3 00:34:14 2015 +0000
8964
8965 upstream commit
8966
8967 slightly extend the passphrase prompt if running with -c
8968 in order to give the user a chance to notice if unintentionally running
8969 without it
8970
8971 wording tweak and ok djm@
8972
8973commit cb3bde373e80902c7d5d0db429f85068d19b2918
8974Author: djm@openbsd.org <djm@openbsd.org>
8975Date: Mon Feb 2 22:48:53 2015 +0000
8976
8977 upstream commit
8978
8979 handle PKCS#11 C_Login returning
8980 CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
8981
8982commit 15ad750e5ec3cc69765b7eba1ce90060e7083399
8983Author: djm@openbsd.org <djm@openbsd.org>
8984Date: Mon Feb 2 07:41:40 2015 +0000
8985
8986 upstream commit
8987
8988 turn UpdateHostkeys off by default until I figure out
8989 mlarkin@'s warning message; requested by deraadt@
8990
8991commit 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9
8992Author: deraadt@openbsd.org <deraadt@openbsd.org>
8993Date: Mon Feb 2 01:57:44 2015 +0000
8994
8995 upstream commit
8996
8997 increasing encounters with difficult DNS setups in
8998 darknets has convinced me UseDNS off by default is better ok djm
8999
9000commit 6049a548a8a68ff0bbe581ab1748ea6a59ecdc38
9001Author: djm@openbsd.org <djm@openbsd.org>
9002Date: Sat Jan 31 20:30:05 2015 +0000
9003
9004 upstream commit
9005
9006 Let sshd load public host keys even when private keys are
9007 missing. Allows sshd to advertise additional keys for future key rotation.
9008 Also log fingerprint of hostkeys loaded; ok markus@
9009
9010commit 46347ed5968f582661e8a70a45f448e0179ca0ab
9011Author: djm@openbsd.org <djm@openbsd.org>
9012Date: Fri Jan 30 11:43:14 2015 +0000
9013
9014 upstream commit
9015
9016 Add a ssh_config HostbasedKeyType option to control which
9017 host public key types are tried during hostbased authentication.
9018
9019 This may be used to prevent too many keys being sent to the server,
9020 and blowing past its MaxAuthTries limit.
9021
9022 bz#2211 based on patch by Iain Morgan; ok markus@
9023
9024commit 802660cb70453fa4d230cb0233bc1bbdf8328de1
9025Author: djm@openbsd.org <djm@openbsd.org>
9026Date: Fri Jan 30 10:44:49 2015 +0000
9027
9028 upstream commit
9029
9030 set a timeout to prevent hangs when talking to busted
9031 servers; ok markus@
9032
9033commit 86936ec245a15c7abe71a0722610998b0a28b194
9034Author: djm@openbsd.org <djm@openbsd.org>
9035Date: Fri Jan 30 01:11:39 2015 +0000
9036
9037 upstream commit
9038
9039 regression test for 'wildcard CA' serial/key ID revocations
9040
9041commit 4509b5d4a4fa645a022635bfa7e86d09b285001f
9042Author: djm@openbsd.org <djm@openbsd.org>
9043Date: Fri Jan 30 01:13:33 2015 +0000
9044
9045 upstream commit
9046
9047 avoid more fatal/exit in the packet.c paths that
9048 ssh-keyscan uses; feedback and "looks good" markus@
9049
9050commit 669aee994348468af8b4b2ebd29b602cf2860b22
9051Author: djm@openbsd.org <djm@openbsd.org>
9052Date: Fri Jan 30 01:10:33 2015 +0000
9053
9054 upstream commit
9055
9056 permit KRLs that revoke certificates by serial number or
9057 key ID without scoping to a particular CA; ok markus@
9058
9059commit 7a2c368477e26575d0866247d3313da4256cb2b5
9060Author: djm@openbsd.org <djm@openbsd.org>
9061Date: Fri Jan 30 00:59:19 2015 +0000
9062
9063 upstream commit
9064
9065 missing parentheses after if in do_convert_from() broke
9066 private key conversion from other formats some time in 2010; bz#2345 reported
9067 by jjelen AT redhat.com
9068
9069commit 25f5f78d8bf5c22d9cea8b49de24ebeee648a355
9070Author: djm@openbsd.org <djm@openbsd.org>
9071Date: Fri Jan 30 00:22:25 2015 +0000
9072
9073 upstream commit
9074
9075 fix ssh protocol 1, spotted by miod@
9076
9077commit 9ce86c926dfa6e0635161b035e3944e611cbccf0
9078Author: djm@openbsd.org <djm@openbsd.org>
9079Date: Wed Jan 28 22:36:00 2015 +0000
9080
9081 upstream commit
9082
9083 update to new API (key_fingerprint => sshkey_fingerprint)
9084 check sshkey_fingerprint return values; ok markus
9085
9086commit 9125525c37bf73ad3ee4025520889d2ce9d10f29
9087Author: djm@openbsd.org <djm@openbsd.org>
9088Date: Wed Jan 28 22:05:31 2015 +0000
9089
9090 upstream commit
9091
9092 avoid fatal() calls in packet code makes ssh-keyscan more
9093 reliable against server failures ok dtucker@ markus@
9094
9095commit fae7bbe544cba7a9e5e4ab47ff6faa3d978646eb
9096Author: djm@openbsd.org <djm@openbsd.org>
9097Date: Wed Jan 28 21:15:47 2015 +0000
9098
9099 upstream commit
9100
9101 avoid fatal() calls in packet code makes ssh-keyscan more
9102 reliable against server failures ok dtucker@ markus@
9103
9104commit 1a3d14f6b44a494037c7deab485abe6496bf2c60
9105Author: djm@openbsd.org <djm@openbsd.org>
9106Date: Wed Jan 28 11:07:25 2015 +0000
9107
9108 upstream commit
9109
9110 remove obsolete comment
9111
9112commit 80c25b7bc0a71d75c43a4575d9a1336f589eb639
9113Author: okan@openbsd.org <okan@openbsd.org>
9114Date: Tue Jan 27 12:54:06 2015 +0000
9115
9116 upstream commit
9117
9118 Since r1.2 removed the use of PRI* macros, inttypes.h is
9119 no longer required.
9120
9121 ok djm@
9122
9123commit 69ff64f69615c2a21c97cb5878a0996c21423257
9124Author: Damien Miller <djm@mindrot.org>
9125Date: Tue Jan 27 23:07:43 2015 +1100
9126
9127 compile on systems without TCP_MD5SIG (e.g. OSX)
9128
9129commit 358964f3082fb90b2ae15bcab07b6105cfad5a43
9130Author: Damien Miller <djm@mindrot.org>
9131Date: Tue Jan 27 23:07:25 2015 +1100
9132
9133 use ssh-keygen under test rather than system's
9134
9135commit a2c95c1bf33ea53038324d1fdd774bc953f98236
9136Author: Damien Miller <djm@mindrot.org>
9137Date: Tue Jan 27 23:06:59 2015 +1100
9138
9139 OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX
9140
9141commit ade31d7b6f608a19b85bee29a7a00b1e636a2919
9142Author: Damien Miller <djm@mindrot.org>
9143Date: Tue Jan 27 23:06:23 2015 +1100
9144
9145 these need active_state defined to link on OSX
9146
9147 temporary measure until active_state goes away entirely
9148
9149commit e56aa87502f22c5844918c10190e8b4f785f067b
9150Author: djm@openbsd.org <djm@openbsd.org>
9151Date: Tue Jan 27 12:01:36 2015 +0000
9152
9153 upstream commit
9154
9155 use printf instead of echo -n to reduce diff against
9156 -portable
9157
9158commit 9f7637f56eddfaf62ce3c0af89c25480f2cf1068
9159Author: jmc@openbsd.org <jmc@openbsd.org>
9160Date: Mon Jan 26 13:55:29 2015 +0000
9161
9162 upstream commit
9163
9164 sort previous;
9165
9166commit 3076ee7d530d5b16842fac7a6229706c7e5acd26
9167Author: djm@openbsd.org <djm@openbsd.org>
9168Date: Mon Jan 26 13:36:53 2015 +0000
9169
9170 upstream commit
9171
9172 properly restore umask
9173
9174commit d411d395556b73ba1b9e451516a0bd6697c4b03d
9175Author: djm@openbsd.org <djm@openbsd.org>
9176Date: Mon Jan 26 06:12:18 2015 +0000
9177
9178 upstream commit
9179
9180 regression test for host key rotation
9181
9182commit fe8a3a51699afbc6407a8fae59b73349d01e49f8
9183Author: djm@openbsd.org <djm@openbsd.org>
9184Date: Mon Jan 26 06:11:28 2015 +0000
9185
9186 upstream commit
9187
9188 adapt to sshkey API tweaks
9189
9190commit 7dd355fb1f0038a3d5cdca57ebab4356c7a5b434
9191Author: miod@openbsd.org <miod@openbsd.org>
9192Date: Sat Jan 24 10:39:21 2015 +0000
9193
9194 upstream commit
9195
9196 Move -lz late in the linker commandline for things to
9197 build on static arches.
9198
9199commit 0dad3b806fddb93c475b30853b9be1a25d673a33
9200Author: miod@openbsd.org <miod@openbsd.org>
9201Date: Fri Jan 23 21:21:23 2015 +0000
9202
9203 upstream commit
9204
9205 -Wpointer-sign is supported by gcc 4 only.
9206
9207commit 2b3b1c1e4bd9577b6e780c255c278542ea66c098
9208Author: djm@openbsd.org <djm@openbsd.org>
9209Date: Tue Jan 20 22:58:57 2015 +0000
9210
9211 upstream commit
9212
9213 use SUBDIR to recuse into unit tests; makes "make obj"
9214 actually work
9215
9216commit 1d1092bff8db27080155541212b420703f8b9c92
9217Author: djm@openbsd.org <djm@openbsd.org>
9218Date: Mon Jan 26 12:16:36 2015 +0000
9219
9220 upstream commit
9221
9222 correct description of UpdateHostKeys in ssh_config.5 and
9223 add it to -o lists for ssh, scp and sftp; pointed out by jmc@
9224
9225commit 5104db7cbd6cdd9c5971f4358e74414862fc1022
9226Author: djm@openbsd.org <djm@openbsd.org>
9227Date: Mon Jan 26 06:10:03 2015 +0000
9228
9229 upstream commit
9230
9231 correctly match ECDSA subtype (== curve) for
9232 offered/recevied host keys. Fixes connection-killing host key mismatches when
9233 a server offers multiple ECDSA keys with different curve type (an extremely
9234 unlikely configuration).
9235
9236 ok markus, "looks mechanical" deraadt@
9237
9238commit 8d4f87258f31cb6def9b3b55b6a7321d84728ff2
9239Author: djm@openbsd.org <djm@openbsd.org>
9240Date: Mon Jan 26 03:04:45 2015 +0000
9241
9242 upstream commit
9243
9244 Host key rotation support.
9245
9246 Add a hostkeys@openssh.com protocol extension (global request) for
9247 a server to inform a client of all its available host key after
9248 authentication has completed. The client may record the keys in
9249 known_hosts, allowing it to upgrade to better host key algorithms
9250 and a server to gracefully rotate its keys.
9251
9252 The client side of this is controlled by a UpdateHostkeys config
9253 option (default on).
9254
9255 ok markus@
9256
9257commit 60b1825262b1f1e24fc72050b907189c92daf18e
9258Author: djm@openbsd.org <djm@openbsd.org>
9259Date: Mon Jan 26 02:59:11 2015 +0000
9260
9261 upstream commit
9262
9263 small refactor and add some convenience functions; ok
9264 markus
9265
9266commit a5a3e3328ddce91e76f71ff479022d53e35c60c9
9267Author: jmc@openbsd.org <jmc@openbsd.org>
9268Date: Thu Jan 22 21:00:42 2015 +0000
9269
9270 upstream commit
9271
9272 heirarchy -> hierarchy;
9273
9274commit dcff5810a11195c57e1b3343c0d6b6f2b9974c11
9275Author: deraadt@openbsd.org <deraadt@openbsd.org>
9276Date: Thu Jan 22 20:24:41 2015 +0000
9277
9278 upstream commit
9279
9280 Provide a warning about chroot misuses (which sadly, seem
9281 to have become quite popular because shiny). sshd cannot detect/manage/do
9282 anything about these cases, best we can do is warn in the right spot in the
9283 man page. ok markus
9284
9285commit 087266ec33c76fc8d54ac5a19efacf2f4a4ca076
9286Author: deraadt@openbsd.org <deraadt@openbsd.org>
9287Date: Tue Jan 20 23:14:00 2015 +0000
9288
9289 upstream commit
9290
9291 Reduce use of <sys/param.h> and transition to <limits.h>
9292 throughout. ok djm markus
9293
9294commit 57e783c8ba2c0797f93977e83b2a8644a03065d8
9295Author: markus@openbsd.org <markus@openbsd.org>
9296Date: Tue Jan 20 20:16:21 2015 +0000
9297
9298 upstream commit
9299
9300 kex_setup errors are fatal()
9301
9302commit 1d6424a6ff94633c221297ae8f42d54e12a20912
9303Author: djm@openbsd.org <djm@openbsd.org>
9304Date: Tue Jan 20 08:02:33 2015 +0000
9305
9306 upstream commit
9307
9308 this test would accidentally delete agent.sh if run without
9309 obj/
9310
9311commit 12b5f50777203e12575f1b08568281e447249ed3
9312Author: djm@openbsd.org <djm@openbsd.org>
9313Date: Tue Jan 20 07:56:44 2015 +0000
9314
9315 upstream commit
9316
9317 make this compile with KERBEROS5 enabled
9318
9319commit e2cc6bef08941256817d44d146115b3478586ad4
9320Author: djm@openbsd.org <djm@openbsd.org>
9321Date: Tue Jan 20 07:55:33 2015 +0000
9322
9323 upstream commit
9324
9325 fix hostkeys in agent; ok markus@
9326
9327commit 1ca3e2155aa5d3801a7ae050f85c71f41fcb95b1
9328Author: Damien Miller <djm@mindrot.org>
9329Date: Tue Jan 20 10:11:31 2015 +1100
9330
9331 fix kex test
9332
9333commit c78a578107c7e6dcf5d30a2f34cb6581bef14029
9334Author: markus@openbsd.org <markus@openbsd.org>
9335Date: Mon Jan 19 20:45:25 2015 +0000
9336
9337 upstream commit
9338
9339 finally enable the KEX tests I wrote some years ago...
9340
9341commit 31821d7217e686667d04935aeec99e1fc4a46e7e
9342Author: markus@openbsd.org <markus@openbsd.org>
9343Date: Mon Jan 19 20:42:31 2015 +0000
9344
9345 upstream commit
9346
9347 adapt to new error message (SSH_ERR_MAC_INVALID)
9348
9349commit d3716ca19e510e95d956ae14d5b367e364bff7f1
9350Author: djm@openbsd.org <djm@openbsd.org>
9351Date: Mon Jan 19 17:31:13 2015 +0000
9352
9353 upstream commit
9354
9355 this test was broken in at least two ways, such that it
9356 wasn't checking that a KRL was not excluding valid keys
9357
9358commit 3f797653748e7c2b037dacb57574c01d9ef3b4d3
9359Author: markus@openbsd.org <markus@openbsd.org>
9360Date: Mon Jan 19 20:32:39 2015 +0000
9361
9362 upstream commit
9363
9364 switch ssh-keyscan from setjmp to multiple ssh transport
9365 layer instances ok djm@
9366
9367commit f582f0e917bb0017b00944783cd5f408bf4b0b5e
9368Author: markus@openbsd.org <markus@openbsd.org>
9369Date: Mon Jan 19 20:30:23 2015 +0000
9370
9371 upstream commit
9372
9373 add experimental api for packet layer; ok djm@
9374
9375commit 48b3b2ba75181f11fca7f327058a591f4426cade
9376Author: markus@openbsd.org <markus@openbsd.org>
9377Date: Mon Jan 19 20:20:20 2015 +0000
9378
9379 upstream commit
9380
9381 store compat flags in struct ssh; ok djm@
9382
9383commit 57d10cbe861a235dd269c74fb2fe248469ecee9d
9384Author: markus@openbsd.org <markus@openbsd.org>
9385Date: Mon Jan 19 20:16:15 2015 +0000
9386
9387 upstream commit
9388
9389 adapt kex to sshbuf and struct ssh; ok djm@
9390
9391commit 3fdc88a0def4f86aa88a5846ac079dc964c0546a
9392Author: markus@openbsd.org <markus@openbsd.org>
9393Date: Mon Jan 19 20:07:45 2015 +0000
9394
9395 upstream commit
9396
9397 move dispatch to struct ssh; ok djm@
9398
9399commit 091c302829210c41e7f57c3f094c7b9c054306f0
9400Author: markus@openbsd.org <markus@openbsd.org>
9401Date: Mon Jan 19 19:52:16 2015 +0000
9402
9403 upstream commit
9404
9405 update packet.c & isolate, introduce struct ssh a) switch
9406 packet.c to buffer api and isolate per-connection info into struct ssh b)
9407 (de)serialization of the state is moved from monitor to packet.c c) the old
9408 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
9409 integrated into packet.c with and ok djm@
9410
9411commit 4e62cc68ce4ba20245d208b252e74e91d3785b74
9412Author: djm@openbsd.org <djm@openbsd.org>
9413Date: Mon Jan 19 17:35:48 2015 +0000
9414
9415 upstream commit
9416
9417 fix format strings in (disabled) debugging
9418
9419commit d85e06245907d49a2cd0cfa0abf59150ad616f42
9420Author: djm@openbsd.org <djm@openbsd.org>
9421Date: Mon Jan 19 06:01:32 2015 +0000
9422
9423 upstream commit
9424
9425 be a bit more careful in these tests to ensure that
9426 known_hosts is clean
9427
9428commit 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf
9429Author: djm@openbsd.org <djm@openbsd.org>
9430Date: Sun Jan 18 22:00:18 2015 +0000
9431
9432 upstream commit
9433
9434 regression test for known_host file editing using
9435 ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok
9436 markus@
9437
9438commit 3a2b09d147a565d8a47edf37491e149a02c0d3a3
9439Author: djm@openbsd.org <djm@openbsd.org>
9440Date: Sun Jan 18 19:54:46 2015 +0000
9441
9442 upstream commit
9443
9444 more and better key tests
9445
9446 test signatures and verification
9447 test certificate generation
9448 flesh out nested cert test
9449
9450 removes most of the XXX todo markers
9451
9452commit 589e69fd82724cfc9738f128e4771da2e6405d0d
9453Author: djm@openbsd.org <djm@openbsd.org>
9454Date: Sun Jan 18 19:53:58 2015 +0000
9455
9456 upstream commit
9457
9458 make the signature fuzzing test much more rigorous:
9459 ensure that the fuzzed input cases do not match the original (using new
9460 fuzz_matches_original() function) and check that the verification fails in
9461 each case
9462
9463commit 80603c0daa2538c349c1c152405580b164d5475f
9464Author: djm@openbsd.org <djm@openbsd.org>
9465Date: Sun Jan 18 19:52:44 2015 +0000
9466
9467 upstream commit
9468
9469 add a fuzz_matches_original() function to the fuzzer to
9470 detect fuzz cases that are identical to the original data. Hacky
9471 implementation, but very useful when you need the fuzz to be different, e.g.
9472 when verifying signature
9473
9474commit 87d5495bd337e358ad69c524fcb9495208c0750b
9475Author: djm@openbsd.org <djm@openbsd.org>
9476Date: Sun Jan 18 19:50:55 2015 +0000
9477
9478 upstream commit
9479
9480 better dumps from the fuzzer (shown on errors) -
9481 include the original data as well as the fuzzed copy.
9482
9483commit d59ec478c453a3fff05badbbfd96aa856364f2c2
9484Author: djm@openbsd.org <djm@openbsd.org>
9485Date: Sun Jan 18 19:47:55 2015 +0000
9486
9487 upstream commit
9488
9489 enable hostkey-agent.sh test
9490
9491commit 26b3425170bf840e4b095e1c10bf25a0a3e3a105
9492Author: djm@openbsd.org <djm@openbsd.org>
9493Date: Sat Jan 17 18:54:30 2015 +0000
9494
9495 upstream commit
9496
9497 unit test for hostkeys in ssh-agent
9498
9499commit 9e06a0fb23ec55d9223b26a45bb63c7649e2f2f2
9500Author: markus@openbsd.org <markus@openbsd.org>
9501Date: Thu Jan 15 23:41:29 2015 +0000
9502
9503 upstream commit
9504
9505 add kex unit tests
9506
9507commit d2099dec6da21ae627f6289aedae6bc1d41a22ce
9508Author: deraadt@openbsd.org <deraadt@openbsd.org>
9509Date: Mon Jan 19 00:32:54 2015 +0000
9510
9511 upstream commit
9512
9513 djm, your /usr/include tree is old
9514
9515commit 2b3c3c76c30dc5076fe09d590f5b26880f148a54
9516Author: djm@openbsd.org <djm@openbsd.org>
9517Date: Sun Jan 18 21:51:19 2015 +0000
9518
9519 upstream commit
9520
9521 some feedback from markus@: comment hostkeys_foreach()
9522 context and avoid a member in it.
9523
9524commit cecb30bc2ba6d594366e657d664d5c494b6c8a7f
9525Author: djm@openbsd.org <djm@openbsd.org>
9526Date: Sun Jan 18 21:49:42 2015 +0000
9527
9528 upstream commit
9529
9530 make ssh-keygen use hostkeys_foreach(). Removes some
9531 horrendous code; ok markus@
9532
9533commit ec3d065df3a9557ea96b02d061fd821a18c1a0b9
9534Author: djm@openbsd.org <djm@openbsd.org>
9535Date: Sun Jan 18 21:48:09 2015 +0000
9536
9537 upstream commit
9538
9539 convert load_hostkeys() (hostkey ordering and
9540 known_host matching) to use the new hostkey_foreach() iterator; ok markus
9541
9542commit c29811cc480a260e42fd88849fc86a80c1e91038
9543Author: djm@openbsd.org <djm@openbsd.org>
9544Date: Sun Jan 18 21:40:23 2015 +0000
9545
9546 upstream commit
9547
9548 introduce hostkeys_foreach() to allow iteration over a
9549 known_hosts file or controlled subset thereof. This will allow us to pull out
9550 some ugly and duplicated code, and will be used to implement hostkey rotation
9551 later.
9552
9553 feedback and ok markus
9554
9555commit f101d8291da01bbbfd6fb8c569cfd0cc61c0d346
9556Author: deraadt@openbsd.org <deraadt@openbsd.org>
9557Date: Sun Jan 18 14:01:00 2015 +0000
9558
9559 upstream commit
9560
9561 string truncation due to sizeof(size) ok djm markus
9562
9563commit 35d6022b55b7969fc10c261cb6aa78cc4a5fcc41
9564Author: djm@openbsd.org <djm@openbsd.org>
9565Date: Sun Jan 18 13:33:34 2015 +0000
9566
9567 upstream commit
9568
9569 avoid trailing ',' in host key algorithms
9570
9571commit 7efb455789a0cb76bdcdee91c6060a3dc8f5c007
9572Author: djm@openbsd.org <djm@openbsd.org>
9573Date: Sun Jan 18 13:22:28 2015 +0000
9574
9575 upstream commit
9576
9577 infer key length correctly when user specified a fully-
9578 qualified key name instead of using the -b bits option; ok markus@
9579
9580commit 83f8ffa6a55ccd0ce9d8a205e3e7439ec18fedf5
9581Author: djm@openbsd.org <djm@openbsd.org>
9582Date: Sat Jan 17 18:53:34 2015 +0000
9583
9584 upstream commit
9585
9586 fix hostkeys on ssh agent; found by unit test I'm about
9587 to commit
9588
9589commit 369d61f17657b814124268f99c033e4dc6e436c1
9590Author: schwarze@openbsd.org <schwarze@openbsd.org>
9591Date: Fri Jan 16 16:20:23 2015 +0000
9592
9593 upstream commit
9594
9595 garbage collect empty .No macros mandoc warns about
9596
9597commit bb8b442d32dbdb8521d610e10d8b248d938bd747
9598Author: djm@openbsd.org <djm@openbsd.org>
9599Date: Fri Jan 16 15:55:07 2015 +0000
9600
9601 upstream commit
9602
9603 regression: incorrect error message on
9604 otherwise-successful ssh-keygen -A. Reported by Dmitry Orlov, via deraadt@
9605
9606commit 9010902954a40b59d0bf3df3ccbc3140a653e2bc
9607Author: djm@openbsd.org <djm@openbsd.org>
9608Date: Fri Jan 16 07:19:48 2015 +0000
9609
9610 upstream commit
9611
9612 when hostname canonicalisation is enabled, try to parse
9613 hostnames as addresses before looking them up for canonicalisation. fixes
9614 bz#2074 and avoids needless DNS lookups in some cases; ok markus
9615
9616commit 2ae4f337b2a5fb2841b6b0053b49496fef844d1c
9617Author: deraadt@openbsd.org <deraadt@openbsd.org>
9618Date: Fri Jan 16 06:40:12 2015 +0000
9619
9620 upstream commit
9621
9622 Replace <sys/param.h> with <limits.h> and other less
9623 dirty headers where possible. Annotate <sys/param.h> lines with their
9624 current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
9625 LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
9626 MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
9627 These are the files confirmed through binary verification. ok guenther,
9628 millert, doug (helped with the verification protocol)
9629
9630commit 3c4726f4c24118e8f1bb80bf75f1456c76df072c
9631Author: markus@openbsd.org <markus@openbsd.org>
9632Date: Thu Jan 15 21:38:50 2015 +0000
9633
9634 upstream commit
9635
9636 remove xmalloc, switch to sshbuf
9637
9638commit e17ac01f8b763e4b83976b9e521e90a280acc097
9639Author: markus@openbsd.org <markus@openbsd.org>
9640Date: Thu Jan 15 21:37:14 2015 +0000
9641
9642 upstream commit
9643
9644 switch to sshbuf
9645
9646commit ddef9995a1fa6c7a8ff3b38bfe6cf724bebf13d0
9647Author: naddy@openbsd.org <naddy@openbsd.org>
9648Date: Thu Jan 15 18:32:54 2015 +0000
9649
9650 upstream commit
9651
9652 handle UMAC128 initialization like UMAC; ok djm@ markus@
9653
9654commit f14564c1f7792446bca143580aef0e7ac25dcdae
9655Author: djm@openbsd.org <djm@openbsd.org>
9656Date: Thu Jan 15 11:04:36 2015 +0000
9657
9658 upstream commit
9659
9660 fix regression reported by brad@ for passworded keys without
9661 agent present
9662
9663commit 45c0fd70bb2a88061319dfff20cb12ef7b1bc47e
9664Author: Damien Miller <djm@mindrot.org>
9665Date: Thu Jan 15 22:08:23 2015 +1100
9666
9667 make bitmap test compile
9668
9669commit d333f89abf7179021e5c3f28673f469abe032062
9670Author: djm@openbsd.org <djm@openbsd.org>
9671Date: Thu Jan 15 07:36:28 2015 +0000
9672
9673 upstream commit
9674
9675 unit tests for KRL bitmap
9676
9677commit 7613f828f49c55ff356007ae9645038ab6682556
9678Author: markus@openbsd.org <markus@openbsd.org>
9679Date: Wed Jan 14 09:58:21 2015 +0000
9680
9681 upstream commit
9682
9683 re-add comment about full path
9684
9685commit 6c43b48b307c41cd656b415621a644074579a578
9686Author: markus@openbsd.org <markus@openbsd.org>
9687Date: Wed Jan 14 09:54:38 2015 +0000
9688
9689 upstream commit
9690
9691 don't reset to the installed sshd; connect before
9692 reconfigure, too
9693
9694commit 771bb47a1df8b69061f09462e78aa0b66cd594bf
9695Author: djm@openbsd.org <djm@openbsd.org>
9696Date: Tue Jan 13 14:51:51 2015 +0000
9697
9698 upstream commit
9699
9700 implement a SIGINFO handler so we can discern a stuck
9701 fuzz test from a merely glacial one; prompted by and ok markus
9702
9703commit cfaa57962f8536f3cf0fd7daf4d6a55d6f6de45f
9704Author: djm@openbsd.org <djm@openbsd.org>
9705Date: Tue Jan 13 08:23:26 2015 +0000
9706
9707 upstream commit
9708
9709 use $SSH instead of installed ssh to allow override;
9710 spotted by markus@
9711
9712commit 0920553d0aee117a596b03ed5b49b280d34a32c5
9713Author: djm@openbsd.org <djm@openbsd.org>
9714Date: Tue Jan 13 07:49:49 2015 +0000
9715
9716 upstream commit
9717
9718 regress test for PubkeyAcceptedKeyTypes; ok markus@
9719
9720commit 27ca1a5c0095eda151934bca39a77e391f875d17
9721Author: markus@openbsd.org <markus@openbsd.org>
9722Date: Mon Jan 12 20:13:27 2015 +0000
9723
9724 upstream commit
9725
9726 unbreak parsing of pubkey comments; with gerhard; ok
9727 djm/deraadt
9728
9729commit 55358f0b4e0b83bc0df81c5f854c91b11e0bb4dc
9730Author: djm@openbsd.org <djm@openbsd.org>
9731Date: Mon Jan 12 11:46:32 2015 +0000
9732
9733 upstream commit
9734
9735 fatal if soft-PKCS11 library is missing rather (rather
9736 than continue and fail with a more cryptic error)
9737
9738commit c3554cdd2a1a62434b8161017aa76fa09718a003
9739Author: djm@openbsd.org <djm@openbsd.org>
9740Date: Mon Jan 12 11:12:38 2015 +0000
9741
9742 upstream commit
9743
9744 let this test all supporte key types; pointed out/ok
9745 markus@
9746
9747commit 1129dcfc5a3e508635004bcc05a3574cb7687167
9748Author: djm@openbsd.org <djm@openbsd.org>
9749Date: Thu Jan 15 09:40:00 2015 +0000
9750
9751 upstream commit
9752
9753 sync ssh-keysign, ssh-keygen and some dependencies to the
9754 new buffer/key API; mostly mechanical, ok markus@
9755
9756commit e4ebf5586452bf512da662ac277aaf6ecf0efe7c
9757Author: djm@openbsd.org <djm@openbsd.org>
9758Date: Thu Jan 15 07:57:08 2015 +0000
9759
9760 upstream commit
9761
9762 remove commented-out test code now that it has moved to a
9763 proper unit test
9764
9765commit e81cba066c1e9eb70aba0f6e7c0ff220611b370f
9766Author: djm@openbsd.org <djm@openbsd.org>
9767Date: Wed Jan 14 20:54:29 2015 +0000
9768
9769 upstream commit
9770
9771 whitespace
9772
9773commit 141efe49542f7156cdbc2e4cd0a041d8b1aab622
9774Author: djm@openbsd.org <djm@openbsd.org>
9775Date: Wed Jan 14 20:05:27 2015 +0000
9776
9777 upstream commit
9778
9779 move authfd.c and its tentacles to the new buffer/key
9780 API; ok markus@
9781
9782commit 0088c57af302cda278bd26d8c3ae81d5b6f7c289
9783Author: djm@openbsd.org <djm@openbsd.org>
9784Date: Wed Jan 14 19:33:41 2015 +0000
9785
9786 upstream commit
9787
9788 fix small regression: ssh-agent would return a success
9789 message but an empty signature if asked to sign using an unknown key; ok
9790 markus@
9791
9792commit b03ebe2c22b8166e4f64c37737f4278676e3488d
9793Author: Damien Miller <djm@mindrot.org>
9794Date: Thu Jan 15 03:08:58 2015 +1100
9795
9796 more --without-openssl
9797
9798 fix some regressions caused by upstream merges
9799
9800 enable KRLs now that they no longer require BIGNUMs
9801
9802commit bc42cc6fe784f36df225c44c93b74830027cb5a2
9803Author: Damien Miller <djm@mindrot.org>
9804Date: Thu Jan 15 03:08:29 2015 +1100
9805
9806 kludge around tun API mismatch betterer
9807
9808commit c332110291089b624fa0951fbf2d1ee6de525b9f
9809Author: Damien Miller <djm@mindrot.org>
9810Date: Thu Jan 15 02:59:51 2015 +1100
9811
9812 some systems lack SO_REUSEPORT
9813
9814commit 83b9678a62cbdc74eb2031cf1e1e4ffd58e233ae
9815Author: Damien Miller <djm@mindrot.org>
9816Date: Thu Jan 15 02:35:50 2015 +1100
9817
9818 fix merge botch
9819
9820commit 0cdc5a3eb6fb383569a4da2a30705d9b90428d6b
9821Author: Damien Miller <djm@mindrot.org>
9822Date: Thu Jan 15 02:35:33 2015 +1100
9823
9824 unbreak across API change
9825
9826commit 6e2549ac2b5e7f96cbc2d83a6e0784b120444b47
9827Author: Damien Miller <djm@mindrot.org>
9828Date: Thu Jan 15 02:30:18 2015 +1100
9829
9830 need includes.h for portable OpenSSH
9831
9832commit 72ef7c148c42db7d5632a29f137f8b87b579f2d9
9833Author: Damien Miller <djm@mindrot.org>
9834Date: Thu Jan 15 02:21:31 2015 +1100
9835
9836 support --without-openssl at configure time
9837
9838 Disables and removes dependency on OpenSSL. Many features don't
9839 work and the set of crypto options is greatly restricted. This
9840 will only work on system with native arc4random or /dev/urandom.
9841
9842 Considered highly experimental for now.
9843
9844commit 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9
9845Author: Damien Miller <djm@mindrot.org>
9846Date: Thu Jan 15 02:28:00 2015 +1100
9847
9848 add files missed in last commit
9849
9850commit a165bab605f7be55940bb8fae977398e8c96a46d
9851Author: djm@openbsd.org <djm@openbsd.org>
9852Date: Wed Jan 14 15:02:39 2015 +0000
9853
9854 upstream commit
9855
9856 avoid BIGNUM in KRL code by using a simple bitmap;
9857 feedback and ok markus
9858
9859commit 7d845f4a0b7ec97887be204c3760e44de8bf1f32
9860Author: djm@openbsd.org <djm@openbsd.org>
9861Date: Wed Jan 14 13:54:13 2015 +0000
9862
9863 upstream commit
9864
9865 update sftp client and server to new buffer API. pretty
9866 much just mechanical changes; with & ok markus
9867
9868commit 139ca81866ec1b219c717d17061e5e7ad1059e2a
9869Author: markus@openbsd.org <markus@openbsd.org>
9870Date: Wed Jan 14 13:09:09 2015 +0000
9871
9872 upstream commit
9873
9874 switch to sshbuf/sshkey; with & ok djm@
9875
9876commit 81bfbd0bd35683de5d7f2238b985e5f8150a9180
9877Author: Damien Miller <djm@mindrot.org>
9878Date: Wed Jan 14 21:48:18 2015 +1100
9879
9880 support --without-openssl at configure time
9881
9882 Disables and removes dependency on OpenSSL. Many features don't
9883 work and the set of crypto options is greatly restricted. This
9884 will only work on system with native arc4random or /dev/urandom.
9885
9886 Considered highly experimental for now.
9887
9888commit 54924b53af15ccdcbb9f89984512b5efef641a31
9889Author: djm@openbsd.org <djm@openbsd.org>
9890Date: Wed Jan 14 10:46:28 2015 +0000
9891
9892 upstream commit
9893
9894 avoid an warning for the !OPENSSL case
9895
9896commit ae8b463217f7c9b66655bfc3945c050ffdaeb861
9897Author: markus@openbsd.org <markus@openbsd.org>
9898Date: Wed Jan 14 10:30:34 2015 +0000
9899
9900 upstream commit
9901
9902 swith auth-options to new sshbuf/sshkey; ok djm@
9903
9904commit 540e891191b98b89ee90aacf5b14a4a68635e763
9905Author: djm@openbsd.org <djm@openbsd.org>
9906Date: Wed Jan 14 10:29:45 2015 +0000
9907
9908 upstream commit
9909
9910 make non-OpenSSL aes-ctr work on sshd w/ privsep; ok
9911 markus@
9912
9913commit 60c2c4ea5e1ad0ddfe8b2877b78ed5143be79c53
9914Author: markus@openbsd.org <markus@openbsd.org>
9915Date: Wed Jan 14 10:24:42 2015 +0000
9916
9917 upstream commit
9918
9919 remove unneeded includes, sync my copyright across files
9920 & whitespace; ok djm@
9921
9922commit 128343bcdb0b60fc826f2733df8cf979ec1627b4
9923Author: markus@openbsd.org <markus@openbsd.org>
9924Date: Tue Jan 13 19:31:40 2015 +0000
9925
9926 upstream commit
9927
9928 adapt mac.c to ssherr.h return codes (de-fatal) and
9929 simplify dependencies ok djm@
9930
9931commit e7fd952f4ea01f09ceb068721a5431ac2fd416ed
9932Author: djm@openbsd.org <djm@openbsd.org>
9933Date: Tue Jan 13 19:04:35 2015 +0000
9934
9935 upstream commit
9936
9937 sync changes from libopenssh; prepared by markus@ mostly
9938 debug output tweaks, a couple of error return value changes and some other
9939 minor stuff
9940
9941commit 76c0480a85675f03a1376167cb686abed01a3583
9942Author: Damien Miller <djm@mindrot.org>
9943Date: Tue Jan 13 19:38:18 2015 +1100
9944
9945 add --without-ssh1 option to configure
9946
9947 Allows disabling support for SSH protocol 1.
9948
9949commit 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03
9950Author: djm@openbsd.org <djm@openbsd.org>
9951Date: Tue Jan 13 07:39:19 2015 +0000
9952
9953 upstream commit
9954
9955 add sshd_config HostbasedAcceptedKeyTypes and
9956 PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
9957 will be accepted. Currently defaults to all. Feedback & ok markus@
9958
9959commit 816d1538c24209a93ba0560b27c4fda57c3fff65
9960Author: markus@openbsd.org <markus@openbsd.org>
9961Date: Mon Jan 12 20:13:27 2015 +0000
9962
9963 upstream commit
9964
9965 unbreak parsing of pubkey comments; with gerhard; ok
9966 djm/deraadt
9967
9968commit 0097565f849851812df610b7b6b3c4bd414f6c62
9969Author: markus@openbsd.org <markus@openbsd.org>
9970Date: Mon Jan 12 19:22:46 2015 +0000
9971
9972 upstream commit
9973
9974 missing error assigment on sshbuf_put_string()
9975
9976commit a7f49dcb527dd17877fcb8d5c3a9a6f550e0bba5
9977Author: djm@openbsd.org <djm@openbsd.org>
9978Date: Mon Jan 12 15:18:07 2015 +0000
9979
9980 upstream commit
9981
9982 apparently memcpy(x, NULL, 0) is undefined behaviour
9983 according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls
9984 when length==0; ok markus@
9985
9986commit 905fe30fca82f38213763616d0d26eb6790bde33
9987Author: markus@openbsd.org <markus@openbsd.org>
9988Date: Mon Jan 12 14:05:19 2015 +0000
9989
9990 upstream commit
9991
9992 free->sshkey_free; ok djm@
9993
9994commit f067cca2bc20c86b110174c3fef04086a7f57b13
9995Author: markus@openbsd.org <markus@openbsd.org>
9996Date: Mon Jan 12 13:29:27 2015 +0000
9997
9998 upstream commit
9999
10000 allow WITH_OPENSSL w/o WITH_SSH1; ok djm@
10001
10002commit c4bfafcc2a9300d9cfb3c15e75572d3a7d74670d
10003Author: djm@openbsd.org <djm@openbsd.org>
10004Date: Thu Jan 8 13:10:58 2015 +0000
10005
10006 upstream commit
10007
10008 adjust for sshkey_load_file() API change
10009
10010commit e752c6d547036c602b89e9e704851463bd160e32
10011Author: djm@openbsd.org <djm@openbsd.org>
10012Date: Thu Jan 8 13:44:36 2015 +0000
10013
10014 upstream commit
10015
10016 fix ssh_config FingerprintHash evaluation order; from Petr
10017 Lautrbach
10018
10019commit ab24ab847b0fc94c8d5e419feecff0bcb6d6d1bf
10020Author: djm@openbsd.org <djm@openbsd.org>
10021Date: Thu Jan 8 10:15:45 2015 +0000
10022
10023 upstream commit
10024
10025 reorder hostbased key attempts to better match the
10026 default hostkey algorithms order in myproposal.h; ok markus@
10027
10028commit 1195f4cb07ef4b0405c839293c38600b3e9bdb46
10029Author: djm@openbsd.org <djm@openbsd.org>
10030Date: Thu Jan 8 10:14:08 2015 +0000
10031
10032 upstream commit
10033
10034 deprecate key_load_private_pem() and
10035 sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
10036 not require pathnames to be specified (they weren't really used).
10037
10038 Fixes a few other things en passant:
10039
10040 Makes ed25519 keys work for hostbased authentication (ssh-keysign
10041 previously used the PEM-only routines).
10042
10043 Fixes key comment regression bz#2306: key pathnames were being lost as
10044 comment fields.
10045
10046 ok markus@
10047
10048commit febbe09e4e9aff579b0c5cc1623f756862e4757d
10049Author: tedu@openbsd.org <tedu@openbsd.org>
10050Date: Wed Jan 7 18:15:07 2015 +0000
10051
10052 upstream commit
10053
10054 workaround for the Meyer, et al, Bleichenbacher Side
10055 Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm
10056 markus
10057
10058commit 5191df927db282d3123ca2f34a04d8d96153911a
10059Author: djm@openbsd.org <djm@openbsd.org>
10060Date: Tue Dec 23 22:42:48 2014 +0000
10061
10062 upstream commit
10063
10064 KNF and add a little more debug()
10065
10066commit 8abd80315d3419b20e6938f74d37e2e2b547f0b7
10067Author: jmc@openbsd.org <jmc@openbsd.org>
10068Date: Mon Dec 22 09:26:31 2014 +0000
10069
10070 upstream commit
10071
10072 add fingerprinthash to the options list;
10073
10074commit 296ef0560f60980da01d83b9f0e1a5257826536f
10075Author: jmc@openbsd.org <jmc@openbsd.org>
10076Date: Mon Dec 22 09:24:59 2014 +0000
10077
10078 upstream commit
10079
10080 tweak previous;
10081
10082commit 462082eacbd37778a173afb6b84c6f4d898a18b5
10083Author: Damien Miller <djm@google.com>
10084Date: Tue Dec 30 08:16:11 2014 +1100
10085
10086 avoid uninitialised free of ldns_res
10087
10088 If an invalid rdclass was passed to getrrsetbyname() then
10089 this would execute a free on an uninitialised pointer.
10090 OpenSSH only ever calls this with a fixed and valid rdclass.
10091
10092 Reported by Joshua Rogers
10093
10094commit 01b63498801053f131a0740eb9d13faf35d636c8
10095Author: Damien Miller <djm@google.com>
10096Date: Mon Dec 29 18:10:18 2014 +1100
10097
10098 pull updated OpenBSD BCrypt PBKDF implementation
10099
10100 Includes fix for 1 byte output overflow for large key length
10101 requests (not reachable in OpenSSH).
10102
10103 Pointed out by Joshua Rogers
10104
10105commit c528c1b4af2f06712177b3de9b30705752f7cbcb
10106Author: Damien Miller <djm@google.com>
10107Date: Tue Dec 23 15:26:13 2014 +1100
10108
10109 fix variable name for IPv6 case in construct_utmpx
10110
10111 patch from writeonce AT midipix.org via bz#2296
10112
10113commit 293cac52dcda123244b2e594d15592e5e481c55e
10114Author: Damien Miller <djm@google.com>
10115Date: Mon Dec 22 16:30:42 2014 +1100
10116
10117 include and use OpenBSD netcat in regress/
10118
10119commit 8f6784f0cb56dc4fd00af3e81a10050a5785228d
10120Author: djm@openbsd.org <djm@openbsd.org>
10121Date: Mon Dec 22 09:05:17 2014 +0000
10122
10123 upstream commit
10124
10125 mention ssh -Q feature to list supported { MAC, cipher,
10126 KEX, key } algorithms in more places and include the query string used to
10127 list the relevant information; bz#2288
10128
10129commit 449e11b4d7847079bd0a2daa6e3e7ea03d8ef700
10130Author: jmc@openbsd.org <jmc@openbsd.org>
10131Date: Mon Dec 22 08:24:17 2014 +0000
10132
10133 upstream commit
10134
10135 tweak previous;
10136
10137commit 4bea0ab3290c0b9dd2aa199e932de8e7e18062d6
10138Author: djm@openbsd.org <djm@openbsd.org>
10139Date: Mon Dec 22 08:06:03 2014 +0000
10140
10141 upstream commit
10142
10143 regression test for multiple required pubkey authentication;
10144 ok markus@
10145
10146commit f1c4d8ec52158b6f57834b8cd839605b0a33e7f2
10147Author: djm@openbsd.org <djm@openbsd.org>
10148Date: Mon Dec 22 08:04:23 2014 +0000
10149
10150 upstream commit
10151
10152 correct description of what will happen when a
10153 AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd
10154 will refuse to start)
10155
10156commit 161cf419f412446635013ac49e8c660cadc36080
10157Author: djm@openbsd.org <djm@openbsd.org>
10158Date: Mon Dec 22 07:55:51 2014 +0000
10159
10160 upstream commit
10161
10162 make internal handling of filename arguments of "none"
10163 more consistent with ssh. "none" arguments are now replaced with NULL when
10164 the configuration is finalised.
10165
10166 Simplifies checking later on (just need to test not-NULL rather than
10167 that + strcmp) and cleans up some inconsistencies. ok markus@
10168
10169commit f69b69b8625be447b8826b21d87713874dac25a6
10170Author: djm@openbsd.org <djm@openbsd.org>
10171Date: Mon Dec 22 07:51:30 2014 +0000
10172
10173 upstream commit
10174
10175 remember which public keys have been used for
10176 authentication and refuse to accept previously-used keys.
10177
10178 This allows AuthenticationMethods=publickey,publickey to require
10179 that users authenticate using two _different_ pubkeys.
10180
10181 ok markus@
10182
10183commit 46ac2ed4677968224c4ca825bc98fc68dae183f0
10184Author: djm@openbsd.org <djm@openbsd.org>
10185Date: Mon Dec 22 07:24:11 2014 +0000
10186
10187 upstream commit
10188
10189 fix passing of wildcard forward bind addresses when
10190 connection multiplexing is in use; patch from Sami Hartikainen via bz#2324;
10191 ok dtucker@
10192
10193commit 0d1b241a262e4d0a6bbfdd595489ab1b853c43a1
10194Author: djm@openbsd.org <djm@openbsd.org>
10195Date: Mon Dec 22 06:14:29 2014 +0000
10196
10197 upstream commit
10198
10199 make this slightly easier to diff against portable
10200
10201commit 0715bcdddbf68953964058f17255bf54734b8737
10202Author: Damien Miller <djm@mindrot.org>
10203Date: Mon Dec 22 13:47:07 2014 +1100
10204
10205 add missing regress output file
10206
10207commit 1e30483c8ad2c2f39445d4a4b6ab20c241e40593
10208Author: djm@openbsd.org <djm@openbsd.org>
10209Date: Mon Dec 22 02:15:52 2014 +0000
10210
10211 upstream commit
10212
10213 adjust for new SHA256 key fingerprints and
10214 slightly-different MD5 hex fingerprint format
10215
10216commit 6b40567ed722df98593ad8e6a2d2448fc2b4b151
10217Author: djm@openbsd.org <djm@openbsd.org>
10218Date: Mon Dec 22 01:14:49 2014 +0000
10219
10220 upstream commit
10221
10222 poll changes to netcat (usr.bin/netcat.c r1.125) broke
10223 this test; fix it by ensuring more stdio fds are sent to devnull
10224
10225commit a5375ccb970f49dddf7d0ef63c9b713ede9e7260
10226Author: jmc@openbsd.org <jmc@openbsd.org>
10227Date: Sun Dec 21 23:35:14 2014 +0000
10228
10229 upstream commit
10230
10231 tweak previous;
10232
10233commit b79efde5c3badf5ce4312fe608d8307eade533c5
10234Author: djm@openbsd.org <djm@openbsd.org>
10235Date: Sun Dec 21 23:12:42 2014 +0000
10236
10237 upstream commit
10238
10239 document FingerprintHash here too
10240
10241commit d16bdd8027dd116afa01324bb071a4016cdc1a75
10242Author: Damien Miller <djm@mindrot.org>
10243Date: Mon Dec 22 10:18:09 2014 +1100
10244
10245 missing include for base64 encoding
10246
10247commit 56d1c83cdd1ac76f1c6bd41e01e80dad834f3994
10248Author: djm@openbsd.org <djm@openbsd.org>
10249Date: Sun Dec 21 22:27:55 2014 +0000
10250
10251 upstream commit
10252
10253 Add FingerprintHash option to control algorithm used for
10254 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
10255 base64.
10256
10257 Feedback and ok naddy@ markus@
10258
10259commit 058f839fe15c51be8b3a844a76ab9a8db550be4f
10260Author: djm@openbsd.org <djm@openbsd.org>
10261Date: Thu Dec 18 23:58:04 2014 +0000
10262
10263 upstream commit
10264
10265 don't count partial authentication success as a failure
10266 against MaxAuthTries; ok deraadt@
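
Review bot: several entries in this tail region of ChangeLog record security-relevant changes whose only stable reference is the commit id: febbe09e (workaround for the Bleichenbacher side channel, faking up a bignum key before RSA decryption), 462082ea (free of an uninitialised ldns_res pointer when getrrsetbyname() is passed an invalid rdclass), 01b63498 (1-byte output overflow in the bcrypt PBKDF for large key length requests) and f69b69b8 (refusing previously-used public keys so that AuthenticationMethods=publickey,publickey requires two different keys). None of these carries a CVE id or a bz number. The diffstat for this import shows 2043 deletions in ChangeLog, so if this region is on the removed side, please confirm that the truncation matches what the openssh_7.5p1 tarball ships rather than being an import artefact. The commit ids above should still resolve in the upstream history for anyone auditing these fixes later.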