46 files changed, 191 insertions, 1727 deletions
@@ -1,3 +1,86 @@ | |||
1 | commit c88ac102f0eb89f2eaa314cb2e2e0ca3c890c443 | ||
2 | Author: Damien Miller <djm@mindrot.org> | ||
3 | Date: Thu Jan 14 11:08:19 2016 +1100 | ||
4 | |||
5 | bump version numbers | ||
6 | |||
7 | commit 302bc21e6fadacb04b665868cd69b625ef69df90 | ||
8 | Author: Damien Miller <djm@mindrot.org> | ||
9 | Date: Thu Jan 14 11:04:04 2016 +1100 | ||
10 | |||
11 | openssh-7.1p2 | ||
12 | |||
13 | commit 6b33763242c063e4e0593877e835eeb1fd1b60aa | ||
14 | Author: Damien Miller <djm@mindrot.org> | ||
15 | Date: Thu Jan 14 11:02:58 2016 +1100 | ||
16 | |||
17 | forcibly disable roaming support in the client | ||
18 | |||
19 | commit 34d364f0d2e1e30a444009f0e04299bb7c94ba13 | ||
20 | Author: djm@openbsd.org <djm@openbsd.org> | ||
21 | Date: Mon Oct 5 17:11:21 2015 +0000 | ||
22 | |||
23 | upstream commit | ||
24 | |||
25 | some more bzero->explicit_bzero, from Michael McConville | ||
26 | |||
27 | Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0 | ||
28 | |||
29 | commit 8f5b93026797b9f7fba90d0c717570421ccebbd3 | ||
30 | Author: guenther@openbsd.org <guenther@openbsd.org> | ||
31 | Date: Fri Sep 11 08:50:04 2015 +0000 | ||
32 | |||
33 | upstream commit | ||
34 | |||
35 | Use explicit_bzero() when zeroing before free() | ||
36 | |||
37 | from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu) | ||
38 | ok millert@ djm@ | ||
39 | |||
40 | Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50 | ||
41 | |||
42 | commit d77148e3a3ef6c29b26ec74331455394581aa257 | ||
43 | Author: djm@openbsd.org <djm@openbsd.org> | ||
44 | Date: Sun Nov 8 21:59:11 2015 +0000 | ||
45 | |||
46 | upstream commit | ||
47 | |||
48 | fix OOB read in packet code caused by missing return | ||
49 | statement found by Ben Hawkes; ok markus@ deraadt@ | ||
50 | |||
51 | Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 | ||
52 | |||
53 | commit 076d849e17ab12603627f87b301e2dca71bae518 | ||
54 | Author: Damien Miller <djm@mindrot.org> | ||
55 | Date: Sat Nov 14 18:44:49 2015 +1100 | ||
56 | |||
57 | read back from libcrypto RAND when privdropping | ||
58 | |||
59 | makes certain libcrypto implementations cache a /dev/urandom fd | ||
60 | in preparation of sandboxing. Based on patch by Greg Hartman. | ||
61 | |||
62 | commit f72adc0150011a28f177617a8456e1f83733099d | ||
63 | Author: djm@openbsd.org <djm@openbsd.org> | ||
64 | Date: Sun Dec 13 22:42:23 2015 +0000 | ||
65 | |||
66 | upstream commit | ||
67 | |||
68 | unbreak connections with peers that set | ||
69 | first_kex_follows; fix from Matt Johnston va bz#2515 | ||
70 | |||
71 | Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b | ||
72 | |||
73 | commit 04bd8d019ccd906cac1a2b362517b8505f3759e6 | ||
74 | Author: djm@openbsd.org <djm@openbsd.org> | ||
75 | Date: Tue Jan 12 23:42:54 2016 +0000 | ||
76 | |||
77 | upstream commit | ||
78 | |||
79 | use explicit_bzero() more liberally in the buffer code; ok | ||
80 | deraadt | ||
81 | |||
82 | Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf | ||
83 | |||
1 | commit e91346dc2bbf460246df2ab591b7613908c1b0ad | 84 | commit e91346dc2bbf460246df2ab591b7613908c1b0ad |
2 | Author: Damien Miller <djm@mindrot.org> | 85 | Author: Damien Miller <djm@mindrot.org> |
3 | Date: Fri Aug 21 14:49:03 2015 +1000 | 86 | Date: Fri Aug 21 14:49:03 2015 +1000 |
@@ -7530,1604 +7613,3 @@ Date: Thu Jan 16 18:42:10 2014 +1100 | |||
7530 | [sftp-client.c] | 7613 | [sftp-client.c] |
7531 | needless and incorrect cast to size_t can break resumption of | 7614 | needless and incorrect cast to size_t can break resumption of |
7532 | large download; patch from tobias@ | 7615 | large download; patch from tobias@ |
7533 | |||
7534 | commit 91b580e4bec55118bf96ab3cdbe5a50839e75d0a | ||
7535 | Author: Damien Miller <djm@mindrot.org> | ||
7536 | Date: Sun Jan 12 19:21:22 2014 +1100 | ||
7537 | |||
7538 | - djm@cvs.openbsd.org 2014/01/12 08:13:13 | ||
7539 | [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] | ||
7540 | [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] | ||
7541 | avoid use of OpenSSL BIGNUM type and functions for KEX with | ||
7542 | Curve25519 by adding a buffer_put_bignum2_from_string() that stores | ||
7543 | a string using the bignum encoding rules. Will make it easier to | ||
7544 | build a reduced-feature OpenSSH without OpenSSL in the future; | ||
7545 | ok markus@ | ||
7546 | |||
7547 | commit af5d4481f4c7c8c3c746e68b961bb85ef907800e | ||
7548 | Author: Damien Miller <djm@mindrot.org> | ||
7549 | Date: Sun Jan 12 19:20:47 2014 +1100 | ||
7550 | |||
7551 | - djm@cvs.openbsd.org 2014/01/10 05:59:19 | ||
7552 | [sshd_config] | ||
7553 | the /etc/ssh/ssh_host_ed25519_key is loaded by default too | ||
7554 | |||
7555 | commit 58cd63bc63038acddfb4051ed14e11179d8f4941 | ||
7556 | Author: Damien Miller <djm@mindrot.org> | ||
7557 | Date: Fri Jan 10 10:59:24 2014 +1100 | ||
7558 | |||
7559 | - djm@cvs.openbsd.org 2014/01/09 23:26:48 | ||
7560 | [sshconnect.c sshd.c] | ||
7561 | ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, | ||
7562 | deranged and might make some attacks on KEX easier; ok markus@ | ||
7563 | |||
7564 | commit b3051d01e505c9c2dc00faab472a0d06fa6b0e65 | ||
7565 | Author: Damien Miller <djm@mindrot.org> | ||
7566 | Date: Fri Jan 10 10:58:53 2014 +1100 | ||
7567 | |||
7568 | - djm@cvs.openbsd.org 2014/01/09 23:20:00 | ||
7569 | [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] | ||
7570 | [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] | ||
7571 | [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] | ||
7572 | [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] | ||
7573 | Introduce digest API and use it to perform all hashing operations | ||
7574 | rather than calling OpenSSL EVP_Digest* directly. Will make it easier | ||
7575 | to build a reduced-feature OpenSSH without OpenSSL in future; | ||
7576 | feedback, ok markus@ | ||
7577 | |||
7578 | commit e00e413dd16eb747fb2c15a099971d91c13cf70f | ||
7579 | Author: Damien Miller <djm@mindrot.org> | ||
7580 | Date: Fri Jan 10 10:40:45 2014 +1100 | ||
7581 | |||
7582 | - guenther@cvs.openbsd.org 2014/01/09 03:26:00 | ||
7583 | [sftp-common.c] | ||
7584 | When formating the time for "ls -l"-style output, show dates in the future | ||
7585 | with the year, and rearrange a comparison to avoid a potentional signed | ||
7586 | arithmetic overflow that would give the wrong result. | ||
7587 | |||
7588 | ok djm@ | ||
7589 | |||
7590 | commit 3e49853650448883685cfa32fa382d0ba6d51d48 | ||
7591 | Author: Damien Miller <djm@mindrot.org> | ||
7592 | Date: Fri Jan 10 10:37:05 2014 +1100 | ||
7593 | |||
7594 | - tedu@cvs.openbsd.org 2014/01/04 17:50:55 | ||
7595 | [mac.c monitor_mm.c monitor_mm.h xmalloc.c] | ||
7596 | use standard types and formats for size_t like variables. ok dtucker | ||
7597 | |||
7598 | commit a9c1e500ef609795cbc662848edb1a1dca279c81 | ||
7599 | Author: Damien Miller <djm@mindrot.org> | ||
7600 | Date: Wed Jan 8 16:13:12 2014 +1100 | ||
7601 | |||
7602 | - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ | ||
7603 | |||
7604 | commit 324541e5264e1489ca0babfaf2b39612eb80dfb3 | ||
7605 | Author: Damien Miller <djm@mindrot.org> | ||
7606 | Date: Tue Dec 31 12:25:40 2013 +1100 | ||
7607 | |||
7608 | - djm@cvs.openbsd.org 2013/12/30 23:52:28 | ||
7609 | [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] | ||
7610 | [sshconnect.c sshconnect2.c sshd.c] | ||
7611 | refuse RSA keys from old proprietary clients/servers that use the | ||
7612 | obsolete RSA+MD5 signature scheme. it will still be possible to connect | ||
7613 | with these clients/servers but only DSA keys will be accepted, and we'll | ||
7614 | deprecate them entirely in a future release. ok markus@ | ||
7615 | |||
7616 | commit 9f4c8e797ea002a883307ca906f1f1f815010e78 | ||
7617 | Author: Damien Miller <djm@mindrot.org> | ||
7618 | Date: Sun Dec 29 17:57:46 2013 +1100 | ||
7619 | |||
7620 | - (djm) [regress/Makefile] Add some generated files for cleaning | ||
7621 | |||
7622 | commit 106bf1ca3c7a5fdc34f9fd7a1fe651ca53085bc5 | ||
7623 | Author: Damien Miller <djm@mindrot.org> | ||
7624 | Date: Sun Dec 29 17:54:03 2013 +1100 | ||
7625 | |||
7626 | - djm@cvs.openbsd.org 2013/12/29 05:57:02 | ||
7627 | [sshconnect.c] | ||
7628 | when showing other hostkeys, don't forget Ed25519 keys | ||
7629 | |||
7630 | commit 0fa47cfb32c239117632cab41e4db7d3e6de5e91 | ||
7631 | Author: Damien Miller <djm@mindrot.org> | ||
7632 | Date: Sun Dec 29 17:53:39 2013 +1100 | ||
7633 | |||
7634 | - djm@cvs.openbsd.org 2013/12/29 05:42:16 | ||
7635 | [ssh.c] | ||
7636 | don't forget to load Ed25519 certs too | ||
7637 | |||
7638 | commit b9a95490daa04cc307589897f95bfaff324ad2c9 | ||
7639 | Author: Damien Miller <djm@mindrot.org> | ||
7640 | Date: Sun Dec 29 17:50:15 2013 +1100 | ||
7641 | |||
7642 | - djm@cvs.openbsd.org 2013/12/29 04:35:50 | ||
7643 | [authfile.c] | ||
7644 | don't refuse to load Ed25519 certificates | ||
7645 | |||
7646 | commit f72cdde6e6fabc51d2a62f4e75b8b926d9d7ee89 | ||
7647 | Author: Damien Miller <djm@mindrot.org> | ||
7648 | Date: Sun Dec 29 17:49:55 2013 +1100 | ||
7649 | |||
7650 | - djm@cvs.openbsd.org 2013/12/29 04:29:25 | ||
7651 | [authfd.c] | ||
7652 | allow deletion of ed25519 keys from the agent | ||
7653 | |||
7654 | commit 29ace1cb68cc378a464c72c0fd67aa5f9acd6b5b | ||
7655 | Author: Damien Miller <djm@mindrot.org> | ||
7656 | Date: Sun Dec 29 17:49:31 2013 +1100 | ||
7657 | |||
7658 | - djm@cvs.openbsd.org 2013/12/29 04:20:04 | ||
7659 | [key.c] | ||
7660 | to make sure we don't omit any key types as valid CA keys again, | ||
7661 | factor the valid key type check into a key_type_is_valid_ca() | ||
7662 | function | ||
7663 | |||
7664 | commit 9de4fcdc5a9cff48d49a3e2f6194d3fb2d7ae34d | ||
7665 | Author: Damien Miller <djm@mindrot.org> | ||
7666 | Date: Sun Dec 29 17:49:13 2013 +1100 | ||
7667 | |||
7668 | - djm@cvs.openbsd.org 2013/12/29 02:49:52 | ||
7669 | [key.c] | ||
7670 | correct comment for key_drop_cert() | ||
7671 | |||
7672 | commit 5baeacf8a80f054af40731c6f92435f9164b8e02 | ||
7673 | Author: Damien Miller <djm@mindrot.org> | ||
7674 | Date: Sun Dec 29 17:48:55 2013 +1100 | ||
7675 | |||
7676 | - djm@cvs.openbsd.org 2013/12/29 02:37:04 | ||
7677 | [key.c] | ||
7678 | correct comment for key_to_certified() | ||
7679 | |||
7680 | commit 83f2fe26cb19330712c952eddbd3c0b621674adc | ||
7681 | Author: Damien Miller <djm@mindrot.org> | ||
7682 | Date: Sun Dec 29 17:48:38 2013 +1100 | ||
7683 | |||
7684 | - djm@cvs.openbsd.org 2013/12/29 02:28:10 | ||
7685 | [key.c] | ||
7686 | allow ed25519 keys to appear as certificate authorities | ||
7687 | |||
7688 | commit 06122e9a74bb488b0fe0a8f64e1135de870f9cc0 | ||
7689 | Author: Damien Miller <djm@mindrot.org> | ||
7690 | Date: Sun Dec 29 17:48:15 2013 +1100 | ||
7691 | |||
7692 | - djm@cvs.openbsd.org 2013/12/27 22:37:18 | ||
7693 | [ssh-rsa.c] | ||
7694 | correct comment | ||
7695 | |||
7696 | commit 3e19295c3a253c8dc8660cf45baad7f45fccb969 | ||
7697 | Author: Damien Miller <djm@mindrot.org> | ||
7698 | Date: Sun Dec 29 17:47:50 2013 +1100 | ||
7699 | |||
7700 | - djm@cvs.openbsd.org 2013/12/27 22:30:17 | ||
7701 | [ssh-dss.c ssh-ecdsa.c ssh-rsa.c] | ||
7702 | make the original RSA and DSA signing/verification code look more like | ||
7703 | the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type | ||
7704 | rather than tediously listing all variants, use __func__ for debug/ | ||
7705 | error messages | ||
7706 | |||
7707 | commit 137977180be6254639e2c90245763e6965f8d815 | ||
7708 | Author: Damien Miller <djm@mindrot.org> | ||
7709 | Date: Sun Dec 29 17:47:14 2013 +1100 | ||
7710 | |||
7711 | - tedu@cvs.openbsd.org 2013/12/21 07:10:47 | ||
7712 | [ssh-keygen.1] | ||
7713 | small typo | ||
7714 | |||
7715 | commit 339a48fe7ffb3186d22bbaa9efbbc3a053e602fd | ||
7716 | Author: Damien Miller <djm@mindrot.org> | ||
7717 | Date: Sun Dec 29 17:46:49 2013 +1100 | ||
7718 | |||
7719 | - djm@cvs.openbsd.org 2013/12/19 22:57:13 | ||
7720 | [poly1305.c poly1305.h] | ||
7721 | use full name for author, with his permission | ||
7722 | |||
7723 | commit 0b36c83148976c7c8268f4f41497359e2fb26251 | ||
7724 | Author: Damien Miller <djm@mindrot.org> | ||
7725 | Date: Sun Dec 29 17:45:51 2013 +1100 | ||
7726 | |||
7727 | - djm@cvs.openbsd.org 2013/12/19 01:19:41 | ||
7728 | [ssh-agent.c] | ||
7729 | bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent | ||
7730 | that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; | ||
7731 | ok dtucker | ||
7732 | |||
7733 | commit 4def184e9b6c36be6d965a9705632fc4c0c2a8af | ||
7734 | Author: Damien Miller <djm@mindrot.org> | ||
7735 | Date: Sun Dec 29 17:45:26 2013 +1100 | ||
7736 | |||
7737 | - djm@cvs.openbsd.org 2013/12/19 01:04:36 | ||
7738 | [channels.c] | ||
7739 | bz#2147: fix multiple remote forwardings with dynamically assigned | ||
7740 | listen ports. In the s->c message to open the channel we were sending | ||
7741 | zero (the magic number to request a dynamic port) instead of the actual | ||
7742 | listen port. The client therefore had no way of discriminating between | ||
7743 | them. | ||
7744 | |||
7745 | Diagnosis and fix by ronf AT timeheart.net | ||
7746 | |||
7747 | commit bf25d114e23a803f8feca8926281b1aaedb6191b | ||
7748 | Author: Damien Miller <djm@mindrot.org> | ||
7749 | Date: Sun Dec 29 17:44:56 2013 +1100 | ||
7750 | |||
7751 | - djm@cvs.openbsd.org 2013/12/19 00:27:57 | ||
7752 | [auth-options.c] | ||
7753 | simplify freeing of source-address certificate restriction | ||
7754 | |||
7755 | commit bb3dafe7024a5b4e851252e65ee35d45b965e4a8 | ||
7756 | Author: Damien Miller <djm@mindrot.org> | ||
7757 | Date: Sun Dec 29 17:44:29 2013 +1100 | ||
7758 | |||
7759 | - dtucker@cvs.openbsd.org 2013/12/19 00:19:12 | ||
7760 | [serverloop.c] | ||
7761 | Cast client_alive_interval to u_int64_t before assinging to | ||
7762 | max_time_milliseconds to avoid potential integer overflow in the timeout. | ||
7763 | bz#2170, patch from Loganaden Velvindron, ok djm@ | ||
7764 | |||
7765 | commit ef275ead3dcadde4db1efe7a0aa02b5e618ed40c | ||
7766 | Author: Damien Miller <djm@mindrot.org> | ||
7767 | Date: Sun Dec 29 17:44:07 2013 +1100 | ||
7768 | |||
7769 | - djm@cvs.openbsd.org 2013/12/19 00:10:30 | ||
7770 | [ssh-add.c] | ||
7771 | skip requesting smartcard PIN when removing keys from agent; bz#2187 | ||
7772 | patch from jay AT slushpupie.com; ok dtucker | ||
7773 | |||
7774 | commit 7d97fd9a1cae778c3eacf16e09f5da3689d616c6 | ||
7775 | Author: Damien Miller <djm@mindrot.org> | ||
7776 | Date: Sun Dec 29 17:40:18 2013 +1100 | ||
7777 | |||
7778 | - (djm) [loginrec.c] Check for username truncation when looking up lastlog | ||
7779 | entries | ||
7780 | |||
7781 | commit 77244afe3b6d013b485e0952eaab89b9db83380f | ||
7782 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7783 | Date: Sat Dec 21 17:02:39 2013 +1100 | ||
7784 | |||
7785 | 20131221 | ||
7786 | - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. | ||
7787 | |||
7788 | commit 53f8e784dc431a82d31c9b0e95b144507f9330e9 | ||
7789 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7790 | Date: Thu Dec 19 11:31:44 2013 +1100 | ||
7791 | |||
7792 | - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). | ||
7793 | Patch from Loganaden Velvindron. | ||
7794 | |||
7795 | commit 1fcec9d4f265e38af248c4c845986ca8c174bd68 | ||
7796 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7797 | Date: Thu Dec 19 11:00:12 2013 +1100 | ||
7798 | |||
7799 | - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions | ||
7800 | greater than 11 either rather than just 11. Patch from Tomas Kuthan. | ||
7801 | |||
7802 | commit 6674eb9683afd1ea4eb35670b5e66815543a759e | ||
7803 | Author: Damien Miller <djm@mindrot.org> | ||
7804 | Date: Wed Dec 18 17:50:39 2013 +1100 | ||
7805 | |||
7806 | - markus@cvs.openbsd.org 2013/12/17 10:36:38 | ||
7807 | [crypto_api.h] | ||
7808 | I've assempled the header file by cut&pasting from generated headers | ||
7809 | and the source files. | ||
7810 | |||
7811 | commit d58a5964426ee014384d67d775d16712e93057f3 | ||
7812 | Author: Damien Miller <djm@mindrot.org> | ||
7813 | Date: Wed Dec 18 17:50:13 2013 +1100 | ||
7814 | |||
7815 | - djm@cvs.openbsd.org 2013/12/15 21:42:35 | ||
7816 | [cipher-chachapoly.c] | ||
7817 | add some comments and constify a constant | ||
7818 | |||
7819 | commit 059321d19af24d87420de3193f79dfab23556078 | ||
7820 | Author: Damien Miller <djm@mindrot.org> | ||
7821 | Date: Wed Dec 18 17:49:48 2013 +1100 | ||
7822 | |||
7823 | - pascal@cvs.openbsd.org 2013/12/15 18:17:26 | ||
7824 | [ssh-add.c] | ||
7825 | Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. | ||
7826 | ok markus@ | ||
7827 | |||
7828 | commit 155b5a5bf158767f989215479ded2a57f331e1c6 | ||
7829 | Author: Damien Miller <djm@mindrot.org> | ||
7830 | Date: Wed Dec 18 17:48:32 2013 +1100 | ||
7831 | |||
7832 | - markus@cvs.openbsd.org 2013/12/09 11:08:17 | ||
7833 | [crypto_api.h] | ||
7834 | remove unused defines | ||
7835 | |||
7836 | commit 8a56dc2b6b48b05590810e7f4c3567508410000c | ||
7837 | Author: Damien Miller <djm@mindrot.org> | ||
7838 | Date: Wed Dec 18 17:48:11 2013 +1100 | ||
7839 | |||
7840 | - markus@cvs.openbsd.org 2013/12/09 11:03:45 | ||
7841 | [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] | ||
7842 | [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] | ||
7843 | Add Authors for the public domain ed25519/nacl code. | ||
7844 | see also http://nacl.cr.yp.to/features.html | ||
7845 | All of the NaCl software is in the public domain. | ||
7846 | and http://ed25519.cr.yp.to/software.html | ||
7847 | The Ed25519 software is in the public domain. | ||
7848 | |||
7849 | commit 6575c3acf31fca117352f31f37b16ae46e664837 | ||
7850 | Author: Damien Miller <djm@mindrot.org> | ||
7851 | Date: Wed Dec 18 17:47:02 2013 +1100 | ||
7852 | |||
7853 | - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 | ||
7854 | [sshd_config.5] | ||
7855 | Use a literal for the default value of KEXAlgorithms. ok deraadt jmc | ||
7856 | |||
7857 | commit 8ba0ead6985ea14999265136b14ffd5aeec516f9 | ||
7858 | Author: Damien Miller <djm@mindrot.org> | ||
7859 | Date: Wed Dec 18 17:46:27 2013 +1100 | ||
7860 | |||
7861 | - naddy@cvs.openbsd.org 2013/12/07 11:58:46 | ||
7862 | [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] | ||
7863 | [ssh_config.5 sshd.8 sshd_config.5] | ||
7864 | add missing mentions of ed25519; ok djm@ | ||
7865 | |||
7866 | commit 4f752cf71cf44bf4bc777541156c2bf56daf9ce9 | ||
7867 | Author: Damien Miller <djm@mindrot.org> | ||
7868 | Date: Wed Dec 18 17:45:35 2013 +1100 | ||
7869 | |||
7870 | - djm@cvs.openbsd.org 2013/12/07 08:08:26 | ||
7871 | [ssh-keygen.1] | ||
7872 | document -a and -o wrt new key format | ||
7873 | |||
7874 | commit 6d6fcd14e23a9053198342bb379815b15e504084 | ||
7875 | Author: Damien Miller <djm@mindrot.org> | ||
7876 | Date: Sun Dec 8 15:53:28 2013 +1100 | ||
7877 | |||
7878 | - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] | ||
7879 | [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid | ||
7880 | filesystem before running agent-ptrace.sh; ok dtucker | ||
7881 | |||
7882 | commit 7e6e42fb532c7dafd7078ef5e9e2d3e47fcf6752 | ||
7883 | Author: Damien Miller <djm@mindrot.org> | ||
7884 | Date: Sun Dec 8 08:23:08 2013 +1100 | ||
7885 | |||
7886 | - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna | ||
7887 | Vinschen | ||
7888 | |||
7889 | commit da3ca351b49d52ae85db2e3998265dc3c6617068 | ||
7890 | Author: Damien Miller <djm@mindrot.org> | ||
7891 | Date: Sat Dec 7 21:43:46 2013 +1100 | ||
7892 | |||
7893 | - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from | ||
7894 | Loganaden Velvindron @ AfriNIC in bz#2179 | ||
7895 | |||
7896 | commit eb401585bb8336cbf81fe4fc58eb9f7cac3ab874 | ||
7897 | Author: Damien Miller <djm@mindrot.org> | ||
7898 | Date: Sat Dec 7 17:07:15 2013 +1100 | ||
7899 | |||
7900 | - (djm) [regress/cert-hostkey.sh] Fix merge botch | ||
7901 | |||
7902 | commit f54542af3ad07532188b10136ae302314ec69ed6 | ||
7903 | Author: Damien Miller <djm@mindrot.org> | ||
7904 | Date: Sat Dec 7 16:32:44 2013 +1100 | ||
7905 | |||
7906 | - markus@cvs.openbsd.org 2013/12/06 13:52:46 | ||
7907 | [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] | ||
7908 | [regress/cert-userkey.sh regress/keytype.sh] | ||
7909 | test ed25519 support; from djm@ | ||
7910 | |||
7911 | commit f104da263de995f66b6861b4f3368264ee483d7f | ||
7912 | Author: Damien Miller <djm@mindrot.org> | ||
7913 | Date: Sat Dec 7 12:37:53 2013 +1100 | ||
7914 | |||
7915 | - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] | ||
7916 | [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on | ||
7917 | Linux | ||
7918 | |||
7919 | commit 1ff130dac9b7aea0628f4ad30683431fe35e0020 | ||
7920 | Author: Damien Miller <djm@mindrot.org> | ||
7921 | Date: Sat Dec 7 11:51:51 2013 +1100 | ||
7922 | |||
7923 | - [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] | ||
7924 | [openbsd-compat/blf.h openbsd-compat/blowfish.c] | ||
7925 | [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in | ||
7926 | portable. | ||
7927 | |||
7928 | commit 4260828a2958ebe8c96f66d8301dac53f4cde556 | ||
7929 | Author: Damien Miller <djm@mindrot.org> | ||
7930 | Date: Sat Dec 7 11:38:03 2013 +1100 | ||
7931 | |||
7932 | - [authfile.c] Conditionalise inclusion of util.h | ||
7933 | |||
7934 | commit a913442bac8a26fd296a3add51293f8f6f9b3b4c | ||
7935 | Author: Damien Miller <djm@mindrot.org> | ||
7936 | Date: Sat Dec 7 11:35:36 2013 +1100 | ||
7937 | |||
7938 | - [Makefile.in] Add ed25519 sources | ||
7939 | |||
7940 | commit ca570a519cb846da61d002c7f46fa92e39c83e45 | ||
7941 | Author: Damien Miller <djm@mindrot.org> | ||
7942 | Date: Sat Dec 7 11:29:09 2013 +1100 | ||
7943 | |||
7944 | - djm@cvs.openbsd.org 2013/12/07 00:19:15 | ||
7945 | [key.c] | ||
7946 | set k->cert = NULL after freeing it | ||
7947 | |||
7948 | commit 3cccc0e155229a2f2d86b6df40bd4559b4f960ff | ||
7949 | Author: Damien Miller <djm@mindrot.org> | ||
7950 | Date: Sat Dec 7 11:27:47 2013 +1100 | ||
7951 | |||
7952 | - [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] | ||
7953 | [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents | ||
7954 | |||
7955 | commit a7827c11b3f0380b7e593664bd62013ff9c131db | ||
7956 | Author: Damien Miller <djm@mindrot.org> | ||
7957 | Date: Sat Dec 7 11:24:30 2013 +1100 | ||
7958 | |||
7959 | - jmc@cvs.openbsd.org 2013/12/06 15:29:07 | ||
7960 | [sshd.8] | ||
7961 | missing comma; | ||
7962 | |||
7963 | commit 5be9d9e3cbd9c66f24745d25bf2e809c1d158ee0 | ||
7964 | Author: Damien Miller <djm@mindrot.org> | ||
7965 | Date: Sat Dec 7 11:24:01 2013 +1100 | ||
7966 | |||
7967 | - markus@cvs.openbsd.org 2013/12/06 13:39:49 | ||
7968 | [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] | ||
7969 | [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] | ||
7970 | [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] | ||
7971 | [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] | ||
7972 | [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] | ||
7973 | support ed25519 keys (hostkeys and user identities) using the public | ||
7974 | domain ed25519 reference code from SUPERCOP, see | ||
7975 | http://ed25519.cr.yp.to/software.html | ||
7976 | feedback, help & ok djm@ | ||
7977 | |||
7978 | commit bcd00abd8451f36142ae2ee10cc657202149201e | ||
7979 | Author: Damien Miller <djm@mindrot.org> | ||
7980 | Date: Sat Dec 7 10:41:55 2013 +1100 | ||
7981 | |||
7982 | - markus@cvs.openbsd.org 2013/12/06 13:34:54 | ||
7983 | [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] | ||
7984 | [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by | ||
7985 | default; details in PROTOCOL.key; feedback and lots help from djm; | ||
7986 | ok djm@ | ||
7987 | |||
7988 | commit f0e9060d236c0e38bec2fa1c6579fb0a2ea6458d | ||
7989 | Author: Damien Miller <djm@mindrot.org> | ||
7990 | Date: Sat Dec 7 10:40:26 2013 +1100 | ||
7991 | |||
7992 | - markus@cvs.openbsd.org 2013/12/06 13:30:08 | ||
7993 | [authfd.c key.c key.h ssh-agent.c] | ||
7994 | move private key (de)serialization to key.c; ok djm | ||
7995 | |||
7996 | commit 0f8536da23a6ef26e6495177c0d8a4242b710289 | ||
7997 | Author: Damien Miller <djm@mindrot.org> | ||
7998 | Date: Sat Dec 7 10:31:37 2013 +1100 | ||
7999 | |||
8000 | - djm@cvs.openbsd.org 2013/12/06 03:40:51 | ||
8001 | [ssh-keygen.c] | ||
8002 | remove duplicated character ('g') in getopt() string; | ||
8003 | document the (few) remaining option characters so we don't have to | ||
8004 | rummage next time. | ||
8005 | |||
8006 | commit 393920745fd328d3fe07f739a3cf7e1e6db45b60 | ||
8007 | Author: Damien Miller <djm@mindrot.org> | ||
8008 | Date: Sat Dec 7 10:31:08 2013 +1100 | ||
8009 | |||
8010 | - djm@cvs.openbsd.org 2013/12/05 22:59:45 | ||
8011 | [sftp-client.c] | ||
8012 | fix memory leak in error path in do_readdir(); pointed out by | ||
8013 | Loganaden Velvindron @ AfriNIC in bz#2163 | ||
8014 | |||
8015 | commit 534b2ccadea5e5e9a8b27226e6faac3ed5552e97 | ||
8016 | Author: Damien Miller <djm@mindrot.org> | ||
8017 | Date: Thu Dec 5 14:07:27 2013 +1100 | ||
8018 | |||
8019 | - djm@cvs.openbsd.org 2013/12/05 01:16:41 | ||
8020 | [servconf.c servconf.h] | ||
8021 | bz#2161 - fix AuthorizedKeysCommand inside a Match block and | ||
8022 | rearrange things so the same error is harder to make next time; | ||
8023 | with and ok dtucker@ | ||
8024 | |||
8025 | commit 8369c8e61a3408ec6bb75755fad4ffce29b5fdbe | ||
8026 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8027 | Date: Thu Dec 5 11:00:16 2013 +1100 | ||
8028 | |||
8029 | - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct | ||
8030 | -L location for libedit. Patch from Serge van den Boom. | ||
8031 | |||
8032 | commit 9275df3e0a2a3bc3897f7d664ea86a425c8a092d | ||
8033 | Author: Damien Miller <djm@mindrot.org> | ||
8034 | Date: Thu Dec 5 10:26:32 2013 +1100 | ||
8035 | |||
8036 | - djm@cvs.openbsd.org 2013/12/04 04:20:01 | ||
8037 | [sftp-client.c] | ||
8038 | bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ | ||
8039 | AfriNIC | ||
8040 | |||
8041 | commit 960f6a2b5254e4da082d8aa3700302ed12dc769a | ||
8042 | Author: Damien Miller <djm@mindrot.org> | ||
8043 | Date: Thu Dec 5 10:26:14 2013 +1100 | ||
8044 | |||
8045 | - djm@cvs.openbsd.org 2013/12/02 03:13:14 | ||
8046 | [cipher.c] | ||
8047 | correct bzero of chacha20+poly1305 key context. bz#2177 from | ||
8048 | Loganaden Velvindron @ AfriNIC | ||
8049 | |||
8050 | Also make it a memset for consistency with the rest of cipher.c | ||
8051 | |||
8052 | commit f7e8a8796d661c9d6692ab837e1effd4f5ada1c2 | ||
8053 | Author: Damien Miller <djm@mindrot.org> | ||
8054 | Date: Thu Dec 5 10:25:51 2013 +1100 | ||
8055 | |||
8056 | - djm@cvs.openbsd.org 2013/12/02 03:09:22 | ||
8057 | [key.c] | ||
8058 | make key_to_blob() return a NULL blob on failure; part of | ||
8059 | bz#2175 from Loganaden Velvindron @ AfriNIC | ||
8060 | |||
8061 | commit f1e44ea9d9a6d4c1a95a0024132e603bd1778c9c | ||
8062 | Author: Damien Miller <djm@mindrot.org> | ||
8063 | Date: Thu Dec 5 10:23:21 2013 +1100 | ||
8064 | |||
8065 | - djm@cvs.openbsd.org 2013/12/02 02:56:17 | ||
8066 | [ssh-pkcs11-helper.c] | ||
8067 | use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC | ||
8068 | |||
8069 | commit 114e540b15d57618f9ebf624264298f80bbd8c77 | ||
8070 | Author: Damien Miller <djm@mindrot.org> | ||
8071 | Date: Thu Dec 5 10:22:57 2013 +1100 | ||
8072 | |||
8073 | - djm@cvs.openbsd.org 2013/12/02 02:50:27 | ||
8074 | [PROTOCOL.chacha20poly1305] | ||
8075 | typo; from Jon Cave | ||
8076 | |||
8077 | commit e4870c090629e32f2cb649dc16d575eeb693f4a8 | ||
8078 | Author: Damien Miller <djm@mindrot.org> | ||
8079 | Date: Thu Dec 5 10:22:39 2013 +1100 | ||
8080 | |||
8081 | - djm@cvs.openbsd.org 2013/12/01 23:19:05 | ||
8082 | [PROTOCOL] | ||
8083 | mention curve25519-sha256@libssh.org key exchange algorithm | ||
8084 | |||
8085 | commit 1d2f8804a6d33a4e908b876b2e1266b8260ec76b | ||
8086 | Author: Damien Miller <djm@mindrot.org> | ||
8087 | Date: Thu Dec 5 10:22:03 2013 +1100 | ||
8088 | |||
8089 | - deraadt@cvs.openbsd.org 2013/11/26 19:15:09 | ||
8090 | [pkcs11.h] | ||
8091 | cleanup 1 << 31 idioms. Resurrection of this issue pointed out by | ||
8092 | Eitan Adler ok markus for ssh, implies same change in kerberosV | ||
8093 | |||
8094 | commit bdb352a54f82df94a548e3874b22f2d6ae90328d | ||
8095 | Author: Damien Miller <djm@mindrot.org> | ||
8096 | Date: Thu Dec 5 10:20:52 2013 +1100 | ||
8097 | |||
8098 | - jmc@cvs.openbsd.org 2013/11/26 12:14:54 | ||
8099 | [ssh.1 ssh.c] | ||
8100 | - put -Q in the right place | ||
8101 | - Ar was a poor choice for the arguments to -Q. i've chosen an | ||
8102 | admittedly equally poor Cm, at least consistent with the rest | ||
8103 | of the docs. also no need for multiple instances | ||
8104 | - zap a now redundant Nm | ||
8105 | - usage() sync | ||
8106 | |||
8107 | commit d937dc084a087090f1cf5395822c3ac958d33759 | ||
8108 | Author: Damien Miller <djm@mindrot.org> | ||
8109 | Date: Thu Dec 5 10:19:54 2013 +1100 | ||
8110 | |||
8111 | - deraadt@cvs.openbsd.org 2013/11/25 18:04:21 | ||
8112 | [ssh.1 ssh.c] | ||
8113 | improve -Q usage and such. One usage change is that the option is now | ||
8114 | case-sensitive | ||
8115 | ok dtucker markus djm | ||
8116 | |||
8117 | commit dec0393f7ee8aabc7d9d0fc2c5fddb4bc649112e | ||
8118 | Author: Damien Miller <djm@mindrot.org> | ||
8119 | Date: Thu Dec 5 10:18:43 2013 +1100 | ||
8120 | |||
8121 | - jmc@cvs.openbsd.org 2013/11/21 08:05:09 | ||
8122 | [ssh_config.5 sshd_config.5] | ||
8123 | no need for .Pp before displays; | ||
8124 | |||
8125 | commit 8a073cf57940aabf85e49799f89f5d5e9b072c1b | ||
8126 | Author: Damien Miller <djm@mindrot.org> | ||
8127 | Date: Thu Nov 21 14:26:18 2013 +1100 | ||
8128 | |||
8129 | - djm@cvs.openbsd.org 2013/11/21 03:18:51 | ||
8130 | [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] | ||
8131 | [regress/try-ciphers.sh] | ||
8132 | use new "ssh -Q cipher-auth" query to obtain lists of authenticated | ||
8133 | encryption ciphers instead of specifying them manually; ensures that | ||
8134 | the new chacha20poly1305@openssh.com mode is tested; | ||
8135 | |||
8136 | ok markus@ and naddy@ as part of the diff to add | ||
8137 | chacha20poly1305@openssh.com | ||
8138 | |||
8139 | commit ea61b2179f63d48968dd2c9617621002bb658bfe | ||
8140 | Author: Damien Miller <djm@mindrot.org> | ||
8141 | Date: Thu Nov 21 14:25:15 2013 +1100 | ||
8142 | |||
8143 | - djm@cvs.openbsd.org 2013/11/21 03:16:47 | ||
8144 | [regress/modpipe.c] | ||
8145 | use unsigned long long instead of u_int64_t here to avoid warnings | ||
8146 | on some systems portable OpenSSH is built on. | ||
8147 | |||
8148 | commit 36aba25b0409d2db6afc84d54bc47a2532d38424 | ||
8149 | Author: Damien Miller <djm@mindrot.org> | ||
8150 | Date: Thu Nov 21 14:24:42 2013 +1100 | ||
8151 | |||
8152 | - djm@cvs.openbsd.org 2013/11/21 03:15:46 | ||
8153 | [regress/krl.sh] | ||
8154 | add some reminders for additional tests that I'd like to implement | ||
8155 | |||
8156 | commit fa7a20bc289f09b334808d988746bc260a2f60c9 | ||
8157 | Author: Damien Miller <djm@mindrot.org> | ||
8158 | Date: Thu Nov 21 14:24:08 2013 +1100 | ||
8159 | |||
8160 | - naddy@cvs.openbsd.org 2013/11/18 05:09:32 | ||
8161 | [regress/forward-control.sh] | ||
8162 | bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) | ||
8163 | to successfully run this; ok djm@ | ||
8164 | (ID sync only; our timeouts are already longer) | ||
8165 | |||
8166 | commit 0fde8acdad78a4d20cadae974376cc0165f645ee | ||
8167 | Author: Damien Miller <djm@mindrot.org> | ||
8168 | Date: Thu Nov 21 14:12:23 2013 +1100 | ||
8169 | |||
8170 | - djm@cvs.openbsd.org 2013/11/21 00:45:44 | ||
8171 | [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] | ||
8172 | [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] | ||
8173 | [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] | ||
8174 | [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport | ||
8175 | cipher "chacha20-poly1305@openssh.com" that combines Daniel | ||
8176 | Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an | ||
8177 | authenticated encryption mode. | ||
8178 | |||
8179 | Inspired by and similar to Adam Langley's proposal for TLS: | ||
8180 | http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 | ||
8181 | but differs in layout used for the MAC calculation and the use of a | ||
8182 | second ChaCha20 instance to separately encrypt packet lengths. | ||
8183 | Details are in the PROTOCOL.chacha20poly1305 file. | ||
8184 | |||
8185 | Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC | ||
8186 | ok markus@ naddy@ | ||
8187 | |||
8188 | commit fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a | ||
8189 | Author: Damien Miller <djm@mindrot.org> | ||
8190 | Date: Thu Nov 21 13:57:15 2013 +1100 | ||
8191 | |||
8192 | - deraadt@cvs.openbsd.org 2013/11/20 20:54:10 | ||
8193 | [canohost.c clientloop.c match.c readconf.c sftp.c] | ||
8194 | unsigned casts for ctype macros where neccessary | ||
8195 | ok guenther millert markus | ||
8196 | |||
8197 | commit e00167307e4d3692695441e9bd712f25950cb894 | ||
8198 | Author: Damien Miller <djm@mindrot.org> | ||
8199 | Date: Thu Nov 21 13:56:49 2013 +1100 | ||
8200 | |||
8201 | - deraadt@cvs.openbsd.org 2013/11/20 20:53:10 | ||
8202 | [scp.c] | ||
8203 | unsigned casts for ctype macros where neccessary | ||
8204 | ok guenther millert markus | ||
8205 | |||
8206 | commit 23e00aa6ba9eee0e0c218f2026bf405ad4625832 | ||
8207 | Author: Damien Miller <djm@mindrot.org> | ||
8208 | Date: Thu Nov 21 13:56:28 2013 +1100 | ||
8209 | |||
8210 | - djm@cvs.openbsd.org 2013/11/20 02:19:01 | ||
8211 | [sshd.c] | ||
8212 | delay closure of in/out fds until after "Bad protocol version | ||
8213 | identification..." message, as get_remote_ipaddr/get_remote_port | ||
8214 | require them open. | ||
8215 | |||
8216 | commit 867e6934be6521f87f04a5ab86702e2d1b314245 | ||
8217 | Author: Damien Miller <djm@mindrot.org> | ||
8218 | Date: Thu Nov 21 13:56:06 2013 +1100 | ||
8219 | |||
8220 | - markus@cvs.openbsd.org 2013/11/13 13:48:20 | ||
8221 | [ssh-pkcs11.c] | ||
8222 | add missing braces found by pedro | ||
8223 | |||
8224 | commit 0600c7020f4fe68a780bd7cf21ff541a8d4b568a | ||
8225 | Author: Damien Miller <djm@mindrot.org> | ||
8226 | Date: Thu Nov 21 13:55:43 2013 +1100 | ||
8227 | |||
8228 | - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 | ||
8229 | [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] | ||
8230 | [uidswap.c] Include stdlib.h for free() as per the man page. | ||
8231 | |||
8232 | commit b6a75b0b93b8faa6f79c3a395ab6c71f3f880b80 | ||
8233 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8234 | Date: Sun Nov 10 20:25:22 2013 +1100 | ||
8235 | |||
8236 | - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by | ||
8237 | querying the ones that are compiled in. | ||
8238 | |||
8239 | commit 2c89430119367eb1bc96ea5ee55de83357e4c926 | ||
8240 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8241 | Date: Sun Nov 10 12:38:42 2013 +1100 | ||
8242 | |||
8243 | - (dtucker) [key.c] Check for the correct defines for NID_secp521r1. | ||
8244 | |||
8245 | commit dd5264db5f641dbd03186f9e5e83e4b14b3d0003 | ||
8246 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8247 | Date: Sat Nov 9 22:32:51 2013 +1100 | ||
8248 | |||
8249 | - (dtucker) [configure.ac] Add missing "test". | ||
8250 | |||
8251 | commit 95cb2d4eb08117be061f3ff076adef3e9a5372c3 | ||
8252 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8253 | Date: Sat Nov 9 22:02:31 2013 +1100 | ||
8254 | |||
8255 | - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test. | ||
8256 | |||
8257 | commit 37bcef51b3d9d496caecea6394814d2f49a1357f | ||
8258 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8259 | Date: Sat Nov 9 18:39:25 2013 +1100 | ||
8260 | |||
8261 | - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of | ||
8262 | NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the | ||
8263 | latter actually works before using it. Fedora (at least) has NID_secp521r1 | ||
8264 | that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897). | ||
8265 | |||
8266 | commit 6e2fe81f926d995bae4be4a6b5b3c88c1c525187 | ||
8267 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8268 | Date: Sat Nov 9 16:55:03 2013 +1100 | ||
8269 | |||
8270 | - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 | ||
8271 | [regress/test-exec.sh regress/rekey.sh] | ||
8272 | Use smaller test data files to speed up tests. Grow test datafiles | ||
8273 | where necessary for a specific test. | ||
8274 | |||
8275 | commit aff7ef1bb8b7c1eeb1f4812129091c5adbf51848 | ||
8276 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8277 | Date: Sat Nov 9 00:19:22 2013 +1100 | ||
8278 | |||
8279 | - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: | ||
8280 | rather than testing and generating each key, call ssh-keygen -A. | ||
8281 | Patch from vinschen at redhat.com. | ||
8282 | |||
8283 | commit 882abfd3fb3c98cfe70b4fc79224770468b570a5 | ||
8284 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8285 | Date: Sat Nov 9 00:17:41 2013 +1100 | ||
8286 | |||
8287 | - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform | ||
8288 | and pass in TEST_ENV. Unknown options cause stderr to get polluted | ||
8289 | and the stderr-data test to fail. | ||
8290 | |||
8291 | commit 8c333ec23bdf7da917aa20ac6803a2cdd79182c5 | ||
8292 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8293 | Date: Fri Nov 8 21:12:58 2013 +1100 | ||
8294 | |||
8295 | - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile | ||
8296 | warnings. | ||
8297 | |||
8298 | commit d94240b2f6b376b6e9de187e4a0cd4b89dfc48cb | ||
8299 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8300 | Date: Fri Nov 8 21:10:04 2013 +1100 | ||
8301 | |||
8302 | - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. | ||
8303 | |||
8304 | commit 1c8ce34909886288a3932dce770deec5449f7bb5 | ||
8305 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8306 | Date: Fri Nov 8 19:50:32 2013 +1100 | ||
8307 | |||
8308 | - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have | ||
8309 | EVP_sha256. | ||
8310 | |||
8311 | commit ccdb9bec46bcc88549b26a94aa0bae2b9f51031c | ||
8312 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8313 | Date: Fri Nov 8 18:54:38 2013 +1100 | ||
8314 | |||
8315 | - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of | ||
8316 | arc4random_stir for platforms that have arc4random but don't have | ||
8317 | arc4random_stir (right now this is only OpenBSD -current). | ||
8318 | |||
8319 | commit 3420a50169b52cc8d2775d51316f9f866c73398f | ||
8320 | Author: Damien Miller <djm@mindrot.org> | ||
8321 | Date: Fri Nov 8 16:48:13 2013 +1100 | ||
8322 | |||
8323 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
8324 | [contrib/suse/openssh.spec] Update version numbers following release. | ||
8325 | |||
8326 | commit 3ac4a234df842fd8c94d9cb0ad198e1fe84b895b | ||
8327 | Author: Damien Miller <djm@mindrot.org> | ||
8328 | Date: Fri Nov 8 12:39:49 2013 +1100 | ||
8329 | |||
8330 | - djm@cvs.openbsd.org 2013/11/08 01:38:11 | ||
8331 | [version.h] | ||
8332 | openssh-6.4 | ||
8333 | |||
8334 | commit 6c81fee693038de7d4a5559043350391db2a2761 | ||
8335 | Author: Damien Miller <djm@mindrot.org> | ||
8336 | Date: Fri Nov 8 12:19:55 2013 +1100 | ||
8337 | |||
8338 | - djm@cvs.openbsd.org 2013/11/08 00:39:15 | ||
8339 | [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c] | ||
8340 | [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c] | ||
8341 | [sftp-client.c sftp-glob.c] | ||
8342 | use calloc for all structure allocations; from markus@ | ||
8343 | |||
8344 | commit 690d989008e18af3603a5e03f1276c9bad090370 | ||
8345 | Author: Damien Miller <djm@mindrot.org> | ||
8346 | Date: Fri Nov 8 12:16:49 2013 +1100 | ||
8347 | |||
8348 | - dtucker@cvs.openbsd.org 2013/11/07 11:58:27 | ||
8349 | [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] | ||
8350 | Output the effective values of Ciphers, MACs and KexAlgorithms when | ||
8351 | the default has not been overridden. ok markus@ | ||
8352 | |||
8353 | commit 08998c5fb9c7c1d248caa73b76e02ca0482e6d85 | ||
8354 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8355 | Date: Fri Nov 8 12:11:46 2013 +1100 | ||
8356 | |||
8357 | - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 | ||
8358 | [regress/rekey.sh] | ||
8359 | Rekey less frequently during tests to speed them up | ||
8360 | |||
8361 | commit 4bf7e50e533aa956366df7402c132f202e841a48 | ||
8362 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8363 | Date: Thu Nov 7 22:33:48 2013 +1100 | ||
8364 | |||
8365 | - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment | ||
8366 | variable. It's no longer used now that we get the supported MACs from | ||
8367 | ssh -Q. | ||
8368 | |||
8369 | commit 6e9d6f411288374d1dee4b7debbfa90bc7e73035 | ||
8370 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8371 | Date: Thu Nov 7 15:32:37 2013 +1100 | ||
8372 | |||
8373 | - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 | ||
8374 | [regress/kextype.sh] | ||
8375 | trailing space | ||
8376 | |||
8377 | commit 74cbc22529f3e5de756e1b7677b7624efb28f62c | ||
8378 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8379 | Date: Thu Nov 7 15:26:12 2013 +1100 | ||
8380 | |||
8381 | - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 | ||
8382 | [regress/kextype.sh] | ||
8383 | Use ssh -Q to get kex types instead of a static list. | ||
8384 | |||
8385 | commit a955041c930e63405159ff7d25ef14272f36eab3 | ||
8386 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8387 | Date: Thu Nov 7 15:21:19 2013 +1100 | ||
8388 | |||
8389 | - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 | ||
8390 | [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] | ||
8391 | Use ssh -Q instead of hardcoding lists of ciphers or MACs. | ||
8392 | |||
8393 | commit 06595d639577577bc15d359e037a31eb83563269 | ||
8394 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8395 | Date: Thu Nov 7 15:08:02 2013 +1100 | ||
8396 | |||
8397 | - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 | ||
8398 | [regress/rekey.sh] | ||
8399 | Factor out the data transfer rekey tests | ||
8400 | |||
8401 | commit 651dc8b2592202dac6b16ee3b82ce5b331be7da3 | ||
8402 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8403 | Date: Thu Nov 7 15:04:44 2013 +1100 | ||
8404 | |||
8405 | - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 | ||
8406 | [regress/rekey.sh] | ||
8407 | Test rekeying for every Cipher, MAC and KEX, plus test every KEX with | ||
8408 | the GCM ciphers. | ||
8409 | |||
8410 | commit 234557762ba1096a867ca6ebdec07efebddb5153 | ||
8411 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8412 | Date: Thu Nov 7 15:00:51 2013 +1100 | ||
8413 | |||
8414 | - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 | ||
8415 | [regress/rekey.sh] | ||
8416 | Test rekeying with all KexAlgorithms. | ||
8417 | |||
8418 | commit bbfb9b0f386aab0c3e19d11f136199ef1b9ad0ef | ||
8419 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8420 | Date: Thu Nov 7 14:56:43 2013 +1100 | ||
8421 | |||
8422 | - markus@cvs.openbsd.org 2013/11/02 22:39:53 | ||
8423 | [regress/kextype.sh] | ||
8424 | add curve25519-sha256@libssh.org | ||
8425 | |||
8426 | commit aa19548a98c0f89283ebd7354abd746ca6bc4fdf | ||
8427 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8428 | Date: Thu Nov 7 14:50:09 2013 +1100 | ||
8429 | |||
8430 | - djm@cvs.openbsd.org 2013/10/09 23:44:14 | ||
8431 | [regress/Makefile] (ID sync only) | ||
8432 | regression test for sftp request white/blacklisting and readonly mode. | ||
8433 | |||
8434 | commit c8908aabff252f5da772d4e679479c2b7d18cac1 | ||
8435 | Author: Damien Miller <djm@mindrot.org> | ||
8436 | Date: Thu Nov 7 13:38:35 2013 +1100 | ||
8437 | |||
8438 | - djm@cvs.openbsd.org 2013/11/06 23:05:59 | ||
8439 | [ssh-pkcs11.c] | ||
8440 | from portable: s/true/true_val/ to avoid name collisions on dump platforms | ||
8441 | RCSID sync only | ||
8442 | |||
8443 | commit 49c145c5e89b9d7d48e84328d6347d5ad640b567 | ||
8444 | Author: Damien Miller <djm@mindrot.org> | ||
8445 | Date: Thu Nov 7 13:35:39 2013 +1100 | ||
8446 | |||
8447 | - markus@cvs.openbsd.org 2013/11/06 16:52:11 | ||
8448 | [monitor_wrap.c] | ||
8449 | fix rekeying for AES-GCM modes; ok deraadt | ||
8450 | |||
8451 | commit 67a8800f290b39fd60e379988c700656ae3f2539 | ||
8452 | Author: Damien Miller <djm@mindrot.org> | ||
8453 | Date: Thu Nov 7 13:32:51 2013 +1100 | ||
8454 | |||
8455 | - markus@cvs.openbsd.org 2013/11/04 11:51:16 | ||
8456 | [monitor.c] | ||
8457 | fix rekeying for KEX_C25519_SHA256; noted by dtucker@ | ||
8458 | RCSID sync only; I thought this was a merge botch and fixed it already | ||
8459 | |||
8460 | commit df8b030b15fcec7baf38ec7944f309f9ca8cc9a7 | ||
8461 | Author: Damien Miller <djm@mindrot.org> | ||
8462 | Date: Thu Nov 7 13:28:16 2013 +1100 | ||
8463 | |||
8464 | - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms | ||
8465 | that lack it but have arc4random_uniform() | ||
8466 | |||
8467 | commit a6fd1d3c38a562709374a70fa76423859160aa90 | ||
8468 | Author: Damien Miller <djm@mindrot.org> | ||
8469 | Date: Thu Nov 7 12:03:26 2013 +1100 | ||
8470 | |||
8471 | - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these | ||
8472 | |||
8473 | commit c98319750b0bbdd0d1794420ec97d65dd9244613 | ||
8474 | Author: Damien Miller <djm@mindrot.org> | ||
8475 | Date: Thu Nov 7 12:00:23 2013 +1100 | ||
8476 | |||
8477 | - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff | ||
8478 | |||
8479 | commit 61c5c2319e84a58210810d39b062c8b8e3321160 | ||
8480 | Author: Damien Miller <djm@mindrot.org> | ||
8481 | Date: Thu Nov 7 11:34:14 2013 +1100 | ||
8482 | |||
8483 | - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) | ||
8484 | that got lost in recent merge. | ||
8485 | |||
8486 | commit 094003f5454a9f5a607674b2739824a7e91835f4 | ||
8487 | Author: Damien Miller <djm@mindrot.org> | ||
8488 | Date: Mon Nov 4 22:59:27 2013 +1100 | ||
8489 | |||
8490 | - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from | ||
8491 | KEX/curve25519 change | ||
8492 | |||
8493 | commit ca67a7eaf8766499ba67801d0be8cdaa550b9a50 | ||
8494 | Author: Damien Miller <djm@mindrot.org> | ||
8495 | Date: Mon Nov 4 09:05:17 2013 +1100 | ||
8496 | |||
8497 | - djm@cvs.openbsd.org 2013/11/03 10:37:19 | ||
8498 | [roaming_common.c] | ||
8499 | fix a couple of function definitions foo() -> foo(void) | ||
8500 | (-Wold-style-definition) | ||
8501 | |||
8502 | commit 0bd8f1519d51af8d4229be81e8f2f4903a1d440b | ||
8503 | Author: Damien Miller <djm@mindrot.org> | ||
8504 | Date: Mon Nov 4 08:55:43 2013 +1100 | ||
8505 | |||
8506 | - markus@cvs.openbsd.org 2013/11/02 22:39:19 | ||
8507 | [ssh_config.5 sshd_config.5] | ||
8508 | the default kex is now curve25519-sha256@libssh.org | ||
8509 | |||
8510 | commit 4c3ba0767fbe4a8a2a748df4035aaf86651f6b30 | ||
8511 | Author: Damien Miller <djm@mindrot.org> | ||
8512 | Date: Mon Nov 4 08:40:13 2013 +1100 | ||
8513 | |||
8514 | - markus@cvs.openbsd.org 2013/11/02 22:34:01 | ||
8515 | [auth-options.c] | ||
8516 | no need to include monitor_wrap.h and ssh-gss.h | ||
8517 | |||
8518 | commit 660621b2106b987b874c2f120218bec249d0f6ba | ||
8519 | Author: Damien Miller <djm@mindrot.org> | ||
8520 | Date: Mon Nov 4 08:37:51 2013 +1100 | ||
8521 | |||
8522 | - markus@cvs.openbsd.org 2013/11/02 22:24:24 | ||
8523 | [kexdhs.c kexecdhs.c] | ||
8524 | no need to include ssh-gss.h | ||
8525 | |||
8526 | commit abdca986decfbbc008c895195b85e879ed460ada | ||
8527 | Author: Damien Miller <djm@mindrot.org> | ||
8528 | Date: Mon Nov 4 08:30:05 2013 +1100 | ||
8529 | |||
8530 | - markus@cvs.openbsd.org 2013/11/02 22:10:15 | ||
8531 | [kexdhs.c kexecdhs.c] | ||
8532 | no need to include monitor_wrap.h | ||
8533 | |||
8534 | commit 1e1242604eb0fd510fe93f81245c529237ffc513 | ||
8535 | Author: Damien Miller <djm@mindrot.org> | ||
8536 | Date: Mon Nov 4 08:26:52 2013 +1100 | ||
8537 | |||
8538 | - markus@cvs.openbsd.org 2013/11/02 21:59:15 | ||
8539 | [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] | ||
8540 | use curve25519 for default key exchange (curve25519-sha256@libssh.org); | ||
8541 | initial patch from Aris Adamantiadis; ok djm@ | ||
8542 | |||
8543 | commit d2252c79191d069372ed6effce7c7a2de93448cd | ||
8544 | Author: Damien Miller <djm@mindrot.org> | ||
8545 | Date: Mon Nov 4 07:41:48 2013 +1100 | ||
8546 | |||
8547 | - markus@cvs.openbsd.org 2013/11/02 20:03:54 | ||
8548 | [ssh-pkcs11.c] | ||
8549 | support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys; | ||
8550 | fixes bz#1908; based on patch from Laurent Barbe; ok djm | ||
8551 | |||
8552 | commit 007e3b357e880caa974d5adf9669298ba0751c78 | ||
8553 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8554 | Date: Sun Nov 3 18:43:55 2013 +1100 | ||
8555 | |||
8556 | - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t | ||
8557 | for platforms that don't have them. | ||
8558 | |||
8559 | commit 710f3747352fb93a63e5b69b12379da37f5b3fa9 | ||
8560 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8561 | Date: Sun Nov 3 17:20:34 2013 +1100 | ||
8562 | |||
8563 | - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd | ||
8564 | vsnprintf. From eric at openbsd via chl@. | ||
8565 | |||
8566 | commit d52770452308e5c2e99f4da6edaaa77ef078b610 | ||
8567 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8568 | Date: Sun Nov 3 16:30:46 2013 +1100 | ||
8569 | |||
8570 | - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep. | ||
8571 | From OpenSMTPD where it prevents "implicit declaration" warnings (it's | ||
8572 | a no-op in OpenSSH). From chl at openbsd. | ||
8573 | |||
8574 | commit 63857c9340d3482746a5622ffdacc756751f6448 | ||
8575 | Author: Damien Miller <djm@mindrot.org> | ||
8576 | Date: Wed Oct 30 22:31:06 2013 +1100 | ||
8577 | |||
8578 | - jmc@cvs.openbsd.org 2013/10/29 18:49:32 | ||
8579 | [sshd_config.5] | ||
8580 | pty(4), not pty(7); | ||
8581 | |||
8582 | commit 5ff30c6b68adeee767dd29bf2369763c6a13c0b3 | ||
8583 | Author: Damien Miller <djm@mindrot.org> | ||
8584 | Date: Wed Oct 30 22:21:50 2013 +1100 | ||
8585 | |||
8586 | - djm@cvs.openbsd.org 2013/10/29 09:48:02 | ||
8587 | [servconf.c servconf.h session.c sshd_config sshd_config.5] | ||
8588 | shd_config PermitTTY to disallow TTY allocation, mirroring the | ||
8589 | longstanding no-pty authorized_keys option; | ||
8590 | bz#2070, patch from Teran McKinney; ok markus@ | ||
8591 | |||
8592 | commit 4a3a9d4bbf8048473f5cc202cd8db7164d5e6b8d | ||
8593 | Author: Damien Miller <djm@mindrot.org> | ||
8594 | Date: Wed Oct 30 22:19:47 2013 +1100 | ||
8595 | |||
8596 | - djm@cvs.openbsd.org 2013/10/29 09:42:11 | ||
8597 | [key.c key.h] | ||
8598 | fix potential stack exhaustion caused by nested certificates; | ||
8599 | report by Mateusz Kocielski; ok dtucker@ markus@ | ||
8600 | |||
8601 | commit 28631ceaa7acd9bc500f924614431542893c6a21 | ||
8602 | Author: Damien Miller <djm@mindrot.org> | ||
8603 | Date: Sat Oct 26 10:07:56 2013 +1100 | ||
8604 | |||
8605 | - djm@cvs.openbsd.org 2013/10/25 23:04:51 | ||
8606 | [ssh.c] | ||
8607 | fix crash when using ProxyCommand caused by previous commit - was calling | ||
8608 | freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@ | ||
8609 | |||
8610 | commit 26506ad29350c5681815745cc90b3952a84cf118 | ||
8611 | Author: Damien Miller <djm@mindrot.org> | ||
8612 | Date: Sat Oct 26 10:05:46 2013 +1100 | ||
8613 | |||
8614 | - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove | ||
8615 | unnecessary arc4random_stir() calls. The only ones left are to ensure | ||
8616 | that the PRNG gets a different state after fork() for platforms that | ||
8617 | have broken the API. | ||
8618 | |||
8619 | commit bd43e8872325e9bbb3319c89da593614709f317c | ||
8620 | Author: Tim Rice <tim@multitalents.net> | ||
8621 | Date: Thu Oct 24 12:22:49 2013 -0700 | ||
8622 | |||
8623 | - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" | ||
8624 | |||
8625 | commit a90c0338083ee0e4064c4bdf61f497293a699be0 | ||
8626 | Author: Damien Miller <djm@mindrot.org> | ||
8627 | Date: Thu Oct 24 21:03:17 2013 +1100 | ||
8628 | |||
8629 | - djm@cvs.openbsd.org 2013/10/24 08:19:36 | ||
8630 | [ssh.c] | ||
8631 | fix bug introduced in hostname canonicalisation commit: don't try to | ||
8632 | resolve hostnames when a ProxyCommand is set unless the user has forced | ||
8633 | canonicalisation; spotted by Iain Morgan | ||
8634 | |||
8635 | commit cf31f3863425453ffcda540fbefa9df80088c8d1 | ||
8636 | Author: Damien Miller <djm@mindrot.org> | ||
8637 | Date: Thu Oct 24 21:02:56 2013 +1100 | ||
8638 | |||
8639 | - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 | ||
8640 | [readconf.c servconf.c ssh_config.5 sshd_config.5] | ||
8641 | Disallow empty Match statements and add "Match all" which matches | ||
8642 | everything. ok djm, man page help jmc@ | ||
8643 | |||
8644 | commit 4bedd4032a09ce87322ae5ea80f193f109e5c607 | ||
8645 | Author: Damien Miller <djm@mindrot.org> | ||
8646 | Date: Thu Oct 24 21:02:26 2013 +1100 | ||
8647 | |||
8648 | - dtucker@cvs.openbsd.org 2013/10/24 00:49:49 | ||
8649 | [moduli.c] | ||
8650 | Periodically print progress and, if possible, expected time to completion | ||
8651 | when screening moduli for DH groups. ok deraadt djm | ||
8652 | |||
8653 | commit 5ecb41629860687b145be63b8877fabb6bae5eda | ||
8654 | Author: Damien Miller <djm@mindrot.org> | ||
8655 | Date: Thu Oct 24 21:02:02 2013 +1100 | ||
8656 | |||
8657 | - djm@cvs.openbsd.org 2013/10/23 23:35:32 | ||
8658 | [sshd.c] | ||
8659 | include local address and port in "Connection from ..." message (only | ||
8660 | shown at loglevel>=verbose) | ||
8661 | |||
8662 | commit 03bf2e61ad6ac59a362a1f11b105586cb755c147 | ||
8663 | Author: Damien Miller <djm@mindrot.org> | ||
8664 | Date: Thu Oct 24 21:01:26 2013 +1100 | ||
8665 | |||
8666 | - dtucker@cvs.openbsd.org 2013/10/23 05:40:58 | ||
8667 | [servconf.c] | ||
8668 | fix comment | ||
8669 | |||
8670 | commit 8f1873191478847773906af961c8984d02a49dd6 | ||
8671 | Author: Damien Miller <djm@mindrot.org> | ||
8672 | Date: Thu Oct 24 10:53:02 2013 +1100 | ||
8673 | |||
8674 | - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check | ||
8675 | rather than full client name which may be of form user@REALM; | ||
8676 | patch from Miguel Sanders; ok dtucker@ | ||
8677 | |||
8678 | commit 5b01b0dcb417eb615df77e7ce1b59319bf04342c | ||
8679 | Author: Damien Miller <djm@mindrot.org> | ||
8680 | Date: Wed Oct 23 16:31:31 2013 +1100 | ||
8681 | |||
8682 | - djm@cvs.openbsd.org 2013/10/23 04:16:22 | ||
8683 | [ssh-keygen.c] | ||
8684 | Make code match documentation: relative-specified certificate expiry time | ||
8685 | should be relative to current time and not the validity start time. | ||
8686 | Reported by Petr Lautrbach; ok deraadt@ | ||
8687 | |||
8688 | commit eff5cada589f25793dbe63a76aba9da39837a148 | ||
8689 | Author: Damien Miller <djm@mindrot.org> | ||
8690 | Date: Wed Oct 23 16:31:10 2013 +1100 | ||
8691 | |||
8692 | - djm@cvs.openbsd.org 2013/10/23 03:05:19 | ||
8693 | [readconf.c ssh.c] | ||
8694 | comment | ||
8695 | |||
8696 | commit 084bcd24e9fe874020e4df4e073e7408e1b17fb7 | ||
8697 | Author: Damien Miller <djm@mindrot.org> | ||
8698 | Date: Wed Oct 23 16:30:51 2013 +1100 | ||
8699 | |||
8700 | - djm@cvs.openbsd.org 2013/10/23 03:03:07 | ||
8701 | [readconf.c] | ||
8702 | Hostname may have %h sequences that should be expanded prior to Match | ||
8703 | evaluation; spotted by Iain Morgan | ||
8704 | |||
8705 | commit 8e5a67f46916def40b2758bb7755350dd2eee843 | ||
8706 | Author: Damien Miller <djm@mindrot.org> | ||
8707 | Date: Wed Oct 23 16:30:25 2013 +1100 | ||
8708 | |||
8709 | - jmc@cvs.openbsd.org 2013/10/20 18:00:13 | ||
8710 | [ssh_config.5] | ||
8711 | tweak the "exec" description, as worded by djm; | ||
8712 | |||
8713 | commit c0049bd0bca02890cd792babc594771c563f91f2 | ||
8714 | Author: Damien Miller <djm@mindrot.org> | ||
8715 | Date: Wed Oct 23 16:29:59 2013 +1100 | ||
8716 | |||
8717 | - djm@cvs.openbsd.org 2013/10/20 09:51:26 | ||
8718 | [scp.1 sftp.1] | ||
8719 | add canonicalisation options to -o lists | ||
8720 | |||
8721 | commit 8a04be795fc28514a09e55a54b2e67968f2e1b3a | ||
8722 | Author: Damien Miller <djm@mindrot.org> | ||
8723 | Date: Wed Oct 23 16:29:40 2013 +1100 | ||
8724 | |||
8725 | - djm@cvs.openbsd.org 2013/10/20 06:19:28 | ||
8726 | [readconf.c ssh_config.5] | ||
8727 | rename "command" subclause of the recently-added "Match" keyword to | ||
8728 | "exec"; it's shorter, clearer in intent and we might want to add the | ||
8729 | ability to match against the command being executed at the remote end in | ||
8730 | the future. | ||
8731 | |||
8732 | commit 5c86ebdf83b636b6741db4b03569ef4a53b89a58 | ||
8733 | Author: Damien Miller <djm@mindrot.org> | ||
8734 | Date: Wed Oct 23 16:29:12 2013 +1100 | ||
8735 | |||
8736 | - djm@cvs.openbsd.org 2013/10/20 04:39:28 | ||
8737 | [ssh_config.5] | ||
8738 | document % expansions performed by "Match command ..." | ||
8739 | |||
8740 | commit 4502f88774edc56194707167443f94026d3c7cfa | ||
8741 | Author: Damien Miller <djm@mindrot.org> | ||
8742 | Date: Fri Oct 18 10:17:36 2013 +1100 | ||
8743 | |||
8744 | - djm@cvs.openbsd.org 2013/10/17 22:08:04 | ||
8745 | [sshd.c] | ||
8746 | include remote port in bad banner message; bz#2162 | ||
8747 | |||
8748 | commit 1edcbf65ebd2febeaf10a836468f35e519eed7ca | ||
8749 | Author: Damien Miller <djm@mindrot.org> | ||
8750 | Date: Fri Oct 18 10:17:17 2013 +1100 | ||
8751 | |||
8752 | - jmc@cvs.openbsd.org 2013/10/17 07:35:48 | ||
8753 | [sftp.1 sftp.c] | ||
8754 | tweak previous; | ||
8755 | |||
8756 | commit a176e1823013dd8533a20235b3a5131f0626f46b | ||
8757 | Author: Damien Miller <djm@mindrot.org> | ||
8758 | Date: Fri Oct 18 09:05:41 2013 +1100 | ||
8759 | |||
8760 | - djm@cvs.openbsd.org 2013/10/09 23:44:14 | ||
8761 | [regress/Makefile regress/sftp-perm.sh] | ||
8762 | regression test for sftp request white/blacklisting and readonly mode. | ||
8763 | |||
8764 | commit e3ea09494dcfe7ba76536e95765c8328ecfc18fb | ||
8765 | Author: Damien Miller <djm@mindrot.org> | ||
8766 | Date: Thu Oct 17 11:57:23 2013 +1100 | ||
8767 | |||
8768 | - djm@cvs.openbsd.org 2013/10/17 00:46:49 | ||
8769 | [ssh.c] | ||
8770 | rearrange check to reduce diff against -portable | ||
8771 | (Id sync only) | ||
8772 | |||
8773 | commit f29238e67471a7f1088a99c3c3dbafce76b790cf | ||
8774 | Author: Damien Miller <djm@mindrot.org> | ||
8775 | Date: Thu Oct 17 11:48:52 2013 +1100 | ||
8776 | |||
8777 | - djm@cvs.openbsd.org 2013/10/17 00:30:13 | ||
8778 | [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c] | ||
8779 | fsync@openssh.com protocol extension for sftp-server | ||
8780 | client support to allow calling fsync() faster successful transfer | ||
8781 | patch mostly by imorgan AT nas.nasa.gov; bz#1798 | ||
8782 | "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@ | ||
8783 | |||
8784 | commit 51682faa599550a69d8120e5e2bdbdc0625ef4be | ||
8785 | Author: Damien Miller <djm@mindrot.org> | ||
8786 | Date: Thu Oct 17 11:48:31 2013 +1100 | ||
8787 | |||
8788 | - djm@cvs.openbsd.org 2013/10/16 22:58:01 | ||
8789 | [ssh.c ssh_config.5] | ||
8790 | one I missed in previous: s/isation/ization/ | ||
8791 | |||
8792 | commit 3850559be93f1a442ae9ed370e8c389889dd5f72 | ||
8793 | Author: Damien Miller <djm@mindrot.org> | ||
8794 | Date: Thu Oct 17 11:48:13 2013 +1100 | ||
8795 | |||
8796 | - djm@cvs.openbsd.org 2013/10/16 22:49:39 | ||
8797 | [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] | ||
8798 | s/canonicalise/canonicalize/ for consistency with existing spelling, | ||
8799 | e.g. authorized_keys; pointed out by naddy@ | ||
8800 | |||
8801 | commit 607af3434b75acc7199a5d99d5a9c11068c01f27 | ||
8802 | Author: Damien Miller <djm@mindrot.org> | ||
8803 | Date: Thu Oct 17 11:47:51 2013 +1100 | ||
8804 | |||
8805 | - jmc@cvs.openbsd.org 2013/10/16 06:42:25 | ||
8806 | [ssh_config.5] | ||
8807 | tweak previous; | ||
8808 | |||
8809 | commit 0faf747e2f77f0f7083bcd59cbed30c4b5448444 | ||
8810 | Author: Damien Miller <djm@mindrot.org> | ||
8811 | Date: Thu Oct 17 11:47:23 2013 +1100 | ||
8812 | |||
8813 | - djm@cvs.openbsd.org 2013/10/16 02:31:47 | ||
8814 | [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] | ||
8815 | [sshconnect.c sshconnect.h] | ||
8816 | Implement client-side hostname canonicalisation to allow an explicit | ||
8817 | search path of domain suffixes to use to convert unqualified host names | ||
8818 | to fully-qualified ones for host key matching. | ||
8819 | This is particularly useful for host certificates, which would otherwise | ||
8820 | need to list unqualified names alongside fully-qualified ones (and this | ||
8821 | causes a number of problems). | ||
8822 | "looks fine" markus@ | ||
8823 | |||
8824 | commit d77b81f856e078714ec6b0f86f61c20249b7ead4 | ||
8825 | Author: Damien Miller <djm@mindrot.org> | ||
8826 | Date: Thu Oct 17 11:39:00 2013 +1100 | ||
8827 | |||
8828 | - jmc@cvs.openbsd.org 2013/10/15 14:10:25 | ||
8829 | [ssh.1 ssh_config.5] | ||
8830 | tweak previous; | ||
8831 | |||
8832 | commit dcd39f29ce3308dc74a0ff27a9056205a932ce05 | ||
8833 | Author: Damien Miller <djm@mindrot.org> | ||
8834 | Date: Thu Oct 17 11:31:40 2013 +1100 | ||
8835 | |||
8836 | - [ssh.c] g/c unused variable. | ||
8837 | |||
8838 | commit 5359a628ce3763408da25d83271a8eddec597a0c | ||
8839 | Author: Damien Miller <djm@mindrot.org> | ||
8840 | Date: Tue Oct 15 12:20:37 2013 +1100 | ||
8841 | |||
8842 | - [ssh.c] g/c unused variable. | ||
8843 | |||
8844 | commit 386feab0c4736b054585ee8ee372865d5cde8d69 | ||
8845 | Author: Damien Miller <djm@mindrot.org> | ||
8846 | Date: Tue Oct 15 12:14:49 2013 +1100 | ||
8847 | |||
8848 | - djm@cvs.openbsd.org 2013/10/14 23:31:01 | ||
8849 | [ssh.c] | ||
8850 | whitespace at EOL; pointed out by markus@ | ||
8851 | |||
8852 | commit e9fc72edd6c313b670558cd5219601c38a949b67 | ||
8853 | Author: Damien Miller <djm@mindrot.org> | ||
8854 | Date: Tue Oct 15 12:14:12 2013 +1100 | ||
8855 | |||
8856 | - djm@cvs.openbsd.org 2013/10/14 23:28:23 | ||
8857 | [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] | ||
8858 | refactor client config code a little: | ||
8859 | add multistate option partsing to readconf.c, similar to servconf.c's | ||
8860 | existing code. | ||
8861 | move checking of options that accept "none" as an argument to readconf.c | ||
8862 | add a lowercase() function and use it instead of explicit tolower() in | ||
8863 | loops | ||
8864 | part of a larger diff that was ok markus@ | ||
8865 | |||
8866 | commit 194fd904d8597a274b93e075b2047afdf5a175d4 | ||
8867 | Author: Damien Miller <djm@mindrot.org> | ||
8868 | Date: Tue Oct 15 12:13:05 2013 +1100 | ||
8869 | |||
8870 | - djm@cvs.openbsd.org 2013/10/14 22:22:05 | ||
8871 | [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] | ||
8872 | add a "Match" keyword to ssh_config that allows matching on hostname, | ||
8873 | user and result of arbitrary commands. "nice work" markus@ | ||
8874 | |||
8875 | commit 71df752de2a04f423b1cd18d961a79f4fbccbcee | ||
8876 | Author: Damien Miller <djm@mindrot.org> | ||
8877 | Date: Tue Oct 15 12:12:02 2013 +1100 | ||
8878 | |||
8879 | - djm@cvs.openbsd.org 2013/10/14 21:20:52 | ||
8880 | [session.c session.h] | ||
8881 | Add logging of session starts in a useful format; ok markus@ feedback and | ||
8882 | ok dtucker@ | ||
8883 | |||
8884 | commit 6efab27109b82820e8d32a5d811adb7bfc354f65 | ||
8885 | Author: Damien Miller <djm@mindrot.org> | ||
8886 | Date: Tue Oct 15 12:07:05 2013 +1100 | ||
8887 | |||
8888 | - jmc@cvs.openbsd.org 2013/10/14 14:18:56 | ||
8889 | [sftp-server.8 sftp-server.c] | ||
8890 | tweak previous; | ||
8891 | ok djm | ||
8892 | |||
8893 | commit 61c7de8a94156f6d7e9718ded9be8c65bb902b66 | ||
8894 | Author: Damien Miller <djm@mindrot.org> | ||
8895 | Date: Tue Oct 15 12:06:45 2013 +1100 | ||
8896 | |||
8897 | - djm@cvs.openbsd.org 2013/10/11 02:53:45 | ||
8898 | [sftp-client.h] | ||
8899 | obsolete comment | ||
8900 | |||
8901 | commit 2f93d0556e4892208c9b072624caa8cc5ddd839d | ||
8902 | Author: Damien Miller <djm@mindrot.org> | ||
8903 | Date: Tue Oct 15 12:06:27 2013 +1100 | ||
8904 | |||
8905 | - djm@cvs.openbsd.org 2013/10/11 02:52:23 | ||
8906 | [sftp-client.c] | ||
8907 | missed one arg reorder | ||
8908 | |||
8909 | commit bda5c8445713ae592d969a5105ed1a65da22bc96 | ||
8910 | Author: Damien Miller <djm@mindrot.org> | ||
8911 | Date: Tue Oct 15 12:05:58 2013 +1100 | ||
8912 | |||
8913 | - djm@cvs.openbsd.org 2013/10/11 02:45:36 | ||
8914 | [sftp-client.c] | ||
8915 | rename flag arguments to be more clear and consistent. | ||
8916 | reorder some internal function arguments to make adding additional flags | ||
8917 | easier. | ||
8918 | no functional change | ||
8919 | |||
8920 | commit 61ee4d68ca0fcc793a826fc7ec70f3b8ffd12ab6 | ||
8921 | Author: Damien Miller <djm@mindrot.org> | ||
8922 | Date: Tue Oct 15 11:56:47 2013 +1100 | ||
8923 | |||
8924 | - djm@cvs.openbsd.org 2013/10/10 01:43:03 | ||
8925 | [sshd.c] | ||
8926 | bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly | ||
8927 | updated; ok dtucker@ | ||
8928 | |||
8929 | commit 73600e51af9ee734a19767e0c084bbbc5eb5b8da | ||
8930 | Author: Damien Miller <djm@mindrot.org> | ||
8931 | Date: Tue Oct 15 11:56:25 2013 +1100 | ||
8932 | |||
8933 | - djm@cvs.openbsd.org 2013/10/10 00:53:25 | ||
8934 | [sftp-server.c] | ||
8935 | add -Q, -P and -p to usage() before jmc@ catches me | ||
8936 | |||
8937 | commit 6eaeebf27d92f39a38c772aa3f20c2250af2dd29 | ||
8938 | Author: Damien Miller <djm@mindrot.org> | ||
8939 | Date: Tue Oct 15 11:55:57 2013 +1100 | ||
8940 | |||
8941 | - djm@cvs.openbsd.org 2013/10/09 23:42:17 | ||
8942 | [sftp-server.8 sftp-server.c] | ||
8943 | Add ability to whitelist and/or blacklist sftp protocol requests by name. | ||
8944 | Refactor dispatch loop and consolidate read-only mode checks. | ||
8945 | Make global variables static, since sftp-server is linked into sshd(8). | ||
8946 | ok dtucker@ | ||
8947 | |||
8948 | commit df62d71e64d29d1054e7a53d1a801075ef70335f | ||
8949 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8950 | Date: Thu Oct 10 10:32:39 2013 +1100 | ||
8951 | |||
8952 | - dtucker@cvs.openbsd.org 2013/10/08 11:42:13 | ||
8953 | [dh.c dh.h] | ||
8954 | Increase the size of the Diffie-Hellman groups requested for a each | ||
8955 | symmetric key size. New values from NIST Special Publication 800-57 with | ||
8956 | the upper limit specified by RFC4419. Pointed out by Peter Backes, ok | ||
8957 | djm@. | ||
8958 | |||
8959 | commit e6e52f8c5dc89a6767702e65bb595aaf7bc8991c | ||
8960 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8961 | Date: Thu Oct 10 10:28:07 2013 +1100 | ||
8962 | |||
8963 | - djm@cvs.openbsd.org 2013/09/19 01:26:29 | ||
8964 | [sshconnect.c] | ||
8965 | bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from | ||
8966 | swp AT swp.pp.ru; ok dtucker@ | ||
8967 | |||
8968 | commit 71152bc9911bc34a98810b2398dac20df3fe8de3 | ||
8969 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8970 | Date: Thu Oct 10 10:27:21 2013 +1100 | ||
8971 | |||
8972 | - djm@cvs.openbsd.org 2013/09/19 01:24:46 | ||
8973 | [channels.c] | ||
8974 | bz#1297 - tell the client (via packet_send_debug) when their preferred | ||
8975 | listen address has been overridden by the server's GatewayPorts; | ||
8976 | ok dtucker@ | ||
8977 | |||
8978 | commit b59aaf3c4f3f449a4b86d8528668bd979be9aa5f | ||
8979 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8980 | Date: Thu Oct 10 10:26:21 2013 +1100 | ||
8981 | |||
8982 | - djm@cvs.openbsd.org 2013/09/19 00:49:12 | ||
8983 | [sftp-client.c] | ||
8984 | fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan | ||
8985 | |||
8986 | commit 5d80e4522d6238bdefe9d0c634f0e6d35a241e41 | ||
8987 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8988 | Date: Thu Oct 10 10:25:09 2013 +1100 | ||
8989 | |||
8990 | - djm@cvs.openbsd.org 2013/09/19 00:24:52 | ||
8991 | [progressmeter.c] | ||
8992 | store the initial file offset so the progress meter doesn't freak out | ||
8993 | when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@ | ||
8994 | |||
8995 | commit ad92df7e5ed26fea85adfb3f95352d6cd8e86344 | ||
8996 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8997 | Date: Thu Oct 10 10:24:11 2013 +1100 | ||
8998 | |||
8999 | - sthen@cvs.openbsd.org 2013/09/16 11:35:43 | ||
9000 | [ssh_config] | ||
9001 | Remove gssapi config parts from ssh_config, as was already done for | ||
9002 | sshd_config. Req by/ok ajacoutot@ | ||
9003 | ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular | ||
9004 | |||
9005 | commit 720711960b130d36dfdd3d50eb25ef482bdd000e | ||
9006 | Author: Damien Miller <djm@mindrot.org> | ||
9007 | Date: Wed Oct 9 10:44:47 2013 +1100 | ||
9008 | |||
9009 | - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c] | ||
9010 | [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random | ||
9011 | implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@, | ||
9012 | tested tim@ | ||
9013 | |||
9014 | commit 9159310087a218e28940a592896808b8eb76a039 | ||
9015 | Author: Damien Miller <djm@mindrot.org> | ||
9016 | Date: Wed Oct 9 10:42:32 2013 +1100 | ||
9017 | |||
9018 | - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull | ||
9019 | in OpenBSD implementation of arc4random, shortly to replace the existing | ||
9020 | bsd-arc4random.c | ||
9021 | |||
9022 | commit 67f1d557a68d6fa8966a327d7b6dee3408cf0e72 | ||
9023 | Author: Damien Miller <djm@mindrot.org> | ||
9024 | Date: Wed Oct 9 09:33:08 2013 +1100 | ||
9025 | |||
9026 | correct incorrect years in datestamps; from des | ||
9027 | |||
9028 | commit f2bf36c3eb4d969f85ec8aa342e9aecb61cc8bb1 | ||
9029 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9030 | Date: Sun Sep 22 19:02:40 2013 +1000 | ||
9031 | |||
9032 | - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj | ||
9033 | setting when handling SIGHUP to maintain behaviour over retart. Patch | ||
9034 | from Matthew Ife. | ||
9035 | |||
9036 | commit e90a06ae570fd259a2f5ced873c7f17390f535a5 | ||
9037 | Author: Darren Tucker <dtucker@zip.com.au> | ||
9038 | Date: Wed Sep 18 15:09:38 2013 +1000 | ||
9039 | |||
9040 | - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. | ||
9041 | |||
9042 | commit 13840e0103946982cee2a05c40697be7e57dca41 | ||
9043 | Author: Damien Miller <djm@mindrot.org> | ||
9044 | Date: Sat Sep 14 09:49:43 2013 +1000 | ||
9045 | |||
9046 | - djm@cvs.openbsd.org 2013/09/13 06:54:34 | ||
9047 | [channels.c] | ||
9048 | avoid unaligned access in code that reused a buffer to send a | ||
9049 | struct in_addr in a reply; simpler just use use buffer_put_int(); | ||
9050 | from portable; spotted by and ok dtucker@ | ||
9051 | |||
9052 | commit 70182522a47d283513a010338cd028cb80dac2ab | ||
9053 | Author: Damien Miller <djm@mindrot.org> | ||
9054 | Date: Sat Sep 14 09:49:19 2013 +1000 | ||
9055 | |||
9056 | - djm@cvs.openbsd.org 2013/09/12 01:41:12 | ||
9057 | [clientloop.c] | ||
9058 | fix connection crash when sending break (~B) on ControlPersist'd session; | ||
9059 | ok dtucker@ | ||
9060 | |||
9061 | commit ff9d6c2a4171ee32e8fe28fc3b86eb33bd5c845b | ||
9062 | Author: Damien Miller <djm@mindrot.org> | ||
9063 | Date: Sat Sep 14 09:48:55 2013 +1000 | ||
9064 | |||
9065 | - sthen@cvs.openbsd.org 2013/09/07 13:53:11 | ||
9066 | [sshd_config] | ||
9067 | Remove commented-out kerberos/gssapi config options from sample config, | ||
9068 | kerberos support is currently not enabled in ssh in OpenBSD. Discussed with | ||
9069 | various people; ok deraadt@ | ||
9070 | ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular | ||
9071 | |||
9072 | commit 8bab5e7b5ff6721d926b5ebf05a3a24489889c58 | ||
9073 | Author: Damien Miller <djm@mindrot.org> | ||
9074 | Date: Sat Sep 14 09:47:00 2013 +1000 | ||
9075 | |||
9076 | - deraadt@cvs.openbsd.org 2013/09/02 22:00:34 | ||
9077 | [ssh-keygen.c sshconnect1.c sshd.c] | ||
9078 | All the instances of arc4random_stir() are bogus, since arc4random() | ||
9079 | does this itself, inside itself, and has for a very long time.. Actually, | ||
9080 | this was probably reducing the entropy available. | ||
9081 | ok djm | ||
9082 | ID SYNC ONLY for portable; we don't trust other arc4random implementations | ||
9083 | to do this right. | ||
9084 | |||
9085 | commit 61353b3208d548fab863e0e0ac5d2400ee5bb340 | ||
9086 | Author: Damien Miller <djm@mindrot.org> | ||
9087 | Date: Sat Sep 14 09:45:32 2013 +1000 | ||
9088 | |||
9089 | - djm@cvs.openbsd.org 2013/08/31 00:13:54 | ||
9090 | [sftp.c] | ||
9091 | make ^w match ksh behaviour (delete previous word instead of entire line) | ||
9092 | |||
9093 | commit 660854859cad31d234edb9353fb7ca2780df8128 | ||
9094 | Author: Damien Miller <djm@mindrot.org> | ||
9095 | Date: Sat Sep 14 09:45:03 2013 +1000 | ||
9096 | |||
9097 | - mikeb@cvs.openbsd.org 2013/08/28 12:34:27 | ||
9098 | [ssh-keygen.c] | ||
9099 | improve batch processing a bit by making use of the quite flag a bit | ||
9100 | more often and exit with a non zero code if asked to find a hostname | ||
9101 | in a known_hosts file and it wasn't there; | ||
9102 | originally from reyk@, ok djm | ||
9103 | |||
9104 | commit 045bda5cb8acf0eb9d71c275ee1247e3154fc9e5 | ||
9105 | Author: Damien Miller <djm@mindrot.org> | ||
9106 | Date: Sat Sep 14 09:44:37 2013 +1000 | ||
9107 | |||
9108 | - djm@cvs.openbsd.org 2013/08/22 19:02:21 | ||
9109 | [sshd.c] | ||
9110 | Stir PRNG after post-accept fork. The child gets a different PRNG state | ||
9111 | anyway via rexec and explicit privsep reseeds, but it's good to be sure. | ||
9112 | ok markus@ | ||
9113 | |||
9114 | commit ed4af412da60a084891b20412433a27966613fb8 | ||
9115 | Author: Damien Miller <djm@mindrot.org> | ||
9116 | Date: Sat Sep 14 09:40:51 2013 +1000 | ||
9117 | |||
9118 | add marker for 6.3p1 release at the point of the last included change | ||
9119 | |||
9120 | commit 43968a8e66a0aa1afefb11665bf96f86b113f5d9 | ||
9121 | Author: Damien Miller <djm@mindrot.org> | ||
9122 | Date: Wed Aug 28 14:00:54 2013 +1000 | ||
9123 | |||
9124 | - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits | ||
9125 | until we have configure support. | ||
9126 | |||
9127 | commit 04be8b9e53f8388c94b531ebc5d1bd6e10e930d1 | ||
9128 | Author: Damien Miller <djm@mindrot.org> | ||
9129 | Date: Wed Aug 28 12:49:43 2013 +1000 | ||
9130 | |||
9131 | - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the | ||
9132 | 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we | ||
9133 | start to use them in the future. | ||
@@ -1,4 +1,4 @@ | |||
1 | See http://www.openssh.com/txt/release-7.1 for the release notes. | 1 | See http://www.openssh.com/txt/release-7.1p2 for the release notes. |
2 | 2 | ||
3 | Please read http://www.openssh.com/report.html for bug reporting | 3 | Please read http://www.openssh.com/report.html for bug reporting |
4 | instructions and note that we do not use Github for bug reporting or | 4 | instructions and note that we do not use Github for bug reporting or |
@@ -53,7 +53,7 @@ void | |||
53 | bitmap_free(struct bitmap *b) | 53 | bitmap_free(struct bitmap *b) |
54 | { | 54 | { |
55 | if (b != NULL && b->d != NULL) { | 55 | if (b != NULL && b->d != NULL) { |
56 | memset(b->d, 0, b->len); | 56 | explicit_bzero(b->d, b->len); |
57 | free(b->d); | 57 | free(b->d); |
58 | } | 58 | } |
59 | free(b); | 59 | free(b); |
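Review bot: The length passed to `explicit_bzero(b->d, b->len)` in bitmap_free is carried over unchanged from the old memset, so it is worth confirming whether `b->len` counts bytes or array elements. The struct definition is not visible in this hunk. If `len` is an element (word) count, only the leading part of the buffer is cleared before `free(b->d)`, and the remaining bitmap contents stay in freed memory. In that case the call should scale by the element size: `explicit_bzero(b->d, b->len * sizeof(*b->d));`. The function's closing brace falls outside the hunk.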
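--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 7.1p1
+%define ver 7.1p2
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID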
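--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 7.1p1
+Version: 7.1p2
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz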
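--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-31cc76b587fe2305eab8f7788c5dc6c876aff60e
-31cc76b587fe2305eab8f7788c5dc6c876aff60e
-651211fd4a199b299540c00c54a46e27fadb04be
-651211fd4a199b299540c00c54a46e27fadb04be
-openssh_7.1p1.orig.tar.gz
-ed22af19f962262c493fcc6ed8c8826b2761d9b6
-1493170
+003a875a474100d250b6643270ef3874da6591d8
+003a875a474100d250b6643270ef3874da6591d8
+eeff4de96f5d7365750dc56912c2c62b5c28db6b
+eeff4de96f5d7365750dc56912c2c62b5c28db6b
+openssh_7.1p2.orig.tar.gz
+9202f5a2a50c8a55ecfb830609df1e1fde97f758
+1475829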
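--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+openssh (1:7.1p2-1) UNRELEASED; urgency=high
+
+* New upstream release (http://www.openssh.com/txt/release-7.1p2):
+- CVE-2016-0777, CVE-2016-0778: Disable experimental client-side support
+for roaming, which could be tricked by a malicious server into leaking
+client memory to the server, including private client user keys; this
+information leak is restricted to connections to malicious or
+compromised servers (closes: #810984).
+- SECURITY: Fix an out of-bound read access in the packet handling code.
+Reported by Ben Hawkes.
+- Further use of explicit_bzero has been added in various buffer
+handling code paths to guard against compilers aggressively doing
+dead-store removal.
+
+-- Colin Watson <cjwatson@debian.org> Thu, 14 Jan 2016 15:08:21 +0000
+
 openssh (1:7.1p1-6) unstable; urgency=medium
 
 [ Colin Watson ]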
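--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From bede2f8c8a352b57ae5188fe6d3e45c5a57892eb Mon Sep 17 00:00:00 2001
+From a791d607756f04e41153c2297e5f9a608daa7335 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used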
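--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From efc61f37910b46ad2ac920aca7eefce909ef2555 Mon Sep 17 00:00:00 2001
+From 9769daa27369920a909debed3ee297c32f0c3ef7 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)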
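--- a/debian/patches/backport-fix-first-kex-follows.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 31cc76b587fe2305eab8f7788c5dc6c876aff60e Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Tue, 15 Dec 2015 15:25:04 +0000
-Subject: upstream commit
-
-unbreak connections with peers that set first_kex_follows;
-fix from Matt Johnston va bz#2515
-
-Origin: backport, http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.114&r2=1.115
-Forwarded: not-needed
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1526357
-
-Patch-Name: backport-fix-first-kex-follows.patch
----
-kex.c | 6 +++---
-1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/kex.c b/kex.c
-index 39a6f98..12f3e41 100644
---- a/kex.c
-+++ b/kex.c
-@@ -286,11 +286,11 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
-debug2("kex_parse_kexinit: %s", proposal[i]);
-}
-/* first kex follows / reserved */
-- if ((r = sshbuf_get_u8(b, &v)) != 0 ||
-- (r = sshbuf_get_u32(b, &i)) != 0)
-+ if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */
-+ (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */
-goto out;
-if (first_kex_follows != NULL)
-- *first_kex_follows = i;
-+ *first_kex_follows = v;
-debug2("kex_parse_kexinit: first_kex_follows %d ", v);
-debug2("kex_parse_kexinit: reserved %u ", i);
-r = 0;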
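--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From e35768a64e1ca5a6ad2a5df3ebbe6806ffb8afa2 Mon Sep 17 00:00:00 2001
+From 1cbbbb90ae1a4f88f8090e1fdecee007b8d360f8 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -80,7 +80,7 @@ index 778ba17..161fa37 100644
 
 /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 0d4fb7f..6024e0e 100644
+index 189d34a..8d17521 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out)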
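--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 966fde291d530349c427da5c98e4f1869cb4e0bb Mon Sep 17 00:00:00 2001
+From 003a875a474100d250b6643270ef3874da6591d8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -32,7 +32,7 @@ Patch-Name: debian-config.patch
 6 files changed, 72 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index c0ba5a7..e4e1cba 100644
+index b9442fd..ee46ad6 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -1749,7 +1749,7 @@ fill_default_options(Options * options)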
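--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From c35c5d9e775ad138661f3c4ef797060be53a4bd8 Mon Sep 17 00:00:00 2001
+From 54d62ce82775d6a6f556cef7b1ff61412d2d0581 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf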
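--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From a6edf4df120a78aefe39b44d07c89e13340c9ac8 Mon Sep 17 00:00:00 2001
+From 6f8b6ab94f4c4351e49598f08abc6da16fe29740 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion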
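--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 5e6ecf32f56fa0c7d102239b74ae09bd4186c5a3 Mon Sep 17 00:00:00 2001
+From 17063f049ca0f00cb455eed0852405bc9abe6213 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script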
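--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From a9bfb2fba2b1ec9ebeca20550cbccf2499d42461 Mon Sep 17 00:00:00 2001
+From a1913369b4abfcebec320706e561591c1ed8640c Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon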
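--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 48424483cbf2232ba849038e02675b2db1ea3a88 Mon Sep 17 00:00:00 2001
+From 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -1212,7 +1212,7 @@ index 53993d6..2f6baf7 100644
 
 #endif
 diff --git a/kex.c b/kex.c
-index 5100c66..39a6f98 100644
+index b777b7d..390bb69 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -55,6 +55,10 @@
@@ -2222,7 +2222,7 @@ index de4a08f..9758290 100644
 
 #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index 1d03bdf..43b7570 100644
+index cd01482..56e0f44 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -147,6 +147,8 @@ typedef enum {
@@ -2801,7 +2801,7 @@ index 7751031..32e9b0d 100644
 
 int
 diff --git a/sshd.c b/sshd.c
-index 65ef7e8..839c2e0 100644
+index 43d4650..d659a68 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -126,6 +126,10 @@
@@ -2815,7 +2815,7 @@ index 65ef7e8..839c2e0 100644
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
-@@ -1827,10 +1831,13 @@ main(int ac, char **av)
+@@ -1833,10 +1837,13 @@ main(int ac, char **av)
 logit("Disabling protocol version 1. Could not load host key");
 options.protocol &= ~SSH_PROTO_1;
 }
@@ -2829,7 +2829,7 @@ index 65ef7e8..839c2e0 100644
 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 logit("sshd: no hostkeys available -- exiting.");
 exit(1);
-@@ -2145,6 +2152,60 @@ main(int ac, char **av)
+@@ -2151,6 +2158,60 @@ main(int ac, char **av)
 remote_ip, remote_port, laddr, get_local_port());
 free(laddr);
 
@@ -2890,7 +2890,7 @@ index 65ef7e8..839c2e0 100644
 /*
 * We don't want to listen forever unless the other side
 * successfully authenticates itself. So we set up an alarm which is
-@@ -2563,6 +2624,48 @@ do_ssh2_kex(void)
+@@ -2569,6 +2630,48 @@ do_ssh2_kex(void)
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 list_hostkey_types());
 
@@ -2939,7 +2939,7 @@ index 65ef7e8..839c2e0 100644
 /* start key exchange */
 if ((r = kex_setup(active_state, myproposal)) != 0)
 fatal("kex_setup: %s", ssh_err(r));
-@@ -2577,6 +2680,13 @@ do_ssh2_kex(void)
+@@ -2583,6 +2686,13 @@ do_ssh2_kex(void)
 # endif
 #endif
 kex->kex[KEX_C25519_SHA256] = kexc25519_server;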
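--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 86d7bcd53809aacc75344386bd8b88bf5fcb2fce Mon Sep 17 00:00:00 2001
+From 0a3d1df1344642161b1ee001a3885a1ee8ebc03b Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate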
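--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 8f53616f872acf853b52e94f5b0668c78bf0cb76 Mon Sep 17 00:00:00 2001
+From ea47a6eba9fce31a1b4cd909b7ba19541c9d9c9b Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
 3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 522ad37..46c343f 100644
+index 831072f..83582e3 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -160,6 +160,7 @@ typedef enum {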
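--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From ca06409500b9f4f3a43fa61526a4c0654761e009 Mon Sep 17 00:00:00 2001
+From c685ea67334abf73c014aa6ab9f833e9d28fdab8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks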
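--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 9f59e8a3ddd28351126a5b26d2dd3d9f24442c09 Mon Sep 17 00:00:00 2001
+From 89f2729da6734f2d5e3a31d2a75e817750f6cd95 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning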
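--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From e5908e70f9a105f725d9884fba1a68bfb3ba664f Mon Sep 17 00:00:00 2001
+From dcc3ce03144d1560d878db8290c9f19dc0511f6f Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version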
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index 4ce6c79e0..9b1c38bfc 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 70ef4add88e4f6adc7f9f0e9521567dcd80a12e6 Mon Sep 17 00:00:00 2001 | 1 | From eb8141e6ac12c0714e0951598fe44634327bfde7 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 51e14b07a..fb7724f58 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 3b79d6bcaf9405b878496c9107855ebe8906a60a Mon Sep 17 00:00:00 2001 | 1 | From 3e38e90de2e2ead094624f4f140568574c40cae6 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -36,7 +36,7 @@ index bbde8af..0ec1e54 100644 | |||
36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | 36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, |
37 | strlen(client_version_string)) != strlen(client_version_string)) | 37 | strlen(client_version_string)) != strlen(client_version_string)) |
38 | diff --git a/sshd.c b/sshd.c | 38 | diff --git a/sshd.c b/sshd.c |
39 | index 0537bc9..0d4fb7f 100644 | 39 | index 1b49b26..189d34a 100644 |
40 | --- a/sshd.c | 40 | --- a/sshd.c |
41 | +++ b/sshd.c | 41 | +++ b/sshd.c |
42 | @@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) | 42 | @@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) |
@@ -49,13 +49,13 @@ index 0537bc9..0d4fb7f 100644 | |||
49 | options.version_addendum, newline); | 49 | options.version_addendum, newline); |
50 | 50 | ||
51 | diff --git a/version.h b/version.h | 51 | diff --git a/version.h b/version.h |
52 | index d917ca1..5c22d90 100644 | 52 | index 41e1ea9..2969570 100644 |
53 | --- a/version.h | 53 | --- a/version.h |
54 | +++ b/version.h | 54 | +++ b/version.h |
55 | @@ -3,4 +3,9 @@ | 55 | @@ -3,4 +3,9 @@ |
56 | #define SSH_VERSION "OpenSSH_7.1" | 56 | #define SSH_VERSION "OpenSSH_7.1" |
57 | 57 | ||
58 | #define SSH_PORTABLE "p1" | 58 | #define SSH_PORTABLE "p2" |
59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
60 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 60 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |
61 | +#ifdef SSH_EXTRAVERSION | 61 | +#ifdef SSH_EXTRAVERSION |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index 4d9267c19..0dc3f1c32 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From de340b1ef1920a34e8c640a571a88a3f58121c6a Mon Sep 17 00:00:00 2001 | 1 | From 72aec10a082f61d9a601b03ec57e0053e03397dd Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index 0bda03255..13090ff06 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c538473bc1958b99bb26283752f287df5934045a Mon Sep 17 00:00:00 2001 | 1 | From f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
@@ -128,7 +128,7 @@ index 213b5fc..2105979 100644 | |||
128 | .Xr moduli 5 , | 128 | .Xr moduli 5 , |
129 | .Xr sshd_config 5 , | 129 | .Xr sshd_config 5 , |
130 | diff --git a/sshd.c b/sshd.c | 130 | diff --git a/sshd.c b/sshd.c |
131 | index 839c2e0..0e30e6e 100644 | 131 | index d659a68..9275e0b 100644 |
132 | --- a/sshd.c | 132 | --- a/sshd.c |
133 | +++ b/sshd.c | 133 | +++ b/sshd.c |
134 | @@ -130,6 +130,13 @@ | 134 | @@ -130,6 +130,13 @@ |
@@ -145,7 +145,7 @@ index 839c2e0..0e30e6e 100644 | |||
145 | #ifndef O_NOCTTY | 145 | #ifndef O_NOCTTY |
146 | #define O_NOCTTY 0 | 146 | #define O_NOCTTY 0 |
147 | #endif | 147 | #endif |
148 | @@ -2145,6 +2152,24 @@ main(int ac, char **av) | 148 | @@ -2151,6 +2158,24 @@ main(int ac, char **av) |
149 | #ifdef SSH_AUDIT_EVENTS | 149 | #ifdef SSH_AUDIT_EVENTS |
150 | audit_connection_from(remote_ip, remote_port); | 150 | audit_connection_from(remote_ip, remote_port); |
151 | #endif | 151 | #endif |
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index c6568cf1e..e8049d902 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bad235ddc7e9cb8fa83ccefac7640fe456bcf993 Mon Sep 17 00:00:00 2001 | 1 | From efd79b5b880f473ef06d4659cf279b07a65de208 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index f479c4635..5fec9eae0 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5f583693723b0f56608a9a91e58b248219a668c9 Mon Sep 17 00:00:00 2001 | 1 | From 701eb985309b1c9fce617949298659843fce723d Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644 | |||
458 | const char *value); | 458 | const char *value); |
459 | 459 | ||
460 | diff --git a/sshd.c b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
461 | index 0e30e6e..0537bc9 100644 | 461 | index 9275e0b..1b49b26 100644 |
462 | --- a/sshd.c | 462 | --- a/sshd.c |
463 | +++ b/sshd.c | 463 | +++ b/sshd.c |
464 | @@ -782,7 +782,7 @@ privsep_postauth(Authctxt *authctxt) | 464 | @@ -786,7 +786,7 @@ privsep_postauth(Authctxt *authctxt) |
465 | explicit_bzero(rnd, sizeof(rnd)); | 465 | explicit_bzero(rnd, sizeof(rnd)); |
466 | 466 | ||
467 | /* Drop privileges */ | 467 | /* Drop privileges */ |
diff --git a/debian/patches/series b/debian/patches/series index f7eb1cc8b..e612e0554 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -26,4 +26,3 @@ gnome-ssh-askpass2-icon.patch | |||
26 | sigstop.patch | 26 | sigstop.patch |
27 | systemd-readiness.patch | 27 | systemd-readiness.patch |
28 | debian-config.patch | 28 | debian-config.patch |
29 | backport-fix-first-kex-follows.patch | ||
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 3a98343cc..e60dfc4d3 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bf28735236933b0a1f011d73d7cbb948e197c4cc Mon Sep 17 00:00:00 2001 | 1 | From ccc03dd81a15fa91155bbdfa6b84a0d6e37c43e4 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index 7db2557a0..0cf814455 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bf533d857451efe2f9abc6fb96e1c9c93ff1a7ee Mon Sep 17 00:00:00 2001 | 1 | From 5af03fab96e1d53019d1c50282eb21ce3e581895 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch | |||
13 | 1 file changed, 10 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/sshd.c b/sshd.c | 15 | diff --git a/sshd.c b/sshd.c |
16 | index 6024e0e..7e72b9b 100644 | 16 | index 8d17521..5ccf175 100644 |
17 | --- a/sshd.c | 17 | --- a/sshd.c |
18 | +++ b/sshd.c | 18 | +++ b/sshd.c |
19 | @@ -2042,6 +2042,16 @@ main(int ac, char **av) | 19 | @@ -2048,6 +2048,16 @@ main(int ac, char **av) |
20 | } | 20 | } |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index 11ecc5c42..ffab898c7 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0f29b62fb2529bd6341dae7bea1271f5b967ece0 Mon Sep 17 00:00:00 2001 | 1 | From 7566d3563c174cc339da8b72833e66614cfc1458 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 3c22db5cf..d3097fe10 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 11e3509a4baa45a988598b937ea16e6ed3949d44 Mon Sep 17 00:00:00 2001 | 1 | From 078b7a5e7b89d20ce867e2c9839096be673b6ae0 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index 59b0983f9..be725e357 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6b1e8291597ff151b913c470f4af4b04ddec5c7d Mon Sep 17 00:00:00 2001 | 1 | From 7f0a4ecb6694298414e6d84c0aa49c35b19cad1b Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 43b7570..522ad37 100644 | 20 | index 56e0f44..831072f 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -181,6 +181,7 @@ static struct { | 23 | @@ -181,6 +181,7 @@ static struct { |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index d591c1a70..255395666 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2b9216f2931cfe880a7ea85750730579f8da4465 Mon Sep 17 00:00:00 2001 | 1 | From 25ead9080a3f98eafc64a9a9c4b6650d922a19fa Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,7 +33,7 @@ index ad12930..e68b84a 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 59c1f93..712ea0e 100644 | 36 | index 67c1ebf..eb73903 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -1106,7 +1106,7 @@ main(int ac, char **av) | 39 | @@ -1106,7 +1106,7 @@ main(int ac, char **av) |
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index 4914cd6f5..62ca0f284 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0aff7ca980bc54be68f7479a016d7779f99cf06e Mon Sep 17 00:00:00 2001 | 1 | From 9d88bc29443745ebf30004136ac18ced47292833 Mon Sep 17 00:00:00 2001 |
2 | From: Michael Biebl <biebl@debian.org> | 2 | From: Michael Biebl <biebl@debian.org> |
3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 | 3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 |
4 | Subject: Add systemd readiness notification support | 4 | Subject: Add systemd readiness notification support |
@@ -56,7 +56,7 @@ index 128889a..eec2b72 100644 | |||
56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
57 | echo " BSD Auth support: $BSD_AUTH_MSG" | 57 | echo " BSD Auth support: $BSD_AUTH_MSG" |
58 | diff --git a/sshd.c b/sshd.c | 58 | diff --git a/sshd.c b/sshd.c |
59 | index 7e72b9b..19ee92b 100644 | 59 | index 5ccf175..366ae92 100644 |
60 | --- a/sshd.c | 60 | --- a/sshd.c |
61 | +++ b/sshd.c | 61 | +++ b/sshd.c |
62 | @@ -85,6 +85,10 @@ | 62 | @@ -85,6 +85,10 @@ |
@@ -70,7 +70,7 @@ index 7e72b9b..19ee92b 100644 | |||
70 | #include "xmalloc.h" | 70 | #include "xmalloc.h" |
71 | #include "ssh.h" | 71 | #include "ssh.h" |
72 | #include "ssh1.h" | 72 | #include "ssh1.h" |
73 | @@ -2052,6 +2056,11 @@ main(int ac, char **av) | 73 | @@ -2058,6 +2062,11 @@ main(int ac, char **av) |
74 | unsetenv("SSH_SIGSTOP"); | 74 | unsetenv("SSH_SIGSTOP"); |
75 | } | 75 | } |
76 | 76 | ||
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 70d5275aa..c2dbdcd7a 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c60b1066b877429b723b351f44efb9e84bc64252 Mon Sep 17 00:00:00 2001 | 1 | From a1010980d6906a140307825466934a21c3d4d228 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644 | |||
216 | - return 0; | 216 | - return 0; |
217 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | 218 | diff --git a/readconf.c b/readconf.c |
219 | index 46c343f..c0ba5a7 100644 | 219 | index 83582e3..b9442fd 100644 |
220 | --- a/readconf.c | 220 | --- a/readconf.c |
221 | +++ b/readconf.c | 221 | +++ b/readconf.c |
222 | @@ -39,6 +39,8 @@ | 222 | @@ -39,6 +39,8 @@ |
@@ -291,8 +291,8 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) | |||
291 | goto out; | 291 | goto out; |
292 | if (first_kex_follows != NULL) | 292 | if (first_kex_follows != NULL) |
293 | *first_kex_follows = v; | 293 | *first_kex_follows = v; |
294 | debug2("kex_parse_kexinit: first_kex_follows %d ", v); | 294 | debug2("first_kex_follows %d ", v); |
295 | debug2("kex_parse_kexinit: reserved %u ", i); | 295 | debug2("reserved %u ", i); |
296 | r = 0; | 296 | r = 0; |
297 | *propp = proposal; | 297 | *propp = proposal; |
298 | out: | 298 | out: |
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | |||
1581 | logit("Bad packet length %u.", state->packlen); | 1581 | logit("Bad packet length %u.", state->packlen); |
1582 | if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) | 1582 | if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) |
1583 | return r; | 1583 | return r; |
1584 | return SSH_ERR_CONN_CORRUPT; | ||
1584 | } | 1585 | } |
1585 | sshbuf_reset(state->incoming_packet); | 1586 | sshbuf_reset(state->incoming_packet); |
1586 | } else if (state->packlen == 0) { | 1587 | } else if (state->packlen == 0) { |
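Review bot: The added `return SSH_ERR_CONN_CORRUPT;` in ssh_packet_read_poll2 is the only thing that stops an out-of-range `state->packlen` from reaching `sshbuf_reset()` and the parsing that follows, yet nothing in the branch says so. A one-line comment above it, for example `/* packlen failed validation: never fall through and keep parsing */`, would make the intent hard to undo by accident. The function continues on both sides of this hunk, so any other `sshpkt_disconnect()` call there that only returns on failure should be checked for the same fall-through.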
diff --git a/readconf.c b/readconf.c index e4e1cbae3..ee46ad623 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1703,7 +1703,7 @@ initialize_options(Options * options) | |||
1703 | options->tun_remote = -1; | 1703 | options->tun_remote = -1; |
1704 | options->local_command = NULL; | 1704 | options->local_command = NULL; |
1705 | options->permit_local_command = -1; | 1705 | options->permit_local_command = -1; |
1706 | options->use_roaming = -1; | 1706 | options->use_roaming = 0; |
1707 | options->visual_host_key = -1; | 1707 | options->visual_host_key = -1; |
1708 | options->ip_qos_interactive = -1; | 1708 | options->ip_qos_interactive = -1; |
1709 | options->ip_qos_bulk = -1; | 1709 | options->ip_qos_bulk = -1; |
@@ -1887,8 +1887,7 @@ fill_default_options(Options * options) | |||
1887 | options->tun_remote = SSH_TUNID_ANY; | 1887 | options->tun_remote = SSH_TUNID_ANY; |
1888 | if (options->permit_local_command == -1) | 1888 | if (options->permit_local_command == -1) |
1889 | options->permit_local_command = 0; | 1889 | options->permit_local_command = 0; |
1890 | if (options->use_roaming == -1) | 1890 | options->use_roaming = 0; |
1891 | options->use_roaming = 1; | ||
1892 | if (options->visual_host_key == -1) | 1891 | if (options->visual_host_key == -1) |
1893 | options->visual_host_key = 0; | 1892 | options->visual_host_key = 0; |
1894 | if (options->ip_qos_interactive == -1) | 1893 | if (options->ip_qos_interactive == -1) |
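Review bot: The now unconditional `options->use_roaming = 0;` in fill_default_options breaks the `if (x == -1)` default pattern of every neighbouring option without saying why, so a later cleanup could restore the guard and let a configured value through again. A comment above it such as `/* roaming is forcibly disabled; ignore any configured value */` would record that the override is deliberate. The initialize_options hunk also changes the initial value from -1 to 0; if the option parser (not shown here) treats -1 as "unset", confirm that this has no side effect on how the keyword is handled. Both functions extend outside their hunks.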
@@ -1932,9 +1932,6 @@ ssh_session2(void) | |||
1932 | fork_postauth(); | 1932 | fork_postauth(); |
1933 | } | 1933 | } |
1934 | 1934 | ||
1935 | if (options.use_roaming) | ||
1936 | request_roaming(); | ||
1937 | |||
1938 | return client_loop(tty_flag, tty_flag ? | 1935 | return client_loop(tty_flag, tty_flag ? |
1939 | options.escape_char : SSH_ESCAPECHAR_NONE, id); | 1936 | options.escape_char : SSH_ESCAPECHAR_NONE, id); |
1940 | } | 1937 | } |
diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c index e2e093c00..d0d791b50 100644 --- a/sshbuf-getput-crypto.c +++ b/sshbuf-getput-crypto.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshbuf-getput-crypto.c,v 1.4 2015/01/14 15:02:39 djm Exp $ */ | 1 | /* $OpenBSD: sshbuf-getput-crypto.c,v 1.5 2016/01/12 23:42:54 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2011 Damien Miller | 3 | * Copyright (c) 2011 Damien Miller |
4 | * | 4 | * |
@@ -158,10 +158,10 @@ sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v) | |||
158 | if (len > 0 && (d[1] & 0x80) != 0) | 158 | if (len > 0 && (d[1] & 0x80) != 0) |
159 | prepend = 1; | 159 | prepend = 1; |
160 | if ((r = sshbuf_put_string(buf, d + 1 - prepend, len + prepend)) < 0) { | 160 | if ((r = sshbuf_put_string(buf, d + 1 - prepend, len + prepend)) < 0) { |
161 | bzero(d, sizeof(d)); | 161 | explicit_bzero(d, sizeof(d)); |
162 | return r; | 162 | return r; |
163 | } | 163 | } |
164 | bzero(d, sizeof(d)); | 164 | explicit_bzero(d, sizeof(d)); |
165 | return 0; | 165 | return 0; |
166 | } | 166 | } |
167 | 167 | ||
@@ -177,13 +177,13 @@ sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v) | |||
177 | if (BN_bn2bin(v, d) != (int)len_bytes) | 177 | if (BN_bn2bin(v, d) != (int)len_bytes) |
178 | return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */ | 178 | return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */ |
179 | if ((r = sshbuf_reserve(buf, len_bytes + 2, &dp)) < 0) { | 179 | if ((r = sshbuf_reserve(buf, len_bytes + 2, &dp)) < 0) { |
180 | bzero(d, sizeof(d)); | 180 | explicit_bzero(d, sizeof(d)); |
181 | return r; | 181 | return r; |
182 | } | 182 | } |
183 | POKE_U16(dp, len_bits); | 183 | POKE_U16(dp, len_bits); |
184 | if (len_bytes != 0) | 184 | if (len_bytes != 0) |
185 | memcpy(dp + 2, d, len_bytes); | 185 | memcpy(dp + 2, d, len_bytes); |
186 | bzero(d, sizeof(d)); | 186 | explicit_bzero(d, sizeof(d)); |
187 | return 0; | 187 | return 0; |
188 | } | 188 | } |
189 | 189 | ||
@@ -210,7 +210,7 @@ sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g) | |||
210 | } | 210 | } |
211 | BN_CTX_free(bn_ctx); | 211 | BN_CTX_free(bn_ctx); |
212 | ret = sshbuf_put_string(buf, d, len); | 212 | ret = sshbuf_put_string(buf, d, len); |
213 | bzero(d, len); | 213 | explicit_bzero(d, len); |
214 | return ret; | 214 | return ret; |
215 | } | 215 | } |
216 | 216 | ||
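Review bot: In sshbuf_put_bignum1 the early `return SSH_ERR_INTERNAL_ERROR;` after the `BN_bn2bin(v, d)` length check still leaves the stack buffer `d` unwiped, although BN_bn2bin has already written the bignum bytes into it. Every other exit visible in this hunk now calls explicit_bzero, so this path should too: `if (BN_bn2bin(v, d) != (int)len_bytes) { explicit_bzero(d, sizeof(d)); return SSH_ERR_INTERNAL_ERROR; }`. The function starts above the hunk, and the part of sshbuf_put_bignum2 above its hunk should be checked for the same early return.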
diff --git a/sshbuf-misc.c b/sshbuf-misc.c index d022065f9..3da4b80e7 100644 --- a/sshbuf-misc.c +++ b/sshbuf-misc.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshbuf-misc.c,v 1.4 2015/03/24 20:03:44 markus Exp $ */ | 1 | /* $OpenBSD: sshbuf-misc.c,v 1.5 2015/10/05 17:11:21 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2011 Damien Miller | 3 | * Copyright (c) 2011 Damien Miller |
4 | * | 4 | * |
@@ -103,7 +103,7 @@ sshbuf_dtob64(struct sshbuf *buf) | |||
103 | if (SIZE_MAX / 2 <= len || (ret = malloc(plen)) == NULL) | 103 | if (SIZE_MAX / 2 <= len || (ret = malloc(plen)) == NULL) |
104 | return NULL; | 104 | return NULL; |
105 | if ((r = b64_ntop(p, len, ret, plen)) == -1) { | 105 | if ((r = b64_ntop(p, len, ret, plen)) == -1) { |
106 | bzero(ret, plen); | 106 | explicit_bzero(ret, plen); |
107 | free(ret); | 107 | free(ret); |
108 | return NULL; | 108 | return NULL; |
109 | } | 109 | } |
@@ -122,16 +122,16 @@ sshbuf_b64tod(struct sshbuf *buf, const char *b64) | |||
122 | if ((p = malloc(plen)) == NULL) | 122 | if ((p = malloc(plen)) == NULL) |
123 | return SSH_ERR_ALLOC_FAIL; | 123 | return SSH_ERR_ALLOC_FAIL; |
124 | if ((nlen = b64_pton(b64, p, plen)) < 0) { | 124 | if ((nlen = b64_pton(b64, p, plen)) < 0) { |
125 | bzero(p, plen); | 125 | explicit_bzero(p, plen); |
126 | free(p); | 126 | free(p); |
127 | return SSH_ERR_INVALID_FORMAT; | 127 | return SSH_ERR_INVALID_FORMAT; |
128 | } | 128 | } |
129 | if ((r = sshbuf_put(buf, p, nlen)) < 0) { | 129 | if ((r = sshbuf_put(buf, p, nlen)) < 0) { |
130 | bzero(p, plen); | 130 | explicit_bzero(p, plen); |
131 | free(p); | 131 | free(p); |
132 | return r; | 132 | return r; |
133 | } | 133 | } |
134 | bzero(p, plen); | 134 | explicit_bzero(p, plen); |
135 | free(p); | 135 | free(p); |
136 | return 0; | 136 | return 0; |
137 | } | 137 | } |
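Review bot: sshbuf_b64tod now carries three copies of the `explicit_bzero(p, plen); free(p);` pair, one per exit, so a future exit path can easily miss the wipe. A single exit that sets `r` and falls through to one wipe-and-free keeps the zeroing in one place, as sketched below with unchanged return values. The function begins above the hunk, so the declarations of `r`, `nlen` and `p` are assumed from their use here.

```c
	/* … unchanged: plen computation, malloc(plen) and its NULL check … */
	if ((nlen = b64_pton(b64, p, plen)) < 0)
		r = SSH_ERR_INVALID_FORMAT;
	else if ((r = sshbuf_put(buf, p, nlen)) >= 0)
		r = 0;
	/* single exit: the decoded bytes are wiped on every path */
	explicit_bzero(p, plen);
	free(p);
	return r;
```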
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshbuf.c,v 1.3 2015/01/20 23:14:00 deraadt Exp $ */ | 1 | /* $OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2011 Damien Miller | 3 | * Copyright (c) 2011 Damien Miller |
4 | * | 4 | * |
@@ -134,7 +134,7 @@ sshbuf_fromb(struct sshbuf *buf) | |||
134 | void | 134 | void |
135 | sshbuf_init(struct sshbuf *ret) | 135 | sshbuf_init(struct sshbuf *ret) |
136 | { | 136 | { |
137 | bzero(ret, sizeof(*ret)); | 137 | explicit_bzero(ret, sizeof(*ret)); |
138 | ret->alloc = SSHBUF_SIZE_INIT; | 138 | ret->alloc = SSHBUF_SIZE_INIT; |
139 | ret->max_size = SSHBUF_SIZE_MAX; | 139 | ret->max_size = SSHBUF_SIZE_MAX; |
140 | ret->readonly = 0; | 140 | ret->readonly = 0; |
@@ -177,10 +177,10 @@ sshbuf_free(struct sshbuf *buf) | |||
177 | return; | 177 | return; |
178 | dont_free = buf->dont_free; | 178 | dont_free = buf->dont_free; |
179 | if (!buf->readonly) { | 179 | if (!buf->readonly) { |
180 | bzero(buf->d, buf->alloc); | 180 | explicit_bzero(buf->d, buf->alloc); |
181 | free(buf->d); | 181 | free(buf->d); |
182 | } | 182 | } |
183 | bzero(buf, sizeof(*buf)); | 183 | explicit_bzero(buf, sizeof(*buf)); |
184 | if (!dont_free) | 184 | if (!dont_free) |
185 | free(buf); | 185 | free(buf); |
186 | } | 186 | } |
@@ -196,7 +196,7 @@ sshbuf_reset(struct sshbuf *buf) | |||
196 | return; | 196 | return; |
197 | } | 197 | } |
198 | if (sshbuf_check_sanity(buf) == 0) | 198 | if (sshbuf_check_sanity(buf) == 0) |
199 | bzero(buf->d, buf->alloc); | 199 | explicit_bzero(buf->d, buf->alloc); |
200 | buf->off = buf->size = 0; | 200 | buf->off = buf->size = 0; |
201 | if (buf->alloc != SSHBUF_SIZE_INIT) { | 201 | if (buf->alloc != SSHBUF_SIZE_INIT) { |
202 | if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) { | 202 | if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) { |
@@ -255,7 +255,7 @@ sshbuf_set_max_size(struct sshbuf *buf, size_t max_size) | |||
255 | rlen = roundup(buf->size, SSHBUF_SIZE_INC); | 255 | rlen = roundup(buf->size, SSHBUF_SIZE_INC); |
256 | if (rlen > max_size) | 256 | if (rlen > max_size) |
257 | rlen = max_size; | 257 | rlen = max_size; |
258 | bzero(buf->d + buf->size, buf->alloc - buf->size); | 258 | explicit_bzero(buf->d + buf->size, buf->alloc - buf->size); |
259 | SSHBUF_DBG(("new alloc = %zu", rlen)); | 259 | SSHBUF_DBG(("new alloc = %zu", rlen)); |
260 | if ((dp = realloc(buf->d, rlen)) == NULL) | 260 | if ((dp = realloc(buf->d, rlen)) == NULL) |
261 | return SSH_ERR_ALLOC_FAIL; | 261 | return SSH_ERR_ALLOC_FAIL; |
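Review bot: In sshbuf_set_max_size only the unused tail `buf->d + buf->size` is wiped before `realloc(buf->d, rlen)`, so if the allocator moves the block, the live bytes `[0, buf->size)` stay behind in freed memory. Whether a shrinking realloc relocates depends on the allocator, so this is a hardening point rather than a confirmed leak. Copying into a fresh allocation and wiping the whole old block closes the gap, as sketched below. The function extends outside the hunk, so the sketch assumes `buf->size <= rlen`, as the realloc version already does.

```c
	/* … unchanged: rlen computation and SSHBUF_DBG … */
	if ((dp = malloc(rlen)) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	memcpy(dp, buf->d, buf->size);
	/* wipe the entire old block, not just the tail, before releasing it */
	explicit_bzero(buf->d, buf->alloc);
	free(buf->d);
	/* … unchanged: store dp and rlen back into buf … */
```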
@@ -640,6 +640,8 @@ privsep_preauth_child(void) | |||
640 | arc4random_buf(rnd, sizeof(rnd)); | 640 | arc4random_buf(rnd, sizeof(rnd)); |
641 | #ifdef WITH_OPENSSL | 641 | #ifdef WITH_OPENSSL |
642 | RAND_seed(rnd, sizeof(rnd)); | 642 | RAND_seed(rnd, sizeof(rnd)); |
643 | if ((RAND_bytes((u_char *)rnd, 1)) != 1) | ||
644 | fatal("%s: RAND_bytes failed", __func__); | ||
643 | #endif | 645 | #endif |
644 | explicit_bzero(rnd, sizeof(rnd)); | 646 | explicit_bzero(rnd, sizeof(rnd)); |
645 | 647 | ||
@@ -783,6 +785,8 @@ privsep_postauth(Authctxt *authctxt) | |||
783 | arc4random_buf(rnd, sizeof(rnd)); | 785 | arc4random_buf(rnd, sizeof(rnd)); |
784 | #ifdef WITH_OPENSSL | 786 | #ifdef WITH_OPENSSL |
785 | RAND_seed(rnd, sizeof(rnd)); | 787 | RAND_seed(rnd, sizeof(rnd)); |
788 | if ((RAND_bytes((u_char *)rnd, 1)) != 1) | ||
789 | fatal("%s: RAND_bytes failed", __func__); | ||
786 | #endif | 790 | #endif |
787 | explicit_bzero(rnd, sizeof(rnd)); | 791 | explicit_bzero(rnd, sizeof(rnd)); |
788 | 792 | ||
@@ -1452,6 +1456,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1452 | arc4random_buf(rnd, sizeof(rnd)); | 1456 | arc4random_buf(rnd, sizeof(rnd)); |
1453 | #ifdef WITH_OPENSSL | 1457 | #ifdef WITH_OPENSSL |
1454 | RAND_seed(rnd, sizeof(rnd)); | 1458 | RAND_seed(rnd, sizeof(rnd)); |
1459 | if ((RAND_bytes((u_char *)rnd, 1)) != 1) | ||
1460 | fatal("%s: RAND_bytes failed", __func__); | ||
1455 | #endif | 1461 | #endif |
1456 | explicit_bzero(rnd, sizeof(rnd)); | 1462 | explicit_bzero(rnd, sizeof(rnd)); |
1457 | } | 1463 | } |
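Review bot: The added `RAND_bytes((u_char *)rnd, 1)` in privsep_preauth_child overwrites one byte of `rnd` and discards it, and no comment says what the call is for. Presumably it makes OpenSSL draw from the pool that was just reseeded and aborts if the generator is unusable; a comment along the lines of `/* draw once so the new seed is actually used; fail hard if the PRNG is broken */`, adjusted to the real intent, would stop it from being removed as dead code. The same lines are repeated in privsep_postauth and server_accept_loop, so a small static helper for the whole reseed sequence would keep the three copies from drifting apart. All three functions continue outside their hunks.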
@@ -2,7 +2,7 @@ | |||
2 | 2 | ||
3 | #define SSH_VERSION "OpenSSH_7.1" | 3 | #define SSH_VERSION "OpenSSH_7.1" |
4 | 4 | ||
5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p2" |
6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |
7 | #ifdef SSH_EXTRAVERSION | 7 | #ifdef SSH_EXTRAVERSION |
8 | #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION | 8 | #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION |