Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 3379 |
1 files changed, 1838 insertions, 1541 deletions
@@ -1,16 +1,1847 @@ | |||
1 | commit 5c35450a0c901d9375fb23343a8dc82397da5f75 | 1 | commit 99522ba7ec6963a05c04a156bf20e3ba3605987c |
2 | Author: Damien Miller <djm@mindrot.org> | 2 | Author: Damien Miller <djm@mindrot.org> |
3 | Date: Thu Mar 10 05:04:48 2016 +1100 | 3 | Date: Thu Jul 28 08:54:27 2016 +1000 |
4 | 4 | ||
5 | update versions for release | 5 | define _OPENBSD_SOURCE for reallocarray on NetBSD |
6 | |||
7 | Report by and debugged with Hisashi T Fujinaka, dtucker nailed | ||
8 | the problem (lack of prototype causing return type confusion). | ||
9 | |||
10 | commit 3e1e076550c27c6bbdddf36d8f42bd79fbaaa187 | ||
11 | Author: Damien Miller <djm@mindrot.org> | ||
12 | Date: Wed Jul 27 08:25:42 2016 +1000 | ||
13 | |||
14 | KNF | ||
15 | |||
16 | commit d99ee9c4e5e217e7d05eeec84e9ce641f4675331 | ||
17 | Author: Damien Miller <djm@mindrot.org> | ||
18 | Date: Wed Jul 27 08:25:23 2016 +1000 | ||
19 | |||
20 | Linux auditing also needs packet.h | ||
21 | |||
22 | commit 393bd381a45884b589baa9aed4394f1d250255ca | ||
23 | Author: Damien Miller <djm@mindrot.org> | ||
24 | Date: Wed Jul 27 08:18:05 2016 +1000 | ||
25 | |||
26 | fix auditing on Linux | ||
27 | |||
28 | get_remote_ipaddr() was replaced with ssh_remote_ipaddr() | ||
29 | |||
30 | commit 80e766fb089de4f3c92b1600eb99e9495e37c992 | ||
31 | Author: Damien Miller <djm@mindrot.org> | ||
32 | Date: Sun Jul 24 21:50:13 2016 +1000 | ||
33 | |||
34 | crank version numbers | ||
35 | |||
36 | commit b1a478792d458f2e938a302e64bab2b520edc1b3 | ||
37 | Author: djm@openbsd.org <djm@openbsd.org> | ||
38 | Date: Sun Jul 24 11:45:36 2016 +0000 | ||
39 | |||
40 | upstream commit | ||
41 | |||
42 | openssh-7.3 | ||
43 | |||
44 | Upstream-ID: af106a7eb665f642648cf1993e162c899f358718 | ||
45 | |||
46 | commit 353766e0881f069aeca30275ab706cd60a1a8fdd | ||
47 | Author: Darren Tucker <dtucker@zip.com.au> | ||
48 | Date: Sat Jul 23 16:14:42 2016 +1000 | ||
49 | |||
50 | Move Cygwin IPPORT_RESERVED overrride to defines.h | ||
51 | |||
52 | Patch from vinschen at redhat.com. | ||
53 | |||
54 | commit 368dd977ae07afb93f4ecea23615128c95ab2b32 | ||
55 | Author: djm@openbsd.org <djm@openbsd.org> | ||
56 | Date: Sat Jul 23 02:54:08 2016 +0000 | ||
57 | |||
58 | upstream commit | ||
59 | |||
60 | fix pledge violation with ssh -f; reported by Valentin | ||
61 | Kozamernik ok dtucker@ | ||
62 | |||
63 | Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa | ||
64 | |||
65 | commit f00211e3c6d24d6ea2b64b4b1209f671f6c1d42e | ||
66 | Author: djm@openbsd.org <djm@openbsd.org> | ||
67 | Date: Fri Jul 22 07:00:46 2016 +0000 | ||
68 | |||
69 | upstream commit | ||
70 | |||
71 | improve wording; suggested by jmc@ | ||
72 | |||
73 | Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8 | ||
74 | |||
75 | commit 83cbca693c3b0719270e6a0f2efe3f9ee93a65b8 | ||
76 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
77 | Date: Fri Jul 22 05:46:11 2016 +0000 | ||
78 | |||
79 | upstream commit | ||
80 | |||
81 | Lower loglevel for "Authenticated with partial success" | ||
82 | message similar to other similar level. bz#2599, patch from cgallek at | ||
83 | gmail.com, ok markus@ | ||
84 | |||
85 | Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd | ||
86 | |||
87 | commit 10358abd087ab228b7ce2048efc4f3854a9ab9a6 | ||
88 | Author: Damien Miller <djm@mindrot.org> | ||
89 | Date: Fri Jul 22 14:06:36 2016 +1000 | ||
90 | |||
91 | retry waitpid on EINTR failure | ||
92 | |||
93 | patch from Jakub Jelen on bz#2581; ok dtucker@ | ||
94 | |||
95 | commit da88a70a89c800e74ea8e5661ffa127a3cc79a92 | ||
96 | Author: djm@openbsd.org <djm@openbsd.org> | ||
97 | Date: Fri Jul 22 03:47:36 2016 +0000 | ||
98 | |||
99 | upstream commit | ||
100 | |||
101 | constify a few functions' arguments; patch from Jakub | ||
102 | Jelen bz#2581 | ||
103 | |||
104 | Upstream-ID: f2043f51454ea37830ff6ad60c8b32b4220f448d | ||
105 | |||
106 | commit c36d91bd4ebf767f310f7cea88d61d1c15f53ddf | ||
107 | Author: djm@openbsd.org <djm@openbsd.org> | ||
108 | Date: Fri Jul 22 03:39:13 2016 +0000 | ||
109 | |||
110 | upstream commit | ||
111 | |||
112 | move debug("%p", key) to before key is free'd; probable | ||
113 | undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581 | ||
114 | |||
115 | Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a | ||
116 | |||
117 | commit 286f5a77c3bfec1e8892ca268087ac885ac871bf | ||
118 | Author: djm@openbsd.org <djm@openbsd.org> | ||
119 | Date: Fri Jul 22 03:35:11 2016 +0000 | ||
120 | |||
121 | upstream commit | ||
122 | |||
123 | reverse the order in which -J/JumpHost proxies are visited to | ||
124 | be more intuitive and document | ||
125 | |||
126 | reported by and manpage bits naddy@ | ||
127 | |||
128 | Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a | ||
129 | |||
130 | commit fcd135c9df440bcd2d5870405ad3311743d78d97 | ||
131 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
132 | Date: Thu Jul 21 01:39:35 2016 +0000 | ||
133 | |||
134 | upstream commit | ||
135 | |||
136 | Skip passwords longer than 1k in length so clients can't | ||
137 | easily DoS sshd by sending very long passwords, causing it to spend CPU | ||
138 | hashing them. feedback djm@, ok markus@. | ||
139 | |||
140 | Brought to our attention by tomas.kuthan at oracle.com, shilei-c at | ||
141 | 360.cn and coredump at autistici.org | ||
142 | |||
143 | Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333 | ||
144 | |||
145 | commit 324583e8fb3935690be58790425793df619c6d4d | ||
146 | Author: naddy@openbsd.org <naddy@openbsd.org> | ||
147 | Date: Wed Jul 20 10:45:27 2016 +0000 | ||
148 | |||
149 | upstream commit | ||
150 | |||
151 | Do not clobber the global jump_host variables when | ||
152 | parsing an inactive configuration. ok djm@ | ||
153 | |||
154 | Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31 | ||
155 | |||
156 | commit 32d921c323b989d28405e78d0a8923d12913d737 | ||
157 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
158 | Date: Tue Jul 19 12:59:16 2016 +0000 | ||
159 | |||
160 | upstream commit | ||
161 | |||
162 | tweak previous; | ||
163 | |||
164 | Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534 | ||
165 | |||
166 | commit d7eabc86fa049a12ba2c3fb198bd1d51b37f7025 | ||
167 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
168 | Date: Tue Jul 19 11:38:53 2016 +0000 | ||
169 | |||
170 | upstream commit | ||
171 | |||
172 | Allow wildcard for PermitOpen hosts as well as ports. | ||
173 | bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok | ||
174 | markus@ | ||
175 | |||
176 | Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2 | ||
177 | |||
178 | commit b98a2a8348e907b3d71caafd80f0be8fdd075943 | ||
179 | Author: markus@openbsd.org <markus@openbsd.org> | ||
180 | Date: Mon Jul 18 11:35:33 2016 +0000 | ||
181 | |||
182 | upstream commit | ||
183 | |||
184 | Reduce timing attack against obsolete CBC modes by always | ||
185 | computing the MAC over a fixed size of data. Reported by Jean Paul | ||
186 | Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@ | ||
187 | |||
188 | Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912 | ||
189 | |||
190 | commit dbf788b4d9d9490a5fff08a7b09888272bb10fcc | ||
191 | Author: Darren Tucker <dtucker@zip.com.au> | ||
192 | Date: Thu Jul 21 14:17:31 2016 +1000 | ||
193 | |||
194 | Search users for one with a valid salt. | ||
195 | |||
196 | If the root account is locked (eg password "!!" or "*LK*") keep looking | ||
197 | until we find a user with a valid salt to use for crypting passwords of | ||
198 | invalid users. ok djm@ | ||
199 | |||
200 | commit e8b58f48fbb1b524fb4f0d4865fa0005d6a4b782 | ||
201 | Author: Darren Tucker <dtucker@zip.com.au> | ||
202 | Date: Mon Jul 18 17:22:49 2016 +1000 | ||
203 | |||
204 | Explicitly specify source files for regress tools. | ||
205 | |||
206 | Since adding $(REGRESSLIBS), $? is wrong because it includes only the | ||
207 | changed source files. $< seems like it'd be right however it doesn't | ||
208 | seem to work on some non-GNU makes, so do what works everywhere. | ||
209 | |||
210 | commit eac1bbd06872c273f16ac0f9976b0aef026b701b | ||
211 | Author: Darren Tucker <dtucker@zip.com.au> | ||
212 | Date: Mon Jul 18 17:12:22 2016 +1000 | ||
213 | |||
214 | Conditionally include err.h. | ||
215 | |||
216 | commit 0a454147568746c503f669e1ba861f76a2e7a585 | ||
217 | Author: Darren Tucker <dtucker@zip.com.au> | ||
218 | Date: Mon Jul 18 16:26:26 2016 +1000 | ||
219 | |||
220 | Remove local implementation of err, errx. | ||
221 | |||
222 | We now have a shared implementation in libopenbsd-compat. | ||
223 | |||
224 | commit eb999a4590846ba4d56ddc90bd07c23abfbab7b1 | ||
225 | Author: djm@openbsd.org <djm@openbsd.org> | ||
226 | Date: Mon Jul 18 06:08:01 2016 +0000 | ||
227 | |||
228 | upstream commit | ||
229 | |||
230 | Add some unsigned overflow checks for extra_pad. None of | ||
231 | these are reachable with the amount of padding that we use internally. | ||
232 | bz#2566, pointed out by Torben Hansen. ok markus@ | ||
233 | |||
234 | Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76 | ||
235 | |||
236 | commit c71ba790c304545464bb494de974cdf0f4b5cf1e | ||
237 | Author: Darren Tucker <dtucker@zip.com.au> | ||
238 | Date: Mon Jul 18 15:43:25 2016 +1000 | ||
239 | |||
240 | Add dependency on libs for unit tests. | ||
241 | |||
242 | Makes "./configure && make tests" work again. ok djm@ | ||
243 | |||
244 | commit 8199d0311aea3e6fd0284c9025e7a83f4ece79e8 | ||
245 | Author: Darren Tucker <dtucker@zip.com.au> | ||
246 | Date: Mon Jul 18 13:47:39 2016 +1000 | ||
247 | |||
248 | Correct location for kexfuzz in clean target. | ||
249 | |||
250 | commit 01558b7b07af43da774d3a11a5c51fa9c310849d | ||
251 | Author: Darren Tucker <dtucker@zip.com.au> | ||
252 | Date: Mon Jul 18 09:33:25 2016 +1000 | ||
253 | |||
254 | Handle PAM_MAXTRIES from modules. | ||
255 | |||
256 | bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer | ||
257 | password and keyboard-interative authentication methods. Should prevent | ||
258 | "sshd ignoring max retries" warnings in the log. ok djm@ | ||
259 | |||
260 | It probably won't trigger with keyboard-interactive in the default | ||
261 | configuration because the retry counter is stored in module-private | ||
262 | storage which goes away with the sshd PAM process (see bz#688). On the | ||
263 | other hand, those cases probably won't log a warning either. | ||
264 | |||
265 | commit 65c6c6b567ab5ab12945a5ad8e0ab3a8c26119cc | ||
266 | Author: djm@openbsd.org <djm@openbsd.org> | ||
267 | Date: Sun Jul 17 04:20:16 2016 +0000 | ||
268 | |||
269 | upstream commit | ||
270 | |||
271 | support UTF-8 characters in ssh(1) banners using | ||
272 | schwarze@'s safe fmprintf printer; bz#2058 | ||
273 | |||
274 | feedback schwarze@ ok dtucker@ | ||
275 | |||
276 | Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7 | ||
277 | |||
278 | commit e4eb7d910976fbfc7ce3e90c95c11b07b483d0d7 | ||
279 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
280 | Date: Sat Jul 16 06:57:55 2016 +0000 | ||
281 | |||
282 | upstream commit | ||
283 | |||
284 | - add proxyjump to the options list - formatting fixes - | ||
285 | update usage() | ||
286 | |||
287 | ok djm | ||
288 | |||
289 | Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457 | ||
290 | |||
291 | commit af1f084857621f14bd9391aba8033d35886c2455 | ||
292 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
293 | Date: Fri Jul 15 05:01:58 2016 +0000 | ||
294 | |||
295 | upstream commit | ||
296 | |||
297 | Reduce the syslog level of some relatively common protocol | ||
298 | events from LOG_CRIT by replacing fatal() calls with logdie(). Part of | ||
299 | bz#2585, ok djm@ | ||
300 | |||
301 | Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5 | ||
302 | |||
303 | commit bd5f2b78b69cf38d6049a0de445a79c8595e4a1f | ||
304 | Author: Damien Miller <djm@mindrot.org> | ||
305 | Date: Fri Jul 15 19:14:48 2016 +1000 | ||
306 | |||
307 | missing openssl/dh.h | ||
308 | |||
309 | commit 4a984fd342effe5f0aad874a0d538c4322d973c0 | ||
310 | Author: Damien Miller <djm@mindrot.org> | ||
311 | Date: Fri Jul 15 18:47:07 2016 +1000 | ||
312 | |||
313 | cast to avoid type warning in error message | ||
314 | |||
315 | commit 5abfb15ced985c340359ae7fb65a625ed3692b3e | ||
316 | Author: Darren Tucker <dtucker@zip.com.au> | ||
317 | Date: Fri Jul 15 14:48:30 2016 +1000 | ||
318 | |||
319 | Move VA_COPY macro into compat header. | ||
320 | |||
321 | Some AIX compilers unconditionally undefine va_copy but don't set it back | ||
322 | to an internal function, causing link errors. In some compat code we | ||
323 | already use VA_COPY instead so move the two existing instances into the | ||
324 | shared header and use for sshbuf-getput-basic.c too. Should fix building | ||
325 | with at lease some versions of AIX's compiler. bz#2589, ok djm@ | ||
326 | |||
327 | commit 832b7443b7a8e181c95898bc5d73497b7190decd | ||
328 | Author: Damien Miller <djm@mindrot.org> | ||
329 | Date: Fri Jul 15 14:45:34 2016 +1000 | ||
330 | |||
331 | disable ciphers not supported by OpenSSL | ||
332 | |||
333 | bz#2466 ok dtucker@ | ||
334 | |||
335 | commit 5fbe93fc6fbb2fe211e035703dec759d095e3dd8 | ||
336 | Author: Damien Miller <djm@mindrot.org> | ||
337 | Date: Fri Jul 15 13:54:31 2016 +1000 | ||
338 | |||
339 | add a --disable-pkcs11 knob | ||
340 | |||
341 | commit 679ce88ec2a8e2fe6515261c489e8c1449bb9da9 | ||
342 | Author: Damien Miller <djm@mindrot.org> | ||
343 | Date: Fri Jul 15 13:44:38 2016 +1000 | ||
344 | |||
345 | fix newline escaping for unsupported_algorithms | ||
346 | |||
347 | The hmac-ripemd160 was incorrect and could lead to broken | ||
348 | Makefiles on systems that lacked support for it, but I made | ||
349 | all the others consistent too. | ||
350 | |||
351 | commit ed877ef653847d056bb433975d731b7a1132a979 | ||
352 | Author: djm@openbsd.org <djm@openbsd.org> | ||
353 | Date: Fri Jul 15 00:24:30 2016 +0000 | ||
354 | |||
355 | upstream commit | ||
356 | |||
357 | Add a ProxyJump ssh_config(5) option and corresponding -J | ||
358 | ssh(1) command-line flag to allow simplified indirection through a SSH | ||
359 | bastion or "jump host". | ||
360 | |||
361 | These options construct a proxy command that connects to the | ||
362 | specified jump host(s) (more than one may be specified) and uses | ||
363 | port-forwarding to establish a connection to the next destination. | ||
364 | |||
365 | This codifies the safest way of indirecting connections through SSH | ||
366 | servers and makes it easy to use. | ||
367 | |||
368 | ok markus@ | ||
369 | |||
370 | Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397 | ||
371 | |||
372 | commit 5c02dd126206a26785379e80f2d3848e4470b711 | ||
373 | Author: Darren Tucker <dtucker@zip.com.au> | ||
374 | Date: Fri Jul 15 12:56:39 2016 +1000 | ||
375 | |||
376 | Map umac_ctx struct name too. | ||
377 | |||
378 | Prevents size mismatch linker warnings on Solaris 11. | ||
379 | |||
380 | commit 283b97ff33ea2c641161950849931bd578de6946 | ||
381 | Author: Darren Tucker <dtucker@zip.com.au> | ||
382 | Date: Fri Jul 15 13:49:44 2016 +1000 | ||
383 | |||
384 | Mitigate timing of disallowed users PAM logins. | ||
385 | |||
386 | When sshd decides to not allow a login (eg PermitRootLogin=no) and | ||
387 | it's using PAM, it sends a fake password to PAM so that the timing for | ||
388 | the failure is not noticeably different whether or not the password | ||
389 | is correct. This behaviour can be detected by sending a very long | ||
390 | password string which is slower to hash than the fake password. | ||
391 | |||
392 | Mitigate by constructing an invalid password that is the same length | ||
393 | as the one from the client and thus takes the same time to hash. | ||
394 | Diff from djm@ | ||
395 | |||
396 | commit 9286875a73b2de7736b5e50692739d314cd8d9dc | ||
397 | Author: Darren Tucker <dtucker@zip.com.au> | ||
398 | Date: Fri Jul 15 13:32:45 2016 +1000 | ||
399 | |||
400 | Determine appropriate salt for invalid users. | ||
401 | |||
402 | When sshd is processing a non-PAM login for a non-existent user it uses | ||
403 | the string from the fakepw structure as the salt for crypt(3)ing the | ||
404 | password supplied by the client. That string has a Blowfish prefix, so on | ||
405 | systems that don't understand that crypt will fail fast due to an invalid | ||
406 | salt, and even on those that do it may have significantly different timing | ||
407 | from the hash methods used for real accounts (eg sha512). This allows | ||
408 | user enumeration by, eg, sending large password strings. This was noted | ||
409 | by EddieEzra.Harari at verint.com (CVE-2016-6210). | ||
410 | |||
411 | To mitigate, use the same hash algorithm that root uses for hashing | ||
412 | passwords for users that do not exist on the system. ok djm@ | ||
413 | |||
414 | commit a162dd5e58ca5b224d7500abe35e1ef32b5de071 | ||
415 | Author: Darren Tucker <dtucker@zip.com.au> | ||
416 | Date: Thu Jul 14 21:19:59 2016 +1000 | ||
417 | |||
418 | OpenSSL 1.1.x not currently supported. | ||
419 | |||
420 | commit 7df91b01fc558a33941c5c5f31abbcdc53a729fb | ||
421 | Author: Darren Tucker <dtucker@zip.com.au> | ||
422 | Date: Thu Jul 14 12:25:24 2016 +1000 | ||
423 | |||
424 | Check for VIS_ALL. | ||
425 | |||
426 | If we don't have it, set BROKEN_STRNVIS to activate the compat replacement. | ||
427 | |||
428 | commit ee67716f61f1042d5e67f91c23707cca5dcdd7d0 | ||
429 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
430 | Date: Thu Jul 14 01:24:21 2016 +0000 | ||
431 | |||
432 | upstream commit | ||
433 | |||
434 | Correct equal in test. | ||
435 | |||
436 | Upstream-Regress-ID: 4e32f7a5c57a619c4e8766cb193be2a1327ec37a | ||
437 | |||
438 | commit 372807c2065c8572fdc6478b25cc5ac363743073 | ||
439 | Author: tb@openbsd.org <tb@openbsd.org> | ||
440 | Date: Mon Jul 11 21:38:13 2016 +0000 | ||
441 | |||
442 | upstream commit | ||
443 | |||
444 | Add missing "recvfd" pledge promise: Raf Czlonka reported | ||
445 | ssh coredumps when Control* keywords were set in ssh_config. This patch also | ||
446 | fixes similar problems with scp and sftp. | ||
447 | |||
448 | ok deraadt, looks good to millert | ||
449 | |||
450 | Upstream-ID: ca2099eade1ef3e87a79614fefa26a0297ad8a3b | ||
451 | |||
452 | commit e0453f3df64bf485c61c7eb6bd12893eee9fe2cd | ||
453 | Author: tedu@openbsd.org <tedu@openbsd.org> | ||
454 | Date: Mon Jul 11 03:19:44 2016 +0000 | ||
455 | |||
456 | upstream commit | ||
457 | |||
458 | obsolete note about fascistloggin is obsolete. ok djm | ||
459 | dtucker | ||
460 | |||
461 | Upstream-ID: dae60df23b2bb0e89f42661ddd96a7b0d1b7215a | ||
462 | |||
463 | commit a2333584170a565adf4f209586772ef8053b10b8 | ||
464 | Author: Darren Tucker <dtucker@zip.com.au> | ||
465 | Date: Thu Jul 14 10:59:09 2016 +1000 | ||
466 | |||
467 | Add compat code for missing wcwidth. | ||
468 | |||
469 | If we don't have wcwidth force fallback implementations of nl_langinfo | ||
470 | and mbtowc. Based on advice from Ingo Schwarze. | ||
471 | |||
472 | commit 8aaec7050614494014c47510b7e94daf6e644c62 | ||
473 | Author: Damien Miller <djm@mindrot.org> | ||
474 | Date: Thu Jul 14 09:48:48 2016 +1000 | ||
475 | |||
476 | fix missing include for systems with err.h | ||
477 | |||
478 | commit 6310ef27a2567cda66d6cf0c1ad290ee1167f243 | ||
479 | Author: Darren Tucker <dtucker@zip.com.au> | ||
480 | Date: Wed Jul 13 14:42:35 2016 +1000 | ||
481 | |||
482 | Move err.h replacements into compat lib. | ||
483 | |||
484 | Move implementations of err.h replacement functions into their own file | ||
485 | in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@ | ||
486 | |||
487 | commit f3f2cc8386868f51440c45210098f65f9787449a | ||
488 | Author: Darren Tucker <dtucker@zip.com.au> | ||
489 | Date: Mon Jul 11 17:23:38 2016 +1000 | ||
490 | |||
491 | Check for wchar.h and langinfo.h | ||
492 | |||
493 | Wrap includes in the appropriate #ifdefs. | ||
494 | |||
495 | commit b9c50614eba9d90939b2b119b6e1b7e03b462278 | ||
496 | Author: Damien Miller <djm@mindrot.org> | ||
497 | Date: Fri Jul 8 13:59:13 2016 +1000 | ||
498 | |||
499 | whitelist more architectures for seccomp-bpf | ||
500 | |||
501 | bz#2590 - testing and patch from Jakub Jelen | ||
502 | |||
503 | commit 18813a32b6fd964037e0f5e1893cb4468ac6a758 | ||
504 | Author: guenther@openbsd.org <guenther@openbsd.org> | ||
505 | Date: Mon Jul 4 18:01:44 2016 +0000 | ||
506 | |||
507 | upstream commit | ||
508 | |||
509 | DEBUGLIBS has been broken since the gcc4 switch, so delete | ||
510 | it. CFLAGS contains -g by default anyway | ||
511 | |||
512 | problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com) | ||
513 | ok millert@ kettenis@ deraadt@ | ||
514 | |||
515 | Upstream-Regress-ID: 4a0bb72f95c63f2ae9daa8a040ac23914bddb542 | ||
516 | |||
517 | commit 6d31193d0baa3da339c196ac49625b7ba1c2ecc7 | ||
518 | Author: djm@openbsd.org <djm@openbsd.org> | ||
519 | Date: Fri Jul 8 03:44:42 2016 +0000 | ||
520 | |||
521 | upstream commit | ||
522 | |||
523 | Improve crypto ordering for Encrypt-then-MAC (EtM) mode | ||
524 | MAC algorithms. | ||
525 | |||
526 | Previously we were computing the MAC, decrypting the packet and then | ||
527 | checking the MAC. This gave rise to the possibility of creating a | ||
528 | side-channel oracle in the decryption step, though no such oracle has | ||
529 | been identified. | ||
530 | |||
531 | This adds a mac_check() function that computes and checks the MAC in | ||
532 | one pass, and uses it to advance MAC checking for EtM algorithms to | ||
533 | before payload decryption. | ||
534 | |||
535 | Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and | ||
536 | Martin Albrecht. feedback and ok markus@ | ||
537 | |||
538 | Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b | ||
539 | |||
540 | commit 71f5598f06941f645a451948c4a5125c83828e1c | ||
541 | Author: guenther@openbsd.org <guenther@openbsd.org> | ||
542 | Date: Mon Jul 4 18:01:44 2016 +0000 | ||
543 | |||
544 | upstream commit | ||
545 | |||
546 | DEBUGLIBS has been broken since the gcc4 switch, so | ||
547 | delete it. CFLAGS contains -g by default anyway | ||
548 | |||
549 | problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com) | ||
550 | ok millert@ kettenis@ deraadt@ | ||
551 | |||
552 | Upstream-ID: 96c5054e3e1f170c6276902d5bc65bb3b87a2603 | ||
553 | |||
554 | commit e683fc6f1c8c7295648dbda679df8307786ec1ce | ||
555 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
556 | Date: Thu Jun 30 05:17:05 2016 +0000 | ||
557 | |||
558 | upstream commit | ||
559 | |||
560 | Explicitly check for 100% completion to avoid potential | ||
561 | floating point rounding error, which could cause progressmeter to report 99% | ||
562 | on completion. While there invert the test so the 100% case is clearer. with | ||
563 | & ok djm@ | ||
564 | |||
565 | Upstream-ID: a166870c5878e422f3c71ff802e2ccd7032f715d | ||
566 | |||
567 | commit 772e6cec0ed740fc7db618dc30b4134f5a358b43 | ||
568 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
569 | Date: Wed Jun 29 17:14:28 2016 +0000 | ||
570 | |||
571 | upstream commit | ||
572 | |||
573 | sort the -o list; | ||
574 | |||
575 | Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac | ||
576 | |||
577 | commit 46ecd19e554ccca15a7309cd1b6b44bc8e6b84af | ||
578 | Author: djm@openbsd.org <djm@openbsd.org> | ||
579 | Date: Thu Jun 23 05:17:51 2016 +0000 | ||
580 | |||
581 | upstream commit | ||
582 | |||
583 | fix AuthenticationMethods during configuration re-parse; | ||
584 | reported by Juan Francisco Cantero Hurtado | ||
585 | |||
586 | Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4 | ||
587 | |||
588 | commit 3147e7595d0f2f842a666c844ac53e6c7a253d7e | ||
589 | Author: djm@openbsd.org <djm@openbsd.org> | ||
590 | Date: Sun Jun 19 07:48:02 2016 +0000 | ||
591 | |||
592 | upstream commit | ||
593 | |||
594 | revert 1.34; causes problems loading public keys | ||
595 | |||
596 | reported by semarie@ | ||
597 | |||
598 | Upstream-ID: b393794f8935c8b15d98a407fe7721c62d2ed179 | ||
599 | |||
600 | commit ad23a75509f4320d43f628c50f0817e3ad12bfa7 | ||
601 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
602 | Date: Fri Jun 17 06:33:30 2016 +0000 | ||
603 | |||
604 | upstream commit | ||
605 | |||
606 | grammar fix; | ||
607 | |||
608 | Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463 | ||
609 | |||
610 | commit 5e28b1a2a3757548b40018cc2493540a17c82e27 | ||
611 | Author: djm@openbsd.org <djm@openbsd.org> | ||
612 | Date: Fri Jun 17 05:06:23 2016 +0000 | ||
613 | |||
614 | upstream commit | ||
615 | |||
616 | translate OpenSSL error codes to something more | ||
617 | meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@ | ||
618 | |||
619 | Upstream-ID: 4cb0795a366381724314e6515d57790c5930ffe5 | ||
620 | |||
621 | commit b64faeb5eda7eff8210c754d00464f9fe9d23de5 | ||
622 | Author: djm@openbsd.org <djm@openbsd.org> | ||
623 | Date: Fri Jun 17 05:03:40 2016 +0000 | ||
624 | |||
625 | upstream commit | ||
626 | |||
627 | ban AuthenticationMethods="" and accept | ||
628 | AuthenticationMethods=any for the default behaviour of not requiring multiple | ||
629 | authentication | ||
630 | |||
631 | bz#2398 from Jakub Jelen; ok dtucker@ | ||
632 | |||
633 | Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27 | ||
634 | |||
635 | commit 9816fc5daee5ca924dd5c4781825afbaab728877 | ||
636 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
637 | Date: Thu Jun 16 11:00:17 2016 +0000 | ||
638 | |||
639 | upstream commit | ||
640 | |||
641 | Include stdarg.h for va_copy as per man page. | ||
642 | |||
643 | Upstream-ID: 105d6b2f1af2fbd9d91c893c436ab121434470bd | ||
644 | |||
645 | commit b6cf84b51bc0f5889db48bf29a0c771954ade283 | ||
646 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
647 | Date: Thu Jun 16 06:10:45 2016 +0000 | ||
648 | |||
649 | upstream commit | ||
650 | |||
651 | keys stored in openssh format can have comments too; diff | ||
652 | from yonas yanfa, tweaked a bit; | ||
653 | |||
654 | ok djm | ||
655 | |||
656 | Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27 | ||
657 | |||
658 | commit aa37768f17d01974b6bfa481e5e83841b6c76f86 | ||
659 | Author: Darren Tucker <dtucker@zip.com.au> | ||
660 | Date: Mon Jun 20 15:55:34 2016 +1000 | ||
661 | |||
662 | get_remote_name_or_ip inside LOGIN_NEEDS_UTMPX | ||
663 | |||
664 | Apply the same get_remote_name_or_ip -> session_get_remote_name_or_ip | ||
665 | change as commit 95767262 to the code inside #ifdef LOGIN_NEEDS_UTMPX. | ||
666 | Fixes build on AIX. | ||
667 | |||
668 | commit 009891afc8df37bc2101e15d1e0b6433cfb90549 | ||
669 | Author: Darren Tucker <dtucker@zip.com.au> | ||
670 | Date: Fri Jun 17 14:34:09 2016 +1000 | ||
671 | |||
672 | Remove duplicate code from PAM. ok djm@ | ||
673 | |||
674 | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba | ||
675 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
676 | Date: Wed Jun 15 00:40:40 2016 +0000 | ||
677 | |||
678 | upstream commit | ||
679 | |||
680 | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message | ||
681 | about forward and reverse DNS not matching. We haven't supported IP-based | ||
682 | auth methods for a very long time so it's now misleading. part of bz#2585, | ||
683 | ok markus@ | ||
684 | |||
685 | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 | ||
686 | |||
687 | commit 57b4ee04cad0d3e0fec1194753b0c4d31e39a1cd | ||
688 | Author: Darren Tucker <dtucker@zip.com.au> | ||
689 | Date: Wed Jun 15 11:22:38 2016 +1000 | ||
690 | |||
691 | Move platform_disable_tracing into its own file. | ||
692 | |||
693 | Prevents link errors resolving the extern "options" when platform.o | ||
694 | gets linked into ssh-agent when building --with-pam. | ||
695 | |||
696 | commit 78dc8e3724e30ee3e1983ce013e80277dc6ca070 | ||
697 | Author: Darren Tucker <dtucker@zip.com.au> | ||
698 | Date: Tue Jun 14 13:55:12 2016 +1000 | ||
699 | |||
700 | Track skipped upstream commit IDs. | ||
701 | |||
702 | There are a small number of "upstream" commits that do not correspond to | ||
703 | a file in -portable. This file tracks those so that we can reconcile | ||
704 | OpenBSD and Portable to ensure that no commits are accidentally missed. | ||
705 | |||
706 | If you add something to .skipped-commit-ids please also add an upstream | ||
707 | ID line in the following format when you commit it. | ||
708 | |||
709 | Upstream-ID: 321065a95a7ccebdd5fd08482a1e19afbf524e35 | ||
710 | Upstream-ID: d4f699a421504df35254cf1c6f1a7c304fb907ca | ||
711 | Upstream-ID: aafe246655b53b52bc32c8a24002bc262f4230f7 | ||
712 | Upstream-ID: 8fa9cd1dee3c3339ae329cf20fb591db6d605120 | ||
713 | Upstream-ID: f31327a48dd4103333cc53315ec53fe65ed8a17a | ||
714 | Upstream-ID: edbfde98c40007b7752a4ac106095e060c25c1ef | ||
715 | Upstream-ID: 052fd565e3ff2d8cec3bc957d1788f50c827f8e2 | ||
716 | Upstream-ID: 7cf73737f357492776223da1c09179fa6ba74660 | ||
717 | Upstream-ID: 180d84674be1344e45a63990d60349988187c1ae | ||
718 | Upstream-ID: f6ae971186ba68d066cd102e57d5b0b2c211a5ee | ||
719 | |||
720 | commit 9f919d1a3219d476d6a662d18df058e1c4f36a6f | ||
721 | Author: Darren Tucker <dtucker@zip.com.au> | ||
722 | Date: Tue Jun 14 13:51:01 2016 +1000 | ||
723 | |||
724 | Remove now-defunct .cvsignore files. ok djm | ||
725 | |||
726 | commit 68777faf271efb2713960605c748f6c8a4b26d55 | ||
727 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
728 | Date: Wed Jun 8 02:13:01 2016 +0000 | ||
729 | |||
730 | upstream commit | ||
731 | |||
732 | Back out rev 1.28 "Check min and max sizes sent by the | ||
733 | client" change. It caused "key_verify failed for server_host_key" in clients | ||
734 | that send a DH-GEX min value less that DH_GRP_MIN, eg old OpenSSH and PuTTY. | ||
735 | ok djm@ | ||
736 | |||
737 | Upstream-ID: 452979d3ca5c1e9dff063287ea0a5314dd091f65 | ||
738 | |||
739 | commit a86ec4d0737ac5879223e7cd9d68c448df46e169 | ||
740 | Author: Darren Tucker <dtucker@zip.com.au> | ||
741 | Date: Tue Jun 14 10:48:27 2016 +1000 | ||
742 | |||
743 | Use Solaris setpflags(__PROC_PROTECT, ...). | ||
744 | |||
745 | Where possible, use Solaris setpflags to disable process tracing on | ||
746 | ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee | ||
747 | at oracle.com, ok djm. | ||
748 | |||
749 | commit 0f916d39b039fdc0b5baf9b5ab0754c0f11ec573 | ||
750 | Author: Darren Tucker <dtucker@zip.com.au> | ||
751 | Date: Tue Jun 14 10:43:53 2016 +1000 | ||
752 | |||
753 | Shorten prctl code a tiny bit. | ||
754 | |||
755 | commit 0fb7f5985351fbbcd2613d8485482c538e5123be | ||
756 | Author: Darren Tucker <dtucker@zip.com.au> | ||
757 | Date: Thu Jun 9 16:23:07 2016 +1000 | ||
758 | |||
759 | Move prctl PR_SET_DUMPABLE into platform.c. | ||
760 | |||
761 | This should make it easier to add additional platform support such as | ||
762 | Solaris (bz#2584). | ||
763 | |||
764 | commit e6508898c3cd838324ecfe1abd0eb8cf802e7106 | ||
765 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
766 | Date: Fri Jun 3 04:10:41 2016 +0000 | ||
767 | |||
768 | upstream commit | ||
769 | |||
770 | Add a test for ssh(1)'s config file parsing. | ||
771 | |||
772 | Upstream-Regress-ID: 558b7f4dc45cc3761cc3d3e889b9f3c5bc91e601 | ||
773 | |||
774 | commit ab0a536066dfa32def0bd7272c096ebb5eb25b11 | ||
775 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
776 | Date: Fri Jun 3 03:47:59 2016 +0000 | ||
777 | |||
778 | upstream commit | ||
779 | |||
780 | Add 'sshd' to the test ID as I'm about to add a similar | ||
781 | set for ssh. | ||
782 | |||
783 | Upstream-Regress-ID: aea7a9c3bac638530165c801ce836875b228ae7a | ||
784 | |||
785 | commit a5577c1ed3ecdfe4b7b1107c526cae886fc91afb | ||
786 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
787 | Date: Mon May 30 12:14:08 2016 +0000 | ||
788 | |||
789 | upstream commit | ||
790 | |||
791 | stricter malloc.conf(5) options for utf8 tests | ||
792 | |||
793 | Upstream-Regress-ID: 111efe20a0fb692fa1a987f6e823310f9b25abf6 | ||
794 | |||
795 | commit 75f0844b4f29d62ec3a5e166d2ee94b02df819fc | ||
796 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
797 | Date: Mon May 30 12:05:56 2016 +0000 | ||
798 | |||
799 | upstream commit | ||
800 | |||
801 | Fix two rare edge cases: 1. If vasprintf() returns < 0, | ||
802 | do not access a NULL pointer in snmprintf(), and do not free() the pointer | ||
803 | returned from vasprintf() because on some systems other than OpenBSD, it | ||
804 | might be a bogus pointer. 2. If vasprintf() returns == 0, return 0 and "" | ||
805 | rather than -1 and NULL. | ||
806 | |||
807 | Besides, free(dst) is pointless after failure (not a bug). | ||
808 | |||
809 | One half OK martijn@, the other half OK deraadt@; | ||
810 | committing quickly before people get hurt. | ||
811 | |||
812 | Upstream-Regress-ID: b164f20923812c9bac69856dbc1385eb1522cba4 | ||
813 | |||
814 | commit 016881eb33a7948028848c90f4c7ac42e3af0e87 | ||
815 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
816 | Date: Thu May 26 19:14:25 2016 +0000 | ||
817 | |||
818 | upstream commit | ||
819 | |||
820 | test the new utf8 module | ||
821 | |||
822 | Upstream-Regress-ID: c923d05a20e84e4ef152cbec947fdc4ce6eabbe3 | ||
823 | |||
824 | commit d4219028bdef448e089376f3afe81ef6079da264 | ||
825 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
826 | Date: Tue May 3 15:30:46 2016 +0000 | ||
827 | |||
828 | upstream commit | ||
829 | |||
830 | Set umask to prevent "Bad owner or permissions" errors. | ||
831 | |||
832 | Upstream-Regress-ID: 8fdf2fc4eb595ccd80c443f474d639f851145417 | ||
833 | |||
834 | commit 07d5608bb237e9b3fe86a2aeaa429392230faebf | ||
835 | Author: djm@openbsd.org <djm@openbsd.org> | ||
836 | Date: Tue May 3 14:41:04 2016 +0000 | ||
837 | |||
838 | upstream commit | ||
839 | |||
840 | support doas | ||
841 | |||
842 | Upstream-Regress-ID: 8d5572b27ea810394eeda432d8b4e9e1064a7c38 | ||
843 | |||
844 | commit 01cabf10adc7676cba5f40536a34d3b246edb73f | ||
845 | Author: djm@openbsd.org <djm@openbsd.org> | ||
846 | Date: Tue May 3 13:48:33 2016 +0000 | ||
847 | |||
848 | upstream commit | ||
849 | |||
850 | unit tests for sshbuf_dup_string() | ||
851 | |||
852 | Upstream-Regress-ID: 7521ff150dc7f20511d1c2c48fd3318e5850a96d | ||
853 | |||
854 | commit 6915f1698e3d1dd4e22eac20f435e1dfc1d46372 | ||
855 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
856 | Date: Fri Jun 3 06:44:12 2016 +0000 | ||
857 | |||
858 | upstream commit | ||
859 | |||
860 | tweak previous; | ||
861 | |||
862 | Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698 | ||
863 | |||
864 | commit 0cb2f4c2494b115d0f346ed2d8b603ab3ba643f4 | ||
865 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
866 | Date: Fri Jun 3 04:09:38 2016 +0000 | ||
867 | |||
868 | upstream commit | ||
869 | |||
870 | Allow ExitOnForwardFailure and ClearAllForwardings to be | ||
871 | overridden when using ssh -W (but still default to yes in that case). | ||
872 | bz#2577, ok djm@. | ||
873 | |||
874 | Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4 | ||
875 | |||
876 | commit 8543ff3f5020fe659839b15f05b8c522bde6cee5 | ||
877 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
878 | Date: Fri Jun 3 03:14:41 2016 +0000 | ||
879 | |||
880 | upstream commit | ||
881 | |||
882 | Move the host and port used by ssh -W into the Options | ||
883 | struct. This will make future changes a bit easier. ok djm@ | ||
884 | |||
885 | Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382 | ||
886 | |||
887 | commit 6b87311d3acdc460f926b2c40f4c4f3fd345f368 | ||
888 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
889 | Date: Wed Jun 1 04:19:49 2016 +0000 | ||
890 | |||
891 | upstream commit | ||
892 | |||
893 | Check min and max sizes sent by the client against what | ||
894 | we support before passing them to the monitor. ok djm@ | ||
895 | |||
896 | Upstream-ID: 750627e8117084215412bff00a25b1586ab17ece | ||
897 | |||
898 | commit 564cd2a8926ccb1dca43a535073540935b5e0373 | ||
899 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
900 | Date: Tue May 31 23:46:14 2016 +0000 | ||
901 | |||
902 | upstream commit | ||
903 | |||
904 | Ensure that the client's proposed DH-GEX max value is at | ||
905 | least as big as the minimum the server will accept. ok djm@ | ||
906 | |||
907 | Upstream-ID: b4b84fa04aab2de7e79a6fee4a6e1c189c0fe775 | ||
908 | |||
909 | commit df820722e40309c9b3f360ea4ed47a584ed74333 | ||
910 | Author: Darren Tucker <dtucker@zip.com.au> | ||
911 | Date: Mon Jun 6 11:36:13 2016 +1000 | ||
912 | |||
913 | Add compat bits to utf8.c. | ||
914 | |||
915 | commit 05c6574652571becfe9d924226c967a3f4b3f879 | ||
916 | Author: Darren Tucker <dtucker@zip.com.au> | ||
917 | Date: Mon Jun 6 11:33:43 2016 +1000 | ||
918 | |||
919 | Fix utf->utf8 typo. | ||
920 | |||
921 | commit 6c1717190b4d5ddd729cd9e24e8ed71ed4f087ce | ||
922 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
923 | Date: Mon May 30 18:34:41 2016 +0000 | ||
924 | |||
925 | upstream commit | ||
926 | |||
927 | Backout rev. 1.43 for now. | ||
928 | |||
929 | The function update_progress_meter() calls refresh_progress_meter() | ||
930 | which calls snmprintf() which calls malloc(); but update_progress_meter() | ||
931 | acts as the SIGALRM signal handler. | ||
932 | |||
933 | "malloc(): error: recursive call" reported by sobrado@. | ||
934 | |||
935 | Upstream-ID: aaae57989431e5239c101f8310f74ccc83aeb93e | ||
936 | |||
937 | commit cd9e1eabeb4137182200035ab6fa4522f8d24044 | ||
938 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
939 | Date: Mon May 30 12:57:21 2016 +0000 | ||
940 | |||
941 | upstream commit | ||
942 | |||
943 | Even when only writing an unescaped character, the dst | ||
944 | buffer may need to grow, or it would be overrun; issue found by tb@ with | ||
945 | malloc.conf(5) 'C'. | ||
946 | |||
947 | While here, reserve an additional byte for the terminating NUL | ||
948 | up front such that we don't have to realloc() later just for that. | ||
949 | |||
950 | OK tb@ | ||
951 | |||
952 | Upstream-ID: 30ebcc0c097c4571b16f0a78b44969f170db0cff | ||
953 | |||
954 | commit ac284a355f8065eaef2a16f446f3c44cdd17371d | ||
955 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
956 | Date: Mon May 30 12:05:56 2016 +0000 | ||
957 | |||
958 | upstream commit | ||
959 | |||
960 | Fix two rare edge cases: 1. If vasprintf() returns < 0, | ||
961 | do not access a NULL pointer in snmprintf(), and do not free() the pointer | ||
962 | returned from vasprintf() because on some systems other than OpenBSD, it | ||
963 | might be a bogus pointer. 2. If vasprintf() returns == 0, return 0 and "" | ||
964 | rather than -1 and NULL. | ||
965 | |||
966 | Besides, free(dst) is pointless after failure (not a bug). | ||
967 | |||
968 | One half OK martijn@, the other half OK deraadt@; | ||
969 | committing quickly before people get hurt. | ||
970 | |||
971 | Upstream-ID: b7bcd2e82fc168a8eff94e41f5db336ed986fed0 | ||
972 | |||
973 | commit 0e059cdf5fd86297546c63fa8607c24059118832 | ||
974 | Author: schwarze@openbsd.org <schwarze@openbsd.org> | ||
975 | Date: Wed May 25 23:48:45 2016 +0000 | ||
976 | |||
977 | upstream commit | ||
978 | |||
979 | To prevent screwing up terminal settings when printing to | ||
980 | the terminal, for ASCII and UTF-8, escape bytes not forming characters and | ||
981 | bytes forming non-printable characters with vis(3) VIS_OCTAL. For other | ||
982 | character sets, abort printing of the current string in these cases. In | ||
983 | particular, * let scp(1) respect the local user's LC_CTYPE locale(1); * | ||
984 | sanitize data received from the remote host; * sanitize filenames, usernames, | ||
985 | and similar data even locally; * take character display widths into account | ||
986 | for the progressmeter. | ||
987 | |||
988 | This is believed to be sufficient to keep the local terminal safe | ||
989 | on OpenBSD, but bad things can still happen on other systems with | ||
990 | state-dependent locales because many places in the code print | ||
991 | unencoded ASCII characters into the output stream. | ||
992 | |||
993 | Using feedback from djm@ and martijn@, | ||
994 | various aspects discussed with many others. | ||
995 | |||
996 | deraadt@ says it should go in now, i probably already hesitated too long | ||
997 | |||
998 | Upstream-ID: e66afbc94ee396ddcaffd433b9a3b80f387647e0 | ||
999 | |||
1000 | commit 8c02e3639acefe1e447e293dbe23a0917abd3734 | ||
1001 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1002 | Date: Tue May 24 04:43:45 2016 +0000 | ||
1003 | |||
1004 | upstream commit | ||
1005 | |||
1006 | KNF compression proposal and simplify the client side a | ||
1007 | little. ok djm@ | ||
1008 | |||
1009 | Upstream-ID: aa814b694efe9e5af8a26e4c80a05526ae6d6605 | ||
1010 | |||
1011 | commit 7ec4946fb686813eb5f8c57397e465f5485159f4 | ||
1012 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1013 | Date: Tue May 24 02:31:57 2016 +0000 | ||
1014 | |||
1015 | upstream commit | ||
1016 | |||
1017 | Back out 'plug memleak'. | ||
1018 | |||
1019 | Upstream-ID: 4faacdde136c24a961e24538de373660f869dbc0 | ||
1020 | |||
1021 | commit 82f24c3ddc52053aeb7beb3332fa94c92014b0c5 | ||
1022 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1023 | Date: Mon May 23 23:30:50 2016 +0000 | ||
1024 | |||
1025 | upstream commit | ||
1026 | |||
1027 | prefer agent-hosted keys to keys from PKCS#11; ok markus | ||
1028 | |||
1029 | Upstream-ID: 7417f7653d58d6306d9f8c08d0263d050e2fd8f4 | ||
1030 | |||
1031 | commit a0cb7778fbc9b43458f7072eb68dd858766384d1 | ||
1032 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1033 | Date: Mon May 23 00:17:27 2016 +0000 | ||
1034 | |||
1035 | upstream commit | ||
1036 | |||
1037 | Plug mem leak in filter_proposal. ok djm@ | ||
1038 | |||
1039 | Upstream-ID: bf968da7cfcea2a41902832e7d548356a4e2af34 | ||
1040 | |||
1041 | commit ae9c0d4d5c581b3040d1f16b5c5f4b1cd1616743 | ||
1042 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1043 | Date: Fri Jun 3 16:03:44 2016 +1000 | ||
1044 | |||
1045 | Update vis.h and vis.c from OpenBSD. | ||
1046 | |||
1047 | This will be needed for the upcoming utf8 changes. | ||
1048 | |||
1049 | commit e1d93705f8f48f519433d6ca9fc3d0abe92a1b77 | ||
1050 | Author: Tim Rice <tim@multitalents.net> | ||
1051 | Date: Tue May 31 11:13:22 2016 -0700 | ||
1052 | |||
1053 | modified: configure.ac | ||
1054 | whitspace clean up. No code changes. | ||
1055 | |||
1056 | commit 604a037d84e41e31f0aec9075df0b8740c130200 | ||
1057 | Author: Damien Miller <djm@mindrot.org> | ||
1058 | Date: Tue May 31 16:45:28 2016 +1000 | ||
1059 | |||
1060 | whitespace at EOL | ||
1061 | |||
1062 | commit 18424200160ff5c923113e0a37ebe21ab7bcd17c | ||
1063 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1064 | Date: Mon May 30 19:35:28 2016 +1000 | ||
1065 | |||
1066 | Add missing ssh-host-config --name option | ||
1067 | |||
1068 | Patch from vinschen@redhat.com. | ||
1069 | |||
1070 | commit 39c0cecaa188a37a2e134795caa68e03f3ced592 | ||
1071 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1072 | Date: Fri May 20 10:01:58 2016 +1000 | ||
1073 | |||
1074 | Fix comment about sshpam_const and AIX. | ||
1075 | |||
1076 | From mschwager via github. | ||
1077 | |||
1078 | commit f64062b1f74ad5ee20a8a49aab2732efd0f7ce30 | ||
1079 | Author: Damien Miller <djm@mindrot.org> | ||
1080 | Date: Fri May 20 09:56:53 2016 +1000 | ||
1081 | |||
1082 | Deny lstat syscalls in seccomp sandbox | ||
1083 | |||
1084 | Avoids sandbox violations for some krb/gssapi libraries. | ||
1085 | |||
1086 | commit 531c135409b8d8810795b1f3692a4ebfd5c9cae0 | ||
1087 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1088 | Date: Thu May 19 07:45:32 2016 +0000 | ||
1089 | |||
1090 | upstream commit | ||
1091 | |||
1092 | fix type of ed25519 values | ||
1093 | |||
1094 | Upstream-ID: b32d0cb372bbe918ca2de56906901eae225a59b0 | ||
1095 | |||
1096 | commit 75e21688f523799c9e0cc6601d76a9c5ca79f787 | ||
1097 | Author: markus@openbsd.org <markus@openbsd.org> | ||
1098 | Date: Wed May 4 14:32:26 2016 +0000 | ||
1099 | |||
1100 | upstream commit | ||
1101 | |||
1102 | add IdentityAgent; noticed & ok jmc@ | ||
1103 | |||
1104 | Upstream-ID: 4ba9034b00a4cf1beae627f0728da897802df88a | ||
1105 | |||
1106 | commit 1a75d14daf4b60db903e6103cf50e74e0cd0a76b | ||
1107 | Author: markus@openbsd.org <markus@openbsd.org> | ||
1108 | Date: Wed May 4 14:29:58 2016 +0000 | ||
1109 | |||
1110 | upstream commit | ||
1111 | |||
1112 | allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@ | ||
1113 | |||
1114 | Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac | ||
1115 | |||
1116 | commit 0516454151ae722fc8256c3c56115c6baf24c5b0 | ||
1117 | Author: markus@openbsd.org <markus@openbsd.org> | ||
1118 | Date: Wed May 4 14:22:33 2016 +0000 | ||
1119 | |||
1120 | upstream commit | ||
1121 | |||
1122 | move SSH_MSG_NONE, so we don't have to include ssh1.h; | ||
1123 | ok deraadt@ | ||
1124 | |||
1125 | Upstream-ID: c2f97502efc761a41b18c17ddf460e138ca7994e | ||
1126 | |||
1127 | commit 332ff3d770631e7513fea38cf0d3689f673f0e3f | ||
1128 | Author: Damien Miller <djm@mindrot.org> | ||
1129 | Date: Tue May 10 09:51:06 2016 +1000 | ||
1130 | |||
1131 | initialise salen in binresvport_sa | ||
1132 | |||
1133 | avoids failures with UsePrivilegedPort=yes | ||
1134 | |||
1135 | patch from Juan Gallego | ||
1136 | |||
1137 | commit c5c1d5d2f04ce00d2ddd6647e61b32f28be39804 | ||
1138 | Author: markus@openbsd.org <markus@openbsd.org> | ||
1139 | Date: Wed May 4 14:04:40 2016 +0000 | ||
1140 | |||
1141 | upstream commit | ||
1142 | |||
1143 | missing const in prototypes (ssh1) | ||
1144 | |||
1145 | Upstream-ID: 789c6ad4928b5fa557369b88c3a6a34926082c05 | ||
1146 | |||
1147 | commit 9faae50e2e82ba42eb0cb2726bf6830fe7948f28 | ||
1148 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1149 | Date: Wed May 4 14:00:09 2016 +0000 | ||
1150 | |||
1151 | upstream commit | ||
1152 | |||
1153 | Fix inverted logic for updating StreamLocalBindMask which | ||
1154 | would cause the server to set an invalid mask. ok djm@ | ||
1155 | |||
1156 | Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587 | ||
1157 | |||
1158 | commit b02ad1ce9105bfa7394ac7590c0729dd52e26a81 | ||
1159 | Author: markus@openbsd.org <markus@openbsd.org> | ||
1160 | Date: Wed May 4 12:21:53 2016 +0000 | ||
1161 | |||
1162 | upstream commit | ||
1163 | |||
1164 | IdentityAgent for specifying specific agent sockets; ok | ||
1165 | djm@ | ||
1166 | |||
1167 | Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1 | ||
1168 | |||
1169 | commit 910e59bba09ac309d78ce61e356da35292212935 | ||
1170 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1171 | Date: Wed May 4 12:16:39 2016 +0000 | ||
1172 | |||
1173 | upstream commit | ||
1174 | |||
1175 | fix junk characters after quotes | ||
1176 | |||
1177 | Upstream-ID: cc4d0cd32cb6b55a2ef98975d2f7ae857d0dc578 | ||
1178 | |||
1179 | commit 9283884e647b8be50ccd2997537af0065672107d | ||
1180 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
1181 | Date: Tue May 3 18:38:12 2016 +0000 | ||
1182 | |||
1183 | upstream commit | ||
1184 | |||
1185 | correct article; | ||
1186 | |||
1187 | Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168 | ||
1188 | |||
1189 | commit cfefbcea1057c2623e76c579174a4107a0b6e6cd | ||
1190 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1191 | Date: Tue May 3 15:57:39 2016 +0000 | ||
1192 | |||
1193 | upstream commit | ||
1194 | |||
1195 | fix overriding of StreamLocalBindMask and | ||
1196 | StreamLocalBindUnlink in Match blocks; found the hard way Rogan Dawes | ||
1197 | |||
1198 | Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2 | ||
1199 | |||
1200 | commit 771c2f51ffc0c9a2877b7892fada0c77bd1f6549 | ||
1201 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1202 | Date: Tue May 3 15:25:06 2016 +0000 | ||
1203 | |||
1204 | upstream commit | ||
1205 | |||
1206 | don't forget to include StreamLocalBindUnlink in the | ||
1207 | config dump output | ||
1208 | |||
1209 | Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb | ||
1210 | |||
1211 | commit cdcd941994dc430f50d0a4e6a712d32b66e6199e | ||
1212 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1213 | Date: Tue May 3 14:54:08 2016 +0000 | ||
1214 | |||
1215 | upstream commit | ||
1216 | |||
1217 | make nethack^wrandomart fingerprint flag more readily | ||
1218 | searchable pointed out by Matt Johnston | ||
1219 | |||
1220 | Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb | ||
1221 | |||
1222 | commit 05855bf2ce7d5cd0a6db18bc0b4214ed5ef7516d | ||
1223 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1224 | Date: Tue May 3 13:10:24 2016 +0000 | ||
1225 | |||
1226 | upstream commit | ||
1227 | |||
1228 | clarify ordering of subkeys; pointed out by ietf-ssh AT | ||
1229 | stbuehler.de | ||
1230 | |||
1231 | Upstream-ID: 05ebe9f949449a555ebce8e0aad7c8c9acaf8463 | ||
1232 | |||
1233 | commit cca3b4395807bfb7aaeb83d2838f5c062ce30566 | ||
1234 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1235 | Date: Tue May 3 12:15:49 2016 +0000 | ||
1236 | |||
1237 | upstream commit | ||
1238 | |||
1239 | Use a subshell for constructing key types to work around | ||
1240 | different sed behaviours for -portable. | ||
1241 | |||
1242 | Upstream-Regress-ID: 0f6eb673162df229eda9a134a0f10da16151552d | ||
1243 | |||
1244 | commit fa58208c6502dcce3e0daac0ca991ee657daf1f5 | ||
1245 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1246 | Date: Tue May 3 10:27:59 2016 +0000 | ||
1247 | |||
1248 | upstream commit | ||
1249 | |||
1250 | correct some typos and remove a long-stale XXX note. | ||
1251 | |||
1252 | add specification for ed25519 certificates | ||
1253 | |||
1254 | mention no host certificate options/extensions are currently defined | ||
1255 | |||
1256 | pointed out by Simon Tatham | ||
1257 | |||
1258 | Upstream-ID: 7b535ab7dba3340b7d8210ede6791fdaefdf839a | ||
1259 | |||
1260 | commit b466f956c32cbaff4200bfcd5db6739fe4bc7d04 | ||
1261 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1262 | Date: Tue May 3 10:24:27 2016 +0000 | ||
1263 | |||
1264 | upstream commit | ||
1265 | |||
1266 | add ed25519 keys that are supported but missing from this | ||
1267 | documents; from Peter Moody | ||
1268 | |||
1269 | Upstream-ID: 8caac2d8e8cfd2fca6dc304877346e0a064b014b | ||
1270 | |||
1271 | commit 7f3d76319a69dab2efe3a520a8fef5b97e923636 | ||
1272 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1273 | Date: Tue May 3 09:03:49 2016 +0000 | ||
1274 | |||
1275 | upstream commit | ||
1276 | |||
1277 | Implement IUTF8 as per draft-sgtatham-secsh-iutf8-00. Patch | ||
1278 | from Simon Tatham, ok markus@ | ||
1279 | |||
1280 | Upstream-ID: 58268ebdf37d9d467f78216c681705a5e10c58e8 | ||
1281 | |||
1282 | commit 31bc01c05d9f51bee3ebe33dc57c4fafb059fb62 | ||
1283 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1284 | Date: Mon May 2 14:10:58 2016 +0000 | ||
1285 | |||
1286 | upstream commit | ||
1287 | |||
1288 | unbreak config parsing on reexec from previous commit | ||
1289 | |||
1290 | Upstream-ID: bc69932638a291770955bd05ca55a32660a613ab | ||
1291 | |||
1292 | commit 67f1459efd2e85bf03d032539283fa8107218936 | ||
1293 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1294 | Date: Mon May 2 09:52:00 2016 +0000 | ||
1295 | |||
1296 | upstream commit | ||
1297 | |||
1298 | unit and regress tests for SHA256/512; ok markus | ||
1299 | |||
1300 | Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6 | ||
1301 | |||
1302 | commit 0e8eeec8e75f6d0eaf33317376f773160018a9c7 | ||
1303 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1304 | Date: Mon May 2 10:26:04 2016 +0000 | ||
1305 | |||
1306 | upstream commit | ||
1307 | |||
1308 | add support for additional fixed DH groups from | ||
1309 | draft-ietf-curdle-ssh-kex-sha2-03 | ||
1310 | |||
1311 | diffie-hellman-group14-sha256 (2K group) | ||
1312 | diffie-hellman-group16-sha512 (4K group) | ||
1313 | diffie-hellman-group18-sha512 (8K group) | ||
1314 | |||
1315 | based on patch from Mark D. Baushke and Darren Tucker | ||
1316 | ok markus@ | ||
1317 | |||
1318 | Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f | ||
1319 | |||
1320 | commit 57464e3934ba53ad8590ee3ccd840f693407fc1e | ||
1321 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1322 | Date: Mon May 2 09:36:42 2016 +0000 | ||
1323 | |||
1324 | upstream commit | ||
1325 | |||
1326 | support SHA256 and SHA512 RSA signatures in certificates; | ||
1327 | ok markus@ | ||
1328 | |||
1329 | Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a | ||
1330 | |||
1331 | commit 1a31d02b2411c4718de58ce796dbb7b5e14db93e | ||
1332 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1333 | Date: Mon May 2 08:49:03 2016 +0000 | ||
1334 | |||
1335 | upstream commit | ||
1336 | |||
1337 | fix signed/unsigned errors reported by clang-3.7; add | ||
1338 | sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with | ||
1339 | better safety checking; feedback and ok markus@ | ||
1340 | |||
1341 | Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820 | ||
1342 | |||
1343 | commit d2d6bf864e52af8491a60dd507f85b74361f5da3 | ||
1344 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1345 | Date: Fri Apr 29 08:07:53 2016 +0000 | ||
1346 | |||
1347 | upstream commit | ||
1348 | |||
1349 | close ControlPersist background process stderr when not | ||
1350 | in debug mode or when logging to a file or syslog. bz#1988 ok dtucker | ||
1351 | |||
1352 | Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24 | ||
1353 | |||
1354 | commit 9ee692fa1146e887e008a2b9a3d3ea81770c9fc8 | ||
1355 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1356 | Date: Thu Apr 28 14:30:21 2016 +0000 | ||
1357 | |||
1358 | upstream commit | ||
1359 | |||
1360 | fix comment | ||
1361 | |||
1362 | Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15 | ||
1363 | |||
1364 | commit ee1e0a16ff2ba41a4d203c7670b54644b6c57fa6 | ||
1365 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
1366 | Date: Wed Apr 27 13:53:48 2016 +0000 | ||
1367 | |||
1368 | upstream commit | ||
1369 | |||
1370 | cidr permitted for {allow,deny}users; from lars nooden ok djm | ||
1371 | |||
1372 | Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11 | ||
1373 | |||
1374 | commit b6e0140a5aa883c27b98415bd8aa9f65fc04ee22 | ||
1375 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1376 | Date: Thu Apr 21 06:08:02 2016 +0000 | ||
1377 | |||
1378 | upstream commit | ||
1379 | |||
1380 | make argument == NULL tests more consistent | ||
1381 | |||
1382 | Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d | ||
1383 | |||
1384 | commit 6aaabc2b610e44bae473457ad9556ffb43d90ee3 | ||
1385 | Author: jmc@openbsd.org <jmc@openbsd.org> | ||
1386 | Date: Sun Apr 17 14:34:46 2016 +0000 | ||
1387 | |||
1388 | upstream commit | ||
1389 | |||
1390 | tweak previous; | ||
1391 | |||
1392 | Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f | ||
1393 | |||
1394 | commit 0f839e5969efa3bda615991be8a9d9311554c573 | ||
1395 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1396 | Date: Fri Apr 15 02:57:10 2016 +0000 | ||
1397 | |||
1398 | upstream commit | ||
1399 | |||
1400 | missing bit of Include regress | ||
1401 | |||
1402 | Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f | ||
1403 | |||
1404 | commit 12e4ac46aed681da55c2bba3cd11dfcab23591be | ||
1405 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1406 | Date: Fri Apr 15 02:55:53 2016 +0000 | ||
1407 | |||
1408 | upstream commit | ||
1409 | |||
1410 | remove redundant CLEANFILES section | ||
1411 | |||
1412 | Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587 | ||
1413 | |||
1414 | commit b1d05aa653ae560c44baf8e8a9756e33f98ea75c | ||
1415 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1416 | Date: Fri Apr 15 00:48:01 2016 +0000 | ||
1417 | |||
1418 | upstream commit | ||
1419 | |||
1420 | sync CLEANFILES with portable, sort | ||
1421 | |||
1422 | Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed | ||
1423 | |||
1424 | commit 35f22dad263cce5c61d933ae439998cb965b8748 | ||
1425 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1426 | Date: Fri Apr 15 00:31:10 2016 +0000 | ||
1427 | |||
1428 | upstream commit | ||
1429 | |||
1430 | regression test for ssh_config Include directive | ||
1431 | |||
1432 | Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e | ||
1433 | |||
1434 | commit 6b8a1a87005818d4700ce8b42faef746e82c1f51 | ||
1435 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1436 | Date: Thu Apr 14 23:57:17 2016 +0000 | ||
1437 | |||
1438 | upstream commit | ||
1439 | |||
1440 | unbreak test for recent ssh de-duplicated forwarding | ||
1441 | change | ||
1442 | |||
1443 | Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3 | ||
1444 | |||
1445 | commit 076787702418985a2cc6808212dc28ce7afc01f0 | ||
1446 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1447 | Date: Thu Apr 14 23:21:42 2016 +0000 | ||
1448 | |||
1449 | upstream commit | ||
1450 | |||
1451 | add test knob and warning for StrictModes | ||
1452 | |||
1453 | Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682 | ||
1454 | |||
1455 | commit dc7990be865450574c7940c9880567f5d2555b37 | ||
1456 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1457 | Date: Fri Apr 15 00:30:19 2016 +0000 | ||
1458 | |||
1459 | upstream commit | ||
1460 | |||
1461 | Include directive for ssh_config(5); feedback & ok markus@ | ||
1462 | |||
1463 | Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff | ||
1464 | |||
1465 | commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 | ||
1466 | Author: Damien Miller <djm@mindrot.org> | ||
1467 | Date: Wed Apr 13 10:39:57 2016 +1000 | ||
1468 | |||
1469 | ignore PAM environment vars when UseLogin=yes | ||
1470 | |||
1471 | If PAM is configured to read user-specified environment variables | ||
1472 | and UseLogin=yes in sshd_config, then a hostile local user may | ||
1473 | attack /bin/login via LD_PRELOAD or similar environment variables | ||
1474 | set via PAM. | ||
1475 | |||
1476 | CVE-2015-8325, found by Shayan Sadigh, via Colin Watson | ||
1477 | |||
1478 | commit dce19bf6e4a2a3d0b13a81224de63fc316461ab9 | ||
1479 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1480 | Date: Sat Apr 9 12:39:30 2016 +0000 | ||
1481 | |||
1482 | upstream commit | ||
1483 | |||
1484 | make private key loading functions consistently handle NULL | ||
1485 | key pointer arguments; ok markus@ | ||
1486 | |||
1487 | Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761 | ||
1488 | |||
1489 | commit 5f41f030e2feb5295657285aa8c6602c7810bc4b | ||
1490 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1491 | Date: Fri Apr 8 21:14:13 2016 +1000 | ||
1492 | |||
1493 | Remove NO_IPPORT_RESERVED_CONCEPT | ||
1494 | |||
1495 | Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have | ||
1496 | the same effect without causing problems syncing patches with OpenBSD. | ||
1497 | Resync the two affected functions with OpenBSD. ok djm, sanity checked | ||
1498 | by Corinna. | ||
1499 | |||
1500 | commit 34a01b2cf737d946ddb140618e28c3048ab7a229 | ||
1501 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1502 | Date: Fri Apr 8 08:19:17 2016 +0000 | ||
1503 | |||
1504 | upstream commit | ||
1505 | |||
1506 | whitespace at EOL | ||
1507 | |||
1508 | Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6 | ||
1509 | |||
1510 | commit 90ee563fa6b54c59896c6c332c5188f866c5e75f | ||
1511 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1512 | Date: Fri Apr 8 06:35:54 2016 +0000 | ||
1513 | |||
1514 | upstream commit | ||
1515 | |||
1516 | We accidentally send an empty string and a zero uint32 with | ||
1517 | every direct-streamlocal@openssh.com channel open, in contravention of our | ||
1518 | own spec. | ||
1519 | |||
1520 | Fixing this is too hard wrt existing versions that expect these | ||
1521 | fields to be present and fatal() if they aren't, so document them | ||
1522 | as "reserved" fields in the PROTOCOL spec as though we always | ||
1523 | intended this and let us never speak of it again. | ||
1524 | |||
1525 | bz#2529, reported by Ron Frederick | ||
1526 | |||
1527 | Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7 | ||
1528 | |||
1529 | commit 0ccbd5eca0f0dd78e71a4b69c66f03a66908d558 | ||
1530 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1531 | Date: Wed Apr 6 06:42:17 2016 +0000 | ||
1532 | |||
1533 | upstream commit | ||
1534 | |||
1535 | don't record duplicate LocalForward and RemoteForward | ||
1536 | entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation | ||
1537 | where the same forwards are added on the second pass through the | ||
1538 | configuration file. bz#2562; ok dtucker@ | ||
1539 | |||
1540 | Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1 | ||
1541 | |||
1542 | commit 574def0eb493cd6efeffd4ff2e9257abcffee0c8 | ||
1543 | Author: krw@openbsd.org <krw@openbsd.org> | ||
1544 | Date: Sat Apr 2 14:37:42 2016 +0000 | ||
1545 | |||
1546 | upstream commit | ||
1547 | |||
1548 | Another use for fcntl() and thus of the superfluous 3rd | ||
1549 | parameter is when sanitising standard fd's before calling daemon(). | ||
1550 | |||
1551 | Use a tweaked version of the ssh(1) function in all three places | ||
1552 | found using fcntl() this way. | ||
1553 | |||
1554 | ok jca@ beck@ | ||
1555 | |||
1556 | Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218 | ||
1557 | |||
1558 | commit b3413534aa9d71a941005df2760d1eec2c2b0854 | ||
1559 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1560 | Date: Mon Apr 4 11:09:21 2016 +1000 | ||
1561 | |||
1562 | Tidy up openssl header test. | ||
1563 | |||
1564 | commit 815bcac0b94bb448de5acdd6ba925b8725240b4f | ||
1565 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1566 | Date: Mon Apr 4 11:07:59 2016 +1000 | ||
1567 | |||
1568 | Fix configure-time warnings for openssl test. | ||
1569 | |||
1570 | commit 95687f5831ae680f7959446d8ae4b52452ee05dd | ||
1571 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1572 | Date: Fri Apr 1 02:34:10 2016 +0000 | ||
1573 | |||
1574 | upstream commit | ||
1575 | |||
1576 | whitespace at EOL | ||
1577 | |||
1578 | Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a | ||
1579 | |||
1580 | commit fdfbf4580de09d84a974211715e14f88a5704b8e | ||
1581 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1582 | Date: Thu Mar 31 05:24:06 2016 +0000 | ||
1583 | |||
1584 | upstream commit | ||
1585 | |||
1586 | Remove fallback from moduli to "primes" file that was | ||
1587 | deprecated in 2001 and fix log messages referring to primes file. Based on | ||
1588 | patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@ | ||
1589 | |||
1590 | Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713 | ||
1591 | |||
1592 | commit 0235a5fa67fcac51adb564cba69011a535f86f6b | ||
1593 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1594 | Date: Thu Mar 17 17:19:43 2016 +0000 | ||
1595 | |||
1596 | upstream commit | ||
1597 | |||
1598 | UseDNS affects ssh hostname processing in authorized_keys, | ||
1599 | not known_hosts; bz#2554 reported by jjelen AT redhat.com | ||
1600 | |||
1601 | Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591 | ||
1602 | |||
1603 | commit 8c4739338f5e379d05b19d6e544540114965f07e | ||
1604 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1605 | Date: Tue Mar 15 09:24:43 2016 +1100 | ||
1606 | |||
1607 | Don't call Solaris setproject() with UsePAM=yes. | ||
1608 | |||
1609 | When Solaris Projects are enabled along with PAM setting the project | ||
1610 | is PAM's responsiblity. bz#2425, based on patch from | ||
1611 | brent.paulson at gmail.com. | ||
1612 | |||
1613 | commit cff26f373c58457a32cb263e212cfff53fca987b | ||
1614 | Author: Damien Miller <djm@mindrot.org> | ||
1615 | Date: Tue Mar 15 04:30:21 2016 +1100 | ||
1616 | |||
1617 | remove slogin from *.spec | ||
1618 | |||
1619 | commit c38905ba391434834da86abfc988a2b8b9b62477 | ||
1620 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1621 | Date: Mon Mar 14 16:20:54 2016 +0000 | ||
1622 | |||
1623 | upstream commit | ||
1624 | |||
1625 | unbreak authentication using lone certificate keys in | ||
1626 | ssh-agent: when attempting pubkey auth with a certificate, if no separate | ||
1627 | private key is found among the keys then try with the certificate key itself. | ||
1628 | |||
1629 | bz#2550 reported by Peter Moody | ||
1630 | |||
1631 | Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966 | ||
1632 | |||
1633 | commit 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 | ||
1634 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1635 | Date: Thu Mar 10 11:47:57 2016 +0000 | ||
1636 | |||
1637 | upstream commit | ||
1638 | |||
1639 | sanitise characters destined for xauth reported by | ||
1640 | github.com/tintinweb feedback and ok deraadt and markus | ||
1641 | |||
1642 | Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261 | ||
1643 | |||
1644 | commit 732b463d37221722b1206f43aa59563766a6a968 | ||
1645 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1646 | Date: Mon Mar 14 16:04:23 2016 +1100 | ||
1647 | |||
1648 | Pass supported malloc options to connect-privsep. | ||
1649 | |||
1650 | This allows us to activate only the supported options during the malloc | ||
1651 | option portion of the connect-privsep test. | ||
1652 | |||
1653 | commit d29c5b9b3e9f27394ca97a364ed4bb4a55a59744 | ||
1654 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1655 | Date: Mon Mar 14 09:30:58 2016 +1100 | ||
1656 | |||
1657 | Remove leftover roaming.h file. | ||
1658 | |||
1659 | Pointed out by des at des.no. | ||
1660 | |||
1661 | commit 8ff20ec95f4377021ed5e9b2331320f5c5a34cea | ||
1662 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1663 | Date: Mon Mar 14 09:24:03 2016 +1100 | ||
1664 | |||
1665 | Quote variables that may contain whitespace. | ||
1666 | |||
1667 | The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to | ||
1668 | survive paths containing whitespace. bz#2551, from Corinna Vinschen via | ||
1669 | Philip Hands. | ||
1670 | |||
1671 | commit 627824480c01f0b24541842c7206ab9009644d02 | ||
1672 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1673 | Date: Fri Mar 11 14:47:41 2016 +1100 | ||
1674 | |||
1675 | Include priv.h for priv_set_t. | ||
1676 | |||
1677 | From alex at cooperi.net. | ||
1678 | |||
1679 | commit e960051f9a264f682c4d2fefbeecffcfc66b0ddf | ||
1680 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1681 | Date: Wed Mar 9 13:14:18 2016 +1100 | ||
1682 | |||
1683 | Wrap stdint.h inside #ifdef HAVE_STDINT_H. | ||
1684 | |||
1685 | commit 2c48bd344d2c4b5e08dae9aea5ff44fc19a5e363 | ||
1686 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1687 | Date: Wed Mar 9 12:46:50 2016 +1100 | ||
1688 | |||
1689 | Add compat to monotime_double(). | ||
1690 | |||
1691 | Apply all of the portability changes in monotime() to monotime() double. | ||
1692 | Fixes build on at least older FreeBSD systems. | ||
1693 | |||
1694 | commit 7b40ef6c2eef40c339f6ea8920cb8a44838e10c9 | ||
1695 | Author: Damien Miller <djm@mindrot.org> | ||
1696 | Date: Tue Mar 8 14:12:58 2016 -0800 | ||
1697 | |||
1698 | make a regress-binaries target | ||
1699 | |||
1700 | Easier to build all the regression/unit test binaries in one pass | ||
1701 | than going through all of ${REGRESS_BINARIES} | ||
1702 | |||
1703 | commit c425494d6b6181beb54a1b3763ef9e944fd3c214 | ||
1704 | Author: Damien Miller <djm@mindrot.org> | ||
1705 | Date: Tue Mar 8 14:03:54 2016 -0800 | ||
1706 | |||
1707 | unbreak kexfuzz for -Werror without __bounded__ | ||
1708 | |||
1709 | commit 3ed9218c336607846563daea5d5ab4f701f4e042 | ||
1710 | Author: Damien Miller <djm@mindrot.org> | ||
1711 | Date: Tue Mar 8 14:01:29 2016 -0800 | ||
1712 | |||
1713 | unbreak PAM after canohost refactor | ||
1714 | |||
1715 | commit 885fb2a44ff694f01e4f6470f803629e11f62961 | ||
1716 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1717 | Date: Tue Mar 8 11:58:43 2016 +1100 | ||
1718 | |||
1719 | auth_get_canonical_hostname in portable code. | ||
1720 | |||
1721 | "refactor canohost.c" replaced get_canonical_hostname, this makes the | ||
1722 | same change to some portable-specific code. | ||
1723 | |||
1724 | commit 95767262caa6692eff1e1565be1f5cb297949a89 | ||
1725 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1726 | Date: Mon Mar 7 19:02:43 2016 +0000 | ||
6 | 1727 | ||
7 | commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56 | 1728 | upstream commit |
1729 | |||
1730 | refactor canohost.c: move functions that cache results closer | ||
1731 | to the places that use them (authn and session code). After this, no state is | ||
1732 | cached in canohost.c | ||
1733 | |||
1734 | feedback and ok markus@ | ||
1735 | |||
1736 | Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e | ||
1737 | |||
1738 | commit af0bb38ffd1f2c4f9f43b0029be2efe922815255 | ||
8 | Author: Damien Miller <djm@mindrot.org> | 1739 | Author: Damien Miller <djm@mindrot.org> |
9 | Date: Thu Mar 10 05:03:39 2016 +1100 | 1740 | Date: Fri Mar 4 15:11:55 2016 +1100 |
1741 | |||
1742 | hook unittests/misc/kexfuzz into build | ||
1743 | |||
1744 | commit 331b8e07ee5bcbdca12c11cc8f51a7e8de09b248 | ||
1745 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1746 | Date: Fri Mar 4 02:48:06 2016 +0000 | ||
1747 | |||
1748 | upstream commit | ||
1749 | |||
1750 | Filter debug messages out of log before picking the last | ||
1751 | two lines. Should prevent problems if any more debug output is added late in | ||
1752 | the connection. | ||
1753 | |||
1754 | Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363 | ||
1755 | |||
1756 | commit 0892edaa3ce623381d3a7635544cbc69b31cf9cb | ||
1757 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1758 | Date: Fri Mar 4 02:30:36 2016 +0000 | ||
1759 | |||
1760 | upstream commit | ||
1761 | |||
1762 | add KEX fuzzer harness; ok deraadt@ | ||
1763 | |||
1764 | Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1 | ||
1765 | |||
1766 | commit ae2562c47d41b68dbb00240fd6dd60bed205367a | ||
1767 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1768 | Date: Thu Mar 3 00:46:53 2016 +0000 | ||
1769 | |||
1770 | upstream commit | ||
1771 | |||
1772 | Look back 3 lines for possible error messages. Changes | ||
1773 | to the code mean that "Bad packet length" errors are 3 lines back instead of | ||
1774 | the previous two, which meant we didn't skip some offsets that we intended | ||
1775 | to. | ||
1776 | |||
1777 | Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684 | ||
10 | 1778 | ||
11 | sanitise characters destined for xauth(1) | 1779 | commit 988e429d903acfb298bfddfd75e7994327adfed0 |
1780 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1781 | Date: Fri Mar 4 03:35:44 2016 +0000 | ||
1782 | |||
1783 | upstream commit | ||
12 | 1784 | ||
13 | reported by github.com/tintinweb | 1785 | fix ClientAliveInterval when a time-based RekeyLimit is |
1786 | set; previously keepalive packets were not being sent. bz#2252 report and | ||
1787 | analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@ | ||
1788 | |||
1789 | Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81 | ||
1790 | |||
1791 | commit 8ef04d7a94bcdb8b0085fdd2a79a844b7d40792d | ||
1792 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1793 | Date: Wed Mar 2 22:43:52 2016 +0000 | ||
1794 | |||
1795 | upstream commit | ||
1796 | |||
1797 | Improve accuracy of reported transfer speeds by waiting | ||
1798 | for the ack from the other end. Pointed out by mmcc@, ok deraadt@ markus@ | ||
1799 | |||
1800 | Upstream-ID: 99f1cf15c9a8f161086b814d414d862795ae153d | ||
1801 | |||
1802 | commit b8d4eafe29684fe4f5bb587f7eab948e6ed62723 | ||
1803 | Author: dtucker@openbsd.org <dtucker@openbsd.org> | ||
1804 | Date: Wed Mar 2 22:42:40 2016 +0000 | ||
1805 | |||
1806 | upstream commit | ||
1807 | |||
1808 | Improve precision of progressmeter for sftp and scp by | ||
1809 | storing sub-second timestamps. Pointed out by mmcc@, ok deraadt@ markus@ | ||
1810 | |||
1811 | Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab | ||
1812 | |||
1813 | commit 18f64b969c70ed00e74b9d8e50359dbe698ce4c0 | ||
1814 | Author: jca@openbsd.org <jca@openbsd.org> | ||
1815 | Date: Mon Feb 29 20:22:36 2016 +0000 | ||
1816 | |||
1817 | upstream commit | ||
1818 | |||
1819 | Print ssize_t with %zd; ok deraadt@ mmcc@ | ||
1820 | |||
1821 | Upstream-ID: 0590313bbb013ff6692298c98f7e0be349d124bd | ||
1822 | |||
1823 | commit 6e7f68ce38130c794ec1fb8d2a6091fbe982628d | ||
1824 | Author: djm@openbsd.org <djm@openbsd.org> | ||
1825 | Date: Sun Feb 28 22:27:00 2016 +0000 | ||
1826 | |||
1827 | upstream commit | ||
1828 | |||
1829 | rearrange DH public value tests to be a little more clear | ||
1830 | |||
1831 | rearrange DH private value generation to explain rationale more | ||
1832 | clearly and include an extra sanity check. | ||
1833 | |||
1834 | ok deraadt | ||
1835 | |||
1836 | Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad | ||
1837 | |||
1838 | commit 2ed17aa34008bdfc8db674315adc425a0712be11 | ||
1839 | Author: Darren Tucker <dtucker@zip.com.au> | ||
1840 | Date: Tue Mar 1 15:24:20 2016 +1100 | ||
1841 | |||
1842 | Import updated moduli file from OpenBSD. | ||
1843 | |||
1844 | Note that 1.5k bit groups have been removed. | ||
14 | 1845 | ||
15 | commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 | 1846 | commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 |
16 | Author: Darren Tucker <dtucker@zip.com.au> | 1847 | Author: Darren Tucker <dtucker@zip.com.au> |
@@ -7369,1537 +9200,3 @@ Date: Fri Aug 1 12:26:49 2014 +1000 | |||
7369 | 9200 | ||
7370 | - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need | 9201 | - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need |
7371 | a better solution, but this will have to do for now. | 9202 | a better solution, but this will have to do for now. |
7372 | |||
7373 | commit 426117b2e965e43f47015942b5be8dd88fe74b88 | ||
7374 | Author: Damien Miller <djm@mindrot.org> | ||
7375 | Date: Wed Jul 30 12:33:20 2014 +1000 | ||
7376 | |||
7377 | - schwarze@cvs.openbsd.org 2014/07/28 15:40:08 | ||
7378 | [sftp-server.8 sshd_config.5] | ||
7379 | some systems no longer need /dev/log; | ||
7380 | issue noticed by jirib; | ||
7381 | ok deraadt | ||
7382 | |||
7383 | commit f497794b6962eaf802ab4ac2a7b22ae591cca1d5 | ||
7384 | Author: Damien Miller <djm@mindrot.org> | ||
7385 | Date: Wed Jul 30 12:32:46 2014 +1000 | ||
7386 | |||
7387 | - dtucker@cvs.openbsd.org 2014/07/25 21:22:03 | ||
7388 | [ssh-agent.c] | ||
7389 | Clear buffer used for handling messages. This prevents keys being | ||
7390 | left in memory after they have been expired or deleted in some cases | ||
7391 | (but note that ssh-agent is setgid so you would still need root to | ||
7392 | access them). Pointed out by Kevin Burns, ok deraadt | ||
7393 | |||
7394 | commit a8a0f65c57c8ecba94d65948e9090da54014dfef | ||
7395 | Author: Damien Miller <djm@mindrot.org> | ||
7396 | Date: Wed Jul 30 12:32:28 2014 +1000 | ||
7397 | |||
7398 | - OpenBSD CVS Sync | ||
7399 | - millert@cvs.openbsd.org 2014/07/24 22:57:10 | ||
7400 | [ssh.1] | ||
7401 | Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@ | ||
7402 | |||
7403 | commit 56b840f2b81e14a2f95c203403633a72566736f8 | ||
7404 | Author: Damien Miller <djm@mindrot.org> | ||
7405 | Date: Fri Jul 25 08:11:30 2014 +1000 | ||
7406 | |||
7407 | - (djm) [regress/multiplex.sh] restore incorrectly deleted line; | ||
7408 | pointed out by Christian Hesse | ||
7409 | |||
7410 | commit dd417b60d5ca220565d1014e92b7f8f43dc081eb | ||
7411 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7412 | Date: Wed Jul 23 10:41:21 2014 +1000 | ||
7413 | |||
7414 | - dtucker@cvs.openbsd.org 2014/07/22 23:35:38 | ||
7415 | [regress/unittests/sshkey/testdata/*] | ||
7416 | Regenerate test keys with certs signed with ed25519 instead of ecdsa. | ||
7417 | These can be used in -portable on platforms that don't support ECDSA. | ||
7418 | |||
7419 | commit 40e50211896369dba8f64f3b5e5fd58b76f5ac3f | ||
7420 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7421 | Date: Wed Jul 23 10:35:45 2014 +1000 | ||
7422 | |||
7423 | - dtucker@cvs.openbsd.org 2014/07/22 23:57:40 | ||
7424 | [regress/unittests/sshkey/mktestdata.sh] | ||
7425 | Add $OpenBSD tag to make syncs easier | ||
7426 | |||
7427 | commit 07e644251e809b1d4c062cf85bd1146a7e3f5a8a | ||
7428 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7429 | Date: Wed Jul 23 10:34:26 2014 +1000 | ||
7430 | |||
7431 | - dtucker@cvs.openbsd.org 2014/07/22 23:23:22 | ||
7432 | [regress/unittests/sshkey/mktestdata.sh] | ||
7433 | Sign test certs with ed25519 instead of ecdsa so that they'll work in | ||
7434 | -portable on platforms that don't have ECDSA in their OpenSSL. ok djm | ||
7435 | |||
7436 | commit cea099a7c4eaecb01b001e5453bb4e5c25006c22 | ||
7437 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7438 | Date: Wed Jul 23 10:04:02 2014 +1000 | ||
7439 | |||
7440 | - djm@cvs.openbsd.org 2014/07/22 01:32:12 | ||
7441 | [regress/multiplex.sh] | ||
7442 | change the test for still-open Unix domain sockets to be robust against | ||
7443 | nc implementations that produce error messages. from -portable | ||
7444 | (Id sync only) | ||
7445 | |||
7446 | commit 31eb78078d349b32ea41952ecc944b3ad6cb0d45 | ||
7447 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7448 | Date: Wed Jul 23 09:43:42 2014 +1000 | ||
7449 | |||
7450 | - guenther@cvs.openbsd.org 2014/07/22 07:13:42 | ||
7451 | [umac.c] | ||
7452 | Convert from <sys/endian.h> to the shiney new <endian.h> | ||
7453 | ok dtucker@, who also confirmed that -portable handles this already | ||
7454 | (ID sync only, includes.h pulls in endian.h if available.) | ||
7455 | |||
7456 | commit 820763efef2d19d965602533036c2b4badc9d465 | ||
7457 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7458 | Date: Wed Jul 23 09:40:46 2014 +1000 | ||
7459 | |||
7460 | - dtucker@cvs.openbsd.org 2014/07/22 01:18:50 | ||
7461 | [key.c] | ||
7462 | Prevent spam from key_load_private_pem during hostbased auth. ok djm@ | ||
7463 | |||
7464 | commit c4ee219a66f3190fa96cbd45b4d11015685c6306 | ||
7465 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7466 | Date: Wed Jul 23 04:27:50 2014 +1000 | ||
7467 | |||
7468 | - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa- | ||
7469 | specific tests inside OPENSSL_HAS_ECC. | ||
7470 | |||
7471 | commit 04f4824940ea3edd60835416ececbae16438968a | ||
7472 | Author: Damien Miller <djm@mindrot.org> | ||
7473 | Date: Tue Jul 22 11:31:47 2014 +1000 | ||
7474 | |||
7475 | - (djm) [regress/multiplex.sh] change the test for still-open Unix | ||
7476 | domain sockets to be robust against nc implementations that produce | ||
7477 | error messages. | ||
7478 | |||
7479 | commit 5ea4fe00d55453aaa44007330bb4c3181bd9b796 | ||
7480 | Author: Damien Miller <djm@mindrot.org> | ||
7481 | Date: Tue Jul 22 09:39:19 2014 +1000 | ||
7482 | |||
7483 | - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow; | ||
7484 | put it back | ||
7485 | |||
7486 | commit 948a1774a79a85f9deba6d74db95f402dee32c69 | ||
7487 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7488 | Date: Tue Jul 22 01:07:11 2014 +1000 | ||
7489 | |||
7490 | - (dtucker) [sshkey.c] ifdef out unused variable when compiling without | ||
7491 | OPENSSL_HAS_ECC. | ||
7492 | |||
7493 | commit c8f610f6cc57ae129758052439d9baf13699097b | ||
7494 | Author: Damien Miller <djm@mindrot.org> | ||
7495 | Date: Mon Jul 21 10:23:27 2014 +1000 | ||
7496 | |||
7497 | - (djm) [regress/multiplex.sh] Not all netcat accept the -N option. | ||
7498 | |||
7499 | commit 0e4e95566cd95c887f69272499b8f3880b3ec0f5 | ||
7500 | Author: Damien Miller <djm@mindrot.org> | ||
7501 | Date: Mon Jul 21 09:52:54 2014 +1000 | ||
7502 | |||
7503 | - millert@cvs.openbsd.org 2014/07/15 15:54:15 | ||
7504 | [forwarding.sh multiplex.sh] | ||
7505 | Add support for Unix domain socket forwarding. A remote TCP port | ||
7506 | may be forwarded to a local Unix domain socket and vice versa or | ||
7507 | both ends may be a Unix domain socket. This is a reimplementation | ||
7508 | of the streamlocal patches by William Ahern from: | ||
7509 | http://www.25thandclement.com/~william/projects/streamlocal.html | ||
7510 | OK djm@ markus@ | ||
7511 | |||
7512 | commit 93a87ab27ecdc709169fb24411133998f81e2761 | ||
7513 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7514 | Date: Mon Jul 21 06:30:25 2014 +1000 | ||
7515 | |||
7516 | - (dtucker) [regress/unittests/sshkey/ | ||
7517 | {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in | ||
7518 | ifdefs. | ||
7519 | |||
7520 | commit 5573171352ea23df2dc6d2fe0324d023b7ba697c | ||
7521 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7522 | Date: Mon Jul 21 02:24:59 2014 +1000 | ||
7523 | |||
7524 | - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits | ||
7525 | needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm | ||
7526 | |||
7527 | commit 74e28682711d005026c7c8f15f96aea9d3c8b5a3 | ||
7528 | Author: Tim Rice <tim@multitalents.net> | ||
7529 | Date: Fri Jul 18 20:00:11 2014 -0700 | ||
7530 | |||
7531 | - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used | ||
7532 | in servconf.h. | ||
7533 | |||
7534 | commit d1a0421f8e5e933fee6fb58ee6b9a22c63c8a613 | ||
7535 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7536 | Date: Sat Jul 19 07:23:55 2014 +1000 | ||
7537 | |||
7538 | - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC. | ||
7539 | |||
7540 | commit f0fe9ea1be62227c130b317769de3d1e736b6dc1 | ||
7541 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7542 | Date: Sat Jul 19 06:33:12 2014 +1000 | ||
7543 | |||
7544 | - (dtucker) [Makefile.in] Add a t-exec target to run just the executable | ||
7545 | tests. | ||
7546 | |||
7547 | commit 450bc1180d4b061434a4b733c5c8814fa30b022b | ||
7548 | Author: Darren Tucker <dtucker@zip.com.au> | ||
7549 | Date: Sat Jul 19 06:23:18 2014 +1000 | ||
7550 | |||
7551 | - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used | ||
7552 | in servconf.h. | ||
7553 | |||
7554 | commit ab2ec586baad122ed169285c31927ccf58bc7b28 | ||
7555 | Author: Damien Miller <djm@mindrot.org> | ||
7556 | Date: Fri Jul 18 15:04:47 2014 +1000 | ||
7557 | |||
7558 | - djm@cvs.openbsd.org 2014/07/18 02:46:01 | ||
7559 | [ssh-agent.c] | ||
7560 | restore umask around listener socket creation (dropped in streamlocal patch | ||
7561 | merge) | ||
7562 | |||
7563 | commit 357610d15946381ae90c271837dcdd0cdce7145f | ||
7564 | Author: Damien Miller <djm@mindrot.org> | ||
7565 | Date: Fri Jul 18 15:04:10 2014 +1000 | ||
7566 | |||
7567 | - djm@cvs.openbsd.org 2014/07/17 07:22:19 | ||
7568 | [mux.c ssh.c] | ||
7569 | reflect stdio-forward ("ssh -W host:port ...") failures in exit status. | ||
7570 | previously we were always returning 0. bz#2255 reported by Brendan | ||
7571 | Germain; ok dtucker | ||
7572 | |||
7573 | commit dad9a4a0b7c2b5d78605f8df28718f116524134e | ||
7574 | Author: Damien Miller <djm@mindrot.org> | ||
7575 | Date: Fri Jul 18 15:03:49 2014 +1000 | ||
7576 | |||
7577 | - djm@cvs.openbsd.org 2014/07/17 00:12:03 | ||
7578 | [key.c] | ||
7579 | silence "incorrect passphrase" error spam; reported and ok dtucker@ | ||
7580 | |||
7581 | commit f42f7684ecbeec6ce50e0310f80b3d6da2aaf533 | ||
7582 | Author: Damien Miller <djm@mindrot.org> | ||
7583 | Date: Fri Jul 18 15:03:27 2014 +1000 | ||
7584 | |||
7585 | - djm@cvs.openbsd.org 2014/07/17 00:10:18 | ||
7586 | [mux.c] | ||
7587 | preserve errno across syscall | ||
7588 | |||
7589 | commit 1b83320628cb0733e3688b85bfe4d388a7c51909 | ||
7590 | Author: Damien Miller <djm@mindrot.org> | ||
7591 | Date: Fri Jul 18 15:03:02 2014 +1000 | ||
7592 | |||
7593 | - djm@cvs.openbsd.org 2014/07/17 00:10:56 | ||
7594 | [sandbox-systrace.c] | ||
7595 | ifdef SYS_sendsyslog so this will compile without patching on -stable | ||
7596 | |||
7597 | commit 6d57656331bcd754d912950e4a18ad259d596e61 | ||
7598 | Author: Damien Miller <djm@mindrot.org> | ||
7599 | Date: Fri Jul 18 15:02:06 2014 +1000 | ||
7600 | |||
7601 | - jmc@cvs.openbsd.org 2014/07/16 14:48:57 | ||
7602 | [ssh.1] | ||
7603 | add the streamlocal* options to ssh's -o list; millert says they're | ||
7604 | irrelevant for scp/sftp; | ||
7605 | |||
7606 | ok markus millert | ||
7607 | |||
7608 | commit 7acefbbcbeab725420ea07397ae35992f505f702 | ||
7609 | Author: Damien Miller <djm@mindrot.org> | ||
7610 | Date: Fri Jul 18 14:11:24 2014 +1000 | ||
7611 | |||
7612 | - millert@cvs.openbsd.org 2014/07/15 15:54:14 | ||
7613 | [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] | ||
7614 | [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] | ||
7615 | [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] | ||
7616 | [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] | ||
7617 | [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] | ||
7618 | [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] | ||
7619 | [sshd_config.5 sshlogin.c] | ||
7620 | Add support for Unix domain socket forwarding. A remote TCP port | ||
7621 | may be forwarded to a local Unix domain socket and vice versa or | ||
7622 | both ends may be a Unix domain socket. This is a reimplementation | ||
7623 | of the streamlocal patches by William Ahern from: | ||
7624 | http://www.25thandclement.com/~william/projects/streamlocal.html | ||
7625 | OK djm@ markus@ | ||
7626 | |||
7627 | commit 6262d760e00714523633bd989d62e273a3dca99a | ||
7628 | Author: Damien Miller <djm@mindrot.org> | ||
7629 | Date: Thu Jul 17 09:52:07 2014 +1000 | ||
7630 | |||
7631 | - tedu@cvs.openbsd.org 2014/07/11 13:54:34 | ||
7632 | [myproposal.h] | ||
7633 | by popular demand, add back hamc-sha1 to server proposal for better compat | ||
7634 | with many clients still in use. ok deraadt | ||
7635 | |||
7636 | commit 9d69d937b46ecba17f16d923e538ceda7b705c7a | ||
7637 | Author: Damien Miller <djm@mindrot.org> | ||
7638 | Date: Thu Jul 17 09:49:37 2014 +1000 | ||
7639 | |||
7640 | - deraadt@cvs.openbsd.org 2014/07/11 08:09:54 | ||
7641 | [sandbox-systrace.c] | ||
7642 | Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking, | ||
7643 | update your kernels and sshd soon.. libc will start using sendsyslog() | ||
7644 | in about 4 days. | ||
7645 | |||
7646 | commit f6293a0b4129826fc2e37e4062f96825df43c326 | ||
7647 | Author: Damien Miller <djm@mindrot.org> | ||
7648 | Date: Thu Jul 17 09:01:25 2014 +1000 | ||
7649 | |||
7650 | - (djm) [digest-openssl.c] Preserve array order when disabling digests. | ||
7651 | Reported by Petr Lautrbach. | ||
7652 | |||
7653 | commit 00f9cd230709c04399ef5ff80492d70a55230694 | ||
7654 | Author: Damien Miller <djm@mindrot.org> | ||
7655 | Date: Tue Jul 15 10:41:38 2014 +1000 | ||
7656 | |||
7657 | - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto | ||
7658 | has been located; fixes builds agains libressl-portable | ||
7659 | |||
7660 | commit 1d0df3249c87019556b83306c28d4769375c2edc | ||
7661 | Author: Damien Miller <djm@mindrot.org> | ||
7662 | Date: Fri Jul 11 09:19:04 2014 +1000 | ||
7663 | |||
7664 | - OpenBSD CVS Sync | ||
7665 | - benno@cvs.openbsd.org 2014/07/09 14:15:56 | ||
7666 | [ssh-add.c] | ||
7667 | fix ssh-add crash while loading more than one key | ||
7668 | ok markus@ | ||
7669 | |||
7670 | commit 7a57eb3d105aa4ced15fb47001092c58811e6d9d | ||
7671 | Author: Damien Miller <djm@mindrot.org> | ||
7672 | Date: Wed Jul 9 13:22:31 2014 +1000 | ||
7673 | |||
7674 | - djm@cvs.openbsd.org 2014/07/07 08:15:26 | ||
7675 | [multiplex.sh] | ||
7676 | remove forced-fatal that I stuck in there to test the new cleanup | ||
7677 | logic and forgot to remove... | ||
7678 | |||
7679 | commit 612f965239a30fe536b11ece1834d9f470aeb029 | ||
7680 | Author: Damien Miller <djm@mindrot.org> | ||
7681 | Date: Wed Jul 9 13:22:03 2014 +1000 | ||
7682 | |||
7683 | - djm@cvs.openbsd.org 2014/07/06 07:42:03 | ||
7684 | [multiplex.sh test-exec.sh] | ||
7685 | add a hook to the cleanup() function to kill $SSH_PID if it is set | ||
7686 | |||
7687 | use it to kill the mux master started in multiplex.sh (it was being left | ||
7688 | around on fatal failures) | ||
7689 | |||
7690 | commit d0bb950485ba121e43a77caf434115ed6417b46f | ||
7691 | Author: Damien Miller <djm@mindrot.org> | ||
7692 | Date: Wed Jul 9 13:07:28 2014 +1000 | ||
7693 | |||
7694 | - djm@cvs.openbsd.org 2014/07/09 03:02:15 | ||
7695 | [key.c] | ||
7696 | downgrade more error() to debug() to better match what old authfile.c | ||
7697 | did; suppresses spurious errors with hostbased authentication enabled | ||
7698 | |||
7699 | commit 0070776a038655c57f57e70cd05e4c38a5de9d84 | ||
7700 | Author: Damien Miller <djm@mindrot.org> | ||
7701 | Date: Wed Jul 9 13:07:06 2014 +1000 | ||
7702 | |||
7703 | - djm@cvs.openbsd.org 2014/07/09 01:45:10 | ||
7704 | [sftp.c] | ||
7705 | more useful error message when GLOB_NOSPACE occurs; | ||
7706 | bz#2254, patch from Orion Poplawski | ||
7707 | |||
7708 | commit 079bac2a43c74ef7cf56850afbab3b1932534c50 | ||
7709 | Author: Damien Miller <djm@mindrot.org> | ||
7710 | Date: Wed Jul 9 13:06:25 2014 +1000 | ||
7711 | |||
7712 | - djm@cvs.openbsd.org 2014/07/07 08:19:12 | ||
7713 | [ssh_config.5] | ||
7714 | mention that ProxyCommand is executed using shell "exec" to avoid | ||
7715 | a lingering process; bz#1977 | ||
7716 | |||
7717 | commit 3a48cc090096cf99b9de592deb5f90e444edebfb | ||
7718 | Author: Damien Miller <djm@mindrot.org> | ||
7719 | Date: Sun Jul 6 09:32:49 2014 +1000 | ||
7720 | |||
7721 | - djm@cvs.openbsd.org 2014/07/05 23:11:48 | ||
7722 | [channels.c] | ||
7723 | fix remote-forward cancel regression; ok markus@ | ||
7724 | |||
7725 | commit 48bae3a38cb578713e676708164f6e7151cc64fa | ||
7726 | Author: Damien Miller <djm@mindrot.org> | ||
7727 | Date: Sun Jul 6 09:27:06 2014 +1000 | ||
7728 | |||
7729 | - djm@cvs.openbsd.org 2014/07/03 23:18:35 | ||
7730 | [authfile.h] | ||
7731 | remove leakmalloc droppings | ||
7732 | |||
7733 | commit 72e6b5c9ed5e72ca3a6ccc3177941b7c487a0826 | ||
7734 | Author: Damien Miller <djm@mindrot.org> | ||
7735 | Date: Fri Jul 4 09:00:04 2014 +1000 | ||
7736 | |||
7737 | - djm@cvs.openbsd.org 2014/07/03 22:40:43 | ||
7738 | [servconf.c servconf.h session.c sshd.8 sshd_config.5] | ||
7739 | Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is | ||
7740 | executed, mirroring the no-user-rc authorized_keys option; | ||
7741 | bz#2160; ok markus@ | ||
7742 | |||
7743 | commit 602943d1179a08dfa70af94f62296ea5e3d6ebb8 | ||
7744 | Author: Damien Miller <djm@mindrot.org> | ||
7745 | Date: Fri Jul 4 08:59:41 2014 +1000 | ||
7746 | |||
7747 | - djm@cvs.openbsd.org 2014/07/03 22:33:41 | ||
7748 | [channels.c] | ||
7749 | allow explicit ::1 and 127.0.0.1 forwarding bind addresses when | ||
7750 | GatewayPorts=no; allows client to choose address family; | ||
7751 | bz#2222 ok markus@ | ||
7752 | |||
7753 | commit 6b37fbb7921d156b31e2c8f39d9e1b6746c34983 | ||
7754 | Author: Damien Miller <djm@mindrot.org> | ||
7755 | Date: Fri Jul 4 08:59:24 2014 +1000 | ||
7756 | |||
7757 | - djm@cvs.openbsd.org 2014/07/03 22:23:46 | ||
7758 | [sshconnect.c] | ||
7759 | when rekeying, skip file/DNS lookup if it is the same as the key sent | ||
7760 | during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@ | ||
7761 | |||
7762 | commit d2c3cd5f2e47ee24cf7093ce8e948c2e79dfc3fd | ||
7763 | Author: Damien Miller <djm@mindrot.org> | ||
7764 | Date: Fri Jul 4 08:59:01 2014 +1000 | ||
7765 | |||
7766 | - jsing@cvs.openbsd.org 2014/07/03 12:42:16 | ||
7767 | [cipher-chachapoly.c] | ||
7768 | Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this | ||
7769 | makes it easier to verify that chacha_encrypt_bytes() is only called once | ||
7770 | per chacha_ivsetup() call. | ||
7771 | ok djm@ | ||
7772 | |||
7773 | commit 686feb560ec43a06ba04da82b50f3c183c947309 | ||
7774 | Author: Damien Miller <djm@mindrot.org> | ||
7775 | Date: Thu Jul 3 21:29:38 2014 +1000 | ||
7776 | |||
7777 | - djm@cvs.openbsd.org 2014/07/03 11:16:55 | ||
7778 | [auth.c auth.h auth1.c auth2.c] | ||
7779 | make the "Too many authentication failures" message include the | ||
7780 | user, source address, port and protocol in a format similar to the | ||
7781 | authentication success / failure messages; bz#2199, ok dtucker | ||
7782 | |||
7783 | commit 0f12341402e18fd9996ec23189b9418d2722453f | ||
7784 | Author: Damien Miller <djm@mindrot.org> | ||
7785 | Date: Thu Jul 3 21:28:09 2014 +1000 | ||
7786 | |||
7787 | - jmc@cvs.openbsd.org 2014/07/03 07:45:27 | ||
7788 | [ssh_config.5] | ||
7789 | escape %C since groff thinks it part of an Rs/Re block; | ||
7790 | |||
7791 | commit 9c38643c5cd47a19db2cc28279dcc28abadc22b3 | ||
7792 | Author: Damien Miller <djm@mindrot.org> | ||
7793 | Date: Thu Jul 3 21:27:46 2014 +1000 | ||
7794 | |||
7795 | - djm@cvs.openbsd.org 2014/07/03 06:39:19 | ||
7796 | [ssh.c ssh_config.5] | ||
7797 | Add a %C escape sequence for LocalCommand and ControlPath that expands | ||
7798 | to a unique identifer based on a has of the tuple of (local host, | ||
7799 | remote user, hostname, port). | ||
7800 | |||
7801 | Helps avoid exceeding sockaddr_un's miserly pathname limits for mux | ||
7802 | control paths. | ||
7803 | |||
7804 | bz#2220, based on patch from mancha1 AT zoho.com; ok markus@ | ||
7805 | |||
7806 | commit 49d9bfe2b2f3e90cc158a215dffa7675e57e7830 | ||
7807 | Author: Damien Miller <djm@mindrot.org> | ||
7808 | Date: Thu Jul 3 21:26:42 2014 +1000 | ||
7809 | |||
7810 | - djm@cvs.openbsd.org 2014/07/03 05:38:17 | ||
7811 | [ssh.1] | ||
7812 | document that -g will only work in the multiplexed case if applied to | ||
7813 | the mux master | ||
7814 | |||
7815 | commit ef9f13ba4c58057b2166d1f2e790535da402fbe5 | ||
7816 | Author: Damien Miller <djm@mindrot.org> | ||
7817 | Date: Thu Jul 3 21:26:21 2014 +1000 | ||
7818 | |||
7819 | - djm@cvs.openbsd.org 2014/07/03 05:32:36 | ||
7820 | [ssh_config.5] | ||
7821 | mention '%%' escape sequence in HostName directives and how it may | ||
7822 | be used to specify IPv6 link-local addresses | ||
7823 | |||
7824 | commit e6a407789e5432dd2e53336fb73476cc69048c54 | ||
7825 | Author: Damien Miller <djm@mindrot.org> | ||
7826 | Date: Thu Jul 3 21:25:03 2014 +1000 | ||
7827 | |||
7828 | - djm@cvs.openbsd.org 2014/07/03 04:36:45 | ||
7829 | [digest.h] | ||
7830 | forward-declare struct sshbuf so consumers don't need to include sshbuf.h | ||
7831 | |||
7832 | commit 4a1d3d50f02d0a8a4ef95ea4749293cbfb89f919 | ||
7833 | Author: Damien Miller <djm@mindrot.org> | ||
7834 | Date: Thu Jul 3 21:24:40 2014 +1000 | ||
7835 | |||
7836 | - djm@cvs.openbsd.org 2014/07/03 03:47:27 | ||
7837 | [ssh-keygen.c] | ||
7838 | When hashing or removing hosts using ssh-keygen, don't choke on | ||
7839 | @revoked markers and don't remove @cert-authority markers; | ||
7840 | bz#2241, reported by mlindgren AT runelind.net | ||
7841 | |||
7842 | commit e5c0d52ceb575c3db8c313e0b1aa3845943d7ba8 | ||
7843 | Author: Damien Miller <djm@mindrot.org> | ||
7844 | Date: Thu Jul 3 21:24:19 2014 +1000 | ||
7845 | |||
7846 | - djm@cvs.openbsd.org 2014/07/03 03:34:09 | ||
7847 | [gss-serv.c session.c ssh-keygen.c] | ||
7848 | standardise on NI_MAXHOST for gethostname() string lengths; about | ||
7849 | 1/2 the cases were using it already. Fixes bz#2239 en passant | ||
7850 | |||
7851 | commit c174a3b7c14e0d178c61219de2aa1110e209950c | ||
7852 | Author: Damien Miller <djm@mindrot.org> | ||
7853 | Date: Thu Jul 3 21:23:24 2014 +1000 | ||
7854 | |||
7855 | - djm@cvs.openbsd.org 2014/07/03 03:26:43 | ||
7856 | [digest-openssl.c] | ||
7857 | use EVP_Digest() for one-shot hash instead of creating, updating, | ||
7858 | finalising and destroying a context. | ||
7859 | bz#2231, based on patch from Timo Teras | ||
7860 | |||
7861 | commit d7ca2cd31ecc4d63a055e2dcc4bf35c13f2db4c5 | ||
7862 | Author: Damien Miller <djm@mindrot.org> | ||
7863 | Date: Thu Jul 3 21:23:01 2014 +1000 | ||
7864 | |||
7865 | - djm@cvs.openbsd.org 2014/07/03 03:15:01 | ||
7866 | [ssh-add.c] | ||
7867 | make stdout line-buffered; saves partial output getting lost when | ||
7868 | ssh-add fatal()s part-way through (e.g. when listing keys from an | ||
7869 | agent that supports key types that ssh-add doesn't); | ||
7870 | bz#2234, reported by Phil Pennock | ||
7871 | |||
7872 | commit b1e967c8d7c7578dd0c172d85b3046cf54ea42ba | ||
7873 | Author: Damien Miller <djm@mindrot.org> | ||
7874 | Date: Thu Jul 3 21:22:40 2014 +1000 | ||
7875 | |||
7876 | - djm@cvs.openbsd.org 2014/07/03 03:11:03 | ||
7877 | [ssh-agent.c] | ||
7878 | Only cleanup agent socket in the main agent process and not in any | ||
7879 | subprocesses it may have started (e.g. forked askpass). Fixes | ||
7880 | agent sockets being zapped when askpass processes fatal(); | ||
7881 | bz#2236 patch from Dmitry V. Levin | ||
7882 | |||
7883 | commit 61e28e55c3438d796b02ef878bcd28620d452670 | ||
7884 | Author: Damien Miller <djm@mindrot.org> | ||
7885 | Date: Thu Jul 3 21:22:22 2014 +1000 | ||
7886 | |||
7887 | - djm@cvs.openbsd.org 2014/07/03 01:45:38 | ||
7888 | [sshkey.c] | ||
7889 | make Ed25519 keys' title fit properly in the randomart border; bz#2247 | ||
7890 | based on patch from Christian Hesse | ||
7891 | |||
7892 | commit 9eb4cd9a32c32d40d36450b68ed93badc6a94c68 | ||
7893 | Author: Damien Miller <djm@mindrot.org> | ||
7894 | Date: Thu Jul 3 13:29:50 2014 +1000 | ||
7895 | |||
7896 | - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist; | ||
7897 | bz#2237 | ||
7898 | |||
7899 | commit 8da0fa24934501909408327298097b1629b89eaa | ||
7900 | Author: Damien Miller <djm@mindrot.org> | ||
7901 | Date: Thu Jul 3 11:54:19 2014 +1000 | ||
7902 | |||
7903 | - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto | ||
7904 | doesn't support it. | ||
7905 | |||
7906 | commit 81309c857dd0dbc0a1245a16d621c490ad48cfbb | ||
7907 | Author: Damien Miller <djm@mindrot.org> | ||
7908 | Date: Wed Jul 2 17:45:55 2014 +1000 | ||
7909 | |||
7910 | - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test | ||
7911 | |||
7912 | commit 82b2482ce68654815ee049b9bf021bb362a35ff2 | ||
7913 | Author: Damien Miller <djm@mindrot.org> | ||
7914 | Date: Wed Jul 2 17:43:41 2014 +1000 | ||
7915 | |||
7916 | - (djm) [sshkey.c] Conditionalise inclusion of util.h | ||
7917 | |||
7918 | commit dd8b1dd7933eb6f5652641b0cdced34a387f2e80 | ||
7919 | Author: Damien Miller <djm@mindrot.org> | ||
7920 | Date: Wed Jul 2 17:38:31 2014 +1000 | ||
7921 | |||
7922 | - djm@cvs.openbsd.org 2014/06/24 01:14:17 | ||
7923 | [Makefile.in regress/Makefile regress/unittests/Makefile] | ||
7924 | [regress/unittests/sshkey/Makefile] | ||
7925 | [regress/unittests/sshkey/common.c] | ||
7926 | [regress/unittests/sshkey/common.h] | ||
7927 | [regress/unittests/sshkey/mktestdata.sh] | ||
7928 | [regress/unittests/sshkey/test_file.c] | ||
7929 | [regress/unittests/sshkey/test_fuzz.c] | ||
7930 | [regress/unittests/sshkey/test_sshkey.c] | ||
7931 | [regress/unittests/sshkey/tests.c] | ||
7932 | [regress/unittests/sshkey/testdata/dsa_1] | ||
7933 | [regress/unittests/sshkey/testdata/dsa_1-cert.fp] | ||
7934 | [regress/unittests/sshkey/testdata/dsa_1-cert.pub] | ||
7935 | [regress/unittests/sshkey/testdata/dsa_1.fp] | ||
7936 | [regress/unittests/sshkey/testdata/dsa_1.fp.bb] | ||
7937 | [regress/unittests/sshkey/testdata/dsa_1.param.g] | ||
7938 | [regress/unittests/sshkey/testdata/dsa_1.param.priv] | ||
7939 | [regress/unittests/sshkey/testdata/dsa_1.param.pub] | ||
7940 | [regress/unittests/sshkey/testdata/dsa_1.pub] | ||
7941 | [regress/unittests/sshkey/testdata/dsa_1_pw] | ||
7942 | [regress/unittests/sshkey/testdata/dsa_2] | ||
7943 | [regress/unittests/sshkey/testdata/dsa_2.fp] | ||
7944 | [regress/unittests/sshkey/testdata/dsa_2.fp.bb] | ||
7945 | [regress/unittests/sshkey/testdata/dsa_2.pub] | ||
7946 | [regress/unittests/sshkey/testdata/dsa_n] | ||
7947 | [regress/unittests/sshkey/testdata/dsa_n_pw] | ||
7948 | [regress/unittests/sshkey/testdata/ecdsa_1] | ||
7949 | [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp] | ||
7950 | [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub] | ||
7951 | [regress/unittests/sshkey/testdata/ecdsa_1.fp] | ||
7952 | [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb] | ||
7953 | [regress/unittests/sshkey/testdata/ecdsa_1.param.curve] | ||
7954 | [regress/unittests/sshkey/testdata/ecdsa_1.param.priv] | ||
7955 | [regress/unittests/sshkey/testdata/ecdsa_1.param.pub] | ||
7956 | [regress/unittests/sshkey/testdata/ecdsa_1.pub] | ||
7957 | [regress/unittests/sshkey/testdata/ecdsa_1_pw] | ||
7958 | [regress/unittests/sshkey/testdata/ecdsa_2] | ||
7959 | [regress/unittests/sshkey/testdata/ecdsa_2.fp] | ||
7960 | [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb] | ||
7961 | [regress/unittests/sshkey/testdata/ecdsa_2.param.curve] | ||
7962 | [regress/unittests/sshkey/testdata/ecdsa_2.param.priv] | ||
7963 | [regress/unittests/sshkey/testdata/ecdsa_2.param.pub] | ||
7964 | [regress/unittests/sshkey/testdata/ecdsa_2.pub] | ||
7965 | [regress/unittests/sshkey/testdata/ecdsa_n] | ||
7966 | [regress/unittests/sshkey/testdata/ecdsa_n_pw] | ||
7967 | [regress/unittests/sshkey/testdata/ed25519_1] | ||
7968 | [regress/unittests/sshkey/testdata/ed25519_1-cert.fp] | ||
7969 | [regress/unittests/sshkey/testdata/ed25519_1-cert.pub] | ||
7970 | [regress/unittests/sshkey/testdata/ed25519_1.fp] | ||
7971 | [regress/unittests/sshkey/testdata/ed25519_1.fp.bb] | ||
7972 | [regress/unittests/sshkey/testdata/ed25519_1.pub] | ||
7973 | [regress/unittests/sshkey/testdata/ed25519_1_pw] | ||
7974 | [regress/unittests/sshkey/testdata/ed25519_2] | ||
7975 | [regress/unittests/sshkey/testdata/ed25519_2.fp] | ||
7976 | [regress/unittests/sshkey/testdata/ed25519_2.fp.bb] | ||
7977 | [regress/unittests/sshkey/testdata/ed25519_2.pub] | ||
7978 | [regress/unittests/sshkey/testdata/pw] | ||
7979 | [regress/unittests/sshkey/testdata/rsa1_1] | ||
7980 | [regress/unittests/sshkey/testdata/rsa1_1.fp] | ||
7981 | [regress/unittests/sshkey/testdata/rsa1_1.fp.bb] | ||
7982 | [regress/unittests/sshkey/testdata/rsa1_1.param.n] | ||
7983 | [regress/unittests/sshkey/testdata/rsa1_1.pub] | ||
7984 | [regress/unittests/sshkey/testdata/rsa1_1_pw] | ||
7985 | [regress/unittests/sshkey/testdata/rsa1_2] | ||
7986 | [regress/unittests/sshkey/testdata/rsa1_2.fp] | ||
7987 | [regress/unittests/sshkey/testdata/rsa1_2.fp.bb] | ||
7988 | [regress/unittests/sshkey/testdata/rsa1_2.param.n] | ||
7989 | [regress/unittests/sshkey/testdata/rsa1_2.pub] | ||
7990 | [regress/unittests/sshkey/testdata/rsa_1] | ||
7991 | [regress/unittests/sshkey/testdata/rsa_1-cert.fp] | ||
7992 | [regress/unittests/sshkey/testdata/rsa_1-cert.pub] | ||
7993 | [regress/unittests/sshkey/testdata/rsa_1.fp] | ||
7994 | [regress/unittests/sshkey/testdata/rsa_1.fp.bb] | ||
7995 | [regress/unittests/sshkey/testdata/rsa_1.param.n] | ||
7996 | [regress/unittests/sshkey/testdata/rsa_1.param.p] | ||
7997 | [regress/unittests/sshkey/testdata/rsa_1.param.q] | ||
7998 | [regress/unittests/sshkey/testdata/rsa_1.pub] | ||
7999 | [regress/unittests/sshkey/testdata/rsa_1_pw] | ||
8000 | [regress/unittests/sshkey/testdata/rsa_2] | ||
8001 | [regress/unittests/sshkey/testdata/rsa_2.fp] | ||
8002 | [regress/unittests/sshkey/testdata/rsa_2.fp.bb] | ||
8003 | [regress/unittests/sshkey/testdata/rsa_2.param.n] | ||
8004 | [regress/unittests/sshkey/testdata/rsa_2.param.p] | ||
8005 | [regress/unittests/sshkey/testdata/rsa_2.param.q] | ||
8006 | [regress/unittests/sshkey/testdata/rsa_2.pub] | ||
8007 | [regress/unittests/sshkey/testdata/rsa_n] | ||
8008 | [regress/unittests/sshkey/testdata/rsa_n_pw] | ||
8009 | unit and fuzz tests for new key API | ||
8010 | |||
8011 | commit c1dc24b71f087f385b92652b9673f52af64e0428 | ||
8012 | Author: Damien Miller <djm@mindrot.org> | ||
8013 | Date: Wed Jul 2 17:02:03 2014 +1000 | ||
8014 | |||
8015 | - djm@cvs.openbsd.org 2014/06/24 01:04:43 | ||
8016 | [regress/krl.sh] | ||
8017 | regress test for broken consecutive revoked serial number ranges | ||
8018 | |||
8019 | commit 43d3ed2dd3feca6d0326c7dc82588d2faa115e92 | ||
8020 | Author: Damien Miller <djm@mindrot.org> | ||
8021 | Date: Wed Jul 2 17:01:08 2014 +1000 | ||
8022 | |||
8023 | - djm@cvs.openbsd.org 2014/05/21 07:04:21 | ||
8024 | [regress/integrity.sh] | ||
8025 | when failing because of unexpected output, show the offending output | ||
8026 | |||
8027 | commit 5a96707ffc8d227c2e7d94fa6b0317f8a152cf4e | ||
8028 | Author: Damien Miller <djm@mindrot.org> | ||
8029 | Date: Wed Jul 2 15:38:05 2014 +1000 | ||
8030 | |||
8031 | - djm@cvs.openbsd.org 2014/04/30 05:32:00 | ||
8032 | [regress/Makefile] | ||
8033 | unit tests for new buffer API; including basic fuzz testing | ||
8034 | NB. Id sync only. | ||
8035 | |||
8036 | commit 3ff92ba756aee48e4ae3e0aeff7293517b3dd185 | ||
8037 | Author: Damien Miller <djm@mindrot.org> | ||
8038 | Date: Wed Jul 2 15:33:09 2014 +1000 | ||
8039 | |||
8040 | - djm@cvs.openbsd.org 2014/06/30 12:54:39 | ||
8041 | [key.c] | ||
8042 | suppress spurious error message when loading key with a passphrase; | ||
8043 | reported by kettenis@ ok markus@ | ||
8044 | - djm@cvs.openbsd.org 2014/07/02 04:59:06 | ||
8045 | [cipher-3des1.c] | ||
8046 | fix ssh protocol 1 on the server that regressed with the sshkey change | ||
8047 | (sometimes fatal() after auth completed), make file return useful status | ||
8048 | codes. | ||
8049 | NB. Id sync only for these two. They were bundled into the sshkey merge | ||
8050 | above, since it was easier to sync the entire file and then apply | ||
8051 | portable-specific changed atop it. | ||
8052 | |||
8053 | commit ec3d0e24a1e46873d80507f5cd8ee6d0d03ac5dc | ||
8054 | Author: Damien Miller <djm@mindrot.org> | ||
8055 | Date: Wed Jul 2 15:30:00 2014 +1000 | ||
8056 | |||
8057 | - markus@cvs.openbsd.org 2014/06/27 18:50:39 | ||
8058 | [ssh-add.c] | ||
8059 | fix loading of private keys | ||
8060 | |||
8061 | commit 4b3ed647d5b328cf68e6a8ffbee490d8e0683e82 | ||
8062 | Author: Damien Miller <djm@mindrot.org> | ||
8063 | Date: Wed Jul 2 15:29:40 2014 +1000 | ||
8064 | |||
8065 | - markus@cvs.openbsd.org 2014/06/27 16:41:56 | ||
8066 | [channels.c channels.h clientloop.c ssh.c] | ||
8067 | fix remote fwding with same listen port but different listen address | ||
8068 | with gerhard@, ok djm@ | ||
8069 | |||
8070 | commit 9e01ff28664921ce9b6500681333e42fb133b4d0 | ||
8071 | Author: Damien Miller <djm@mindrot.org> | ||
8072 | Date: Wed Jul 2 15:29:21 2014 +1000 | ||
8073 | |||
8074 | - deraadt@cvs.openbsd.org 2014/06/25 14:16:09 | ||
8075 | [sshbuf.c] | ||
8076 | unblock SIGSEGV before raising it | ||
8077 | ok djm | ||
8078 | |||
8079 | commit 1845fe6bda0729e52f4c645137f4fc3070b5438a | ||
8080 | Author: Damien Miller <djm@mindrot.org> | ||
8081 | Date: Wed Jul 2 15:29:01 2014 +1000 | ||
8082 | |||
8083 | - djm@cvs.openbsd.org 2014/06/24 02:21:01 | ||
8084 | [scp.c] | ||
8085 | when copying local->remote fails during read, don't send uninitialised | ||
8086 | heap to the remote end. Reported by Jann Horn | ||
8087 | |||
8088 | commit 19439e9a2a0ac0b4b3b1210e89695418beb1c883 | ||
8089 | Author: Damien Miller <djm@mindrot.org> | ||
8090 | Date: Wed Jul 2 15:28:40 2014 +1000 | ||
8091 | |||
8092 | - djm@cvs.openbsd.org 2014/06/24 02:19:48 | ||
8093 | [ssh.c] | ||
8094 | don't fatal() when hostname canonicalisation fails with a | ||
8095 | ProxyCommand in use; continue and allow the ProxyCommand to | ||
8096 | connect anyway (e.g. to a host with a name outside the DNS | ||
8097 | behind a bastion) | ||
8098 | |||
8099 | commit 8668706d0f52654fe64c0ca41a96113aeab8d2b8 | ||
8100 | Author: Damien Miller <djm@mindrot.org> | ||
8101 | Date: Wed Jul 2 15:28:02 2014 +1000 | ||
8102 | |||
8103 | - djm@cvs.openbsd.org 2014/06/24 01:13:21 | ||
8104 | [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c | ||
8105 | [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c | ||
8106 | [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h | ||
8107 | [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h | ||
8108 | [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h | ||
8109 | [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c | ||
8110 | [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c | ||
8111 | [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c | ||
8112 | [sshconnect2.c sshd.c sshkey.c sshkey.h | ||
8113 | [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] | ||
8114 | New key API: refactor key-related functions to be more library-like, | ||
8115 | existing API is offered as a set of wrappers. | ||
8116 | |||
8117 | with and ok markus@ | ||
8118 | |||
8119 | Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew | ||
8120 | Dempsky and Ron Bowes for a detailed review a few months ago. | ||
8121 | |||
8122 | NB. This commit also removes portable OpenSSH support for OpenSSL | ||
8123 | <0.9.8e. | ||
8124 | |||
8125 | commit 2cd7929250cf9e9f658d70dcd452f529ba08c942 | ||
8126 | Author: Damien Miller <djm@mindrot.org> | ||
8127 | Date: Wed Jul 2 12:48:30 2014 +1000 | ||
8128 | |||
8129 | - djm@cvs.openbsd.org 2014/06/24 00:52:02 | ||
8130 | [krl.c] | ||
8131 | fix bug in KRL generation: multiple consecutive revoked certificate | ||
8132 | serial number ranges could be serialised to an invalid format. | ||
8133 | |||
8134 | Readers of a broken KRL caused by this bug will fail closed, so no | ||
8135 | should-have-been-revoked key will be accepted. | ||
8136 | |||
8137 | commit 99db840ee8dbbd2b3fbc6c45d0ee2f6a65e96898 | ||
8138 | Author: Damien Miller <djm@mindrot.org> | ||
8139 | Date: Wed Jul 2 12:48:04 2014 +1000 | ||
8140 | |||
8141 | - naddy@cvs.openbsd.org 2014/06/18 15:42:09 | ||
8142 | [sshbuf-getput-crypto.c] | ||
8143 | The ssh_get_bignum functions must accept the same range of bignums | ||
8144 | the corresponding ssh_put_bignum functions create. This fixes the | ||
8145 | use of 16384-bit RSA keys (bug reported by Eivind Evensen). | ||
8146 | ok djm@ | ||
8147 | |||
8148 | commit 84a89161a9629239b64171ef3e22ef6a3e462d51 | ||
8149 | Author: Damien Miller <djm@mindrot.org> | ||
8150 | Date: Wed Jul 2 12:47:48 2014 +1000 | ||
8151 | |||
8152 | - matthew@cvs.openbsd.org 2014/06/18 02:59:13 | ||
8153 | [sandbox-systrace.c] | ||
8154 | Now that we have a dedicated getentropy(2) system call for | ||
8155 | arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace | ||
8156 | sandbox. | ||
8157 | |||
8158 | ok djm | ||
8159 | |||
8160 | commit 51504ceec627c0ad57b9f75585c7b3d277f326be | ||
8161 | Author: Damien Miller <djm@mindrot.org> | ||
8162 | Date: Wed Jul 2 12:47:25 2014 +1000 | ||
8163 | |||
8164 | - deraadt@cvs.openbsd.org 2014/06/13 08:26:29 | ||
8165 | [sandbox-systrace.c] | ||
8166 | permit SYS_getentropy | ||
8167 | from matthew | ||
8168 | |||
8169 | commit a261b8df59117f7dc52abb3a34b35a40c2c9fa88 | ||
8170 | Author: Tim Rice <tim@multitalents.net> | ||
8171 | Date: Wed Jun 18 16:17:28 2014 -0700 | ||
8172 | |||
8173 | - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare | ||
8174 | |||
8175 | commit 316fac6f18f87262a315c79bcf68b9f92c9337e4 | ||
8176 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8177 | Date: Tue Jun 17 23:06:07 2014 +1000 | ||
8178 | |||
8179 | - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h} | ||
8180 | openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] | ||
8181 | Move the OpenSSL header/library version test into its own function and add | ||
8182 | tests for it. Fix it to allow fix version upgrades (but not downgrades). | ||
8183 | Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). | ||
8184 | ok djm@ chl@ | ||
8185 | |||
8186 | commit af665bb7b092a59104db1e65577851cf35b86e32 | ||
8187 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8188 | Date: Mon Jun 16 22:50:55 2014 +1000 | ||
8189 | |||
8190 | - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via | ||
8191 | OpenSMTPD and chl@ | ||
8192 | |||
8193 | commit f9696566fb41320820f3b257ab564fa321bb3751 | ||
8194 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8195 | Date: Fri Jun 13 11:06:04 2014 +1000 | ||
8196 | |||
8197 | - (dtucker) [configure.ac] Remove tcpwrappers support, support has already | ||
8198 | been removed from sshd.c. | ||
8199 | |||
8200 | commit 5e2b8894b0b24af4ad0a2f7aa33ebf255df7a8bc | ||
8201 | Author: Tim Rice <tim@multitalents.net> | ||
8202 | Date: Wed Jun 11 18:31:10 2014 -0700 | ||
8203 | |||
8204 | - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for | ||
8205 | u_intXX_t types. | ||
8206 | |||
8207 | commit 985ee2cbc3e43bc65827c3c0d4df3faa99160c37 | ||
8208 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8209 | Date: Thu Jun 12 05:32:29 2014 +1000 | ||
8210 | |||
8211 | - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*] | ||
8212 | Wrap stdlib.h include an ifdef for platforms that don't have it. | ||
8213 | |||
8214 | commit cf5392c2db2bb1dbef9818511d34056404436109 | ||
8215 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8216 | Date: Thu Jun 12 05:22:49 2014 +1000 | ||
8217 | |||
8218 | - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from | ||
8219 | openbsd-compat/bsd-asprintf.c. | ||
8220 | |||
8221 | commit 58538d795e0b662f2f4e5a7193f1204bbe992ddd | ||
8222 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8223 | Date: Wed Jun 11 13:39:24 2014 +1000 | ||
8224 | |||
8225 | - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for | ||
8226 | compat stuff, specifically whether or not OpenSSL has ECC. | ||
8227 | |||
8228 | commit eb012ac581fd0abc16ee86ee3a68cf07c8ce4d08 | ||
8229 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8230 | Date: Wed Jun 11 13:10:00 2014 +1000 | ||
8231 | |||
8232 | - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an | ||
8233 | assigment that might get optimized out. ok djm@ | ||
8234 | |||
8235 | commit b9609fd86c623d6d440e630f5f9a63295f7aea20 | ||
8236 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8237 | Date: Wed Jun 11 08:04:02 2014 +1000 | ||
8238 | |||
8239 | - (dtucker) [sshbuf.h] Only declare ECC functions if building without | ||
8240 | OpenSSL or if OpenSSL has ECC. | ||
8241 | |||
8242 | commit a54a040f66944c6e8913df8635a01a2327219be9 | ||
8243 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8244 | Date: Wed Jun 11 07:58:35 2014 +1000 | ||
8245 | |||
8246 | - dtucker@cvs.openbsd.org 2014/06/10 21:46:11 | ||
8247 | [sshbuf.h] | ||
8248 | Group ECC functions together to make things a little easier in -portable. | ||
8249 | "doesn't bother me" deraadt@ | ||
8250 | |||
8251 | commit 9f92c53bad04a89067756be8198d4ec2d8a08875 | ||
8252 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8253 | Date: Wed Jun 11 07:57:58 2014 +1000 | ||
8254 | |||
8255 | - djm@cvs.openbsd.org 2014/06/05 22:17:50 | ||
8256 | [sshconnect2.c] | ||
8257 | fix inverted test that caused PKCS#11 keys that were explicitly listed | ||
8258 | not to be preferred. Reported by Dirk-Willem van Gulik | ||
8259 | |||
8260 | commit 15c254a25394f96643da2ad0f674acdc51e89856 | ||
8261 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8262 | Date: Wed Jun 11 07:38:49 2014 +1000 | ||
8263 | |||
8264 | - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef | ||
8265 | ECC variable too. | ||
8266 | |||
8267 | commit d7af0cc5bf273eeed0897a99420bc26841d07d8f | ||
8268 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8269 | Date: Wed Jun 11 07:37:25 2014 +1000 | ||
8270 | |||
8271 | - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in | ||
8272 | the proposal if the version of OpenSSL we're using doesn't support ECC. | ||
8273 | |||
8274 | commit 67508ac2563c33d582be181a3e777c65f549d22f | ||
8275 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8276 | Date: Wed Jun 11 06:27:16 2014 +1000 | ||
8277 | |||
8278 | - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c | ||
8279 | regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256 | ||
8280 | curve tests if OpenSSL has them. | ||
8281 | |||
8282 | commit 6482d90a65459a88c18c925368525855832272b3 | ||
8283 | Author: Damien Miller <djm@mindrot.org> | ||
8284 | Date: Tue May 27 14:34:42 2014 +1000 | ||
8285 | |||
8286 | - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c] | ||
8287 | [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege | ||
8288 | separation user at runtime, since it may need to be a domain account. | ||
8289 | Patch from Corinna Vinschen. | ||
8290 | |||
8291 | commit f9eb5e0734f7a7f6e975809eb54684d2a06a7ffc | ||
8292 | Author: Damien Miller <djm@mindrot.org> | ||
8293 | Date: Tue May 27 14:31:58 2014 +1000 | ||
8294 | |||
8295 | - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config | ||
8296 | from Corinna Vinschen, fixing a number of bugs and preparing for | ||
8297 | Cygwin 1.7.30. | ||
8298 | |||
8299 | commit eae88744662e6b149f43ef071657727f1a157d95 | ||
8300 | Author: Damien Miller <djm@mindrot.org> | ||
8301 | Date: Tue May 27 14:27:02 2014 +1000 | ||
8302 | |||
8303 | - (djm) [cipher.c] Fix merge botch. | ||
8304 | |||
8305 | commit 564b5e253c1d95c26a00e8288f0089a2571661c3 | ||
8306 | Author: Damien Miller <djm@mindrot.org> | ||
8307 | Date: Thu May 22 08:23:59 2014 +1000 | ||
8308 | |||
8309 | - (djm) [Makefile.in] typo in path | ||
8310 | |||
8311 | commit e84d10302aeaf7a1acb05c451f8718143656856a | ||
8312 | Author: Damien Miller <djm@mindrot.org> | ||
8313 | Date: Wed May 21 17:13:36 2014 +1000 | ||
8314 | |||
8315 | revert a diff I didn't mean to commit | ||
8316 | |||
8317 | commit 795b86313f1f1aab9691666c4f2d5dae6e4acd50 | ||
8318 | Author: Damien Miller <djm@mindrot.org> | ||
8319 | Date: Wed May 21 17:12:53 2014 +1000 | ||
8320 | |||
8321 | - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC | ||
8322 | when it is available. It takes into account time spent suspended, | ||
8323 | thereby ensuring timeouts (e.g. for expiring agent keys) fire | ||
8324 | correctly. bz#2228 reported by John Haxby | ||
8325 | |||
8326 | commit 18912775cb97c0b1e75e838d3c7d4b56648137b5 | ||
8327 | Author: Damien Miller <djm@mindrot.org> | ||
8328 | Date: Wed May 21 17:06:46 2014 +1000 | ||
8329 | |||
8330 | - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use | ||
8331 | vhangup on Linux. It doens't work for non-root users, and for them | ||
8332 | it just messes up the tty settings. | ||
8333 | |||
8334 | commit 7f1c264d3049cd95234e91970ccb5406e1d15b27 | ||
8335 | Author: Damien Miller <djm@mindrot.org> | ||
8336 | Date: Thu May 15 18:01:52 2014 +1000 | ||
8337 | |||
8338 | - (djm) [sshbuf.c] need __predict_false | ||
8339 | |||
8340 | commit e7429f2be8643e1100380a8a7389d85cc286c8fe | ||
8341 | Author: Damien Miller <djm@mindrot.org> | ||
8342 | Date: Thu May 15 18:01:01 2014 +1000 | ||
8343 | |||
8344 | - (djm) [regress/Makefile Makefile.in] | ||
8345 | [regress/unittests/sshbuf/test_sshbuf.c | ||
8346 | [regress/unittests/sshbuf/test_sshbuf_fixed.c] | ||
8347 | [regress/unittests/sshbuf/test_sshbuf_fuzz.c] | ||
8348 | [regress/unittests/sshbuf/test_sshbuf_getput_basic.c] | ||
8349 | [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] | ||
8350 | [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] | ||
8351 | [regress/unittests/sshbuf/test_sshbuf_misc.c] | ||
8352 | [regress/unittests/sshbuf/tests.c] | ||
8353 | [regress/unittests/test_helper/fuzz.c] | ||
8354 | [regress/unittests/test_helper/test_helper.c] | ||
8355 | Hook new unit tests into the build and "make tests" | ||
8356 | |||
8357 | commit def1de086707b0e6b046fe7e115c60aca0227a99 | ||
8358 | Author: Damien Miller <djm@mindrot.org> | ||
8359 | Date: Thu May 15 15:17:15 2014 +1000 | ||
8360 | |||
8361 | - (djm) [regress/unittests/Makefile] | ||
8362 | [regress/unittests/Makefile.inc] | ||
8363 | [regress/unittests/sshbuf/Makefile] | ||
8364 | [regress/unittests/sshbuf/test_sshbuf.c] | ||
8365 | [regress/unittests/sshbuf/test_sshbuf_fixed.c] | ||
8366 | [regress/unittests/sshbuf/test_sshbuf_fuzz.c] | ||
8367 | [regress/unittests/sshbuf/test_sshbuf_getput_basic.c] | ||
8368 | [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c] | ||
8369 | [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] | ||
8370 | [regress/unittests/sshbuf/test_sshbuf_misc.c] | ||
8371 | [regress/unittests/sshbuf/tests.c] | ||
8372 | [regress/unittests/test_helper/Makefile] | ||
8373 | [regress/unittests/test_helper/fuzz.c] | ||
8374 | [regress/unittests/test_helper/test_helper.c] | ||
8375 | [regress/unittests/test_helper/test_helper.h] | ||
8376 | Import new unit tests from OpenBSD; not yet hooked up to build. | ||
8377 | |||
8378 | commit 167685756fde8bc213a8df2c8e1848e312db0f46 | ||
8379 | Author: Damien Miller <djm@mindrot.org> | ||
8380 | Date: Thu May 15 15:08:40 2014 +1000 | ||
8381 | |||
8382 | - logan@cvs.openbsd.org 2014/05/04 10:40:59 | ||
8383 | [connect-privsep.sh] | ||
8384 | Remove the Z flag from the list of malloc options as it | ||
8385 | was removed from malloc.c 10 days ago. | ||
8386 | |||
8387 | OK from miod@ | ||
8388 | |||
8389 | commit d0b69fe90466920d69c96069312e24b581771bd7 | ||
8390 | Author: Damien Miller <djm@mindrot.org> | ||
8391 | Date: Thu May 15 15:08:19 2014 +1000 | ||
8392 | |||
8393 | - dtucker@cvs.openbsd.org 2014/05/03 18:46:14 | ||
8394 | [proxy-connect.sh] | ||
8395 | Add tests for with and without compression, with and without privsep. | ||
8396 | |||
8397 | commit edb1af50441d19fb2dd9ccb4d75bf14473fca584 | ||
8398 | Author: Damien Miller <djm@mindrot.org> | ||
8399 | Date: Thu May 15 15:07:53 2014 +1000 | ||
8400 | |||
8401 | - djm@cvs.openbsd.org 2014/04/21 22:15:37 | ||
8402 | [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh] | ||
8403 | repair regress tests broken by server-side default cipher/kex/mac changes | ||
8404 | by ensuring that the option under test is included in the server's | ||
8405 | algorithm list | ||
8406 | |||
8407 | commit 54343e95c70994695f8842fb22836321350198d3 | ||
8408 | Author: Damien Miller <djm@mindrot.org> | ||
8409 | Date: Thu May 15 15:07:33 2014 +1000 | ||
8410 | |||
8411 | - djm@cvs.openbsd.org 2014/03/13 20:44:49 | ||
8412 | [login-timeout.sh] | ||
8413 | this test is a sorry mess of race conditions; add another sleep | ||
8414 | to avoid a failure on slow machines (at least until I find a | ||
8415 | better way) | ||
8416 | |||
8417 | commit e5b9f0f2ee6e133894307e44e862b66426990733 | ||
8418 | Author: Damien Miller <djm@mindrot.org> | ||
8419 | Date: Thu May 15 14:58:07 2014 +1000 | ||
8420 | |||
8421 | - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c] | ||
8422 | [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes | ||
8423 | |||
8424 | commit b9c566788a9ebd6a9d466f47a532124f111f0542 | ||
8425 | Author: Damien Miller <djm@mindrot.org> | ||
8426 | Date: Thu May 15 14:43:37 2014 +1000 | ||
8427 | |||
8428 | - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write | ||
8429 | portability glue to support building without libcrypto | ||
8430 | |||
8431 | commit 3dc27178b42234b653a32f7a87292d7994045ee3 | ||
8432 | Author: Damien Miller <djm@mindrot.org> | ||
8433 | Date: Thu May 15 14:37:59 2014 +1000 | ||
8434 | |||
8435 | - logan@cvs.openbsd.org 2014/05/05 07:02:30 | ||
8436 | [sftp.c] | ||
8437 | Zap extra whitespace. | ||
8438 | |||
8439 | OK from djm@ and dtucker@ | ||
8440 | |||
8441 | commit c31a0cd5b31961f01c5b731f62a6cb9d4f767472 | ||
8442 | Author: Damien Miller <djm@mindrot.org> | ||
8443 | Date: Thu May 15 14:37:39 2014 +1000 | ||
8444 | |||
8445 | - markus@cvs.openbsd.org 2014/05/03 17:20:34 | ||
8446 | [monitor.c packet.c packet.h] | ||
8447 | unbreak compression, by re-init-ing the compression code in the | ||
8448 | post-auth child. the new buffer code is more strict, and requires | ||
8449 | buffer_init() while the old code was happy after a bzero(); | ||
8450 | originally from djm@ | ||
8451 | |||
8452 | commit 686c7d9ee6f44b2be4128d7860b6b37adaeba733 | ||
8453 | Author: Damien Miller <djm@mindrot.org> | ||
8454 | Date: Thu May 15 14:37:03 2014 +1000 | ||
8455 | |||
8456 | - djm@cvs.openbsd.org 2014/05/02 03:27:54 | ||
8457 | [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c] | ||
8458 | [misc.h poly1305.h ssh-pkcs11.c defines.h] | ||
8459 | revert __bounded change; it causes way more problems for portable than | ||
8460 | it solves; pointed out by dtucker@ | ||
8461 | |||
8462 | commit 294c58a007cfb2f3bddc4fc3217e255857ffb9bf | ||
8463 | Author: Damien Miller <djm@mindrot.org> | ||
8464 | Date: Thu May 15 14:35:03 2014 +1000 | ||
8465 | |||
8466 | - naddy@cvs.openbsd.org 2014/04/30 19:07:48 | ||
8467 | [mac.c myproposal.h umac.c] | ||
8468 | UMAC can use our local fallback implementation of AES when OpenSSL isn't | ||
8469 | available. Glue code straight from Ted Krovetz's original umac.c. | ||
8470 | ok markus@ | ||
8471 | |||
8472 | commit 05e82c3b963c33048128baf72a6f6b3a1c10b4c1 | ||
8473 | Author: Damien Miller <djm@mindrot.org> | ||
8474 | Date: Thu May 15 14:33:43 2014 +1000 | ||
8475 | |||
8476 | - djm@cvs.openbsd.org 2014/04/30 05:29:56 | ||
8477 | [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c] | ||
8478 | [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c] | ||
8479 | [ssherr.h] | ||
8480 | New buffer API; the first installment of the conversion/replacement | ||
8481 | of OpenSSH's internals to make them usable as a standalone library. | ||
8482 | |||
8483 | This includes a set of wrappers to make it compatible with the | ||
8484 | existing buffer API so replacement can occur incrementally. | ||
8485 | |||
8486 | With and ok markus@ | ||
8487 | |||
8488 | Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew | ||
8489 | Dempsky and Ron Bowes for a detailed review. | ||
8490 | |||
8491 | commit 380948180f847a26f2d0c85b4dad3dca2ed2fd8b | ||
8492 | Author: Damien Miller <djm@mindrot.org> | ||
8493 | Date: Thu May 15 14:25:18 2014 +1000 | ||
8494 | |||
8495 | - dtucker@cvs.openbsd.org 2014/04/29 20:36:51 | ||
8496 | [sftp.c] | ||
8497 | Don't attempt to append a nul quote char to the filename. Should prevent | ||
8498 | fatal'ing with "el_insertstr failed" when there's a single quote char | ||
8499 | somewhere in the string. bz#2238, ok markus@ | ||
8500 | |||
8501 | commit d7fd8bedd4619a2ec7fd02aae4c4e1db4431ad9f | ||
8502 | Author: Damien Miller <djm@mindrot.org> | ||
8503 | Date: Thu May 15 14:24:59 2014 +1000 | ||
8504 | |||
8505 | - dtucker@cvs.openbsd.org 2014/04/29 19:58:50 | ||
8506 | [sftp.c] | ||
8507 | Move nulling of variable next to where it's freed. ok markus@ | ||
8508 | |||
8509 | commit 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14 | ||
8510 | Author: Damien Miller <djm@mindrot.org> | ||
8511 | Date: Thu May 15 14:24:09 2014 +1000 | ||
8512 | |||
8513 | - markus@cvs.openbsd.org 2014/04/29 18:01:49 | ||
8514 | [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] | ||
8515 | [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] | ||
8516 | [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] | ||
8517 | [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] | ||
8518 | make compiling against OpenSSL optional (make OPENSSL=no); | ||
8519 | reduces algorithms to curve25519, aes-ctr, chacha, ed25519; | ||
8520 | allows us to explore further options; with and ok djm | ||
8521 | |||
8522 | commit c5893785564498cea73cb60d2cf199490483e080 | ||
8523 | Author: Damien Miller <djm@mindrot.org> | ||
8524 | Date: Thu May 15 13:48:49 2014 +1000 | ||
8525 | |||
8526 | - djm@cvs.openbsd.org 2014/04/29 13:10:30 | ||
8527 | [clientloop.c serverloop.c] | ||
8528 | bz#1818 - don't send channel success/failre replies on channels that | ||
8529 | have sent a close already; analysis and patch from Simon Tatham; | ||
8530 | ok markus@ | ||
8531 | |||
8532 | commit 633de33b192d808d87537834c316dc8b75fe1880 | ||
8533 | Author: Damien Miller <djm@mindrot.org> | ||
8534 | Date: Thu May 15 13:48:26 2014 +1000 | ||
8535 | |||
8536 | - djm@cvs.openbsd.org 2014/04/28 03:09:18 | ||
8537 | [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h] | ||
8538 | [ssh-keygen.c] | ||
8539 | buffer_get_string_ptr's return should be const to remind | ||
8540 | callers that futzing with it will futz with the actual buffer | ||
8541 | contents | ||
8542 | |||
8543 | commit 15271907843e4ae50dcfc83b3594014cf5e9607b | ||
8544 | Author: Damien Miller <djm@mindrot.org> | ||
8545 | Date: Thu May 15 13:47:56 2014 +1000 | ||
8546 | |||
8547 | - djm@cvs.openbsd.org 2014/04/23 12:42:34 | ||
8548 | [readconf.c] | ||
8549 | don't record duplicate IdentityFiles | ||
8550 | |||
8551 | commit 798a02568b13a2e46efebd81f08c8f4bb33a6dc7 | ||
8552 | Author: Damien Miller <djm@mindrot.org> | ||
8553 | Date: Thu May 15 13:47:37 2014 +1000 | ||
8554 | |||
8555 | - jmc@cvs.openbsd.org 2014/04/22 14:16:30 | ||
8556 | [sftp.1] | ||
8557 | zap eol whitespace; | ||
8558 | |||
8559 | commit d875ff78d2b8436807381051de112f0ebf9b9ae1 | ||
8560 | Author: Damien Miller <djm@mindrot.org> | ||
8561 | Date: Thu May 15 13:47:15 2014 +1000 | ||
8562 | |||
8563 | - logan@cvs.openbsd.org 2014/04/22 12:42:04 | ||
8564 | [sftp.1] | ||
8565 | Document sftp upload resume. | ||
8566 | OK from djm@, with feedback from okan@. | ||
8567 | |||
8568 | commit b15cd7bb097fd80dc99520f45290ef775da1ef19 | ||
8569 | Author: Damien Miller <djm@mindrot.org> | ||
8570 | Date: Thu May 15 13:46:52 2014 +1000 | ||
8571 | |||
8572 | - logan@cvs.openbsd.org 2014/04/22 10:07:12 | ||
8573 | [sftp.c] | ||
8574 | Sort the sftp command list. | ||
8575 | OK from djm@ | ||
8576 | |||
8577 | commit d8accc0aa72656ba63d50937165c5ae49db1dcd6 | ||
8578 | Author: Damien Miller <djm@mindrot.org> | ||
8579 | Date: Thu May 15 13:46:25 2014 +1000 | ||
8580 | |||
8581 | - logan@cvs.openbsd.org 2014/04/21 14:36:16 | ||
8582 | [sftp-client.c sftp-client.h sftp.c] | ||
8583 | Implement sftp upload resume support. | ||
8584 | OK from djm@, with input from guenther@, mlarkin@ and | ||
8585 | okan@ | ||
8586 | |||
8587 | commit 16cd3928a87d20c77b13592a74b60b08621d3ce6 | ||
8588 | Author: Damien Miller <djm@mindrot.org> | ||
8589 | Date: Thu May 15 13:45:58 2014 +1000 | ||
8590 | |||
8591 | - logan@cvs.openbsd.org 2014/04/20 09:24:26 | ||
8592 | [dns.c dns.h ssh-keygen.c] | ||
8593 | Add support for SSHFP DNS records for ED25519 key types. | ||
8594 | OK from djm@ | ||
8595 | |||
8596 | commit ec0b67eb3b4e12f296ced1fafa01860c374f7eea | ||
8597 | Author: Damien Miller <djm@mindrot.org> | ||
8598 | Date: Thu May 15 13:45:26 2014 +1000 | ||
8599 | |||
8600 | - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine | ||
8601 | OpenBSD | ||
8602 | |||
8603 | commit f028460d0b2e5a584355321015cde69bf6fd933e | ||
8604 | Author: Darren Tucker <dtucker@zip.com.au> | ||
8605 | Date: Thu May 1 02:24:35 2014 +1000 | ||
8606 | |||
8607 | - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already | ||
8608 | have it. Only attempt to use __attribute__(__bounded__) for gcc. | ||
8609 | |||
8610 | commit b628cc4c3e4a842bab5e4584d18c2bc5fa4d0edf | ||
8611 | Author: Damien Miller <djm@mindrot.org> | ||
8612 | Date: Sun Apr 20 13:33:58 2014 +1000 | ||
8613 | |||
8614 | - djm@cvs.openbsd.org 2014/04/20 02:49:32 | ||
8615 | [compat.c] | ||
8616 | add a canonical 6.6 + curve25519 bignum fix fake version that I can | ||
8617 | recommend people use ahead of the openssh-6.7 release | ||
8618 | |||
8619 | commit 888566913933a802f3a329ace123ebcb7154cf78 | ||
8620 | Author: Damien Miller <djm@mindrot.org> | ||
8621 | Date: Sun Apr 20 13:33:19 2014 +1000 | ||
8622 | |||
8623 | - djm@cvs.openbsd.org 2014/04/20 02:30:25 | ||
8624 | [misc.c misc.h umac.c] | ||
8625 | use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on | ||
8626 | strict-alignment architectures; reported by and ok stsp@ | ||
8627 | |||
8628 | commit 16f85cbc7e5139950e6a38317e7c8b368beafa5d | ||
8629 | Author: Damien Miller <djm@mindrot.org> | ||
8630 | Date: Sun Apr 20 13:29:28 2014 +1000 | ||
8631 | |||
8632 | - tedu@cvs.openbsd.org 2014/04/19 18:42:19 | ||
8633 | [ssh.1] | ||
8634 | delete .xr to hosts.equiv. there's still an unfortunate amount of | ||
8635 | documentation referring to rhosts equivalency in here. | ||
8636 | |||
8637 | commit 69cb24b7356ec3f0fc5ff04a68f98f2c55c766f4 | ||
8638 | Author: Damien Miller <djm@mindrot.org> | ||
8639 | Date: Sun Apr 20 13:29:06 2014 +1000 | ||
8640 | |||
8641 | - tedu@cvs.openbsd.org 2014/04/19 18:15:16 | ||
8642 | [sshd.8] | ||
8643 | remove some really old rsh references | ||
8644 | |||
8645 | commit 84c1e7bca8c4ceaccf4d5557e39a833585a3c77e | ||
8646 | Author: Damien Miller <djm@mindrot.org> | ||
8647 | Date: Sun Apr 20 13:27:53 2014 +1000 | ||
8648 | |||
8649 | - tedu@cvs.openbsd.org 2014/04/19 14:53:48 | ||
8650 | [ssh-keysign.c sshd.c] | ||
8651 | Delete futile calls to RAND_seed. ok djm | ||
8652 | NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon | ||
8653 | |||
8654 | commit 0e6b67423b8662f9ca4c92750309e144fd637ef1 | ||
8655 | Author: Damien Miller <djm@mindrot.org> | ||
8656 | Date: Sun Apr 20 13:27:01 2014 +1000 | ||
8657 | |||
8658 | - djm@cvs.openbsd.org 2014/04/19 05:54:59 | ||
8659 | [compat.c] | ||
8660 | missing wildcard; pointed out by naddy@ | ||
8661 | |||
8662 | commit 9395b28223334826837c15e8c1bb4dfb3b0d2ca5 | ||
8663 | Author: Damien Miller <djm@mindrot.org> | ||
8664 | Date: Sun Apr 20 13:25:30 2014 +1000 | ||
8665 | |||
8666 | - djm@cvs.openbsd.org 2014/04/18 23:52:25 | ||
8667 | [compat.c compat.h sshconnect2.c sshd.c version.h] | ||
8668 | OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections | ||
8669 | using the curve25519-sha256@libssh.org KEX exchange method to fail | ||
8670 | when connecting with something that implements the spec properly. | ||
8671 | |||
8672 | Disable this KEX method when speaking to one of the affected | ||
8673 | versions. | ||
8674 | |||
8675 | reported by Aris Adamantiadis; ok markus@ | ||
8676 | |||
8677 | commit 8c492da58f8ceb85cf5f7066f23e26fb813a963d | ||
8678 | Author: Damien Miller <djm@mindrot.org> | ||
8679 | Date: Sun Apr 20 13:25:09 2014 +1000 | ||
8680 | |||
8681 | - djm@cvs.openbsd.org 2014/04/16 23:28:12 | ||
8682 | [ssh-agent.1] | ||
8683 | remove the identity files from this manpage - ssh-agent doesn't deal | ||
8684 | with them at all and the same information is duplicated in ssh-add.1 | ||
8685 | (which does deal with them); prodded by deraadt@ | ||
8686 | |||
8687 | commit adbfdbbdccc70c9bd70d81ae096db115445c6e26 | ||
8688 | Author: Damien Miller <djm@mindrot.org> | ||
8689 | Date: Sun Apr 20 13:24:49 2014 +1000 | ||
8690 | |||
8691 | - djm@cvs.openbsd.org 2014/04/16 23:22:45 | ||
8692 | [bufaux.c] | ||
8693 | skip leading zero bytes in buffer_put_bignum2_from_string(); | ||
8694 | reported by jan AT mojzis.com; ok markus@ | ||
8695 | |||
8696 | commit 75c62728dc87af6805696eeb520b9748faa136c8 | ||
8697 | Author: Damien Miller <djm@mindrot.org> | ||
8698 | Date: Sun Apr 20 13:24:31 2014 +1000 | ||
8699 | |||
8700 | - djm@cvs.openbsd.org 2014/04/12 04:55:53 | ||
8701 | [sshd.c] | ||
8702 | avoid crash at exit: check that pmonitor!=NULL before dereferencing; | ||
8703 | bz#2225, patch from kavi AT juniper.net | ||
8704 | |||
8705 | commit 2a328437fb1b0976f2f4522d8645803d5a5d0967 | ||
8706 | Author: Damien Miller <djm@mindrot.org> | ||
8707 | Date: Sun Apr 20 13:24:01 2014 +1000 | ||
8708 | |||
8709 | - djm@cvs.openbsd.org 2014/04/01 05:32:57 | ||
8710 | [packet.c] | ||
8711 | demote a debug3 to PACKET_DEBUG; ok markus@ | ||
8712 | |||
8713 | commit 7d6a9fb660c808882d064e152d6070ffc3844c3f | ||
8714 | Author: Damien Miller <djm@mindrot.org> | ||
8715 | Date: Sun Apr 20 13:23:43 2014 +1000 | ||
8716 | |||
8717 | - djm@cvs.openbsd.org 2014/04/01 03:34:10 | ||
8718 | [sshconnect.c] | ||
8719 | When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any | ||
8720 | certificate keys to plain keys and attempt SSHFP resolution. | ||
8721 | |||
8722 | Prevents a server from skipping SSHFP lookup and forcing a new-hostkey | ||
8723 | dialog by offering only certificate keys. | ||
8724 | |||
8725 | Reported by mcv21 AT cam.ac.uk | ||
8726 | |||
8727 | commit fcd62c0b66b8415405ed0af29c236329eb88cc0f | ||
8728 | Author: Damien Miller <djm@mindrot.org> | ||
8729 | Date: Sun Apr 20 13:23:21 2014 +1000 | ||
8730 | |||
8731 | - djm@cvs.openbsd.org 2014/04/01 02:05:27 | ||
8732 | [ssh-keysign.c] | ||
8733 | include fingerprint of key not found | ||
8734 | use arc4random_buf() instead of loop+arc4random() | ||
8735 | |||
8736 | commit 43b156cf72f900f88065b0a1c1ebd09ab733ca46 | ||
8737 | Author: Damien Miller <djm@mindrot.org> | ||
8738 | Date: Sun Apr 20 13:23:03 2014 +1000 | ||
8739 | |||
8740 | - jmc@cvs.openbsd.org 2014/03/31 13:39:34 | ||
8741 | [ssh-keygen.1] | ||
8742 | the text for the -K option was inserted in the wrong place in -r1.108; | ||
8743 | fix From: Matthew Clarke | ||
8744 | |||
8745 | commit c1621c84f2dc1279065ab9fde2aa9327af418900 | ||
8746 | Author: Damien Miller <djm@mindrot.org> | ||
8747 | Date: Sun Apr 20 13:22:46 2014 +1000 | ||
8748 | |||
8749 | - naddy@cvs.openbsd.org 2014/03/28 05:17:11 | ||
8750 | [ssh_config.5 sshd_config.5] | ||
8751 | sync available and default algorithms, improve algorithm list formatting | ||
8752 | help from jmc@ and schwarze@, ok deraadt@ | ||
8753 | |||
8754 | commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 | ||
8755 | Author: Damien Miller <djm@mindrot.org> | ||
8756 | Date: Sun Apr 20 13:22:18 2014 +1000 | ||
8757 | |||
8758 | - tedu@cvs.openbsd.org 2014/03/26 19:58:37 | ||
8759 | [sshd.8 sshd.c] | ||
8760 | remove libwrap support. ok deraadt djm mfriedl | ||
8761 | |||
8762 | commit 4f40209aa4060b9c066a2f0d9332ace7b8dfb391 | ||
8763 | Author: Damien Miller <djm@mindrot.org> | ||
8764 | Date: Sun Apr 20 13:21:22 2014 +1000 | ||
8765 | |||
8766 | - djm@cvs.openbsd.org 2014/03/26 04:55:35 | ||
8767 | [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c | ||
8768 | [misc.h poly1305.h ssh-pkcs11.c] | ||
8769 | use __bounded(...) attribute recently added to sys/cdefs.h instead of | ||
8770 | longform __attribute__(__bounded(...)); | ||
8771 | |||
8772 | for brevity and a warning free compilation with llvm/clang | ||
8773 | |||
8774 | commit 9235a030ad1b16903fb495d81544e0f7c7449523 | ||
8775 | Author: Damien Miller <djm@mindrot.org> | ||
8776 | Date: Sun Apr 20 13:17:20 2014 +1000 | ||
8777 | |||
8778 | Three commits in one (since they touch the same heavily-diverged file | ||
8779 | repeatedly): | ||
8780 | |||
8781 | - markus@cvs.openbsd.org 2014/03/25 09:40:03 | ||
8782 | [myproposal.h] | ||
8783 | trimm default proposals. | ||
8784 | |||
8785 | This commit removes the weaker pre-SHA2 hashes, the broken ciphers | ||
8786 | (arcfour), and the broken modes (CBC) from the default configuration | ||
8787 | (the patch only changes the default, all the modes are still available | ||
8788 | for the config files). | ||
8789 | |||
8790 | ok djm@, reminded by tedu@ & naddy@ and discussed with many | ||
8791 | - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 | ||
8792 | [myproposal.h] | ||
8793 | The current sharing of myproposal[] between both client and server code | ||
8794 | makes the previous diff highly unpallatable. We want to go in that | ||
8795 | direction for the server, but not for the client. Sigh. | ||
8796 | Brought up by naddy. | ||
8797 | - markus@cvs.openbsd.org 2014/03/27 23:01:27 | ||
8798 | [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] | ||
8799 | disable weak proposals in sshd, but keep them in ssh; ok djm@ | ||
8800 | |||
8801 | commit 6e1777f592f15f4559728c78204617537b1ac076 | ||
8802 | Author: Damien Miller <djm@mindrot.org> | ||
8803 | Date: Sun Apr 20 13:02:58 2014 +1000 | ||
8804 | |||
8805 | - tedu@cvs.openbsd.org 2014/03/19 14:42:44 | ||
8806 | [scp.1] | ||
8807 | there is no need for rcp anymore | ||
8808 | ok deraadt millert | ||
8809 | |||
8810 | commit eb1b7c514d2a7b1802ccee8cd50e565a4d419887 | ||
8811 | Author: Damien Miller <djm@mindrot.org> | ||
8812 | Date: Sun Apr 20 13:02:26 2014 +1000 | ||
8813 | |||
8814 | - tedu@cvs.openbsd.org 2014/03/17 19:44:10 | ||
8815 | [ssh.1] | ||
8816 | old descriptions of des and blowfish are old. maybe ok deraadt | ||
8817 | |||
8818 | commit f0858de6e1324ec730752387074b111b8551081e | ||
8819 | Author: Damien Miller <djm@mindrot.org> | ||
8820 | Date: Sun Apr 20 13:01:30 2014 +1000 | ||
8821 | |||
8822 | - deraadt@cvs.openbsd.org 2014/03/15 17:28:26 | ||
8823 | [ssh-agent.c ssh-keygen.1 ssh-keygen.c] | ||
8824 | Improve usage() and documentation towards the standard form. | ||
8825 | In particular, this line saves a lot of man page reading time. | ||
8826 | usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] | ||
8827 | [-N new_passphrase] [-C comment] [-f output_keyfile] | ||
8828 | ok schwarze jmc | ||
8829 | |||
8830 | commit 94bfe0fbd6e91a56b5b0ab94ac955d2a67d101aa | ||
8831 | Author: Damien Miller <djm@mindrot.org> | ||
8832 | Date: Sun Apr 20 13:00:51 2014 +1000 | ||
8833 | |||
8834 | - naddy@cvs.openbsd.org 2014/03/12 13:06:59 | ||
8835 | [ssh-keyscan.1] | ||
8836 | scan for Ed25519 keys by default too | ||
8837 | |||
8838 | commit 3819519288b2b3928c6882f5883b0f55148f4fc0 | ||
8839 | Author: Damien Miller <djm@mindrot.org> | ||
8840 | Date: Sun Apr 20 13:00:28 2014 +1000 | ||
8841 | |||
8842 | - djm@cvs.openbsd.org 2014/03/12 04:51:12 | ||
8843 | [authfile.c] | ||
8844 | correct test that kdf name is not "none" or "bcrypt" | ||
8845 | |||
8846 | commit 8f9cd709c7cf0655d414306a0ed28306b33802be | ||
8847 | Author: Damien Miller <djm@mindrot.org> | ||
8848 | Date: Sun Apr 20 13:00:11 2014 +1000 | ||
8849 | |||
8850 | - djm@cvs.openbsd.org 2014/03/12 04:50:32 | ||
8851 | [auth-bsdauth.c ssh-keygen.c] | ||
8852 | don't count on things that accept arguments by reference to clear | ||
8853 | things for us on error; most things do, but it's unsafe form. | ||
8854 | |||
8855 | commit 1c7ef4be83f6dec84509a312518b9df00ab491d9 | ||
8856 | Author: Damien Miller <djm@mindrot.org> | ||
8857 | Date: Sun Apr 20 12:59:46 2014 +1000 | ||
8858 | |||
8859 | - djm@cvs.openbsd.org 2014/03/12 04:44:58 | ||
8860 | [ssh-keyscan.c] | ||
8861 | scan for Ed25519 keys by default too | ||
8862 | |||
8863 | commit c10bf4d051c97939b30a1616c0499310057d07da | ||
8864 | Author: Damien Miller <djm@mindrot.org> | ||
8865 | Date: Sun Apr 20 12:58:04 2014 +1000 | ||
8866 | |||
8867 | - djm@cvs.openbsd.org 2014/03/03 22:22:30 | ||
8868 | [session.c] | ||
8869 | ignore enviornment variables with embedded '=' or '\0' characters; | ||
8870 | spotted by Jann Horn; ok deraadt@ | ||
8871 | Id sync only - portable already has this. | ||
8872 | |||
8873 | commit c2e49062faccbcd7135c40d1c78c5c329c58fc2e | ||
8874 | Author: Damien Miller <djm@mindrot.org> | ||
8875 | Date: Tue Apr 1 14:42:46 2014 +1100 | ||
8876 | |||
8877 | - (djm) Use full release (e.g. 6.5p1) in debug output rather than just | ||
8878 | version. From des@des.no | ||
8879 | |||
8880 | commit 14928b7492abec82afa4c2b778fc03f78cd419b6 | ||
8881 | Author: Damien Miller <djm@mindrot.org> | ||
8882 | Date: Tue Apr 1 14:38:07 2014 +1100 | ||
8883 | |||
8884 | - (djm) On platforms that support it, use prctl() to prevent sftp-server | ||
8885 | from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net | ||
8886 | |||
8887 | commit 48abc47e60048461fe9117e108a7e99ea1ac2bb8 | ||
8888 | Author: Damien Miller <djm@mindrot.org> | ||
8889 | Date: Mon Mar 17 14:45:56 2014 +1100 | ||
8890 | |||
8891 | - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to | ||
8892 | remind myself to add sandbox violation logging via the log socket. | ||
8893 | |||
8894 | commit 9c36698ca2f554ec221dc7ef29c7a89e97c88705 | ||
8895 | Author: Tim Rice <tim@multitalents.net> | ||
8896 | Date: Fri Mar 14 12:45:01 2014 -0700 | ||
8897 | |||
8898 | 20140314 | ||
8899 | - (tim) [opensshd.init.in] Add support for ed25519 | ||
8900 | |||
8901 | commit 19158b2447e35838d69b2b735fb640d1e86061ea | ||
8902 | Author: Damien Miller <djm@mindrot.org> | ||
8903 | Date: Thu Mar 13 13:14:21 2014 +1100 | ||
8904 | |||
8905 | - (djm) Release OpenSSH 6.6 | ||