summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-09-13forgot to stage these test files in commit d70d061Damien Miller
2018-09-13upstream: hold our collective noses and use the openssl-1.1.x API indjm@openbsd.org
OpenSSH; feedback and ok tb@ jsing@ markus@ OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
2018-09-12upstream: Include certs with multiple RSA signature variants indjm@openbsd.org
test data Ensure that cert->signature_key is populated correctly OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a
2018-09-12upstream: test revocation by explicit hash and by fingerprintdjm@openbsd.org
OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8
2018-09-12upstream: s/sshkey_demote/sshkey_from_private/gdjm@openbsd.org
OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4
2018-09-12delete the correct thing; kexfuzz binaryDamien Miller
2018-09-12upstream: fix edit mistake; spotted by jmc@djm@openbsd.org
OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
2018-09-12upstream: add SSH_ALLOWED_CA_SIGALGS - the default list ofdjm@openbsd.org
signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
2018-09-12upstream: add sshkey_check_cert_sigtype() that checks adjm@openbsd.org
cert->signature_type against a supplied whitelist; ok markus OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
2018-09-12upstream: add cert->signature_type field and keep it in sync withdjm@openbsd.org
certificate signature wrt loading and certification operations; ok markus@ OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
2018-09-12upstream: Add "ssh -Q sig" to allow listing supported signaturedjm@openbsd.org
algorithms ok markus@ OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
2018-09-12upstream: allow key revocation by SHA256 hash and allow ssh-keygendjm@openbsd.org
to create KRLs using SHA256/base64 key fingerprints; ok markus@ OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
2018-09-12upstream: log certificate fingerprint in authenticationdjm@openbsd.org
success/failure message (previously we logged only key ID and CA key fingerprint). ok markus@ OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
2018-09-09upstream: Add FALLTHROUGH comments where appropriate. Patch fromdtucker@openbsd.org
jjelen at redhat via bz#2687. OpenBSD-Commit-ID: c48eb457be697a19d6d2950c6d0879f3ccc851d3
2018-09-09upstream: ssh -MM requires confirmation for all operations thatdjm@openbsd.org
change the multiplexing state, not just new sessions. mention that confirmation is checked via ssh-askpass OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
2018-09-09upstream: fix misplaced parenthesis inside if-clause. it's harmlessmestre@openbsd.org
and the only issue is showing an unknown error (since it's not defined) during fatal(), if it ever an error occurs inside that condition. OK deraadt@ markus@ djm@ OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8
2018-09-09upstream: fix build with DEBUG_PK enabledmestre@openbsd.org
OK dtucker@ OpenBSD-Commit-ID: ec1568cf27726e9638a0415481c20c406e7b441c
2018-09-07Handle ngroups>_SC_NGROUPS_MAX.Darren Tucker
Based on github pull request #99 from Darren Maffat at Oracle: Solaris' getgrouplist considers _SC_NGROUPS_MAX more of a guideline and can return a larger number of groups. In this case, retry getgrouplist with a larger array and defer allocating groups_byname. ok djm@
2018-09-07Initial len for the fmt=NULL case.Darren Tucker
Patch from jjelen at redhat via bz#2687. (OpenSSH never calls setproctitle with a null format so len is always initialized).
2018-09-07Include stdlib.h.Darren Tucker
Patch from jjelen at redhat via bz#2687.
2018-08-27document some more regress control env variablesDamien Miller
Specifically SKIP_UNIT, USE_VALGRING and LTESTS. Sort the list of environment variables. Based on patch from Jakub Jelen
2018-08-23shorten temporary SSH_REGRESS_TMP pathDamien Miller
Previous path was exceeding max socket length on at least one platform (OSX)
2018-08-23rebuild dependenciesDamien Miller
2018-08-23fix path in distclean targetDamien Miller
Patch from Jakub Jelen
2018-08-23upstream: memleak introduced in r1.83; from Colin Watsondjm@openbsd.org
OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc
2018-08-22upstream: AIX reports the CODESET as "ISO8859-1" in the POSIX locale.schwarze@openbsd.org
Treating that as a safe encoding is OK because even when other systems return that string for real ISO8859-1, it is still safe in the sense that it is ASCII-compatible and stateless. Issue reported by Val dot Baranov at duke dot edu. Additional information provided by Michael dot Felt at felt dot demon dot nl. Tested by Michael Felt on AIX 6.1 and by Val Baranov on AIX 7.1. Tweak and OK djm@. OpenBSD-Commit-ID: 36f1210e0b229817d10eb490d6038f507b8256a7
2018-08-21 modified: openbsd-compat/port-uw.cTim Rice
remove obsolete and un-needed include
2018-08-20Missing unistd.h for regress/mkdtemp.cDamien Miller
2018-08-17update version numbers in anticipation of releaseDamien Miller
2018-08-13configure: work around GCC shortcoming on CygwinCorinna Vinschen
Cygwin's latest 7.x GCC allows to specify -mfunction-return=thunk as well as -mindirect-branch=thunk on the command line, albeit producing invalid code, leading to an error at link stage. The check in configure.ac only checks if the option is present, but not if it produces valid code. This patch fixes it by special-casing Cygwin. Another solution may be to change these to linker checks. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2018-08-13cygwin: add missing stdarg.h includeCorinna Vinschen
Further header file standarization in Cygwin uncovered a lazy indirect include in bsd-cygwin_util.c Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2018-08-13upstream: revert compat.[ch] section of the following change. Itdjm@openbsd.org
causes double-free under some circumstances. -- date: 2018/07/31 03:07:24; author: djm; state: Exp; lines: +33 -18; commitid: f7g4UI8eeOXReTPh; fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366 feedback and ok dtucker@ OpenBSD-Commit-ID: 1e77547f60fdb5e2ffe23e2e4733c54d8d2d1137
2018-08-13upstream: better diagnosics on alg list assembly errors; okdjm@openbsd.org
deraadt@ markus@ OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
2018-08-11Some AIX fixes; report from Michael FeltDamien Miller
2018-08-10upstream: The script that cooks up PuTTY format host keys does notdtucker@openbsd.org
understand the new key format so convert back to old format to create the PuTTY key and remove it once done. OpenBSD-Regress-ID: 2a449a18846c3a144bc645135b551ba6177e38d3
2018-08-10upstream: improvedjm@openbsd.org
OpenBSD-Commit-ID: 40d839db0977b4e7ac8b647b16d5411d4faf2f60
2018-08-10upstream: Describe pubkey format, prompted by bz#2853djm@openbsd.org
While I'm here, describe and link to the remaining local PROTOCOL.* docs that weren't already mentioned (PROTOCOL.key, PROTOCOL.krl and PROTOCOL.mux) OpenBSD-Commit-ID: 2a900f9b994ba4d53e7aeb467d44d75829fd1231
2018-08-10upstream: fix numberingdjm@openbsd.org
OpenBSD-Commit-ID: bc7a1764dff23fa4c5ff0e3379c9c4d5b63c9596
2018-08-08upstream: Use new private key format by default. This format isdjm@openbsd.org
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
2018-08-06upstream: invalidate dh->priv_key after freeing it in error path;djm@openbsd.org
avoids unlikely double-free later. Reported by Viktor Dukhovni via https://github.com/openssh/openssh-portable/pull/96 feedback jsing@ tb@ OpenBSD-Commit-ID: e317eb17c3e05500ae851f279ef6486f0457c805
2018-07-31upstream: delay bailout for invalid authenticdjm@openbsd.org
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
2018-07-31upstream: fix some memory leaks spotted by Coverity via Jakub Jelendjm@openbsd.org
in bz#2366 feedback and ok dtucker@ OpenBSD-Commit-ID: 8402bbae67d578bedbadb0ce68ff7c5a136ef563
2018-07-31Remove support for S/KeyDamien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
2018-07-31upstream: avoid expensive channel_open_message() calls; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: aea3b5512ad681cd8710367d743e8a753d4425d9
2018-07-31upstream: Now that ssh can't be setuid, remove thedtucker@openbsd.org
original_real_uid and original_effective_uid globals and replace with calls to plain getuid(). ok djm@ OpenBSD-Commit-ID: 92561c0cd418d34e6841e20ba09160583e27b68c
2018-07-31upstream: Remove uid checks from low port binds. Now that sshdtucker@openbsd.org
cannot be setuid and sshd always has privsep on, we can remove the uid checks for low port binds and just let the system do the check. We leave a sanity check for the !privsep case so long as the code is stil there. with & ok djm@ OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
2018-07-27upstream: ssh(1) no longer supports being setuid root. Remove referencedtucker@openbsd.org
to crc32 which went with protocol 1. Pointed out by deraadt@. OpenBSD-Commit-ID: f8763c25fd96ed91dd1abdab5667fd2e27e377b6
2018-07-27correct snprintf truncation check in closefrom()Damien Miller
Truncation cannot happen unless the system has set PATH_MAX to some nonsensically low value. bz#2862, patch from Daniel Le
2018-07-27Include stdarg.h in mkdtemp for va_list.Darren Tucker
2018-07-26upstream: Don't redefine Makefile choices which come correct fromderaadt@openbsd.org
bsd.*.mk ok markus OpenBSD-Commit-ID: 814b2f670df75759e1581ecef530980b2b3d7e0f