summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-11-16Fix check for OpenSSL 1.0.1 exactly.Darren Tucker
Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix compile-time check for 1.0.1 to match.
2018-11-11Improve warnings in cygwin service setup.Darren Tucker
bz#2922, patch from vinschen at redhat.com.
2018-11-11Remove hardcoded service name in cygwin setup.Darren Tucker
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check by vinschen at redhat.com.
2018-11-10AC_CHECK_SIZEOF() no longer needs a second argument.Dag-Erling Smørgrav
2018-11-10Fix error message w/out nistp521.Manoj Ampalam
Correct error message when OpenSSL doesn't support certain ECDSA key lengths.
2018-11-09fix compilation with openssl built without ECCEneas U de Queiroz
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be guarded by OPENSSL_HAS_ECC Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-11-08Simplify OpenSSL 1.1 function checks.Darren Tucker
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single AC_CHECK_FUNCS. ok djm@
2018-11-05Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.Darren Tucker
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2018-10-31Import new moduli.Darren Tucker
2018-10-28Update check for minimum OpenSSL version.Darren Tucker
2018-10-28Update required OpenSSL versions to match current.Darren Tucker
2018-10-28Use detected version functions in openssl compat.Darren Tucker
Use detected functions in compat layer instead of guessing based on versions. Really fixes builds with LibreSSL, not just configure.
2018-10-27Check for the existence of openssl version funcs.Darren Tucker
Check for the existence of openssl version functions and use the ones detected instead of trying to guess based on the int32 version identifier. Fixes builds with LibreSSL.
2018-10-26fix builds on OpenSSL <= 1.0.xDamien Miller
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API to obtain version number, but they don't.
2018-10-23remove remaining references to SSLeayDamien Miller
Prompted by Rosen Penev
2018-10-23regen dependDamien Miller
2018-10-23upstream: refer to OpenSSL not SSLeay;djm@openbsd.org
we're old, but we don't have to act it OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
2018-10-23fix compile for openssl 1.0.x w/ --with-ssl-engineDamien Miller
bz#2921, patch from cotequeiroz
2018-10-22Include openssl compatibility.Darren Tucker
Patch from rosenp at gmail.com via openssh-unix-dev.
2018-10-22upstream: when printing certificate contents "ssh-keygen -Lfdjm@openbsd.org
/path/certificate", include the algorithm that the CA used to sign the cert. OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
2018-10-22upstream: struct sockaddr_storage is guaranteed to be large enough,florian@openbsd.org
no need to check the size. OK kn, deraadt OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
2018-10-17Require OpenSSL 1.1.x series 1.1.0g or greaterDamien Miller
Previous versions have a bug with EVP_CipherInit() when passed a NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613 ok dtucker@
2018-10-17unbreak compilation with --with-ssl-engineDamien Miller
Missing last argument to OPENSSL_init_crypto()
2018-10-16Remove gcc spectre mitigation flags.Darren Tucker
Current impementions of the gcc spectre mitigation flags cause miscompilations when combined with other flags and do not provide much protection. Found by fweimer at redhat.com, ok djm@
2018-10-16Avoid deprecated OPENSSL_config when using 1.1.xDamien Miller
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of OPENSSL_init_crypto; pointed out by Jakub Jelen
2018-10-12Don't avoid our *sprintf replacements.Darren Tucker
Don't let systems with broken printf(3) avoid our replacements via asprintf(3)/vasprintf(3) calling libc internally. From djm@
2018-10-12Check if snprintf understands %zu.Darren Tucker
If the platforms snprintf and friends don't understand %zu, use the compat replacement. Prevents segfaults on those platforms.
2018-10-12remove stale link, tweakDamien Miller
2018-10-12update version numbers ahead of releaseDamien Miller
2018-10-12upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names todjm@openbsd.org
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
2018-10-11update dependsDamien Miller
2018-10-11some more duplicated key algorithm linesDamien Miller
From Adam Eijdenberg
2018-10-11fix duplicated algorithm specification linesDamien Miller
Spotted by Adam Eijdenberg
2018-10-11upstream: typo in plain RSA algorithm counterpart names fordjm@openbsd.org
certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11check pw_passwd != NULL here tooDamien Miller
Again, for systems with broken NIS implementations. Prompted by coolbugcheckers AT gmail.com
2018-10-11check for NULL return from shadow_pw()Damien Miller
probably unreachable on this platform; pointed out by coolbugcheckers AT gmail.com
2018-10-11upstream: introducing openssh 7.9deraadt@openbsd.org
OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25
2018-10-11supply callback to PEM_read_bio_PrivateKeyDamien Miller
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-10in pick_salt() avoid dereference of NULL passwordsDamien Miller
Apparently some NIS implementations can leave pw->pw_passwd (or the shadow equivalent) NULL. bz#2909; based on patch from Todd Eigenschink
2018-10-09upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrasedjm@openbsd.org
is specified as "incorrect passphrase" instead of trying to choose between that and "invalid format". libcrypto can return ASN1 parsing errors rather than the expected decrypt error in certain infrequent cases when trying to decrypt/parse PEM private keys when supplied with an invalid passphrase. Report and repro recipe from Thomas Deutschmann in bz#2901 ok markus@ OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-10-07upstream: Support using service names for port numbers.naddy@openbsd.org
* Try to resolve a port specification with getservbyname(3) if a numeric conversion fails. * Make the "Port" option in ssh_config handle its argument as a port rather than a plain integer. ok dtucker@ deraadt@ OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
2018-10-04upstream: when the peer sends a channel-close message, make sure wedjm@openbsd.org
close the local extended read fd (stderr) along with the regular read fd (stdout). Avoids weird stuck processed in multiplexing mode. Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863 ok dtucker@ markus@ OpenBSD-Commit-ID: a48a2467fe938de4de69d2e7193d5fa701f12ae9
2018-10-04upstream: factor out channel status formatting fromdjm@openbsd.org
channel_open_message() so we can use it in other debug messages OpenBSD-Commit-ID: 9c3903ca28fcabad57f566c9d0045b41ab7d52ba
2018-10-04upstream: include a little more information about the status anddjm@openbsd.org
disposition of channel's extended (stderr) fd; makes debugging some things a bit easier. No behaviour change. OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
2018-10-04upstream: explicit_bzero here to be consistent with other kex*.c;djm@openbsd.org
report from coolbugcheckers AT gmail.com OpenBSD-Commit-ID: a90f146c5b5f5b1408700395e394f70b440856cb
2018-10-03upstream: Allow ssh_config IdentityAgent directive to acceptdjm@openbsd.org
environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
2018-10-02upstream: mention INFO@openssh.com for sending SIGINFOdjm@openbsd.org
OpenBSD-Commit-ID: 132471eeb0df658210afd27852fe65131b26e900
2018-10-02only support SIGINFO on systems with SIGINFODamien Miller
2018-10-02upstream: Add server support for signalling sessions via the SSHdjm@openbsd.org
channel/ session protocol. Signalling is only supported to sesssions that are not subsystems and were not started with a forced command. Long requested in bz#1424 Based on a patch from markus@ and reworked by dtucker@; ok markus@ dtucker@ OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3
2018-09-26upstream: remove big ugly TODO comment from start of file. Some ofdjm@openbsd.org
the mentioned tasks are obsolete and, of the remainder, most are already captured in PROTOCOL.mux where they better belong OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407