Age | Commit message (Collapse) | Author |
|
|
|
openbsd-compat/openssl-compat.h] Add compatibility layer for older
openssl versions. ok djm@
|
|
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
|
|
[digest.c]
remove unused includes. ok djm@
|
|
[sftp-client.c]
signed/unsigned comparison warning fix; from portable (Id sync only)
|
|
separate lines and alphabetize for easier diffing of changes.
|
|
don't have them.
|
|
#ifdef HAVE_STDINT_H.
|
|
includes.h to pull in all of the compatibility stuff.
|
|
|
|
|
|
specification to prevent warnings.
|
|
|
|
hardening flags including -fstack-protector-strong. These default to on
if the toolchain supports them, but there is a configure-time knob
(--without-hardening) to disable them if necessary. ok djm@
|
|
|
|
[contrib/suse/openssh.spec] Crank RPM spec version numbers.
|
|
[version.h]
openssh-6.5
|
|
[sftp-client.c]
needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@
|
|
[bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
[kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@
|
|
[sshd_config]
the /etc/ssh/ssh_host_ed25519_key is loaded by default too
|
|
[sshconnect.c sshd.c]
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
|
|
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
[kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
[kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
[schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@
|
|
[sftp-common.c]
When formating the time for "ls -l"-style output, show dates in the future
with the year, and rearrange a comparison to avoid a potentional signed
arithmetic overflow that would give the wrong result.
ok djm@
|
|
[mac.c monitor_mm.c monitor_mm.h xmalloc.c]
use standard types and formats for size_t like variables. ok dtucker
|
|
|
|
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
|
|
|
|
[sshconnect.c]
when showing other hostkeys, don't forget Ed25519 keys
|
|
[ssh.c]
don't forget to load Ed25519 certs too
|
|
[authfile.c]
don't refuse to load Ed25519 certificates
|
|
[authfd.c]
allow deletion of ed25519 keys from the agent
|
|
[key.c]
to make sure we don't omit any key types as valid CA keys again,
factor the valid key type check into a key_type_is_valid_ca()
function
|
|
[key.c]
correct comment for key_drop_cert()
|
|
[key.c]
correct comment for key_to_certified()
|
|
[key.c]
allow ed25519 keys to appear as certificate authorities
|
|
[ssh-rsa.c]
correct comment
|
|
[ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
make the original RSA and DSA signing/verification code look more like
the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
rather than tediously listing all variants, use __func__ for debug/
error messages
|
|
[ssh-keygen.1]
small typo
|
|
[poly1305.c poly1305.h]
use full name for author, with his permission
|
|
[ssh-agent.c]
bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
ok dtucker
|
|
[channels.c]
bz#2147: fix multiple remote forwardings with dynamically assigned
listen ports. In the s->c message to open the channel we were sending
zero (the magic number to request a dynamic port) instead of the actual
listen port. The client therefore had no way of discriminating between
them.
Diagnosis and fix by ronf AT timeheart.net
|
|
[auth-options.c]
simplify freeing of source-address certificate restriction
|
|
[serverloop.c]
Cast client_alive_interval to u_int64_t before assinging to
max_time_milliseconds to avoid potential integer overflow in the timeout.
bz#2170, patch from Loganaden Velvindron, ok djm@
|
|
[ssh-add.c]
skip requesting smartcard PIN when removing keys from agent; bz#2187
patch from jay AT slushpupie.com; ok dtucker
|
|
entries
|
|
- (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
|
|
Patch from Loganaden Velvindron.
|
|
greater than 11 either rather than just 11. Patch from Tomas Kuthan.
|
|
[crypto_api.h]
I've assempled the header file by cut&pasting from generated headers
and the source files.
|
|
[cipher-chachapoly.c]
add some comments and constify a constant
|