summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-03-12upstream commitdjm@openbsd.org
allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. bz#2617 based on patch from Adam Eijdenberg; ok dtucker@ markus@ Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9
2017-03-12upstream commitmarkus@openbsd.org
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
2017-03-12upstream commitdtucker@openbsd.org
krl.c Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
2017-03-12sync fmt_scaled.c with OpenBSDDamien Miller
revision 1.13 date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R; fix signed integer overflow in scan_scaled. Found by Nicolas Iooss using AFL against ssh_config. ok deraadt@ millert@ ---------------------------- revision 1.12 date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5; fairly simple unsigned char casts for ctype ok krw ---------------------------- revision 1.11 date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2; make scan_scaled set errno to EINVAL rather than ERANGE if it encounters an invalid multiplier, like the man page says it should "looks sensible" deraadt@, ok ian@ ---------------------------- revision 1.10 date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4; use llabs instead of the home-grown version; and some comment changes ok ian@, millert@ ----------------------------
2017-03-10upstream commitdjm@openbsd.org
When updating hostkeys, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok dtucker@ Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
2017-03-10upstream commitdjm@openbsd.org
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@ Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253
2017-03-10upstream commitdjm@openbsd.org
reword a comment to make it fit 80 columns Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4
2017-03-10upstream commitdjm@openbsd.org
better match sshd config parser behaviour: fatal() if line is overlong, increase line buffer to match sshd's; bz#2651 reported by Don Fong; ok dtucker@ Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
2017-03-10upstream commitdjm@openbsd.org
ensure hostname is lower-case before hashing it; bz#2591 reported by Griff Miller II; ok dtucker@ Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
2017-03-10upstream commitdjm@openbsd.org
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@ Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549
2017-03-10upstream commitdtucker@openbsd.org
Remove old null check from config dumper. Patch from jjelen at redhat.com vi bz#2687, ok djm@ Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
2017-03-10upstream commitdjm@openbsd.org
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@ Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
2017-03-10upstream commitdtucker@openbsd.org
Check for NULL return value from key_new. Patch from jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e
2017-03-10upstream commitdjm@openbsd.org
reword a comment to make it fit 80 columns Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349
2017-03-10upstream commitdtucker@openbsd.org
Check for NULL argument to sshkey_read. Patch from jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
2017-03-10upstream commitdtucker@openbsd.org
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
2017-03-10upstream commitdtucker@openbsd.org
Plug mem leak on GLOB_NOMATCH case. From jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
2017-03-10upstream commitdtucker@openbsd.org
Plug descriptor leaks of auth_sock. From jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88
2017-03-10upstream commitdjm@openbsd.org
correctly hash hosts with a port number. Reported by Josh Powers in bz#2692; ok dtucker@ Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
2017-03-10upstream commitdjm@openbsd.org
don't truncate off \r\n from long stderr lines; bz#2688, reported by Brian Dyson; ok dtucker@ Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4
2017-03-10upstream commitdtucker@openbsd.org
Validate digest arg in ssh_digest_final; from jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878
2017-03-10Check for NULL from malloc.Darren Tucker
Part of bz#2687, from jjelen at redhat.com.
2017-03-10If OSX is using launchd, remove screen no.Darren Tucker
Check for socket with and without screen number. From Apple and Jakob Schlyter via bz#2341, with contributions from Ron Frederick, ok djm@
2017-03-08upstream commitdjm@openbsd.org
quote [host]:port in generated ProxyJump commandline; the [ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri Tirkkonen via bugs@ Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
2017-03-06upstream commitdtucker@openbsd.org
Check l->hosts before dereferencing; fixes potential null pointer deref. ok djm@ Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
2017-03-06upstream commitdtucker@openbsd.org
linenum is unsigned long so use %lu in log formats. ok deraadt@ Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
2017-03-03upstream commitdjm@openbsd.org
fix ssh-keygen -H accidentally corrupting known_hosts that contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by hostkeys_foreach() when hostname matching is in use, so we need to look for the hash marker explicitly. Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
2017-02-28upstream commitdjm@openbsd.org
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683 Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
2017-02-28upstream commitjmc@openbsd.org
errant dot; from klemens nanni Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
2017-02-28upstream commitdjm@openbsd.org
might as well set the listener socket CLOEXEC Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57
2017-02-19upstream commitdjm@openbsd.org
add test cases for C locale; ok schwarze@ Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87
2017-02-19upstream commitdjm@openbsd.org
Add a common nl_langinfo(CODESET) alias for US-ASCII "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@ Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719
2017-02-17upstream commitdtucker@openbsd.org
Remove deprecated SSH1 options RSAAuthentication and RhostsRSAAuthentication from regression test sshd_config. Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
2017-02-17upstream commitdtucker@openbsd.org
Do not show rsa1 key type in usage when compiled without SSH1 support. Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
2017-02-17upstream commitdtucker@openbsd.org
ifdef out "rsa1" from the list of supported keytypes when compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@ Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
2017-02-17upstream commitdjm@openbsd.org
For ProxyJump/-J, surround host name with brackets to allow literal IPv6 addresses. From Dick Visser; ok dtucker@ Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
2017-02-17upstream commitjsg@openbsd.org
Fix memory leaks in match_filter_list() error paths. ok dtucker@ markus@ Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
2017-02-17upstream commitdjm@openbsd.org
fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok dtucker@ Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
2017-02-12ifdef out EVP_R_PRIVATE_KEY_DECODE_ERRORDarren Tucker
EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out for the benefit of OpenSSL versions prior to that.
2017-02-10upstream commitdjm@openbsd.org
bring back r1.34 that was backed out for problems loading public keys: translate OpenSSL error codes to something more meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@ with additional fix from Jakub Jelen to solve the backout. bz#2525 bz#2523 re-ok dtucker@ Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
2017-02-10upstream commitdjm@openbsd.org
Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@ Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
2017-02-10upstream commitmillert@openbsd.org
Avoid printf %s NULL. From semarie@, OK djm@ Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
2017-02-06upstream commitdjm@openbsd.org
Restore \r\n newline sequence for server ident string. The CR got lost in the flensing of SSHv1. Pointed out by Stef Bon Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
2017-02-04upstream commitdjm@openbsd.org
unit test for match_filter_list() function; still want a better name for this... Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
2017-02-04upstream commitdjm@openbsd.org
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g. Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth] ok markus@ bz#113 Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
2017-02-04upstream commitdjm@openbsd.org
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@ Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
2017-02-04upstream commitdjm@openbsd.org
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@ Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-03upstream commitdjm@openbsd.org
allow form-feed characters at EOL; bz#2431 ok dtucker@ Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
2017-02-03prefer to use ldns-config to find libldnsDamien Miller
Should fix bz#2603 - "Build with ldns and without kerberos support fails if ldns compiled with kerberos support" by including correct cflags/libs ok dtucker@
2017-02-03upstream commitdtucker@openbsd.org
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning. rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway). some early guidance deraadt@, ok djm@ Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c