Age | Commit message | Author
2014-02-04 | - djm@cvs.openbsd.org 2014/02/02 03:44:31 [digest-libc.c digest-openssl.c] convert memset of potentially-private data to explicit_bzero() | Damien Miller
2014-02-04 | - djm@cvs.openbsd.org 2014/02/03 23:28:00 [ssh-ecdsa.c] fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike DSA_SIG_new. Reported by Batz Spear; ok markus@ | Damien Miller
2014-02-04 | - djm@cvs.openbsd.org 2014/02/02 03:44:32 [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c] convert memset of potentially-private data to explicit_bzero() | Damien Miller
2014-02-04 | - tedu@cvs.openbsd.org 2014/01/31 16:39:19 [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker | Damien Miller
2014-02-04 | - djm@cvs.openbsd.org 2014/01/30 22:26:14 [sandbox-systrace.c] allow shutdown(2) syscall in sandbox - it may be called by packet_close() from portable (Id sync only; change is already in portable) | Damien Miller
2014-02-04 | - jmc@cvs.openbsd.org 2014/01/29 14:04:51 [sshd_config.5] document kbdinteractiveauthentication; requested From: Ross L Richardson dtucker/markus helped explain its workings; | Damien Miller
2014-02-04 | - djm@cvs.openbsd.org 2014/01/29 06:18:35 [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] remove experimental, never-enabled JPAKE code; ok markus@ | Damien Miller
2014-02-04 | - djm@cvs.openbsd.org 2014/01/29 00:19:26 [sshd.c] use kill(0, ...) instead of killpg(0, ...); on most operating systems they are equivalent, but SUSv2 describes the latter as having undefined behaviour; from portable; ok dtucker (Id sync only; change is already in portable) | Damien Miller
2014-02-04 | - jmc@cvs.openbsd.org 2014/01/28 14:13:39 [ssh-keyscan.1] kill some bad Pa; From: Jan Stary | Damien Miller
2014-02-04 | ignore a few more regress droppings | Damien Miller
2014-02-04 | - markus@cvs.openbsd.org 2014/01/27 20:13:46 [digest.c digest-openssl.c digest-libc.c Makefile.in] rename digest.c to digest-openssl.c and add libc variant; ok djm@ | Damien Miller
2014-02-04 | - markus@cvs.openbsd.org 2014/01/27 19:18:54 [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c] replace openssl MD5 with our ssh_digest_*; ok djm@ | Damien Miller
2014-02-04 | - markus@cvs.openbsd.org 2014/01/27 18:58:14 [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h] replace openssl HMAC with an implementation based on our ssh_digest_* ok and feedback djm@ | Damien Miller
2014-01-31 | - (tim) [Makefile.in] build regress/setuid-allow. | Tim Rice
2014-01-31 | - (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes build with HP-UX's compiler. Patch from Kevin Brott. | Darren Tucker
2014-01-31 | - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2) syscall from sandboxes; it may be called by packet_close. | Damien Miller
2014-01-30 | - (djm) Release openssh-6.5p1 | Damien Miller
2014-01-30 | trim entries prior to openssh-6.0p1 | Damien Miller
2014-01-30 | - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering different symbols for 'read' when various compiler flags are in use, causing atomicio.c comparisons against it to break and read/write operations to hang; ok dtucker | Damien Miller
2014-01-30 | - (djm) [configure.ac] Only check for width-specified integer types in headers that actually exist. patch from Tom G. Christensen; ok dtucker@ | Damien Miller
2014-01-29 | - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from Tom G. Christensen | Damien Miller
2014-01-28 | - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable when used as an error message inside an if statement so we display the correct info. agent.sh patch from Petr Lautrbach. | Tim Rice
2014-01-28 | - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the latter being specified to have undefined behaviour in SUSv3; ok dtucker | Damien Miller
2014-01-28 | - (djm) [configure.ac] Search for inet_ntop in libnsl and libresolv; ok dtucker | Damien Miller
2014-01-27 | - (dtucker) [Makefile.in] Remove trailing backslash which some make implementations (eg older Solaris) do not cope with. | Darren Tucker
2014-01-27 | Welcome to 2014 | Darren Tucker
2014-01-26 | - (djm) [configure.ac] correct AC_DEFINE for previous. | Damien Miller
2014-01-26 | - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, libc will attempt to open additional file descriptors for crypto offload and crash if they cannot be opened. | Damien Miller
2014-01-26 | - markus@cvs.openbsd.org 2014/01/25 20:35:37 [kex.c] dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha | Damien Miller
2014-01-26 | - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 [cipher.c cipher.h kex.c kex.h kexgexc.c] Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@ | Damien Miller
2014-01-25 | - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test against the correct thing. | Damien Miller
2014-01-25 | - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless sys/capability.h exists and cap_rights_limit is in libc. Fixes build on FreeBSD9x which provides the header but not the libc support. | Damien Miller
2014-01-25 | - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD | Damien Miller
2014-01-24 | - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make the scp regress test actually test the built scp rather than the one in $PATH. ok dtucker@ | Damien Miller
2014-01-23 | - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously incompatible with OpenBSD's despite post-dating it by more than a decade. Declare it as broken, and document FreeBSD's as the same. ok djm@ | Darren Tucker
2014-01-22 | - (tim) [session.c] Improve error reporting on set_id(). | Tim Rice
2014-01-22 | - (djm) [configure.ac aclocal.m4] More tests to detect fallout from platform hardening options: include some long long int arithmetic to detect missing support functions for -ftrapv in libgcc and equivalents, actually test linking when -ftrapv is supplied and set either both -pie/-fPIE or neither. feedback and ok dtucker@ | Damien Miller
2014-01-22 | - (djm) [configure.ac] Unless specifically requested, only attempt to build Position Independent Executables on gcc >= 4.x; ok dtucker | Damien Miller
2014-01-22 | - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a platform that is expected to use the reuse-argv style setproctitle hack surprises us by providing a setproctitle in libc; ok dtucker | Damien Miller
2014-01-21 | - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of detecting toolchain-related problems; ok dtucker | Damien Miller
2014-01-20 | - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced with sftp chroot support. Move set_id call after chroot. | Tim Rice
2014-01-21 | - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time tests in the configure output. ok djm. | Darren Tucker
2014-01-21 | - (dtucker) [configure.ac] Make PIE a configure-time option which defaults to on platforms where it's known to be reliably detected and off elsewhere. Works around platforms such as FreeBSD 9.1 where it does not interop with -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ | Darren Tucker
2014-01-20 | - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ | Damien Miller
2014-01-20 | - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos implementation does not have krb5_cc_new_unique, similar to what we do in auth-krb5.c. | Darren Tucker
2014-01-20 | - djm@cvs.openbsd.org 2014/01/20 00:08:48 [digest.c] memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ | Damien Miller
2014-01-19 | - dtucker@cvs.openbsd.org 2014/01/19 11:21:51 [addrmatch.c] Cast the sizeof to socklen_t so it'll work even if the supplied len is negative. Suggested by and ok djm, ok deraadt. | Darren Tucker
2014-01-19 | - djm@cvs.openbsd.org 2014/01/19 04:48:08 [ssh_config.5] fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal | Darren Tucker
2014-01-19 | - dtucker@cvs.openbsd.org 2014/01/19 04:17:29 [canohost.c addrmatch.c] Cast socklen_t when comparing to size_t and use socklen_t to iterate over the ip options, both to prevent signed/unsigned comparison warnings. Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. | Darren Tucker
2014-01-19 | - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 [session.c] explicitly define USE_PIPES to 1 to prevent redefinition warnings in portable on platforms that use pipes for everything. From redhat @ redhat. | Darren Tucker