Age | Commit message | Author
2014-07-18 | - djm@cvs.openbsd.org 2014/07/17 07:22:19 | Damien Miller
[mux.c ssh.c] reflect stdio-forward ("ssh -W host:port ...") failures in exit status. previously we were always returning 0. bz#2255 reported by Brendan Germain; ok dtucker
2014-07-18 | - djm@cvs.openbsd.org 2014/07/17 00:12:03 | Damien Miller
[key.c] silence "incorrect passphrase" error spam; reported and ok dtucker@
2014-07-18 | - djm@cvs.openbsd.org 2014/07/17 00:10:18 | Damien Miller
[mux.c] preserve errno across syscall
2014-07-18 | - djm@cvs.openbsd.org 2014/07/17 00:10:56 | Damien Miller
[sandbox-systrace.c] ifdef SYS_sendsyslog so this will compile without patching on -stable
2014-07-18 | - jmc@cvs.openbsd.org 2014/07/16 14:48:57 | Damien Miller
[ssh.1] add the streamlocal* options to ssh's -o list; millert says they're irrelevant for scp/sftp; ok markus millert
2014-07-18 | - millert@cvs.openbsd.org 2014/07/15 15:54:14 | Damien Miller
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
2014-07-17 | - tedu@cvs.openbsd.org 2014/07/11 13:54:34 | Damien Miller
[myproposal.h] by popular demand, add back hmac-sha1 to server proposal for better compat with many clients still in use. ok deraadt
2014-07-17 | - deraadt@cvs.openbsd.org 2014/07/11 08:09:54 | Damien Miller
[sandbox-systrace.c] Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking, update your kernels and sshd soon.. libc will start using sendsyslog() in about 4 days.
2014-07-17 | - (djm) [digest-openssl.c] Preserve array order when disabling digests. | Damien Miller
Reported by Petr Lautrbach.
2014-07-15 | - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto | Damien Miller
has been located; fixes builds against libressl-portable
2014-07-11 | - OpenBSD CVS Sync | Damien Miller
- benno@cvs.openbsd.org 2014/07/09 14:15:56 [ssh-add.c] fix ssh-add crash while loading more than one key ok markus@
2014-07-09 | - djm@cvs.openbsd.org 2014/07/07 08:15:26 | Damien Miller
[multiplex.sh] remove forced-fatal that I stuck in there to test the new cleanup logic and forgot to remove...
2014-07-09 | - djm@cvs.openbsd.org 2014/07/06 07:42:03 | Damien Miller
[multiplex.sh test-exec.sh] add a hook to the cleanup() function to kill $SSH_PID if it is set use it to kill the mux master started in multiplex.sh (it was being left around on fatal failures)
2014-07-09 | - djm@cvs.openbsd.org 2014/07/09 03:02:15 | Damien Miller
[key.c] downgrade more error() to debug() to better match what old authfile.c did; suppresses spurious errors with hostbased authentication enabled
2014-07-09 | - djm@cvs.openbsd.org 2014/07/09 01:45:10 | Damien Miller
[sftp.c] more useful error message when GLOB_NOSPACE occurs; bz#2254, patch from Orion Poplawski
2014-07-09 | - djm@cvs.openbsd.org 2014/07/07 08:19:12 | Damien Miller
[ssh_config.5] mention that ProxyCommand is executed using shell "exec" to avoid a lingering process; bz#1977
2014-07-06 | - djm@cvs.openbsd.org 2014/07/05 23:11:48 | Damien Miller
[channels.c] fix remote-forward cancel regression; ok markus@
2014-07-06 | - djm@cvs.openbsd.org 2014/07/03 23:18:35 | Damien Miller
[authfile.h] remove leakmalloc droppings
2014-07-04 | - djm@cvs.openbsd.org 2014/07/03 22:40:43 | Damien Miller
[servconf.c servconf.h session.c sshd.8 sshd_config.5] Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160; ok markus@
2014-07-04 | - djm@cvs.openbsd.org 2014/07/03 22:33:41 | Damien Miller
[channels.c] allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222 ok markus@
2014-07-04 | - djm@cvs.openbsd.org 2014/07/03 22:23:46 | Damien Miller
[sshconnect.c] when rekeying, skip file/DNS lookup if it is the same as the key sent during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
2014-07-04 | - jsing@cvs.openbsd.org 2014/07/03 12:42:16 | Damien Miller
[cipher-chachapoly.c] Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this makes it easier to verify that chacha_encrypt_bytes() is only called once per chacha_ivsetup() call. ok djm@
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 11:16:55 | Damien Miller
[auth.c auth.h auth1.c auth2.c] make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
2014-07-03 | - jmc@cvs.openbsd.org 2014/07/03 07:45:27 | Damien Miller
[ssh_config.5] escape %C since groff thinks it part of an Rs/Re block;
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 06:39:19 | Damien Miller
[ssh.c ssh_config.5] Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding sockaddr_un's miserly pathname limits for mux control paths. bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 05:38:17 | Damien Miller
[ssh.1] document that -g will only work in the multiplexed case if applied to the mux master
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 05:32:36 | Damien Miller
[ssh_config.5] mention '%%' escape sequence in HostName directives and how it may be used to specify IPv6 link-local addresses
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 04:36:45 | Damien Miller
[digest.h] forward-declare struct sshbuf so consumers don't need to include sshbuf.h
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 03:47:27 | Damien Miller
[ssh-keygen.c] When hashing or removing hosts using ssh-keygen, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241, reported by mlindgren AT runelind.net
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 03:34:09 | Damien Miller
[gss-serv.c session.c ssh-keygen.c] standardise on NI_MAXHOST for gethostname() string lengths; about 1/2 the cases were using it already. Fixes bz#2239 en passant
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 03:26:43 | Damien Miller
[digest-openssl.c] use EVP_Digest() for one-shot hash instead of creating, updating, finalising and destroying a context. bz#2231, based on patch from Timo Teras
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 03:15:01 | Damien Miller
[ssh-add.c] make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234, reported by Phil Pennock
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 03:11:03 | Damien Miller
[ssh-agent.c] Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236 patch from Dmitry V. Levin
2014-07-03 | - djm@cvs.openbsd.org 2014/07/03 01:45:38 | Damien Miller
[sshkey.c] make Ed25519 keys' title fit properly in the randomart border; bz#2247 based on patch from Christian Hesse
2014-07-03 | - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist; | Damien Miller
bz#2237
2014-07-03 | - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto | Damien Miller
doesn't support it.
2014-07-02 | - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test | Damien Miller
2014-07-02 | - (djm) [sshkey.c] Conditionalise inclusion of util.h | Damien Miller
2014-07-02 | - djm@cvs.openbsd.org 2014/06/24 01:14:17 | Damien Miller
[Makefile.in regress/Makefile regress/unittests/Makefile] [regress/unittests/sshkey/Makefile] [regress/unittests/sshkey/common.c] [regress/unittests/sshkey/common.h] [regress/unittests/sshkey/mktestdata.sh] [regress/unittests/sshkey/test_file.c] [regress/unittests/sshkey/test_fuzz.c] [regress/unittests/sshkey/test_sshkey.c] [regress/unittests/sshkey/tests.c] [regress/unittests/sshkey/testdata/dsa_1] [regress/unittests/sshkey/testdata/dsa_1-cert.fp] [regress/unittests/sshkey/testdata/dsa_1-cert.pub] [regress/unittests/sshkey/testdata/dsa_1.fp] [regress/unittests/sshkey/testdata/dsa_1.fp.bb] [regress/unittests/sshkey/testdata/dsa_1.param.g] [regress/unittests/sshkey/testdata/dsa_1.param.priv] [regress/unittests/sshkey/testdata/dsa_1.param.pub] [regress/unittests/sshkey/testdata/dsa_1.pub] [regress/unittests/sshkey/testdata/dsa_1_pw] [regress/unittests/sshkey/testdata/dsa_2] [regress/unittests/sshkey/testdata/dsa_2.fp] [regress/unittests/sshkey/testdata/dsa_2.fp.bb] [regress/unittests/sshkey/testdata/dsa_2.pub] [regress/unittests/sshkey/testdata/dsa_n] [regress/unittests/sshkey/testdata/dsa_n_pw] [regress/unittests/sshkey/testdata/ecdsa_1] [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp] [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub] [regress/unittests/sshkey/testdata/ecdsa_1.fp] [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb] [regress/unittests/sshkey/testdata/ecdsa_1.param.curve] [regress/unittests/sshkey/testdata/ecdsa_1.param.priv] [regress/unittests/sshkey/testdata/ecdsa_1.param.pub] [regress/unittests/sshkey/testdata/ecdsa_1.pub] [regress/unittests/sshkey/testdata/ecdsa_1_pw] [regress/unittests/sshkey/testdata/ecdsa_2] [regress/unittests/sshkey/testdata/ecdsa_2.fp] [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb] [regress/unittests/sshkey/testdata/ecdsa_2.param.curve] [regress/unittests/sshkey/testdata/ecdsa_2.param.priv] [regress/unittests/sshkey/testdata/ecdsa_2.param.pub] [regress/unittests/sshkey/testdata/ecdsa_2.pub] 
[regress/unittests/sshkey/testdata/ecdsa_n] [regress/unittests/sshkey/testdata/ecdsa_n_pw] [regress/unittests/sshkey/testdata/ed25519_1] [regress/unittests/sshkey/testdata/ed25519_1-cert.fp] [regress/unittests/sshkey/testdata/ed25519_1-cert.pub] [regress/unittests/sshkey/testdata/ed25519_1.fp] [regress/unittests/sshkey/testdata/ed25519_1.fp.bb] [regress/unittests/sshkey/testdata/ed25519_1.pub] [regress/unittests/sshkey/testdata/ed25519_1_pw] [regress/unittests/sshkey/testdata/ed25519_2] [regress/unittests/sshkey/testdata/ed25519_2.fp] [regress/unittests/sshkey/testdata/ed25519_2.fp.bb] [regress/unittests/sshkey/testdata/ed25519_2.pub] [regress/unittests/sshkey/testdata/pw] [regress/unittests/sshkey/testdata/rsa1_1] [regress/unittests/sshkey/testdata/rsa1_1.fp] [regress/unittests/sshkey/testdata/rsa1_1.fp.bb] [regress/unittests/sshkey/testdata/rsa1_1.param.n] [regress/unittests/sshkey/testdata/rsa1_1.pub] [regress/unittests/sshkey/testdata/rsa1_1_pw] [regress/unittests/sshkey/testdata/rsa1_2] [regress/unittests/sshkey/testdata/rsa1_2.fp] [regress/unittests/sshkey/testdata/rsa1_2.fp.bb] [regress/unittests/sshkey/testdata/rsa1_2.param.n] [regress/unittests/sshkey/testdata/rsa1_2.pub] [regress/unittests/sshkey/testdata/rsa_1] [regress/unittests/sshkey/testdata/rsa_1-cert.fp] [regress/unittests/sshkey/testdata/rsa_1-cert.pub] [regress/unittests/sshkey/testdata/rsa_1.fp] [regress/unittests/sshkey/testdata/rsa_1.fp.bb] [regress/unittests/sshkey/testdata/rsa_1.param.n] [regress/unittests/sshkey/testdata/rsa_1.param.p] [regress/unittests/sshkey/testdata/rsa_1.param.q] [regress/unittests/sshkey/testdata/rsa_1.pub] [regress/unittests/sshkey/testdata/rsa_1_pw] [regress/unittests/sshkey/testdata/rsa_2] [regress/unittests/sshkey/testdata/rsa_2.fp] [regress/unittests/sshkey/testdata/rsa_2.fp.bb] [regress/unittests/sshkey/testdata/rsa_2.param.n] [regress/unittests/sshkey/testdata/rsa_2.param.p] [regress/unittests/sshkey/testdata/rsa_2.param.q] 
[regress/unittests/sshkey/testdata/rsa_2.pub] [regress/unittests/sshkey/testdata/rsa_n] [regress/unittests/sshkey/testdata/rsa_n_pw] unit and fuzz tests for new key API
2014-07-02 | - djm@cvs.openbsd.org 2014/06/24 01:04:43 | Damien Miller
[regress/krl.sh] regress test for broken consecutive revoked serial number ranges
2014-07-02 | - djm@cvs.openbsd.org 2014/05/21 07:04:21 | Damien Miller
[regress/integrity.sh] when failing because of unexpected output, show the offending output
2014-07-02 | - djm@cvs.openbsd.org 2014/04/30 05:32:00 | Damien Miller
[regress/Makefile] unit tests for new buffer API; including basic fuzz testing NB. Id sync only.
2014-07-02 | - djm@cvs.openbsd.org 2014/06/30 12:54:39 | Damien Miller
[key.c] suppress spurious error message when loading key with a passphrase; reported by kettenis@ ok markus@ - djm@cvs.openbsd.org 2014/07/02 04:59:06 [cipher-3des1.c] fix ssh protocol 1 on the server that regressed with the sshkey change (sometimes fatal() after auth completed), make file return useful status codes. NB. Id sync only for these two. They were bundled into the sshkey merge above, since it was easier to sync the entire file and then apply portable-specific changes atop it.
2014-07-02 | - markus@cvs.openbsd.org 2014/06/27 18:50:39 | Damien Miller
[ssh-add.c] fix loading of private keys
2014-07-02 | - markus@cvs.openbsd.org 2014/06/27 16:41:56 | Damien Miller
[channels.c channels.h clientloop.c ssh.c] fix remote fwding with same listen port but different listen address with gerhard@, ok djm@
2014-07-02 | - deraadt@cvs.openbsd.org 2014/06/25 14:16:09 | Damien Miller
[sshbuf.c] unblock SIGSEGV before raising it ok djm
2014-07-02 | - djm@cvs.openbsd.org 2014/06/24 02:21:01 | Damien Miller
[scp.c] when copying local->remote fails during read, don't send uninitialised heap to the remote end. Reported by Jann Horn
2014-07-02 | - djm@cvs.openbsd.org 2014/06/24 02:19:48 | Damien Miller
[ssh.c] don't fatal() when hostname canonicalisation fails with a ProxyCommand in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
2014-07-02 | - djm@cvs.openbsd.org 2014/06/24 01:13:21 | Damien Miller
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c] [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c] [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h] [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h] [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshkey.c sshkey.h] [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
2014-07-02 | - djm@cvs.openbsd.org 2014/06/24 00:52:02 | Damien Miller
[krl.c] fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.