Age | Commit message | Author |
|
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
|
|
socket around for the life of the connection; bz#2912; reported by Simon
Tatham; ok dtucker@
OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
|
|
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
|
|
commands; bz#2926; ok dtucker@
OpenBSD-Commit-ID: 9d635636bc84aeae796467e059f7634de990a79d
|
|
Mike Frysinger <vapier at gentoo dot org>
OpenBSD-Commit-ID: 1bc5392f795ca86318d695e0947eaf71a5a4f6d9
|
|
Colin Watson
OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758
|
|
OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
|
|
OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
|
|
key type at start of doc
OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
|
|
If configure could not find a working OpenSSL installation it would
fall back to checking in /usr/local/ssl. This made sense back when
systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't
use that as a default any more. The fallback behaviour also meant
that if you pointed --with-ssl-dir at a specific directory and it
didn't work, it would silently use either the system libs or the ones
in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to
pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
|
|
Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix
compile-time check for 1.0.1 to match.
|
|
bz#2922, patch from vinschen at redhat.com.
|
|
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
by vinschen at redhat.com.
|
|
Correct error message when OpenSSL doesn't support certain ECDSA key
lengths.
|
|
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
guarded by OPENSSL_HAS_ECC
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
|
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single
AC_CHECK_FUNCS. ok djm@
|
|
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
|
|
Use detected functions in compat layer instead of guessing based on
versions. Really fixes builds with LibreSSL, not just configure.
|
|
Check for the existence of openssl version functions and use the ones
detected instead of trying to guess based on the int32 version
identifier. Fixes builds with LibreSSL.
|
|
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API
to obtain version number, but they don't.
|
|
Prompted by Rosen Penev
|
|
we're old, but we don't have to act it
OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
|
|
bz#2921, patch from cotequeiroz
|
|
Patch from rosenp at gmail.com via openssh-unix-dev.
|
|
/path/certificate", include the algorithm that the CA used to sign the cert.
OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
|
|
no need to check the size. OK kn, deraadt
OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
|
|
Previous versions have a bug with EVP_CipherInit() when passed a
NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613
ok dtucker@
|
|
Missing last argument to OPENSSL_init_crypto()
|
|
Current implementations of the gcc spectre mitigation flags cause
miscompilations when combined with other flags and do not provide much
protection. Found by fweimer at redhat.com, ok djm@
|
|
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of
OPENSSL_init_crypto; pointed out by Jakub Jelen
|
|
Don't let systems with broken printf(3) avoid our replacements
via asprintf(3)/vasprintf(3) calling libc internally. From djm@
|
|
If the platform's snprintf and friends don't understand %zu, use the
compat replacement. Prevents segfaults on those platforms.
|
|
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker
OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
|
|
From Adam Eijdenberg
|
|
Spotted by Adam Eijdenberg
|
|
certificates; spotted by Adam Eijdenberg; ok dtucker@
OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
|
|
Again, for systems with broken NIS implementations.
Prompted by coolbugcheckers AT gmail.com
|
|
probably unreachable on this platform; pointed out by
coolbugcheckers AT gmail.com
|
|
OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25
|
|
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs,
so that empty passphrases are interpreted differently. This
probabilistically breaks loading some keys, because the PEM format
is terrible and doesn't include a proper MAC.
Avoid this by providing a basic callback to avoid passing empty
passphrases to OpenSSL in cases where one is required.
Based on patch from Jakub Jelen in bz#2913; ok dtucker@
|
|
Apparently some NIS implementations can leave pw->pw_passwd (or the
shadow equivalent) NULL.
bz#2909; based on patch from Todd Eigenschink
|
|
is specified as "incorrect passphrase" instead of trying to choose between
that and "invalid format".
libcrypto can return ASN1 parsing errors rather than the expected
decrypt error in certain infrequent cases when trying to decrypt/parse
PEM private keys when supplied with an invalid passphrase.
Report and repro recipe from Thomas Deutschmann in bz#2901
ok markus@
OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
|