summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-01-18 - djm@cvs.openbsd.org 2013/01/18 00:45:29Damien Miller
[regress/Makefile regress/cert-userkey.sh regress/krl.sh] Tests for Key Revocation Lists (KRLs)
2013-01-18 - djm@cvs.openbsd.org 2013/01/17 23:00:01Damien Miller
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
2013-01-17 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]Damien Miller
check for GCM support before testing GCM ciphers.
2013-01-12 - (djm) [regress/integrity.sh] repair botched mergeDamien Miller
2013-01-12 - djm@cvs.openbsd.org 2013/01/12 11:23:53Damien Miller
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] test AES-GCM modes; feedback markus@
2013-01-12 - djm@cvs.openbsd.org 2013/01/12 11:22:04Damien Miller
[cipher.c] improve error message for integrity failure in AES-GCM modes; ok markus@
2013-01-09 - djm@cvs.openbsd.org 2013/01/09 05:40:17Damien Miller
[ssh-keygen.c] correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]Damien Miller
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little cipher compat code to openssl-compat.h
2013-01-09 - markus@cvs.openbsd.org 2013/01/08 18:49:04Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
2013-01-09 - jmc@cvs.openbsd.org 2013/01/04 19:26:38Damien Miller
[sftp-server.8 sftp-server.c] sftp-server.8: add argument name to -d sftp-server.c: add -d to usage() ok djm
2013-01-09 - djm@cvs.openbsd.org 2013/01/03 23:22:58Damien Miller
[ssh-keygen.c] allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... ok markus@
2013-01-09 - djm@cvs.openbsd.org 2013/01/03 12:54:49Damien Miller
[sftp-server.8 sftp-server.c] allow specification of an alternate start directory for sftp-server(8) "I like this" markus@
2013-01-09 - djm@cvs.openbsd.org 2013/01/03 12:49:01Damien Miller
[PROTOCOL] fix description of MAC calculation for EtM modes; ok markus@
2013-01-09 - djm@cvs.openbsd.org 2013/01/03 05:49:36Damien Miller
[servconf.h] add a couple of ServerOptions members that should be copied to the privsep child (for consistency, in this case they happen only to be accessed in the monitor); ok dtucker@
2013-01-09 - djm@cvs.openbsd.org 2013/01/02 00:33:49Damien Miller
[PROTOCOL.agent] correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED bz#2051 from david AT lechnology.com
2013-01-09 - djm@cvs.openbsd.org 2013/01/02 00:32:07Damien Miller
[clientloop.c mux.c] channel_setup_local_fwd_listener() returns 0 on failure, not -ve bz#2055 reported by mathieu.lacage AT gmail.com
2013-01-09 - dtucker@cvs.openbsd.org 2012/12/14 05:26:43Damien Miller
[auth.c] use correct string in error message; from rustybsd at gmx.fr
2012-12-17 - (dtucker) [Makefile.in] Add some scaffolding so that the new regressDarren Tucker
tests will work with VPATH directories.
2012-12-13 - (djm) [cipher.c] Fix missing prototype for compat codeDamien Miller
2012-12-13 - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain ourDamien Miller
compat code for older OpenSSL
2012-12-13 - markus@cvs.openbsd.org 2012/12/12 16:45:52Damien Miller
[packet.c] reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
2012-12-12 - (djm) [regress/Makefile] fix t-exec ruleDamien Miller
2012-12-12- (djm) [regress/integrity.sh] Fix awk quoting, packet length skipDamien Miller
2012-12-12 - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh testDamien Miller
work on platforms without 'jot'
2012-12-12 - (djm) [mac.c] fix merge botchDamien Miller
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 23:12:13Damien Miller
[try-ciphers.sh] add hmac-ripemd160-etm@openssh.com
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:42:11Damien Miller
[regress/Makefile regress/modpipe.c regress/integrity.sh] test the integrity of the packets; with djm@
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:32:56Damien Miller
[regress/try-ciphers.sh] add etm modes
2012-12-12 - sthen@cvs.openbsd.org 2012/12/11 22:51:45Damien Miller
[mac.c] fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:31:18Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:16:21Damien Miller
[monitor.c] drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
2012-12-07 - dtucker@cvs.openbsd.org 2012/12/07 01:51:35Darren Tucker
[serverloop.c] Cast signal to int for logging. A no-op on openbsd (they're always ints) but will prevent warnings in portable. ok djm@
2012-12-07 - markus@cvs.openbsd.org 2012/12/05 15:42:52Darren Tucker
[ssh-add.c] prevent double-free of comment; ok djm@
2012-12-07 - jmc@cvs.openbsd.org 2012/12/03 08:33:03Darren Tucker
[ssh-add.1 sshd_config.5] tweak previous;
2012-12-07 - dtucker@cvs.openbsd.org 2012/12/06 06:06:54Darren Tucker
[regress/keys-command.sh] Fix some problems with the keys-command test: - use string comparison rather than numeric comparison - check for existing KEY_COMMAND file and don't clobber if it exists - clean up KEY_COMMAND file if we do create it. - check that KEY_COMMAND is executable (which it won't be if eg /var/run is mounted noexec). ok djm.
2012-12-0420121205Tim Rice
- (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
2012-12-03 - (djm) [configure.ac] Revert previous. configure.ac already does thisDamien Miller
for us.
2012-12-03 - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installationDamien Miller
debugging. ok dtucker@
2012-12-03 - djm@cvs.openbsd.org 2012/12/03 00:14:06Damien Miller
[auth2-chall.c ssh-keygen.c] Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:47:48Damien Miller
[Makefile regress/forward-control.sh] regress for AllowTcpForwarding local/remote; ok markus@
2012-12-03 - djm@cvs.openbsd.org 2012/11/22 22:49:30Damien Miller
[regress/Makefile regress/keys-command.sh] regress for AuthorizedKeysCommand; hints from markus@
2012-12-03 - djm@cvs.openbsd.org 2012/10/19 05:10:42Damien Miller
[regress/cert-userkey.sh] include a serial number when generating certs
2012-12-03 - dtucker@cvs.openbsd.org 2012/10/05 02:20:48Damien Miller
[regress/cipher-speed.sh regress/try-ciphers.sh] Add umac-128@openssh.com to the list of MACs to be tested
2012-12-03 - dtucker@cvs.openbsd.org 2012/10/05 02:05:30Damien Miller
[regress/multiplex.sh] Use 'kill -0' to test for the presence of a pid since it's more portable
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:34:10Damien Miller
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] [monitor.c monitor.h] Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:46:11Damien Miller
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:42:15Damien Miller
[ssh-add.1 ssh-add.c] make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:26:11Damien Miller
[ssh_config.5 sshconnect2.c] Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@
2012-12-03 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to getDamien Miller
TAILQ_FOREACH_SAFE needed for upcoming changes.
2012-11-14 - djm@cvs.openbsd.org 2012/11/14 02:32:15Damien Miller
[ssh-keygen.c] allow the full range of unsigned serial numbers; 'fine' deraadt@