Age | Commit message (Collapse) | Author |
|
|
|
lack support for SHA2.
|
|
[integrity.sh]
oops, forgot to increase the output of the ssh command to ensure that
we actually reach $offset
|
|
[integrity.sh]
crank the offset yet again; it was still fuzzing KEX one of Darren's
portable test hosts at 2800
|
|
[integrity.sh]
make the ssh command generates some output to ensure that there are at
least offset+tries bytes in the stream.
|
|
[integrity.sh]
make sure the fuzz offset is actually past the end of KEX for all KEX
types. diffie-hellman-group-exchange-sha256 requires an offset around
2700. Noticed via test failures in portable OpenSSH on platforms that
lack ECC and this the more byte-frugal ECDH KEX algorithms.
|
|
an argument. Pointed out by djm.
|
|
group strto* function prototypes together.
|
|
[sshconnect2.c]
Warn more loudly if an IdentityFile provided by the user cannot be read.
bz #1981, ok djm@
|
|
openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
platforms that don't have it.
|
|
|
|
Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
|
|
[auth2-pubkey.c]
Correct error message that had a typo and was logging the wrong thing;
patch from Petr Lautrbach
|
|
Iain Morgan
|
|
of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by
Iain Morgan
|
|
|
|
|
|
|
|
[try-ciphers.sh]
remove acss here too
|
|
[sshd.c]
Add openssl version to debug output similar to the client. ok markus@
|
|
[packet.c]
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@
|
|
[ssh-keygen.c]
append to moduli file when screening candidates rather than overwriting.
allows resumption of interrupted screen; patch from Christophe Garault
in bz#1957; ok dtucker@
|
|
[version.h]
openssh 6.2
|
|
[sftp.c]
fix NULL deref when built without libedit and control characters
entered as command; debugging and patch from Iain Morgan an
Loganaden Velvindron in bz#1956
|
|
[auth.c]
Fix comment, from jfree.e1 at gmail
|
|
[servconf.c sshd_config sshd_config.5]
Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
|
|
[krl.c]
actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
|
|
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
[openbsd-compat/openssl-compat.h]
remove ACSS, now that it is gone from libcrypto too
|
|
[krl.c]
redo last commit without the vi-vomit that snuck in:
skip serial lookup when cert's serial number is zero
(now with 100% better comment)
|
|
[krl.c]
Revert last. Breaks due to likely typo. Let djm@ fix later.
ok djm@ via dlg@
|
|
[krl.c]
skip serial lookup when cert's serial number is zero
|
|
- djm@cvs.openbsd.org 2013/01/24 21:45:37
[krl.c]
fix handling of (unused) KRL signatures; skip string in correct buffer
|
|
libcrypto that lacks EVP_CIPHER_CTX_ctrl
|
|
__attribute__ on return values and work around if necessary. ok djm@
|
|
patch from Iain Morgan in bz#2059
|
|
at configure time; the seccomp sandbox will fall back to rlimit at
runtime anyway. Patch from plautrba AT redhat.com in bz#2011
|
|
|
|
version.
|
|
[krl.c]
RB_INSERT does not remove existing elments; ok djm@
|
|
[ssh-keygen.1]
fix some formatting; ok djm
|
|
[ssh-keygen.1]
command-line (adj.) -> command line (n.);
|
|
[ssh-keygen.1]
add -Q to the options list; ok djm
|
|
[sshd_config.5]
tweak previous;
|
|
[ssh-keygen.c]
-u before -V in usage();
|
|
[ssh-keygen.1]
tweak previous;
|
|
Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
prototypes for openssl-1.0.0-fips.
|
|
[krl.c]
fix KRL generation bug for list sections
|
|
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
Tests for Key Revocation Lists (KRLs)
|
|
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
|
check for GCM support before testing GCM ciphers.
|