summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-11-19upstream: silence (to log level debug2) failure messages whendjm@openbsd.org
loading the default hostkeys. Hostkeys explicitly specified in the configuration or on the command-line are still reported as errors, and failure to load at least one host key remains a fatal error. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch from Dag-Erling Smørgrav via https://github.com/openssh/openssh-portable/pull/103 ok markus@ OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
2018-11-19upstream: Fix inverted logic for redirecting ProxyCommand stderr todtucker@openbsd.org
/dev/null. Fixes mosh in proxycommand mode that was broken by the previous ProxyCommand change that was reported by matthieu@. ok djm@ danj@ OpenBSD-Commit-ID: c6fc9641bc250221a0a81c6beb2e72d603f8add6
2018-11-16upstream: redirect stderr of ProxyCommands to /dev/null when ssh isdjm@openbsd.org
started with ControlPersist; based on patch from Steffen Prohaska OpenBSD-Commit-ID: 1bcaa14a03ae80369d31021271ec75dce2597957
2018-11-16upstream: make grandparent-parent-child sshbuf chains robust todjm@openbsd.org
use-after-free faults if the ancestors are freed before the descendents. Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2
2018-11-16upstream: use path_absolute() for pathname checks; from Manoj Ampalamdjm@openbsd.org
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-11-16Test for OPENSSL_init_crypto before using.Darren Tucker
Check for the presence of OPENSSL_init_crypto and all the flags we want before trying to use it (bz#2931).
2018-11-16upstream: disallow empty incoming filename or ones that refer to thedjm@openbsd.org
current directory; based on report/patch from Harry Sintonen OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
2018-11-16upstream: fix bug in client that was keeping a redundant ssh-agentdjm@openbsd.org
socket around for the life of the connection; bz#2912; reported by Simon Tatham; ok dtucker@ OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
2018-11-16upstream: fix bug in HostbasedAcceptedKeyTypes anddjm@openbsd.org
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
2018-11-16upstream: support a prefix of '@' to suppress echo of sftp batchdjm@openbsd.org
commands; bz#2926; ok dtucker@ OpenBSD-Commit-ID: 9d635636bc84aeae796467e059f7634de990a79d
2018-11-16upstream: fix markup error (missing blank before delimiter); fromschwarze@openbsd.org
Mike Frysinger <vapier at gentoo dot org> OpenBSD-Commit-ID: 1bc5392f795ca86318d695e0947eaf71a5a4f6d9
2018-11-16upstream: typo in error message; caught by Debian lintian, viadjm@openbsd.org
Colin Watson OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758
2018-11-16upstream: correct local variable name; from yawang AT microsoft.comdjm@openbsd.org
OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
2018-11-16upstream: Import new moduli.dtucker@openbsd.org
OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
2018-11-16upstream: mention ssh-ed25519-cert-v01@openssh.com in list of certdjm@openbsd.org
key type at start of doc OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
2018-11-16Remove fallback check for /usr/local/ssl.Darren Tucker
If configure could not find a working OpenSSL installation it would fall back to checking in /usr/local/ssl. This made sense back when systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't use that as a default any more. The fallback behaviour also meant that if you pointed --with-ssl-dir at a specific directory and it didn't work, it would silently use either the system libs or the ones in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
2018-11-16Fix check for OpenSSL 1.0.1 exactly.Darren Tucker
Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix compile-time check for 1.0.1 to match.
2018-11-11Improve warnings in cygwin service setup.Darren Tucker
bz#2922, patch from vinschen at redhat.com.
2018-11-11Remove hardcoded service name in cygwin setup.Darren Tucker
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check by vinschen at redhat.com.
2018-11-10AC_CHECK_SIZEOF() no longer needs a second argument.Dag-Erling Smørgrav
2018-11-10Fix error message w/out nistp521.Manoj Ampalam
Correct error message when OpenSSL doesn't support certain ECDSA key lengths.
2018-11-09fix compilation with openssl built without ECCEneas U de Queiroz
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be guarded by OPENSSL_HAS_ECC Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-11-08Simplify OpenSSL 1.1 function checks.Darren Tucker
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single AC_CHECK_FUNCS. ok djm@
2018-11-05Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.Darren Tucker
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2018-10-31Import new moduli.Darren Tucker
2018-10-28Update check for minimum OpenSSL version.Darren Tucker
2018-10-28Update required OpenSSL versions to match current.Darren Tucker
2018-10-28Use detected version functions in openssl compat.Darren Tucker
Use detected functions in compat layer instead of guessing based on versions. Really fixes builds with LibreSSL, not just configure.
2018-10-27Check for the existence of openssl version funcs.Darren Tucker
Check for the existence of openssl version functions and use the ones detected instead of trying to guess based on the int32 version identifier. Fixes builds with LibreSSL.
2018-10-26fix builds on OpenSSL <= 1.0.xDamien Miller
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API to obtain version number, but they don't.
2018-10-23remove remaining references to SSLeayDamien Miller
Prompted by Rosen Penev
2018-10-23regen dependDamien Miller
2018-10-23upstream: refer to OpenSSL not SSLeay;djm@openbsd.org
we're old, but we don't have to act it OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
2018-10-23fix compile for openssl 1.0.x w/ --with-ssl-engineDamien Miller
bz#2921, patch from cotequeiroz
2018-10-22Include openssl compatibility.Darren Tucker
Patch from rosenp at gmail.com via openssh-unix-dev.
2018-10-22upstream: when printing certificate contents "ssh-keygen -Lfdjm@openbsd.org
/path/certificate", include the algorithm that the CA used to sign the cert. OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
2018-10-22upstream: struct sockaddr_storage is guaranteed to be large enough,florian@openbsd.org
no need to check the size. OK kn, deraadt OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
2018-10-17Require OpenSSL 1.1.x series 1.1.0g or greaterDamien Miller
Previous versions have a bug with EVP_CipherInit() when passed a NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613 ok dtucker@
2018-10-17unbreak compilation with --with-ssl-engineDamien Miller
Missing last argument to OPENSSL_init_crypto()
2018-10-16Remove gcc spectre mitigation flags.Darren Tucker
Current impementions of the gcc spectre mitigation flags cause miscompilations when combined with other flags and do not provide much protection. Found by fweimer at redhat.com, ok djm@
2018-10-16Avoid deprecated OPENSSL_config when using 1.1.xDamien Miller
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of OPENSSL_init_crypto; pointed out by Jakub Jelen
2018-10-12Don't avoid our *sprintf replacements.Darren Tucker
Don't let systems with broken printf(3) avoid our replacements via asprintf(3)/vasprintf(3) calling libc internally. From djm@
2018-10-12Check if snprintf understands %zu.Darren Tucker
If the platforms snprintf and friends don't understand %zu, use the compat replacement. Prevents segfaults on those platforms.
2018-10-12remove stale link, tweakDamien Miller
2018-10-12update version numbers ahead of releaseDamien Miller
2018-10-12upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names todjm@openbsd.org
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
2018-10-11update dependsDamien Miller
2018-10-11some more duplicated key algorithm linesDamien Miller
From Adam Eijdenberg
2018-10-11fix duplicated algorithm specification linesDamien Miller
Spotted by Adam Eijdenberg
2018-10-11upstream: typo in plain RSA algorithm counterpart names fordjm@openbsd.org
certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-08 00:39:24 +0000