summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-09-12Resync ssh-keygen -W error message with upstream.Darren Tucker
2016-09-12Move ssh-keygen -W handling code to match upstreamDarren Tucker
2016-09-12Move ssh-keygen -T handling code to match upstream.Darren Tucker
2016-09-12Move -M handling code to match upstream.Darren Tucker
2016-09-12upstream commitdtucker@openbsd.org
Spaces->tabs. Upstream-ID: f4829dfc3f36318273f6082b379ac562eead70b7
2016-09-12upstream commitdtucker@openbsd.org
Style whitespace fix. Also happens to remove a no-op diff with portable. Upstream-ID: 45d90f9a62ad56340913a433a9453eb30ceb8bf3
2016-09-12upstream commitderaadt@openbsd.org
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12upstream commitjmc@openbsd.org
sort; from matthew martin Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7
2016-09-12upstream commitmarkus@openbsd.org
ssh_set_newkeys: print correct block counters on rekeying; ok djm@ Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e
2016-09-12upstream commitmarkus@openbsd.org
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@ Upstream-ID: 2ceaa1076e19dbd3542254b4fb8e42d608f28856
2016-09-12upstream commitdjm@openbsd.org
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway. ok deraadt, markus, dtucker Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
2016-09-12upstream commitdjm@openbsd.org
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@ Upstream-ID: d4bc0e70e1be403735d3d9d7e176309b1fd626b9
2016-09-12Restore ssh-keygen's -J and -j option handling.Darren Tucker
These were incorrectly removed in the 1d9a2e28 sync commit.
2016-08-31tighten PAM monitor callsDamien Miller
only allow kbd-interactive ones when that authentication method is enabled. Prompted by Solar Designer
2016-08-31upstream commitdjm@openbsd.org
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration. prompted by Solar Designer; ok markus dtucker Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
2016-08-29Tighten monitor state-machine flow for PAM callsDamien Miller
(attack surface reduction)
2016-08-29upstream commitdjm@openbsd.org
fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin. Reported by James Slepicka ok deraadt@ Upstream-ID: 1987ccee508ba5b18f016c85100d7ac3f70ff965
2016-08-29upstream commitguenther@openbsd.org
Pull in <sys/time.h> for struct timeval ok deraadt@ Upstream-ID: ae34525485a173bccd61ac8eefeb91c57e3b7df6
2016-08-29upstream commitguenther@openbsd.org
Pull in <stdlib.h> for NULL ok deraadt@ Upstream-ID: 7baa6a0f1e049bb3682522b4b95a26c866bfc043
2016-08-29upstream commitdjm@openbsd.org
add a sIgnore opcode that silently ignores options and use it to suppress noisy deprecation warnings for the Protocol directive. req henning, ok markus Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
2016-08-29upstream commitdjm@openbsd.org
remove superfluous NOTREACHED comment Upstream-ID: a7485c1f1be618e8c9e38fd9be46c13b2d03b90c
2016-08-29upstream commitotto@openbsd.org
fix previous, a condition was modified incorrectly; ok markus@ deraadt@ Upstream-ID: c443e339768e7ed396dff3bb55f693e7d3641453
2016-08-29upstream commitdjm@openbsd.org
downgrade an error() to a debug2() to match similar cases in addr_match_list() Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c
2016-08-23upstream commitdjm@openbsd.org
remove Protocol directive from client/server configs that causes spammy deprecation warnings hardcode SSH_PROTOCOLS=2, since that's all we support on the server now (the client still may support both, so it could get confused) Upstream-Regress-ID: c16662c631af51633f9fd06aca552a70535de181
2016-08-23hook match and utf8 unittests up to MakefileDamien Miller
2016-08-23upstream commitdjm@openbsd.org
add tests for matching functions Upstream-Regress-ID: 0869d4f5c5d627c583c6a929d69c17d5dd65882c
2016-08-23removing UseLogin bits from configure.acDamien Miller
2016-08-23upstream commitdjm@openbsd.org
fix negated address matching where the address list consists of a single negated match, e.g. "Match addr !192.20.0.1" Report and patch from Jakub Jelen. bz#2397 ok dtucker@ Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8
2016-08-23upstream commitdjm@openbsd.org
fix matching for pattern lists that contain a single negated match, e.g. "Host !example" report and patch from Robin Becker. bz#1918 ok dtucker@ Upstream-ID: 05a0cb323ea4bc20e98db099b42c067bfb9ea1ea
2016-08-23upstream commitdjm@openbsd.org
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23upstream commitnaddy@openbsd.org
Catch up with the SSH1 code removal and delete all mention of protocol 1 particularities, key files and formats, command line options, and configuration keywords from the server documentation and examples. ok jmc@ Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2016-08-23upstream commitnaddy@openbsd.org
Remove more SSH1 server code: * Drop sshd's -k option. * Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword. * Remove some related vestiges of protocol 1 support. ok markus@ Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
2016-08-17Only check for prctl once.Darren Tucker
2016-08-17Fix typo.Darren Tucker
2016-08-17Correct LDFLAGS for clang example.Darren Tucker
--with-ldflags isn't used until after the -ftrapv test, so mention LDFLAGS instead for now.
2016-08-17Remove obsolete CVS $Id from source files.Darren Tucker
Since -portable switched to git the CVS $Id tags are no longer being updated and are becoming increasingly misleading. Remove them.
2016-08-17Remove now-obsolete CVS $Id tags from text files.Darren Tucker
Since -portable switched to git, the CVS $Id tags are no longer being updated and are becoming increasingly misleading. Remove them.
2016-08-17Add a section for compiler specifics.Darren Tucker
Add a section for compiler specifics and document the runtime requirements for clang's integer sanitization.
2016-08-17Test multiplying two long long ints.Darren Tucker
When using clang with -ftrapv or -sanitize=integer the tests would pass but linking would fail with "undefined reference to __mulodi4". Explicitly test for this before enabling -trapv.
2016-08-16add a --with-login-program configure argumentDamien Miller
Saves messing around with LOGIN_PROGRAM env var, which come packaging environments make hard to do during configure phase.
2016-08-16add --with-pam-service to specify PAM service nameDamien Miller
Saves messing around with CFLAGS to do it.
2016-08-16fix false positives when compiled with msanDamien Miller
Our explicit_bzero successfully confused clang -fsanitize-memory in to thinking that memset is never called to initialise memory. Ensure that it is called in a way that the compiler recognises.
2016-08-14upstream commitmarkus@openbsd.org
remove ssh1 server code; ok djm@ Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14upstream commitjca@openbsd.org
Use 2001:db8::/32, the official IPv6 subnet for configuration examples. This makes the IPv6 example consistent with IPv4, and removes a dubious mention of a 6bone subnet. ok sthen@ millert@ Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
2016-08-14upstream commitdtucker@openbsd.org
Update moduli file. Upstream-ID: 6da9a37f74aef9f9cc639004345ad893cad582d8
2016-08-11Import updated moduli.Darren Tucker
2016-08-09upstream commitdtucker@openbsd.org
Improve error message for overlong ControlPath. ok markus@ djm@ Upstream-ID: aed374e2e88dd3eb41390003e5303d0089861eb5
2016-08-09upstream commitdjm@openbsd.org
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@ Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
2016-08-03upstream commitdtucker@openbsd.org
Fix bug introduced in rev 1.467 which causes "buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1 and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol 2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de, ok deraadt@ Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
2016-08-03upstream commitdjm@openbsd.org
better bounds check on iovcnt (we only ever use fixed, positive values) Upstream-ID: 9baa6eb5cd6e30c9dc7398e5fe853721a3a5bdee