Age | Commit message | Author
2015-01-09 | upstream commit | tedu@openbsd.org
workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm markus
2015-01-09 | upstream commit | djm@openbsd.org
KNF and add a little more debug()
2015-01-09 | upstream commit | jmc@openbsd.org
add fingerprinthash to the options list;
2015-01-09 | upstream commit | jmc@openbsd.org
tweak previous;
2014-12-30 | avoid uninitialised free of ldns_res | Damien Miller
If an invalid rdclass was passed to getrrsetbyname() then this would execute a free on an uninitialised pointer. OpenSSH only ever calls this with a fixed and valid rdclass. Reported by Joshua Rogers
2014-12-29 | pull updated OpenBSD BCrypt PBKDF implementation | Damien Miller
Includes fix for 1 byte output overflow for large key length requests (not reachable in OpenSSH). Pointed out by Joshua Rogers
2014-12-23 | fix variable name for IPv6 case in construct_utmpx | Damien Miller
patch from writeonce AT midipix.org via bz#2296
2014-12-23 | include and use OpenBSD netcat in regress/ | Damien Miller
2014-12-22 | upstream commit | djm@openbsd.org
mention ssh -Q feature to list supported { MAC, cipher, KEX, key } algorithms in more places and include the query string used to list the relevant information; bz#2288
2014-12-22 | upstream commit | jmc@openbsd.org
tweak previous;
2014-12-22 | upstream commit | djm@openbsd.org
regression test for multiple required pubkey authentication; ok markus@
2014-12-22 | upstream commit | djm@openbsd.org
correct description of what will happen when an AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd will refuse to start)
2014-12-22 | upstream commit | djm@openbsd.org
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised. Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
2014-12-22 | upstream commit | djm@openbsd.org
remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys. ok markus@
2014-12-22 | upstream commit | djm@openbsd.org
fix passing of wildcard forward bind addresses when connection multiplexing is in use; patch from Sami Hartikainen via bz#2324; ok dtucker@
2014-12-22 | upstream commit | djm@openbsd.org
make this slightly easier to diff against portable
2014-12-22 | add missing regress output file | Damien Miller
2014-12-22 | upstream commit | djm@openbsd.org
adjust for new SHA256 key fingerprints and slightly-different MD5 hex fingerprint format
2014-12-22 | upstream commit | djm@openbsd.org
poll changes to netcat (usr.bin/netcat.c r1.125) broke this test; fix it by ensuring more stdio fds are sent to devnull
2014-12-22 | upstream commit | jmc@openbsd.org
tweak previous;
2014-12-22 | upstream commit | djm@openbsd.org
document FingerprintHash here too
2014-12-22 | missing include for base64 encoding | Damien Miller
2014-12-22 | upstream commit | djm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-12-22 | upstream commit | djm@openbsd.org
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
2014-12-18 | upstream commit | djm@openbsd.org
revert chunk I didn't mean to commit yet; via jmc@
2014-12-18 | upstream libc change | Damien Miller
revision 1.2
date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV;
avoid left shift overflow in reallocarray.
Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting 1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with (size_t)1 so that we get the correct constant size for the platform.
discussed with tedu@ & deraadt@
2014-12-18 | include CFLAGS in gnome askpass targets | Damien Miller
from Fedora
2014-12-11 | upstream commit | djm@openbsd.org
explicitly include sys/param.h in files that use the howmany() macro; from portable
2014-12-11 | upstream commit | djm@openbsd.org
mention AuthorizedKeysCommandUser must be set for AuthorizedKeysCommand to be run; bz#2287
2014-12-11 | upstream commit | djm@openbsd.org
show in debug output which hostkeys are being tried when attempting hostbased auth; patch from Iain Morgan
2014-12-11 | upstream commit | djm@openbsd.org
Make manual reflect reality: sftp-server's -d option accepts a "%d" option, not a "%h" one. bz#2316; reported by Kirk Wolf
2014-12-10 | upstream commit | djm@openbsd.org
better error value for invalid signature length
2014-12-10 | Resync more with OpenBSD's rijndael.c, in particular "#if 0"-ing out some unused code. | Darren Tucker
Should fix compile error reported by plautrba at redhat.
2014-12-10 | Add reallocarray to compat library | Darren Tucker
2014-12-05 | upstream commit | djm@openbsd.org
add tests for new client RevokedHostKeys option; refactor to make it a bit more readable
2014-12-05 | upstream commit | krw@openbsd.org
Nuke yet more obvious #include duplications. ok deraadt@
2014-12-05 | upstream commit | djm@openbsd.org
key_in_file() wrapper is no longer used
2014-12-05 | upstream commit | djm@openbsd.org
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
2014-12-05 | upstream commit | djm@openbsd.org
convert KRL code to new buffer API ok markus@
2014-12-05 | upstream commit | millert@openbsd.org
Prefer setvbuf() to setlinebuf() for portability; ok deraadt@
2014-11-26 | upstream commit | jsg@openbsd.org
Fix crashes in the handling of the sshd config file found with the afl fuzzer. ok deraadt@ djm@
2014-11-26 | Avoid Cygwin ssh-host-config reading /etc/group | Damien Miller
Patch from Corinna Vinschen
2014-11-26 | allow custom service name for sshd on Cygwin | Damien Miller
Permits the use of multiple sshd running with different service names. Patch by Florian Friesdorf via Corinna Vinschen
2014-11-24 | upstream commit | jmc@openbsd.org
restore word zapped in previous, and remove some useless "No" macros;
2014-11-24 | upstream commit | deraadt@openbsd.org
/dev/random has created the same effect as /dev/arandom (and /dev/urandom) for quite some time. Mop up the last few, by using /dev/random where we actually want it, or not even mentioning arandom where it is irrelevant.
2014-11-24 | upstream commit | djm@openbsd.org
fix NULL pointer dereference crash on invalid timestamp found using Michal Zalewski's afl fuzzer
2014-11-24 | upstream commit | mikeb@openbsd.org
Sync AES code to the one shipped in OpenSSL/LibreSSL. This includes a commit made by Andy Polyakov <appro at openssl ! org> to the OpenSSL source tree on Wed, 28 Jun 2006 with the following message: "Mitigate cache-collision timing attack on last round." OK naddy, miod, djm
2014-11-24 | upstream commit | krw@openbsd.org
Nuke more obvious #include duplications. ok deraadt@ millert@ tedu@
2014-11-19 | upstream commit | djm@openbsd.org
fix KRL generation when multiple CAs are in use
We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
2014-11-18 | upstream commit | djm@openbsd.org
fix NULL pointer dereference crash in key loading found by Michal Zalewski's AFL fuzzer