| Age | Commit message (Collapse) | Author |
|---|
|
[auth.c]
Fix comment, from jfree.e1 at gmail
|
|
[servconf.c sshd_config sshd_config.5]
Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
|
|
[krl.c]
actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
|
|
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
[openbsd-compat/openssl-compat.h]
remove ACSS, now that it is gone from libcrypto too
|
|
[krl.c]
redo last commit without the vi-vomit that snuck in:
skip serial lookup when cert's serial number is zero
(now with 100% better comment)
|
|
[krl.c]
Revert last. Breaks due to likely typo. Let djm@ fix later.
ok djm@ via dlg@
|
|
[krl.c]
skip serial lookup when cert's serial number is zero
|
|
- djm@cvs.openbsd.org 2013/01/24 21:45:37
[krl.c]
fix handling of (unused) KRL signatures; skip string in correct buffer
|
|
libcrypto that lacks EVP_CIPHER_CTX_ctrl
|
|
__attribute__ on return values and work around if necessary. ok djm@
|
|
patch from Iain Morgan in bz#2059
|
|
at configure time; the seccomp sandbox will fall back to rlimit at
runtime anyway. Patch from plautrba AT redhat.com in bz#2011
|
|
|
|
version.
|
|
[krl.c]
RB_INSERT does not remove existing elments; ok djm@
|
|
[ssh-keygen.1]
fix some formatting; ok djm
|
|
[ssh-keygen.1]
command-line (adj.) -> command line (n.);
|
|
[ssh-keygen.1]
add -Q to the options list; ok djm
|
|
[sshd_config.5]
tweak previous;
|
|
[ssh-keygen.c]
-u before -V in usage();
|
|
[ssh-keygen.1]
tweak previous;
|
|
Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
prototypes for openssl-1.0.0-fips.
|
|
[krl.c]
fix KRL generation bug for list sections
|
|
[regress/Makefile regress/cert-userkey.sh regress/krl.sh]
Tests for Key Revocation Lists (KRLs)
|
|
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
|
check for GCM support before testing GCM ciphers.
|
|
|
|
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
test AES-GCM modes; feedback markus@
|
|
[cipher.c]
improve error message for integrity failure in AES-GCM modes; ok markus@
|
|
[ssh-keygen.c]
correctly initialise fingerprint type for fingerprinting PKCS#11 keys
|
|
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
cipher compat code to openssl-compat.h
|
|
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
[myproposal.h packet.c ssh_config.5 sshd_config.5]
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@
|
|
[sftp-server.8 sftp-server.c]
sftp-server.8: add argument name to -d
sftp-server.c: add -d to usage()
ok djm
|
|
[ssh-keygen.c]
allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
ok markus@
|
|
[sftp-server.8 sftp-server.c]
allow specification of an alternate start directory for sftp-server(8)
"I like this" markus@
|
|
[PROTOCOL]
fix description of MAC calculation for EtM modes; ok markus@
|
|
[servconf.h]
add a couple of ServerOptions members that should be copied to the privsep
child (for consistency, in this case they happen only to be accessed in
the monitor); ok dtucker@
|
|
[PROTOCOL.agent]
correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
bz#2051 from david AT lechnology.com
|
|
[clientloop.c mux.c]
channel_setup_local_fwd_listener() returns 0 on failure, not -ve
bz#2055 reported by mathieu.lacage AT gmail.com
|
|
[auth.c]
use correct string in error message; from rustybsd at gmx.fr
|
|
tests will work with VPATH directories.
|
|
|
|
compat code for older OpenSSL
|
|
[packet.c]
reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only parially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert
|
|
|
|
|
|
work on platforms without 'jot'
|
|
|
|
[try-ciphers.sh]
add hmac-ripemd160-etm@openssh.com
|
|
[regress/Makefile regress/modpipe.c regress/integrity.sh]
test the integrity of the packets; with djm@
|
