summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-11-16upstream: typo in error message; caught by Debian lintian, viadjm@openbsd.org
Colin Watson OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758
2018-11-16upstream: correct local variable name; from yawang AT microsoft.comdjm@openbsd.org
OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
2018-11-16upstream: Import new moduli.dtucker@openbsd.org
OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
2018-11-16upstream: mention ssh-ed25519-cert-v01@openssh.com in list of certdjm@openbsd.org
key type at start of doc OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
2018-11-16Remove fallback check for /usr/local/ssl.Darren Tucker
If configure could not find a working OpenSSL installation it would fall back to checking in /usr/local/ssl. This made sense back when systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't use that as a default any more. The fallback behaviour also meant that if you pointed --with-ssl-dir at a specific directory and it didn't work, it would silently use either the system libs or the ones in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
2018-11-16Fix check for OpenSSL 1.0.1 exactly.Darren Tucker
Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix compile-time check for 1.0.1 to match.
2018-11-11Improve warnings in cygwin service setup.Darren Tucker
bz#2922, patch from vinschen at redhat.com.
2018-11-11Remove hardcoded service name in cygwin setup.Darren Tucker
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check by vinschen at redhat.com.
2018-11-10AC_CHECK_SIZEOF() no longer needs a second argument.Dag-Erling Smørgrav
2018-11-10Fix error message w/out nistp521.Manoj Ampalam
Correct error message when OpenSSL doesn't support certain ECDSA key lengths.
2018-11-09fix compilation with openssl built without ECCEneas U de Queiroz
ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be guarded by OPENSSL_HAS_ECC Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-11-08Simplify OpenSSL 1.1 function checks.Darren Tucker
Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single AC_CHECK_FUNCS. ok djm@
2018-11-05Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.Darren Tucker
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
2018-10-31Import new moduli.Darren Tucker
2018-10-28Update check for minimum OpenSSL version.Darren Tucker
2018-10-28Update required OpenSSL versions to match current.Darren Tucker
2018-10-28Use detected version functions in openssl compat.Darren Tucker
Use detected functions in compat layer instead of guessing based on versions. Really fixes builds with LibreSSL, not just configure.
2018-10-27Check for the existence of openssl version funcs.Darren Tucker
Check for the existence of openssl version functions and use the ones detected instead of trying to guess based on the int32 version identifier. Fixes builds with LibreSSL.
2018-10-26fix builds on OpenSSL <= 1.0.xDamien Miller
I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API to obtain version number, but they don't.
2018-10-23remove remaining references to SSLeayDamien Miller
Prompted by Rosen Penev
2018-10-23regen dependDamien Miller
2018-10-23upstream: refer to OpenSSL not SSLeay;djm@openbsd.org
we're old, but we don't have to act it OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
2018-10-23fix compile for openssl 1.0.x w/ --with-ssl-engineDamien Miller
bz#2921, patch from cotequeiroz
2018-10-22Include openssl compatibility.Darren Tucker
Patch from rosenp at gmail.com via openssh-unix-dev.
2018-10-22upstream: when printing certificate contents "ssh-keygen -Lfdjm@openbsd.org
/path/certificate", include the algorithm that the CA used to sign the cert. OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
2018-10-22upstream: struct sockaddr_storage is guaranteed to be large enough,florian@openbsd.org
no need to check the size. OK kn, deraadt OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
2018-10-17Require OpenSSL 1.1.x series 1.1.0g or greaterDamien Miller
Previous versions have a bug with EVP_CipherInit() when passed a NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613 ok dtucker@
2018-10-17unbreak compilation with --with-ssl-engineDamien Miller
Missing last argument to OPENSSL_init_crypto()
2018-10-16Remove gcc spectre mitigation flags.Darren Tucker
Current impementions of the gcc spectre mitigation flags cause miscompilations when combined with other flags and do not provide much protection. Found by fweimer at redhat.com, ok djm@
2018-10-16Avoid deprecated OPENSSL_config when using 1.1.xDamien Miller
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of OPENSSL_init_crypto; pointed out by Jakub Jelen
2018-10-12Don't avoid our *sprintf replacements.Darren Tucker
Don't let systems with broken printf(3) avoid our replacements via asprintf(3)/vasprintf(3) calling libc internally. From djm@
2018-10-12Check if snprintf understands %zu.Darren Tucker
If the platforms snprintf and friends don't understand %zu, use the compat replacement. Prevents segfaults on those platforms.
2018-10-12remove stale link, tweakDamien Miller
2018-10-12update version numbers ahead of releaseDamien Miller
2018-10-12upstream: don't send new-style rsa-sha2-*-cert-v01@openssh.com names todjm@openbsd.org
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
2018-10-11update dependsDamien Miller
2018-10-11some more duplicated key algorithm linesDamien Miller
From Adam Eijdenberg
2018-10-11fix duplicated algorithm specification linesDamien Miller
Spotted by Adam Eijdenberg
2018-10-11upstream: typo in plain RSA algorithm counterpart names fordjm@openbsd.org
certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11check pw_passwd != NULL here tooDamien Miller
Again, for systems with broken NIS implementations. Prompted by coolbugcheckers AT gmail.com
2018-10-11check for NULL return from shadow_pw()Damien Miller
probably unreachable on this platform; pointed out by coolbugcheckers AT gmail.com
2018-10-11upstream: introducing openssh 7.9deraadt@openbsd.org
OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25
2018-10-11supply callback to PEM_read_bio_PrivateKeyDamien Miller
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-10in pick_salt() avoid dereference of NULL passwordsDamien Miller
Apparently some NIS implementations can leave pw->pw_passwd (or the shadow equivalent) NULL. bz#2909; based on patch from Todd Eigenschink
2018-10-09upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrasedjm@openbsd.org
is specified as "incorrect passphrase" instead of trying to choose between that and "invalid format". libcrypto can return ASN1 parsing errors rather than the expected decrypt error in certain infrequent cases when trying to decrypt/parse PEM private keys when supplied with an invalid passphrase. Report and repro recipe from Thomas Deutschmann in bz#2901 ok markus@ OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-10-07upstream: Support using service names for port numbers.naddy@openbsd.org
* Try to resolve a port specification with getservbyname(3) if a numeric conversion fails. * Make the "Port" option in ssh_config handle its argument as a port rather than a plain integer. ok dtucker@ deraadt@ OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
2018-10-04upstream: when the peer sends a channel-close message, make sure wedjm@openbsd.org
close the local extended read fd (stderr) along with the regular read fd (stdout). Avoids weird stuck processed in multiplexing mode. Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863 ok dtucker@ markus@ OpenBSD-Commit-ID: a48a2467fe938de4de69d2e7193d5fa701f12ae9
2018-10-04upstream: factor out channel status formatting fromdjm@openbsd.org
channel_open_message() so we can use it in other debug messages OpenBSD-Commit-ID: 9c3903ca28fcabad57f566c9d0045b41ab7d52ba
2018-10-04upstream: include a little more information about the status anddjm@openbsd.org
disposition of channel's extended (stderr) fd; makes debugging some things a bit easier. No behaviour change. OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
2018-10-04upstream: explicit_bzero here to be consistent with other kex*.c;djm@openbsd.org
report from coolbugcheckers AT gmail.com OpenBSD-Commit-ID: a90f146c5b5f5b1408700395e394f70b440856cb