Age | Commit message (Collapse) | Author |
|
[addrmatch.c]
Cast the sizeof to socklen_t so it'll work even if the supplied len is
negative. Suggested by and ok djm, ok deraadt.
|
|
[ssh_config.5]
fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
|
|
[canohost.c addrmatch.c]
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
the ip options, both to prevent signed/unsigned comparison warnings.
Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
|
|
[session.c]
explicitly define USE_PIPES to 1 to prevent redefinition warnings in
portable on platforms that use pipes for everything. From redhat @
redhat.
|
|
[sftp-server.c]
fix log message statvfs. ok djm
|
|
return value check for cap_enter() consistent with the other uses in
FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140.
|
|
optind) are defined in getopt.h already. Unfortunately they are defined as
"declspec(dllimport)" for historical reasons, because the GNU linker didn't
allow auto-import on PE/COFF targets way back when. The problem is the
dllexport attributes collide with the definitions in the various source
files in OpenSSH, which obviousy define the variables without
declspec(dllimport). The least intrusive way to get rid of these warnings
is to disable warnings for GCC compiler attributes when building on Cygwin.
Patch from vinschen at redhat.com.
|
|
declarations that stopped being included when we stopped including
<windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at
redhat.com.
|
|
from vinschen at redhat.com
|
|
they're defined if we have to define them ourselves. Fixes builds on old
AIX.
|
|
Solaris.
|
|
stack-protector since that has a separate flag that's been around a while.
|
|
|
|
need them to cut down on the name collisions.
|
|
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
to be useful (and for the regression tests to pass) on platforms that
have statfs and fstatfs. ok djm@
|
|
|
|
openbsd-compat/openssl-compat.h] Add compatibility layer for older
openssl versions. ok djm@
|
|
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
[sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
|
|
[digest.c]
remove unused includes. ok djm@
|
|
[sftp-client.c]
signed/unsigned comparison warning fix; from portable (Id sync only)
|
|
separate lines and alphabetize for easier diffing of changes.
|
|
don't have them.
|
|
#ifdef HAVE_STDINT_H.
|
|
includes.h to pull in all of the compatibility stuff.
|
|
|
|
|
|
specification to prevent warnings.
|
|
|
|
hardening flags including -fstack-protector-strong. These default to on
if the toolchain supports them, but there is a configure-time knob
(--without-hardening) to disable them if necessary. ok djm@
|
|
|
|
[contrib/suse/openssh.spec] Crank RPM spec version numbers.
|
|
[version.h]
openssh-6.5
|
|
[sftp-client.c]
needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@
|
|
[bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
[kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@
|
|
[sshd_config]
the /etc/ssh/ssh_host_ed25519_key is loaded by default too
|
|
[sshconnect.c sshd.c]
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
|
|
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
[kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
[kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
[schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@
|
|
[sftp-common.c]
When formating the time for "ls -l"-style output, show dates in the future
with the year, and rearrange a comparison to avoid a potentional signed
arithmetic overflow that would give the wrong result.
ok djm@
|
|
[mac.c monitor_mm.c monitor_mm.h xmalloc.c]
use standard types and formats for size_t like variables. ok dtucker
|
|
|
|
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
|
|
|
|
[sshconnect.c]
when showing other hostkeys, don't forget Ed25519 keys
|
|
[ssh.c]
don't forget to load Ed25519 certs too
|
|
[authfile.c]
don't refuse to load Ed25519 certificates
|
|
[authfd.c]
allow deletion of ed25519 keys from the agent
|
|
[key.c]
to make sure we don't omit any key types as valid CA keys again,
factor the valid key type check into a key_type_is_valid_ca()
function
|
|
[key.c]
correct comment for key_drop_cert()
|
|
[key.c]
correct comment for key_to_certified()
|
|
[key.c]
allow ed25519 keys to appear as certificate authorities
|