Age | Commit message | Author
2016-05-02 | upstream commit | djm@openbsd.org
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group) based on patch from Mark D. Baushke and Darren Tucker ok markus@ Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-05-02 | upstream commit | djm@openbsd.org
support SHA256 and SHA512 RSA signatures in certificates; ok markus@ Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
2016-05-02 | upstream commit | djm@openbsd.org
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@ Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-04-29 | upstream commit | djm@openbsd.org
close ControlPersist background process stderr when not in debug mode or when logging to a file or syslog. bz#1988 ok dtucker Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
2016-04-29 | upstream commit | djm@openbsd.org
fix comment Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15
2016-04-28 | upstream commit | jmc@openbsd.org
cidr permitted for {allow,deny}users; from lars nooden ok djm Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
2016-04-21 | upstream commit | djm@openbsd.org
make argument == NULL tests more consistent Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d
2016-04-21 | upstream commit | jmc@openbsd.org
tweak previous; Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
2016-04-15 | upstream commit | djm@openbsd.org
missing bit of Include regress Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f
2016-04-15 | upstream commit | djm@openbsd.org
remove redundant CLEANFILES section Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587
2016-04-15 | upstream commit | djm@openbsd.org
sync CLEANFILES with portable, sort Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed
2016-04-15 | upstream commit | djm@openbsd.org
regression test for ssh_config Include directive Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e
2016-04-15 | upstream commit | djm@openbsd.org
unbreak test for recent ssh de-duplicated forwarding change Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3
2016-04-15 | upstream commit | djm@openbsd.org
add test knob and warning for StrictModes Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682
2016-04-15 | upstream commit | djm@openbsd.org
Include directive for ssh_config(5); feedback & ok markus@ Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-04-13 | ignore PAM environment vars when UseLogin=yes | Damien Miller
If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
2016-04-13 | upstream commit | djm@openbsd.org
make private key loading functions consistently handle NULL key pointer arguments; ok markus@ Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761
2016-04-08 | Remove NO_IPPORT_RESERVED_CONCEPT | Darren Tucker
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have the same effect without causing problems syncing patches with OpenBSD. Resync the two affected functions with OpenBSD. ok djm, sanity checked by Corinna.
2016-04-08 | upstream commit | djm@openbsd.org
whitespace at EOL Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6
2016-04-08 | upstream commit | djm@openbsd.org
We accidentally send an empty string and a zero uint32 with every direct-streamlocal@openssh.com channel open, in contravention of our own spec. Fixing this is too hard wrt existing versions that expect these fields to be present and fatal() if they aren't, so document them as "reserved" fields in the PROTOCOL spec as though we always intended this and let us never speak of it again. bz#2529, reported by Ron Frederick Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7
2016-04-08 | upstream commit | djm@openbsd.org
don't record duplicate LocalForward and RemoteForward entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation where the same forwards are added on the second pass through the configuration file. bz#2562; ok dtucker@ Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
2016-04-08 | upstream commit | krw@openbsd.org
Another use for fcntl() and thus of the superfluous 3rd parameter is when sanitising standard fd's before calling daemon(). Use a tweaked version of the ssh(1) function in all three places found using fcntl() this way. ok jca@ beck@ Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
2016-04-04 | Tidy up openssl header test. | Darren Tucker
2016-04-04 | Fix configure-time warnings for openssl test. | Darren Tucker
2016-04-01 | upstream commit | djm@openbsd.org
whitespace at EOL Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
2016-04-01 | upstream commit | dtucker@openbsd.org
Remove fallback from moduli to "primes" file that was deprecated in 2001 and fix log messages referring to primes file. Based on patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@ Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
2016-03-18 | upstream commit | djm@openbsd.org
UseDNS affects ssh hostname processing in authorized_keys, not known_hosts; bz#2554 reported by jjelen AT redhat.com Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
2016-03-15 | Don't call Solaris setproject() with UsePAM=yes. | Darren Tucker
When Solaris Projects are enabled along with PAM setting the project is PAM's responsibility. bz#2425, based on patch from brent.paulson at gmail.com.
2016-03-15 | remove slogin from *.spec | Damien Miller
2016-03-15 | upstream commit | djm@openbsd.org
unbreak authentication using lone certificate keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself. bz#2550 reported by Peter Moody Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
2016-03-15 | upstream commit | djm@openbsd.org
sanitise characters destined for xauth reported by github.com/tintinweb feedback and ok deraadt and markus Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
2016-03-14 | Pass supported malloc options to connect-privsep. | Darren Tucker
This allows us to activate only the supported options during the malloc option portion of the connect-privsep test.
2016-03-14 | Remove leftover roaming.h file. | Darren Tucker
Pointed out by des at des.no.
2016-03-14 | Quote variables that may contain whitespace. | Darren Tucker
The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to survive paths containing whitespace. bz#2551, from Corinna Vinschen via Philip Hands.
2016-03-11 | Include priv.h for priv_set_t. | Darren Tucker
From alex at cooperi.net.
2016-03-10 | Import openssh_7.2p2.orig.tar.gz | Colin Watson
2016-03-10 | update versions for release | Damien Miller
2016-03-10 | sanitise characters destined for xauth(1) | Damien Miller
reported by github.com/tintinweb
2016-03-09 | Wrap stdint.h inside #ifdef HAVE_STDINT_H. | Darren Tucker
2016-03-09 | Add compat to monotime_double(). | Darren Tucker
Apply all of the portability changes in monotime() to monotime() double. Fixes build on at least older FreeBSD systems.
2016-03-08 | make a regress-binaries target | Damien Miller
Easier to build all the regression/unit test binaries in one pass than going through all of ${REGRESS_BINARIES}
2016-03-08 | unbreak kexfuzz for -Werror without __bounded__ | Damien Miller
2016-03-08 | unbreak PAM after canohost refactor | Damien Miller
2016-03-08 | auth_get_canonical_hostname in portable code. | Darren Tucker
"refactor canohost.c" replaced get_canonical_hostname, this makes the same change to some portable-specific code.
2016-03-08 | upstream commit | djm@openbsd.org
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@ Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-04 | hook unittests/misc/kexfuzz into build | Damien Miller
2016-03-04 | upstream commit | dtucker@openbsd.org
Filter debug messages out of log before picking the last two lines. Should prevent problems if any more debug output is added late in the connection. Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
2016-03-04 | upstream commit | djm@openbsd.org
add KEX fuzzer harness; ok deraadt@ Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1
2016-03-04 | upstream commit | dtucker@openbsd.org
Look back 3 lines for possible error messages. Changes to the code mean that "Bad packet length" errors are 3 lines back instead of the previous two, which meant we didn't skip some offsets that we intended to. Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684
2016-03-04 | upstream commit | djm@openbsd.org
fix ClientAliveInterval when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252 report and analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@ Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81