summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-01-17 - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if weDarren Tucker
need them to cut down on the name collisions.
2014-01-17 - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.cDarren Tucker
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs to be useful (and for the regression tests to pass) on platforms that have statfs and fstatfs. ok djm@
2014-01-17 - (dtucker) Fix typo in #ifndef.Darren Tucker
2014-01-17 - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.cDarren Tucker
openbsd-compat/openssl-compat.h] Add compatibility layer for older openssl versions. ok djm@
2014-01-17 - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]Damien Miller
[sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
2014-01-17 - dtucker@cvs.openbsd.org 2014/01/17 05:26:41Darren Tucker
[digest.c] remove unused includes. ok djm@
2014-01-17 - djm@cvs.openbsd.org 2014/01/17 00:21:06Darren Tucker
[sftp-client.c] signed/unsigned comparison warning fix; from portable (Id sync only)
2014-01-17 - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions intoDarren Tucker
separate lines and alphabetize for easier diffing of changes.
2014-01-17 - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms thatDarren Tucker
don't have them.
2014-01-17 - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include insideDarren Tucker
#ifdef HAVE_STDINT_H.
2014-01-17 - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] IncludeDarren Tucker
includes.h to pull in all of the compatibility stuff.
2014-01-17 - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.Darren Tucker
2014-01-17 - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.Darren Tucker
2014-01-17 - (dtucker) [loginrec.c] Cast to the types specfied in the formatDarren Tucker
specification to prevent warnings.
2014-01-17 - (djm) [sftp-client.c] signed/unsigned comparison fixDamien Miller
2014-01-17 - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchainDarren Tucker
hardening flags including -fstack-protector-strong. These default to on if the toolchain supports them, but there is a configure-time knob (--without-hardening) to disable them if necessary. ok djm@
2014-01-16 - (djm) [README] update release notes URL.Damien Miller
2014-01-16 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank RPM spec version numbers.
2014-01-16 - djm@cvs.openbsd.org 2014/01/16 07:32:00Damien Miller
[version.h] openssh-6.5
2014-01-16 - djm@cvs.openbsd.org 2014/01/16 07:31:09Damien Miller
[sftp-client.c] needless and incorrect cast to size_t can break resumption of large download; patch from tobias@
2014-01-12 - djm@cvs.openbsd.org 2014/01/12 08:13:13Damien Miller
[bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
2014-01-12 - djm@cvs.openbsd.org 2014/01/10 05:59:19Damien Miller
[sshd_config] the /etc/ssh/ssh_host_ed25519_key is loaded by default too
2014-01-10 - djm@cvs.openbsd.org 2014/01/09 23:26:48Damien Miller
[sshconnect.c sshd.c] ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, deranged and might make some attacks on KEX easier; ok markus@
2014-01-10 - djm@cvs.openbsd.org 2014/01/09 23:20:00Damien Miller
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
2014-01-10 - guenther@cvs.openbsd.org 2014/01/09 03:26:00Damien Miller
[sftp-common.c] When formating the time for "ls -l"-style output, show dates in the future with the year, and rearrange a comparison to avoid a potentional signed arithmetic overflow that would give the wrong result. ok djm@
2014-01-10 - tedu@cvs.openbsd.org 2014/01/04 17:50:55Damien Miller
[mac.c monitor_mm.c monitor_mm.h xmalloc.c] use standard types and formats for size_t like variables. ok dtucker
2014-01-08 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@Damien Miller
2013-12-31 - djm@cvs.openbsd.org 2013/12/30 23:52:28Damien Miller
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] refuse RSA keys from old proprietary clients/servers that use the obsolete RSA+MD5 signature scheme. it will still be possible to connect with these clients/servers but only DSA keys will be accepted, and we'll deprecate them entirely in a future release. ok markus@
2013-12-29 - (djm) [regress/Makefile] Add some generated files for cleaningDamien Miller
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 05:57:02Damien Miller
[sshconnect.c] when showing other hostkeys, don't forget Ed25519 keys
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 05:42:16Damien Miller
[ssh.c] don't forget to load Ed25519 certs too
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 04:35:50Damien Miller
[authfile.c] don't refuse to load Ed25519 certificates
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 04:29:25Damien Miller
[authfd.c] allow deletion of ed25519 keys from the agent
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 04:20:04Damien Miller
[key.c] to make sure we don't omit any key types as valid CA keys again, factor the valid key type check into a key_type_is_valid_ca() function
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 02:49:52Damien Miller
[key.c] correct comment for key_drop_cert()
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 02:37:04Damien Miller
[key.c] correct comment for key_to_certified()
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 02:28:10Damien Miller
[key.c] allow ed25519 keys to appear as certificate authorities
2013-12-29 - djm@cvs.openbsd.org 2013/12/27 22:37:18Damien Miller
[ssh-rsa.c] correct comment
2013-12-29 - djm@cvs.openbsd.org 2013/12/27 22:30:17Damien Miller
[ssh-dss.c ssh-ecdsa.c ssh-rsa.c] make the original RSA and DSA signing/verification code look more like the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type rather than tediously listing all variants, use __func__ for debug/ error messages
2013-12-29 - tedu@cvs.openbsd.org 2013/12/21 07:10:47Damien Miller
[ssh-keygen.1] small typo
2013-12-29 - djm@cvs.openbsd.org 2013/12/19 22:57:13Damien Miller
[poly1305.c poly1305.h] use full name for author, with his permission
2013-12-29 - djm@cvs.openbsd.org 2013/12/19 01:19:41Damien Miller
[ssh-agent.c] bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; ok dtucker
2013-12-29 - djm@cvs.openbsd.org 2013/12/19 01:04:36Damien Miller
[channels.c] bz#2147: fix multiple remote forwardings with dynamically assigned listen ports. In the s->c message to open the channel we were sending zero (the magic number to request a dynamic port) instead of the actual listen port. The client therefore had no way of discriminating between them. Diagnosis and fix by ronf AT timeheart.net
2013-12-29 - djm@cvs.openbsd.org 2013/12/19 00:27:57Damien Miller
[auth-options.c] simplify freeing of source-address certificate restriction
2013-12-29 - dtucker@cvs.openbsd.org 2013/12/19 00:19:12Damien Miller
[serverloop.c] Cast client_alive_interval to u_int64_t before assinging to max_time_milliseconds to avoid potential integer overflow in the timeout. bz#2170, patch from Loganaden Velvindron, ok djm@
2013-12-29 - djm@cvs.openbsd.org 2013/12/19 00:10:30Damien Miller
[ssh-add.c] skip requesting smartcard PIN when removing keys from agent; bz#2187 patch from jay AT slushpupie.com; ok dtucker
2013-12-29 - (djm) [loginrec.c] Check for username truncation when looking up lastlogDamien Miller
entries
2013-12-2120131221Darren Tucker
- (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
2013-12-19 - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().Darren Tucker
Patch from Loganaden Velvindron.
2013-12-19 - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versionsDarren Tucker
greater than 11 either rather than just 11. Patch from Tomas Kuthan.