Age | Commit message (Collapse) | Author |
|
EVP_sha256.
|
|
arc4random_stir for platforms that have arc4random but don't have
arc4random_stir (right now this is only OpenBSD -current).
|
|
[contrib/suse/openssh.spec] Update version numbers following release.
|
|
[version.h]
openssh-6.4
|
|
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
[clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
[sftp-client.c sftp-glob.c]
use calloc for all structure allocations; from markus@
|
|
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
|
|
[regress/rekey.sh]
Rekey less frequently during tests to speed them up
|
|
variable. It's no longer used now that we get the supported MACs from
ssh -Q.
|
|
[regress/kextype.sh]
trailing space
|
|
[regress/kextype.sh]
Use ssh -Q to get kex types instead of a static list.
|
|
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
Use ssh -Q instead of hardcoding lists of ciphers or MACs.
|
|
[regress/rekey.sh]
Factor out the data transfer rekey tests
|
|
[regress/rekey.sh]
Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
the GCM ciphers.
|
|
[regress/rekey.sh]
Test rekeying with all KexAlgorithms.
|
|
[regress/kextype.sh]
add curve25519-sha256@libssh.org
|
|
[regress/Makefile] (ID sync only)
regression test for sftp request white/blacklisting and readonly mode.
|
|
[ssh-pkcs11.c]
from portable: s/true/true_val/ to avoid name collisions on dump platforms
RCSID sync only
|
|
[monitor_wrap.c]
fix rekeying for AES-GCM modes; ok deraadt
|
|
[monitor.c]
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
RCSID sync only; I thought this was a merge botch and fixed it already
|
|
that lack it but have arc4random_uniform()
|
|
|
|
|
|
that got lost in recent merge.
|
|
KEX/curve25519 change
|
|
[roaming_common.c]
fix a couple of function definitions foo() -> foo(void)
(-Wold-style-definition)
|
|
[ssh_config.5 sshd_config.5]
the default kex is now curve25519-sha256@libssh.org
|
|
[auth-options.c]
no need to include monitor_wrap.h and ssh-gss.h
|
|
[kexdhs.c kexecdhs.c]
no need to include ssh-gss.h
|
|
[kexdhs.c kexecdhs.c]
no need to include monitor_wrap.h
|
|
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@
|
|
[ssh-pkcs11.c]
support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
fixes bz#1908; based on patch from Laurent Barbe; ok djm
|
|
for platforms that don't have them.
|
|
vsnprintf. From eric at openbsd via chl@.
|
|
From OpenSMTPD where it prevents "implicit declaration" warnings (it's
a no-op in OpenSSH). From chl at openbsd.
|
|
[sshd_config.5]
pty(4), not pty(7);
|
|
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
|
|
[key.c key.h]
fix potential stack exhaustion caused by nested certificates;
report by Mateusz Kocielski; ok dtucker@ markus@
|
|
[ssh.c]
fix crash when using ProxyCommand caused by previous commit - was calling
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
|
|
unnecessary arc4random_stir() calls. The only ones left are to ensure
that the PRNG gets a different state after fork() for platforms that
have broken the API.
|
|
|
|
[ssh.c]
fix bug introduced in hostname canonicalisation commit: don't try to
resolve hostnames when a ProxyCommand is set unless the user has forced
canonicalisation; spotted by Iain Morgan
|
|
[readconf.c servconf.c ssh_config.5 sshd_config.5]
Disallow empty Match statements and add "Match all" which matches
everything. ok djm, man page help jmc@
|
|
[moduli.c]
Periodically print progress and, if possible, expected time to completion
when screening moduli for DH groups. ok deraadt djm
|
|
[sshd.c]
include local address and port in "Connection from ..." message (only
shown at loglevel>=verbose)
|
|
[servconf.c]
fix comment
|
|
rather than full client name which may be of form user@REALM;
patch from Miguel Sanders; ok dtucker@
|
|
[ssh-keygen.c]
Make code match documentation: relative-specified certificate expiry time
should be relative to current time and not the validity start time.
Reported by Petr Lautrbach; ok deraadt@
|
|
[readconf.c ssh.c]
comment
|
|
[readconf.c]
Hostname may have %h sequences that should be expanded prior to Match
evaluation; spotted by Iain Morgan
|
|
[ssh_config.5]
tweak the "exec" description, as worded by djm;
|