Age | Commit message (Collapse) | Author |
|
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
|
|
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
|
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2015-08-19
Patch-Name: selinux-role.patch
|
|
|
|
|
|
On some platforms the native realpath doesn't work with non-existent
files (this is actually specified in some versions of POSIX), however
the sftp spec says its realpath with "canonicalize any given path name".
On those platforms, use realpath from the compat library.
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
the realpath symbol to the checked version, so redefine ours to
something else so we pick up the compat version we want.
bz#2428, ok djm@
|
|
ok djm, sanity check by Corinna Vinschen.
|
|
- tedu@cvs.openbsd.org 2015/01/12 03:20:04
[bcrypt_pbkdf.c]
rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
nor are they the same size.
|
|
- deraadt@cvs.openbsd.org 2015/01/08 00:30:07
[bcrypt_pbkdf.c]
declare a local version of MIN(), call it MINIMUM()
|
|
- djm@cvs.openbsd.org 2014/12/30 01:41:43
[bcrypt_pbkdf.c]
typo in comment: ouput => output
|
|
This might help with the reported problem cross compiling for Android
("error: expected identifier or '(' before numeric constant") but
shouldn't hurt in any case.
|
|
|
|
From FreeBSD.
|
|
|
|
Remove ssh_get_progname's dependency on xmalloc, which should reduce
link order problems. ok djm@
|
|
_NSIG is only unsed in one file, so move it there prevent redefinition
warnings reported by Kevin Brott.
|
|
Our getaddrinfo implementation always returns numeric values already.
|
|
|
|
|
|
|
|
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
|
|
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
|
|
If an invalid rdclass was passed to getrrsetbyname() then
this would execute a free on an uninitialised pointer.
OpenSSH only ever calls this with a fixed and valid rdclass.
Reported by Joshua Rogers
|
|
Includes fix for 1 byte output overflow for large key length
requests (not reachable in OpenSSH).
Pointed out by Joshua Rogers
|
|
revision 1.2
date: 2014/12/08 03:45:00; author: bcook; state: Exp; lines: +2 -2; commitid: 7zWEBgJJOCZ2hvTV;
avoid left shift overflow in reallocarray.
Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting
1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with
(size_t)1 so that we get the correct constant size for the platform.
discussed with tedu@ & deraadt@
|
|
|
|
[openbsd-compat/openbsd-compat.h] Kludge around bad glibc
_FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
ok dtucker@
|
|
|
|
|
|
OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
|
|
using memset_s() where possible; improve fallback to indirect bzero
via a volatile pointer to give it more of a chance to avoid being
optimised away.
|
|
definition mismatch) and warning for broken/missing snprintf case.
|
|
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
|
|
in servconf.h.
|
|
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
[sshconnect2.c sshd.c sshkey.c sshkey.h
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.
NB. This commit also removes portable OpenSSH support for OpenSSL
<0.9.8e.
|
|
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
Move the OpenSSL header/library version test into its own function and add
tests for it. Fix it to allow fix version upgrades (but not downgrades).
Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
ok djm@ chl@
|
|
assigment that might get optimized out. ok djm@
|
|
[openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
separation user at runtime, since it may need to be a domain account.
Patch from Corinna Vinschen.
|
|
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
|
|
before freeing since free(NULL) is a no-op. ok djm.
|
|
|
|
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
|
|
platform that is expected to use the reuse-argv style setproctitle
hack surprises us by providing a setproctitle in libc; ok dtucker
|
|
declarations that stopped being included when we stopped including
<windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at
redhat.com.
|
|
need them to cut down on the name collisions.
|
|
openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
to be useful (and for the regression tests to pass) on platforms that
have statfs and fstatfs. ok djm@
|
|
|
|
openbsd-compat/openssl-compat.h] Add compatibility layer for older
openssl versions. ok djm@
|
|
#ifdef HAVE_STDINT_H.
|
|
Vinschen
|