summaryrefslogtreecommitdiff
path: root/ssh-keyscan.c
AgeCommit message (Collapse)Author
2019-06-08upstream: Replace calls to ssh_malloc_init() by a static init ofotto@openbsd.org
malloc_options. Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@ OpenBSD-Commit-ID: 154f4e3e174f614b09f792d4d06575e08de58a6b
2019-01-27upstream: make ssh-keyscan return a non-zero exit status if itdjm@openbsd.org
finds no keys. bz#2903 OpenBSD-Commit-ID: 89f1081fb81d950ebb48e6e73d21807b2723d488
2019-01-21upstream: rename kex->kem_client_pub -> kex->client_pub now thatdjm@openbsd.org
KEM has been renamed to kexgen from markus@ ok djm@ OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
2019-01-21upstream: use KEM API for vanilla ECDHdjm@openbsd.org
from markus@ ok djm@ OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
2019-01-21upstream: use KEM API for vanilla DH KEXdjm@openbsd.org
from markus@ ok djm@ OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
2019-01-21upstream: use KEM API for vanilla c25519 KEXdjm@openbsd.org
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
2019-01-21upstream: Add support for a PQC KEX/KEM:djm@openbsd.org
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@ OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
2019-01-20last bits of old packet API / active_state globalDamien Miller
2018-06-07upstream: switch config file parsing to getline(3) as this avoidsmarkus@openbsd.org
static limits noted by gerhard@; ok dtucker@, djm@ OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-03-03upstream: apply a lick of paint; tweaks/ok dtuckerjmc@openbsd.org
OpenBSD-Commit-ID: 518a6736338045e0037f503c21027d958d05e703
2018-02-26upstream: Add experimental support for PQC XMSS keys (Extendedmarkus@openbsd.org
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-23upstream: Add ssh-keyscan -D option to make it print its results indjm@openbsd.org
SSHFP format bz#2821, ok dtucker@ OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
2017-11-28upstream commitdtucker@openbsd.org@openbsd.org
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@ OpenBSD-Commit-ID: 74d684264814ff806f197948b87aa732cb1b0b8a
2017-06-30upstream commitdtucker@openbsd.org
Only call close once in confree(). ssh_packet_close will close the FD so only explicitly close non-SSH channels. bz#2734, from bagajjal at microsoft.com, ok djm@ Upstream-ID: a81ce0c8b023527167739fccf1732b154718ab02
2017-06-01upstream commitmarkus@openbsd.org
remove now obsolete ctx from ssh_dispatch_run; ok djm@ Upstream-ID: 9870aabf7f4d71660c31fda91b942b19a8e68d29
2017-05-01upstream commitdjm@openbsd.org
obliterate ssh1.h and some dead code that used it ok markus@ Upstream-ID: 1ca9159a9fb95618f9d51e069ac8e1131a087343
2017-05-01upstream commitdjm@openbsd.org
remove KEY_RSA1 ok markus@ Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01upstream commitdjm@openbsd.org
remove compat20/compat13/compat15 variables ok markus@ Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
2017-05-01upstream commitdjm@openbsd.org
unifdef WITH_SSH1 ok markus@ Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-03-10upstream commitdjm@openbsd.org
ensure hostname is lower-case before hashing it; bz#2591 reported by Griff Miller II; ok dtucker@ Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
2017-03-10upstream commitdjm@openbsd.org
correctly hash hosts with a port number. Reported by Josh Powers in bz#2692; ok dtucker@ Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
2017-01-30upstream commitdjm@openbsd.org
Avoid confusing error message when attempting to use ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583 Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
2016-05-02upstream commitdjm@openbsd.org
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group) based on patch from Mark D. Baushke and Darren Tucker ok markus@ Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-02-16upstream commitdtucker@openbsd.org
Add a function to enable security-related malloc_options. With and ok deraadt@, something similar has been in the snaps for a while. Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
2015-11-09upstream commitjmc@openbsd.org
-c before -H, in SYNOPSIS and usage(); Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404
2015-11-09upstream commitdjm@openbsd.org
Add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys; ok markus@ Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
2015-10-25upstream commitdjm@openbsd.org
fix keyscan output for multiple hosts/addrs on one line when host hashing or a non standard port is in use; bz#2479 ok dtucker@ Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b
2015-04-13upstream commitdjm@openbsd.org
include port number if a non-default one has been specified; based on patch from Michael Handler
2015-04-13upstream commitmiod@openbsd.org
Do not use int for sig_atomic_t; spotted by christos@netbsd; ok markus@
2015-02-23Repair for non-ECC OpenSSL.Darren Tucker
Ifdef out the ECC parts when building with an OpenSSL that doesn't have it.
2015-01-30upstream commitdjm@openbsd.org
set a timeout to prevent hangs when talking to busted servers; ok markus@
2015-01-30upstream commitdjm@openbsd.org
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
2015-01-29upstream commitdjm@openbsd.org
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
2015-01-27these need active_state defined to link on OSXDamien Miller
temporary measure until active_state goes away entirely
2015-01-26upstream commitderaadt@openbsd.org
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
2015-01-20upstream commitmarkus@openbsd.org
switch ssh-keyscan from setjmp to multiple ssh transport layer instances ok djm@
2015-01-20upstream commitmarkus@openbsd.org
adapt kex to sshbuf and struct ssh; ok djm@
2014-12-11upstream commitdjm@openbsd.org
explicitly include sys/param.h in files that use the howmany() macro; from portable
2014-05-15 - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-04-20Three commits in one (since they touch the same heavily-diverged fileDamien Miller
repeatedly): - markus@cvs.openbsd.org 2014/03/25 09:40:03 [myproposal.h] trimm default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 [myproposal.h] The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. - markus@cvs.openbsd.org 2014/03/27 23:01:27 [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:44:58Damien Miller
[ssh-keyscan.c] scan for Ed25519 keys by default too
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:39:49Damien Miller
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
2013-11-04 - markus@cvs.openbsd.org 2013/11/02 21:59:15Damien Miller
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
2013-06-02 - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
2012-04-22 - djm@cvs.openbsd.org 2012/04/11 13:34:17Damien Miller
[ssh-keyscan.1 ssh-keyscan.c] now that sshd defaults to offering ECDSA keys, ssh-keyscan should also look for them by default; bz#1971
2011-05-05 - okan@cvs.openbsd.org 2011/03/15 10:36:02Damien Miller
[ssh-keyscan.c] use timerclear macro ok djm@
2011-05-05 - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]Damien Miller
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.
2011-01-06 - otto@cvs.openbsd.org 2011/01/04 20:44:13Damien Miller
[ssh-keyscan.c] handle ecdsa-sha2 with various key lengths; hint and ok djm@
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 11:54:45Damien Miller
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
2010-06-26 - djm@cvs.openbsd.org 2010/06/22 04:54:30Damien Miller
[ssh-keyscan.c] replace verbose and overflow-prone Linebuf code with read_keyfile_line() based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@