]>
git.ipfire.org Git - thirdparty/openssh-portable.git/log
djm@openbsd.org [Mon, 21 Jan 2019 10:28:01 +0000 (10:28 +0000)]
upstream: use KEM API for vanilla DH KEX
from markus@ ok djm@
OpenBSD-Commit-ID:
af56466426b08a8be275412ae2743319e3d277c9
djm@openbsd.org [Mon, 21 Jan 2019 10:24:09 +0000 (10:24 +0000)]
upstream: use KEM API for vanilla c25519 KEX
OpenBSD-Commit-ID:
38d937b85ff770886379dd66a8f32ab0c1c35c1f
djm@openbsd.org [Mon, 21 Jan 2019 10:20:12 +0000 (10:20 +0000)]
upstream: Add support for a PQC KEX/KEM:
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
OpenBSD-Commit-ID:
d687f76cffd3561dd73eb302d17a1c3bf321d1a7
djm@openbsd.org [Mon, 21 Jan 2019 10:07:22 +0000 (10:07 +0000)]
upstream: factor out kex_verify_hostkey() - again, duplicated
almost exactly across client and server for several KEX methods.
from markus@ ok djm@
OpenBSD-Commit-ID:
4e4a16d949dadde002a0aacf6d280a684e20829c
djm@openbsd.org [Mon, 21 Jan 2019 10:05:09 +0000 (10:05 +0000)]
upstream: factor out kex_load_hostkey() - this is duplicated in
both the client and server implementations for most KEX methods.
from markus@ ok djm@
OpenBSD-Commit-ID:
8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
djm@openbsd.org [Mon, 21 Jan 2019 10:03:37 +0000 (10:03 +0000)]
upstream: factor out kex_dh_compute_key() - it's shared between
plain DH KEX and DH GEX in both the client and server implementations
from markus@ ok djm@
OpenBSD-Commit-ID:
12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
djm@openbsd.org [Mon, 21 Jan 2019 10:00:23 +0000 (10:00 +0000)]
upstream: factor out DH keygen; it's identical between the client
and the server
from markus@ ok djm@
OpenBSD-Commit-ID:
2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
djm@openbsd.org [Mon, 21 Jan 2019 09:55:52 +0000 (09:55 +0000)]
upstream: save the derived session id in kex_derive_keys() rather
than making each kex method implementation do it.
from markus@ ok djm@
OpenBSD-Commit-ID:
d61ade9c8d1e13f665f8663c552abff8c8a30673
djm@openbsd.org [Mon, 21 Jan 2019 09:54:11 +0000 (09:54 +0000)]
upstream: Make sshpkt_get_bignum2() allocate the bignum it is
parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
OpenBSD-Commit-ID:
576bf784f9a240f5a1401f7005364e59aed3bce9
djm@openbsd.org [Mon, 21 Jan 2019 09:52:25 +0000 (09:52 +0000)]
upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1
functions
from markus@ ok djm@
OpenBSD-Commit-ID:
0380b1b2d9de063de3c5a097481a622e6a04943e
djm@openbsd.org [Mon, 21 Jan 2019 09:49:37 +0000 (09:49 +0000)]
upstream: fix all-zero check in kexc25519_shared_key
from markus@ ok djm@
OpenBSD-Commit-ID:
60b1d364e0d9d34d1d1ef1620cb92e36cf06712d
jmc@openbsd.org [Mon, 21 Jan 2019 07:09:10 +0000 (07:09 +0000)]
upstream: - -T was added to the first synopsis by mistake - since
"..." denotes optional, no need to surround it in []
ok djm
OpenBSD-Commit-ID:
918f6d8eed4e0d8d9ef5eadae1b8983d796f0e25
Darren Tucker [Mon, 21 Jan 2019 10:28:27 +0000 (21:28 +1100)]
Make --with-rpath take a flag instead of yes/no.
Damien Miller [Mon, 21 Jan 2019 04:05:43 +0000 (15:05 +1100)]
fix previous test
Darren Tucker [Mon, 21 Jan 2019 02:50:17 +0000 (13:50 +1100)]
Wrap ECC static globals in EC_KEY_METHOD_NEW too.
Damien Miller [Mon, 21 Jan 2019 01:53:40 +0000 (12:53 +1100)]
pass TEST_SSH_SSHPKCS11HELPER to regress tests
Damien Miller [Mon, 21 Jan 2019 01:31:29 +0000 (12:31 +1100)]
make agent-pkcs11 search harder for softhsm2.so
djm@openbsd.org [Mon, 21 Jan 2019 02:05:38 +0000 (02:05 +0000)]
upstream: always print the caller's error message in ossl_error(),
even when there are no libcrypto errors to report.
OpenBSD-Commit-ID:
09ebaa8f706e0eccedd209775baa1eee2ada806a
djm@openbsd.org [Mon, 21 Jan 2019 02:01:03 +0000 (02:01 +0000)]
upstream: get the ex_data (pkcs11_key object) back from the keys at
the index at which it was inserted, rather than assuming index 0
OpenBSD-Commit-ID:
1f3a6ce0346c8014e895e50423bef16401510aa8
djm@openbsd.org [Mon, 21 Jan 2019 01:05:00 +0000 (01:05 +0000)]
upstream: GSSAPI code got missed when converting to new packet API
OpenBSD-Commit-ID:
37e4f06ab4a0f4214430ff462ba91acba28b7851
Damien Miller [Mon, 21 Jan 2019 00:57:21 +0000 (11:57 +1100)]
Fix -Wunused when compiling PKCS#11 without ECDSA
djm@openbsd.org [Sun, 20 Jan 2019 23:26:44 +0000 (23:26 +0000)]
upstream: allow override of ssh-pkcs11-helper binary via
$TEST_SSH_SSHPKCS11HELPER from markus@
OpenBSD-Regress-ID:
7382a3d76746f5a792d106912a5819fd5e49e469
djm@openbsd.org [Sun, 20 Jan 2019 23:25:25 +0000 (23:25 +0000)]
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
for ECDSA keys
work by markus@, ok djm@
OpenBSD-Regress-ID:
1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe
djm@openbsd.org [Sun, 20 Jan 2019 23:24:19 +0000 (23:24 +0000)]
upstream: add "extra:" target to run some extra tests that are not
enabled by default (currently includes agent-pkcs11.sh); from markus@
OpenBSD-Regress-ID:
9a969e1adcd117fea174d368dcb9c61eb50a2a3c
djm@openbsd.org [Mon, 21 Jan 2019 00:47:34 +0000 (00:47 +0000)]
upstream: use ECDSA_SIG_set0() instead of poking signature values into
structure directly; the latter works on LibreSSL but not on OpenSSL. From
portable.
OpenBSD-Commit-ID:
5b22a1919d9cee907d3f8a029167f70a481891c6
Damien Miller [Mon, 21 Jan 2019 00:44:19 +0000 (11:44 +1100)]
remove HAVE_DLOPEN that snuck in
Damien Miller [Mon, 21 Jan 2019 00:32:28 +0000 (11:32 +1100)]
conditionalise ECDSA PKCS#11 support
djm@openbsd.org [Sun, 20 Jan 2019 23:12:35 +0000 (23:12 +0000)]
upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
now, so there is no need to keep a copy of each in the pkcs11_key object.
work by markus@, ok djm@
OpenBSD-Commit-ID:
43b4856516e45c0595f17a8e95b2daee05f12faa
djm@openbsd.org [Sun, 20 Jan 2019 23:11:11 +0000 (23:11 +0000)]
upstream: KNF previous; from markus@
OpenBSD-Commit-ID:
3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
djm@openbsd.org [Sun, 20 Jan 2019 23:10:33 +0000 (23:10 +0000)]
upstream: use OpenSSL's RSA reference counting hooks to
implicitly clean up pkcs11_key objects when their owning RSA object's
reference count drops to zero. Simplifies the cleanup path and makes it more
like ECDSA's
work by markus@, ok djm@
OpenBSD-Commit-ID:
74b9c98f405cd78f7148e9e4a4982336cd3df25c
djm@openbsd.org [Sun, 20 Jan 2019 23:08:24 +0000 (23:08 +0000)]
upstream: make the PKCS#11 RSA code more like the new PKCS#11
ECDSA code: use a single custom RSA_METHOD instead of a method per key
suggested by me, but markus@ did all the work.
ok djm@
OpenBSD-Commit-ID:
8aafcebe923dc742fc5537a995cee549d07e4b2e
djm@openbsd.org [Sun, 20 Jan 2019 23:05:52 +0000 (23:05 +0000)]
upstream: fix leak of ECDSA pkcs11_key objects
work by markus, ok djm@
OpenBSD-Commit-ID:
9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
djm@openbsd.org [Sun, 20 Jan 2019 23:03:26 +0000 (23:03 +0000)]
upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
EC_KEY internals as that won't work on OpenSSL
work by markus@, feedback and ok djm@
OpenBSD-Commit-ID:
4a99cdb89fbd6f5155ef8c521c99dc66e2612700
djm@openbsd.org [Sun, 20 Jan 2019 23:01:59 +0000 (23:01 +0000)]
upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
object should never have a DER header
work by markus; feedback and ok djm@
OpenBSD-Commit-ID:
b617fa585eddbbf0b1245b58b7a3c4b8d613db17
djm@openbsd.org [Sun, 20 Jan 2019 23:00:12 +0000 (23:00 +0000)]
upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
work by markus@, feedback and ok djm@
OpenBSD-Commit-ID:
affa5ca7d58d59fbd16169f77771dcdbd2b0306d
djm@openbsd.org [Sun, 20 Jan 2019 22:57:45 +0000 (22:57 +0000)]
upstream: cleanup pkcs#11 client code: use sshkey_new in instead
of stack- allocating a sshkey
work by markus@, ok djm@
OpenBSD-Commit-ID:
a048eb6ec8aa7fa97330af927022c0da77521f91
djm@openbsd.org [Sun, 20 Jan 2019 22:54:30 +0000 (22:54 +0000)]
upstream: allow override of the pkcs#11 helper binary via
$SSH_PKCS11_HELPER; needed for regress tests.
work by markus@, ok me
OpenBSD-Commit-ID:
f78d8185500bd7c37aeaf7bd27336db62f0f7a83
djm@openbsd.org [Sun, 20 Jan 2019 22:51:37 +0000 (22:51 +0000)]
upstream: add support for ECDSA keys in PKCS#11 tokens
Work by markus@ and Pedro Martelletto, feedback and ok me@
OpenBSD-Commit-ID:
a37d651e221341376636056512bddfc16efb4424
djm@openbsd.org [Sun, 20 Jan 2019 22:03:29 +0000 (22:03 +0000)]
upstream: add option to test whether keys in an agent are usable,
by performing a signature and a verification using each key "ssh-add -T
pubkey [...]"
work by markus@, ok djm@
OpenBSD-Commit-ID:
931b888a600b6a883f65375bd5f73a4776c6d19b
tb@openbsd.org [Sun, 20 Jan 2019 02:01:59 +0000 (02:01 +0000)]
upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on
error.
Found thanks to BoringSSL's commit
53409ee3d7595ed37da472bc73b010cd2c8a5ffd
by David Benjamin.
ok djm, dtucker
OpenBSD-Commit-ID:
1ee832be3c44b1337f76b8562ec6d203f3b072f8
dtucker@openbsd.org [Sun, 20 Jan 2019 01:12:40 +0000 (01:12 +0000)]
upstream: DH-GEX min value is now specified in RFC8270. ok djm@
OpenBSD-Commit-ID:
1229d0feb1d0ecefe05bf67a17578b263e991acc
Darren Tucker [Sun, 20 Jan 2019 22:22:36 +0000 (09:22 +1100)]
Check for cc before gcc.
Damien Miller [Sun, 20 Jan 2019 03:55:27 +0000 (14:55 +1100)]
last bits of old packet API / active_state global
Damien Miller [Sat, 19 Jan 2019 23:22:18 +0000 (10:22 +1100)]
remove PAM dependencies on old packet API
Damien Miller [Sat, 19 Jan 2019 22:58:45 +0000 (09:58 +1100)]
remove vestiges of old packet API from loginrec.c
Damien Miller [Sat, 19 Jan 2019 22:45:38 +0000 (09:45 +1100)]
depend
djm@openbsd.org [Sat, 19 Jan 2019 22:30:52 +0000 (22:30 +0000)]
upstream: fix error in refactor: use ssh_packet_disconnect() instead of
sshpkt_error(). The first one logs the error and exits (what we want) instead
of just logging and blundering on.
OpenBSD-Commit-ID:
39f51b43641dce9ce0f408ea6c0e6e077e2e91ae
djm@openbsd.org [Sat, 19 Jan 2019 21:45:31 +0000 (21:45 +0000)]
upstream: remove last traces of old packet API!
with & ok markus@
OpenBSD-Commit-ID:
9bd10437026423eb8245636ad34797a20fbafd7d
djm@openbsd.org [Sat, 19 Jan 2019 21:43:56 +0000 (21:43 +0000)]
upstream: remove last references to active_state
with & ok markus@
OpenBSD-Commit-ID:
78619a50ea7e4ca2f3b54d4658b3227277490ba2
djm@openbsd.org [Sat, 19 Jan 2019 21:43:07 +0000 (21:43 +0000)]
upstream: convert monitor.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
61ecd154bd9804461a0cf5f495a29d919e0014d5
djm@openbsd.org [Sat, 19 Jan 2019 21:42:30 +0000 (21:42 +0000)]
upstream: convert sshd.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
ea569d3eaf9b5cf1bad52779fbfa5fa0b28af891
djm@openbsd.org [Sat, 19 Jan 2019 21:41:53 +0000 (21:41 +0000)]
upstream: convert session.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
fae817207e23099ddd248960c984f7b7f26ea68e
djm@openbsd.org [Sat, 19 Jan 2019 21:41:18 +0000 (21:41 +0000)]
upstream: convert auth.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
7e10359f614ff522b52a3f05eec576257794e8e4
djm@openbsd.org [Sat, 19 Jan 2019 21:40:48 +0000 (21:40 +0000)]
upstream: convert serverloop.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
c92dd19b55457541478f95c0d6b318426d86d885
djm@openbsd.org [Sat, 19 Jan 2019 21:40:21 +0000 (21:40 +0000)]
upstream: convert the remainder of sshconnect2.c to new packet
API
with & ok markus@
OpenBSD-Commit-ID:
0986d324f2ceb5e8a12ac21c1bb10b3b4b1e0f71
djm@openbsd.org [Sat, 19 Jan 2019 21:39:12 +0000 (21:39 +0000)]
upstream: convert the remainder of clientloop.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
ce2fbbacb86a290f31da1e7bf04cddf2bdae3d1e
Damien Miller [Sat, 19 Jan 2019 22:44:53 +0000 (09:44 +1100)]
upstream: convert auth2.c to new packet API
OpenBSD-Commit-ID:
ed831bb95ad228c6791bc18b60ce7a2edef2c999
djm@openbsd.org [Sat, 19 Jan 2019 21:37:48 +0000 (21:37 +0000)]
upstream: convert servconf.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
126553aecca302c9e02fd77e333b9cb217e623b4
djm@openbsd.org [Sat, 19 Jan 2019 21:37:13 +0000 (21:37 +0000)]
upstream: convert channels.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
0b8279b56113cbd4011fc91315c0796b63dc862c
djm@openbsd.org [Sat, 19 Jan 2019 21:36:38 +0000 (21:36 +0000)]
upstream: convert sshconnect.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
222337cf6c96c347f1022d976fac74b4257c061f
djm@openbsd.org [Sat, 19 Jan 2019 21:36:06 +0000 (21:36 +0000)]
upstream: convert ssh.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
eb146878b24e85c2a09ee171afa6797c166a2e21
djm@openbsd.org [Sat, 19 Jan 2019 21:35:25 +0000 (21:35 +0000)]
upstream: convert mux.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
4e3893937bae66416e984b282d8f0f800aafd802
djm@openbsd.org [Sat, 19 Jan 2019 21:34:45 +0000 (21:34 +0000)]
upstream: convert sshconnect2.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
1cb869e0d6e03539f943235641ea070cae2ebc58
djm@openbsd.org [Sat, 19 Jan 2019 21:33:57 +0000 (21:33 +0000)]
upstream: convert clientloop.c to new packet API
with & ok markus@
OpenBSD-Commit-ID:
497b36500191f452a22abf283aa8d4a9abaee7fa
djm@openbsd.org [Sat, 19 Jan 2019 21:33:13 +0000 (21:33 +0000)]
upstream: allow sshpkt_fatal() to take a varargs format; we'll
use this to give packet-related fatal error messages more context (esp. the
remote endpoint) ok markus@
OpenBSD-Commit-ID:
de57211f9543426b515a8a10a4f481666b2b2a50
djm@openbsd.org [Sat, 19 Jan 2019 21:31:32 +0000 (21:31 +0000)]
upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.
with & ok markus@
OpenBSD-Commit-ID:
93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
tb@openbsd.org [Sat, 19 Jan 2019 04:15:56 +0000 (04:15 +0000)]
upstream: Print an \r in front of the password prompt so parts of
a password that was entered too early are likely clobbered by the prompt.
Idea from doas.
from and ok djm
"i like it" deraadt
OpenBSD-Commit-ID:
5fb97c68df6d8b09ab37f77bca1d84d799c4084e
Darren Tucker [Fri, 18 Jan 2019 00:09:01 +0000 (11:09 +1100)]
Add minimal fchownat and fchmodat implementations.
Darren Tucker [Thu, 17 Jan 2019 23:11:42 +0000 (12:11 +1300)]
Add a minimal implementation of utimensat().
djm@openbsd.org [Tue, 1 Jan 2019 22:20:16 +0000 (22:20 +0000)]
upstream: regress bits for banner processing refactor (this test was
depending on ssh returning a particular error message for banner parsing
failure)
reminded by bluhm@
OpenBSD-Regress-ID:
f24fc303d40931157431df589b386abf5e1be575
djm@openbsd.org [Thu, 17 Jan 2019 04:45:09 +0000 (04:45 +0000)]
upstream: tun_fwd_ifnames variable should b
=?UTF-8?q?e=20extern;=20from=20Hanno=20B=C3=B6ck?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenBSD-Commit-ID:
d53dede6e521161bf04d39d09947db6253a38271
djm@openbsd.org [Thu, 17 Jan 2019 04:20:53 +0000 (04:20 +0000)]
upstream: include time.h for time(3)/nanosleep(2); from Ian
McKellar
OpenBSD-Commit-ID:
6412ccd06a88f65b207a1089345f51fa1244ea51
djm@openbsd.org [Thu, 17 Jan 2019 01:50:24 +0000 (01:50 +0000)]
upstream: many of the global variables in this file can be made static;
patch from Markus Schmidt
OpenBSD-Commit-ID:
f3db619f67beb53257b21bac0e92b4fb7d5d5737
djm@openbsd.org [Wed, 16 Jan 2019 23:23:45 +0000 (23:23 +0000)]
upstream: Add "-h" flag to sftp chown/chgrp/chmod commands to
request they do not follow symlinks. Requires recently-committed
lsetstat@openssh.com extension on the server side.
ok markus@ dtucker@
OpenBSD-Commit-ID:
f93bb3f6f7eb2fb7ef1e59126e72714f1626d604
djm@openbsd.org [Wed, 16 Jan 2019 23:22:10 +0000 (23:22 +0000)]
upstream: add support for a "lsetstat@openssh.com" extension. This
replicates the functionality of the existing SSH2_FXP_SETSTAT operation but
does not follow symlinks. Based on a patch from Bert Haverkamp in bz#2067 but
with more attribute modifications supported.
ok markus@ dtucker@
OpenBSD-Commit-ID:
f7234f6e90db19655d55d936a115ee4ccb6aaf80
djm@openbsd.org [Fri, 4 Jan 2019 03:27:50 +0000 (03:27 +0000)]
upstream: eliminate function-static attempt counters for
passwd/kbdint authmethods by moving them to the client authctxt; Patch from
Markus Schmidt, ok markus@
OpenBSD-Commit-ID:
4df4404a5d5416eb056f68e0e2f4fa91ba3b3f7f
djm@openbsd.org [Fri, 4 Jan 2019 03:23:00 +0000 (03:23 +0000)]
upstream: fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@
OpenBSD-Commit-ID:
7877f1b82e249986f1ef98d0ae76ce987d332bdd
djm@openbsd.org [Tue, 1 Jan 2019 23:10:53 +0000 (23:10 +0000)]
upstream: static on global vars, const on handler tables that contain
function pointers; from Mike Frysinger
OpenBSD-Commit-ID:
7ef2305e50d3caa6326286db43cf2cfaf03960e0
djm@openbsd.org [Thu, 27 Dec 2018 23:02:11 +0000 (23:02 +0000)]
upstream: Request RSA-SHA2 signatures for
rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
OpenBSD-Commit-ID:
afc6f7ca216ccd821656d1c911d2a3deed685033
djm@openbsd.org [Thu, 27 Dec 2018 03:37:49 +0000 (03:37 +0000)]
upstream: ssh_packet_set_state() now frees ssh->kex implicitly, so
don't do explicit kex_free() beforehand
OpenBSD-Regress-ID:
f2f73bad47f62a2040ccba0a72cadcb12eda49cf
tedu@openbsd.org [Sat, 15 Dec 2018 00:50:21 +0000 (00:50 +0000)]
upstream: remove unused and problematic sudo clean. ok espie
OpenBSD-Regress-ID:
ca90c20a15a85b661e13e98b80c10e65cd662f7b
djm@openbsd.org [Thu, 27 Dec 2018 03:25:24 +0000 (03:25 +0000)]
upstream: move client/server SSH-* banners to buffers under
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
OpenBSD-Commit-ID:
1cc7885487a6754f63641d7d3279b0941890275b
dtucker@openbsd.org [Fri, 7 Dec 2018 04:36:09 +0000 (04:36 +0000)]
upstream: Fix calculation of initial bandwidth limits. Account for
written bytes before the initial timer check so that the first buffer written
is accounted. Set the threshold after which the timer is checked such that
the limit starts being computed as soon as possible, ie after the second
buffer is written. This prevents an initial burst of traffic and provides a
more accurate bandwidth limit. bz#2927, ok djm.
OpenBSD-Commit-ID:
ff3ef76e4e43040ec198c2718d5682c36b255cb6
djm@openbsd.org [Fri, 7 Dec 2018 03:39:40 +0000 (03:39 +0000)]
upstream: only consider the ext-info-c extension during the initial
KEX. It shouldn't be sent in subsequent ones, but if it is present we should
ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
OpenBSD-Commit-ID:
91564118547f7807030ec537480303e2371902f9
djm@openbsd.org [Fri, 7 Dec 2018 03:33:18 +0000 (03:33 +0000)]
upstream: fix option letter pasto in previous
OpenBSD-Commit-ID:
e26c8bf2f2a808f3c47960e1e490d2990167ec39
djm@openbsd.org [Fri, 7 Dec 2018 03:32:26 +0000 (03:32 +0000)]
upstream: mention that the ssh-keygen -F (find host in
authorized_keys) and -R (remove host from authorized_keys) options may accept
either a bare hostname or a [hostname]:port combo. bz#2935
OpenBSD-Commit-ID:
5535cf4ce78375968b0d2cd7aa316fa3eb176780
Damien Miller [Fri, 7 Dec 2018 04:41:16 +0000 (15:41 +1100)]
expose $SSH_CONNECTION in the PAM environment
Kevin Adler [Thu, 13 Dec 2018 04:12:45 +0000 (22:12 -0600)]
Don't pass loginmsg by address now that it's an sshbuf*
In
120a1ec74 , loginmsg was changed from the legacy Buffer type
to struct sshbuf*, but it missed changing calls to
sys_auth_allowed_user and sys_auth_record_login which passed
loginmsg by address. Now that it's a pointer, just pass it directly.
This only affects AIX, unless there are out of tree users.
djm@openbsd.org [Fri, 7 Dec 2018 02:31:20 +0000 (02:31 +0000)]
upstream: no need to allocate channels_pre/channels_post in
channel_init_channels() as we do it anyway in channel_handler_init() that we
call at the end of the function. Fix from Markus Schmidt via bz#2938
OpenBSD-Commit-ID:
74893638af49e3734f1e33a54af1b7ea533373ed
djm@openbsd.org [Fri, 30 Nov 2018 02:24:52 +0000 (02:24 +0000)]
upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293
OpenBSD-Commit-ID:
0e8fc8f19f14b21adef7109e0faa583d87c0e929
djm@openbsd.org [Wed, 28 Nov 2018 06:00:38 +0000 (06:00 +0000)]
upstream: don't truncate user or host name in "user@host's
OpenBSD-Commit-ID:
e6ca01a8d58004b7f2cac0b1b7ce8f87e425e360
jmc@openbsd.org [Fri, 23 Nov 2018 06:58:28 +0000 (06:58 +0000)]
upstream: tweak previous;
OpenBSD-Commit-ID:
08f096922eb00c98251501c193ff9e83fbb5de4f
Darren Tucker [Sun, 25 Nov 2018 10:44:05 +0000 (21:44 +1100)]
Include stdio.h for FILE if needed.
Darren Tucker [Sun, 25 Nov 2018 03:05:57 +0000 (14:05 +1100)]
Reverse order of OpenSSL init functions.
Darren Tucker [Sun, 25 Nov 2018 03:05:08 +0000 (14:05 +1100)]
Improve OpenSSL_add_all_algorithms check.
djm@openbsd.org [Fri, 23 Nov 2018 05:08:07 +0000 (05:08 +0000)]
upstream: add a ssh_config "Match final" predicate
Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus
OpenBSD-Commit-ID:
fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
dtucker@openbsd.org [Fri, 23 Nov 2018 02:53:57 +0000 (02:53 +0000)]
upstream: Remove now-unneeded ifdef SIGINFO around handler since it is
now always used for SIGUSR1 even when SIGINFO is not defined. This will make
things simpler in -portable.
OpenBSD-Regress-ID:
4ff0265b335820b0646d37beb93f036ded0dc43f
Darren Tucker [Fri, 23 Nov 2018 03:11:20 +0000 (14:11 +1100)]
Move RANDOM_SEED_SIZE outside ifdef.
Darren Tucker [Thu, 22 Nov 2018 08:59:28 +0000 (19:59 +1100)]
Resync with OpenBSD by pulling in an ifdef SIGINFO.
Damien Miller [Thu, 22 Nov 2018 23:45:20 +0000 (10:45 +1100)]
fix configure test for OpenSSL version
projects / thirdparty / openssh-portable.git / log
