Damien Miller [Wed, 4 Dec 2013 23:25:51 +0000 (10:25 +1100)]
- djm@cvs.openbsd.org 2013/12/02 03:09:22
[key.c]
make key_to_blob() return a NULL blob on failure; part of
bz#2175 from Loganaden Velvindron @ AfriNIC
Damien Miller [Wed, 4 Dec 2013 23:22:03 +0000 (10:22 +1100)]
- deraadt@cvs.openbsd.org 2013/11/26 19:15:09
[pkcs11.h]
cleanup 1 << 31 idioms. Resurrection of this issue pointed out by
Eitan Adler ok markus for ssh, implies same change in kerberosV
Damien Miller [Wed, 4 Dec 2013 23:20:52 +0000 (10:20 +1100)]
- jmc@cvs.openbsd.org 2013/11/26 12:14:54
[ssh.1 ssh.c]
- put -Q in the right place
- Ar was a poor choice for the arguments to -Q. i've chosen an
admittedly equally poor Cm, at least consistent with the rest
of the docs. also no need for multiple instances
- zap a now redundant Nm
- usage() sync
Damien Miller [Wed, 4 Dec 2013 23:19:54 +0000 (10:19 +1100)]
- deraadt@cvs.openbsd.org 2013/11/25 18:04:21
[ssh.1 ssh.c]
improve -Q usage and such. One usage change is that the option is now
case-sensitive
ok dtucker markus djm
Damien Miller [Thu, 21 Nov 2013 03:26:18 +0000 (14:26 +1100)]
- djm@cvs.openbsd.org 2013/11/21 03:18:51
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
[regress/try-ciphers.sh]
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
encryption ciphers instead of specifying them manually; ensures that
the new chacha20poly1305@openssh.com mode is tested;
ok markus@ and naddy@ as part of the diff to add
chacha20poly1305@openssh.com
Damien Miller [Thu, 21 Nov 2013 03:25:15 +0000 (14:25 +1100)]
- djm@cvs.openbsd.org 2013/11/21 03:16:47
[regress/modpipe.c]
use unsigned long long instead of u_int64_t here to avoid warnings
on some systems portable OpenSSH is built on.
Damien Miller [Thu, 21 Nov 2013 03:24:08 +0000 (14:24 +1100)]
- naddy@cvs.openbsd.org 2013/11/18 05:09:32
[regress/forward-control.sh]
bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
to successfully run this; ok djm@
(ID sync only; our timeouts are already longer)
Damien Miller [Thu, 21 Nov 2013 03:12:23 +0000 (14:12 +1100)]
- djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Damien Miller [Thu, 21 Nov 2013 02:57:15 +0000 (13:57 +1100)]
- deraadt@cvs.openbsd.org 2013/11/20 20:54:10
[canohost.c clientloop.c match.c readconf.c sftp.c]
unsigned casts for ctype macros where neccessary
ok guenther millert markus
Damien Miller [Thu, 21 Nov 2013 02:56:28 +0000 (13:56 +1100)]
- djm@cvs.openbsd.org 2013/11/20 02:19:01
[sshd.c]
delay closure of in/out fds until after "Bad protocol version
identification..." message, as get_remote_ipaddr/get_remote_port
require them open.
Damien Miller [Thu, 21 Nov 2013 02:55:43 +0000 (13:55 +1100)]
- dtucker@cvs.openbsd.org 2013/11/08 11:15:19
[bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
[uidswap.c] Include stdlib.h for free() as per the man page.
Darren Tucker [Sat, 9 Nov 2013 07:39:25 +0000 (18:39 +1100)]
- (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
latter actually works before using it. Fedora (at least) has NID_secp521r1
that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
Darren Tucker [Sat, 9 Nov 2013 05:55:03 +0000 (16:55 +1100)]
- dtucker@cvs.openbsd.org 2013/11/09 05:41:34
[regress/test-exec.sh regress/rekey.sh]
Use smaller test data files to speed up tests. Grow test datafiles
where necessary for a specific test.
Darren Tucker [Fri, 8 Nov 2013 13:19:22 +0000 (00:19 +1100)]
- (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
rather than testing and generating each key, call ssh-keygen -A.
Patch from vinschen at redhat.com.
Darren Tucker [Fri, 8 Nov 2013 13:17:41 +0000 (00:17 +1100)]
- (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
and pass in TEST_ENV. Unknown options cause stderr to get polluted
and the stderr-data test to fail.
Darren Tucker [Fri, 8 Nov 2013 07:54:38 +0000 (18:54 +1100)]
- (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
arc4random_stir for platforms that have arc4random but don't have
arc4random_stir (right now this is only OpenBSD -current).
Damien Miller [Fri, 8 Nov 2013 01:16:49 +0000 (12:16 +1100)]
- dtucker@cvs.openbsd.org 2013/11/07 11:58:27
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
Darren Tucker [Thu, 7 Nov 2013 11:33:48 +0000 (22:33 +1100)]
- (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
variable. It's no longer used now that we get the supported MACs from
ssh -Q.
Darren Tucker [Thu, 7 Nov 2013 04:21:19 +0000 (15:21 +1100)]
- dtucker@cvs.openbsd.org 2013/11/07 02:48:38
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
Use ssh -Q instead of hardcoding lists of ciphers or MACs.
Darren Tucker [Thu, 7 Nov 2013 04:04:44 +0000 (15:04 +1100)]
- dtucker@cvs.openbsd.org 2013/11/07 00:12:05
[regress/rekey.sh]
Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
the GCM ciphers.
Damien Miller [Thu, 7 Nov 2013 02:32:51 +0000 (13:32 +1100)]
- markus@cvs.openbsd.org 2013/11/04 11:51:16
[monitor.c]
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
RCSID sync only; I thought this was a merge botch and fixed it already
Damien Miller [Sun, 3 Nov 2013 20:41:48 +0000 (07:41 +1100)]
- markus@cvs.openbsd.org 2013/11/02 20:03:54
[ssh-pkcs11.c]
support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
fixes bz#1908; based on patch from Laurent Barbe; ok djm
Darren Tucker [Sun, 3 Nov 2013 05:30:46 +0000 (16:30 +1100)]
- (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
From OpenSMTPD where it prevents "implicit declaration" warnings (it's
a no-op in OpenSSH). From chl at openbsd.
Damien Miller [Fri, 25 Oct 2013 23:07:56 +0000 (10:07 +1100)]
- djm@cvs.openbsd.org 2013/10/25 23:04:51
[ssh.c]
fix crash when using ProxyCommand caused by previous commit - was calling
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
Damien Miller [Fri, 25 Oct 2013 23:05:46 +0000 (10:05 +1100)]
- (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
unnecessary arc4random_stir() calls. The only ones left are to ensure
that the PRNG gets a different state after fork() for platforms that
have broken the API.
Damien Miller [Thu, 24 Oct 2013 10:03:17 +0000 (21:03 +1100)]
- djm@cvs.openbsd.org 2013/10/24 08:19:36
[ssh.c]
fix bug introduced in hostname canonicalisation commit: don't try to
resolve hostnames when a ProxyCommand is set unless the user has forced
canonicalisation; spotted by Iain Morgan
Damien Miller [Thu, 24 Oct 2013 10:02:56 +0000 (21:02 +1100)]
- dtucker@cvs.openbsd.org 2013/10/24 00:51:48
[readconf.c servconf.c ssh_config.5 sshd_config.5]
Disallow empty Match statements and add "Match all" which matches
everything. ok djm, man page help jmc@
Damien Miller [Thu, 24 Oct 2013 10:02:26 +0000 (21:02 +1100)]
- dtucker@cvs.openbsd.org 2013/10/24 00:49:49
[moduli.c]
Periodically print progress and, if possible, expected time to completion
when screening moduli for DH groups. ok deraadt djm
Damien Miller [Wed, 23 Oct 2013 23:53:02 +0000 (10:53 +1100)]
- (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
rather than full client name which may be of form user@REALM;
patch from Miguel Sanders; ok dtucker@
Damien Miller [Wed, 23 Oct 2013 05:31:31 +0000 (16:31 +1100)]
- djm@cvs.openbsd.org 2013/10/23 04:16:22
[ssh-keygen.c]
Make code match documentation: relative-specified certificate expiry time
should be relative to current time and not the validity start time.
Reported by Petr Lautrbach; ok deraadt@
Damien Miller [Wed, 23 Oct 2013 05:30:51 +0000 (16:30 +1100)]
- djm@cvs.openbsd.org 2013/10/23 03:03:07
[readconf.c]
Hostname may have %h sequences that should be expanded prior to Match
evaluation; spotted by Iain Morgan
Damien Miller [Wed, 23 Oct 2013 05:29:40 +0000 (16:29 +1100)]
- djm@cvs.openbsd.org 2013/10/20 06:19:28
[readconf.c ssh_config.5]
rename "command" subclause of the recently-added "Match" keyword to
"exec"; it's shorter, clearer in intent and we might want to add the
ability to match against the command being executed at the remote end in
the future.
Damien Miller [Thu, 17 Oct 2013 22:05:41 +0000 (09:05 +1100)]
- djm@cvs.openbsd.org 2013/10/09 23:44:14
[regress/Makefile regress/sftp-perm.sh]
regression test for sftp request white/blacklisting and readonly mode.
Damien Miller [Thu, 17 Oct 2013 00:48:52 +0000 (11:48 +1100)]
- djm@cvs.openbsd.org 2013/10/17 00:30:13
[PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
Damien Miller [Thu, 17 Oct 2013 00:48:13 +0000 (11:48 +1100)]
- djm@cvs.openbsd.org 2013/10/16 22:49:39
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
s/canonicalise/canonicalize/ for consistency with existing spelling,
e.g. authorized_keys; pointed out by naddy@
Damien Miller [Thu, 17 Oct 2013 00:47:23 +0000 (11:47 +1100)]
- djm@cvs.openbsd.org 2013/10/16 02:31:47
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
[sshconnect.c sshconnect.h]
Implement client-side hostname canonicalisation to allow an explicit
search path of domain suffixes to use to convert unqualified host names
to fully-qualified ones for host key matching.
This is particularly useful for host certificates, which would otherwise
need to list unqualified names alongside fully-qualified ones (and this
causes a number of problems).
"looks fine" markus@
Damien Miller [Tue, 15 Oct 2013 01:14:12 +0000 (12:14 +1100)]
- djm@cvs.openbsd.org 2013/10/14 23:28:23
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
refactor client config code a little:
add multistate option partsing to readconf.c, similar to servconf.c's
existing code.
move checking of options that accept "none" as an argument to readconf.c
add a lowercase() function and use it instead of explicit tolower() in
loops
part of a larger diff that was ok markus@
Damien Miller [Tue, 15 Oct 2013 01:13:05 +0000 (12:13 +1100)]
- djm@cvs.openbsd.org 2013/10/14 22:22:05
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@
projects / thirdparty / openssh-portable.git / log
