Commit Graph

6205 Commits

Author SHA1 Message Date
Darren Tucker
4db380701d - (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into
platform.c
2010-11-05 12:41:13 +11:00
Darren Tucker
920612e45a - (dtucker) [platform.c platform.h session.c] Add a platform hook to run
after the user's groups are established and move the selinux calls into it.
2010-11-05 12:36:15 +11:00
Darren Tucker
97528353c2 - (dtucker) [configure.ac platform.{c,h} session.c
openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
   Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
   ok djm@
2010-11-05 12:03:05 +11:00
Damien Miller
34ee4204c6 - (djm) [loginrec.c loginrec.h] Use correct uid_t/pid_t types instead of
int. Should fix bz#1817 cleanly; ok dtucker@
2010-11-05 10:52:37 +11:00
Damien Miller
0733121194 - djm@cvs.openbsd.org 2010/11/04 02:45:34
[sftp-server.c]
     umask should be parsed as octal. reported by candland AT xmission.com;
     ok markus@
2010-11-05 10:20:31 +11:00
Damien Miller
55fa56505b - jmc@cvs.openbsd.org 2010/10/28 18:33:28
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
Damien Miller
b472a90d4c - djm@cvs.openbsd.org 2010/10/28 11:22:09
[authfile.c key.c key.h ssh-keygen.c]
     fix a possible NULL deref on loading a corrupt ECDH key

     store ECDH group information in private keys files as "named groups"
     rather than as a set of explicit group parameters (by setting
     the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and
     retrieves the group's OpenSSL NID that we need for various things.
2010-11-05 10:19:49 +11:00
Damien Miller
3a0e9f6479 - djm@cvs.openbsd.org 2010/09/22 12:26:05
[regress/Makefile regress/kextype.sh]
     regress test for each of the key exchange algorithms that we support
2010-11-05 10:16:34 +11:00
Darren Tucker
54b1f3121d - (dtucker) [defines.h] Use SIZE_T_MAX for SIZE_MAX for platforms that have a
native one.
2010-10-25 16:54:28 +11:00
Tim Rice
bdd3e67c19 - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with
1.12 to unbreak Solaris build.
   ok djm@
2010-10-24 18:35:55 -07:00
Darren Tucker
7bc236de21 - (dtucker) [defines.h] Add SIZE_MAX for the benefit of platforms that don't
have it.
2010-10-24 11:58:43 +11:00
Darren Tucker
d633fef471 - (dtucker) [regress/cert-userkey.sh] Disable ECC-based tests on platforms
which don't have ECC support in libcrypto.
2010-10-24 11:33:07 +11:00
Darren Tucker
bfd9b1be41 - (dtucker) [regress/cert-hostkey.sh] Disable ECC-based tests on platforms
which don't have ECC support in libcrypto.
2010-10-24 11:19:26 +11:00
Darren Tucker
d78739ab90 - sthen@cvs.openbsd.org 2010/10/23 22:06:12
[sftp.c]
     escape '[' in filename tab-completion; fix a type while there.
     ok djm@
2010-10-24 10:56:32 +11:00
Darren Tucker
a53939332d - (dtucker) [includes.h] Add missing ifdef GLOB_HAS_GL_STATV to fix build. 2010-10-24 10:47:30 +11:00
Damien Miller
6fd2d7de4b - djm@cvs.openbsd.org 2010/08/31 12:24:09
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     tests for ECDSA certificates
2010-10-21 15:27:14 +11:00
Damien Miller
68512c0341 - OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2010/10/12 02:22:24
     [mux.c]
     Typo in confirmation message.  bz#1827, patch from imorgan at nas nasa gov
2010-10-21 15:21:11 +11:00
Damien Miller
9c0c31d2db - (djm) [sshconnect.c] Need signal.h for prototype for kill(2) 2010-10-12 13:30:44 +11:00
Damien Miller
47e57bfab4 - (djm) [canohost.c] Zero a4 instead of addr to better match type.
bz#1825, reported by foo AT mailinator.com
2010-10-12 13:28:12 +11:00
Damien Miller
1f78980099 - (djm) [configure.ac] Use = instead of == in shell tests. Patch from
dr AT vasco.com
2010-10-11 22:35:22 +11:00
Damien Miller
88b844f19b - (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmp 2010-10-07 22:19:23 +11:00
Damien Miller
80e9953938 - (djm) [cipher-acss.c] Add missing header. 2010-10-07 22:12:08 +11:00
Damien Miller
37f4f1892f - (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code. 2010-10-07 22:10:38 +11:00
Damien Miller
45fcdaa1cf - djm@cvs.openbsd.org 2010/10/06 21:10:21
[sshconnect.c]
     swapped args to kill(2)
2010-10-07 22:07:58 +11:00
Damien Miller
a41ccca643 - djm@cvs.openbsd.org 2010/10/06 06:39:28
[clientloop.c ssh.c sshconnect.c sshconnect.h]
     kill proxy command on fatal() (we already kill it on clean exit);
     ok markus@
2010-10-07 22:07:32 +11:00
Damien Miller
38d9a965bf - djm@cvs.openbsd.org 2010/10/05 05:13:18
[sftp.c sshconnect.c]
     use default shell /bin/sh if $SHELL is ""; ok markus@
2010-10-07 22:07:11 +11:00
Damien Miller
9a3d0dc062 - djm@cvs.openbsd.org 2010/10/01 23:05:32
[cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h]
     adapt to API changes in openssl-1.0.0a
     NB. contains compat code to select correct API for older OpenSSL
2010-10-07 22:06:42 +11:00
Damien Miller
195dbaff7a - (djm) [ssh-agent.c] Fix type for curve name. 2010-10-07 22:05:11 +11:00
Damien Miller
2738361878 sadly, two typos on one line is not my best record 2010-10-07 22:00:24 +11:00
Damien Miller
faca8ccd4d unbreak previous 2010-10-07 21:59:40 +11:00
Damien Miller
c54b02c4eb - djm@cvs.openbsd.org 2010/09/30 11:04:51
[servconf.c]
     prevent free() of string in .rodata when overriding AuthorizedKeys in
     a Match block; patch from rein AT basefarm.no
2010-10-07 21:40:17 +11:00
Damien Miller
68e2e56ea9 - djm@cvs.openbsd.org 2010/09/26 22:26:33
[sftp.c]
     when performing an "ls" in columnated (short) mode, only call
     ioctl(TIOCGWINSZ) once to get the window width instead of per-
     filename
2010-10-07 21:39:55 +11:00
Damien Miller
a6e121aaa0 - djm@cvs.openbsd.org 2010/09/25 09:30:16
[sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h]
     make use of new glob(3) GLOB_KEEPSTAT extension to save extra server
     rountrips to fetch per-file stat(2) information.
     NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to
     match.
2010-10-07 21:39:17 +11:00
Damien Miller
aa18063baf - matthew@cvs.openbsd.org 2010/09/24 13:33:00
[misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h]
     [openbsd-compat/timingsafe_bcmp.c]
     Add timingsafe_bcmp(3) to libc, mention that it's already in the
     kernel in kern(9), and remove it from OpenSSH.
     ok deraadt@, djm@
     NB. re-added under openbsd-compat/ for portable OpenSSH
2010-10-07 21:25:27 +11:00
Damien Miller
2beb32f290 - jmc@cvs.openbsd.org 2010/09/23 13:36:46
[scp.1 sftp.1]
     add KexAlgorithms to the -o list;
2010-09-24 22:16:03 +10:00
Damien Miller
56883e194f - jmc@cvs.openbsd.org 2010/09/23 13:34:43
[sftp.c]
     add [-l limit] to usage();
2010-09-24 22:15:39 +10:00
Damien Miller
65e42f87fe - djm@cvs.openbsd.org 2010/09/22 22:58:51
[atomicio.c atomicio.h misc.c misc.h scp.c sftp-client.c]
     [sftp-client.h sftp.1 sftp.c]
     add an option per-read/write callback to atomicio

     factor out bandwidth limiting code from scp(1) into a generic bandwidth
     limiter that can be attached using the atomicio callback mechanism

     add a bandwidth limit option to sftp(1) using the above
     "very nice" markus@
2010-09-24 22:15:11 +10:00
Damien Miller
7fe2b1fec3 - jmc@cvs.openbsd.org 2010/09/22 08:30:08
[ssh.1 ssh_config.5]
     ssh.1: add kexalgorithms to the -o list
     ssh_config.5: format the kexalgorithms in a more consistent
     (prettier!) way
     ok djm
2010-09-24 22:11:53 +10:00
Damien Miller
d5f62bf280 - djm@cvs.openbsd.org 2010/09/22 05:01:30
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
     [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
     add a KexAlgorithms knob to the client and server configuration to allow
     selection of which key exchange methods are used by ssh(1) and sshd(8)
     and their order of preference.
     ok markus@
2010-09-24 22:11:14 +10:00
Damien Miller
603134e077 - djm@cvs.openbsd.org 2010/09/20 07:19:27
[mux.c]
     "atomically" create the listening mux socket by binding it on a temorary
     name and then linking it into position after listen() has succeeded.
     this allows the mux clients to determine that the server socket is
     either ready or stale without races. stale server sockets are now
     automatically removed
     ok deraadt
2010-09-24 22:07:55 +10:00
Damien Miller
18e1cab1a1 - djm@cvs.openbsd.org 2010/09/20 04:54:07
[jpake.c]
     missing #include
2010-09-24 22:07:17 +10:00
Damien Miller
f7540cd5c4 - djm@cvs.openbsd.org 2010/09/20 04:50:53
[jpake.c schnorr.c]
     check that received values are smaller than the group size in the
     disabled and unfinished J-PAKE code.
     avoids catastrophic security failure found by Sebastien Martini
2010-09-24 22:03:24 +10:00
Damien Miller
857b02e37f - djm@cvs.openbsd.org 2010/09/20 04:41:47
[ssh.c]
     install a SIGCHLD handler to reap expiried child process; ok markus@
2010-09-24 22:02:56 +10:00
Damien Miller
881adf74eb - jmc@cvs.openbsd.org 2010/09/19 21:30:05
[sftp.1]
     more wacky macro fixing;
2010-09-24 22:01:54 +10:00
Damien Miller
1ca9469318 - djm@cvs.openbsd.org 2010/09/11 21:44:20
[ssh.1]
     mention RFC 5656 for ECC stuff
2010-09-24 22:01:22 +10:00
Damien Miller
6186bbc7fb - naddy@cvs.openbsd.org 2010/09/10 15:19:29
[ssh-keygen.1]
     * mention ECDSA in more places
     * less repetition in FILES section
     * SSHv1 keys are still encrypted with 3DES
     help and ok jmc@
2010-09-24 22:00:54 +10:00
Darren Tucker
8ccb7392e7 - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs
for missing headers and compiler warnings.
2010-09-10 12:28:24 +10:00
Damien Miller
6af914a15c - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
   [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
   platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 11:39:26 +10:00
Damien Miller
041ab7c1e7 - djm@cvs.openbsd.org 2010/09/09 10:45:45
[kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c]
     ECDH/ECDSA compliance fix: these methods vary the hash function they use
     (SHA256/384/512) depending on the length of the curve in use. The previous
     code incorrectly used SHA256 in all cases.

     This fix will cause authentication failure when using 384 or 521-bit curve
     keys if one peer hasn't been upgraded and the other has. (256-bit curve
     keys work ok). In particular you may need to specify HostkeyAlgorithms
     when connecting to a server that has not been upgraded from an upgraded
     client.

     ok naddy@
2010-09-10 11:23:34 +10:00
Damien Miller
3796ab47d3 - deraadt@cvs.openbsd.org 2010/09/08 04:13:31
[compress.c]
     work around name-space collisions some buggy compilers (looking at you
     gcc, at least in earlier versions, but this does not forgive your current
     transgressions) seen between zlib and openssl
     ok djm
2010-09-10 11:20:59 +10:00