Commit Graph

413 Commits

Author SHA1 Message Date
Darren Tucker
6c8a246437 Replace mkinstalldirs with mkdir -p.
Check for MIKDIR_P and use it instead of mkinstalldirs.  Should fix "mkdir:
cannot create directory:... File exists" during "make install".
Patch from eb at emlix.com.
2017-12-01 17:13:34 +11:00
Darren Tucker
79226e5413 Remove RSA1 host key generation.
SSH1 support is now gone, remove SSH1 key generation.
Patch from eb at emlix.com.
2017-12-01 16:55:35 +11:00
Damien Miller
878e029797 Split platform_sys_dir_uid into its own file
platform.o is too heavy for libssh.a use; it calls into the server on
many platforms. Move just the function needed by misc.c into its own
file.
2017-08-25 13:25:01 +10:00
Damien Miller
07949bfe91 misc.c needs functions from platform.c now 2017-08-23 20:13:18 +10:00
djm@openbsd.org
83fa3a0448 upstream commit
remove post-SSHv1 removal dead code from rsa.c and merge
the remaining bit that it still used into ssh-rsa.c; ok markus

Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
2017-07-21 14:17:32 +10:00
Damien Miller
6bdf70f01e clean up regress files and add a .gitignore 2017-05-09 18:41:54 -07:00
djm@openbsd.org
dfa641f758 upstream commit
remove the (in)famous SSHv1 CRC compensation attack
detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus

Upstream-ID: 44261fce51a56d93cdb2af7b6e184be629f667e0
2017-05-01 10:05:04 +10:00
djm@openbsd.org
e6882463a8 upstream commit
remove SSH1 make flag and associated files ok markus@

Upstream-ID: ba9feacc5787337c413db7cf26ea3d53f854cfef
2017-05-01 10:04:59 +10:00
djm@openbsd.org
cdccebdf85 upstream commit
remove SSHv1 ciphers; ok markus@

Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-05-01 10:04:58 +10:00
Darren Tucker
f2742a481f Remove SHA256 EVP wrapper implementation.
All supported versions of OpenSSL should now have SHA256 so remove our
EVP wrapper implementaion.  ok djm@
2017-03-29 10:50:31 +11:00
Darren Tucker
b1b22dd0df Plumb conversion test into makefile. 2017-03-14 14:19:36 +11:00
Darren Tucker
f5907982f4 Add a "unit" target to run only unit tests. 2017-03-14 13:38:15 +11:00
Darren Tucker
47b8c99ab3 Check for utf8 local support before testing it.
Check for utf8 local support and if not found, do not attempt to run the
utf8 tests.  Suggested by djm@
2016-12-08 15:48:34 +11:00
djm@openbsd.org
0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
Damien Miller
6ee4f1c01e hook match and utf8 unittests up to Makefile 2016-08-23 16:33:48 +10:00
markus@openbsd.org
6cb6dcffe1 upstream commit
remove ssh1 server code; ok djm@

Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14 11:19:14 +10:00
Darren Tucker
e8b58f48fb Explicitly specify source files for regress tools.
Since adding $(REGRESSLIBS), $? is wrong because it includes only the
changed source files.  $< seems like it'd be right however it doesn't
seem to work on some non-GNU makes, so do what works everywhere.
2016-07-18 17:22:49 +10:00
Darren Tucker
c71ba790c3 Add dependency on libs for unit tests.
Makes "./configure && make tests" work again.  ok djm@
2016-07-18 15:43:25 +10:00
Darren Tucker
8199d0311a Correct location for kexfuzz in clean target. 2016-07-18 13:47:39 +10:00
Darren Tucker
5c02dd1262 Map umac_ctx struct name too.
Prevents size mismatch linker warnings on Solaris 11.
2016-07-15 14:19:24 +10:00
Darren Tucker
57b4ee04ca Move platform_disable_tracing into its own file.
Prevents link errors resolving the extern "options" when platform.o
gets linked into ssh-agent when building --with-pam.
2016-06-15 11:29:24 +10:00
Darren Tucker
0fb7f59853 Move prctl PR_SET_DUMPABLE into platform.c.
This should make it easier to add additional platform support such as
Solaris (bz#2584).
2016-06-09 16:23:07 +10:00
Darren Tucker
05c6574652 Fix utf->utf8 typo. 2016-06-06 11:33:43 +10:00
schwarze@openbsd.org
0e059cdf5f upstream commit
To prevent screwing up terminal settings when printing to
 the terminal, for ASCII and UTF-8, escape bytes not forming characters and
 bytes forming non-printable characters with vis(3) VIS_OCTAL. For other
 character sets, abort printing of the current string in these cases.  In
 particular, * let scp(1) respect the local user's LC_CTYPE locale(1); *
 sanitize data received from the remote host; * sanitize filenames, usernames,
 and similar data even locally; * take character display widths into account
 for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

Upstream-ID: e66afbc94ee396ddcaffd433b9a3b80f387647e0
2016-06-06 11:27:38 +10:00
Darren Tucker
732b463d37 Pass supported malloc options to connect-privsep.
This allows us to activate only the supported options during the malloc
option portion of the connect-privsep test.
2016-03-14 16:04:23 +11:00
Damien Miller
7b40ef6c2e make a regress-binaries target
Easier to build all the regression/unit test binaries in one pass
than going through all of ${REGRESS_BINARIES}
2016-03-08 14:12:58 -08:00
Damien Miller
af0bb38ffd hook unittests/misc/kexfuzz into build 2016-03-04 15:12:26 +11:00
Damien Miller
1acc058d0a Disable tests where fs perms are incorrect
Some tests have strict requirements on the filesystem permissions
for certain files and directories. This adds a regress/check-perm
tool that copies the relevant logic from sshd to exactly test
the paths in question. This lets us skip tests when the local
filesystem doesn't conform to our expectations rather than
continuing and failing the test run.

ok dtucker@
2016-02-23 17:40:16 +11:00
markus@openbsd.org
a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
Damien Miller
4626cbaf78 Support Illumos/Solaris fine-grained privileges
Includes a pre-auth privsep sandbox and several pledge()
emulations. bz#2511, patch by Alex Wilson.

ok dtucker@
2016-01-08 14:29:12 +11:00
jmc@openbsd.org
69fead5d7c upstream commit
remove slogin links; ok deraadt markus djm

Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730
2015-11-09 14:25:39 +11:00
deraadt@openbsd.org
2539dce2a0 upstream commit
Change all tame callers to namechange to pledge(2).

Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
2015-10-14 03:22:08 +11:00
Damien Miller
9846a2f406 hook tame(2) sandbox up to build
OpenBSD only for now
2015-10-08 04:30:48 +11:00
Darren Tucker
cfffbdb10f Use ssh-keygen -A when generating host keys.
Use ssh-keygen -A instead of per-keytype invocations when generating host
keys.  Add tests when doing host-key-force since we can't use ssh-keygen -A
since it can't specify alternate locations.  bz#2459, ok djm@
2015-09-14 16:24:21 +10:00
Tim Rice
e6b950341d Revert "Work around finicky USL linker so netcat will build."
This reverts commit d1db656021.

No longer needed with commit 678e473e2a
2015-02-25 09:56:48 -08:00
Tim Rice
d1db656021 Work around finicky USL linker so netcat will build. 2015-02-24 10:42:08 -08:00
Tim Rice
2e13a1e4d2 mkdir kex unit test directory so testing out of tree builds works 2015-02-21 18:08:51 -08:00
Damien Miller
7faaa32da8 mkdir hostkey and bitmap unit test directories 2015-02-22 07:58:25 +11:00
Damien Miller
e89c780886 hook up hostkeys unittest to portable Makefiles 2015-02-17 10:04:55 +11:00
Damien Miller
1ca3e2155a fix kex test 2015-01-20 10:11:31 +11:00
markus@openbsd.org
c78a578107 upstream commit
finally enable the KEX tests I wrote some years ago...
2015-01-20 09:50:34 +11:00
markus@openbsd.org
f582f0e917 upstream commit
add experimental api for packet layer; ok djm@
2015-01-20 09:23:46 +11:00
markus@openbsd.org
091c302829 upstream commit
update packet.c & isolate, introduce struct ssh a) switch
 packet.c to buffer api and isolate per-connection info into struct ssh b)
 (de)serialization of the state is moved from monitor to packet.c c) the old
 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
 integrated into packet.c with and ok djm@
2015-01-20 09:13:01 +11:00
Damien Miller
45c0fd70bb make bitmap test compile 2015-01-15 22:08:23 +11:00
djm@openbsd.org
d333f89abf upstream commit
unit tests for KRL bitmap
2015-01-15 21:39:18 +11:00
Damien Miller
72ef7c148c support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.

Considered highly experimental for now.
2015-01-15 02:28:36 +11:00
djm@openbsd.org
a165bab605 upstream commit
avoid BIGNUM in KRL code by using a simple bitmap;
 feedback and ok markus
2015-01-15 02:22:18 +11:00
Damien Miller
293cac52dc include and use OpenBSD netcat in regress/ 2014-12-23 08:38:12 +11:00
Damien Miller
41c8de2c00 - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@ 2014-08-30 16:23:06 +10:00
Damien Miller
aa6598ebb3 - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too. 2014-08-21 10:47:54 +10:00