Commit Graph

6190 Commits

Author SHA1 Message Date
Damien Miller
846dc7f21c - djm@cvs.openbsd.org 2013/01/12 11:23:53
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
     test AES-GCM modes; feedback markus@
2013-01-12 22:46:26 +11:00
Damien Miller
c20eb8b8ea - djm@cvs.openbsd.org 2013/01/12 11:22:04
[cipher.c]
     improve error message for integrity failure in AES-GCM modes; ok markus@
2013-01-12 22:41:26 +11:00
Damien Miller
1422c0887c - djm@cvs.openbsd.org 2013/01/09 05:40:17
[ssh-keygen.c]
     correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 16:44:54 +11:00
Damien Miller
d522c68872 - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
   cipher compat code to openssl-compat.h
2013-01-09 16:42:47 +11:00
Damien Miller
1d75abfe23 - markus@cvs.openbsd.org 2013/01/08 18:49:04
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
     [myproposal.h packet.c ssh_config.5 sshd_config.5]
     support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
     ok and feedback djm@
2013-01-09 16:12:19 +11:00
Damien Miller
aa7ad3039c - jmc@cvs.openbsd.org 2013/01/04 19:26:38
[sftp-server.8 sftp-server.c]
     sftp-server.8: add argument name to -d
     sftp-server.c: add -d to usage()
     ok djm
2013-01-09 15:58:21 +11:00
Damien Miller
ec77c954c8 - djm@cvs.openbsd.org 2013/01/03 23:22:58
[ssh-keygen.c]
     allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
     ok markus@
2013-01-09 15:58:00 +11:00
Damien Miller
502ab0eff1 - djm@cvs.openbsd.org 2013/01/03 12:54:49
[sftp-server.8 sftp-server.c]
     allow specification of an alternate start directory for sftp-server(8)
     "I like this" markus@
2013-01-09 15:57:36 +11:00
Damien Miller
3739c8f041 - djm@cvs.openbsd.org 2013/01/03 12:49:01
[PROTOCOL]
     fix description of MAC calculation for EtM modes; ok markus@
2013-01-09 15:57:16 +11:00
Damien Miller
441384453c - djm@cvs.openbsd.org 2013/01/03 05:49:36
[servconf.h]
     add a couple of ServerOptions members that should be copied to the privsep
     child (for consistency, in this case they happen only to be accessed in
     the monitor); ok dtucker@
2013-01-09 15:56:45 +11:00
Damien Miller
697485d50a - djm@cvs.openbsd.org 2013/01/02 00:33:49
[PROTOCOL.agent]
     correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
     bz#2051 from david AT lechnology.com
2013-01-09 15:56:13 +11:00
Damien Miller
73298f420e - djm@cvs.openbsd.org 2013/01/02 00:32:07
[clientloop.c mux.c]
     channel_setup_local_fwd_listener() returns 0 on failure, not -ve
     bz#2055 reported by mathieu.lacage AT gmail.com
2013-01-09 15:55:50 +11:00
Damien Miller
4e14a58f3f - dtucker@cvs.openbsd.org 2012/12/14 05:26:43
[auth.c]
     use correct string in error message; from rustybsd at gmx.fr
2013-01-09 15:54:48 +11:00
Darren Tucker
0fc77297e6 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress
tests will work with VPATH directories.
2012-12-17 15:59:42 +11:00
Damien Miller
13cbff1e00 - (djm) [cipher.c] Fix missing prototype for compat code 2012-12-13 08:25:07 +11:00
Damien Miller
25a02b0c95 - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
compat code for older OpenSSL
2012-12-13 08:18:56 +11:00
Damien Miller
8c05da3326 - markus@cvs.openbsd.org 2012/12/12 16:45:52
[packet.c]
     reset incoming_packet buffer for each new packet in EtM-case, too;
     this happens if packets are parsed only parially (e.g. ignore
     messages sent when su/sudo turn off echo); noted by sthen/millert
2012-12-13 07:18:59 +11:00
Damien Miller
faabeb6b36 - (djm) [regress/Makefile] fix t-exec rule 2012-12-12 12:51:54 +11:00
Damien Miller
37461d7391 - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip 2012-12-12 12:37:32 +11:00
Damien Miller
37834afe7b - (djm) [mac.c] fix merge botch 2012-12-12 11:00:37 +11:00
Damien Miller
ec7ce9ace4 - markus@cvs.openbsd.org 2012/12/11 23:12:13
[try-ciphers.sh]
     add hmac-ripemd160-etm@openssh.com
2012-12-12 10:55:32 +11:00
Damien Miller
1fb593a3f1 - markus@cvs.openbsd.org 2012/12/11 22:42:11
[regress/Makefile regress/modpipe.c regress/integrity.sh]
     test the integrity of the packets; with djm@
2012-12-12 10:54:37 +11:00
Damien Miller
1a45b63d7b - markus@cvs.openbsd.org 2012/12/11 22:32:56
[regress/try-ciphers.sh]
     add etm modes
2012-12-12 10:52:07 +11:00
Damien Miller
74f13bdf26 - sthen@cvs.openbsd.org 2012/12/11 22:51:45
[mac.c]
     fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
2012-12-12 10:46:53 +11:00
Damien Miller
af43a7ac2d - markus@cvs.openbsd.org 2012/12/11 22:31:18
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
     [packet.c ssh_config.5 sshd_config.5]
     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
     that change the packet format and compute the MAC over the encrypted
     message (including the packet size) instead of the plaintext data;
     these EtM modes are considered more secure and used by default.
     feedback and ok djm@
2012-12-12 10:46:31 +11:00
Damien Miller
6a1937eac5 - markus@cvs.openbsd.org 2012/12/11 22:16:21
[monitor.c]
     drain the log messages after receiving the keystate from the unpriv
     child. otherwise it might block while sending. ok djm@
2012-12-12 10:44:38 +11:00
Darren Tucker
3e1027cd1f - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
[serverloop.c]
     Cast signal to int for logging.  A no-op on openbsd (they're always ints)
     but will prevent warnings in portable.  ok djm@
2012-12-07 13:07:46 +11:00
Darren Tucker
8a96522482 - markus@cvs.openbsd.org 2012/12/05 15:42:52
[ssh-add.c]
     prevent double-free of comment; ok djm@
2012-12-07 13:07:02 +11:00
Darren Tucker
f9333d5246 - jmc@cvs.openbsd.org 2012/12/03 08:33:03
[ssh-add.1 sshd_config.5]
     tweak previous;
2012-12-07 13:06:13 +11:00
Darren Tucker
3dfb877046 - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
[regress/keys-command.sh]
     Fix some problems with the keys-command test:
      - use string comparison rather than numeric comparison
      - check for existing KEY_COMMAND file and don't clobber if it exists
      - clean up KEY_COMMAND file if we do create it.
      - check that KEY_COMMAND is executable (which it won't be if eg /var/run
        is mounted noexec).
     ok djm.
2012-12-07 13:03:10 +11:00
Tim Rice
96ce9a1e45 20121205
- (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
2012-12-04 07:50:03 -08:00
Damien Miller
8b48982a56 - (djm) [configure.ac] Revert previous. configure.ac already does this
for us.
2012-12-03 12:35:55 +11:00
Damien Miller
03af12e930 - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
debugging. ok dtucker@
2012-12-03 11:55:53 +11:00
Damien Miller
55aca027ed - djm@cvs.openbsd.org 2012/12/03 00:14:06
[auth2-chall.c ssh-keygen.c]
     Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
Damien Miller
999bd2d259 - djm@cvs.openbsd.org 2012/12/02 20:47:48
[Makefile regress/forward-control.sh]
     regress for AllowTcpForwarding local/remote; ok markus@
2012-12-03 10:13:39 +11:00
Damien Miller
771c43cee6 - djm@cvs.openbsd.org 2012/11/22 22:49:30
[regress/Makefile regress/keys-command.sh]
     regress for AuthorizedKeysCommand; hints from markus@
2012-12-03 10:12:13 +11:00
Damien Miller
6618e92509 - djm@cvs.openbsd.org 2012/10/19 05:10:42
[regress/cert-userkey.sh]
     include a serial number when generating certs
2012-12-03 10:09:04 +11:00
Damien Miller
fa51d8b6b2 - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
[regress/cipher-speed.sh regress/try-ciphers.sh]
     Add umac-128@openssh.com to the list of MACs to be tested
2012-12-03 10:08:25 +11:00
Damien Miller
d27a026ab7 - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
[regress/multiplex.sh]
     Use 'kill -0' to test for the presence of a pid since it's more portable
2012-12-03 10:06:37 +11:00
Damien Miller
15b05cfa17 - djm@cvs.openbsd.org 2012/12/02 20:34:10
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
     [monitor.c monitor.h]
     Fixes logging of partial authentication when privsep is enabled
     Previously, we recorded "Failed xxx" since we reset authenticated before
     calling auth_log() in auth2.c. This adds an explcit "Partial" state.

     Add a "submethod" to auth_log() to report which submethod is used
     for keyboard-interactive.

     Fix multiple authentication when one of the methods is
     keyboard-interactive.

     ok markus@
2012-12-03 09:53:20 +11:00
Damien Miller
aa5b3f8314 - djm@cvs.openbsd.org 2012/12/02 20:46:11
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
     [sshd_config.5]
     make AllowTcpForwarding accept "local" and "remote" in addition to its
     current "yes"/"no" to allow the server to specify whether just local or
     remote TCP forwarding is enabled. ok markus@
2012-12-03 09:50:54 +11:00
Damien Miller
33a813613a - djm@cvs.openbsd.org 2012/12/02 20:42:15
[ssh-add.1 ssh-add.c]
     make deleting explicit keys "ssh-add -d" symmetric with adding keys -
     try to delete the corresponding certificate too and respect the -k option
     to allow deleting of the key only; feedback and ok markus@
2012-12-03 09:50:24 +11:00
Damien Miller
cb6b68b209 - djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c]
     Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
     This allows control of which keys are offered from tokens using
     IdentityFile. ok markus@
2012-12-03 09:49:52 +11:00
Damien Miller
cf6ef137b5 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
TAILQ_FOREACH_SAFE needed for upcoming changes.
2012-12-03 09:37:56 +11:00
Damien Miller
6f3b362fa8 - djm@cvs.openbsd.org 2012/11/14 02:32:15
[ssh-keygen.c]
     allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
Damien Miller
1e85469fcb - djm@cvs.openbsd.org 2012/11/14 02:24:27
[auth2-pubkey.c]
     fix username passed to helper program
     prepare stdio fds before closefrom()

     spotted by landry@
2012-11-14 19:04:02 +11:00
Damien Miller
0120c41d6b - jmc@cvs.openbsd.org 2012/09/26 17:34:38
[moduli.5]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-11-07 08:36:00 +11:00
Damien Miller
d5c3d4c0ca - eric@cvs.openbsd.org 2011/11/28 08:46:27
[moduli.5]
     fix formula
     ok djm@
2012-11-07 08:35:38 +11:00
Darren Tucker
737f7aff36 - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
don't have it.  Spotted by tim@.
2012-11-05 17:07:43 +11:00
Darren Tucker
f96ff18a92 - (dtucker) [uidswap.c openbsd-compat/Makefile.in
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
   openbsd-compat/openbsd-compat.h]  Move the fallback code for setting uids
   and gids from uidswap.c to the compat library, which allows it to work with
   the new setresuid calls in auth2-pubkey.  with tim@, ok djm@
2012-11-05 17:04:37 +11:00