| Commit message (Collapse) | Author | Age | Files | Lines | ||
|---|---|---|---|---|---|---|
| ... | ||||||
| * | unblock SIGSEGV before raising it |   deraadt | 2014-06-25 | 1 | -1/+2 | |
| | | | | | ok djm | |||||
| * | when copying local->remote fails during read, don't send uninitialised |   djm | 2014-06-24 | 1 | -3/+7 | |
| | | | | | heap to the remote end. Reported by Jann Horn | |||||
| * | don't fatal() when hostname canonicalisation fails with a | djm | 2014-06-24 | 1 | -5/+9 | |
| | | | | | | | ProxyCommand in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion) | |||||
| * | New key API: refactor key-related functions to be more library-like, | djm | 2014-06-24 | 2 | -0/+4011 | |
| | | | | | | | | | | existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. | |||||
| * | New key API: refactor key-related functions to be more library-like, | djm | 2014-06-24 | 42 | -4438/+1688 | |
| | | | | | | | | | | existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. | |||||
| * | fix bug in KRL generation: multiple consecutive revoked certificate | djm | 2014-06-24 | 1 | -1/+2 | |
| | | | | | | | | serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted. | |||||
| * | The ssh_get_bignum functions must accept the same range of bignums |   naddy | 2014-06-18 | 1 | -4/+6 | |
| | | | | | | | the corresponding ssh_put_bignum functions create. This fixes the use of 16384-bit RSA keys (bug reported by Eivind Evensen). ok djm@ | |||||
| * | Now that we have a dedicated getentropy(2) system call for |   matthew | 2014-06-18 | 1 | -2/+8 | |
| | | | | | | | | arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace sandbox. ok djm | |||||
| * | permit SYS_getentropy | deraadt | 2014-06-13 | 1 | -1/+2 | |
| | | | | | from matthew | |||||
| * | Group ECC functions together to make things a little easier in -portable. |   dtucker | 2014-06-10 | 1 | -4/+4 | |
| | | | | | "doesn't bother me" deraadt@ | |||||
| * | fix inverted test that caused PKCS#11 keys that were explicitly listed | djm | 2014-06-05 | 1 | -2/+2 | |
| | | | | | not to be preferred. Reported by Dirk-Willem van Gulik | |||||
| * | Zap extra whitespace. |   logan | 2014-05-05 | 1 | -2/+2 | |
| | | | | | OK from djm@ and dtucker@ | |||||
| * | unbreak compression, by re-init-ing the compression code in the |   markus | 2014-05-03 | 3 | -3/+26 | |
| | | | | | | | post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@ | |||||
| * | revert __bounded change; it causes way more problems for portable than | djm | 2014-05-02 | 9 | -43/+43 | |
| | | | | | it solves; pointed out by dtucker@ | |||||
| * | UMAC can use our local fallback implementation of AES when OpenSSL isn't | naddy | 2014-04-30 | 4 | -21/+21 | |
| | | | | | | available. Glue code straight from Ted Krovetz's original umac.c. ok markus@ | |||||
| * | New buffer API; the first installment of the conversion/replacement | djm | 2014-04-30 | 13 | -714/+1969 | |
| | | | | | | | | | | | | | of OpenSSH's internals to make them usable as a standalone library. This includes a set of wrappers to make it compatible with the existing buffer API so replacement can occur incrementally. With and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review. | |||||
| * | Don't attempt to append a nul quote char to the filename. Should prevent | dtucker | 2014-04-29 | 1 | -2/+2 | |
| | | | | | | fatal'ing with "el_insertstr failed" when there's a single quote char somewhere in the string. bz#2238, ok markus@ | |||||
| * | Move nulling of variable next to where it's freed. ok markus@ | dtucker | 2014-04-29 | 1 | -2/+2 | |
| | | ||||||
| * | make compiling against OpenSSL optional (make OPENSSL=no); | markus | 2014-04-29 | 28 | -87/+492 | |
| | | | | | | reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm | |||||
| * | re-add our own aesctr implementation; ok djm@ | markus | 2014-04-29 | 4 | -0/+1380 | |
| | | ||||||
| * | bz#1818 - don't send channel success/failre replies on channels that | djm | 2014-04-29 | 2 | -4/+4 | |
| | | | | | | have sent a close already; analysis and patch from Simon Tatham; ok markus@ | |||||
| * | buffer_get_string_ptr's return should be const to remind | djm | 2014-04-28 | 9 | -27/+30 | |
| | | | | | | callers that futzing with it will futz with the actual buffer contents | |||||
| * | don't record duplicate IdentityFiles | djm | 2014-04-23 | 1 | -1/+12 | |
| | | ||||||
| * | zap eol whitespace; |   jmc | 2014-04-22 | 1 | -6/+6 | |
| | | ||||||
| * | Document sftp upload resume. | logan | 2014-04-22 | 1 | -8/+29 | |
| | | | | | OK from djm@, with feedback from okan@. | |||||
| * | comment out the .if (${KERBEROS5:L} block for now, breaks the build |   henning | 2014-04-22 | 1 | -6/+6 | |
| | | | | | | once the bsd.own.mk KERBEROS5 is removed otherwise. this way suggested by theo. | |||||
| * | Sort the sftp command list. | logan | 2014-04-22 | 1 | -3/+3 | |
| | | | | | OK from djm@ | |||||
| * | Implement sftp upload resume support. | logan | 2014-04-21 | 3 | -28/+57 | |
| | | | | | | OK from djm@, with input from guenther@, mlarkin@ and okan@ | |||||
| * | Add support for SSHFP DNS records for ED25519 key types. | logan | 2014-04-20 | 3 | -5/+12 | |
| | | | | | OK from djm@ | |||||
| * | add a canonical 6.6 + curve25519 bignum fix fake version that I can | djm | 2014-04-20 | 1 | -1/+2 | |
| | | | | | recommend people use ahead of the openssh-6.7 release | |||||
| * | use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on | djm | 2014-04-20 | 3 | -31/+46 | |
| | | | | | strict-alignment architectures; reported by and ok stsp@ | |||||
| * | delete .xr to hosts.equiv. there's still an unfortunate amount of |   tedu | 2014-04-19 | 1 | -3/+2 | |
| | | | | | documentation referring to rhosts equivalency in here. | |||||
| * | remove some really old rsh references | tedu | 2014-04-19 | 1 | -17/+3 | |
| | | ||||||
| * | Delete futile calls to RAND_seed. ok djm | tedu | 2014-04-19 | 2 | -26/+2 | |
| | | ||||||
| * | missing wildcard; pointed out by naddy@ | djm | 2014-04-19 | 1 | -2/+2 | |
| | | ||||||
| * | OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections | djm | 2014-04-18 | 5 | -7/+28 | |
| | | | | | | | | | | | using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the spec properly. Disable this KEX method when speaking to one of the affected versions. reported by Aris Adamantiadis; ok markus@ | |||||
| * | remove the identity files from this manpage - ssh-agent doesn't deal | djm | 2014-04-16 | 1 | -37/+16 | |
| | | | | | | with them at all and the same information is duplicated in ssh-add.1 (which does deal with them); prodded by deraadt@ | |||||
| * | skip leading zero bytes in buffer_put_bignum2_from_string(); | djm | 2014-04-16 | 1 | -1/+4 | |
| | | | | | reported by jan AT mojzis.com; ok markus@ | |||||
| * | avoid crash at exit: check that pmonitor!=NULL before dereferencing; | djm | 2014-04-12 | 1 | -2/+3 | |
| | | | | | bz#2225, patch from kavi AT juniper.net | |||||
| * | demote a debug3 to PACKET_DEBUG; ok markus@ | djm | 2014-04-01 | 1 | -3/+3 | |
| | | ||||||
| * | When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any | djm | 2014-04-01 | 1 | -17/+27 | |
| | | | | | | | | | | certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. Reported by mcv21 AT cam.ac.uk | |||||
| * | include fingerprint of key not found | djm | 2014-04-01 | 1 | -6/+8 | |
| | | | | | use arc4random_buf() instead of loop+arc4random() | |||||
| * | ssh has a target painted on it's back, so use -fstack-protector-all | deraadt | 2014-03-31 | 1 | -1/+2 | |
| | | | | | dtucker mentioned that -portable does this | |||||
| * | the text for the -K option was inserted in the wrong place in -r1.108; | jmc | 2014-03-31 | 1 | -6/+6 | |
| | | | | | fix From: Matthew Clarke | |||||
| * | sync available and default algorithms, improve algorithm list formatting | naddy | 2014-03-28 | 2 | -61/+149 | |
| | | | | | help from jmc@ and schwarze@, ok deraadt@ | |||||
| * | disable weak proposals in sshd, but keep them in ssh; ok djm@ | markus | 2014-03-27 | 4 | -27/+47 | |
| | | ||||||
| * | remove libwrap support. ok deraadt djm mfriedl | tedu | 2014-03-26 | 3 | -41/+4 | |
| | | ||||||
| * | The current sharing of myproposal[] between both client and server code | deraadt | 2014-03-26 | 1 | -5/+20 | |
| | | | | | | | makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. | |||||
| * | use __bounded(...) attribute recently added to sys/cdefs.h instead of | djm | 2014-03-26 | 9 | -41/+41 | |
| | | | | | | | longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clan | |||||
| * | trimm default proposals. | markus | 2014-03-25 | 1 | -20/+5 | |
| | | | | | | | | | | This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many | |||||
 |
index : wireguard-openbsd | |
| WireGuard implementation for the OpenBSD kernel | Matt Dunwoodie |
| summaryrefslogtreecommitdiffstats |