summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitouslyDarren Tucker2014-01-232-3/+9
| | | | | incompatible with OpenBSD's despite post-dating it by more than a decade. Declare it as broken, and document FreeBSD's as the same. ok djm@
* - (tim) [session.c] Improve error reporting on set_id().Tim Rice2014-01-232-1/+4
|
* - (djm) [configure.ac aclocal.m4] More tests to detect fallout fromDamien Miller2014-01-223-6/+67
| | | | | | | platform hardening options: include some long long int arithmatic to detect missing support functions for -ftrapv in libgcc and equivalents, actually test linking when -ftrapv is supplied and set either both -pie/-fPIE or neither. feedback and ok dtucker@
* - (djm) [configure.ac] Unless specifically requested, only attemptDamien Miller2014-01-222-9/+30
| | | | to build Position Independent Executables on gcc >= 4.x; ok dtucker
* - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if aDamien Miller2014-01-222-1/+7
| | | | | platform that is expected to use the reuse-argv style setproctitle hack surprises us by providing a setproctitle in libc; ok dtucker
* - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILEDamien Miller2014-01-212-4/+29
| | | | | and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of detecting toolchain-related problems; ok dtucker
* - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introducedTim Rice2014-01-213-7/+8
| | | | with sftp chroot support. Move set_id call after chroot.
* - (dtucker) [aclocal.m4] Differentiate between compile-time and link-timeDarren Tucker2014-01-212-3/+5
| | | | tests in the configure output. ok djm.
* - (dtucker) [configure.ac] Make PIE a configure-time option which defaultsDarren Tucker2014-01-212-4/+27
| | | | | | to on platforms where it's known to be reliably detected and off elsewhere. Works around platforms such as FreeBSD 9.1 where it does not interop with -ftrapv (it seems to work but fails when trying to link ssh). ok djm@
* - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms thatDamien Miller2014-01-202-26/+6
| | | | skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
* - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the KerberosDarren Tucker2014-01-202-0/+9
| | | | | implementation does not have krb5_cc_new_unique, similar to what we do in auth-krb5.c.
* - djm@cvs.openbsd.org 2014/01/20 00:08:48Damien Miller2014-01-202-1/+8
| | | | | [digest.c] memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
* - dtucker@cvs.openbsd.org 2014/01/19 11:21:51Darren Tucker2014-01-192-3/+7
| | | | | | [addrmatch.c] Cast the sizeof to socklen_t so it'll work even if the supplied len is negative. Suggested by and ok djm, ok deraadt.
* - djm@cvs.openbsd.org 2014/01/19 04:48:08Darren Tucker2014-01-192-4/+7
| | | | | [ssh_config.5] fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
* - dtucker@cvs.openbsd.org 2014/01/19 04:17:29Darren Tucker2014-01-193-7/+12
| | | | | | | [canohost.c addrmatch.c] Cast socklen_t when comparing to size_t and use socklen_t to iterate over the ip options, both to prevent signed/unsigned comparison warnings. Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
* - dtucker@cvs.openbsd.org 2014/01/18 09:36:26Darren Tucker2014-01-192-2/+6
| | | | | | | [session.c] explicitly define USE_PIPES to 1 to prevent redefinition warnings in portable on platforms that use pipes for everything. From redhat @ redhat.
* - dtucker@cvs.openbsd.org 2014/01/17 06:23:24Darren Tucker2014-01-192-3/+9
| | | | | [sftp-server.c] fix log message statvfs. ok djm
* - (dtucker) [sandbox-capsicum.c] Correct some error messages and make theDarren Tucker2014-01-182-3/+6
| | | | | return value check for cap_enter() consistent with the other uses in FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140.
* - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,Darren Tucker2014-01-182-3/+15
| | | | | | | | | | | optind) are defined in getopt.h already. Unfortunately they are defined as "declspec(dllimport)" for historical reasons, because the GNU linker didn't allow auto-import on PE/COFF targets way back when. The problem is the dllexport attributes collide with the definitions in the various source files in OpenSSH, which obviousy define the variables without declspec(dllimport). The least intrusive way to get rid of these warnings is to disable warnings for GCC compiler attributes when building on Cygwin. Patch from vinschen at redhat.com.
* - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing functionDarren Tucker2014-01-182-1/+11
| | | | | | declarations that stopped being included when we stopped including <windows.h> from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at redhat.com.
* - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. PatchDarren Tucker2014-01-182-0/+8
| | | | from vinschen at redhat.com
* - (dtucker) [defines.h] Move our definitions of uintXX_t types down to afterDarren Tucker2014-01-172-8/+11
| | | | | they're defined if we have to define them ourselves. Fixes builds on old AIX.
* - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building onDarren Tucker2014-01-172-1/+5
| | | | Solaris.
* - (dtucker) [configure.ac] Have --without-toolchain-hardening not turn offDarren Tucker2014-01-172-3/+4
| | | | stack-protector since that has a separate flag that's been around a while.
* - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.Darren Tucker2014-01-172-2/+15
|
* - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if weDarren Tucker2014-01-172-3/+5
| | | | need them to cut down on the name collisions.
* - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.cDarren Tucker2014-01-174-10/+63
| | | | | | openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs to be useful (and for the regression tests to pass) on platforms that have statfs and fstatfs. ok djm@
* - (dtucker) Fix typo in #ifndef.Darren Tucker2014-01-172-2/+3
|
* - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.cDarren Tucker2014-01-175-4/+57
| | | | | openbsd-compat/openssl-compat.h] Add compatibility layer for older openssl versions. ok djm@
* - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]Damien Miller2014-01-1711-13/+147
| | | | | | | [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
* - dtucker@cvs.openbsd.org 2014/01/17 05:26:41Darren Tucker2014-01-172-3/+4
| | | | | [digest.c] remove unused includes. ok djm@
* - djm@cvs.openbsd.org 2014/01/17 00:21:06Darren Tucker2014-01-172-1/+5
| | | | | [sftp-client.c] signed/unsigned comparison warning fix; from portable (Id sync only)
* - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions intoDarren Tucker2014-01-172-3/+11
| | | | separate lines and alphabetize for easier diffing of changes.
* - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms thatDarren Tucker2014-01-172-1/+10
| | | | don't have them.
* - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include insideDarren Tucker2014-01-172-1/+5
| | | | #ifdef HAVE_STDINT_H.
* - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] IncludeDarren Tucker2014-01-177-0/+14
| | | | includes.h to pull in all of the compatibility stuff.
* - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.Darren Tucker2014-01-172-1/+4
|
* - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.Darren Tucker2014-01-172-1/+4
|
* - (dtucker) [loginrec.c] Cast to the types specfied in the formatDarren Tucker2014-01-172-1/+4
| | | | specification to prevent warnings.
* - (djm) [sftp-client.c] signed/unsigned comparison fixDamien Miller2014-01-172-1/+6
|
* - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchainDarren Tucker2014-01-163-9/+58
| | | | | | hardening flags including -fstack-protector-strong. These default to on if the toolchain supports them, but there is a configure-time knob (--without-hardening) to disable them if necessary. ok djm@
* - (djm) [README] update release notes URL.Damien Miller2014-01-162-2/+3
|
* - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller2014-01-164-4/+6
| | | | [contrib/suse/openssh.spec] Crank RPM spec version numbers.
* - djm@cvs.openbsd.org 2014/01/16 07:32:00Damien Miller2014-01-162-2/+5
| | | | | [version.h] openssh-6.5
* - djm@cvs.openbsd.org 2014/01/16 07:31:09Damien Miller2014-01-162-2/+9
| | | | | | [sftp-client.c] needless and incorrect cast to size_t can break resumption of large download; patch from tobias@
* - djm@cvs.openbsd.org 2014/01/12 08:13:13Damien Miller2014-01-1214-48/+147
| | | | | | | | | | [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
* - djm@cvs.openbsd.org 2014/01/10 05:59:19Damien Miller2014-01-122-1/+8
| | | | | [sshd_config] the /etc/ssh/ssh_host_ed25519_key is loaded by default too
* - djm@cvs.openbsd.org 2014/01/09 23:26:48Damien Miller2014-01-103-3/+15
| | | | | | [sshconnect.c sshd.c] ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, deranged and might make some attacks on KEX easier; ok markus@
* - djm@cvs.openbsd.org 2014/01/09 23:20:00Damien Miller2014-01-1027-235/+458
| | | | | | | | | | | [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
* - guenther@cvs.openbsd.org 2014/01/09 03:26:00Damien Miller2014-01-102-2/+11
| | | | | | | | | [sftp-common.c] When formating the time for "ls -l"-style output, show dates in the future with the year, and rearrange a comparison to avoid a potentional signed arithmetic overflow that would give the wrong result. ok djm@