path: root/cleanup.c
Date | Commit message | Author | Files | Lines
2016-02-17 | upstream commit | jmc@openbsd.org | 1 | -2/+1
no need to state that protocol 2 is the default twice; Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
2016-02-17 | upstream commit | djm@openbsd.org | 3 | -15/+16
Replace list of ciphers and MACs adjacent to -1/-2 flag descriptions in ssh(1) with a strong recommendation not to use protocol 1. Add a similar warning to the Protocol option descriptions in ssh_config(5) and sshd_config(5); prompted by and ok mmcc@ Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-17 | upstream commit | djm@openbsd.org | 1 | -6/+12
add a "Close session" log entry (at loglevel=verbose) to correspond to the existing "Starting session" one. Also include the session id number to make multiplexed sessions more apparent. feedback and ok dtucker@ Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
2016-02-17 | upstream commit | djm@openbsd.org | 1 | -2/+3
include bad $SSH_CONNECTION in failure output Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
2016-02-17 | Rollback addition of va_start. | Darren Tucker | 1 | -1/+0
va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however it has the wrong number of args and it's not usable in non-variadic functions anyway so it breaks things (for example Solaris 2.6 as reported by Tom G. Christensen). ok djm@
2016-02-16 | Look for gethostbyname in libresolv and libnsl. | Darren Tucker | 1 | -1/+3
Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
2016-02-16 | make existing ssh_malloc_init only for __OpenBSD__ | Damien Miller | 1 | -0/+2
2016-02-16 | upstream commit | djm@openbsd.org | 1 | -5/+5
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
2016-02-16 | upstream commit | dtucker@openbsd.org | 13 | -13/+35
Add a function to enable security-related malloc_options. With and ok deraadt@, something similar has been in the snaps for a while. Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
2016-02-16 | sync ssh-copy-id with upstream 783ef08b0a75 | Damien Miller | 2 | -18/+40
2016-02-12 | upstream commit | djm@openbsd.org | 1 | -3/+5
avoid fatal() for PKCS11 tokens that present empty key IDs bz#1773, ok markus@ Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
2016-02-11 | upstream commit | djm@openbsd.org | 2 | -20/+15
sync crypto algorithm lists in ssh_config(5) and sshd_config(5) with current reality. bz#2527 Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
2016-02-11 | upstream commit | djm@openbsd.org | 1 | -11/+11
fix regression in openssh-6.8 sftp client: existing destination directories would incorrectly terminate recursive uploads; bz#2528 Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
2016-02-09 | upstream commit | djm@openbsd.org | 1 | -15/+4
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@ Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
2016-02-09 | upstream commit | djm@openbsd.org | 1 | -3/+6
don't attempt to percent_expand() already-canonicalised addresses, avoiding unnecessary failures when attempting to connect to scoped IPv6 addresses (that naturally contain '%' characters) Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
2016-02-08 | upstream commit | djm@openbsd.org | 7 | -74/+158
refactor activation of rekeying This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves. Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@ Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
2016-02-08 | upstream commit | naddy@openbsd.org | 1 | -7/+7
Only check errno if read() has returned an error. EOF is not an error. This fixes a problem where the mux master would sporadically fail to notice that the client had exited. ok mikeb@ djm@ Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
2016-02-08 | upstream commit | jsg@openbsd.org | 1 | -2/+2
avoid an uninitialised value when NumberOfPasswordPrompts is 0 ok markus@ djm@ Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
2016-02-08 | upstream commit | djm@openbsd.org | 1 | -3/+6
mention internal DH-GEX fallback groups; bz#2302 Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
2016-02-08 | upstream commit | djm@openbsd.org | 1 | -3/+11
better description for MaxSessions; bz#2531 Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
2016-02-05 | avoid FreeBSD RCS Id in comment | Damien Miller | 1 | -1/+2
Change old $FreeBSD version string in comment so it doesn't become an RCS ident downstream; requested by des AT des.no
2016-02-05 | upstream commit | djm@openbsd.org | 1 | -4/+6
printf argument casts to avoid warnings on strict compilers Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
2016-02-05 | upstream commit | millert@openbsd.org | 1 | -3/+4
Avoid ugly "DISPLAY "(null)" invalid; disabling X11 forwarding" message when DISPLAY is not set. This could also result in a crash on systems with a printf that doesn't handle NULL. OK djm@ Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
2016-02-04 | upstream commit | dtucker@openbsd.org | 1 | -2/+4
Add regression test for RekeyLimit parsing of >32bit values (4G and 8G). Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
2016-01-30 | upstream commit | dtucker@openbsd.org | 1 | -11/+1
Remove leftover roaming dead code. ok djm markus. Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
2016-01-30 | upstream commit | djm@openbsd.org | 1 | -2/+19
include packet type of non-data packets in debug3 output; ok markus dtucker Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
2016-01-30 | upstream commit | dtucker@openbsd.org | 1 | -8/+3
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@ Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
2016-01-30 | upstream commit | dtucker@openbsd.org | 5 | -27/+22
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm. Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2016-01-30 | upstream commit | dtucker@openbsd.org | 1 | -3/+8
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@ Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
2016-01-27 | upstream commit | djm@openbsd.org | 1 | -2/+2
change old $FreeBSD version string in comment so it doesn't become an RCS ident downstream; requested by des AT des.no Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
2016-01-27 | upstream commit | djm@openbsd.org | 1 | -11/+16
make the debug messages a bit more useful here Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
2016-01-27 | upstream commit | jsg@openbsd.org | 1 | -2/+2
Zero a stack buffer with explicit_bzero() instead of memset() when returning from client_loop() for consistency with buffer_free()/sshbuf_free(). ok dtucker@ deraadt@ djm@ Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
2016-01-27 | upstream commit | dtucker@openbsd.org | 1 | -1/+2
Include sys/time.h for gettimeofday. From sortie at maxsi.org. Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
2016-01-27 | upstream commit | markus@openbsd.org | 2 | -2/+4
fd leaks; report Qualys Security Advisory team; ok deraadt@ Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
2016-01-27 | upstream commit | markus@openbsd.org | 23 | -831/+37
remove roaming support; ok djm@ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 | upstream commit | deraadt@openbsd.org | 2 | -2/+2
Disable experimental client-side roaming support. Server side was disabled/gutted for years already, but this aspect was surprisingly forgotten. Thanks for report from Qualys Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
2016-01-27 | bump version numbers | Damien Miller | 3 | -3/+3
2016-01-27 | openssh-7.1p2 | Damien Miller | 1 | -1/+1
2016-01-14 | forcibly disable roaming support in the client | Damien Miller | 2 | -6/+2
2016-01-14 | upstream commit | djm@openbsd.org | 4 | -70/+93
eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension; Reported by Thomas Hoger; ok deraadt@ Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
2016-01-13 | upstream commit | djm@openbsd.org | 2 | -11/+11
use explicit_bzero() more liberally in the buffer code; ok deraadt Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
2016-01-08 | Support Illumos/Solaris fine-grained privileges | Damien Miller | 11 | -10/+358
Includes a pre-auth privsep sandbox and several pledge() emulations. bz#2511, patch by Alex Wilson. ok dtucker@
2016-01-07 | upstream commit | djm@openbsd.org | 1 | -4/+3
fix three bugs in KRL code related to (unused) signature support: verification length was being incorrectly calculated, multiple signatures were being incorrectly processed and a NULL dereference that occurred when signatures were verified. Reported by Carl Jackson Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
2016-01-07 | upstream commit | djm@openbsd.org | 1 | -2/+1
unused prototype Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
2016-01-07 | upstream commit | guenther@openbsd.org | 1 | -1/+1
Use pread/pwrite instead of separate lseek+read/write for lastlog. Cast to off_t before multiplication to avoid truncation on ILP32 ok kettenis@ mmcc@ Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf
2016-01-07 | upstream commit | semarie@openbsd.org | 2 | -16/+13
adjust pledge promises for ControlMaster: when using "ask" or "autoask", the process will use ssh-askpass for asking confirmation. problem found by halex@ ok halex@ Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80
2015-12-18 | upstream commit | djm@openbsd.org | 1 | -4/+4
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515 Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
2015-12-18 | upstream commit | doug@openbsd.org | 1 | -2/+2
Add "id" to ssh-agent pledge for subprocess support. Found the hard way by Jan Johansson when using ssh-agent with X. Also, rearranged proc/exec and retval to match other pledge calls in the tree. ok djm@ Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db
2015-12-18 | upstream commit | mmcc@openbsd.org | 8 | -66/+37
Remove NULL-checks before sshbuf_free(). ok djm@ Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
2015-12-18 | upstream commit | djm@openbsd.org | 2 | -23/+46
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@ Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e