- (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
from jbasney at ncsa uiuc edu.
- (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
krb5-config if it's not in the location specified by --with-kerberos5.
Patch from jchadima at redhat.
dtucker [Fri, 28 Aug 2009 01:21:06 +0000 (01:21 +0000)]
- (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
size a compile-time option and set it to 64k on Cygwin, since Corinna
reports that it makes a significant difference to performance. ok djm@
dtucker [Fri, 28 Aug 2009 01:02:37 +0000 (01:02 +0000)]
- (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
the pty master on Solaris, since it never succeeds and can hang if large
amounts of data are sent to the slave (eg a copy-paste). Based on a patch
originally from Doke Scott, ok djm@
djm [Fri, 28 Aug 2009 00:40:30 +0000 (00:40 +0000)]
- (djm) [sshd_config.5] downgrade mention of login.conf to be an example
and mention PAM as another provider for ChallengeResponseAuthentication;
bz#1408; ok dtucker@
dtucker [Thu, 20 Aug 2009 06:20:50 +0000 (06:20 +0000)]
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_session. Based on a patch from David Leonard.
dtucker [Thu, 20 Aug 2009 06:16:01 +0000 (06:16 +0000)]
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
using it since the type conflicts can cause problems on FreeBSD. Patch
from Jonathan Chen.
dtucker [Sun, 16 Aug 2009 23:35:22 +0000 (23:35 +0000)]
- (dtucker) [configure.ac] Check for headers before libraries for openssl and
zlib, which should make the errors slightly more meaningful on platforms
where there's separate "-devel" packages for those.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
fits into 16 bits to work around a bug in glibc's resolver where it masks
off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
- dtucker@cvs.openbsd.org 2009/07/02 02:11:47
[ssh.c]
allow for long home dir paths (bz #1615). ok deraadt
(based in part on a patch from jchadima at redhat)
- andreas@cvs.openbsd.org 2009/06/27 09:35:06
[readconf.h readconf.c]
Add client option UseRoaming. It doesn't do anything yet but will
control whether the client tries to use roaming if enabled on the
server. From Martin Forssen.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:32:43
[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it
to a buffer when roaming is enabled.
Most of this code was written by Martin Forssen, maf at appgate dot com.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:29:06
[packet.h packet.c]
packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@
dtucker [Mon, 22 Jun 2009 06:11:06 +0000 (06:11 +0000)]
- dtucker@cvs.openbsd.org 2009/06/22 05:39:28
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
alphabetize includes; reduces diff vs portable and style(9).
ok stevesk djm
(Id sync only; these were already in order in -portable)
dtucker [Sun, 21 Jun 2009 09:08:48 +0000 (09:08 +0000)]
- dtucker@cvs.openbsd.org 2009/06/21 09:04:03
[roaming.h roaming_common.c roaming_dummy.c]
Add tags for the benefit of the sync scripts
Also: pull in the changes for 1.1->1.2 missed in the previous sync.
dtucker [Sun, 21 Jun 2009 09:00:20 +0000 (09:00 +0000)]
- dtucker@cvs.openbsd.org 2009/06/21 07:37:15
[kexdhs.c kexgexs.c]
abort if key_sign fails, preventing possible null deref. Based on report
from Paolo Ganci, ok markus@ djm@
dtucker [Sun, 21 Jun 2009 08:58:46 +0000 (08:58 +0000)]
- andreas@cvs.openbsd.org 2009/06/12 20:43:22
[monitor.c packet.c]
Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@
dtucker [Sun, 21 Jun 2009 08:53:53 +0000 (08:53 +0000)]
- andreas@cvs.openbsd.org 2009/05/28 16:50:16
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@
Also, applied appropriate changes to Makefile.in
dtucker [Sun, 21 Jun 2009 08:17:19 +0000 (08:17 +0000)]
- andreas@cvs.openbsd.org 2009/05/28 16:50:16
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
monitor.c]
Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@
dtucker [Sun, 21 Jun 2009 08:16:26 +0000 (08:16 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:38:16
[sshconnect.h sshconnect.c]
Un-static ssh_exchange_identification(), part of a larger change from
Martin Forssen and needed for upcoming changes.
ok markus@
dtucker [Sun, 21 Jun 2009 08:15:25 +0000 (08:15 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:36:07
[packet.h packet.c]
Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
dtucker [Sun, 21 Jun 2009 08:13:57 +0000 (08:13 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:33:39
[clientloop.c]
Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger
change from Martin Forssen, maf at appgate dot com.
ok markus@
dtucker [Sun, 21 Jun 2009 08:12:20 +0000 (08:12 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:31:25
[canohost.h canohost.c]
Add clear_cached_addr(), needed for upcoming changes allowing the peer
address to change.
ok markus@
dtucker [Sun, 21 Jun 2009 07:56:51 +0000 (07:56 +0000)]
- stevesk@cvs.openbsd.org 2009/04/21 15:13:17
[sshd_config.5]
clarify we cd to user's home after chroot; ok markus@ on
earlier version; tweaks and ok jmc@
dtucker [Sun, 21 Jun 2009 07:50:15 +0000 (07:50 +0000)]
- tobias@cvs.openbsd.org 2009/03/23 19:38:04
[ssh-agent.c]
My previous commit didn't fix the problem at all, so stick at my first
version of the fix presented to dtucker.
Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
ok dtucker
dtucker [Sun, 21 Jun 2009 07:49:36 +0000 (07:49 +0000)]
- tobias@cvs.openbsd.org 2009/03/23 08:31:19
[ssh-agent.c]
Fixed a possible out-of-bounds memory access if the environment variable
SHELL is shorter than 3 characters.
with input by and ok dtucker
dtucker [Sun, 21 Jun 2009 07:48:52 +0000 (07:48 +0000)]
- jmc@cvs.openbsd.org 2009/03/19 15:15:09
[ssh.1]
for "Ciphers", just point the reader to the keyword in ssh_config(5), just
as we do for "MACs": this stops us getting out of sync when the lists
change;
fixes documentation/6102, submitted by Peter J. Philipp
alternative fix proposed by djm
ok markus
dtucker [Mon, 4 May 2009 02:52:47 +0000 (02:52 +0000)]
- (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include
variable declarations. Should prevent unused warnings anywhere it's set
(only Crays as far as I can tell) and be a no-op everywhere else.
tim [Wed, 18 Mar 2009 18:25:02 +0000 (18:25 +0000)]
- (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem
that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005.
Based on patch from vinschen at redhat com.
dtucker [Sun, 8 Mar 2009 00:40:27 +0000 (00:40 +0000)]
- (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
versions of Cygwin. Patch from vinschen at redhat com.
dtucker [Sat, 7 Mar 2009 11:22:35 +0000 (11:22 +0000)]
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]
EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg
in openssl 0.9.6) so add an explicit test for it.
dtucker [Sat, 7 Mar 2009 01:01:47 +0000 (01:01 +0000)]
- (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add
EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c
to use them. Allows building with older OpenSSL versions.
dtucker [Fri, 6 Mar 2009 23:22:10 +0000 (23:22 +0000)]
- (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it
exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
has a /dev/random).
djm [Thu, 5 Mar 2009 13:58:39 +0000 (13:58 +0000)]
- djm@cvs.openbsd.org 2009/03/05 11:30:50
[uuencode.c]
document what these functions do so I don't ever have to recurse into
b64_pton/ntop to remember their return values
djm [Thu, 5 Mar 2009 13:58:22 +0000 (13:58 +0000)]
- djm@cvs.openbsd.org 2009/03/05 07:18:19
[auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
[sshconnect2.c]
refactor the (disabled) Schnorr proof code to make it a little more
generally useful
djm [Sat, 21 Feb 2009 01:45:18 +0000 (01:45 +0000)]
- djm@cvs.openbsd.org 2009/02/18 04:31:21
[schnorr.c]
signature should hash over the entire group, not just the generator
(this is still disabled code)
djm [Mon, 16 Feb 2009 04:21:39 +0000 (04:21 +0000)]
- (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh]
[regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled
interop tests from FATAL error to a warning. Allows some interop
tests to proceed if others are missing necessary prerequisites.
djm [Sat, 14 Feb 2009 05:33:09 +0000 (05:33 +0000)]
- djm@cvs.openbsd.org 2009/02/12 03:16:01
[serverloop.c]
tighten check for -R0:... forwarding: only allow dynamic allocation
if want_reply is set in the packet
djm [Sat, 14 Feb 2009 05:28:21 +0000 (05:28 +0000)]
- djm@cvs.openbsd.org 2009/02/12 03:00:56
[canohost.c canohost.h channels.c channels.h clientloop.c readconf.c]
[readconf.h serverloop.c ssh.c]
support remote port forwarding with a zero listen port (-R0:...) to
dynamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@
djm [Sat, 14 Feb 2009 05:26:19 +0000 (05:26 +0000)]
- dtucker@cvs.openbsd.org 2009/02/02 11:15:14
[sftp.c]
Initialize a few variables to prevent spurious "may be used
uninitialized" warnings from newer gcc's. ok djm@
djm [Thu, 12 Feb 2009 02:12:21 +0000 (02:12 +0000)]
- (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX.
OSX provides a getlastlogxbyname function that automates the reading of
a lastlog file. Also, the pututxline function will update lastlog so
there is no need for loginrec.c to do it explicitly. Collapse some
overly verbose code while I'm in there.
dtucker [Sun, 1 Feb 2009 11:19:54 +0000 (11:19 +0000)]
- (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in
channels.c too, so move the definition for non-IP6 platforms to defines.h
where it can be shared.
tim [Thu, 29 Jan 2009 20:30:01 +0000 (20:30 +0000)]
- (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen.
If the CYGWIN environment variable is empty, the installer script
should not install the service with an empty CYGWIN variable, but
rather without setting CYGWIN entirely.
tim [Wed, 28 Jan 2009 20:50:04 +0000 (20:50 +0000)]
- (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen.
Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x.
The information given for the setting of the CYGWIN environment variable
is wrong for both releases so I just removed it, together with the
unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting.
djm [Wed, 28 Jan 2009 05:38:41 +0000 (05:38 +0000)]
- markus@cvs.openbsd.org 2009/01/26 09:58:15
[cipher.c cipher.h packet.c]
Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny