1. 04 Dec, 2013 1 commit
  2. 21 Nov, 2013 1 commit
      - djm@cvs.openbsd.org 2013/11/21 00:45:44 · 0fde8acd
      Damien Miller authored
           [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
           [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
           [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
           [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
           cipher "chacha20-poly1305@openssh.com" that combines Daniel
           Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
           authenticated encryption mode.
      
           Inspired by and similar to Adam Langley's proposal for TLS:
           http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
           but differs in layout used for the MAC calculation and the use of a
           second ChaCha20 instance to separately encrypt packet lengths.
           Details are in the PROTOCOL.chacha20poly1305 file.
      
           Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
           ok markus@ naddy@
  3. 17 Oct, 2013 1 commit
      - djm@cvs.openbsd.org 2013/10/17 00:30:13 · f29238e6
      Damien Miller authored
           [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
           fsync@openssh.com protocol extension for sftp-server
           client support to allow calling fsync() faster successful transfer
           patch mostly by imorgan AT nas.nasa.gov; bz#1798
           "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
  4. 09 Jan, 2013 2 commits
  5. 11 Dec, 2012 1 commit
      - markus@cvs.openbsd.org 2012/12/11 22:31:18 · af43a7ac
      Damien Miller authored
           [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
           [packet.c ssh_config.5 sshd_config.5]
           add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
           that change the packet format and compute the MAC over the encrypted
           message (including the packet size) instead of the plaintext data;
           these EtM modes are considered more secure and used by default.
           feedback and ok djm@
  6. 04 Dec, 2010 1 commit
      - djm@cvs.openbsd.org 2010/12/04 00:18:01 · af1f9092
      Darren Tucker authored
           [sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c]
           add a protocol extension to support a hard link operation. It is
           available through the "ln" command in the client. The old "ln"
           behaviour of creating a symlink is available using its "-s" option
           or through the preexisting "symlink" command; based on a patch from
           miklos AT szeredi.hu in bz#1555; ok markus@
  7. 31 Aug, 2010 1 commit
      - djm@cvs.openbsd.org 2010/08/31 11:54:45 · eb8b60e3
      Damien Miller authored
           [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
           [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
           [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
           [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
           [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
           [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
           [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
           Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
           host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
           better performance than plain DH and DSA at the same equivalent symmetric
           key length, as well as much shorter keys.
      
           Only the mandatory sections of RFC5656 are implemented, specifically the
           three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
           ECDSA. Point compression (optional in RFC5656) is NOT implemented.
      
           Certificate host and user keys using the new ECDSA key types are supported.
      
           Note that this code has not been tested for interoperability and may be
           subject to change.
      
           feedback and ok markus@
  8. 26 Feb, 2010 1 commit
      - OpenBSD CVS Sync · 0a80ca19
      Damien Miller authored
         - djm@cvs.openbsd.org 2010/02/26 20:29:54
           [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
           [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
           [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
           [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
           [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
           [sshconnect2.c sshd.8 sshd.c sshd_config.5]
           Add support for certificate key types for users and hosts.
      
           OpenSSH certificate key types are not X.509 certificates, but a much
           simpler format that encodes a public key, identity information and
           some validity constraints and signs it with a CA key. CA keys are
           regular SSH keys. This certificate style avoids the attack surface
           of X.509 certificates and is very easy to deploy.
      
           Certified host keys allow automatic acceptance of new host keys
           when a CA certificate is marked as sh/known_hosts.
           see VERIFYING HOST KEYS in ssh(1) for details.
      
           Certified user keys allow authentication of users when the signing
           CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
           FILE FORMAT" in sshd(8) for details.
      
           Certificates are minted using ssh-keygen(1), documentation is in
           the "CERTIFICATES" section of that manpage.
      
           Documentation on the format of certificates is in the file
           PROTOCOL.certkeys
      
           feedback and ok markus@
  9. 09 Jan, 2010 1 commit
  10. 08 Jan, 2010 1 commit
  11. 14 Feb, 2009 1 commit
  12. 05 Jul, 2008 1 commit
  13. 02 Jul, 2008 1 commit
  14. 29 Jun, 2008 2 commits
  15. 12 Jun, 2008 1 commit
  16. 10 Jun, 2008 1 commit
      - djm@cvs.openbsd.org 2008/06/10 22:15:23 · 8901fa9c
      Darren Tucker authored
           [PROTOCOL ssh.c serverloop.c]
           Add a no-more-sessions@openssh.com global request extension that the
           client sends when it knows that it will never request another session
           (i.e. when session multiplexing is disabled). This allows a server to
           disallow further session requests and terminate the session.
           Why would a non-multiplexing client ever issue additional session
           requests? It could have been attacked with something like SSH'jack:
           http://www.storm.net.nz/projects/7
           feedback & ok markus
  17. 09 Jun, 2008 3 commits
  18. 19 May, 2008 1 commit