1. 13 Sep, 2018 2 commits
  2. 10 Apr, 2018 1 commit
  3. 07 Feb, 2018 1 commit
    • jsing@openbsd.org's avatar
      upstream commit · 7cd31632
      jsing@openbsd.org authored
      Remove all guards for calls to OpenSSL free functions -
      all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
      
      Prompted by dtucker@ asking about guards for RSA_free(), when looking at
      openssh-portable pr#84 on github.
      
      ok deraadt@ dtucker@
      
      OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
      7cd31632
  4. 31 May, 2017 1 commit
    • markus@openbsd.org's avatar
      upstream commit · 2ae666a8
      markus@openbsd.org authored
      protocol handlers all get struct ssh passed; ok djm@
      
      Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
      2ae666a8
  5. 02 May, 2016 1 commit
    • djm@openbsd.org's avatar
      upstream commit · 0e8eeec8
      djm@openbsd.org authored
      add support for additional fixed DH groups from
       draft-ietf-curdle-ssh-kex-sha2-03
      
      diffie-hellman-group14-sha256 (2K group)
      diffie-hellman-group16-sha512 (4K group)
      diffie-hellman-group18-sha512 (8K group)
      
      based on patch from Mark D. Baushke and Darren Tucker
      ok markus@
      
      Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
      0e8eeec8
  6. 07 Dec, 2015 1 commit
    • markus@openbsd.org's avatar
      upstream commit · 76c9fbbe
      markus@openbsd.org authored
      implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
       (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
       draft-ssh-ext-info-04.txt; with & ok djm@
      
      Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
      76c9fbbe
  7. 26 Jan, 2015 1 commit
    • djm@openbsd.org's avatar
      upstream commit · 5104db7c
      djm@openbsd.org authored
      correctly match ECDSA subtype (== curve) for
       offered/recevied host keys. Fixes connection-killing host key mismatches when
       a server offers multiple ECDSA keys with different curve type (an extremely
       unlikely configuration).
      
      ok markus, "looks mechanical" deraadt@
      5104db7c
  8. 20 Jan, 2015 1 commit
  9. 19 Jan, 2015 2 commits
    • markus@openbsd.org's avatar
      upstream commit · 57d10cbe
      markus@openbsd.org authored
      adapt kex to sshbuf and struct ssh; ok djm@
      57d10cbe
    • markus@openbsd.org's avatar
      upstream commit · 091c3028
      markus@openbsd.org authored
      update packet.c & isolate, introduce struct ssh a) switch
       packet.c to buffer api and isolate per-connection info into struct ssh b)
       (de)serialization of the state is moved from monitor to packet.c c) the old
       packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
       integrated into packet.c with and ok djm@
      091c3028
  10. 14 Jan, 2015 1 commit
    • Damien Miller's avatar
      support --without-openssl at configure time · 72ef7c14
      Damien Miller authored
      Disables and removes dependency on OpenSSL. Many features don't
      work and the set of crypto options is greatly restricted. This
      will only work on system with native arc4random or /dev/urandom.
      
      Considered highly experimental for now.
      72ef7c14
  11. 04 Feb, 2014 1 commit
    • Damien Miller's avatar
      - djm@cvs.openbsd.org 2014/02/02 03:44:32 · a5103f41
      Damien Miller authored
           [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
           [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
           [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
           [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
           [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
           [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
           [sshd.c]
           convert memset of potentially-private data to explicit_bzero()
      a5103f41
  12. 12 Jan, 2014 1 commit
    • Damien Miller's avatar
      - djm@cvs.openbsd.org 2014/01/12 08:13:13 · 91b580e4
      Damien Miller authored
           [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
           [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
           avoid use of OpenSSL BIGNUM type and functions for KEX with
           Curve25519 by adding a buffer_put_bignum2_from_string() that stores
           a string using the bignum encoding rules. Will make it easier to
           build a reduced-feature OpenSSH without OpenSSL in the future;
           ok markus@
      91b580e4
  13. 03 Nov, 2013 2 commits
  14. 20 Jul, 2013 1 commit
    • Damien Miller's avatar
      - markus@cvs.openbsd.org 2013/07/19 07:37:48 · 85b45e09
      Damien Miller authored
           [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
           [servconf.h session.c sshd.c sshd_config.5]
           add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
           or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
           ok djm@
      85b45e09
  15. 01 Jun, 2013 1 commit
    • Darren Tucker's avatar
      - djm@cvs.openbsd.org 2013/05/17 00:13:13 · a627d42e
      Darren Tucker authored
           [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
           ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
           gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
           auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
           servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
           auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
           sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
           kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
           kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
           monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
           ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
           sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
           ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
           dns.c packet.c readpass.c authfd.c moduli.c]
           bye, bye xfree(); ok markus@
      a627d42e
  16. 20 Nov, 2010 1 commit
    • Damien Miller's avatar
      - djm@cvs.openbsd.org 2010/11/10 01:33:07 · 4499f4cc
      Damien Miller authored
           [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c]
           use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED.
           these have been around for years by this time. ok markus
      4499f4cc
  17. 26 Feb, 2010 1 commit
    • Damien Miller's avatar
      - OpenBSD CVS Sync · 0a80ca19
      Damien Miller authored
         - djm@cvs.openbsd.org 2010/02/26 20:29:54
           [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
           [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
           [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
           [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
           [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
           [sshconnect2.c sshd.8 sshd.c sshd_config.5]
           Add support for certificate key types for users and hosts.
      
           OpenSSH certificate key types are not X.509 certificates, but a much
           simpler format that encodes a public key, identity information and
           some validity constraints and signs it with a CA key. CA keys are
           regular SSH keys. This certificate style avoids the attack surface
           of X.509 certificates and is very easy to deploy.
      
           Certified host keys allow automatic acceptance of new host keys
           when a CA certificate is marked as sh/known_hosts.
           see VERIFYING HOST KEYS in ssh(1) for details.
      
           Certified user keys allow authentication of users when the signing
           CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
           FILE FORMAT" in sshd(8) for details.
      
           Certificates are minted using ssh-keygen(1), documentation is in
           the "CERTIFICATES" section of that manpage.
      
           Documentation on the format of certificates is in the file
           PROTOCOL.certkeys
      
           feedback and ok markus@
      0a80ca19
  18. 21 Jun, 2009 1 commit
  19. 07 Nov, 2006 1 commit
    • Darren Tucker's avatar
      - markus@cvs.openbsd.org 2006/11/06 21:25:28 · 0bc85579
      Darren Tucker authored
           [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
           ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
           add missing checks for openssl return codes; with & ok djm@
      0bc85579
  20. 04 Nov, 2006 1 commit
  21. 01 Sep, 2006 1 commit
    • Damien Miller's avatar
      - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c] · ded319cc
      Damien Miller authored
         [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
         [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
         [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
         [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
         [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
         [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
         [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
         [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
         [sshconnect1.c sshconnect2.c sshd.c rc4.diff]
         [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
         [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
         [openbsd-compat/port-uw.c]
         Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
         compile problems reported by rac AT tenzing.org
      ded319cc
  22. 05 Aug, 2006 1 commit
    • Damien Miller's avatar
      - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 · d7834353
      Damien Miller authored
           [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
           [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
           [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
           [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
           [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
           [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
           [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
           [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
           [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
           [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
           [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
           [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
           [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
           [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
           [serverloop.c session.c session.h sftp-client.c sftp-common.c]
           [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
           [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
           [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
           [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
           [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
           [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
           almost entirely get rid of the culture of ".h files that include .h files"
           ok djm, sort of ok stevesk
           makes the pain stop in one easy step
           NB. portable commit contains everything *except* removing includes.h, as
           that will take a fair bit more work as we move headers that are required
           for portability workarounds to defines.h. (also, this step wasn't "easy")
      d7834353
  23. 24 Jul, 2006 1 commit
    • Damien Miller's avatar
      - stevesk@cvs.openbsd.org 2006/07/22 20:48:23 · e3476ed0
      Damien Miller authored
           [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
           [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
           [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
           [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
           [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
           [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
           [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
           [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
           [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
           [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
           [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
           [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
           [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
           move #include <string.h> out of includes.h
      e3476ed0
  24. 26 Mar, 2006 1 commit
    • Damien Miller's avatar
      - djm@cvs.openbsd.org 2006/03/25 13:17:03 · 57c30117
      Damien Miller authored
           [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
           [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
           [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
           [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
           [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
           [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
           [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
           [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
           [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
           [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
           [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
           [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
           [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
           [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
           [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
           [uidswap.c uuencode.c xmalloc.c]
           Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
           Theo nuked - our scripts to sync -portable need them in the files
      57c30117
  25. 25 Mar, 2006 1 commit
    • Damien Miller's avatar
      - deraadt@cvs.openbsd.org 2006/03/19 18:51:18 · b0fb6872
      Damien Miller authored
           [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
           [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
           [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
           [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
           [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
           [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
           [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
           [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
           [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
           [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
           [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
           [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
           [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
           [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
           [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
           [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
           [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
           [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
           [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
           [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
           [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
           [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
           [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
           RCSID() can die
      b0fb6872
  26. 05 Nov, 2005 1 commit
    • Damien Miller's avatar
      - djm@cvs.openbsd.org 2005/11/04 05:15:59 · 19bb3a57
      Damien Miller authored
           [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
           remove hardcoded hash lengths in key exchange code, allowing
           implementation of KEX methods with different hashes (e.g. SHA-256);
           ok markus@ dtucker@ stevesk@
      19bb3a57
  27. 15 Jun, 2004 1 commit
    • Damien Miller's avatar
      - djm@cvs.openbsd.org 2004/06/13 12:53:24 · f675fc49
      Damien Miller authored
           [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h]
           [ssh-keyscan.c sshconnect2.c sshd.c]
           implement diffie-hellman-group14-sha1 kex method (trivial extension to
           existing diffie-hellman-group1-sha1); ok markus@
      f675fc49
  28. 24 Feb, 2003 1 commit