path: root/secure
Commit message | Author | Age | Files | Lines
* Upgrade OpenSSH to 7.3p1. | des | 2017-09-01 | 1 | -2/+2
  This is the last version of OpenSSH which does not break compatibility more than we can live with in a stable branch. Further commits will follow to backport some bug fixes from newer versions.
  The sshd breakage in the previous attempt was due to an upstream bug (a 0 was changed to a 1 while refactoring send_rexec_state() in sshd.c) which only manifested itself when sshd was built with SSH 1 support.
  Approved by: re@
* Revert OpenSSH 7.3p1; something went wrong between testing and committing. | des | 2017-09-01 | 1 | -2/+2
  Approved by: re@
* Upgrade OpenSSH to 7.3p1. | des | 2017-09-01 | 1 | -2/+2
  This is the last version of OpenSSH which does not break compatibility more than we can live with in a stable branch. Further commits will follow to backport some bug fixes from newer versions.
  Approved by: re@
* MFC r289172,r290254: | ngie | 2017-02-09 | 5 | -15/+5
  r289172: Refactor the test/ Makefiles after recent changes to bsd.test.mk (r289158) and netbsd-tests.test.mk (r289151)
  - Eliminate explicit OBJTOP/SRCTOP setting
  - Convert all ad hoc NetBSD test integration over to netbsd-tests.test.mk
  - Remove unnecessary TESTSDIR setting
  - Use SRCTOP where possible for clarity
  r290254: Remove unused variable (SRCDIR)
* MFC r311585: | ngie | 2017-02-04 | 1 | -2/+8
  Conditionalize building libwrap support into sshd
  Only build libwrap support into sshd if MK_TCP_WRAPPERS != no
  This will unbreak the build if libwrap has been removed from the system
  PR: 210141
* Disable assembly sources when compiler/assembler cannot compile certain | jkim | 2017-01-26 | 9 | -56/+72
  instructions.
  Note this is a direct commit because head and stable/11 have OpenSSL 1.0.2 branch. However, it is based on r304320.
  Requested by: julian
* MFC r311140: | ngie | 2017-01-16 | 3 | -3/+3
  Only bake krb5_config.h support in to ssh(3), etc if both MK_GSSAPI and MK_KERBEROS_SUPPORT != no
  This fixes the odd case where someone specified MK_GSSAPI=no and MK_KERBEROS_SUPPORT=yes (which admittedly, probably doesn't make sense, but the build system doesn't prevent this case today, and it didn't when I filed the bug back in 2011 either).
  PR: 159745
* Merge OpenSSL 1.0.1u. | jkim | 2016-09-22 | 342 | -686/+892
* Hide OPENSSL_cpuid_setup and OPENSSL_ia32cap_P symbols from libcrypto.so. | jkim | 2016-05-16 | 1 | -0/+4
  Note this is a direct commit because it is merged from OpenSSL upstream and head (OpenSSL 1.0.2 branch) already has the same change:
  https://github.com/openssl/openssl/commit/6206682
* - Make libcrypto.so position independent on i386. | jkim | 2016-05-16 | 67 | -27502/+59979
  - Enable linker error when libcrypto.so contains a relocation against text.
  - Add "Do not modify" comment to generated source files.
  - Set CC environment variable for Perl scripts to enable AVX instructions.
  - Update __FreeBSD_version to indicate libcrypto.so is position independent.
  Note this is a direct commit because head has OpenSSL 1.0.2 branch but based on r299389, r299462, r299464, r299479, and r299480.
* Merge OpenSSL 1.0.1t. | jkim | 2016-05-03 | 344 | -379/+716
  Relnotes: yes
* MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug) | des | 2016-03-12 | 12 | -42/+7
  MFH (r296634): re-add aes-cbc to server-side default cipher list
  MFH (r296651, r296657): fix gcc build of pam_ssh
  PR: 207679
  Security: CVE-2016-3115
* Re-enable SSLv2 support to restore ABI. | jkim | 2016-03-04 | 6 | -36/+0
  Excerpt from CHANGES:
  Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:
      SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
  or
      SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
  as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
  Approved by: re (marius, gjb), so (delphij)
* Merge OpenSSL 1.0.1s. This is a security update. | delphij | 2016-03-02 | 347 | -603/+1181
  Relnotes: yes
  Approved by: re (so@ implicit)
* MFH (r265214, r294333, r294407, r294467): misc prop fixes | des | 2016-02-07 | 2 | -14/+17
  MFH (r285975, r287143): register mergeinfo for security fixes
  MFH (r294497, r294498, r295139): internal documentation
  MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
  MFH (r294332): upgrade to openssh 6.8p1
  MFH (r294367): update pam_ssh for api changes
  MFH (r294909): switch usedns back on
  MFH (r294336): upgrade to openssh 6.9p1
  MFH (r294495): re-enable dsa keys
  MFH (r294464): upgrade to openssh 7.0p1
  MFH (r294496): upgrade to openssh 7.1p2
  Approved by: re (gjb)
  Relnotes: yes
* Merge OpenSSL 1.0.1r. | jkim | 2016-01-28 | 340 | -704/+897
  Relnotes: yes
* MFH (r291198, r291260, r291261, r291375, r294325, r294335, r294563) | des | 2016-01-24 | 3 | -12/+0
  Remove the HPN and None cipher patches.
* MFC r291941: | bdrewery | 2016-01-07 | 12 | -34/+17
  Replace unneeded manual dependency on header by adding it to SRCS.
* MFC r289393: | bdrewery | 2015-12-04 | 4 | -1/+9
  Add more SUBDIR_PARALLEL.
* MFC r289360,r289361,r289378,r289430,r289605,r289676: | bdrewery | 2015-12-04 | 1 | -2/+2
  r289360: Add temporary workaround for .MAKE being applied to _worldtmp, since r251750.
  r289361: Consider top-level targets to be .PHONY as bmake won't build them otherwise if a file with the same name is found in the directory.
  r289378: Mark sub-make targets as .MAKE and .PHONY to handle -n and always-build properly.
  r289430: Remove .MAKE from targets that do more than just run sub-makes, such as calling rm or mtree.
  r289605: Add missing .PHONY for parallel subdir target.
  r289676: Add some missing '+', .MAKE, and .PHONY modifiers.
* Merge OpenSSL 1.0.1q. | jkim | 2015-12-03 | 340 | -739/+749
* MFC r290178: | ngie | 2015-11-09 | 1 | -1/+2
  Fix GOST engine cipher linkage by adding e_gost_err.c to SRCS so it picks up undefined symbols, like "ERR_load_GOST_strings"
  PR: 184805
  Submitted by: Ivan IvanZhdanov <ivan.zhdanov@gmail.com>
  Sponsored by: EMC / Isilon Storage Division
* MFC: r290121 | jkim | 2015-11-02 | 1 | -2/+10
  Define endianness for non-x86 platforms.
* MFC r287981: | bdrewery | 2015-10-03 | 1 | -8/+0
  Replace afterinstall: hack from r111083 with 'make delete-old' functionality.
* MFC: r285329 | jkim | 2015-07-09 | 338 | -344/+357
  Merge OpenSSL 1.0.1p.
  Approved by: re (gjb)
  Relnotes: yes
* MFC: r284329 | jkim | 2015-06-12 | 338 | -339/+339
  Merge OpenSSL 1.0.1o.
  Note it is instantly merged because it restores ABI compatibility broken by the previous OpenSSL 1.0.1n.
  Relnotes: yes
* MFC: r284283 | jkim | 2015-06-11 | 338 | -759/+807
  Merge OpenSSL 1.0.1n.
* MFC: r280297 | jkim | 2015-03-20 | 345 | -715/+1438
  Merge OpenSSL 1.0.1m.
  Relnotes: yes
* Fix multiple OpenSSL vulnerabilities. | delphij | 2015-03-19 | 1 | -1/+9
  Security: FreeBSD-SA-15:06.openssl
  Security: CVE-2015-0209
  Security: CVE-2015-0286
  Security: CVE-2015-0287
  Security: CVE-2015-0288
  Security: CVE-2015-0289
  Security: CVE-2015-0293
* MFC: r277274 | jkim | 2015-01-23 | 1 | -3/+3
  Update buildinf.h to make SSLeay_version(3) a little bit more useful.
* MFC: r277270 | jkim | 2015-01-23 | 335 | -336/+336
  Merge OpenSSL 1.0.1l.
  Relnotes: yes
* MFC: r276861, r276863 | jkim | 2015-01-09 | 335 | -4325/+7347
  Merge OpenSSL 1.0.1k.
* MFC r264400,r265836: | ngie | 2014-12-31 | 1 | -1/+1
  r264400: NO_MAN= has been deprecated in favor of MAN= for some time, go ahead and finish the job. ncurses is now the only Makefile in the tree that uses it since it wasn't a simple mechanical change, and will be addressed in a future commit.
  r265836: Remove last two NO_MAN= in the tree. In both of these cases, MAN= is what is needed.
* MFC: r273144, r273146 | jkim | 2014-10-15 | 337 | -437/+672
  Merge OpenSSL 1.0.1j.
  Relnotes: yes
* MFC: r269682 | jkim | 2014-08-07 | 335 | -444/+1107
  Merge OpenSSL 1.0.1i.
* MFC: r267256 | jkim | 2014-06-09 | 333 | -352/+400
  Merge OpenSSL 1.0.1h.
  Approved by: so (delphij)
* MFC r265995: | delphij | 2014-05-28 | 1 | -1/+1
  Switch to using the new $2b$ format by default, when bcrypt is used.
  Relnotes: default Blowfish crypt(3) format has been changed to $2b$.
* MFC r265003: | kib | 2014-05-04 | 1 | -0/+10
  Fix order of libthr and libc in the global dso list for sshd.
* MFC r264741: Add placeholder Kyuafiles for various top-level hierarchies. | jmmv | 2014-04-28 | 10 | -1/+71
  This is "make tinderbox" clean.
* MFH (r263712): upgrade openssh to 6.6p1 | des | 2014-04-12 | 2 | -5/+5
  MFH (r264308): restore p level in debugging output
* MFC: r261037, r264278 | jkim | 2014-04-10 | 336 | -917/+838
  Merge OpenSSL 1.0.1f and 1.0.1g.
* MFC r262501: | delphij | 2014-03-27 | 1 | -33/+52
  Refresh our implementation of OpenBSD's Blowfish password format.
  Notable changes:
  - Support of $2b$ password format to address a problem where very long passwords (more than 256 characters, when an integer overflow would happen and cause the length to wrap at 256).
  - Updated pseudo code in comments to reflect the reality.
  - Removed our local shortcut of processing magic string and rely on the centralized and tightened validation.
  - Diff reduction from upstream.
  For now we are still generating the older $2a$ format of password but we will migrate to the new format once the format is formally finalized.
* MFH (r261320): upgrade openssh to 6.5p1 | des | 2014-02-27 | 2 | -6/+10
  MFH (r261340): enable sandboxing by default
* Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a | des | 2013-09-23 | 3 | -4/+12
  repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise.
  Approved by: re (marius)
* Replace claims that DES is a strong cryptosystem with a warning stating | des | 2013-09-21 | 1 | -28/+7
  that it should no longer be considered secure.
  Approved by: re (gjb)
* Clean up the OpenSSH build. It is now possible to build most components | des | 2013-09-10 | 12 | -46/+190
  as static binaries, if desired. The one exception is sshd, which runs into trouble due to libpam.a's inclusion of pam_ssh.
  Make OpenSSH use LDNS if available. This allows it to verify signed SSHFP records.
  Approved by: re (blanket)
* Make libldns and libssh private. | des | 2013-09-08 | 12 | -0/+12
  Approved by: re (blanket)
* Remove references to MK_IDEA. | ed | 2013-04-27 | 3 | -21/+1
  As of r249959, we want to build with IDEA support enabled unconditionally. As this change removed the MK_IDEA flag, update these Makefiles accordingly.
* Upgrade to OpenSSH 6.2p1. The most important new features are support | des | 2013-03-22 | 1 | -4/+4
  for a key revocation list and more fine-grained authentication control.
* Retire the mislabeled ENABLE_SUID_SSH knob. | des | 2013-03-22 | 1 | -3/+1