| Commit message (Collapse) | Author | Age | Files | Lines |
The use of CHAN_TCP_WINDOW_DEFAULT here was fixed in upstream OpenSSH
in CVS 1.4810, git 5baa170d771de9e95cf30b4c469ece684244cf3e:
- dtucker@cvs.openbsd.org 2007/12/28 22:34:47
[clientloop.c]
Use the correct packet maximum sizes for remote port and agent forwarding.
Prevents the server from killing the connection if too much data is queued
and an excessively large packet gets sent. bz #1360, ok djm@.
The change was lost due to the way the original upstream HPN patch
modified this code. It was re-adding the original OpenSSH code and never
was properly fixed to use the new value.
MFC after: 2 weeks
Notes:
svn path=/head/; revision=280999
PR: 193127
MFC after: 2 weeks
Notes:
svn path=/head/; revision=280360
Notes:
svn path=/head/; revision=280297
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=280288
svn path=/vendor-crypto/openssl/1.0.1m/; revision=280289; tag=vendor/openssl/1.0.1m
MFC after: 1 week
Relnotes: yes
Notes:
svn path=/head/; revision=277270
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=277266
svn path=/vendor-crypto/openssl/1.0.1l/; revision=277267; tag=vendor/openssl/1.0.1l
Fix build.
Notes:
svn path=/head/; revision=276863
https://github.com/openssl/openssl/commit/5c5e7e1a7eb114cf136e1ae4b6a413bc48ba41eb
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=276862
Notes:
svn path=/head/; revision=276861
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=276856
svn path=/vendor-crypto/openssl/1.0.1k/; revision=276858; tag=vendor/openssl/1.0.1k
Notes:
svn path=/head/; revision=273144
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=273138
svn path=/vendor-crypto/openssl/1.0.1j/; revision=273139; tag=vendor/openssl/1.0.1j
PR: 156245
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=271284
Notes:
svn path=/head/; revision=269682
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=269670
svn path=/vendor-crypto/openssl/1.0.1i/; revision=269671; tag=vendor/openssl/1.0.1i
Approved by: so (delphij)
Notes:
svn path=/head/; revision=267256
Approved by: so (delphij)
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=267188
svn path=/vendor-crypto/openssl/1.0.1h/; revision=267189; tag=vendor/openssl/1.0.1h
Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224,
CVE-2014-3470
Security: SA-14:14.openssl
Approved by: so
Notes:
svn path=/head/; revision=267102
avoid confusion.
Sponsored by: Multiplay
Notes:
svn path=/head/; revision=266465
Obtained from: OpenBSD
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198
Notes:
svn path=/head/; revision=265985
Obtained from: OpenBSD
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
Notes:
svn path=/head/; revision=265120
Notes:
svn path=/head/; revision=264691
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
Notes:
svn path=/head/; revision=264400
Notes:
svn path=/head/; revision=264308
Approved by: benl (maintainer)
Notes:
svn path=/head/; revision=264278
Approved by: benl (maintainer)
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=264271
svn path=/vendor-crypto/openssl/1.0.1g/; revision=264272; tag=vendor/openssl/1.0.1g
Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel
Attack in OpenSSL. [SA-14:06]
Notes:
svn path=/head/; revision=264265
Notes:
svn path=/head/; revision=263712
$FreeBSD$ tags and man page dates.
Add a post-merge script which reapplies these changes.
Run both scripts to normalize the existing code base. As a result, many
files which should have had $FreeBSD$ tags but didn't now have them.
Partly rewrite the upgrade instructions and remove the now outdated
list of tricks.
Notes:
svn path=/head/; revision=263691
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.
MFC after: 3 weeks
Notes:
svn path=/head/; revision=263234
Approved by: des
Notes:
svn path=/head/; revision=261499
Notes:
svn path=/head/; revision=261340
Notes:
svn path=/head/; revision=261320
Approved by: so (delphij), benl (silence)
Notes:
svn path=/head/; revision=261037
Approved by: so (delphij), benl (silence)
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=261035
svn path=/vendor-crypto/openssl/1.0.1f/; revision=261036; tag=vendor/openssl/1.0.1f
Apply vendor commits:
197e0ea Fix for TLS record tampering bug. (CVE-2013-4353).
3462896 For DTLS we might need to retransmit messages from the
        previous session so keep a copy of write context in DTLS
        retransmission buffers instead of replacing it after
        sending CCS. (CVE-2013-6450).
ca98926 When deciding whether to use TLS 1.2 PRF and record hash
        algorithms use the version number in the corresponding
        SSL_METHOD structure instead of the SSL structure. The
        SSL structure version is sometimes inaccurate.
        Note: OpenSSL 1.0.2 and later effectively do this already.
        (CVE-2013-6449).
Security: CVE-2013-4353
Security: CVE-2013-6449
Security: CVE-2013-6450
Notes:
svn path=/head/; revision=260403
RFC 4402 specifies the implementation of the gss_pseudo_random()
function for the krb5 mechanism (and the C bindings therein).
The implementation uses a PRF+ function that concatenates the output
of individual krb5 pseudo-random operations produced with a counter
and seed. The original implementation of this function in Heimdal
incorrectly encoded the counter as a little-endian integer, but the
RFC specifies the counter encoding as big-endian. The implementation
initializes the counter to zero, so the first block of output (16 octets,
for the modern AES enctypes 17 and 18) is unchanged. (RFC 4402 specifies
that the counter should begin at 1, but both existing implementations
begin with zero and it looks like the standard will be re-issued, with
test vectors, to begin at zero.)
This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6,
from 13 October, 2013:
% Fix krb5's gss_pseudo_random() (n is big-endian)
%
% The first enctype RFC3961 prf output length's bytes are correct because
% the little- and big-endian representations of unsigned zero are the
% same. The second block of output was wrong because the counter was not
% being encoded as big-endian.
%
% This change could break applications. But those applications would not
% have been interoperating with other implementations anyways (in
% particular: MIT's).
Approved by: hrs (mentor, src committer)
MFC after: 3 days
Notes:
svn path=/head/; revision=259286
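
The counter-encoding bug described in the commit above, as an added C example (not Heimdal's code and not part of the commit). `toy_prf` is a non-cryptographic stand-in for the krb5 pseudo-random operation; `prf_plus`, `agreeing_octets`, the key and the seed are hypothetical names and constructed values. It shows why the two byte orders agree on the first 16 octets and diverge from the second block on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16 /* prf output length for enctypes 17 and 18, per the commit message */

/* Stand-in for the krb5 pseudo-random operation (FNV-1a based, NOT cryptographic). */
static void toy_prf(const uint8_t *key, size_t klen,
                    const uint8_t *in, size_t ilen, uint8_t out[BLOCK])
{
    for (size_t half = 0; half < 2; half++) {
        uint64_t h = 0xcbf29ce484222325ULL ^ (half + 1);
        for (size_t i = 0; i < klen; i++) h = (h ^ key[i]) * 0x100000001b3ULL;
        for (size_t i = 0; i < ilen; i++) h = (h ^ in[i]) * 0x100000001b3ULL;
        for (size_t i = 0; i < 8; i++) out[half * 8 + i] = (uint8_t)(h >> (8 * i));
    }
}

/* PRF+: T_n = prf(key, counter(n) || seed) for n = 0, 1, ..., concatenated and
 * truncated to outlen. Returns 0, or -1 if the seed exceeds the fixed buffer. */
int prf_plus(const uint8_t *key, size_t klen, const uint8_t *seed, size_t slen,
             int big_endian, uint8_t *out, size_t outlen)
{
    uint8_t in[4 + 64], t[BLOCK];
    if (slen > 64) return -1;
    memcpy(in + 4, seed, slen);
    for (uint32_t n = 0; outlen > 0; n++) {
        for (int i = 0; i < 4; i++) /* 4-octet counter in the chosen byte order */
            in[i] = (uint8_t)(n >> (big_endian ? 24 - 8 * i : 8 * i));
        toy_prf(key, klen, in, 4 + slen, t);
        size_t take = outlen < BLOCK ? outlen : BLOCK;
        memcpy(out, t, take);
        out += take; outlen -= take;
    }
    return 0;
}

/* Leading octets on which both counter encodings agree (constructed key and seed). */
size_t agreeing_octets(size_t outlen)
{
    static const uint8_t key[] = "constructed-key", seed[] = "constructed-seed";
    uint8_t le[64], be[64];
    size_t i = 0;
    if (outlen > 64) outlen = 64;
    prf_plus(key, sizeof key - 1, seed, sizeof seed - 1, 0, le, outlen);
    prf_plus(key, sizeof key - 1, seed, sizeof seed - 1, 1, be, outlen);
    while (i < outlen && le[i] == be[i]) i++;
    return i;
}

int main(void) { printf("agree on %zu of 32 octets\n", agreeing_octets(32)); return 0; }
```

Callers that request at most one block of output see no difference between the two encodings, which is why only longer requests failed to interoperate.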
Upgrade to OpenSSH 6.4p1.
Bump VersionAddendum.
Approved by: des
Notes:
svn path=/head/; revision=257954
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
Notes:
svn path=/head/; revision=255829
didn't use them. This will make future merges from the vendor tree much
easier.
Approved by: re (gjb)
Notes:
svn path=/head/; revision=255774
Approved by: re (gjb)
Notes:
svn path=/head/; revision=255767
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)
Notes:
svn path=/head/; revision=255461
branch but never merged to head. They were inadvertently left out when
6.1p1 was merged to head. It didn't make any difference at the time,
because they were unused, but one of them is required for DNS-based host
key verification.
Approved by: re (blanket)
Notes:
svn path=/head/; revision=255422
MFC after: 3 days
Notes:
svn path=/head/; revision=254278
Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.
Requested by: zi
Approved by: benl
Notes:
svn path=/head/; revision=254107
Reviewed by: dfr
Notes:
svn path=/head/; revision=252409
"sandbox" to "yes", but did not update the documentation to match.
Notes:
svn path=/head/; revision=252338
"sandbox" instead of "yes". In sandbox mode, the privsep child is unable
to load additional libraries and will therefore crash when trying to take
advantage of crypto offloading on CPUs that support it.
Notes:
svn path=/head/; revision=251088
socket to allow propagation of changes to a Heimdal Kerberos database
from the KDC master to the slave(s) work on IPv6 as well.
Update the stats logging to also handle IPv6 addresses.
Reported by: peter (found on FreeBSD cluster)
X-to-be-tested-by: peter
MFC after: 3 weeks
Notes:
svn path=/head/; revision=250782
the issues that affected us.
Notes:
svn path=/head/; revision=250739