History log of /openbsd-current/usr.bin/ssh/kex.c
Revision Date Author Comments
# 1.186 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After these changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_5_BASE
# 1.185 08-Jan-2024 djm

remove ext-info-* in the kex.c code, not in callers; with/ok markus@


# 1.184 18-Dec-2023 djm

add "ext-info-in-auth@openssh.com" extension

This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.

This lets sshd update the acceptable signature algorithms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.

Full details in the PROTOCOL file


# 1.183 18-Dec-2023 djm

implement "strict key exchange" in ssh and sshd

This adds a protocol extension to improve the integrity of the SSH
transport protocol, particularly in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@


# 1.182 11-Oct-2023 djm

s/%.100s/%s/ in SSH- banner construction as there's no reason to
limit its size: the version string being included is a compile time
constant going into an allocated banner string.


Revision tags: OPENBSD_7_4_BASE
# 1.181 28-Aug-2023 djm

branches: 1.181.2;
Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@


# 1.180 21-Aug-2023 tobhe

Log errors in kex_exchange_identification() with level verbose instead
of error to reduce preauth log spam. All of those get logged with a more
generic error message by sshpkt_fatal().

feedback from sthen@
ok djm@


# 1.179 18-Aug-2023 djm

fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.178 12-Mar-2023 dtucker

branches: 1.178.4;
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp. 332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to clean up the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.185 08-Jan-2024 djm

remove ext-info-* in the kex.c code, not in callers; with/ok markus@


# 1.184 18-Dec-2023 djm

add "ext-info-in-auth@openssh.com" extension

This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.

This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.

Full details in the PROTOCOL file


# 1.183 18-Dec-2023 djm

implement "strict key exchange" in ssh and sshd

This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@


# 1.182 11-Oct-2023 djm

s/%.100s/%s/ in SSH- banner construction as there's no reason to
limit its size: the version string bring included is a compile time
constant going into an allocated banner string.


Revision tags: OPENBSD_7_4_BASE
# 1.181 28-Aug-2023 djm

branches: 1.181.2;
Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@


# 1.180 21-Aug-2023 tobhe

Log errors in kex_exchange_identification() with level verbose instead
of error to reduce preauth log spam. All of those get logged with a more
generic error message by sshpkt_fatal().

feedback from sthen@
ok djm@


# 1.179 18-Aug-2023 djm

fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.178 12-Mar-2023 dtucker

branches: 1.178.4;
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at intital KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise the percolate all
the way up to dispatch_run_fatal() and lose all meaninful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston va bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/recevied
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


Revision tags: OPENBSD_7_4_BASE
# 1.181 28-Aug-2023 djm

branches: 1.181.2;
Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@


# 1.180 21-Aug-2023 tobhe

Log errors in kex_exchange_identification() with level verbose instead
of error to reduce preauth log spam. All of those get logged with a more
generic error message by sshpkt_fatal().

feedback from sthen@
ok djm@


# 1.179 18-Aug-2023 djm

fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.178 12-Mar-2023 dtucker

branches: 1.178.4;
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2



add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if I understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.181 28-Aug-2023 djm

Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@


# 1.180 21-Aug-2023 tobhe

Log errors in kex_exchange_identification() with level verbose instead
of error to reduce preauth log spam. All of those get logged with a more
generic error message by sshpkt_fatal().

feedback from sthen@
ok djm@


# 1.179 18-Aug-2023 djm

fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.178 12-Mar-2023 dtucker

Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at intital KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise the percolate all
the way up to dispatch_run_fatal() and lose all meaninful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston va bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/recevied
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.180 21-Aug-2023 tobhe

Log errors in kex_exchange_identification() with level verbose instead
of error to reduce preauth log spam. All of those get logged with a more
generic error message by sshpkt_fatal().

feedback from sthen@
ok djm@


# 1.179 18-Aug-2023 djm

fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.178 12-Mar-2023 dtucker

Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization was removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related clientup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.179 18-Aug-2023 djm

fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.178 12-Mar-2023 dtucker

Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
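
As an added illustration of the check described in this entry (this is not OpenSSH's buffer_get_cstring() and the function and error names below are this example's own): decode an SSH wire "string" (RFC 4251: big-endian uint32 length followed by that many bytes), refuse any embedded NUL so the result is safe to pass to str*(3) functions, and tolerate exactly one NUL at the very end, as the footnote above describes. The sample inputs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for this example (not OpenSSH's). */
enum { CSTR_OK = 0, CSTR_TRUNCATED = -1, CSTR_EMBEDDED_NUL = -2, CSTR_NOMEM = -3 };

/*
 * Decode one SSH string at buf+*off into a freshly allocated C string.
 * On success *off advances past the whole wire string (including a
 * tolerated trailing NUL) and *out must be freed by the caller.
 */
int
get_cstring(const unsigned char *buf, size_t buflen, size_t *off, char **out)
{
    const unsigned char *p;
    uint32_t wirelen, len;
    size_t i;
    char *s;

    *out = NULL;
    if (*off > buflen || buflen - *off < 4)
        return CSTR_TRUNCATED;
    p = buf + *off;
    wirelen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
        ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (buflen - *off - 4 < wirelen)
        return CSTR_TRUNCATED;
    p += 4;
    /* Allow a single NUL at the end (see footnote), strip it from the result. */
    len = wirelen;
    if (len > 0 && p[len - 1] == '\0')
        len--;
    /* Any NUL before that would silently truncate the string for str*(3). */
    for (i = 0; i < len; i++)
        if (p[i] == '\0')
            return CSTR_EMBEDDED_NUL;
    if ((s = malloc((size_t)len + 1)) == NULL)
        return CSTR_NOMEM;
    memcpy(s, p, len);
    s[len] = '\0';
    *out = s;
    *off += 4 + (size_t)wirelen;
    return CSTR_OK;
}

/* Constructed sample wire strings. */
const unsigned char sample_ok[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
const unsigned char sample_trailing_nul[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
const unsigned char sample_embedded_nul[] = { 0, 0, 0, 9, 'h', 'e', 'l', 'l', 'o', 0, '.', '.', '/' };
const unsigned char sample_truncated[] = { 0, 0, 0, 10, 'h', 'i' };
const unsigned char sample_short_header[] = { 0, 0, 1 };

/* Helpers so a test can inspect results without leaking. */
int
decode_rc(const unsigned char *buf, size_t buflen)
{
    size_t off = 0;
    char *s;
    int rc = get_cstring(buf, buflen, &off, &s);
    free(s);
    return rc;
}

/* Length of the decoded C string, or -1 if decoding was refused. */
int
decode_strlen(const unsigned char *buf, size_t buflen)
{
    size_t off = 0;
    char *s;
    int n = -1;
    if (get_cstring(buf, buflen, &off, &s) == CSTR_OK)
        n = (int)strlen(s);
    free(s);
    return n;
}
```

Note that the embedded-NUL sample would decode as plain "hello" under a length-blind copy, hiding the "../" that follows; the explicit scan is what makes that visible as an error.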


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
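
An added example of the overflow hazard this entry refers to, beside a failure-checked allocator in the spirit of xcalloc(). This is not OpenSSH's xmalloc.c; where xcalloc() calls fatal(), the checked function here returns NULL so the rejection can be observed, and all function names are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * The dangerous idiom: nmemb * size wraps modulo SIZE_MAX + 1, so a huge
 * element count can produce a tiny allocation that is later indexed as
 * if it held nmemb elements.
 */
size_t
naive_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;    /* may wrap silently */
}

/* The product fits in size_t only if nmemb <= SIZE_MAX / size. */
int
mul_overflows(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return 0;
    return nmemb > SIZE_MAX / size;
}

/*
 * Failure-checked replacement for malloc(nmemb * size). Zero-sized
 * requests are refused too, as xcalloc() does, because malloc(0) is
 * not portable. Returns NULL instead of calling fatal().
 */
void *
checked_calloc(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0 || mul_overflows(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

/* Allocate, touch every byte, free; 1 on success, 0 if refused. */
int
try_alloc(size_t nmemb, size_t size)
{
    void *p = checked_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    memset(p, 0, nmemb * size);    /* safe: product was checked above */
    free(p);
    return 1;
}
```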


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.178 12-Mar-2023 dtucker

Put upper bound on number of entries in SSH2_MSG_EXT_INFO request.
This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@


# 1.177 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
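
An added illustration of the fix described in this entry, not OpenSSH's dispatch.c: a per-connection table of message handlers in which the KEXINIT handler unregisters itself once the peer's KEXINIT has been accepted, so a repeated KEXINIT before authentication is routed to a protocol-error handler instead of driving another allocation. A `strict` flag lets the same code show the pre-fix behaviour beside the fixed one; the message number is the RFC 4253 value, and all other names, sizes and helpers are this example's own.

```c
#include <stdlib.h>
#include <string.h>

#define MSG_KEXINIT     20          /* SSH2_MSG_KEXINIT, RFC 4253 */
#define NMSG            256
#define PROPOSAL_BYTES  (16 * 1024) /* constructed stand-in for the per-KEXINIT allocation */

struct conn;
typedef int (*handler_fn)(struct conn *, int);

struct conn {
    handler_fn dispatch[NMSG];
    unsigned char *peer_proposal;   /* what the KEXINIT handler allocates */
    int accepted;                   /* KEXINITs accepted and parsed */
    int errors;                     /* protocol errors raised */
    int strict;                     /* 1 = unregister after acceptance (the fix) */
};

static int
protocol_error(struct conn *c, int type)
{
    (void)type;
    c->errors++;
    return -1;
}

static int
handle_kexinit(struct conn *c, int type)
{
    free(c->peer_proposal);
    if ((c->peer_proposal = malloc(PROPOSAL_BYTES)) == NULL)
        return -1;
    c->accepted++;
    /* The fix: no second KEXINIT is honoured until this exchange completes. */
    if (c->strict)
        c->dispatch[type] = protocol_error;
    return 0;
}

void
conn_init(struct conn *c, int strict)
{
    int i;
    memset(c, 0, sizeof(*c));
    for (i = 0; i < NMSG; i++)
        c->dispatch[i] = protocol_error;
    c->dispatch[MSG_KEXINIT] = handle_kexinit;
    c->strict = strict;
}

/* Once NEWKEYS has been processed a fresh KEXINIT (rekeying) is legitimate again. */
void
kex_complete(struct conn *c)
{
    c->dispatch[MSG_KEXINIT] = handle_kexinit;
}

static void
replay(struct conn *c, int n)
{
    int i;
    for (i = 0; i < n; i++)
        c->dispatch[MSG_KEXINIT](c, MSG_KEXINIT);
}

/* Feed n consecutive KEXINITs; report how many were accepted. */
int
replay_accepted(int n, int strict)
{
    struct conn c;
    int r;
    conn_init(&c, strict);
    replay(&c, n);
    r = c.accepted;
    free(c.peer_proposal);
    return r;
}

/* Same replay; report how many were rejected as protocol errors. */
int
replay_errors(int n, int strict)
{
    struct conn c;
    int r;
    conn_init(&c, strict);
    replay(&c, n);
    r = c.errors;
    free(c.peer_proposal);
    return r;
}

/* Strict mode still permits one more KEXINIT after the exchange completes. */
int
replay_accepted_after_rekey(int n)
{
    struct conn c;
    int r;
    conn_init(&c, 1);
    replay(&c, n);
    kex_complete(&c);
    replay(&c, 1);
    r = c.accepted;
    free(c.peer_proposal);
    return r;
}
```

With `strict` set, a burst of KEXINITs costs one proposal allocation and the rest are counted as errors the transport layer can act on (log and drop the connection); with it clear, every repeat is accepted, which is the behaviour the entry above closes off.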


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if I understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to clean up the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2



move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.176 06-Mar-2023 dtucker

Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@



move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.175 28-Feb-2023 dtucker

fatal out if allocating banner string fails to avoid potential null
deref later in sscanf. Spotted by Coverity, ok deraadt@


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization was removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@



xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.174 17-Feb-2023 dtucker

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@



branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey-related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.173 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.172 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
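
Added example (not OpenSSH's code, written here to illustrate the entry
above): a client-side parser for the server's identification stream as
RFC 4253 section 4.2 defines it. It skips pre-banner lines that do not
start with "SSH-", accepts LF or CR LF as a terminator, and, as the 1.143
entry describes, refuses a CR that is not immediately followed by LF so
that no bytes can hide between the CR one side sees and the LF the other
side keys on. The 255-byte line limit is the RFC's; the cap on pre-banner
lines and the rejection of NUL bytes are my own choices, and all inputs
in the test are constructed.

```python
import re

MAX_LINE = 255                # RFC 4253 4.2: version string incl. CR LF
MAX_PRE_BANNER_LINES = 1024   # cap on pre-banner chatter; my own choice


class BannerError(Exception):
    """Fatal: a real client would disconnect at this point."""


def read_line(data: bytes, off: int):
    """Return (line_without_terminator, offset_after_terminator).
    LF or CR LF terminate a line. A CR anywhere else is rejected."""
    end = off
    while True:
        if end >= len(data):
            raise BannerError("stream ended inside an identification line")
        if end - off >= MAX_LINE:
            raise BannerError("identification line longer than %d bytes" % MAX_LINE)
        c = data[end]
        if c == 0x0A:
            return data[off:end], end + 1
        if c == 0x0D:
            if end + 1 >= len(data) or data[end + 1] != 0x0A:
                raise BannerError("CR not immediately followed by LF")
            if end + 2 - off > MAX_LINE:
                raise BannerError("identification line longer than %d bytes" % MAX_LINE)
            return data[off:end], end + 2
        if c == 0x00:
            raise BannerError("NUL byte in identification line")   # my choice
        end += 1


def parse_identification(data: bytes):
    """Client-side view of the first bytes a server sends (RFC 4253 4.2):
    any number of lines not starting with 'SSH-' may precede the version
    string 'SSH-protoversion-softwareversion SP comments'.
    Returns (protoversion, softwareversion, comments, offset) where offset
    is where the first binary packet begins."""
    off = 0
    for _ in range(MAX_PRE_BANNER_LINES + 1):
        line, off = read_line(data, off)
        if line.startswith(b"SSH-"):
            break
    else:
        raise BannerError("too many lines before the version string")
    proto, sep, rest = line[4:].partition(b"-")
    if not sep:
        raise BannerError("malformed identification string")
    if proto not in (b"2.0", b"1.99"):   # 1.99: compat server, RFC 4253 5.1
        raise BannerError("unsupported protocol version %r" % proto)
    software, _, comments = rest.partition(b" ")
    # softwareversion is printable US-ASCII without SP (RFC 4253 4.2)
    if not re.fullmatch(rb"[\x21-\x7e]+", software):
        raise BannerError("bad softwareversion token")
    return (proto.decode(), software.decode(),
            comments.decode("utf-8", "replace"), off)


def banner_rejected(data: bytes) -> bool:
    """True if parse_identification() refuses the stream."""
    try:
        parse_identification(data)
    except BannerError:
        return True
    return False


# Constructed sample: one line of pre-banner text, then the version string,
# then the first four bytes of what would be the binary packet stream.
SAMPLE = b"Welcome to the host\r\nSSH-2.0-Example_1.0 built 2024\r\n\x00\x00\x00\x1c"
```

The returned offset matters: everything after the version line is already
binary packet data and must not be consumed by line-oriented reading.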


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@
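
Added example (my own code, not OpenSSH's) covering the 1.83 entry above
(reject embedded NUL bytes in strings that will be handled as C strings,
tolerating a single trailing one) and this 1.134 entry (an extension value
is opaque and may legitimately contain NULs). It parses an SSH_MSG_EXT_INFO
payload in the RFC 8308 layout: byte 7, uint32 count, then count pairs of
(string name, string value). Names go through the strict reader, values
through the binary-safe one, and trailing garbage after the last pair is a
protocol error as in the 1.46 entry. The vendor extension name and all
sample payloads are constructed for the example.

```python
import struct

SSH_MSG_EXT_INFO = 7   # RFC 8308


class ProtocolError(Exception):
    pass


def get_string(buf: bytes, off: int):
    """Read one RFC 4251 'string' (uint32 length + bytes).
    Binary-safe: any byte, NUL included, may appear in the body."""
    if off + 4 > len(buf):
        raise ProtocolError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ProtocolError("string length exceeds buffer")
    return buf[off:off + n], off + n


def get_cstring(buf: bytes, off: int, allow_trailing_nul: bool = True):
    """Read a string that will later be compared or logged as a C string.
    An embedded NUL is rejected, so what strlen() sees is what was sent and
    nothing can ride along after the NUL. One NUL at the very end is
    tolerated, mirroring the transitional policy in the 1.83 entry."""
    s, off = get_string(buf, off)
    body = s[:-1] if (allow_trailing_nul and s.endswith(b"\x00")) else s
    if b"\x00" in body:
        raise ProtocolError("embedded NUL in string")
    try:
        return body.decode("ascii"), off
    except UnicodeDecodeError:
        raise ProtocolError("non-ASCII byte in name") from None


def parse_ext_info(payload: bytes):
    """Return {extension-name: raw value bytes} for an EXT_INFO payload."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ProtocolError("not an EXT_INFO message")
    off = 1
    if off + 4 > len(payload):
        raise ProtocolError("truncated extension count")
    (count,) = struct.unpack_from(">I", payload, off)
    off += 4
    exts = {}
    for _ in range(count):          # a huge count just fails on truncation
        name, off = get_cstring(payload, off)
        value, off = get_string(payload, off)   # opaque, NULs allowed
        exts[name] = value
    if off != len(payload):
        raise ProtocolError("garbage after payload")
    return exts


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_ext_info(exts) -> bytes:
    """Encode [(name, value_bytes), ...] as an EXT_INFO payload."""
    out = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(exts))
    for name, value in exts:
        out += put_string(name.encode("latin-1")) + put_string(value)
    return out


def is_rejected(payload: bytes) -> bool:
    try:
        parse_ext_info(payload)
    except ProtocolError:
        return True
    return False


# Constructed sample: the real server-sig-algs extension plus a hypothetical
# vendor extension whose value is itself an SSH string (so it contains NULs).
SAMPLE = build_ext_info([
    ("server-sig-algs", b"ssh-ed25519,rsa-sha2-512,rsa-sha2-256"),
    ("example-nested@example.com", put_string(b"inner")),
])
```

A name such as "server-sig-algs\0evil" would compare equal to
"server-sig-algs" under strcmp() but is not what the peer sent; the strict
reader refuses it, while the nested value in the second extension, which
contains NULs by construction, is accepted unchanged.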


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@
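
Added example (my own toy model, not OpenSSH's dispatcher) of the
state-machine rules that several entries above describe: a KEXINIT handler
that is unregistered as soon as the message is consumed so a repeat cannot
trigger another proposal allocation (1.127), the same treatment for the
DH-GEX messages (1.167), KEXINIT refused while a KEX is in flight (1.131),
and an SSH_MSG_UNIMPLEMENTED reply carrying the offending packet's
sequence number for anything unexpected during KEX (1.38, 1.112). After
NEWKEYS the KEXINIT handler is re-armed so rekeying still works (1.44).
Message numbers are those of RFC 4253 and RFC 4419; no cryptography is
performed and the payload placeholders are constructed.

```python
import struct

# Message numbers from RFC 4253 / RFC 4419
SSH_MSG_IGNORE, SSH_MSG_UNIMPLEMENTED, SSH_MSG_DEBUG = 2, 3, 4
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS = 20, 21
SSH_MSG_KEX_DH_GEX_GROUP, SSH_MSG_KEX_DH_GEX_INIT = 31, 32
SSH_MSG_KEX_DH_GEX_REPLY, SSH_MSG_KEX_DH_GEX_REQUEST = 33, 34


class Disconnect(Exception):
    """Fatal protocol error: a real server would drop the connection."""


class KexServer:
    """Server side of a DH-GEX exchange, dispatch and state only."""

    def __init__(self):
        self.handlers = {}        # msg type -> bound handler
        self.banned = set()       # types already consumed in this KEX
        self.recv_seq = 0         # incoming packet sequence number
        self.sent = []            # (msg type, payload) we replied with
        self.kexinit_allocs = 0   # how often we stored a peer proposal
        self.kex_active = False
        self.peer_proposal = None
        self.handlers[SSH_MSG_KEXINIT] = self.on_kexinit

    def send(self, t, payload=b""):
        self.sent.append((t, payload))

    def consume(self, t):
        """Called first by every KEX handler: the type stays banned until
        the KEX completes, so a repeat is an error, not a second run."""
        del self.handlers[t]
        self.banned.add(t)

    def receive(self, t, payload=b""):
        seq, self.recv_seq = self.recv_seq, self.recv_seq + 1
        if t in (SSH_MSG_IGNORE, SSH_MSG_DEBUG):
            return "ignored"                       # always permitted
        if t in self.banned:
            raise Disconnect("message type %d repeated during KEX" % t)
        handler = self.handlers.get(t)
        if handler is None:
            # Not expected in this state: reply UNIMPLEMENTED with the
            # sequence number of the packet we refused (RFC 4253 11.4)
            self.send(SSH_MSG_UNIMPLEMENTED, struct.pack(">I", seq))
            return "unimplemented"
        return handler(payload)

    def on_kexinit(self, payload):
        self.consume(SSH_MSG_KEXINIT)
        self.kex_active = True
        self.peer_proposal = payload      # the allocation an attacker could
        self.kexinit_allocs += 1          # repeat if KEXINIT stayed armed
        self.handlers[SSH_MSG_KEX_DH_GEX_REQUEST] = self.on_gex_request
        return "kexinit"

    def on_gex_request(self, payload):
        self.consume(SSH_MSG_KEX_DH_GEX_REQUEST)
        self.send(SSH_MSG_KEX_DH_GEX_GROUP, b"<p,g>")          # placeholder
        self.handlers[SSH_MSG_KEX_DH_GEX_INIT] = self.on_gex_init
        return "gex_request"

    def on_gex_init(self, payload):
        self.consume(SSH_MSG_KEX_DH_GEX_INIT)
        self.send(SSH_MSG_KEX_DH_GEX_REPLY, b"<K_S,f,sig>")    # placeholder
        self.send(SSH_MSG_NEWKEYS)
        self.handlers[SSH_MSG_NEWKEYS] = self.on_newkeys
        return "gex_init"

    def on_newkeys(self, payload):
        self.consume(SSH_MSG_NEWKEYS)
        self.banned.clear()               # KEX done: lift the bans and
        self.kex_active = False           # re-arm KEXINIT for rekeying
        self.handlers[SSH_MSG_KEXINIT] = self.on_kexinit
        return "newkeys"


def run(script):
    """Feed (type, payload) pairs to a fresh server; stop on Disconnect.
    Returns (list of outcomes, server) so state can be inspected."""
    srv, out = KexServer(), []
    for t, p in script:
        try:
            out.append(srv.receive(t, p))
        except Disconnect:
            out.append("disconnect")
            break
    return out, srv
```

Without the consume() step the second KEXINIT in the duplicate script would
run on_kexinit again and store another proposal, which is exactly the
unauthenticated memory growth the 1.127 entry closes.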


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@
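
Added example (my own code, not OpenSSH's) of the algorithm-list syntax
the 1.109, 1.128 and 1.154 entries above introduce ('+' appends to the
default, '-' removes, '^' prepends, anything else replaces), together with
the RFC 4253 section 7.1 selection rule, the first_kex_packet_follows guess
check behind the 1.53 and 1.115 entries, and the failure message that
includes both offers as in this 1.107 entry. The algorithm tables are
constructed for the example, wildcards use fnmatch as an approximation of
OpenSSH's pattern matching, and the guess check ignores the host-key part
of the kex rule.

```python
from fnmatch import fnmatchcase

# Constructed tables for this example; not OpenSSH's actual defaults.
AVAILABLE_KEX = [
    "sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
    "diffie-hellman-group14-sha1",
]
DEFAULT_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256",
]


def _dedupe(items):
    out = []
    for item in items:
        if item not in out:
            out.append(item)
    return out


def _expand(spec, universe, strict=True):
    """Expand a comma-separated list of names and '*'/'?' wildcards against
    `universe`. Patterns keep their order; a wildcard's matches keep the
    universe's order. A plain name with no match is a config error (strict),
    which is what lets bad configs fail at load time (cf. 1.138)."""
    out = []
    for pat in (p.strip() for p in spec.split(",")):
        if not pat:
            continue
        hits = [a for a in universe if fnmatchcase(a, pat)]
        if not hits and strict and not any(c in pat for c in "*?"):
            raise ValueError("unsupported algorithm in list: %s" % pat)
        out.extend(hits)
    return _dedupe(out)


def assemble(spec, default=DEFAULT_KEX, available=AVAILABLE_KEX):
    """Apply the KexAlgorithms/Ciphers/... list syntax to the default list."""
    if spec.startswith("+"):
        return _dedupe(default + _expand(spec[1:], available))
    if spec.startswith("-"):
        drop = set(_expand(spec[1:], default, strict=False))
        return [a for a in default if a not in drop]
    if spec.startswith("^"):
        return _dedupe(_expand(spec[1:], available) + default)
    return _expand(spec, available)


def config_error(spec):
    """Config-time error message, or None when `spec` is accepted."""
    try:
        assemble(spec)
    except ValueError as e:
        return str(e)
    return None


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first algorithm on the client's list that the
    server also lists wins. The error names both offers so a mismatch can
    be diagnosed from the log alone."""
    for alg in client_list:
        if alg in server_list:
            return alg
    raise ValueError("no matching algorithm: client offered %s, server offered %s"
                     % (",".join(client_list), ",".join(server_list)))


def negotiation_error(client_list, server_list):
    try:
        negotiate(client_list, server_list)
    except ValueError as e:
        return str(e)
    return None


def guess_is_right(client_list, server_list):
    """A guessed first KEX packet may only be used when both sides listed
    the same algorithm first; otherwise it must be discarded."""
    return bool(client_list and server_list and client_list[0] == server_list[0])
```

Note that '-' is applied against the default list rather than the table of
everything supported, so removing a name that was never there is harmless
while adding one that is not supported is reported as an error.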


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@




Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.171 06-Jan-2022 djm

Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.170 19-Dec-2021 djm

EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@


# 1.169 19-Dec-2021 djm

Record session ID, host key and sig at initial KEX

These will be used later for agent session ID / hostkey binding

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.168 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related clientup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
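Added example, not code from the OpenSSH tree: a Python model of the rev 1.22 approach (a private exponent of only 2*need bits, relying on the modulus being a safe prime p = 2q+1) together with the "reasonable public DH value" check that rev 1.3 of this log introduced. The 64-bit constructed group, the function names and the exact checks are this example's own assumptions; OpenSSH uses far larger moduli from its moduli file.

```python
# Added example, not OpenSSH code: models rev 1.22 (short private exponent of
# 2*need bits, safe because the modulus is a safe prime p = 2q+1) and the
# peer public-value sanity check from rev 1.3. Group size, names and the
# exact checks are assumptions of this example.
import random
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin; adequate for a constructed test group."""
    if n < 2:
        return False
    for sp in (2,) + SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits, seed=1):
    """Constructed test group: deterministically find p = 2q+1 with q and p
    both prime. A "strong"/safe prime is what makes the short exponent of
    rev 1.22 safe (no small subgroups besides {1, p-1})."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if any(p % sp == 0 for sp in SMALL_PRIMES):
            continue
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p


def dh_pub_is_valid(p, pub):
    """Rev 1.3's 'reasonable public DH value' check, modelled on OpenSSH's
    later dh_pub_is_valid(): 1 < pub < p-1, and more than one bit set
    (rejects 0, 1, p-1 and bare powers of two)."""
    if pub <= 1 or pub >= p - 1:
        return False
    return bin(pub).count("1") > 1


def dh_gen_key(p, need):
    """Rev 1.22: draw a 2*need-bit private exponent (top bit set) rather than
    a full-size one, refuse a `need` the group cannot carry, and retry until
    the public value passes the validity check."""
    pbits = p.bit_length()
    if need <= 0 or 2 * need >= pbits:
        raise ValueError("group of %d bits too small for need=%d" % (pbits, need))
    while True:
        priv = secrets.randbits(2 * need) | (1 << (2 * need - 1))
        pub = pow(2, priv, p)          # generator 2, as in the ssh groups
        if dh_pub_is_valid(p, pub):
            return priv, pub


def dh_exchange(p, need):
    """Full exchange: both peers use short exponents, validate what they
    receive, and must derive the same shared secret."""
    a_priv, a_pub = dh_gen_key(p, need)
    b_priv, b_pub = dh_gen_key(p, need)
    for pub in (a_pub, b_pub):
        if not dh_pub_is_valid(p, pub):
            raise ValueError("invalid public DH value from peer")
    k_a = pow(b_pub, a_priv, p)
    k_b = pow(a_pub, b_priv, p)
    return k_a == k_b, a_priv.bit_length(), k_a


# 64-bit constructed group; `need` = security bits required by the
# negotiated cipher/MAC (kex.c derives it from key, IV and MAC lengths).
P = make_safe_prime(64)

if __name__ == "__main__":
    agreed, priv_bits, _ = dh_exchange(P, 24)
    print("agreed:", agreed, "private exponent bits:", priv_bits)
```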


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.167 31-Jan-2021 djm

more strictly enforce KEX state-machine by banning packet types
once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz
via oss-fuzz #30078).

ok markus@


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise the percolate all
the way up to dispatch_run_fatal() and lose all meaninful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston va bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/recevied
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related clientup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't sent multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of recent my changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.166 27-Jan-2021 djm

fix leak: was double allocating kex->session_id buffer


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
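
Added editorial example, not OpenSSH code: a parser for the peer's identification line that applies the strictness this entry describes (a CR is accepted only immediately before the LF) together with the other checks a transport layer has to make before it trusts the line. The 255-byte line limit is the one RFC 4253 section 4.2 states; the bound on lines before the banner and the sample banners are constructed for the example.

```python
"""Added example (not OpenSSH code): strict parsing of the SSH identification
string ("SSH-protoversion-softwareversion SP comments CR LF").

Assumptions, not taken from kex.c: MAX_LINE is the RFC 4253 4.2 limit,
MAX_PREAMBLE_LINES is a constructed bound, and every banner below is made up.
"""

MAX_LINE = 255            # RFC 4253 4.2: identification line including CR LF
MAX_PREAMBLE_LINES = 64   # constructed bound on non-SSH lines a server may send first


class BannerError(ValueError):
    """Any deviation is fatal for the connection; nothing is repaired."""


def _read_line(data, pos):
    """Read one line starting at pos; return (line_bytes, new_pos).

    CR is accepted only when the very next byte is LF. A bare CR, a NUL,
    a non-printable byte or an over-long line raises BannerError.
    """
    line = bytearray()
    while True:
        if pos >= len(data):
            raise BannerError("stream ended before end of identification line")
        c = data[pos]
        pos += 1
        if c == 0x0A:                      # LF terminates the line
            return bytes(line), pos
        if c == 0x0D:                      # CR must be followed by LF
            if pos < len(data) and data[pos] == 0x0A:
                return bytes(line), pos + 1
            raise BannerError("bare CR in identification line")
        if c == 0x00:
            raise BannerError("NUL byte in identification line")
        if c < 0x20 or c > 0x7E:
            raise BannerError("non-printable byte in identification line")
        line.append(c)
        if len(line) + 2 > MAX_LINE:       # +2 accounts for CR LF
            raise BannerError("identification line too long")


def read_identification(data, peer_is_server=True):
    """Parse the peer's identification from the start of a byte stream.

    Returns (protoversion, softwareversion, comments, bytes_consumed).
    A server may send arbitrary lines before its SSH- line; a client may not.
    """
    pos = 0
    preamble = 0
    while True:
        line, pos = _read_line(data, pos)
        if line.startswith(b"SSH-"):
            break
        preamble += 1
        if not peer_is_server:
            raise BannerError("client sent data before its identification line")
        if preamble > MAX_PREAMBLE_LINES:
            raise BannerError("too many lines before identification line")
    text = line.decode("ascii")
    ident, _, comments = text.partition(" ")
    parts = ident.split("-", 2)            # softwareversion may itself contain '-'
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise BannerError(f"malformed identification line {text!r}")
    protoversion, softwareversion = parts[1], parts[2]
    if protoversion not in ("2.0", "1.99"):   # 1.99: legacy servers that also speak 2.0
        raise BannerError(f"unsupported protocol version {protoversion!r}")
    return protoversion, softwareversion, comments, pos


def check_identification(data, peer_is_server=True):
    """Return None when data carries an acceptable line, else the error text."""
    try:
        read_identification(data, peer_is_server)
    except BannerError as e:
        return str(e)
    return None


if __name__ == "__main__":
    sample = b"Welcome\r\nSSH-2.0-ExampleSSH_1.0 constructed\r\n"   # constructed input
    print(read_identification(sample))
    print(check_identification(b"SSH-2.0-ExampleSSH_1.0\r\r\n"))
```

Every rejection is a hard failure on purpose: the identification line is read before any cryptographic protection exists, so the parser's only safe options are to accept a well-formed line or drop the connection.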


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@
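
Entries 1.131, 1.127, 1.122 and this one all tighten the same thing: which transport messages may be acted on at each point of a key exchange. The following is an added model of that sequencing, written for this page and not OpenSSH's dispatcher: the KEXINIT handler is swapped out as soon as one KEXINIT has been consumed, so a repeat neither allocates a second proposal nor is parsed and is a protocol error before NEWKEYS; the NEWKEYS handler is installed only once keys exist; anything else arriving mid-exchange is answered with UNIMPLEMENTED carrying its sequence number. Message numbers are the RFC 4253 values; the single method-specific round trip and the counters are constructed for the model.

```python
"""Added example (not OpenSSH code): a model of KEX message sequencing.

Assumptions: the message numbers are RFC 4253's; one KEXDH_INIT/REPLY round
trip stands in for any KEX method; counters exist only so the behaviour can
be observed.
"""

SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_SERVICE_REQUEST = 5
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEXDH_INIT = 30
SSH2_MSG_KEXDH_REPLY = 31

IDLE, IN_PROGRESS, KEYS_DERIVED = "idle", "in-progress", "keys-derived"


class KexProtocolError(Exception):
    """Fatal: the connection would be dropped."""


class KexDispatcher:
    """Server-side view: one handler per message type; an unhandled type
    during an exchange is answered with UNIMPLEMENTED."""

    def __init__(self):
        self.state = IDLE
        self.seqnr = 0                 # sequence number of the next inbound packet
        self.sent = []                 # (msg_type, arg) we would write to the peer
        self.proposal_allocations = 0  # how often a peer KEXINIT was stored
        self.completed = 0             # finished exchanges (initial + rekeys)
        self.handlers = {SSH2_MSG_KEXINIT: self._on_kexinit}

    def dispatch(self, msg_type, payload=b""):
        seq = self.seqnr
        self.seqnr += 1
        handler = self.handlers.get(msg_type)
        if handler is None:
            # 1.112: unexpected message during KEX -> UNIMPLEMENTED with the
            # offending packet's sequence number; the exchange continues.
            self.sent.append((SSH2_MSG_UNIMPLEMENTED, seq))
            return
        handler(payload)

    def _on_kexinit(self, payload):
        self.proposal_allocations += 1         # peer proposal stored exactly once
        self.peer_proposal = bytes(payload)
        self.state = IN_PROGRESS
        # 1.127 / 1.131: swap the handler now; a second KEXINIT is neither
        # parsed nor stored, it terminates the connection.
        self.handlers[SSH2_MSG_KEXINIT] = self._reject_kexinit
        self.handlers[SSH2_MSG_KEXDH_INIT] = self._on_kexdh_init

    def _reject_kexinit(self, payload):
        raise KexProtocolError("SSH2_MSG_KEXINIT received before SSH2_MSG_NEWKEYS")

    def _on_kexdh_init(self, payload):
        # Method-specific exchange done: shared secret and keys now exist.
        del self.handlers[SSH2_MSG_KEXDH_INIT]
        self.sent.append((SSH2_MSG_KEXDH_REPLY, None))
        self.sent.append((SSH2_MSG_NEWKEYS, None))
        self.state = KEYS_DERIVED
        # 1.122: inbound NEWKEYS is meaningful only from here on, so it is
        # handled only from here on; earlier it falls into the path above.
        self.handlers[SSH2_MSG_NEWKEYS] = self._on_newkeys

    def _on_newkeys(self, payload):
        del self.handlers[SSH2_MSG_NEWKEYS]
        self.completed += 1
        self.state = IDLE
        self.handlers[SSH2_MSG_KEXINIT] = self._on_kexinit   # re-arm for rekeying


def simulate(messages):
    """Feed a constructed inbound message sequence and summarise the outcome."""
    d = KexDispatcher()
    error = None
    for m in messages:
        try:
            d.dispatch(m)
        except KexProtocolError as e:
            error = str(e)
            break
    return {
        "state": d.state,
        "completed": d.completed,
        "allocations": d.proposal_allocations,
        "unimplemented_for": [seq for t, seq in d.sent if t == SSH2_MSG_UNIMPLEMENTED],
        "error": error,
    }


if __name__ == "__main__":
    print(simulate([SSH2_MSG_KEXINIT, SSH2_MSG_KEXINIT]))
    print(simulate([SSH2_MSG_KEXINIT, SSH2_MSG_NEWKEYS,
                    SSH2_MSG_KEXDH_INIT, SSH2_MSG_NEWKEYS]))
```

The point to take from the model is that a handler table is state: what a peer can make the process do before authentication is exactly the set of handlers installed at that moment, so the defence is to install each handler as late as possible and remove it as soon as it has fired.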


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
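
The '+' here, the '-' of 1.128, the '^' of 1.154 and the early full expansion with wildcards of 1.138 together define one small grammar for algorithm lists. The following is an added example of that grammar, written for this page and not OpenSSH's own list-assembly code: the supported and default sets are constructed samples, matching uses shell-style wildcards on whole names, negation is refused, and an entry that matches nothing is reported at configuration time rather than at connection time.

```python
"""Added example (not OpenSSH code): expand an algorithm-list specification
against a default set using the '+' (append), '-' (remove) and '^' (prepend)
prefixes, with '*' and '?' wildcards and no negation.

Assumptions: SUPPORTED and DEFAULT are constructed samples, not the lists in
cipher.c or kex.c; the error cases model the documented intent only.
"""
from fnmatch import fnmatchcase

SUPPORTED = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


class AlgorithmListError(ValueError):
    """Raised while the configuration is finalised, before any connection."""


def _patterns(spec):
    pats = spec.split(",")
    for pat in pats:
        if not pat:
            raise AlgorithmListError("empty entry in algorithm list")
        if "!" in pat:
            # Wildcards are accepted, but these are not full pattern-lists:
            # negation is refused instead of being silently mis-parsed.
            raise AlgorithmListError(f"negation not supported: {pat!r}")
    return pats


def _expand(spec, candidates):
    """Expand each pattern, in order, against candidates (no duplicates).

    A pattern that matches nothing is an error: a typo is reported early
    instead of silently weakening the selection.
    """
    out = []
    for pat in _patterns(spec):
        matched = [c for c in candidates if fnmatchcase(c, pat)]
        if not matched:
            raise AlgorithmListError(f"no supported algorithm matches {pat!r}")
        for name in matched:
            if name not in out:
                out.append(name)
    return out


def assemble_names(spec, default=None, supported=None):
    """Return the fully expanded list that spec selects.

    '+list' appends to the default, '-list' removes from it, '^list' puts
    the named algorithms in front of it (raising their preference); a bare
    list replaces the default entirely.
    """
    default = list(DEFAULT if default is None else default)
    supported = list(SUPPORTED if supported is None else supported)
    if spec.startswith("+"):
        extra = _expand(spec[1:], supported)
        result = default + [a for a in extra if a not in default]
    elif spec.startswith("-"):
        pats = _patterns(spec[1:])
        result = [a for a in default if not any(fnmatchcase(a, p) for p in pats)]
    elif spec.startswith("^"):
        first = _expand(spec[1:], supported)
        result = first + [a for a in default if a not in first]
    else:
        result = _expand(spec, supported)
    if not result:
        raise AlgorithmListError(f"{spec!r} leaves no algorithms enabled")
    return result


def check_spec(spec):
    """Return None if spec is acceptable, else the error text."""
    try:
        assemble_names(spec)
    except AlgorithmListError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for s in ("^aes256-gcm@openssh.com", "-*cbc", "+aes256-cbc", "aes256-ctr"):
        print(f"{s:28s} -> {','.join(assemble_names(s))}")
```

Because the result is the fully expanded list, a configuration dump shows the algorithms actually in effect, which is what an auditor needs to compare against policy; a spec that removes everything, or names an algorithm that does not exist, is refused up front.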


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey-related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of recent my changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthetication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.165 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.164 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


# 1.163 29-Dec-2020 djm

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)


# 1.162 04-Dec-2020 djm

fix minor memleak of kex->hostkey_alg on rekex


# 1.161 04-Dec-2020 djm

typos: s/hex/kex/ in error messages


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise the percolate all
the way up to dispatch_run_fatal() and lose all meaninful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch by
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.160 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise the percolate all
the way up to dispatch_run_fatal() and lose all meaninful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.159 05-Jul-2020 djm

some language improvements; ok markus


Revision tags: OPENBSD_6_7_BASE
# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values

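Added example, in Python rather than the project's C and not code from kex.c or dh.c: the sizing decisions the log records for diffie-hellman-group-exchange and the public-value check of 1.3, in one place. It follows the rules the commit messages state (dh_need = max(seclen, blocksize, ivlen, mac_len) from 1.97, the 112-bit 3des-cbc special case from 1.96, a 2*need-bit private exponent from 1.22, the client asking for a bigger group from 1.11). The strength-to-modulus table, the 2048/8192 request bounds, the 256-bit exponent floor and the cipher/MAC parameter sets are this example's assumptions, not values taken from the page. The modulus embedded is the RFC 2409 1024-bit group behind diffie-hellman-group1-sha1, chosen only because it is short enough to print; 1024-bit DH is far too weak for real use today.

```python
import secrets
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cipher:
    name: str
    key_len: int     # bytes
    block_size: int  # bytes
    iv_len: int      # bytes


@dataclass(frozen=True)
class Mac:
    name: str
    key_len: int     # bytes


# Constructed parameter sets for the demo; the lengths are those of the named
# SSH algorithms (AEAD ciphers carry no separate MAC key).
AES128_CTR = Cipher("aes128-ctr", 16, 16, 16)
TDES_CBC = Cipher("3des-cbc", 24, 8, 8)
CHACHA20_POLY1305 = Cipher("chacha20-poly1305@openssh.com", 64, 8, 0)
HMAC_SHA1 = Mac("hmac-sha1", 20)
HMAC_MD5 = Mac("hmac-md5", 16)
HMAC_SHA2_256 = Mac("hmac-sha2-256", 32)
NO_MAC = Mac("<aead>", 0)


def cipher_seclen(c: Cipher) -> int:
    """Effective strength in bytes: three-key 3DES gives about 112 bits of
    security despite its 192-bit key, so it must not drive the group size up (1.96)."""
    return 14 if c.name == "3des-cbc" else c.key_len


def kex_needs(ciphers: List[Cipher], macs: List[Mac]) -> Tuple[int, int]:
    """we_need: the longest key, IV or MAC key we will derive.
    dh_need: the strength the DH group must provide,
    max(seclen, blocksize, ivlen, mac_len) over both directions (1.97)."""
    we_need = dh_need = 0
    for c in ciphers:
        we_need = max(we_need, c.key_len, c.block_size, c.iv_len)
        dh_need = max(dh_need, cipher_seclen(c), c.block_size, c.iv_len)
    for m in macs:
        we_need = max(we_need, m.key_len)
        dh_need = max(dh_need, m.key_len)
    return we_need, dh_need


DH_GRP_MIN, DH_GRP_MAX = 2048, 8192  # assumed bounds for the GEX request


def dh_estimate(bits: int) -> int:
    """Modulus size for a symmetric strength in bits.  Assumed table following
    the NIST SP 800-57 equivalences (3072-bit DH ~ 128-bit symmetric, ...)."""
    if bits <= 112:
        return 2048
    if bits <= 128:
        return 3072
    if bits <= 192:
        return 7680
    return 8192


def gex_request(dh_need: int) -> Tuple[int, int, int]:
    """(min, n, max) for SSH2_MSG_KEX_DH_GEX_REQUEST (RFC 4419): the client asks
    for a group matched to the strongest cipher/MAC it negotiated (1.11)."""
    n = min(max(dh_estimate(dh_need * 8), DH_GRP_MIN), DH_GRP_MAX)
    return DH_GRP_MIN, n, DH_GRP_MAX


# RFC 2409 "Second Oakley Group", the 1024-bit modulus of
# diffie-hellman-group1-sha1.  Embedded only because it is short enough to
# print; 1024-bit DH is far too weak for real use today.
P_GROUP1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_pub_is_valid(p: int, pub: int) -> bool:
    """Reject a public value outside (1, p-1) or with fewer than four bits set:
    with g == 2 the discrete log of such a value is trivial (1.3)."""
    if pub <= 1 or pub >= p - 1:
        return False
    return bin(pub).count("1") >= 4


def dh_gen_key(p: int, need_bits: int) -> Tuple[int, int]:
    """Private exponent of 2*need bits instead of log2(p) bits (1.22); safe
    because the moduli are safe primes.  The 256-bit floor is this example's.
    Retries until our own public value passes dh_pub_is_valid()."""
    if 2 * need_bits > p.bit_length():
        raise ValueError("group too small for the requested strength")
    ebits = max(2 * need_bits, 256)
    while True:
        x = secrets.randbits(ebits) | (1 << (ebits - 1))  # exactly ebits bits
        y = pow(G, x, p)
        if dh_pub_is_valid(p, y):
            return x, y
```

The check that matters operationally is dh_pub_is_valid() applied to the peer's value before the shared secret is computed; a peer that sends 0, 1, p-1 or a value with a single bit set is trying to force a predictable secret, and the connection should be dropped rather than continued.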

# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.158 13-Mar-2020 djm

use sshpkt_fatal() for kex_exchange_identification() errors.
This ensures that the logged errors are consistent with other transport-
layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@

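Added example, in Python and not code from kex.c: the RFC 4253 section 7.2 key expansion that kex_derive_keys() performs, written against an arbitrary hash so that no digest length is hard-coded (the point of 1.65) and keeping the session id from the first exchange across rekeys (the point of 1.144). hash_digest(), the key names and the KexKeys class are this example's own; the letters A to F and the expansion rule are the RFC's.

```python
import hashlib
from typing import Dict, Optional


def hash_digest(hash_name: str, data: bytes) -> bytes:
    """HASH from the negotiated kex method (sha1, sha256, sha512, ...)."""
    return hashlib.new(hash_name, data).digest()


def mpint(n: int) -> bytes:
    """SSH mpint: uint32 length, then big-endian two's complement bytes, so a
    0x00 byte is prepended whenever the top bit of the magnitude is set."""
    if n < 0:
        raise ValueError("shared secrets are non-negative")
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def derive_key(hash_name: str, K: int, H: bytes, letter: bytes,
               session_id: bytes, need: int) -> bytes:
    """K1 = HASH(K || H || X || session_id), K(n+1) = HASH(K || H || K1 || .. || Kn),
    output = K1 || K2 || ... cut to 'need' bytes (RFC 4253 s.7.2).  K is the
    shared secret as an mpint, H the exchange hash of this exchange."""
    out = hash_digest(hash_name, mpint(K) + H + letter + session_id)
    while len(out) < need:
        out += hash_digest(hash_name, mpint(K) + H + out)
    return out[:need]


# The six keys of s.7.2, keyed by their single-letter label.
LETTERS = {
    "iv_ctos": b"A", "iv_stoc": b"B",
    "enc_ctos": b"C", "enc_stoc": b"D",
    "mac_ctos": b"E", "mac_stoc": b"F",
}


class KexKeys:
    """Per-connection state: the session id is H of the first exchange and is
    reused, unchanged, for every later rekey (1.144)."""

    def __init__(self) -> None:
        self.session_id: Optional[bytes] = None

    def derive(self, hash_name: str, K: int, H: bytes, need: int) -> Dict[str, bytes]:
        if self.session_id is None:
            self.session_id = H
        return {name: derive_key(hash_name, K, H, x, self.session_id, need)
                for name, x in LETTERS.items()}
```

'need' is the largest of the key, IV and MAC key lengths in play (the we_need of the log); the caller then slices each derived buffer to its own length, which is why 1.111 had to free the real IV length rather than the cipher block size.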

# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

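Added example, in Python and not code from kex.c: three of the input checks the log records for the transport layer, so that the behaviour can be tried on bytes. get_cstring() refuses a string with an embedded NUL and tolerates exactly one trailing NUL, as the footnote to 1.83 allows for now; check_eom() rejects trailing garbage after a payload (1.46); read_banner() skips the pre-banner lines a server may send, accepts a CR only immediately before LF (1.143) and applies the 255-byte line limit of RFC 4253 section 4.2. The function names, the error texts and raises_protocol_error() are this example's own.

```python
import struct
from typing import Callable, Tuple


class ProtocolError(Exception):
    pass


def get_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """SSH 'string' at buf[off:]: uint32 length, then that many bytes.
    The length is checked against what is actually present."""
    if len(buf) - off < 4:
        raise ProtocolError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ProtocolError("string length exceeds packet")
    return buf[off:off + n], off + n


def get_cstring(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Like get_string(), for values later handled with C string functions:
    an embedded NUL would silently truncate them, so it is rejected.  One
    trailing NUL is tolerated, as the 1.83 footnote allows for now."""
    s, off = get_string(buf, off)
    if s.endswith(b"\0"):
        s = s[:-1]
    if b"\0" in s:
        raise ProtocolError("string contains embedded NUL")
    return s, off


def check_eom(buf: bytes, off: int) -> None:
    """Nothing may follow the last field of a payload (1.46)."""
    if off != len(buf):
        raise ProtocolError(f"{len(buf) - off} bytes of garbage after payload")


MAX_BANNER_LINE = 255  # RFC 4253 s.4.2, including CR LF


def read_banner(stream: bytes) -> Tuple[str, str, str, int]:
    """Parse the SSH-protoversion-softwareversion [SP comments] line and return
    (protoversion, softwareversion, comments, bytes consumed).  Lines before it
    are the pre-banner text a server may send and are skipped; a CR anywhere
    but immediately before LF is an error (1.143)."""
    off = 0
    while True:
        nl = stream.find(b"\n", off)
        if nl < 0:
            raise ProtocolError("no identification line")
        line, off = stream[off:nl], nl + 1
        if len(line) + 1 > MAX_BANNER_LINE:
            raise ProtocolError("identification line too long")
        if line.endswith(b"\r"):
            line = line[:-1]
        if b"\r" in line:
            raise ProtocolError("CR not immediately before LF")
        if line.startswith(b"SSH-"):
            break
    try:
        body = line[4:].decode("ascii")
    except UnicodeDecodeError:
        raise ProtocolError("identification line is not ASCII") from None
    proto, sep, rest = body.partition("-")
    if not sep or not rest:
        raise ProtocolError("malformed identification line")
    software, _, comments = rest.partition(" ")
    if proto not in ("2.0", "1.99"):
        raise ProtocolError(f"unsupported protocol version {proto}")
    return proto, software, comments, off


def raises_protocol_error(fn: Callable, *args) -> bool:
    """Helper for exercising the failure paths: True if fn(*args) raises."""
    try:
        fn(*args)
    except ProtocolError:
        return True
    return False
```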

# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
by Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@

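Added example, in Python and not code from kex.c: a small dispatcher for the message types around key exchange that applies the robustness rules recorded in 1.38, 1.44, 1.112, 1.122, 1.127 and 1.131. Any type without a handler in the current state is answered with SSH2_MSG_UNIMPLEMENTED carrying the offending packet's sequence number instead of a crash or a disconnect; the KEXINIT handler is dropped once a proposal has been stored, so a replayed KEXINIT cannot grow memory and is refused until NEWKEYS ends the exchange; NEWKEYS is only acceptable after the method-specific exchange has produced keys; and the KEXINIT handler comes back after NEWKEYS so that rekeying works. The message numbers are those of RFC 4253 and RFC 5656; the 'allocated' counter, the ECDH stand-in and the class layout are this example's own.

```python
from typing import Callable, Dict, List, Tuple

SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_ECDH_INIT = 30    # first method-specific message (RFC 5656)
SSH2_MSG_KEX_ECDH_REPLY = 31


class ProtocolError(Exception):
    pass


class KexDispatcher:
    """Server-side view of one connection's KEX state."""

    def __init__(self) -> None:
        self.sent: List[Tuple[int, bytes]] = []    # (type, payload) we emitted
        self.seqnr = 0                               # next incoming sequence number
        self.kex_active = False
        self.keys_ready = False
        self.keys_installed = False
        self.allocated = 0                           # bytes held for the peer proposal
        self.handlers: Dict[int, Callable[[bytes], None]] = {
            SSH2_MSG_KEXINIT: self.on_kexinit,
        }

    def receive(self, msg_type: int, payload: bytes) -> None:
        seq, self.seqnr = self.seqnr, self.seqnr + 1
        handler = self.handlers.get(msg_type)
        if handler is None:
            # 1.112/1.38: name the packet we did not understand and carry on
            self.sent.append((SSH2_MSG_UNIMPLEMENTED, seq.to_bytes(4, "big")))
            return
        handler(payload)

    def on_kexinit(self, payload: bytes) -> None:
        self.allocated += len(payload)           # the stored peer proposal
        self.kex_active, self.keys_ready = True, False
        # 1.127/1.131: no further KEXINIT is accepted until NEWKEYS completes
        # this exchange, so a replay costs the peer an UNIMPLEMENTED, not us 128MB
        del self.handlers[SSH2_MSG_KEXINIT]
        self.handlers[SSH2_MSG_KEX_ECDH_INIT] = self.on_kex_init_msg

    def on_kex_init_msg(self, payload: bytes) -> None:
        # Stand-in for the method-specific exchange: only after it do keys
        # exist, so only now does NEWKEYS get a handler (1.122).
        del self.handlers[SSH2_MSG_KEX_ECDH_INIT]
        self.keys_ready = True
        self.sent.append((SSH2_MSG_KEX_ECDH_REPLY, b"<K_S, Q_S, signature>"))
        self.sent.append((SSH2_MSG_NEWKEYS, b""))
        self.handlers[SSH2_MSG_NEWKEYS] = self.on_newkeys

    def on_newkeys(self, payload: bytes) -> None:
        if not self.keys_ready:
            raise ProtocolError("NEWKEYS before keys were derived")
        del self.handlers[SSH2_MSG_NEWKEYS]
        self.keys_installed = True
        self.kex_active = False
        self.allocated = 0                       # proposal freed with the exchange
        self.handlers[SSH2_MSG_KEXINIT] = self.on_kexinit   # 1.44: rekeying again
```

Driving it with a replayed KEXINIT and a premature NEWKEYS shows both being answered with UNIMPLEMENTED while the stored proposal stays at its original size; the same dispatcher then completes the exchange and accepts a fresh KEXINIT for rekeying.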

# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@

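Added example, in Python and not code from kex.c: RFC 4253 section 7.1 negotiation between two SSH_MSG_KEXINIT proposals, the failure message that names the list that could not be agreed and includes the peer's offer (1.107, 1.108, 1.110), and the first_kex_packet_follows rule that decides whether a peer's guessed first KEX packet has to be skipped (1.53, 1.87, 1.115). The wording of the error follows ssh's "Unable to negotiate ..." message; the KexInit class, the helper names and the sample proposals are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# The negotiated name-lists of SSH_MSG_KEXINIT in wire order; the two language
# lists are omitted because they never fail negotiation.
PROPOSAL = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
)


@dataclass
class KexInit:
    proposal: Dict[str, List[str]]
    first_kex_packet_follows: bool = False

    @classmethod
    def from_wire(cls, first_kex_packet_follows: bool = False, **lists: str) -> "KexInit":
        """Build from comma-separated name-list strings as carried on the wire."""
        missing = [f for f in PROPOSAL if f not in lists]
        if missing:
            raise ValueError(f"proposal lacks {missing}")
        return cls({f: [a for a in lists[f].split(",") if a] for f in PROPOSAL},
                   first_kex_packet_follows)


class NegotiationError(Exception):
    pass


def choose(client: List[str], server: List[str]) -> str:
    """First algorithm on the client's list that the server also offers: the
    client's order decides, the server's order is irrelevant (RFC 4253 s.7.1)."""
    for alg in client:
        if alg in server:
            return alg
    raise NegotiationError


def negotiate(client: KexInit, server: KexInit, peer: str,
              we_are_client: bool) -> Dict[str, str]:
    chosen: Dict[str, str] = {}
    for field in PROPOSAL:
        try:
            chosen[field] = choose(client.proposal[field], server.proposal[field])
        except NegotiationError:
            # 1.107/1.110: say which list failed and show what the peer offered
            theirs = (server if we_are_client else client).proposal[field]
            raise NegotiationError(
                f"Unable to negotiate with {peer}: no matching "
                f"{field.replace('_', ' ')} found. Their offer: {','.join(theirs)}"
            ) from None
    return chosen


def guess_is_right(client: KexInit, server: KexInit) -> bool:
    """A guess is right only when both sides put the same kex algorithm and the
    same host key algorithm first (RFC 4253 s.7.1)."""
    c, s = client.proposal, server.proposal
    return (c["kex_algorithms"][:1] == s["kex_algorithms"][:1] != []
            and c["server_host_key_algorithms"][:1]
            == s["server_host_key_algorithms"][:1] != [])


def skip_guessed_packet(client: KexInit, server: KexInit, peer_is_client: bool) -> bool:
    """True when the peer set first_kex_packet_follows and guessed wrong: its
    already-sent first KEX packet must be discarded, not processed (1.53, 1.115)."""
    peer = client if peer_is_client else server
    return peer.first_kex_packet_follows and not guess_is_right(client, server)


def negotiation_failure(client: KexInit, server: KexInit, peer: str,
                        we_are_client: bool) -> str:
    """Run negotiate() and return the failure message, or '' on success."""
    try:
        negotiate(client, server, peer, we_are_client)
    except NegotiationError as e:
        return str(e)
    return ""


# Constructed proposals: the client prefers curve25519, the server prefers
# group14; both put ssh-ed25519 first for host keys.  LEGACY_SERVER offers
# only a method the client no longer lists.
_COMMON = dict(
    encryption_client_to_server="chacha20-poly1305@openssh.com,aes128-ctr",
    encryption_server_to_client="chacha20-poly1305@openssh.com,aes128-ctr",
    mac_client_to_server="hmac-sha2-256", mac_server_to_client="hmac-sha2-256",
    compression_client_to_server="none,zlib@openssh.com",
    compression_server_to_client="none,zlib@openssh.com",
)
CLIENT = KexInit.from_wire(
    kex_algorithms="curve25519-sha256,diffie-hellman-group14-sha256",
    server_host_key_algorithms="ssh-ed25519,rsa-sha2-512",
    first_kex_packet_follows=True, **_COMMON)
SERVER = KexInit.from_wire(
    kex_algorithms="diffie-hellman-group14-sha256,curve25519-sha256",
    server_host_key_algorithms="ssh-ed25519,rsa-sha2-512", **_COMMON)
LEGACY_SERVER = KexInit.from_wire(
    kex_algorithms="diffie-hellman-group1-sha1",
    server_host_key_algorithms="ssh-rsa", **_COMMON)
```

With these proposals the client wins on curve25519 even though the server listed group14 first, so the client's guessed first packet was wrong and a server must discard it; against LEGACY_SERVER the message names the kex list and the peer's sole offer, which is exactly the information needed to decide whether to add the method with a '+' prefix or to leave the peer alone.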

Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

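Added example, in Python and not code from kex.c: how a Ciphers, MACs, KexAlgorithms or HostKeyAlgorithms value is assembled against the default list when it starts with '+' (append, 1.109), '-' (remove, 1.128) or '^' (prepend, 1.154), with wildcards limited to '*' and '?' and no negation (1.138), and with unknown names rejected when the configuration is read rather than when a connection is made. The cipher lists are constructed for the demo and the helper names are this example's; the real defaults live in the project's myproposal.h and change between releases.

```python
from typing import List

# Constructed lists for the demo: the first six are the "defaults", the rest
# are supported but not enabled unless named.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:6]


def match_pattern(name: str, pat: str) -> bool:
    """Wildcard match with '*' (any run, possibly empty) and '?' (one char).
    Any other character, '!' included, is literal: no negation (1.138)."""
    if not pat:
        return name == ""
    if pat[0] == "*":
        return any(match_pattern(name[i:], pat[1:]) for i in range(len(name) + 1))
    if not name or (pat[0] != "?" and pat[0] != name[0]):
        return False
    return match_pattern(name[1:], pat[1:])


def expand(spec: str, supported: List[str]) -> List[str]:
    """Turn a written list into concrete names (supported order for wildcard
    hits, de-duplicated).  Unknown names fail here, at config time (1.138)."""
    out: List[str] = []
    for item in spec.split(","):
        if not item:
            raise ValueError("empty element in algorithm list")
        if "*" in item or "?" in item:
            hits = [s for s in supported if match_pattern(s, item)]
            if not hits:
                raise ValueError(f"no supported algorithm matches {item!r}")
        elif item in supported:
            hits = [item]
        else:
            raise ValueError(f"unsupported algorithm {item!r}")
        for h in hits:
            if h not in out:
                out.append(h)
    return out


def assemble(value: str, defaults: List[str], supported: List[str]) -> List[str]:
    """Final algorithm list for a Ciphers/MACs/KexAlgorithms/HostKeyAlgorithms
    value: '+' appends to the defaults (1.109), '-' removes matches from them
    (1.128), '^' puts the named ones first (1.154), no prefix replaces them."""
    if value.startswith("+"):
        extra = expand(value[1:], supported)
        return defaults + [a for a in extra if a not in defaults]
    if value.startswith("^"):
        extra = expand(value[1:], supported)
        return extra + [a for a in defaults if a not in extra]
    if value.startswith("-"):
        pats = [p for p in value[1:].split(",") if p]
        if not pats:
            raise ValueError("nothing to remove")
        return [a for a in defaults if not any(match_pattern(a, p) for p in pats)]
    return expand(value, supported)


def config_error(value: str, defaults: List[str], supported: List[str]) -> str:
    """The error a config parser would report for 'value', or '' if it is fine."""
    try:
        assemble(value, defaults, supported)
    except ValueError as e:
        return str(e)
    return ""
```

Because every list is fully expanded at configuration time, "ssh -G host" can print the concrete algorithms that will be offered, and a typo such as "Ciphers=-*cbc,aes128-cbd" is reported before any connection is attempted.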

# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/recevied
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
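
To make the overflow concrete, an added example (mine, not OpenSSH's xmalloc.c): the wrapping product beside the check a failure-checked allocator needs. mul_overflows, naive_request and xcalloc_checked are names I chose for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not OpenSSH's xmalloc.c: the integer overflow the commit
 * above calls a dangerous idiom, next to the check a failure-checked
 * allocator has to make.  Names are my own.
 */

/* 1 if nmemb * size cannot be represented in a size_t. */
int
mul_overflows(size_t nmemb, size_t size)
{
	return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* The dangerous idiom: the product silently wraps, so a huge request
 * becomes a tiny allocation that the caller then writes past. */
size_t
naive_request(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Like xcalloc() but returns NULL instead of calling fatal(), so the
 * failure path can be exercised without ending the process. */
void *
xcalloc_checked(size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0)
		return NULL;		/* zero-sized requests are caller bugs */
	if (mul_overflows(nmemb, size))
		return NULL;		/* never allocate the wrapped size */
	return calloc(nmemb, size);	/* also zero-fills the memory */
}

/* The fatal flavour the commit describes: any failure ends the process. */
void *
xcalloc(size_t nmemb, size_t size)
{
	void *p = xcalloc_checked(nmemb, size);

	if (p == NULL) {
		fprintf(stderr, "xcalloc: %zu * %zu bytes failed\n", nmemb, size);
		exit(1);
	}
	return p;
}
```

SIZE_MAX/2+1 elements of two bytes wraps to a request of zero bytes. calloc(3) performs this multiplication check itself on current C libraries, which is one reason to route every element-count allocation through it rather than through malloc(nmemb * size).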


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.157 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
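
Added example, not the banner code this commit introduces: a client-side identification-line reader that treats a \r as valid only when a \n follows it, skips server preamble lines, and enforces the RFC 4253 section 4.2 length and version rules. Function names, error codes and the sample streams are mine.

```c
#include <string.h>

/*
 * Added example, not the banner exchange in kex.c: reading the peer's
 * identification line with the strictness the commit above describes, a
 * \r is accepted only immediately before \n.  Preamble lines are skipped,
 * a line is capped at 255 bytes including CR LF, and the protocol version
 * must be 2.0 or 1.99.  All names are my own.
 */
#define BANNER_MAX 255
enum banner_rc {
	BANNER_OK = 0,
	BANNER_BAD_CR = -1,	/* \r not followed by \n */
	BANNER_TOO_LONG = -2,
	BANNER_NOT_SSH = -3,	/* no "SSH-proto-software" structure */
	BANNER_BAD_PROTO = -4,	/* protoversion other than 2.0 / 1.99 */
	BANNER_NEED_MORE = -5	/* no complete line in the input yet */
};

/* Copy one line (CR LF or LF terminated, terminator stripped) into out. */
int
banner_read_line(const unsigned char *in, size_t inlen, char *out, size_t outsz,
    size_t *consumed)
{
	size_t i, n = 0;

	for (i = 0; i < inlen; i++) {
		if (i >= BANNER_MAX || n + 1 >= outsz)
			return BANNER_TOO_LONG;
		if (in[i] == '\r') {
			if (i + 1 >= inlen)
				return BANNER_NEED_MORE;
			if (in[i + 1] != '\n')
				return BANNER_BAD_CR;	/* bare \r: reject, do not skip */
			continue;			/* the following \n ends the line */
		}
		if (in[i] == '\n') {
			out[n] = '\0';
			*consumed = i + 1;
			return BANNER_OK;
		}
		out[n++] = (char)in[i];
	}
	return BANNER_NEED_MORE;
}

/* Validate "SSH-proto-software[ comment]"; *sw and *swlen locate the software part. */
int
banner_parse(const char *line, const char **sw, size_t *swlen)
{
	const char *p, *e;

	if (strncmp(line, "SSH-", 4) != 0 || (e = strchr(p = line + 4, '-')) == NULL)
		return BANNER_NOT_SSH;
	if (!((e - p == 3 && strncmp(p, "2.0", 3) == 0) ||
	    (e - p == 4 && strncmp(p, "1.99", 4) == 0)))
		return BANNER_BAD_PROTO;
	*sw = e + 1;
	e = strchr(*sw, ' ');		/* an optional comment follows a space */
	*swlen = e != NULL ? (size_t)(e - *sw) : strlen(*sw);
	return *swlen > 0 ? BANNER_OK : BANNER_NOT_SSH;
}

/* Client side: skip preamble lines, then copy the software version into sw. */
int
banner_receive(const unsigned char *in, size_t inlen, char *sw, size_t swsz)
{
	char line[BANNER_MAX + 1];
	const char *s;
	size_t used, n;
	int r;

	while ((r = banner_read_line(in, inlen, line, sizeof(line), &used)) == BANNER_OK) {
		if (strncmp(line, "SSH-", 4) == 0) {
			if ((r = banner_parse(line, &s, &n)) != BANNER_OK)
				return r;
			if (n + 1 > swsz)
				return BANNER_TOO_LONG;
			memcpy(sw, s, n);
			sw[n] = '\0';
			return BANNER_OK;
		}
		in += used;		/* preamble line: discard it */
		inlen -= used;
	}
	return r;
}

/* Constructed sample streams, not captured from any real server. */
static const char SAMPLE_CLEAN[] = "SSH-2.0-Example_1.0 built-for-tests\r\n";
static const char SAMPLE_PREAMBLE[] = "Welcome to example.invalid\r\nSSH-2.0-Example_1.0\r\n";
static const char SAMPLE_BARE_CR[] = "SSH-2.0-Example_1.0\rinjected\r\n";
static const char SAMPLE_OLD_PROTO[] = "SSH-1.5-Example_1.0\r\n";

/* 1 if the stream yields software version want, 0 if another, else the error. */
int
banner_check(const char *stream, const char *want)
{
	char sw[64];
	int r = banner_receive((const unsigned char *)stream, strlen(stream), sw, sizeof(sw));

	return r != BANNER_OK ? r : strcmp(sw, want) == 0;
}
```

SAMPLE_BARE_CR is the case the commit closes: a \r in the middle of the line. A reader that simply dropped every \r, or stopped at one, would either splice "injected" into the version string or leave it to be parsed as the start of the next line; the RFC grammar allows neither, so the strict reader refuses the line outright.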


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@
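
An added example, not kex.c's dispatch code, that puts the rules from this entry and from 1.38, 1.122, 1.127 and 1.131 into one small state machine: the KEXINIT handler is unregistered once a KEXINIT has arrived, a KEXINIT is accepted again only after NEWKEYS, NEWKEYS before the method's reply is refused, and any other message that arrives during KEX is answered with UNIMPLEMENTED carrying its sequence number instead of ending the connection. Whether a misplaced KEXINIT or NEWKEYS disconnects (as here) or is merely ignored is my choice; the names are mine, the message numbers follow RFC 4250, and the method phase is reduced to a single reply message.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not kex.c's dispatch code: a minimal KEX message state
 * machine for the rules in the commits above.  Disconnecting on a
 * misplaced KEXINIT/NEWKEYS is my choice, the method phase is modelled
 * as a single reply message, and all names are my own.
 */
#define SSH2_MSG_KEXINIT	20
#define SSH2_MSG_NEWKEYS	21
#define SSH2_MSG_KEX_FIRST	30	/* method-specific message range */
#define SSH2_MSG_KEX_LAST	49
#define SSH2_MSG_CHANNEL_DATA	94

enum handler { H_NONE, H_KEXINIT, H_KEX_METHOD, H_NEWKEYS, H_APP };
enum action { ACT_HANDLED, ACT_UNIMPLEMENTED, ACT_DISCONNECT };
enum state { ST_WAIT_KEXINIT, ST_METHOD, ST_WAIT_NEWKEYS, ST_DONE };

struct kex_sm {
	enum handler dispatch[256];	/* one handler slot per message type */
	enum state state;
};

struct kex_result {
	enum action action;
	uint32_t seq;		/* echoed in an UNIMPLEMENTED reply */
	enum state state;
};

static void
dispatch_range(struct kex_sm *k, int from, int to, enum handler h)
{
	int t;

	for (t = from; t <= to; t++)
		k->dispatch[t] = h;
}

struct kex_result
kex_sm_input(struct kex_sm *k, uint8_t type, uint32_t seq)
{
	struct kex_result r = { ACT_HANDLED, seq, k->state };

	switch (k->dispatch[type]) {
	case H_KEXINIT:		/* 1.127: unregister so a repeat cannot re-allocate proposals */
		k->dispatch[SSH2_MSG_KEXINIT] = H_NONE;
		dispatch_range(k, SSH2_MSG_KEX_FIRST, SSH2_MSG_KEX_LAST, H_KEX_METHOD);
		k->state = ST_METHOD;
		break;
	case H_KEX_METHOD:	/* method reply received: the shared secret now exists */
		dispatch_range(k, SSH2_MSG_KEX_FIRST, SSH2_MSG_KEX_LAST, H_NONE);
		k->dispatch[SSH2_MSG_NEWKEYS] = H_NEWKEYS;
		k->state = ST_WAIT_NEWKEYS;
		break;
	case H_NEWKEYS:		/* 1.131: only from here on is another KEXINIT acceptable */
		k->dispatch[SSH2_MSG_NEWKEYS] = H_NONE;
		k->dispatch[SSH2_MSG_KEXINIT] = H_KEXINIT;
		dispatch_range(k, 50, 255, H_APP);	/* userauth/connection traffic */
		k->state = ST_DONE;
		break;
	case H_APP:
		break;
	case H_NONE:		/* nothing registered for this type in this state */
		if (type == SSH2_MSG_KEXINIT || type == SSH2_MSG_NEWKEYS)
			r.action = ACT_DISCONNECT;	/* 1.122/1.131: KEX control message out of order */
		else
			r.action = ACT_UNIMPLEMENTED;	/* 1.112/1.38: reply with seq, carry on */
		break;
	}
	r.state = k->state;
	return r;
}

/* Feed a constructed sequence; returns the outcome of the last message fed. */
struct kex_result
kex_sm_run(const uint8_t *types, size_t n)
{
	struct kex_sm k;
	struct kex_result r = { ACT_HANDLED, 0, ST_WAIT_KEXINIT };
	size_t i;

	/* Connection start: nothing but KEXINIT has a handler yet. */
	dispatch_range(&k, 0, 255, H_NONE);
	k.dispatch[SSH2_MSG_KEXINIT] = H_KEXINIT;
	k.state = ST_WAIT_KEXINIT;
	for (i = 0; i < n && r.action != ACT_DISCONNECT; i++)
		r = kex_sm_input(&k, types[i], (uint32_t)i);
	return r;
}

/* Constructed sequences; 31 (an ECDH reply) stands in for the method message. */
static const uint8_t SEQ_NORMAL[] = { SSH2_MSG_KEXINIT, 31, SSH2_MSG_NEWKEYS, SSH2_MSG_CHANNEL_DATA };
static const uint8_t SEQ_REPEAT_KEXINIT[] = { SSH2_MSG_KEXINIT, SSH2_MSG_KEXINIT };
static const uint8_t SEQ_EARLY_NEWKEYS[] = { SSH2_MSG_NEWKEYS };
static const uint8_t SEQ_KEXINIT_BEFORE_NEWKEYS[] = { SSH2_MSG_KEXINIT, 31, SSH2_MSG_KEXINIT };
static const uint8_t SEQ_DATA_DURING_KEX[] = { SSH2_MSG_KEXINIT, SSH2_MSG_CHANNEL_DATA };
```

SEQ_REPEAT_KEXINIT is the 1.127 case: with the handler slot cleared, the second KEXINIT never reaches the code that allocates proposals, so the unauthenticated peer cannot make the allocation grow. SEQ_DATA_DURING_KEX shows the gentler 1.112 path, where a stray message gets an UNIMPLEMENTED reply (with sequence number 1, per 1.38) and the exchange continues.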


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@
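
As an added example (mine, not kex_choose_conf() in kex.c) covering this entry together with 1.115 and 1.53 above: the RFC 4253 section 7.1 selection rule plus the first_kex_follows decision. The chosen method is the first of the client's names that the server also offers; the peer's guess was right only if both lists begin with the same name, otherwise its guessed first KEX packet has to be skipped. The names and the sample offers are mine; the method names in them appear elsewhere in this log.

```c
#include <string.h>

/*
 * Added example, not kex.c's kex_choose_conf(): the RFC 4253 section 7.1
 * selection rule plus first_kex_follows handling.  The method is the first
 * entry of the client's list that the server also lists; the peer's guess
 * was right only if both lists begin with the same name.  Names are mine.
 */
#define NAME_LEN 64

/* Copy the next comma-separated name from *p into buf; 0 at end of list. */
static int
next_name(const char **p, char *buf, size_t bufsz)
{
	const char *s = *p, *e;
	size_t n;

	if (*s == '\0')
		return 0;
	e = strchr(s, ',');
	n = e != NULL ? (size_t)(e - s) : strlen(s);
	if (n >= bufsz)
		n = bufsz - 1;		/* truncate over-long names */
	memcpy(buf, s, n);
	buf[n] = '\0';
	*p = e != NULL ? e + 1 : s + strlen(s);
	return 1;
}

static int
list_contains(const char *list, const char *name)
{
	char cur[NAME_LEN];

	while (next_name(&list, cur, sizeof(cur)))
		if (strcmp(cur, name) == 0)
			return 1;
	return 0;
}

struct kex_choice {
	char name[NAME_LEN];	/* negotiated method, "" when there is none */
	int matched;
	int skip_guess_packet;	/* the peer guessed wrong: drop its first KEX packet */
};

/* Negotiate from the two comma-separated offers (client preference wins). */
void
kex_negotiate(const char *client, const char *server, int peer_first_kex_follows,
    struct kex_choice *out)
{
	const char *p = client;
	char cur[NAME_LEN], cfirst[NAME_LEN] = "", sfirst[NAME_LEN] = "";

	memset(out, 0, sizeof(*out));
	while (next_name(&p, cur, sizeof(cur))) {
		if (list_contains(server, cur)) {
			strcpy(out->name, cur);
			out->matched = 1;
			break;
		}
	}
	if (!out->matched)
		return;		/* the caller logs both offers (1.107) and disconnects */
	p = client;
	next_name(&p, cfirst, sizeof(cfirst));
	p = server;
	next_name(&p, sfirst, sizeof(sfirst));
	/* The guess is only correct if both offers start with the same method. */
	if (peer_first_kex_follows && strcmp(cfirst, sfirst) != 0)
		out->skip_guess_packet = 1;
}

/* 1 if negotiation yields want with the given skip decision. */
int
kex_negotiate_is(const char *client, const char *server, int follows,
    const char *want, int want_skip)
{
	struct kex_choice c;

	kex_negotiate(client, server, follows, &c);
	return c.matched && strcmp(c.name, want) == 0 && c.skip_guess_packet == want_skip;
}

/* 1 if the two offers have no method in common. */
int
kex_negotiate_fails(const char *client, const char *server)
{
	struct kex_choice c;

	kex_negotiate(client, server, 0, &c);
	return !c.matched;
}

/* Constructed offers built from method names that appear in this log. */
static const char CLIENT_OFFER[] =
    "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256";
static const char SERVER_OFFER_REORDERED[] = "ecdh-sha2-nistp256,curve25519-sha256";
static const char SERVER_OFFER_SAME_FIRST[] = "curve25519-sha256,diffie-hellman-group14-sha256";
static const char SERVER_OFFER_LEGACY[] = "diffie-hellman-group1-sha1";
```

With SERVER_OFFER_REORDERED the server's first choice differs from the client's, so a peer that sent a guessed packet (first_kex_follows set) guessed wrong and that packet must be discarded even though the negotiation itself succeeds; this is the combination 1.115 repaired. The no-overlap case is where 1.107's logging of the peer's full offer pays off, since the local list alone says nothing about what the other side wanted.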


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for the move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.156 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


Revision tags: OPENBSD_6_6_BASE
# 1.155 08-Oct-2019 dtucker

Correct type for end-of-list sentinel; fixes initializer warnings on
some platforms. ok deraadt.


# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
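
The banner rule from 1.143 (a '\r' is accepted only immediately before '\n'), worked as an added example in C. This is illustration code written for this page, not OpenSSH's kex_exchange_identification(): the function name parse_banner, the 64-line cap on pre-banner text and the sample banners in main() are assumptions made here; the 255-byte line limit and the 2.0/1.99 protocol versions come from RFC 4253.

```c
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 255		/* RFC 4253 4.2: identification line incl. CRLF */
#define BANNER_MAX_LINES 64	/* pre-banner lines tolerated before giving up (assumed) */

/*
 * Scan buf[0..len) for the identification line. Lines before it that do not
 * start with "SSH-" are skipped, as a server may send them. Returns 1 with the
 * software version copied to sw and *consumed set past the line, 0 when more
 * input is needed, or -1 on a violation: a '\r' not immediately followed by
 * '\n', a NUL byte, an overlong line, or a protocol version other than
 * 2.0 or 1.99.
 */
static int parse_banner(const char *buf, size_t len, char *sw, size_t swlen,
    size_t *consumed)
{
	size_t pos = 0;
	for (unsigned lines = 0; lines < BANNER_MAX_LINES; lines++) {
		const char *line = buf + pos, *ver, *p, *end;
		size_t i, n, vlen = 0, k = 0;

		for (i = pos;; i++) {
			if (i >= len) return 0;			/* need more data */
			if (i - pos >= BANNER_MAX) return -1;	/* overlong line */
			if (buf[i] == '\n') break;
			if (buf[i] == '\0') return -1;
			if (buf[i] == '\r') {			/* only as part of CRLF */
				if (i + 1 >= len) return 0;
				if (buf[i + 1] != '\n') return -1;
			}
		}
		n = i - pos;
		if (n > 0 && buf[i - 1] == '\r') n--;
		pos = i + 1;
		if (n < 4 || memcmp(line, "SSH-", 4) != 0)
			continue;				/* pre-banner text */
		/* SSH-protoversion-softwareversion [SP comments] */
		ver = line + 4, end = line + n;
		while (ver + vlen < end && ver[vlen] != '-') vlen++;
		if (ver + vlen == end) return -1;		/* no softwareversion */
		if ((vlen != 3 || memcmp(ver, "2.0", 3) != 0) &&
		    (vlen != 4 || memcmp(ver, "1.99", 4) != 0))
			return -1;
		p = ver + vlen + 1;
		while (p + k < end && p[k] != ' ') k++;
		if (k == 0 || k >= swlen) return -1;
		memcpy(sw, p, k);
		sw[k] = '\0';
		*consumed = pos;
		return 1;
	}
	return -1;	/* gave up waiting for the banner */
}

int main(void)
{
	/* Constructed input: a stray CR inside the software version. */
	const char *bad = "SSH-2.0-Open\rSSH_9.7\r\n";
	char sw[64];
	size_t used = 0;
	printf("good: %d\n", parse_banner("SSH-2.0-OpenSSH_9.7\r\n", 21, sw, sizeof sw, &used));
	printf("bad:  %d\n", parse_banner(bad, strlen(bad), sw, sizeof sw, &used));
	return 0;
}
```

Returning 0 on a buffer that ends in a lone '\r' (rather than rejecting it) matters when the banner arrives split across reads; the overlong-line check still bounds how long a peer can keep the parser waiting.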


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
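
The two state checks from 1.131 (no KEXINIT before NEWKEYS) and 1.127 (swap the KEXINIT handler out once a proposal is held, so a repeat cannot allocate again), together with the early-NEWKEYS case from 1.122 and the UNIMPLEMENTED reply from 1.38/1.112, as an added example in C. It is a simulation written for this page, not OpenSSH's dispatch code: kex_sim, the handler names, the 128 KB per-proposal figure and the message sequence in main() are assumptions made here; the message numbers are RFC 4253's.

```c
#include <stddef.h>
#include <stdio.h>

enum { SSH2_MSG_KEXINIT = 20, SSH2_MSG_NEWKEYS = 21,
    SSH2_MSG_KEXDH_INIT = 30, SSH2_MSG_USERAUTH_REQUEST = 50 };
enum kex_state { KEX_IDLE, KEX_INIT_RECEIVED, KEX_DH_DONE, KEX_COMPLETE };

#define PROPOSAL_ALLOC (128u * 1024u)	/* memory one parsed KEXINIT costs us (assumed) */

typedef struct kex_sim kex_sim;
typedef int (*handler_fn)(kex_sim *);
struct kex_sim {
	handler_fn handlers[256];	/* dispatch table; NULL = no handler */
	enum kex_state state;
	unsigned recv_seq;		/* sequence number of the packet in hand */
	unsigned bytes_held;		/* proposal memory a peer has made us hold */
	int unimplemented_seq;		/* seq echoed in the last UNIMPLEMENTED, -1 if none */
	const char *fatal;		/* set once the connection must be dropped */
};

static int on_kexinit(kex_sim *s);

/* 1.131: a KEXINIT while an exchange is in progress ends the connection. */
static int on_kexinit_too_early(kex_sim *s)
{
	s->fatal = "KEXINIT before NEWKEYS";
	return -1;
}

static int on_kexdh_init(kex_sim *s)
{
	/* KEXDH_REPLY and our own NEWKEYS would be sent from here. */
	s->handlers[SSH2_MSG_KEXDH_INIT] = NULL;
	s->state = KEX_DH_DONE;
	return 0;
}

static int on_newkeys(kex_sim *s)
{
	if (s->state != KEX_DH_DONE) {	/* 1.122: nothing to switch to yet */
		s->fatal = "NEWKEYS before key exchange completed";
		return -1;
	}
	s->state = KEX_COMPLETE;
	s->handlers[SSH2_MSG_NEWKEYS] = NULL;
	s->handlers[SSH2_MSG_KEXINIT] = on_kexinit;	/* 1.44: re-arm for rekeying */
	return 0;
}

static int on_kexinit(kex_sim *s)
{
	s->bytes_held += PROPOSAL_ALLOC;	/* parse and keep the peer's proposal */
	s->state = KEX_INIT_RECEIVED;
	/* 1.127: swap the handler out now, so a repeated KEXINIT cannot
	 * allocate again; with 1.131 it is fatal rather than just ignored. */
	s->handlers[SSH2_MSG_KEXINIT] = on_kexinit_too_early;
	s->handlers[SSH2_MSG_KEXDH_INIT] = on_kexdh_init;
	s->handlers[SSH2_MSG_NEWKEYS] = on_newkeys;
	return 0;
}

static void kex_sim_init(kex_sim *s)
{
	for (size_t i = 0; i < 256; i++) s->handlers[i] = NULL;
	s->handlers[SSH2_MSG_KEXINIT] = on_kexinit;
	s->state = KEX_IDLE;
	s->recv_seq = s->bytes_held = 0;
	s->unimplemented_seq = -1;
	s->fatal = NULL;
}

/* Dispatch one incoming message. A message with no handler is answered with
 * UNIMPLEMENTED carrying its sequence number (1.38, 1.112) rather than
 * dropping the connection. Returns 0, or -1 once the connection is dead. */
static int kex_sim_feed(kex_sim *s, int type)
{
	if (s->fatal != NULL) return -1;
	unsigned seq = s->recv_seq++;
	handler_fn h = (type >= 0 && type < 256) ? s->handlers[type] : NULL;
	if (h == NULL) {
		s->unimplemented_seq = (int)seq;
		return 0;
	}
	return h(s);
}

int main(void)
{
	kex_sim s;
	kex_sim_init(&s);
	kex_sim_feed(&s, SSH2_MSG_KEXINIT);
	int rc = kex_sim_feed(&s, SSH2_MSG_KEXINIT);	/* the repeat from 1.127 */
	printf("second KEXINIT: rc=%d, held=%u bytes, %s\n", rc, s.bytes_held,
	    s.fatal ? s.fatal : "connection still open");
	return 0;
}
```

The point to take from the simulation is that bytes_held stays at one proposal's worth no matter how many KEXINITs an unauthenticated peer sends, while ordinary stray messages still get the non-fatal UNIMPLEMENTED reply.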


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
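
The prefix rules from 1.154 ('^' prepend), 1.128 ('-' remove) and 1.109 ('+' append), the wildcard behaviour described in 1.138 (wildcards but no negation, expanded when the configuration is finalised), and the client-preference negotiation with the first_kex_follows guess from 1.53/1.115, as one added example in C. It is illustration code for this page, not OpenSSH's kex_assemble_names()/match_list(): assemble_algs, choose_alg, kex_guess_ok and the two sample algorithm lists are assumptions made here, and the sample list order is not OpenSSH's default.

```c
#include <string.h>

#define MAX_ALGS 16
#define NAME_LEN 48
typedef struct { char name[MAX_ALGS][NAME_LEN]; size_t n; } alglist;

/* Sample lists, constructed for this example (not OpenSSH's defaults). */
#define KEX_SUPPORTED "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256," \
	"diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
#define KEX_DEFAULTS "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256," \
	"diffie-hellman-group14-sha256"

/* '*' matches any run, '?' one character; deliberately no '!' negation. */
static int wild_match(const char *pat, const char *s)
{
	for (;; pat++, s++) {
		if (*pat == '\0') return *s == '\0';
		if (*pat == '*') {
			while (*pat == '*') pat++;
			if (*pat == '\0') return 1;
			for (; *s != '\0'; s++)
				if (wild_match(pat, s)) return 1;
			return 0;
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s)) return 0;
	}
}

static int list_has(const alglist *l, const char *name)
{
	for (size_t i = 0; i < l->n; i++) if (strcmp(l->name[i], name) == 0) return 1;
	return 0;
}

/* Append without duplicates; oversize names and overflow are dropped. */
static void list_add(alglist *l, const char *name)
{
	if (!list_has(l, name) && l->n < MAX_ALGS && strlen(name) < NAME_LEN)
		strcpy(l->name[l->n++], name);
}

static void split_list(const char *list, alglist *out)
{
	char tok[NAME_LEN];
	out->n = 0;
	while (*list != '\0') {
		const char *comma = strchr(list, ',');
		size_t len = comma ? (size_t)(comma - list) : strlen(list);
		if (len > 0 && len < NAME_LEN)
			memcpy(tok, list, len), tok[len] = '\0', list_add(out, tok);
		list = comma ? comma + 1 : list + len;
	}
}

/* Effective list for one config value: "+x" appends, "-x" removes, "^x"
 * prepends, a bare list replaces the defaults. Entries are expanded against
 * `supported`, so a typo fails here at config time rather than at connect
 * time. Returns 0, or -1 for an unknown entry or an empty result. */
static int assemble_algs(const char *defaults, const char *supported,
    const char *spec, alglist *out)
{
	alglist def, sup, user, hit;
	char op = (*spec == '+' || *spec == '-' || *spec == '^') ? *spec++ : '=';

	split_list(defaults, &def);
	split_list(supported, &sup);
	split_list(spec, &user);
	out->n = hit.n = 0;
	for (size_t j = 0; j < user.n; j++) {
		int matched = 0;
		for (size_t k = 0; k < sup.n; k++)
			if (wild_match(user.name[j], sup.name[k]))
				list_add(&hit, sup.name[k]), matched = 1;
		if (!matched && op != '-') return -1;
	}
	if (op == '^')
		for (size_t i = 0; i < hit.n; i++) list_add(out, hit.name[i]);
	if (op != '=')
		for (size_t i = 0; i < def.n; i++)
			if (op != '-' || !list_has(&hit, def.name[i]))
				list_add(out, def.name[i]);
	if (op == '=' || op == '+')
		for (size_t i = 0; i < hit.n; i++) list_add(out, hit.name[i]);
	return out->n == 0 ? -1 : 0;
}

/* RFC 4253 7.1: the first entry of the client's list that the server also
 * offers wins; NULL means no mutual algorithm (log both offers then). */
static const char *choose_alg(const alglist *client, const alglist *server)
{
	for (size_t i = 0; i < client->n; i++)
		if (list_has(server, client->name[i])) return client->name[i];
	return NULL;
}

/* A first_kex_follows guess holds only if both sides lead with the same kex
 * and the same host key algorithm; otherwise the guessed packet is discarded. */
static int kex_guess_ok(const alglist *ck, const alglist *sk, const alglist *ch, const alglist *sh)
{
	return ck->n && sk->n && ch->n && sh->n &&
	    !strcmp(ck->name[0], sk->name[0]) && !strcmp(ch->name[0], sh->name[0]);
}
```

Note that a "-" spec never fails on an unknown pattern (removing something that was never there is harmless), while "+", "^" and a bare list do, which is what makes a mistyped algorithm name show up at configuration time instead of as a silent no-op.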


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@
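
The size decisions in 1.97 (dh_need = max(seclen, blocksize, ivlen, mac_len)), 1.96 (3des-cbc's effective strength), 1.22 (a private exponent of 2*need bits) and 1.3 (a sanity check of the peer's public value), worked as an added example in C on a toy 31-bit group so it runs without a bignum library. This is illustration code for this page, not OpenSSH's dh.c: the 14-byte figure for 3des-cbc, the dh_estimate() thresholds (taken from the NIST SP 800-57 key-size equivalences), the "more than one bit set" public-value test and the xorshift generator are assumptions made here; a real exchange needs a 2048-bit or larger group and a CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; unsigned key_len, block_size, iv_len; } cipher_info;

/* Effective strength in bytes. 3des-cbc is the 1.96 special case: a 168-bit
 * key buys roughly 112 bits of security, i.e. 14 bytes (assumed here). */
static unsigned cipher_seclen(const cipher_info *c)
{
	return strcmp(c->name, "3des-cbc") == 0 ? 14 : c->key_len;
}

/* dh_need = max(seclen, blocksize, ivlen, mac_len), in bytes (1.97). */
static unsigned dh_need_bytes(const cipher_info *c, unsigned mac_key_len)
{
	unsigned need = cipher_seclen(c);
	if (c->block_size > need) need = c->block_size;
	if (c->iv_len > need) need = c->iv_len;
	if (mac_key_len > need) need = mac_key_len;
	return need;
}

/* Group size (bits) to ask the server for, given the needed strength in bits.
 * Thresholds follow NIST SP 800-57 equivalences (assumed for this example). */
static unsigned dh_estimate(unsigned bits)
{
	if (bits <= 112) return 2048;
	if (bits <= 128) return 3072;
	if (bits <= 192) return 7680;
	return 8192;
}

/* Private exponent length: twice the needed strength (1.22), capped so it
 * always stays below the size of the group. */
static unsigned dh_priv_bits(unsigned need_bytes, unsigned group_bits)
{
	unsigned bits = 2 * need_bytes * 8;
	return bits < group_bits - 1 ? bits : group_bits - 1;
}

/* Peer public value check (1.3): strictly inside (1, p-1) and not a
 * degenerate value with a single bit set. */
static int dh_pub_is_valid(uint64_t pub, uint64_t p)
{
	unsigned bits_set = 0;
	if (pub <= 1 || pub >= p - 1) return 0;
	for (uint64_t v = pub; v != 0; v >>= 1) bits_set += (unsigned)(v & 1);
	return bits_set > 1;
}

/* Toy group: p = 2^31 - 1 (prime), g = 7, so every product fits in 64 bits.
 * Demonstration only; real key exchange needs a 2048-bit or larger group. */
#define TOY_P 2147483647ULL
#define TOY_G 7ULL
#define TOY_BITS 31

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m)
{
	uint64_t r = 1;
	for (b %= m; e != 0; e >>= 1, b = b * b % m)
		if (e & 1) r = r * b % m;
	return r;
}

/* xorshift64: deterministic for the example, not a CSPRNG. */
static uint64_t toy_rand(uint64_t *s)
{
	uint64_t x = *s;
	x ^= x << 13; x ^= x >> 7; x ^= x << 17;
	return *s = x;
}

/* Both sides of one exchange with short exponents; returns the shared secret
 * both sides agreed on, or 0 if either public value failed validation. */
static uint64_t toy_exchange(uint64_t seed, unsigned need_bytes)
{
	unsigned bits = dh_priv_bits(need_bytes, TOY_BITS);
	uint64_t mask = (1ULL << bits) - 1, top = 1ULL << (bits - 1);
	uint64_t rng = seed ? seed : 1;
	uint64_t xa = (toy_rand(&rng) & mask) | top;	/* exactly `bits` bits long */
	uint64_t xb = (toy_rand(&rng) & mask) | top;
	uint64_t ea = modpow(TOY_G, xa, TOY_P), eb = modpow(TOY_G, xb, TOY_P);
	if (!dh_pub_is_valid(ea, TOY_P) || !dh_pub_is_valid(eb, TOY_P))
		return 0;
	uint64_t ka = modpow(eb, xa, TOY_P), kb = modpow(ea, xb, TOY_P);
	return ka == kb ? ka : 0;
}

int main(void)
{
	cipher_info aes128 = { "aes128-ctr", 16, 16, 16 };
	unsigned need = dh_need_bytes(&aes128, 32);	/* paired with a 32-byte MAC key */
	printf("need=%u bytes, group=%u bits, exponent=%u bits, toy secret=%llu\n",
	    need, dh_estimate(need * 8), dh_priv_bits(need, 4096),
	    (unsigned long long)toy_exchange(42, need));
	return 0;
}
```

With aes128-ctr and a 32-byte MAC key the MAC key dominates, so need is 32 bytes, the exponent 512 bits and the requested group 8192 bits; with 3des-cbc and a 16-byte MAC key the 14-byte effective strength keeps the request at 3072 bits instead of the 7680 a 24-byte key length would imply.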


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@




# 1.154 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
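
The CR rule in revision 1.143 above is easy to state and easy to get wrong, so here it is as a stand-alone C parser for the identification exchange: lines before the one starting with "SSH-" are skipped, a CR is accepted only when the very next byte is LF, a bare LF is accepted, and a line longer than the 255 bytes RFC 4253 section 4.2 allows is rejected. This is an added example written for this log, not the kex.c banner code; the read_banner()/banner_version_ok() names, the BANNER_* sample inputs, the cap on ignored pre-banner lines and the status enum are assumptions made for the illustration.

```c
/*
 * Added example, not OpenSSH code: extracting the peer's identification
 * string from the bytes that precede the binary packet protocol.  A CR is
 * legal only immediately before LF; a line containing any other CR is
 * rejected instead of being silently treated as a line break.
 */
#include <stddef.h>
#include <string.h>

#define BANNER_MAX      255  /* RFC 4253 4.2: max line length incl. CR LF */
#define PREBANNER_LINES 64   /* assumption: cap on ignored lines before SSH- */

enum banner_status { BANNER_OK, BANNER_NEED_MORE, BANNER_BAD_CR,
    BANNER_TOO_LONG, BANNER_TOO_MANY_LINES };

/*
 * Scan buf[0..len) for the identification line.  On BANNER_OK the line,
 * without its CR/LF, is copied to out and *consumed is set to the number
 * of bytes used, so buf + *consumed is where the first packet starts.
 */
enum banner_status read_banner(const char *buf, size_t len, char *out,
    size_t outsz, size_t *consumed)
{
    size_t start = 0, i, linelen;
    int lines = 0;

    for (;;) {
        /* find the end of the current line, policing every CR on the way */
        for (i = start; i < len && buf[i] != '\n'; i++) {
            if (i - start + 2 > BANNER_MAX)
                return BANNER_TOO_LONG;      /* counting the LF still owed */
            if (buf[i] != '\r')
                continue;
            if (i + 1 >= len)
                return BANNER_NEED_MORE;     /* cannot judge this CR yet */
            if (buf[i + 1] != '\n')
                return BANNER_BAD_CR;        /* CR not followed by LF */
        }
        if (i >= len)
            return BANNER_NEED_MORE;
        linelen = i - start;
        if (linelen > 0 && buf[i - 1] == '\r')
            linelen--;                       /* drop the CR of CR LF */
        if (linelen >= 4 && memcmp(buf + start, "SSH-", 4) == 0) {
            if (linelen >= outsz)
                return BANNER_TOO_LONG;
            memcpy(out, buf + start, linelen);
            out[linelen] = '\0';
            *consumed = i + 1;
            return BANNER_OK;
        }
        if (++lines > PREBANNER_LINES)
            return BANNER_TOO_MANY_LINES;    /* peer is just stalling us */
        start = i + 1;
    }
}

/* Only protocol 2.0, or the "1.99" marker RFC 4253 5.1 allows for it. */
int banner_version_ok(const char *line)
{
    return strncmp(line, "SSH-2.0-", 8) == 0 ||
        strncmp(line, "SSH-1.99-", 9) == 0;
}

/* Constructed inputs; sizeof(x) - 1 is the byte count of each. */
const char BANNER_GOOD[] = "SSH-2.0-OpenSSH_9.7\r\n\0\0\0\x1c";
const char BANNER_PREAMBLE[] = "Welcome to example.org\r\nSSH-2.0-OpenSSH_9.7\n";
const char BANNER_STRAY_CR[] = "SSH-2.0-OpenSSH_9.7\rX\n";
const char BANNER_PARTIAL[] = "SSH-2.0-Open";
```

The important design point is that the CR check runs while scanning, before the line is classified: a stray CR inside a pre-banner line is just as much a protocol violation as one inside the version string, and deferring the check until after the "SSH-" test would let the former through.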


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch by
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@
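
Revisions 1.131, 1.127, 1.122 and 1.112 above each tighten one transition of the same state machine: which KEX-phase messages sshd accepts, in which order, and what happens to everything else. Below is a compact C model of that receive-side policy, added here as an example and not taken from OpenSSH's dispatch tables. The state names, struct kex_ctx, the verdict enum and the SEQ_* sample sequences are assumptions; the message numbers are the values from RFC 4253 and RFC 4254 (KEXINIT 20, NEWKEYS 21, KEXDH_INIT 30, CHANNEL_DATA 94).

```c
/*
 * Added example, not OpenSSH code: which KEX-phase messages a server
 * accepts in each state.  A second KEXINIT before the exchange finishes
 * is fatal (re-running the handler is what let a peer allocate proposals
 * over and over), NEWKEYS before the method has produced keys is fatal
 * (there is nothing to switch to), and any other message that arrives
 * mid-exchange is answered with SSH2_MSG_UNIMPLEMENTED carrying the
 * offending packet's sequence number rather than by dropping the link.
 */
#include <stdint.h>

/* Message numbers from RFC 4253 and RFC 4254. */
enum { SSH2_MSG_KEXINIT = 20, SSH2_MSG_NEWKEYS = 21,
       SSH2_MSG_KEXDH_INIT = 30, SSH2_MSG_CHANNEL_DATA = 94 };

enum kex_state {
    KEX_IDLE,       /* no exchange in progress */
    KEX_INIT_RCVD,  /* peer's KEXINIT consumed; its handler is now disarmed */
    KEX_KEYS_READY  /* shared secret derived; waiting for peer's NEWKEYS */
};

enum verdict { V_ACCEPT, V_UNIMPLEMENTED, V_DISCONNECT };

struct kex_ctx {
    enum kex_state state;
    unsigned exchanges;    /* completed exchanges; 0 means no keys yet */
    uint32_t unimpl_seq;   /* sequence number to echo in UNIMPLEMENTED */
    const char *reason;    /* why we disconnected, for the log */
};

void kex_ctx_init(struct kex_ctx *k)
{
    k->state = KEX_IDLE;
    k->exchanges = 0;
    k->unimpl_seq = 0;
    k->reason = "";
}

static enum verdict kex_unimplemented(struct kex_ctx *k, uint32_t seqnr)
{
    k->unimpl_seq = seqnr;
    return V_UNIMPLEMENTED;
}

static enum verdict kex_disconnect(struct kex_ctx *k, const char *why)
{
    k->reason = why;
    return V_DISCONNECT;
}

/* Decide what to do with an inbound packet of the given type. */
enum verdict kex_server_dispatch(struct kex_ctx *k, uint8_t type,
    uint32_t seqnr)
{
    switch (type) {
    case SSH2_MSG_KEXINIT:
        if (k->state == KEX_INIT_RCVD)
            return kex_disconnect(k, "repeated KEXINIT");
        if (k->state == KEX_KEYS_READY)
            return kex_disconnect(k, "KEXINIT before NEWKEYS");
        k->state = KEX_INIT_RCVD;
        return V_ACCEPT;
    case SSH2_MSG_KEXDH_INIT:
        if (k->state != KEX_INIT_RCVD)
            return kex_unimplemented(k, seqnr);  /* no exchange to answer */
        k->state = KEX_KEYS_READY;   /* stands in for the DH computation */
        return V_ACCEPT;
    case SSH2_MSG_NEWKEYS:
        if (k->state != KEX_KEYS_READY)
            return kex_disconnect(k, "NEWKEYS before keys were derived");
        k->state = KEX_IDLE;         /* the new keys take effect here */
        k->exchanges++;
        return V_ACCEPT;
    default:
        if (k->state != KEX_IDLE || k->exchanges == 0)
            return kex_unimplemented(k, seqnr);  /* not allowed mid-KEX */
        return V_ACCEPT;             /* hand to the upper layer */
    }
}

/*
 * Feed a constructed message sequence, numbering packets from 0.  Returns
 * the index of the packet that got the peer disconnected, or -1 if none.
 */
int kex_replay(struct kex_ctx *k, const uint8_t *types, int n)
{
    int i;

    for (i = 0; i < n; i++)
        if (kex_server_dispatch(k, types[i], (uint32_t)i) == V_DISCONNECT)
            return i;
    return -1;
}

/* Constructed sequences: one clean exchange and three hostile ones. */
const uint8_t SEQ_NORMAL[] = { SSH2_MSG_KEXINIT, SSH2_MSG_KEXDH_INIT,
    SSH2_MSG_NEWKEYS, SSH2_MSG_CHANNEL_DATA };
const uint8_t SEQ_REPEAT_KEXINIT[] = { SSH2_MSG_KEXINIT, SSH2_MSG_KEXINIT };
const uint8_t SEQ_EARLY_NEWKEYS[] = { SSH2_MSG_KEXINIT, SSH2_MSG_NEWKEYS };
const uint8_t SEQ_REKEY_TOO_SOON[] = { SSH2_MSG_KEXINIT, SSH2_MSG_KEXDH_INIT,
    SSH2_MSG_KEXINIT };
```

Two verdicts are deliberately different in severity: the KEXINIT and NEWKEYS ordering violations end the connection because the peer is either attacking the allocator or desynchronised beyond recovery, whereas an ordinary message in the wrong phase only earns an UNIMPLEMENTED reply, which is what keeps a conforming peer that sent one packet too many from being cut off.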


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
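
The three prefixes described in revisions 1.154 ('^'), 1.128 ('-') and 1.109 ('+') above, together with the wildcard rule from 1.138, combine into a small set of list operations. The following stand-alone C program models them; it is an added example written for this log, not OpenSSH's own kex_assemble_names() or match_filter_*() code. The function names, the SAMPLE_ALL and SAMPLE_DEF lists and the rejection of a literal name that is not in the supported set are assumptions made for the illustration.

```c
/*
 * Added example, not OpenSSH code: how a configured algorithm list combines
 * with the built-in default.  '+' appends, '-' removes, '^' prepends, no
 * prefix replaces; '*'/'?' wildcards are allowed, '!' negation is not, and
 * a literal name outside the supported set is an error, not a silent no-op.
 * SAMPLE_ALL and SAMPLE_DEF are constructed sample data.
 */
#include <string.h>

const char *const SAMPLE_ALL =
    "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
    "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc";
const char *const SAMPLE_DEF =
    "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc";

/* Minimal glob: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *pat, const char *s)
{
    if (*pat == '\0')
        return *s == '\0';
    if (*pat == '*')
        return glob_match(pat + 1, s) || (*s != '\0' && glob_match(pat, s + 1));
    return *s != '\0' && (*pat == '?' || *pat == *s) && glob_match(pat + 1, s + 1);
}

/* Copy the next comma-separated entry of *p into tok; 0 when exhausted. */
static int next_token(const char **p, char *tok, size_t toksz)
{
    const char *end = strchr(*p, ',');
    size_t len = end != NULL ? (size_t)(end - *p) : strlen(*p);
    if (**p == '\0')
        return 0;
    if (len >= toksz)
        len = toksz - 1;
    memcpy(tok, *p, len);
    tok[len] = '\0';
    *p = end != NULL ? end + 1 : *p + len;
    return 1;
}

/* Does any pattern in the comma-separated list pats match name? */
static int matches_any(const char *pats, const char *name)
{
    char pat[64];
    while (next_token(&pats, pat, sizeof(pat)))
        if (pat[0] != '\0' && glob_match(pat, name))
            return 1;
    return 0;
}

/* Append name to the list in out unless already present; -1 on overflow. */
static int list_add(char *out, size_t outsz, const char *name)
{
    size_t used = strlen(out);
    if (matches_any(out, name))
        return 0;
    if (used + strlen(name) + 2 > outsz)
        return -1;
    if (used > 0)
        out[used++] = ',';
    strcpy(out + used, name);
    return 0;
}

/* Append every supported name matching a pattern in pats, in all's order. */
static int expand(const char *pats, const char *all, char *out, size_t outsz)
{
    char pat[64], name[64];
    const char *ap;
    int hit;
    while (next_token(&pats, pat, sizeof(pat))) {
        if (pat[0] == '\0')
            continue;
        for (hit = 0, ap = all; next_token(&ap, name, sizeof(name)); ) {
            if (!glob_match(pat, name))
                continue;
            if (list_add(out, outsz, name) == -1)
                return -1;
            hit = 1;
        }
        if (!hit && strpbrk(pat, "*?") == NULL)
            return -1;          /* literal name of an unsupported algorithm */
    }
    return 0;
}

/* Effective list for spec; 0 on success, -1 if spec is invalid. */
int assemble_names(const char *spec, const char *def, const char *all,
    char *out, size_t outsz)
{
    char name[64];
    const char *p;
    out[0] = '\0';
    if (spec == NULL || *spec == '\0')
        return expand(def, all, out, outsz);
    if (strchr(spec, '!') != NULL)          /* negation is not supported */
        return -1;
    switch (*spec) {
    case '+':   /* default first, then the additions */
        return expand(def, all, out, outsz) == -1 ? -1 :
            expand(spec + 1, all, out, outsz);
    case '^':   /* additions first, then what remains of the default */
        return expand(spec + 1, all, out, outsz) == -1 ? -1 :
            expand(def, all, out, outsz);
    case '-':   /* default minus every entry some pattern matches */
        for (p = def; next_token(&p, name, sizeof(name)); )
            if (!matches_any(spec + 1, name) &&
                list_add(out, outsz, name) == -1)
                return -1;
        return 0;
    default:    /* an explicit list replaces the default outright */
        return expand(spec, all, out, outsz);
    }
}
```

With the sample lists, "^aes256-gcm@openssh.com" moves the GCM cipher to the front while the rest of the default keeps its order, "-*cbc" strips aes128-cbc, "+aes128-ctr" is a no-op because the entry is already present, and both "!aes128-cbc" and a misspelt literal name are rejected rather than quietly producing a shorter list, which is the failure mode a hardening change to sshd_config most needs to avoid.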


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
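
The wire format behind revision 1.83 is the SSH "string": a 32-bit big-endian length followed by that many bytes. The C reader below, added here as an example and not OpenSSH's sshbuf code, shows the two flavours the commit distinguishes: a raw getter that returns whatever bytes are present (still the right call for opaque values such as the EXT_INFO extension values that revision 1.134 above says may legitimately contain \0), and a C-string getter that refuses embedded NULs while tolerating the single trailing one the commit's footnote mentions. struct view, get_string(), get_cstring(), hidden_tail_bytes(), parse_name() and the SAMPLE_* packets are names and data constructed for the illustration.

```c
/*
 * Added example, not OpenSSH code: a minimal reader for the SSH wire
 * "string" type (uint32 big-endian length, then that many bytes).
 * get_string() returns the raw bytes, NULs and all, which is right for
 * opaque values; get_cstring() is for fields that will be handled with
 * string(3) functions, so it refuses embedded NULs and tolerates only a
 * single trailing one.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum get_status { GET_OK, GET_SHORT, GET_EMBEDDED_NUL, GET_TOO_LONG };

struct view { const uint8_t *p; size_t len; };  /* unread part of a packet */

/* Raw string field; the view advances past it only on success. */
enum get_status get_string(struct view *b, const uint8_t **s, size_t *slen)
{
    uint32_t n;

    if (b->len < 4)
        return GET_SHORT;
    n = ((uint32_t)b->p[0] << 24) | ((uint32_t)b->p[1] << 16) |
        ((uint32_t)b->p[2] << 8) | (uint32_t)b->p[3];
    if (n > b->len - 4)
        return GET_SHORT;               /* length claims more than we hold */
    *s = b->p + 4;
    *slen = n;
    b->p += 4 + n;
    b->len -= 4 + n;
    return GET_OK;
}

/* NUL-terminated copy of a string field that must not contain NULs. */
enum get_status get_cstring(struct view *b, char *out, size_t outsz)
{
    struct view save = *b;
    const uint8_t *s;
    size_t n;
    enum get_status r = get_string(b, &s, &n);

    if (r != GET_OK)
        return r;
    if (n > 0 && s[n - 1] == '\0')
        n--;                            /* one trailing NUL is tolerated */
    if (memchr(s, '\0', n) != NULL) {
        *b = save;                      /* leave the buffer where it was */
        return GET_EMBEDDED_NUL;
    }
    if (n >= outsz) {
        *b = save;
        return GET_TOO_LONG;
    }
    memcpy(out, s, n);
    out[n] = '\0';
    return GET_OK;
}

/*
 * Bytes of a raw field that a string(3) consumer would never see: the
 * encoded length minus where strlen() would stop.  Zero for honest input.
 */
size_t hidden_tail_bytes(const uint8_t *pkt, size_t pktlen)
{
    struct view b = { pkt, pktlen };
    const uint8_t *s;
    size_t n, visible;

    if (get_string(&b, &s, &n) != GET_OK)
        return 0;
    for (visible = 0; visible < n && s[visible] != '\0'; visible++)
        ;
    return n - visible;
}

/* Parse one string field at the start of a packet body as a C string. */
enum get_status parse_name(const uint8_t *pkt, size_t pktlen, char *out,
    size_t outsz)
{
    struct view b = { pkt, pktlen };

    return get_cstring(&b, out, outsz);
}

/* Constructed sample fields as they would appear in a decrypted packet. */
const uint8_t SAMPLE_CLEAN[]     = { 0, 0, 0, 4, 'r', 'o', 'o', 't' };
const uint8_t SAMPLE_TRAILING[]  = { 0, 0, 0, 5, 'r', 'o', 'o', 't', 0 };
const uint8_t SAMPLE_SMUGGLED[]  = { 0, 0, 0, 9, 'r', 'o', 'o', 't', 0,
                                     'e', 'v', 'i', 'l' };
const uint8_t SAMPLE_TRUNCATED[] = { 0, 0, 0, 9, 'r', 'o' };
```

SAMPLE_SMUGGLED is the case the commit is about: a consumer that copies the field and then uses strcmp() sees "root", while the five bytes after the NUL still count toward the field's length, still go into any hash or signature computed over the message, and never show up in a log line.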


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
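
Revisions 1.97 and 1.96 above set the two quantities behind the group exchange introduced in revision 1.11 (how much key material the KEX must produce, and how strong the group must be, with 3des-cbc credited only 112 bits), and revision 1.22 here sizes the private exponent at about twice the security level. The C below pulls those rules together over a small constructed algorithm table; it is an added example, not dh.c or kex.c. The kex_need()/estimate_group_bits()/exponent_bits() names are assumptions, the thresholds in estimate_group_bits() are an assumption modelled on the NIST SP 800-57 symmetric/finite-field equivalence table with RFC 4419's 8192-bit ceiling, and the 256-bit exponent floor is likewise assumed.

```c
/*
 * Added example, not OpenSSH code.  "need" is the key material one
 * direction of the transport must derive from the KEX; "dh_need" is the
 * security level the DH group must provide.  Both are the maximum over
 * the negotiated cipher and MAC parameters, except that dh_need credits
 * 3des-cbc with 112 bits (14 bytes) of strength instead of its 24-byte key.
 */
#include <stddef.h>
#include <string.h>

struct cipher_info { const char *name; unsigned key_len, block_size, iv_len; };
struct mac_info    { const char *name; unsigned key_len; };

/* Constructed lookup table; the byte sizes are the standard ones. */
static const struct cipher_info CIPHERS[] = {
    { "aes128-ctr",                    16, 16, 16 },
    { "aes256-gcm@openssh.com",        32, 16, 12 },
    { "chacha20-poly1305@openssh.com", 64,  8,  0 },
    { "3des-cbc",                      24,  8,  8 },
};
static const struct mac_info MACS[] = {
    { "hmac-md5",      16 },
    { "hmac-sha1",     20 },
    { "hmac-sha2-256", 32 },
    { "hmac-sha2-512", 64 },
};

static unsigned max_u(unsigned a, unsigned b) { return a > b ? a : b; }

/* Effective strength of the cipher key in bytes; 3des-cbc is the special case. */
static unsigned cipher_seclen(const struct cipher_info *c)
{
    return strcmp(c->name, "3des-cbc") == 0 ? 14 : c->key_len;
}

static const struct cipher_info *find_cipher(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof(CIPHERS) / sizeof(CIPHERS[0]); i++)
        if (strcmp(CIPHERS[i].name, name) == 0)
            return &CIPHERS[i];
    return NULL;
}

static const struct mac_info *find_mac(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof(MACS) / sizeof(MACS[0]); i++)
        if (strcmp(MACS[i].name, name) == 0)
            return &MACS[i];
    return NULL;
}

/* need and dh_need in bytes for a cipher/MAC pair; -1 on an unknown name. */
int kex_need(const char *cipher, const char *mac, unsigned *need,
    unsigned *dh_need)
{
    const struct cipher_info *c = find_cipher(cipher);
    const struct mac_info *m = find_mac(mac);
    unsigned common;

    if (c == NULL || m == NULL)
        return -1;
    common = max_u(max_u(c->block_size, c->iv_len), m->key_len);
    *need = max_u(c->key_len, common);
    *dh_need = max_u(cipher_seclen(c), common);
    return 0;
}

/*
 * Group size in bits to request for a security level of `bits`.  Assumed
 * thresholds, modelled on NIST SP 800-57's symmetric/finite-field table
 * and capped at the 8192 bits RFC 4419 expects implementations to support.
 */
unsigned estimate_group_bits(unsigned bits)
{
    if (bits <= 112)
        return 2048;
    if (bits <= 128)
        return 3072;
    if (bits <= 192)
        return 7680;
    return 8192;
}

/*
 * Private exponent size: twice the bits of key material needed (generic
 * discrete-log attacks cost about the square root of the exponent space),
 * floored at an assumed 256 bits and always smaller than the group.  This
 * is only safe because the moduli are safe primes, which is the point of
 * the van Oorschot/Wiener reference in revision 1.22.
 */
unsigned exponent_bits(unsigned need_bits, unsigned group_bits)
{
    unsigned e = 2 * max_u(need_bits, 256);

    return e < group_bits ? e : group_bits - 1;
}
```

The 3des-cbc case is visible only when the MAC is weaker than the cipher key: paired with hmac-md5 its dh_need drops from 24 bytes to 16, so the group asked for is 3072 bits rather than 7680, which is the interoperability point of revision 1.96. A short exponent drawn from a group whose modulus is not a safe prime would not carry the same guarantee, so the floor and the 2x rule should never be applied to a peer-supplied group that has not been checked.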


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values
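
Revision 1.3 adds the check that a peer's DH public value is "reasonable". The C below, added as an example and not the dh.c routine, shows both the check and why it matters, on a toy safe prime (p = 1019, q = 509, g = 2) small enough for 64-bit arithmetic; TOY_P, TOY_G, the status enum and the dh_*() names are constructed for the illustration. dh_shared() lets you see that the values the check rejects (0, 1, p-1) fix the shared secret whatever the private exponent is, and that a power of two leaks its own discrete log to base 2, which is also why the short exponents of revision 1.22 above are only acceptable together with this check and a safe-prime modulus.

```c
/*
 * Added example, not OpenSSH code: the sanity check on a peer's DH public
 * value, on a toy group so it runs with 64-bit arithmetic.  The real
 * check is the same logic on bignums.
 */
#include <stdint.h>

/* Constructed toy safe prime p = 2q + 1 (q = 509) with generator g = 2. */
#define TOY_P 1019u
#define TOY_G 2u

enum dh_pub_status { DH_PUB_OK, DH_PUB_OUT_OF_RANGE, DH_PUB_TOO_FEW_BITS };

static unsigned popcount64(uint64_t v)
{
    unsigned n = 0;

    for (; v != 0; v >>= 1)
        n += (unsigned)(v & 1);
    return n;
}

/* Square-and-multiply b^e mod p; p must fit in 32 bits so products fit. */
uint64_t modpow(uint64_t b, uint64_t e, uint64_t p)
{
    uint64_t r = 1;

    for (b %= p; e != 0; e >>= 1) {
        if (e & 1)
            r = r * b % p;
        b = b * b % p;
    }
    return r;
}

/*
 * Accept pub only if 2 <= pub <= p-2 and at least two bits are set.
 * 0, 1 and p-1 make the shared secret 0, 1 or +/-1 whatever our private
 * exponent is; with g = 2 a single set bit means pub = 2^k = g^k, so the
 * peer's "secret" is simply k.  Because 1 and p-1 are the only elements
 * of small order in a safe-prime group, this range check is also what
 * makes short private exponents acceptable there.
 */
enum dh_pub_status dh_pub_is_valid(uint64_t pub, uint64_t p)
{
    if (pub <= 1 || pub >= p - 1)
        return DH_PUB_OUT_OF_RANGE;
    if (popcount64(pub) < 2)
        return DH_PUB_TOO_FEW_BITS;
    return DH_PUB_OK;
}

/* Our public value e = g^x mod p. */
uint64_t dh_public(uint64_t priv, uint64_t p)
{
    return modpow(TOY_G, priv, p);
}

/* Shared secret K = f^x mod p from the peer's public value f. */
uint64_t dh_shared(uint64_t peer_pub, uint64_t priv, uint64_t p)
{
    return modpow(peer_pub, priv, p);
}
```

Note what the bit-count test catches that the range test does not: 512 is inside [2, p-2] and is a perfectly valid group element, but it equals g^9, so a peer that sends it has told us its exponent; on a real 2048-bit group the same observation holds for any 2^k below p.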


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2




Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.153 06-Sep-2019 djm

better error code for bad arguments; inspired by
https://github.com/openssh/openssh-portable/pull/144 by Ed Maste


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise the percolate all
the way up to dispatch_run_fatal() and lose all meaninful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.152 05-Sep-2019 djm

sprinkle in some explicit errors here, otherwise they percolate all
the way up to dispatch_run_fatal() and lose all meaningful context

to help with bz#3063; ok dtucker@


# 1.151 05-Sep-2019 djm

only send ext_info for KEX_INITIAL; bz#2929 ok dtucker


Revision tags: OPENBSD_6_5_BASE
# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters.*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey-related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.150 21-Jan-2019 djm

fix reversed arguments to kex_load_hostkey(); manifested as errors in
cert-hostkey.sh regress failures.


# 1.149 21-Jan-2019 djm

rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed
to kexgen

from markus@ ok djm@


# 1.148 21-Jan-2019 djm

remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX
methods have moved to KEM

from markus@ ok djm@


# 1.147 21-Jan-2019 djm

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@


# 1.146 21-Jan-2019 djm

factor out kex_verify_hostkey() - again, duplicated almost exactly
across client and server for several KEX methods.

from markus@ ok djm@


# 1.145 21-Jan-2019 djm

factor out kex_load_hostkey() - this is duplicated in both the client and
server implementations for most KEX methods.

from markus@ ok djm@


# 1.144 21-Jan-2019 djm

save the derived session id in kex_derive_keys() rather than making each
kex method implementation do it.

from markus@ ok djm@


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@
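As an added example (not OpenSSH code) of the string handling described in the 1.83 and 1.134 entries above, plus the "no garbage after payload" check from 1.46: a reader that rejects embedded \0 in C-string fields while keeping EXT_INFO values raw. The sample payload and the example-ext@example.com extension name are constructed for illustration.

```python
# Added example (not OpenSSH code): a reader for RFC 4251 "string" values in
# the spirit of buffer_get_cstring() from the 1.83 entry, applied to an
# SSH2_MSG_EXT_INFO payload, where the 1.134 entry notes that unknown
# extension values must be read as raw strings because they may contain \0.
import struct

SSH2_MSG_EXT_INFO = 7  # message number from RFC 8308


class ParseError(ValueError):
    """Raised for malformed wire data; a real peer would be disconnected."""


class SshBuffer:
    """Minimal sequential reader over RFC 4251 encoded data."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.off = 0

    def remaining(self) -> int:
        return len(self.data) - self.off

    def get_u8(self) -> int:
        if self.remaining() < 1:
            raise ParseError("truncated byte")
        v = self.data[self.off]
        self.off += 1
        return v

    def get_u32(self) -> int:
        if self.remaining() < 4:
            raise ParseError("truncated uint32")
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def get_string(self) -> bytes:
        """Raw 'string': uint32 length followed by arbitrary bytes."""
        n = self.get_u32()
        if self.remaining() < n:
            raise ParseError("truncated string")
        s = self.data[self.off:self.off + n]
        self.off += n
        return s

    def get_cstring(self) -> str:
        """A string destined for string(3) functions: embedded \0 is
        rejected.  A single trailing \0 is tolerated and stripped, matching
        the interoperability allowance described in the 1.83 entry."""
        s = self.get_string()
        if s.endswith(b"\0"):
            s = s[:-1]
        if b"\0" in s:
            raise ParseError("embedded NUL in string")
        return s.decode("utf-8")


def put_string(b: bytes) -> bytes:
    """Encode bytes as an RFC 4251 string (used to build sample input)."""
    return struct.pack(">I", len(b)) + b


def parse_ext_info(payload: bytes) -> dict:
    """Parse an SSH2_MSG_EXT_INFO payload: byte type, uint32 count, then
    (string name, string value) pairs.  Names are cstrings; values stay raw
    so an extension carrying string-encoded sub-values survives."""
    buf = SshBuffer(payload)
    if buf.get_u8() != SSH2_MSG_EXT_INFO:
        raise ParseError("not an EXT_INFO message")
    count = buf.get_u32()
    exts = {}
    for _ in range(count):  # each pair consumes >= 8 bytes, so a bogus
        name = buf.get_cstring()  # count fails on truncation, not memory
        exts[name] = buf.get_string()
    if buf.remaining() != 0:
        raise ParseError("garbage after payload")  # as in the 1.46 entry
    return exts


# Constructed sample: a well-known extension plus a hypothetical unknown one
# whose value is two string-encoded sub-values (length prefixes contain \0).
SAMPLE_EXT_INFO = (
    bytes([SSH2_MSG_EXT_INFO])
    + struct.pack(">I", 2)
    + put_string(b"server-sig-algs") + put_string(b"ssh-ed25519,rsa-sha2-256")
    + put_string(b"example-ext@example.com")
    + put_string(put_string(b"sub") + put_string(b"value"))
)
```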


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@
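The negotiation that the 1.53, 1.87, 1.115 and 1.107 entries above describe (client-preference matching, first_kex_follows guess handling, and a failure message carrying both offers), as an added example in Python that is not OpenSSH code. The slot names and the dict layout of the proposals are assumptions made for illustration.

```python
# Added example (not OpenSSH code): KEXINIT name-list negotiation as
# described in RFC 4253 section 7.1, written from the client's point of view.
from __future__ import annotations
from typing import Optional


def parse_name_list(s: str) -> list[str]:
    """Split a comma-separated SSH name-list, dropping empty names."""
    return [n for n in s.split(",") if n]


def match_list(client: str, server: str) -> Optional[str]:
    """First client-preferred name that the server also lists, or None
    when the two offers are disjoint."""
    offered = set(parse_name_list(server))
    for name in parse_name_list(client):
        if name in offered:
            return name
    return None


def negotiate(client: dict[str, str], server: dict[str, str],
              peer_first_kex_follows: bool) -> dict:
    """Negotiate one algorithm per proposal slot.

    `client` and `server` map a slot name ("kex", "hostkey", ...) to that
    side's offered name-list; both must at least contain "kex" and
    "hostkey" (an assumption of this example).  Returns the chosen
    algorithms and whether the peer's guessed KEX packet, sent when it set
    first_kex_follows, has to be discarded.
    """
    chosen = {}
    for slot in client:
        pick = match_list(client[slot], server[slot])
        if pick is None:
            # 1.107: report the peer's offer too, so the mismatch can be
            # diagnosed from the log rather than guessed at.
            raise ValueError(
                f"no matching {slot} found. their offer: {server[slot]} / "
                f"our offer: {client[slot]}")
        chosen[slot] = pick
    # A guess is only right when both sides' first kex algorithm and first
    # host key algorithm agree; otherwise the guessed packet is ignored.
    guess_ok = (
        parse_name_list(client["kex"])[0] == parse_name_list(server["kex"])[0]
        and parse_name_list(client["hostkey"])[0]
        == parse_name_list(server["hostkey"])[0]
    )
    return {
        "chosen": chosen,
        "ignore_guessed_packet": peer_first_kex_follows and not guess_ok,
    }


# Constructed sample offers (not captured from any real peer).
CLIENT_OFFER = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256",
    "hostkey": "ssh-ed25519,rsa-sha2-512",
}
SERVER_OFFER = {
    "kex": "diffie-hellman-group14-sha256,curve25519-sha256",
    "hostkey": "ssh-ed25519",
}
```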


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to clean up the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.143 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
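
The CR handling described above, as an added example that is not OpenSSH's banner-exchange code: banner_read_line() and banner_is_version_line() are names chosen here, and the input in main() is constructed. A '\r' is accepted only when the next buffered byte is '\n'; a '\r' that happens to be the last byte received so far is reported as incomplete input rather than as an error, so a peer whose CR and LF arrive in separate reads is not penalised.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 4253: the identification string is at most 255 bytes incl. CR LF */
#define BANNER_MAX 255

/*
 * Added example, not OpenSSH's kex_exchange_identification(): pull one
 * identification line out of a receive buffer.
 * Returns the number of bytes consumed including the terminator, 0 if no
 * complete line is buffered yet, or -1 on a protocol violation.  On
 * success *linelen is the line length without CR/LF.
 *
 * The strictness rule from the commit message: '\r' is accepted only when
 * the very next byte is '\n'; a bare '\r' anywhere else is an error rather
 * than being silently tolerated.
 */
int
banner_read_line(const unsigned char *buf, size_t len, size_t *linelen)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (i >= BANNER_MAX)
			return -1;		/* no terminator within the limit */
		if (buf[i] == '\n') {
			*linelen = i;
			return (int)(i + 1);
		}
		if (buf[i] == '\r') {
			if (i + 1 >= len)
				return 0;	/* CR is the last byte so far: wait */
			if (buf[i + 1] != '\n')
				return -1;	/* CR not followed by LF: reject */
			*linelen = i;
			return (int)(i + 2);
		}
	}
	return 0;				/* incomplete line */
}

/* Does the line carry the "SSH-" identification prefix? */
int
banner_is_version_line(const unsigned char *line, size_t linelen)
{
	return linelen >= 4 && memcmp(line, "SSH-", 4) == 0;
}

int
main(void)
{
	/* Constructed input: a valid banner followed by the start of a packet */
	const unsigned char in[] = "SSH-2.0-ExampleServer_1.0\r\n\0\0\0";
	size_t n;
	int r = banner_read_line(in, sizeof(in) - 1, &n);

	if (r > 0 && banner_is_version_line(in, n))
		printf("peer version: %.*s (consumed %d bytes)\n",
		    (int)n, (const char *)in, r);
	return 0;
}
```

Bytes after the consumed line are left in the buffer for the binary packet layer, which is why the function reports how much it consumed rather than copying the line out.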


# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
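
How the dispatch-table changes in 1.42 (a single protocol-error handler that sends UNIMPLEMENTED), 1.38 (quoting the failing sequence number), 1.44 (re-arming KEXINIT after rekeying) and this commit fit together, as an added example that is not OpenSSH's dispatch.c or kex.c: struct conn, conn_init(), conn_dispatch() and the handler names are chosen here, and the counters stand in for the outbound packet path. Once the first KEXINIT has been processed its handler is replaced by the default protocol-error handler, so a repeated KEXINIT before NEWKEYS is answered with UNIMPLEMENTED and allocates nothing; NEWKEYS re-arms it so rekeying still works.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4253 */
#define SSH2_MSG_UNIMPLEMENTED	3
#define SSH2_MSG_KEXINIT	20
#define SSH2_MSG_NEWKEYS	21
#define DISPATCH_MAX		256

struct conn;
typedef int (*dispatch_fn)(struct conn *, int type, uint32_t seqnr);

/* Added example, not OpenSSH's code: a per-connection dispatch table in the
 * style of dispatch_set(), with counters standing in for the outbound
 * packet path so the behaviour can be observed. */
struct conn {
	dispatch_fn dispatch[DISPATCH_MAX];
	int kex_active;			/* KEXINIT received, NEWKEYS not yet */
	int kexinits_processed;		/* proposals actually parsed */
	int unimpl_sent;		/* UNIMPLEMENTED replies "sent" */
	uint32_t last_unimpl_seqnr;	/* sequence number quoted in the last one */
};

/*
 * Default handler (1.42): answer anything unexpected with UNIMPLEMENTED
 * instead of exiting, quoting the offending packet's sequence number as
 * the conformance fix in 1.38 requires.
 */
static int
dispatch_protocol_error(struct conn *c, int type, uint32_t seqnr)
{
	(void)type;
	c->unimpl_sent++;
	c->last_unimpl_seqnr = seqnr;
	return 0;
}

static int
kex_input_kexinit(struct conn *c, int type, uint32_t seqnr)
{
	(void)type; (void)seqnr;
	c->kex_active = 1;
	c->kexinits_processed++;	/* the real handler allocates proposal buffers here */
	/* 1.127: unregister ourselves.  Until NEWKEYS completes the exchange a
	 * repeated KEXINIT from the still-unauthenticated peer falls through to
	 * the default handler and allocates nothing. */
	c->dispatch[SSH2_MSG_KEXINIT] = dispatch_protocol_error;
	return 0;
}

static int
kex_input_newkeys(struct conn *c, int type, uint32_t seqnr)
{
	(void)type; (void)seqnr;
	if (!c->kex_active)
		return -1;		/* NEWKEYS with no exchange in progress: fatal */
	c->kex_active = 0;
	/* Exchange complete: re-arm KEXINIT so rekeying still works (1.44) */
	c->dispatch[SSH2_MSG_KEXINIT] = kex_input_kexinit;
	return 0;
}

void
conn_init(struct conn *c)
{
	int i;

	memset(c, 0, sizeof(*c));
	for (i = 0; i < DISPATCH_MAX; i++)
		c->dispatch[i] = dispatch_protocol_error;
	c->dispatch[SSH2_MSG_KEXINIT] = kex_input_kexinit;
	c->dispatch[SSH2_MSG_NEWKEYS] = kex_input_newkeys;
}

/* Deliver one received packet; returns the handler's result, -1 = fatal. */
int
conn_dispatch(struct conn *c, int type, uint32_t seqnr)
{
	if (type < 0 || type >= DISPATCH_MAX)
		return -1;
	return c->dispatch[type](c, type, seqnr);
}

int
main(void)
{
	struct conn c;

	conn_init(&c);
	conn_dispatch(&c, SSH2_MSG_KEXINIT, 0);
	conn_dispatch(&c, SSH2_MSG_KEXINIT, 1);	/* repeat: not processed again */
	printf("KEXINITs processed: %d, UNIMPLEMENTED sent: %d (seqnr %u)\n",
	    c.kexinits_processed, c.unimpl_sent, (unsigned)c.last_unimpl_seqnr);
	return 0;
}
```

The table is per connection, so swapping a handler affects only that peer; the same mechanism is what 1.44 relies on when the dispatcher is reset around a rekey.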


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
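
The '+' behaviour of this commit, the '-' removal from 1.128 and the early wildcard expansion from 1.138, as an added example that is not OpenSSH's kex_assemble_names(): the supported table is constructed, and assemble_names() and its helpers are names chosen here. Patterns are expanded against the supported set when the list is assembled, so an item that matches nothing fails immediately rather than at connection time; removing a pattern that matches nothing is a no-op in this version, and there is no '!' negation.

```c
#include <stdio.h>
#include <string.h>

#define LIST_MAX 512

/* Constructed supported-algorithm set, standing in for the compiled-in table. */
static const char *supported[] = {
	"aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc",
	"3des-cbc", "chacha20-poly1305@openssh.com", NULL
};

/* '*' matches any run, '?' one char; no '!' negation (wildcards only, 1.138). */
static int
wild_match(const char *pat, const char *s)
{
	if (*pat == '\0')
		return *s == '\0';
	if (*pat == '*')
		return wild_match(pat + 1, s) || (*s != '\0' && wild_match(pat, s + 1));
	return *s != '\0' && (*pat == '?' || *pat == *s) && wild_match(pat + 1, s + 1);
}

/* Next comma-separated item of *p into item; advance *p; -1 if it doesn't fit. */
static int
next_item(const char **p, char *item, size_t itemsz)
{
	const char *start = *p, *e = strchr(start, ',');
	size_t l = e != NULL ? (size_t)(e - start) : strlen(start);

	*p = start + l + (e != NULL);	/* always advance so loops terminate */
	if (l >= itemsz)
		return -1;
	memcpy(item, start, l);
	item[l] = '\0';
	return (int)l;
}

/* Whole-item membership test: ",name," inside ",list," */
static int
list_contains(const char *list, const char *name)
{
	char hay[LIST_MAX + 2], needle[LIST_MAX + 2];

	snprintf(hay, sizeof(hay), ",%s,", list);
	snprintf(needle, sizeof(needle), ",%s,", name);
	return strstr(hay, needle) != NULL;
}

/* Append name unless already present; -1 if out would overflow. */
static int
list_append(char *out, size_t outsz, const char *name)
{
	if (list_contains(out, name))
		return 0;
	if (strlen(out) + strlen(name) + 2 > outsz)
		return -1;
	if (*out != '\0')
		strcat(out, ",");
	strcat(out, name);
	return 0;
}

/* Drop every entry of out that matches pat. */
static void
list_remove(char *out, const char *pat)
{
	char tmp[LIST_MAX] = "", item[LIST_MAX];
	const char *p = out;

	while (*p != '\0')
		if (next_item(&p, item, sizeof(item)) > 0 && !wild_match(pat, item))
			list_append(tmp, sizeof(tmp), item);
	strcpy(out, tmp);	/* tmp is never longer than out was */
}

/* Added example, not OpenSSH's kex_assemble_names(): "+list" appends to the
 * default (1.109), "-list" removes from it (1.128), anything else replaces it.
 * Items are wildcards expanded against the supported set up front (1.138).
 * Returns 0 on success, -1 on an unknown algorithm, empty item or overflow. */
int
assemble_names(const char *def, const char *spec, char *out, size_t outsz)
{
	char item[LIST_MAX];
	int i, matched, mode = 0;	/* 0 replace, 1 append, 2 remove */

	if (outsz > LIST_MAX || outsz < strlen(def) + 1)
		return -1;
	if (*spec == '+' || *spec == '-')
		mode = *spec++ == '+' ? 1 : 2;
	strcpy(out, mode == 0 ? "" : def);
	while (*spec != '\0') {
		if (next_item(&spec, item, sizeof(item)) <= 0)
			return -1;		/* empty or oversized item */
		if (mode == 2) {
			list_remove(out, item);	/* no-op when nothing matches */
			continue;
		}
		for (matched = 0, i = 0; supported[i] != NULL; i++)
			if (wild_match(item, supported[i]) && ++matched &&
			    list_append(out, outsz, supported[i]) != 0)
				return -1;
		if (matched == 0)
			return -1;		/* names no supported algorithm */
	}
	return 0;
}
```

Because the output is already fully expanded, a config dump can show the concrete algorithms in effect (the point made in 1.138), and an operator can see at once whether "-*cbc" actually removed what was intended.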


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
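
The check buffer_get_cstring() adds, as an added example that is not OpenSSH's buffer code: struct bufview, get_u32() and get_cstring() are names chosen here, the wire bytes in main() are constructed, and the tolerance of exactly one trailing NUL follows the footnote above. A string with a NUL anywhere else is rejected and nothing is consumed, so the caller can fail the connection cleanly instead of handing a silently truncated string to a string(3) function.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read-only view of the unconsumed part of a receive buffer. */
struct bufview {
	const unsigned char *p;
	size_t len;
};

/* Read a big-endian uint32, the SSH wire-format length prefix. */
static int
get_u32(struct bufview *b, uint32_t *v)
{
	if (b->len < 4)
		return -1;
	*v = ((uint32_t)b->p[0] << 24) | ((uint32_t)b->p[1] << 16) |
	    ((uint32_t)b->p[2] << 8) | (uint32_t)b->p[3];
	b->p += 4;
	b->len -= 4;
	return 0;
}

/*
 * Added example, not OpenSSH's buffer_get_cstring(): pull one SSH "string"
 * (uint32 length + bytes) out of the buffer and return it as a freshly
 * allocated NUL-terminated C string.  Returns NULL, consuming nothing, if
 * the buffer is truncated or the string carries an embedded '\0' that a
 * string(3) function would otherwise silently stop at.  As in the footnote
 * above, exactly one '\0' at the very end is tolerated and stripped.
 */
char *
get_cstring(struct bufview *b, size_t *outlen)
{
	struct bufview tmp = *b;
	uint32_t len;
	size_t i, n;
	char *s;

	if (get_u32(&tmp, &len) != 0 || len > tmp.len)
		return NULL;			/* truncated */
	n = len;
	if (n > 0 && tmp.p[n - 1] == '\0')
		n--;				/* tolerate one trailing NUL */
	for (i = 0; i < n; i++)
		if (tmp.p[i] == '\0')
			return NULL;		/* embedded NUL: reject */
	if ((s = malloc(n + 1)) == NULL)
		return NULL;
	memcpy(s, tmp.p, n);
	s[n] = '\0';
	tmp.p += len;
	tmp.len -= len;
	*b = tmp;				/* commit the consumption */
	if (outlen != NULL)
		*outlen = n;
	return s;
}

int
main(void)
{
	/* Constructed wire data: "user", then a malformed "root\0evil" string */
	const unsigned char wire[] = {
		0, 0, 0, 4, 'u', 's', 'e', 'r',
		0, 0, 0, 9, 'r', 'o', 'o', 't', 0, 'e', 'v', 'i', 'l'
	};
	struct bufview b = { wire, sizeof(wire) };
	char *s;

	while ((s = get_cstring(&b, NULL)) != NULL) {
		printf("got \"%s\"\n", s);
		free(s);
	}
	printf("rejected with %zu bytes left unconsumed\n", b.len);
	return 0;
}
```

Working on a copy of the view and committing it only on success is what makes "consume nothing on error" cheap; the caller's buffer state stays consistent for logging or for a protocol-error reply.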


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related clientup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't sent multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of recent my changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

# 1.142 07-Dec-2018 djm

only consider the ext-info-c extension during the initial KEX. It shouldn't
be sent in subsequent ones, but if it is present we should ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@


Revision tags: OPENBSD_6_4_BASE
# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@
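
The entries for 1.131, 1.127, 1.122 and 1.112 above each close one hole in how inbound messages are accepted while a key exchange is in progress. The C below is an added example, not code from kex.c, that applies the same four decisions in a minimal dispatch state machine: the KEXINIT handler unregisters itself once a peer KEXINIT has been taken, so a repeated KEXINIT from an unauthenticated peer is a protocol error rather than another buffer allocation; NEWKEYS is handled by the kex layer itself and rejected if no keys have been derived yet; a KEXINIT arriving mid-exchange is fatal; and any other unexpected type is answered with UNIMPLEMENTED. The message numbers are the SSH2 values (20, 21, 30, 50); the struct, state names, handler names and the constructed message sequences are this example's.

```c
/* Added example, not kex.c code: a minimal KEX dispatch state machine. */
#include <stddef.h>
#include <string.h>

#define SSH2_MSG_KEXINIT	20
#define SSH2_MSG_NEWKEYS	21
#define SSH2_MSG_KEX_30		30	/* first method-specific KEX message */

enum kex_state { KEX_IDLE, KEX_INIT_RECEIVED, KEX_KEYS_DERIVED, KEX_DONE };
enum { KEX_OK = 0, KEX_UNIMPLEMENTED = 1, KEX_PROTOCOL_ERROR = -1 };

struct kex;
typedef int (*handler_fn)(struct kex *);

struct kex {
	enum kex_state state;
	handler_fn dispatch[256];
	int newkeys_ready;	/* stands in for kex->newkeys[] being non-NULL */
	int kexinit_count;	/* how many peer KEXINITs were actually buffered */
};

static int handle_kex_30(struct kex *k);

static int handle_kexinit(struct kex *k)
{
	k->kexinit_count++;	/* the real handler buffers the whole peer packet */
	/* 1.127: drop the handler so a repeated KEXINIT cannot allocate again. */
	k->dispatch[SSH2_MSG_KEXINIT] = NULL;
	k->dispatch[SSH2_MSG_KEX_30] = handle_kex_30;
	k->state = KEX_INIT_RECEIVED;
	return KEX_OK;
}

static int handle_kex_30(struct kex *k)
{
	k->dispatch[SSH2_MSG_KEX_30] = NULL;
	k->newkeys_ready = 1;	/* shared secret computed, keys derived */
	k->state = KEX_KEYS_DERIVED;
	return KEX_OK;
}

/* 1.122: NEWKEYS belongs to the kex layer and is checked against state. */
static int handle_newkeys(struct kex *k)
{
	if (!k->newkeys_ready)
		return KEX_PROTOCOL_ERROR;	/* early NEWKEYS: nothing to activate */
	k->newkeys_ready = 0;
	k->state = KEX_DONE;
	k->dispatch[SSH2_MSG_KEXINIT] = handle_kexinit;	/* re-armed for rekeying */
	return KEX_OK;
}

void kex_init(struct kex *k)
{
	memset(k, 0, sizeof(*k));
	k->dispatch[SSH2_MSG_KEXINIT] = handle_kexinit;
}

/* One inbound message type; returns what the dispatcher would do with it. */
int kex_input(struct kex *k, int type)
{
	if (type < 0 || type > 255)
		return KEX_PROTOCOL_ERROR;
	if (type == SSH2_MSG_NEWKEYS)
		return handle_newkeys(k);
	if (k->dispatch[type] != NULL)
		return k->dispatch[type](k);
	if (type == SSH2_MSG_KEXINIT)
		return KEX_PROTOCOL_ERROR;	/* 1.131: KEXINIT while KEX in progress */
	return KEX_UNIMPLEMENTED;		/* 1.112: anything else unexpected */
}

/* Feeds a sequence, stopping at the first fatal error; returns the last rc. */
int kex_feed(struct kex *k, const int *msgs, size_t n)
{
	int rc = KEX_OK;
	size_t i;
	for (i = 0; i < n && rc != KEX_PROTOCOL_ERROR; i++)
		rc = kex_input(k, msgs[i]);
	return rc;
}

/* Runs a sequence on a fresh state; returns rc, KEXINIT count via out param. */
int run_sequence(const int *msgs, size_t n, int *kexinit_count)
{
	struct kex k;
	int rc;
	kex_init(&k);
	rc = kex_feed(&k, msgs, n);
	if (kexinit_count != NULL)
		*kexinit_count = k.kexinit_count;
	return rc;
}

int count_kexinits(const int *msgs, size_t n)
{
	int c;
	run_sequence(msgs, n, &c);
	return c;
}

/* Constructed peer message sequences. */
const int seq_normal[]         = { 20, 30, 21 };
const int seq_repeat_kexinit[] = { 20, 20 };	/* the 1.127 DoS attempt */
const int seq_early_newkeys[]  = { 20, 21 };	/* the 1.122 crash input */
const int seq_unexpected[]     = { 20, 50 };	/* USERAUTH_REQUEST during KEX */
const int seq_rekey[]          = { 20, 30, 21, 20, 30, 21 };
```

The repeated-KEXINIT sequence leaves kexinit_count at 1 and ends in a protocol error, which is the whole point of 1.127: the cost of buffering a peer KEXINIT is paid once per exchange, not once per packet the peer cares to send. The rekey sequence shows why the handler has to be re-armed on NEWKEYS rather than left unregistered, as 1.44 found.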


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
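
Entries 1.138, 1.128 and 1.109 above together describe the algorithm list syntax: a leading '+' appends to the default list, a leading '-' removes from it, a bare list replaces it, and items may use wildcards that are expanded against the supported set when the configuration is finalised, without pattern-list negation. The C below is an added example, not OpenSSH's own implementation: the supported and default KEX lists are constructed for illustration and the matcher handles only '*' and '?'. A pattern that matches nothing supported fails at assembly time, which is the early error reporting 1.138 describes.

```c
/* Added example, not OpenSSH code: expanding '+'/'-' algorithm list options. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64

/* Copies the next comma-separated item of *p into tok; returns 0 at end of list. */
static int next_item(const char **p, char *tok, size_t toklen)
{
	const char *s = *p, *e = strchr(s, ',');
	size_t n = e != NULL ? (size_t)(e - s) : strlen(s);
	if (*s == '\0')
		return 0;
	if (n >= toklen)
		n = toklen - 1;
	memcpy(tok, s, n);
	tok[n] = '\0';
	*p = e != NULL ? e + 1 : s + strlen(s);
	return 1;
}

/* Wildcards '*' and '?' only; no '!' negation, as 1.138 clarifies. */
int match_pattern(const char *s, const char *pat)
{
	if (*pat == '\0')
		return *s == '\0';
	if (*pat == '*')
		return match_pattern(s, pat + 1) ||
		    (*s != '\0' && match_pattern(s + 1, pat));
	return *s != '\0' && (*pat == '?' || *pat == *s) &&
	    match_pattern(s + 1, pat + 1);
}

static int list_contains(const char *list, const char *name)
{
	char tok[NAME_MAX];
	while (next_item(&list, tok, sizeof(tok)))
		if (strcmp(tok, name) == 0)
			return 1;
	return 0;
}

static void list_append(char *out, size_t outlen, const char *name)
{
	if (out[0] != '\0')
		strncat(out, ",", outlen - strlen(out) - 1);
	strncat(out, name, outlen - strlen(out) - 1);
}

/*
 * "+spec" appends supported names matching spec to def, "-spec" removes
 * matching names from def, a bare spec replaces def; wildcards expand against
 * supported, in its order.  Returns -1 if an added or bare pattern matches
 * nothing, so a typo fails when the config is finalised, not per connection.
 */
int assemble_names(const char *supported, const char *def, const char *spec,
    char *out, size_t outlen)
{
	char pat[NAME_MAX], name[NAME_MAX];
	const char *p, *q;
	int op = 0, matched;
	out[0] = '\0';
	if (*spec == '+' || *spec == '-')
		op = *spec++;
	if (op == '-') {
		for (q = def; next_item(&q, name, sizeof(name)); ) {
			matched = 0;
			for (p = spec; next_item(&p, pat, sizeof(pat)); )
				matched |= match_pattern(name, pat);
			if (!matched)
				list_append(out, outlen, name);
		}
		return 0;
	}
	if (op == '+')
		snprintf(out, outlen, "%s", def);
	for (p = spec; next_item(&p, pat, sizeof(pat)); ) {
		matched = 0;
		for (q = supported; next_item(&q, name, sizeof(name)); ) {
			if (!match_pattern(name, pat))
				continue;
			matched = 1;
			if (!list_contains(out, name))
				list_append(out, outlen, name);
		}
		if (!matched)
			return -1;	/* unknown or unsupported algorithm */
	}
	return 0;
}

/* Constructed lists standing in for the compiled-in and default KEX sets. */
const char *kex_supported = "curve25519-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1";
const char *kex_default = "curve25519-sha256,ecdh-sha2-nistp256,"
    "diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1";
char kex_effective[256];	/* receives the expanded list */
```

Applying "-*sha1" to the constructed default drops diffie-hellman-group-exchange-sha1 and nothing else; "+ecdh-*" appends only ecdh-sha2-nistp384, because nistp256 is already in the default; "nosuch-kex" is rejected rather than silently producing an empty or partial list.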


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@
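
Entries 1.97 and 1.96 above together define how large a group the client asks for in diffie-hellman-group-exchange: the need is the largest of the cipher's effective security length, block size, IV length and MAC key length over both directions, and 3des-cbc is counted at its 112-bit effective strength rather than its 192-bit key. The C below is an added example, not the kex.c code: the cipher and MAC tables are a constructed subset with sizes in bytes, and the mapping from bits to group size (2048/3072/7680/8192) is this example's reading of the RFC 4419 recommendations, not a quote of the thresholds in dh.c.

```c
/* Added example, not kex.c code: sizing the DH group-exchange request. */
#include <stddef.h>
#include <string.h>

struct cipher { const char *name; int key_len, block_size, iv_len; };
struct mac    { const char *name; int key_len; };

/* Constructed subset of algorithm parameters, all in bytes. */
static const struct cipher ciphers[] = {
	{ "3des-cbc",   24,  8,  8 },
	{ "aes128-ctr", 16, 16, 16 },
	{ "aes256-ctr", 32, 16, 16 },
};
static const struct mac macs[] = {
	{ "hmac-md5",      16 },
	{ "hmac-sha1",     20 },
	{ "hmac-sha2-256", 32 },
	{ "hmac-sha2-512", 64 },
};

static int maximum(int a, int b) { return a > b ? a : b; }

const struct cipher *find_cipher(const char *name)
{
	size_t i;
	for (i = 0; i < sizeof(ciphers) / sizeof(ciphers[0]); i++)
		if (strcmp(ciphers[i].name, name) == 0)
			return &ciphers[i];
	return NULL;
}

const struct mac *find_mac(const char *name)
{
	size_t i;
	for (i = 0; i < sizeof(macs) / sizeof(macs[0]); i++)
		if (strcmp(macs[i].name, name) == 0)
			return &macs[i];
	return NULL;
}

/*
 * Effective key strength in bytes (1.96): 3des-cbc carries 24 key bytes but
 * gives only 112 bits of security, so it counts as 14, not 24.
 */
int cipher_seclen(const struct cipher *c)
{
	if (strcmp(c->name, "3des-cbc") == 0)
		return 14;
	return c->key_len;
}

/*
 * dh_need (1.97): max(seclen, blocksize, ivlen, mac_len), taken over the
 * algorithms of both directions.  Returns bytes, or -1 for an unknown name.
 */
int dh_need(const char *c2s_cipher, const char *c2s_mac,
    const char *s2c_cipher, const char *s2c_mac)
{
	const char *cn[2] = { c2s_cipher, s2c_cipher };
	const char *mn[2] = { c2s_mac, s2c_mac };
	int need = 0, i;

	for (i = 0; i < 2; i++) {
		const struct cipher *c = find_cipher(cn[i]);
		const struct mac *m = find_mac(mn[i]);

		if (c == NULL || m == NULL)
			return -1;
		need = maximum(need, cipher_seclen(c));
		need = maximum(need, c->block_size);
		need = maximum(need, c->iv_len);
		need = maximum(need, m->key_len);
	}
	return need;
}

/*
 * Group size in bits to ask the server for.  Thresholds are this example's
 * reading of the RFC 4419 recommendations, not a quote of dh.c.
 */
int dh_estimate_bits(int need_bytes)
{
	int bits = need_bytes * 8;

	if (bits <= 112)
		return 2048;
	if (bits <= 128)
		return 3072;
	if (bits <= 192)
		return 7680;
	return 8192;
}

/* Bits requested when both directions use the same cipher and MAC. */
int gex_request_bits(const char *cipher, const char *mac)
{
	int need = dh_need(cipher, mac, cipher, mac);

	return need < 0 ? -1 : dh_estimate_bits(need);
}
```

With the 24-byte 3DES key taken at face value, 3des-cbc with hmac-md5 would request a 7680-bit group (dh_estimate_bits(24)); the 112-bit special case brings the same pairing down to 3072 bits, under the 4k limit the commit mentions. Note that the MAC key length dominates for the SHA-2 HMACs, so aes128-ctr with hmac-sha2-512 still asks for an 8192-bit group.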


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
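
The check 1.83 describes, as an added example in C that is not the buffer_get_cstring() implementation itself: an SSH string on the wire is a uint32 length followed by that many bytes, so a peer can legally include NUL bytes, and a C string built from it silently ends at the first one. The constructed wire samples below hold a clean algorithm name, the single trailing NUL the footnote tolerates, and bytes smuggled in after an embedded NUL that a strcmp() on the naive copy would never see. The struct and function names are this example's.

```c
/* Added example, not OpenSSH code: reading an SSH string as a C string. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rbuf {
	const unsigned char *p;
	size_t len, off;
};

enum { CS_OK = 0, CS_ERR_SHORT = -1, CS_ERR_NUL = -2, CS_ERR_ALLOC = -3 };

/* uint32 big-endian length, then that many bytes; no copy, no NUL check. */
static int get_string(struct rbuf *b, const unsigned char **s, size_t *n)
{
	const unsigned char *q;

	if (b->len - b->off < 4)
		return CS_ERR_SHORT;
	q = b->p + b->off;
	*n = ((size_t)q[0] << 24) | ((size_t)q[1] << 16) | ((size_t)q[2] << 8) | q[3];
	b->off += 4;
	if (b->len - b->off < *n)
		return CS_ERR_SHORT;
	*s = b->p + b->off;
	b->off += *n;
	return CS_OK;
}

/*
 * Returns a NUL-terminated copy, or CS_ERR_NUL if the wire bytes contain a
 * NUL anywhere but the last position (one trailing NUL is tolerated, as the
 * footnote in 1.83 says).  strlen(*out) then equals what the peer sent.
 */
int get_cstring(struct rbuf *b, char **out)
{
	const unsigned char *s;
	size_t n, i;
	int rc;

	*out = NULL;
	if ((rc = get_string(b, &s, &n)) != CS_OK)
		return rc;
	if (n > 0 && s[n - 1] == '\0')
		n--;
	for (i = 0; i < n; i++)
		if (s[i] == '\0')
			return CS_ERR_NUL;
	if ((*out = malloc(n + 1)) == NULL)
		return CS_ERR_ALLOC;
	memcpy(*out, s, n);
	(*out)[n] = '\0';
	return CS_OK;
}

/* Constructed wire samples: "ssh-rsa", "ssh-rsa\0" and "ssh-rsa\0evil". */
const unsigned char wire_clean[]    = { 0,0,0,7,  's','s','h','-','r','s','a' };
const unsigned char wire_trailing[] = { 0,0,0,8,  's','s','h','-','r','s','a',0 };
const unsigned char wire_smuggled[] = { 0,0,0,12, 's','s','h','-','r','s','a',0,'e','v','i','l' };

char decoded[64];	/* result of the last decode_sample() call */

/* Hardened path: decode with get_cstring(); returns the status code. */
int decode_sample(const unsigned char *wire, size_t len)
{
	struct rbuf b = { wire, len, 0 };
	char *s;
	int rc = get_cstring(&b, &s);

	snprintf(decoded, sizeof(decoded), "%s", rc == CS_OK ? s : "");
	free(s);
	return rc;
}

/*
 * Unhardened path: copy the bytes and strcmp().  The smuggled sample compares
 * equal to "ssh-rsa" because strcmp() stops at the embedded NUL, so the extra
 * bytes are accepted without anyone noticing them.  Returns 1 on a match.
 */
int naive_matches(const unsigned char *wire, size_t len, const char *want)
{
	struct rbuf b = { wire, len, 0 };
	const unsigned char *s;
	size_t n;
	char tmp[64];

	if (get_string(&b, &s, &n) != CS_OK || n >= sizeof(tmp))
		return 0;
	memcpy(tmp, s, n);
	tmp[n] = '\0';
	return strcmp(tmp, want) == 0;
}
```

The smuggled sample is the case the commit is about: the naive comparison accepts it as "ssh-rsa", while get_cstring() rejects it before any string(3) function gets to see the truncated view.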


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
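
The overflow 1.70 refers to, as an added example in C rather than OpenSSH's own xcalloc(): nmemb * size is computed modulo SIZE_MAX + 1, so a large element count can yield a tiny allocation that later element writes overrun. checked_calloc() is a hypothetical name for this example; unlike xcalloc(), which aborts the process on failure, it returns NULL with errno set so the test can observe the refusal.

```c
/* Added example, not OpenSSH code: overflow-checked counted allocation. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 1 if nmemb * size does not fit in a size_t. */
int mul_overflows(size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0)
		return 0;
	return nmemb > SIZE_MAX / size;
}

/* The byte count the unchecked idiom malloc(nmemb * size) would request. */
size_t naive_bytes(size_t nmemb, size_t size)
{
	return nmemb * size;	/* unsigned wrap: no trap, no error, tiny buffer */
}

/*
 * Hypothetical checked allocator.  Zero-length and overflowing requests are
 * refused (errno EINVAL / EOVERFLOW) instead of returning an undersized block.
 */
void *checked_calloc(size_t nmemb, size_t size)
{
	void *p;

	if (nmemb == 0 || size == 0) {
		errno = EINVAL;
		return NULL;
	}
	if (mul_overflows(nmemb, size)) {
		errno = EOVERFLOW;
		return NULL;
	}
	if ((p = malloc(nmemb * size)) != NULL)
		memset(p, 0, nmemb * size);
	return p;
}

/*
 * Constructed worst case: SIZE_MAX / 8 + 2 elements of 8 bytes.  The naive
 * product wraps to 8 bytes; the checked path refuses it.  Returns 1 on refusal.
 */
int demo_refuses_wrapped_request(void)
{
	size_t nmemb = SIZE_MAX / 8 + 2;
	void *p = checked_calloc(nmemb, 8);
	int refused = (p == NULL && errno == EOVERFLOW);

	free(p);
	return refused;
}
```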


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.141 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.140 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.139 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.138 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.137 03-Jul-2018 djm

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@


Revision tags: OPENBSD_6_3_BASE
# 1.136 07-Feb-2018 jsing

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
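
The check this entry describes, as an added example that is not OpenSSH's own buffer code: a reader for an SSH length-prefixed string that rejects embedded NUL bytes while tolerating (and stripping) a single trailing one. The names get_cstring and vector_*, the status codes and the sample byte vectors are all constructed for this example.

```c
/* Added example (not OpenSSH's buffer.c): read one SSH "string"
 * (uint32 big-endian length + bytes) and refuse embedded NUL bytes,
 * in the spirit of buffer_get_cstring(). Constructed inputs follow. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { GET_OK = 0, GET_SHORT = 1, GET_EMBEDDED_NUL = 2, GET_NOMEM = 3 };

/*
 * Parse the string at in[*off]. On GET_OK, *out is a malloc'd,
 * NUL-terminated copy and *off is advanced past the encoded string.
 * One NUL as the very last encoded byte is tolerated and stripped (the
 * footnoted leniency); any other NUL is an error, so a later strlen()
 * or strcmp() cannot silently see a shorter string than the length
 * field claimed.
 */
int
get_cstring(const unsigned char *in, size_t len, size_t *off, char **out)
{
	const unsigned char *p;
	uint32_t n;
	size_t copy;

	*out = NULL;
	if (*off > len || len - *off < 4)
		return GET_SHORT;
	p = in + *off;
	n = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | (uint32_t)p[3];
	if (len - *off - 4 < n)
		return GET_SHORT;		/* length field overruns the buffer */
	p += 4;
	copy = n;
	if (copy > 0 && p[copy - 1] == '\0')
		copy--;				/* tolerate a single trailing NUL */
	if (memchr(p, '\0', copy) != NULL)
		return GET_EMBEDDED_NUL;	/* NUL before the end: reject */
	if ((*out = malloc(copy + 1)) == NULL)
		return GET_NOMEM;
	memcpy(*out, p, copy);
	(*out)[copy] = '\0';
	*off += 4 + (size_t)n;
	return GET_OK;
}

/* Constructed vectors: "ssh-rsa", "ssh-rsa\0", "ssh-rsa\0evil", and a
 * length field (9) larger than the 7 bytes that actually follow it. */
static const unsigned char VEC_CLEAN[]    = { 0,0,0,7, 's','s','h','-','r','s','a' };
static const unsigned char VEC_TRAILNUL[] = { 0,0,0,8, 's','s','h','-','r','s','a',0 };
static const unsigned char VEC_EMBEDDED[] = { 0,0,0,12,'s','s','h','-','r','s','a',0,'e','v','i','l' };
static const unsigned char VEC_OVERRUN[]  = { 0,0,0,9, 's','s','h','-','r','s','a' };

/* Status code from parsing one vector from offset 0. */
int
vector_status(const unsigned char *v, size_t vlen)
{
	size_t off = 0;
	char *s;
	int rc = get_cstring(v, vlen, &off, &s);

	free(s);		/* s is NULL on failure; free(NULL) is fine */
	return rc;
}

/* strlen() of the returned copy, or -1 when parsing failed. */
int
vector_strlen(const unsigned char *v, size_t vlen)
{
	size_t off = 0;
	char *s;
	int n = -1;

	if (get_cstring(v, vlen, &off, &s) == GET_OK)
		n = (int)strlen(s);
	free(s);
	return n;
}

/* Bytes consumed from the buffer (4 + length field, trailing NUL included). */
int
vector_consumed(const unsigned char *v, size_t vlen)
{
	size_t off = 0;
	char *s;

	if (get_cstring(v, vlen, &off, &s) != GET_OK)
		off = 0;
	free(s);
	return (int)off;
}
```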


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2



add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cast to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, use dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
German advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.


# 1.10 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.9 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.8 20-Jun-2000 markus

OpenBSD tag


# 1.7 25-May-2000 markus

split kexinit/kexdh, factor out common code


Revision tags: OPENBSD_2_7_BASE
# 1.6 08-May-2000 markus

branches: 1.6.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.5 14-Apr-2000 markus

whitespace cleanup


# 1.4 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.3 12-Apr-2000 markus

check for reasonable public DH values


# 1.2 12-Apr-2000 markus

less debugging output


# 1.1 03-Apr-2000 markus

DSA, keyexchange, algorithm agreement for ssh2


# 1.135 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after the message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_6_2_BASE
# 1.134 13-Jun-2017 djm

Do not require that unknown EXT_INFO extension values not contain
\0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@


# 1.133 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.132 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.131 15-Mar-2017 markus

disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com


# 1.130 10-Mar-2017 djm

fix regression in 7.4 server-sig-algs, where we were accidentally
excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@


# 1.129 10-Mar-2017 dtucker

Plug some mem leaks mostly on error paths. From jjelen at redhat.com
via bz#2687, ok djm@


# 1.128 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.127 10-Oct-2016 markus

Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn


# 1.126 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.125 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.124 22-Sep-2016 djm

support plain curve25519-sha256 KEX algorithm now that it is
approaching standardisation (same algorithm is currently supported
as curve25519-sha256@libssh.org)


# 1.123 21-Sep-2016 djm

correctly return errors from kex_send_ext_info(). Fix from Sami Farin
via https://github.com/openssh/openssh-portable/pull/50


# 1.122 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.121 12-Sep-2016 djm

list all supported signature algorithms in the server-sig-algs
Reported by mb AT smartftp.com in bz#2547 and (independently)
Ron Frederick; ok markus@


# 1.120 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.119 06-Sep-2016 markus

update ext_info_c every time we receive a kexinit msg; fixes sending of
ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.118 02-May-2016 djm

branches: 1.118.4;
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.117 08-Feb-2016 djm

branches: 1.117.2;
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.116 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.115 13-Dec-2015 djm

unbreak connections with peers that set first_kex_follows;
fix from Matt Johnston via bz#2515


# 1.114 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.113 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.112 13-Nov-2015 djm

send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during
KEX; bz#2949, ok dtucker@


# 1.111 13-Oct-2015 djm

free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@


# 1.110 21-Aug-2015 djm

Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.109 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
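
The "+" (append) handling in this entry and the "-" (remove) handling in the 1.128 entry above (Ciphers=-*cbc) are easiest to see as a small list-assembly routine. The code below is an added example written for this page, not OpenSSH's own kex_assemble_names(): the default cipher list in it is constructed, items are comma-separated, and "-" items are treated as fnmatch(3) wildcard patterns, which is an assumption of this example.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the next comma-separated item of *cursor into buf and advance the
 * cursor.  Returns 0 once the list is exhausted; empty items come back as "". */
static int
next_item(const char **cursor, char *buf, size_t bufsz)
{
	const char *s = *cursor, *e;
	size_t n;

	if (s == NULL)
		return 0;
	e = strchr(s, ',');
	n = (e != NULL) ? (size_t)(e - s) : strlen(s);
	if (n >= bufsz)
		n = bufsz - 1;	/* truncate absurdly long names */
	memcpy(buf, s, n);
	buf[n] = '\0';
	*cursor = (e != NULL) ? e + 1 : NULL;
	return 1;
}

/* Return 1 if name matches any fnmatch(3) pattern in the comma list. */
static int
matches_any(const char *name, const char *patterns)
{
	const char *cur = patterns;
	char pat[64];

	while (next_item(&cur, pat, sizeof(pat)))
		if (pat[0] != '\0' && fnmatch(pat, name, 0) == 0)
			return 1;
	return 0;
}

static char *
dup_string(const char *s)
{
	size_t n = strlen(s) + 1;
	char *d = malloc(n);

	if (d != NULL)
		memcpy(d, s, n);
	return d;
}

/* Build the effective list from the built-in default `def` and the configured
 * value `spec`: "+list" appends, "-patterns" removes every default entry that
 * matches a pattern, anything else replaces the default outright.
 * Returns a malloc(3)'d string (caller frees) or NULL on allocation failure. */
char *
assemble_algorithm_list(const char *def, const char *spec)
{
	const char *cur = def;
	char item[64], *out;
	size_t len, n = 0;

	if (spec[0] == '+') {
		if (spec[1] == '\0')
			return dup_string(def);	/* "+" alone adds nothing */
		len = strlen(def) + strlen(spec) + 1;	/* the '+' becomes ',' */
		if ((out = malloc(len)) == NULL)
			return NULL;
		snprintf(out, len, "%s,%s", def, spec + 1);
		return out;
	}
	if (spec[0] != '-')
		return dup_string(spec);

	len = strlen(def) + 1;	/* a filtered list is never longer than def */
	if ((out = malloc(len)) == NULL)
		return NULL;
	out[0] = '\0';
	while (next_item(&cur, item, sizeof(item))) {
		if (item[0] == '\0' || matches_any(item, spec + 1))
			continue;
		n += (size_t)snprintf(out + n, len - n, "%s%s",
		    n > 0 ? "," : "", item);
	}
	return out;
}

/* Assemble, compare with the expected result, free; returns 1 on a match. */
int
list_equals(const char *def, const char *spec, const char *expected)
{
	char *got = assemble_algorithm_list(def, spec);
	int eq = (got != NULL && strcmp(got, expected) == 0);

	free(got);
	return eq;
}

int
main(void)
{
	/* Constructed default list for illustration, not OpenSSH's real one. */
	const char *def = "aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc";
	const char *specs[] = { "-*cbc", "+chacha20-poly1305@openssh.com", "aes256-ctr" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		char *r = assemble_algorithm_list(def, specs[i]);
		printf("Ciphers=%-32s -> %s\n", specs[i], r ? r : "(alloc failed)");
		free(r);
	}
	return 0;
}
```

A removal pattern that strips every default entry yields an empty list, which a real configuration parser should treat as a hard error rather than negotiate with.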


# 1.108 29-Jul-2015 djm

fix bug in previous; was printing incorrect string for failed
host key algorithms negotiation


# 1.107 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.106 17-Apr-2015 djm

don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava


Revision tags: OPENBSD_5_7_BASE
# 1.105 30-Jan-2015 djm

fix ssh protocol 1, spotted by miod@


# 1.104 26-Jan-2015 djm

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@


# 1.103 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.102 19-Jan-2015 markus

adapt kex to sshbuf and struct ssh; ok djm@


# 1.101 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.100 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


Revision tags: OPENBSD_5_6_BASE
# 1.99 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_5_BASE
# 1.98 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.97 25-Jan-2014 markus

dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha


# 1.96 25-Jan-2014 dtucker

Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size they do support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@
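
How the 1.97 and 1.96 entries fit together: dh_need is the largest of the cipher's effective strength, block size, IV length and MAC key length, and for 3des-cbc the effective strength (112 bits) rather than the 24-byte key feeds that maximum. The code below is an added illustration, not OpenSSH's kex.c or dh.c: the cipher table and MAC key lengths are constructed, and the strength-to-group-size mapping (112 -> 2048, 128 -> 3072, 192 -> 7680, capped at 8192 bits) is assumed from NIST SP 800-57 equivalences, not taken from the log.

```c
#include <stdio.h>
#include <string.h>

/* Constructed per-cipher parameters in bytes; not OpenSSH's cipher table. */
struct cipher_params {
	const char *name;
	unsigned int key_len, block_size, iv_len;
};

static const struct cipher_params ciphers[] = {
	{ "3des-cbc",   24,  8,  8 },
	{ "aes128-ctr", 16, 16, 16 },
	{ "aes256-ctr", 32, 16, 16 },
};

const struct cipher_params *
cipher_by_name(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof(ciphers) / sizeof(ciphers[0]); i++)
		if (strcmp(ciphers[i].name, name) == 0)
			return &ciphers[i];
	return NULL;
}

/* Effective security level of the cipher in bytes.  3DES carries a 24-byte
 * key but only ~112 bits of strength, so it is the one special case. */
unsigned int
cipher_seclen(const struct cipher_params *c)
{
	if (strcmp(c->name, "3des-cbc") == 0)
		return 14;
	return c->key_len;
}

/* dh_need = max(seclen, blocksize, ivlen, mac_len), in bytes.
 * Returns 0 for an unknown cipher. */
unsigned int
dh_need_bytes(const char *cipher, unsigned int mac_key_len)
{
	const struct cipher_params *c = cipher_by_name(cipher);
	unsigned int need;

	if (c == NULL)
		return 0;
	need = cipher_seclen(c);
	if (c->block_size > need)
		need = c->block_size;
	if (c->iv_len > need)
		need = c->iv_len;
	if (mac_key_len > need)
		need = mac_key_len;
	return need;
}

/* Assumed mapping from symmetric strength (bits) to the DH modulus size a
 * client would ask for in group exchange: NIST SP 800-57 equivalences,
 * capped at 8192 bits. */
unsigned int
dh_group_bits_for(unsigned int strength_bits)
{
	if (strength_bits <= 112)
		return 2048;
	if (strength_bits <= 128)
		return 3072;
	if (strength_bits <= 192)
		return 7680;
	return 8192;
}

/* Group size requested for a cipher/MAC pair; 0 if the cipher is unknown. */
unsigned int
requested_group_bits(const char *cipher, unsigned int mac_key_len)
{
	unsigned int need = dh_need_bytes(cipher, mac_key_len);

	return need == 0 ? 0 : dh_group_bits_for(need * 8);
}

int
main(void)
{
	/* Assumed MAC key lengths: hmac-md5 16 bytes, hmac-sha1 20, hmac-sha2-256 32. */
	printf("3des-cbc   + hmac-md5      -> need %u bytes, group %u bits\n",
	    dh_need_bytes("3des-cbc", 16), requested_group_bits("3des-cbc", 16));
	printf("3des-cbc   + hmac-sha1     -> need %u bytes, group %u bits\n",
	    dh_need_bytes("3des-cbc", 20), requested_group_bits("3des-cbc", 20));
	printf("aes256-ctr + hmac-sha2-256 -> need %u bytes, group %u bits\n",
	    dh_need_bytes("aes256-ctr", 32), requested_group_bits("aes256-ctr", 32));
	return 0;
}
```

With a 16-byte MAC key, treating 3des-cbc at its raw key length (24 bytes, 192 bits) would ask for a 7680-bit group, which is exactly the "larger than 4k" request the entry says some peers cannot serve; using the 112-bit effective strength brings the request down to 3072 bits. Note that a longer MAC key still dominates the maximum, so the special case only helps when the MAC is not the largest term.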


# 1.95 12-Jan-2014 djm

avoid use of OpenSSL BIGNUM type and functions for KEX with
Curve25519 by adding a buffer_put_bignum2_from_string() that stores
a string using the bignum encoding rules. Will make it easier to
build a reduced-feature OpenSSH without OpenSSL in the future;
ok markus@


# 1.94 09-Jan-2014 djm

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@


# 1.93 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.92 02-Nov-2013 markus

use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@


Revision tags: OPENBSD_5_4_BASE
# 1.91 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.90 19-Apr-2013 djm

remove duplicated list entry pointed out by naddy@


# 1.89 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.88 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.87 17-Aug-2012 djm

add some comments about better handling first-KEX-follows notifications
from the server. Nothing uses these right now. No binary change


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.86 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.85 09-Sep-2010 djm

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@


# 1.84 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.83 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
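
The check this entry describes (reject NUL bytes inside an extracted string, but tolerate a single one at the end), as an added example written for this page rather than OpenSSH's buffer_get_cstring(): the inbuf type, the status codes and the sample fields are constructed; the wire format (uint32 big-endian length followed by the bytes) is the SSH "string" encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read cursor over a received payload (constructed, not OpenSSH's Buffer). */
struct inbuf {
	const uint8_t *data;
	size_t len, off;
};

enum {
	GET_OK = 0,
	GET_TRUNCATED = -1,	/* length prefix or payload runs past the end */
	GET_EMBEDDED_NUL = -2,	/* a NUL byte inside the string */
	GET_NOMEM = -3
};

/* Extract an SSH "string" as a C string.  Any NUL inside the payload is
 * rejected, except that one trailing NUL is tolerated and dropped.  On
 * GET_OK, *out is malloc(3)'d (caller frees) and *outlen is its length. */
int
get_cstring(struct inbuf *b, char **out, size_t *outlen)
{
	const uint8_t *p;
	uint32_t declared, n;
	size_t i;

	*out = NULL;
	if (b->len - b->off < 4)
		return GET_TRUNCATED;
	p = b->data + b->off;
	declared = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	if (declared > b->len - b->off - 4)
		return GET_TRUNCATED;	/* never trust the declared length */
	p += 4;
	n = declared;
	if (n > 0 && p[n - 1] == '\0')
		n--;	/* tolerate a single terminating NUL */
	for (i = 0; i < n; i++)
		if (p[i] == '\0')
			return GET_EMBEDDED_NUL;
	if ((*out = malloc((size_t)n + 1)) == NULL)
		return GET_NOMEM;
	memcpy(*out, p, n);
	(*out)[n] = '\0';
	if (outlen != NULL)
		*outlen = n;
	b->off += 4 + (size_t)declared;	/* consume the whole field */
	return GET_OK;
}

/* Parse a raw field and report only the status code. */
int
cstring_status(const uint8_t *buf, size_t len)
{
	struct inbuf b = { buf, len, 0 };
	char *s;
	int r = get_cstring(&b, &s, NULL);

	free(s);
	return r;
}

/* 1 if the field parses cleanly, equals expected and consumes the buffer. */
int
cstring_equals(const uint8_t *buf, size_t len, const char *expected)
{
	struct inbuf b = { buf, len, 0 };
	char *s;
	int eq = 0;

	if (get_cstring(&b, &s, NULL) == GET_OK) {
		eq = strcmp(s, expected) == 0 && b.off == len;
		free(s);
	}
	return eq;
}

int
main(void)
{
	/* Constructed sample fields. */
	static const uint8_t good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
	static const uint8_t bad[] = { 0, 0, 0, 6, 'a', 'b', 0, 'c', 'd', 'e' };
	static const uint8_t trailing[] = { 0, 0, 0, 4, 'a', 'b', 'c', 0 };
	static const uint8_t cut[] = { 0, 0, 0, 9, 'a', 'b', 'c' };

	printf("good %d, embedded NUL %d, trailing NUL %d, truncated %d\n",
	    cstring_status(good, sizeof(good)), cstring_status(bad, sizeof(bad)),
	    cstring_status(trailing, sizeof(trailing)), cstring_status(cut, sizeof(cut)));
	return 0;
}
```

The point of the embedded-NUL check is that a C string function would stop at the first NUL, so bytes after it would be silently ignored by some code paths and acted on by others; rejecting the field up front removes that ambiguity.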


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.82 24-Oct-2009 andreas

Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@


Revision tags: OPENBSD_4_6_BASE
# 1.81 27-May-2009 andreas

Move the KEX_COOKIE_LEN define to kex.h
ok markus@


Revision tags: OPENBSD_4_5_BASE
# 1.80 06-Sep-2008 djm

OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
replacement anymore


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
# 1.79 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.78 30-May-2007 djm

tidy: KNF, ARGSUSED and u_int


Revision tags: OPENBSD_4_1_BASE
# 1.77 21-Jan-2007 stevesk

spaces


Revision tags: OPENBSD_4_0_BASE
# 1.76 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.75 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.74 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.70 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.69 20-Mar-2006 deraadt

spacing


# 1.68 19-Mar-2006 deraadt

spacing


# 1.67 19-Mar-2006 deraadt

RCSID() can die


# 1.66 07-Mar-2006 djm

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY


Revision tags: OPENBSD_3_9_BASE
# 1.65 04-Nov-2005 djm

branches: 1.65.2;
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@


Revision tags: OPENBSD_3_8_BASE
# 1.64 25-Jul-2005 markus

branches: 1.64.2;
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.63 17-Jul-2005 djm

knf says that a 2nd level indent is four (not three or five) spaces


# 1.62 16-Jul-2005 djm

spacing


# 1.61 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.60 21-Jun-2004 avsm

branches: 1.60.2; 1.60.4;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.59 13-Jun-2004 djm

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@


# 1.58 09-May-2004 djm

don't overwrite what we are trying to compute


# 1.57 09-May-2004 djm

kill some more tiny files; ok deraadt@


Revision tags: OPENBSD_3_5_BASE
# 1.56 21-Nov-2003 djm

branches: 1.56.2;
unexpand and delete whitespace at EOL; ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.55 01-Apr-2003 markus

branches: 1.55.2;
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself


Revision tags: OPENBSD_3_3_BASE
# 1.54 16-Feb-2003 markus

branches: 1.54.2;
split kex into client and server code, no need to link
server code into the client; ok provos@


# 1.53 02-Feb-2003 markus

add support for key exchange guesses; based on work by
avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@


# 1.52 21-Nov-2002 markus

debug->debug2, unify debug messages


Revision tags: OPENBSD_3_2_BASE
# 1.51 24-Jun-2002 markus

branches: 1.51.2;
cat to (void) when output from buffer_get_X is ignored


# 1.50 15-May-2002 mouring

'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@


Revision tags: OPENBSD_3_1_BASE
# 1.49 26-Mar-2002 markus

branches: 1.49.2;
generate a new cookie for each SSH2_MSG_KEXINIT message we send out


# 1.48 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.47 28-Feb-2002 markus

add some const EVP_MD for openssl-0.9.7


# 1.46 23-Feb-2002 markus

don't allow garbage after payload.


# 1.45 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.44 11-Feb-2002 markus

restore kexinit handler if we reset the dispatcher, this unbreaks rekeying
s/kex_clear_dispatch/kex_reset_dispatch/


# 1.43 25-Jan-2002 markus

use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@


# 1.42 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.41 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.40 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.39 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.38 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.37 05-Dec-2001 deraadt

minor KNF


Revision tags: OPENBSD_3_0_BASE
# 1.36 25-Jun-2001 markus

branches: 1.36.2;
update copyright for 2001


# 1.35 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.34 30-Apr-2001 markus

allow interop with weaker key generation used by ssh-2.0.x, x < 10


Revision tags: OPENBSD_2_9_BASE
# 1.33 05-Apr-2001 markus

branches: 1.33.2;
fix whitespace: unexpand + trailing spaces.


# 1.32 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.31 04-Apr-2001 markus

parse full kexinit packet.
make server-side more robust, too.


# 1.30 04-Apr-2001 markus

more robust rekeying
don't send channel data after rekeying is started.


# 1.29 04-Apr-2001 markus

enable server side rekeying + some rekey related cleanup.
todo: we should not send any non-KEX messages after we send KEXINIT


# 1.28 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.27 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.26 03-Apr-2001 markus

move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.


# 1.25 29-Mar-2001 markus

prepare for rekeying: move DH code to dh.c


# 1.24 28-Mar-2001 provos

forgot to include min and max params in hash, okay markus@


# 1.23 10-Mar-2001 markus

add PreferredAuthentications


# 1.22 05-Mar-2001 markus

generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.

References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


# 1.21 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.20 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.19 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.18 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.17 08-Jan-2001 markus

missing free; thanks stevesk@pobox.com


# 1.16 20-Dec-2000 markus

fix prototypes; from stevesk@pobox.com


# 1.15 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.14 15-Dec-2000 provos

compute diffie-hellman in parallel between server and client. okay markus@


# 1.13 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.12 11-Oct-2000 markus

branches: 1.12.2;
new cipher framework


# 1.11 11-Oct-2000 provos

First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.

