#
1.186 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After these changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.185 |
|
08-Jan-2024 |
djm |
remove ext-info-* in the kex.c code, not in callers; with/ok markus@
|
#
1.184 |
|
18-Dec-2023 |
djm |
add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to.
This lets sshd update the acceptable signature algorithms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated.
Full details in the PROTOCOL file
|
#
1.183 |
|
18-Dec-2023 |
djm |
implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH transport protocol, particularly in and around the initial key exchange (KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
|
#
1.182 |
|
11-Oct-2023 |
djm |
s/%.100s/%s/ in SSH- banner construction as there's no reason to limit its size: the version string being included is a compile time constant going into an allocated banner string.
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.181 |
|
28-Aug-2023 |
djm |
branches: 1.181.2; Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.180 |
|
21-Aug-2023 |
tobhe |
Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
feedback from sthen@ ok djm@
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
branches: 1.178.4; Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
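The three entries above that harden the KEX state machine (1.127: unregister the KEXINIT handler once received; 1.131: disallow KEXINIT before NEWKEYS; 1.167: ban packet types once consumed) and the older 1.44 (re-arm the KEXINIT handler so rekeying still works) describe the same dispatch-table discipline. The following is an added illustration, not OpenSSH code: a toy Python model of a dispatch table in which a consumed message type is swapped for a rejecting handler, so a repeated KEXINIT from an unauthenticated peer raises an error instead of triggering another proposal allocation. The class name, the `bytes_retained` counter standing in for proposal memory, and the payload sizes are all constructed for the example.

```python
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21


class ProtocolError(Exception):
    """Raised where a real implementation would disconnect the peer."""


class KexDispatcher:
    """Toy model (not OpenSSH's kex.c) of a per-connection dispatch table
    whose entries change as the key exchange progresses."""

    def __init__(self):
        self.handlers = {}
        self.kexinit_count = 0
        self.bytes_retained = 0  # stand-in for memory held by parsed proposals
        # Before a KEX has started only KEXINIT is acceptable; NEWKEYS has no
        # handler at all, so an early NEWKEYS is rejected rather than handled.
        self.handlers[SSH2_MSG_KEXINIT] = self._on_kexinit

    def _reject(self, msg_type, payload):
        # A type already consumed in this KEX is an error, not a new allocation.
        raise ProtocolError(f"message type {msg_type} not valid in current KEX state")

    def _on_kexinit(self, msg_type, payload):
        self.kexinit_count += 1
        self.bytes_retained += len(payload)  # parse and retain the peer's proposal
        # Unregister: a second KEXINIT before NEWKEYS must not be accepted.
        self.handlers[SSH2_MSG_KEXINIT] = self._reject
        self.handlers[SSH2_MSG_NEWKEYS] = self._on_newkeys

    def _on_newkeys(self, msg_type, payload):
        self.bytes_retained = 0  # proposals are released once keys are in place
        self.handlers[SSH2_MSG_NEWKEYS] = self._reject
        # Re-arm the KEXINIT handler so a later rekey remains possible.
        self.handlers[SSH2_MSG_KEXINIT] = self._on_kexinit

    def dispatch(self, msg_type, payload):
        handler = self.handlers.get(msg_type)
        if handler is None:
            raise ProtocolError(f"message type {msg_type} not expected in current KEX state")
        handler(msg_type, payload)


if __name__ == "__main__":
    d = KexDispatcher()
    d.dispatch(SSH2_MSG_KEXINIT, b"p" * 1000)   # constructed proposal payload
    try:
        d.dispatch(SSH2_MSG_KEXINIT, b"p" * 1000)   # repeat before NEWKEYS
    except ProtocolError as e:
        print("rejected:", e, "| retained bytes still", d.bytes_retained)
    d.dispatch(SSH2_MSG_NEWKEYS, b"")
    d.dispatch(SSH2_MSG_KEXINIT, b"q" * 10)     # rekey is allowed again
    print("kexinit handled", d.kexinit_count, "times")
```

The point of the model is that the bound on retained memory comes from the table itself: no matter how many KEXINIT messages a peer sends, only one per key exchange reaches the parsing path.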
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
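Entries 1.109 (the '+' prefix appends to the defaults), 1.128 (the '-' prefix removes matching entries, e.g. "Ciphers=-*cbc"), 1.154 (the '^' prefix prepends) and 1.138 (lists are fully expanded at config time, wildcards are allowed but negation is not) together define how an algorithm list option resolves. The following is an added worked example, not OpenSSH's own parser: a small Python resolver that applies those four rules against constructed sample lists. The cipher names in `SUPPORTED_CIPHERS` and `DEFAULT_CIPHERS` are illustrative and are not OpenSSH's real sets; treating a no-match wildcard as an error and de-duplicating when prepending are this example's choices.

```python
import fnmatch

# Constructed sample lists for illustration only; NOT OpenSSH's real
# supported/default cipher sets.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def expand_list(entries, supported):
    """Expand names/wildcards against the supported set, in order, no duplicates.

    An entry matching nothing is an error so that a misconfiguration is
    reported when the config is finalised rather than at negotiation time.
    A leading '!' is rejected: these are wildcards, not full pattern-lists.
    """
    result = []
    for pat in entries:
        if not pat or pat.startswith("!"):
            raise ValueError(f"bad algorithm list entry {pat!r}")
        matches = [a for a in supported if fnmatch.fnmatchcase(a, pat)]
        if not matches:
            raise ValueError(f"unknown or unmatched algorithm {pat!r}")
        for a in matches:
            if a not in result:
                result.append(a)
    return result


def apply_algorithm_spec(spec, defaults, supported):
    """Resolve a configured algorithm list to the effective ordered list.

    '+list'  append to the defaults
    '^list'  prepend to the defaults (duplicates in the defaults are dropped)
    '-list'  remove entries matching any pattern from the defaults
    'list'   replace the defaults outright
    """
    if spec.startswith("+"):
        extra = expand_list(spec[1:].split(","), supported)
        return defaults + [a for a in extra if a not in defaults]
    if spec.startswith("^"):
        front = expand_list(spec[1:].split(","), supported)
        return front + [a for a in defaults if a not in front]
    if spec.startswith("-"):
        patterns = spec[1:].split(",")
        return [a for a in defaults
                if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    return expand_list(spec.split(","), supported)


if __name__ == "__main__":
    for spec in ("^aes128-gcm@openssh.com,aes256-gcm@openssh.com",
                 "+aes128-cbc", "-*-ctr", "aes*-ctr"):
        effective = apply_algorithm_spec(spec, DEFAULT_CIPHERS, SUPPORTED_CIPHERS)
        print(f"{spec:48} -> {effective}")
```

Running the block prints the effective list for each form, which is the same information a config dump would show after expansion: the reader can see that "-*-ctr" removes all three CTR modes from the defaults while a replace list such as "aes*-ctr" yields exactly those three, in supported order.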
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
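The 1.83 entry above describes the hazard: an SSH wire string carries an explicit length, so bytes after an embedded NUL survive parsing but vanish from the view of any C str*() function. The following is an added Python illustration, not OpenSSH's buffer code: `get_string()` parses the length-prefixed encoding, `get_cstring()` adds the embedded-NUL rejection (tolerating one trailing NUL, as the footnote says the real code does for now), and `c_string_view()` shows what a string(3) function would have seen. The sample packets are constructed inline, not captured traffic.

```python
import struct


def put_string(data):
    """Encode bytes as an SSH wire string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf, offset=0):
    """Read one SSH wire string from buf at offset.

    Returns (data, next_offset). Truncated input is an error; the length field
    is trusted only after it has been checked against the bytes available.
    """
    if offset + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 4:end], end


def get_cstring(buf, offset=0, allow_trailing_nul=True):
    """Like get_string(), but reject strings containing embedded NUL bytes.

    A single NUL at the very end is stripped and tolerated when
    allow_trailing_nul is True; anything else containing NUL is refused.
    """
    data, end = get_string(buf, offset)
    if allow_trailing_nul and data.endswith(b"\0"):
        data = data[:-1]
    if b"\0" in data:
        raise ValueError("string contains embedded NUL")
    return data, end


def c_string_view(data):
    """What a C str*() function would see: everything up to the first NUL."""
    return data.split(b"\0", 1)[0]


# Constructed sample packets (not captured traffic).
CLEAN = put_string(b"ssh-ed25519")
TRAILING_NUL = put_string(b"ssh-ed25519\0")
SMUGGLED = put_string(b"ssh-ed25519\0,junk-after-nul")


if __name__ == "__main__":
    raw, _ = get_string(SMUGGLED)
    print("length-prefixed bytes:", raw)
    print("C-string view        :", c_string_view(raw))
    try:
        get_cstring(SMUGGLED)
    except ValueError as e:
        print("get_cstring          :", e)
```

The contrast between `raw` and `c_string_view(raw)` is the whole issue: a comparison or log line built with str*() would report "ssh-ed25519" while the retained buffer still holds the trailing bytes, so rejecting the string at extraction time is the safe place to fix it.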
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.185 |
|
08-Jan-2024 |
djm |
remove ext-info-* in the kex.c code, not in callers; with/ok markus@
|
#
1.184 |
|
18-Dec-2023 |
djm |
add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated.
Full details in the PROTOCOL file
|
#
1.183 |
|
18-Dec-2023 |
djm |
implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
|
#
1.182 |
|
11-Oct-2023 |
djm |
s/%.100s/%s/ in SSH- banner construction as there's no reason to limit its size: the version string bring included is a compile time constant going into an allocated banner string.
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.181 |
|
28-Aug-2023 |
djm |
branches: 1.181.2; Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.180 |
|
21-Aug-2023 |
tobhe |
Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
feedback from sthen@ ok djm@
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
branches: 1.178.4; Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at intital KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/recevied host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
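An added example, not OpenSSH code, of what "reasonable public DH values" means in practice: reject y <= 1, reject y >= p-1, and reject values with almost no bits set (with g = 2, a single set bit is a power of two whose discrete log is trivial). It uses uint64_t arithmetic on a toy 61-bit prime so it runs stand-alone; real groups are 2048 bits and up. The bit-count threshold, function names and sample values are mine.

```c
#include <stdint.h>

/*
 * Added example, not OpenSSH code: sanity checks on a peer's DH public value.
 * The arithmetic is uint64_t on a toy prime so the block runs on its own.
 */

#define TOY_P ((uint64_t)2305843009213693951ULL)  /* 2^61 - 1, prime (M61) */
#define TOY_G 3                                   /* generator for the toy group */
#define MIN_BITS_SET 4   /* illustrative threshold for the degenerate-value check */

enum dh_pub_status { DH_PUB_OK = 0, DH_PUB_TOO_SMALL, DH_PUB_TOO_LARGE, DH_PUB_DEGENERATE };

static int popcount64(uint64_t x)
{
    int n = 0;
    for (; x; x >>= 1)
        n += (int)(x & 1);
    return n;
}

/* Range and degeneracy checks on a received public value y for prime p. */
enum dh_pub_status dh_pub_check(uint64_t p, uint64_t y)
{
    if (y <= 1)
        return DH_PUB_TOO_SMALL;      /* 0 and 1 fix the shared secret */
    if (y >= p - 1)
        return DH_PUB_TOO_LARGE;      /* p-1 has order 2; p and above are out of range */
    if (popcount64(y) < MIN_BITS_SET)
        return DH_PUB_DEGENERATE;     /* e.g. a lone power of two when g == 2 */
    return DH_PUB_OK;
}

int dh_pub_is_valid(uint64_t p, uint64_t y)
{
    return dh_pub_check(p, y) == DH_PUB_OK;
}

/* (a * b) mod p by double-and-add; safe while p < 2^63. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p)
{
    uint64_t r = 0;
    a %= p;
    while (b) {
        if (b & 1) { r += a; if (r >= p) r -= p; }
        a <<= 1;
        if (a >= p) a -= p;
        b >>= 1;
    }
    return r;
}

/* g^x mod p by square-and-multiply. */
uint64_t powmod(uint64_t g, uint64_t x, uint64_t p)
{
    uint64_t r = 1;
    g %= p;
    while (x) {
        if (x & 1) r = mulmod(r, g, p);
        g = mulmod(g, g, p);
        x >>= 1;
    }
    return r;
}

/* The public value an honest peer would send for private exponent x. */
uint64_t toy_public_value(uint64_t x)
{
    return powmod(TOY_G, x, TOY_P);
}
```

Honest values pass the check; the degenerate ones (0, 1, p-1, a lone power of two) are exactly the ones an attacker would send to force a predictable shared secret.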
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.181 |
|
28-Aug-2023 |
djm |
branches: 1.181.2; Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.180 |
|
21-Aug-2023 |
tobhe |
Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
feedback from sthen@ ok djm@
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
branches: 1.178.4; Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
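An added example, not OpenSSH code, of the identification-string parsing this entry tightens: a '\r' is accepted only as the byte immediately before '\n', any other '\r' is an error, lines before the "SSH-" line are skipped as RFC 4253 section 4.2 allows, and the protoversion is extracted. Function names, status codes, the line limit and the sample banners are mine.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: strict parsing of the peer's SSH
 * identification string. Sample inputs in the tests are constructed.
 */

#define MAX_ID_LINE 255   /* RFC 4253: at most 255 chars including CRLF */

enum id_status {
    ID_OK = 0,
    ID_INCOMPLETE = -1,   /* need more bytes before a decision is possible */
    ID_BAD_CR = -2,       /* '\r' not immediately followed by '\n' */
    ID_TOO_LONG = -3,
    ID_BAD_VERSION = -4   /* "SSH-" line without a "-softwareversion" part */
};

/* Reads one line from buf. On success returns its length (CRLF stripped)
 * and sets *consumed to the bytes used; otherwise a negative id_status. */
static int read_id_line(const char *buf, size_t len, size_t *consumed,
    char *line, size_t linemax)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (i >= MAX_ID_LINE)
            return ID_TOO_LONG;
        char ch = buf[i];
        if (ch == '\r') {
            if (i + 1 >= len)
                return ID_INCOMPLETE;    /* cannot judge this CR yet */
            if (buf[i + 1] != '\n')
                return ID_BAD_CR;        /* stray CR inside the line */
            continue;                    /* CR right before LF: drop it */
        }
        if (ch == '\n') {
            line[n] = '\0';
            *consumed = i + 1;
            return (int)n;
        }
        if (n + 1 >= linemax)
            return ID_TOO_LONG;
        line[n++] = ch;
    }
    return ID_INCOMPLETE;
}

/* Scans buf for the identification line. On ID_OK, copies the whole
 * "SSH-..." line into banner and the protoversion (e.g. "2.0") into version. */
int parse_identification(const char *buf, size_t len,
    char *banner, size_t bannermax, char *version, size_t versionmax)
{
    char line[MAX_ID_LINE + 1];
    size_t off = 0, used = 0;

    while (off < len) {
        int n = read_id_line(buf + off, len - off, &used, line, sizeof line);
        if (n < 0)
            return n;
        off += used;
        if (strncmp(line, "SSH-", 4) != 0)
            continue;                    /* pre-banner text: ignored */
        /* SSH-protoversion-softwareversion [SP comments] */
        const char *proto = line + 4;
        const char *dash = strchr(proto, '-');
        if (dash == NULL || dash == proto)
            return ID_BAD_VERSION;
        size_t plen = (size_t)(dash - proto);
        if (plen >= versionmax || (size_t)n >= bannermax)
            return ID_TOO_LONG;
        memcpy(version, proto, plen);
        version[plen] = '\0';
        memcpy(banner, line, (size_t)n + 1);
        return ID_OK;
    }
    return ID_INCOMPLETE;
}

/* Status only, for a NUL-terminated constructed input. */
int identification_status(const char *s)
{
    char banner[MAX_ID_LINE + 1], version[16];
    return parse_identification(s, strlen(s), banner, sizeof banner,
        version, sizeof version);
}
```

The returned ID_INCOMPLETE is what a streaming reader uses to wait for more bytes; every other negative status is a reason to drop the connection before any key exchange state exists.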
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
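An added example, not OpenSSH code, covering this entry and the r1.167 entry above: a dispatch table that handles each KEX message type once and then rebinds that type to a protocol-error handler, so a repeated KEXINIT or KEX_DH_GEX_REQUEST from an unauthenticated peer costs an UNIMPLEMENTED reply instead of another allocation. Message numbers are the RFC 4253 / RFC 4419 values; the connection struct, the 128 KiB stand-in payload and the `strict` switch that reproduces the pre-fix behaviour are mine.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: per-connection dispatch table where a KEX
 * message type is handled once and then banned for the rest of the exchange.
 */

#define MSG_KEXINIT            20
#define MSG_NEWKEYS            21
#define MSG_KEX_DH_GEX_REQUEST 34

#define PROPOSAL_BYTES (128 * 1024)   /* stand-in for one parsed KEXINIT proposal */

struct conn;
typedef int (*handler_fn)(struct conn *, int type);

struct held { struct held *next; char *buf; };   /* everything the peer made us keep */

struct conn {
    handler_fn dispatch[256];
    int strict;              /* 1: ban a type once handled; 0: pre-fix behaviour */
    struct held *held;
    size_t bytes_held;
    int kexinit_handled, gex_request_handled, unimplemented_sent;
};

static int protocol_error(struct conn *c, int type)
{
    (void)type;
    c->unimplemented_sent++;  /* real code: send SSH2_MSG_UNIMPLEMENTED with the seqnr */
    return 0;
}

static int keep(struct conn *c, size_t n)
{
    struct held *h = malloc(sizeof *h);
    if (h == NULL || (h->buf = malloc(n)) == NULL) { free(h); return -1; }
    h->next = c->held;
    c->held = h;
    c->bytes_held += n;
    return 0;
}

/* KEXINIT: parse (here: allocate) the peer's proposal. Pre-fix, nothing stops
 * an unauthenticated peer from sending it again and again (r1.127). */
static int kexinit_handler(struct conn *c, int type)
{
    if (keep(c, PROPOSAL_BYTES) != 0) return -1;
    c->kexinit_handled++;
    if (c->strict) c->dispatch[type] = protocol_error;
    return 0;
}

/* KEX_DH_GEX_REQUEST: the duplicate-request leak of r1.167 has the same shape. */
static int gex_request_handler(struct conn *c, int type)
{
    c->gex_request_handled++;
    if (c->strict) c->dispatch[type] = protocol_error;
    return 0;
}

void conn_init(struct conn *c, int strict)
{
    memset(c, 0, sizeof *c);
    c->strict = strict;
    for (int i = 0; i < 256; i++) c->dispatch[i] = protocol_error;
    c->dispatch[MSG_KEXINIT] = kexinit_handler;
    c->dispatch[MSG_KEX_DH_GEX_REQUEST] = gex_request_handler;
}

void conn_free(struct conn *c)
{
    while (c->held) {
        struct held *n = c->held->next;
        free(c->held->buf);
        free(c->held);
        c->held = n;
    }
    c->bytes_held = 0;
}

/* Feed a sequence of message types; returns the bytes the peer forced us to hold. */
size_t conn_feed(struct conn *c, const int *types, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (c->dispatch[types[i] & 0xff](c, types[i] & 0xff) != 0) break;
    return c->bytes_held;
}

/* Same constructed flood (three KEXINIT, two GEX_REQUEST) in strict or lax mode. */
size_t flood_bytes_held(int strict, int *unimplemented_out)
{
    static const int flood[] = { MSG_KEXINIT, MSG_KEXINIT, MSG_KEXINIT,
                                 MSG_KEX_DH_GEX_REQUEST, MSG_KEX_DH_GEX_REQUEST };
    struct conn c;
    conn_init(&c, strict);
    size_t held = conn_feed(&c, flood, sizeof flood / sizeof flood[0]);
    if (unimplemented_out) *unimplemented_out = c.unimplemented_sent;
    conn_free(&c);
    return held;
}
```

In lax mode the held memory grows with every repeated KEXINIT until the connection is closed; in strict mode it is bounded by one proposal and every repeat is answered with UNIMPLEMENTED.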
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
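An added example, not OpenSSH code, of the list-prefix handling described in this entry ('+' append to the default), in r1.128 ('-' remove from the default), in r1.154 ('^' prepend to the default) and in the r1.138 note that wildcards are expanded and unknown names rejected when the configuration is finalised. Function names, the list limit and the default/supported cipher lists are constructed for the demonstration and are not a claim about any release's defaults.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: assemble an algorithm list from a config
 * value with the +, - and ^ prefixes, expanding '*' and '?' wildcards against
 * the supported set so an unknown name is an error at config time.
 */

#define MAX_ALGS 64

struct alglist { char *buf; char *names[MAX_ALGS]; size_t n; };

static int split(struct alglist *l, const char *s)
{
    size_t len = strlen(s);
    memset(l, 0, sizeof *l);
    if ((l->buf = malloc(len + 1)) == NULL) return -1;
    memcpy(l->buf, s, len + 1);
    for (char *p = l->buf; *p != '\0'; ) {
        char *end = strchr(p, ',');
        if (end) *end = '\0';
        if (*p) {                            /* skip empty items such as "a,,b" */
            if (l->n >= MAX_ALGS) return -1;
            l->names[l->n++] = p;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

static void release(struct alglist *l) { free(l->buf); l->buf = NULL; l->n = 0; }

/* Minimal glob: '*' matches any run, '?' one char; enough for "*cbc", "aes*-ctr". */
static int glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *s; s++) if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || (*pat != '?' && *pat != *s)) return 0;
        pat++; s++;
    }
    return *s == '\0';
}

static int in_set(const char **set, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++) if (strcmp(set[i], name) == 0) return 1;
    return 0;
}

static int matches_any(const struct alglist *pats, const char *name)
{
    for (size_t i = 0; i < pats->n; i++) if (glob_match(pats->names[i], name)) return 1;
    return 0;
}

static int push(const char **res, size_t *n, const char *name)
{
    if (in_set(res, *n, name)) return 0;     /* keep the list duplicate-free */
    if (*n >= MAX_ALGS) return -1;
    res[(*n)++] = name;
    return 0;
}

/* Writes the assembled comma-separated list to out. Returns 0, or -1 on an
 * unknown algorithm, an empty value, or an out/MAX_ALGS overflow. */
int assemble_algorithm_list(const char *value, const char *defaults,
    const char *supported, char *out, size_t outlen)
{
    struct alglist def = {0}, sup = {0}, pats = {0};
    const char *res[MAX_ALGS];
    size_t n = 0, off = 0;
    int rc = -1;
    char mode = 0;

    if (*value == '+' || *value == '-' || *value == '^') mode = *value++;
    if (*value == '\0') return -1;
    if (split(&def, defaults) || split(&sup, supported) || split(&pats, value)) goto done;

    if (mode == '-') {                       /* default minus anything a pattern matches */
        for (size_t i = 0; i < def.n; i++)
            if (!matches_any(&pats, def.names[i]) && push(res, &n, def.names[i])) goto done;
    } else {
        if (mode == '+')                     /* default first, then the additions */
            for (size_t i = 0; i < def.n; i++) if (push(res, &n, def.names[i])) goto done;
        for (size_t j = 0; j < pats.n; j++) { /* expand each pattern in supported order */
            int hit = 0;
            for (size_t i = 0; i < sup.n; i++)
                if (glob_match(pats.names[j], sup.names[i])) {
                    hit = 1;
                    if (push(res, &n, sup.names[i])) goto done;
                }
            if (!hit) goto done;             /* unknown/unsupported name: reject now */
        }
        if (mode == '^')                     /* additions first, then the default */
            for (size_t i = 0; i < def.n; i++) if (push(res, &n, def.names[i])) goto done;
    }
    if (n == 0) goto done;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + off, outlen - off, "%s%s", i ? "," : "", res[i]);
        if (w < 0 || (size_t)w >= outlen - off) goto done;
        off += (size_t)w;
    }
    rc = 0;
done:
    release(&def); release(&sup); release(&pats);
    return rc;
}

/* Constructed lists for the demonstration. */
const char *DEMO_DEFAULT_CIPHERS =
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com";
const char *DEMO_SUPPORTED_CIPHERS =
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc";
```

Because the expansion happens when the list is assembled, a dump of the effective configuration shows concrete algorithm names rather than the pattern the administrator typed, and a typo such as an unsupported cipher name fails at that point rather than at the first connection.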
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
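An added example, not OpenSSH code, for this entry and the r1.97 entry above: computing the keying-material need as max(seclen, blocksize, ivlen, mac_len) over both directions, treating 3des-cbc as 112 bits (14 bytes) of effective strength rather than its 24-byte key, and turning the need into a group-exchange request size. The need-to-bits mapping follows the NIST SP 800-57 comparable-strength figures capped at the 8192-bit gex maximum; it is my illustration, not a quote of OpenSSH's table. Cipher and MAC parameters are stated inline.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: sizing the DH group-exchange request from
 * the negotiated cipher and MAC parameters.
 */

struct dir_params {
    const char *cipher;  /* e.g. "aes128-ctr" */
    size_t key_len;      /* key bytes */
    size_t block_size;   /* bytes */
    size_t iv_len;       /* bytes */
    size_t mac_len;      /* bytes of MAC (or AEAD tag) per packet */
};

/* Effective secret length: 3des-cbc has a 24-byte key but ~112 bits of strength. */
size_t cipher_seclen(const struct dir_params *d)
{
    if (strcmp(d->cipher, "3des-cbc") == 0)
        return 14;
    return d->key_len;
}

static size_t max_sz(size_t a, size_t b) { return a > b ? a : b; }

/* Bytes of keying material the KEX must yield for one direction. */
size_t dir_need(const struct dir_params *d)
{
    size_t need = cipher_seclen(d);
    need = max_sz(need, d->block_size);
    need = max_sz(need, d->iv_len);
    need = max_sz(need, d->mac_len);
    return need;
}

/* Overall need: the larger of the two directions. */
size_t dh_need_bytes(const struct dir_params *c2s, const struct dir_params *s2c)
{
    return max_sz(dir_need(c2s), dir_need(s2c));
}

/* Group size in bits to request for a given need in bits (my mapping, see lead-in). */
unsigned dh_estimate_group_bits(size_t need_bits)
{
    if (need_bits <= 112) return 2048;
    if (need_bits <= 128) return 3072;
    if (need_bits <= 192) return 7680;
    return 8192;     /* gex maximum; 256-bit strength would otherwise ask for more */
}

/* Request size when the same cipher/MAC pair is used in both directions. */
unsigned gex_request_bits(const struct dir_params *p)
{
    return dh_need_bytes(p, p) * 8 > 0 ? dh_estimate_group_bits(dh_need_bytes(p, p) * 8) : 2048;
}

/* Constructed parameter sets (standard sizes for these algorithms). */
const struct dir_params AES128_CTR_SHA1 = { "aes128-ctr", 16, 16, 16, 20 };
const struct dir_params TDES_CBC_MD5    = { "3des-cbc",   24,  8,  8, 16 };
const struct dir_params AES256_GCM      = { "aes256-gcm@openssh.com", 32, 16, 12, 16 };
```

With the special case, a 3des-cbc/hmac-md5 session asks for a 3072-bit group; keyed on the raw 24-byte key it would ask for 7680 bits, which is what the non-conforming peers in this entry could not supply.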
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk. Makes the pain stop in one easy step.
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.182 |
|
11-Oct-2023 |
djm |
s/%.100s/%s/ in SSH- banner construction as there's no reason to limit its size: the version string bring included is a compile time constant going into an allocated banner string.
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.181 |
|
28-Aug-2023 |
djm |
Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.180 |
|
21-Aug-2023 |
tobhe |
Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
feedback from sthen@ ok djm@
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at intital KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/recevied host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
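The three sizing rules recorded in this log (1.97: dh_need is max(seclen, blocksize, ivlen, mac_len); 1.96: 3des-cbc is credited with its effective 112-bit strength rather than its 24-byte key; 1.22: the private exponent is 2*need bits, not the full group size), modelled as an added example. This is not OpenSSH code: the per-algorithm lengths are the standard SSH ones, and the 14-byte 3des-cbc value and the bits-to-group-size table reproduce from memory what cipher_seclen() and dh_estimate() do in current dh.c/cipher.c, so treat them as illustrative assumptions rather than a copy of the tree.

```python
# Added example, not OpenSSH code: how kex.c-style code sizes the
# Diffie-Hellman parameters from the negotiated cipher and MAC.
# Assumptions: lengths below are the standard SSH ones; the 3des-cbc value of
# 14 bytes and the dh_estimate() table are reproduced from memory.

# cipher name -> (key_len, block_size, iv_len) in bytes (constructed table)
CIPHERS = {
    "3des-cbc":   (24, 8, 8),
    "aes128-ctr": (16, 16, 16),
    "aes256-ctr": (32, 16, 16),
}
# MAC name -> key length in bytes (constructed table)
MACS = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha2-256": 32, "hmac-sha2-512": 64}


def cipher_seclen(name, effective=True):
    """Security strength in bytes. 3des-cbc takes a 24-byte key but offers
    only ~112 bits (meet-in-the-middle), so it is special-cased to 14 (1.96)."""
    if effective and name == "3des-cbc":
        return 14
    return CIPHERS[name][0]


def we_need(cipher, mac):
    """Bytes of key material the KEX must derive for one direction."""
    key_len, block, iv = CIPHERS[cipher]
    return max(key_len, block, iv, MACS[mac])


def dh_need(cipher, mac, effective=True):
    """Strength the DH group must provide: max(seclen, blocksize, ivlen,
    mac_len), the rule fixed in 1.97."""
    _, block, iv = CIPHERS[cipher]
    return max(cipher_seclen(cipher, effective), block, iv, MACS[mac])


def dh_estimate(bits):
    """Group modulus size (bits) with roughly 2**bits attack cost, following
    the NIST SP 800-57 table and RFC 4419's 8192-bit ceiling (assumed)."""
    if bits <= 112:
        return 2048
    if bits <= 128:
        return 3072
    if bits <= 192:
        return 7680
    return 8192


def gex_request(cipher, mac, effective=True, minimum=2048, maximum=8192):
    """(min, preferred, max) a client puts in SSH2_MSG_KEX_DH_GEX_REQUEST."""
    nbits = dh_estimate(dh_need(cipher, mac, effective) * 8)
    return (minimum, max(minimum, min(nbits, maximum)), maximum)


def private_exponent_bits(cipher, mac):
    """2*need bits of random private exponent instead of a full-size one,
    which is safe for the strong primes in the moduli file (/etc/primes at
    the time of 1.22; van Oorschot & Wiener)."""
    return 2 * we_need(cipher, mac) * 8


if __name__ == "__main__":
    for c, m in [("3des-cbc", "hmac-md5"), ("aes128-ctr", "hmac-sha1"),
                 ("aes256-ctr", "hmac-sha2-512")]:
        print(f"{c:11s} {m:14s} dh_need={dh_need(c, m):3d}B "
              f"group={gex_request(c, m)[1]:5d}b exponent={private_exponent_bits(c, m)}b")
```

Running it shows why the 3des-cbc special case mattered for the cryptlib peers mentioned in 1.96: credited with its 24-byte key it asks for a 7680-bit group, credited with 112 bits of strength it asks for 3072. It also shows the flip side of the 1.97 rule: a 64-byte hmac-sha2-512 key pushes any cipher to the 8192-bit ceiling.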
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.181 |
|
28-Aug-2023 |
djm |
Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.180 |
|
21-Aug-2023 |
tobhe |
Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
feedback from sthen@ ok djm@
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
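The identification exchange that 1.143 tightened (a '\r' is accepted only immediately before '\n') and that 1.175 made fail closed on allocation failure, as an added example of the reader side. This is not OpenSSH's kex_exchange_identification(): the line-length and pre-banner-line limits are illustrative values, and the rule that a server must see the "SSH-" line first is RFC 4253's, restated here rather than taken from either commit.

```python
# Added example, not OpenSSH code: reading the peer's
# "SSH-protoversion-softwareversion SP comments" line strictly.
# Assumptions: MAX_LINE_LEN and MAX_PRE_BANNER_LINES are illustrative caps.
import io

MAX_LINE_LEN = 8192          # assumed cap on bytes before the line terminator
MAX_PRE_BANNER_LINES = 1024  # assumed cap on server banner lines a client tolerates


class BannerError(ValueError):
    pass


def _read_line(stream) -> bytes:
    """One line ending in LF; a CR is accepted only immediately before the LF
    (1.143), a NUL or an overlong line is fatal."""
    line = bytearray()
    while True:
        c = stream.read(1)
        if not c:
            raise BannerError("connection closed before identification")
        if c == b"\n":
            return bytes(line)
        if c == b"\r":
            if stream.read(1) != b"\n":
                raise BannerError("stray CR in identification line")
            return bytes(line)
        if c == b"\0":
            raise BannerError("NUL in identification line")
        line += c
        if len(line) > MAX_LINE_LEN:
            raise BannerError("identification line too long")


def parse_version_line(line: bytes):
    """Split 'SSH-proto-software [comments]'; only protocol 2.0/1.99 accepted."""
    proto, sep, rest = line[4:].partition(b"-")
    if not sep or not proto:
        raise BannerError("malformed identification line")
    software, _, comments = rest.partition(b" ")
    if proto not in (b"2.0", b"1.99"):
        raise BannerError(f"unsupported protocol version {proto!r}")
    return (proto.decode("ascii"),
            software.decode("ascii", "replace"),
            comments.decode("ascii", "replace"))


def read_identification(stream, server: bool = False):
    """A client skips any lines a server sends before its version line (RFC
    4253 4.2); a server insists the client's first line is the version."""
    for _ in range(MAX_PRE_BANNER_LINES):
        line = _read_line(stream)
        if line.startswith(b"SSH-"):
            return parse_version_line(line)
        if server:
            raise BannerError("client did not start with its version line")
    raise BannerError("too many lines before identification")


def identify(data: bytes, server: bool = False):
    """Convenience wrapper over an in-memory byte stream (constructed input)."""
    return read_identification(io.BytesIO(data), server)


def rejects(data: bytes, server: bool = False) -> bool:
    try:
        identify(data, server)
        return False
    except BannerError:
        return True


if __name__ == "__main__":
    print(identify(b"Welcome to example\r\nSSH-2.0-OpenSSH_9.4 hello\r\n"))
    print(rejects(b"SSH-2.0-X\rY\r\n"))   # stray CR: True
```

The interesting case is the stray CR: before 1.143 a '\r' in the middle of the line was silently tolerated, which means two implementations could disagree about where the version line ends, and anything after the CR would be treated as part of the software version that feeds into later compatibility decisions and the exchange hash.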
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
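The EXT_INFO handling that several entries above touch, as one added example covering 1.181 (ping@openssh.com advertised with version "0", PING/PONG in the local-extension number space), 1.178 (an explicit upper bound on the number of entries), 1.170 (a client records a feature only when the expected version is offered) and 1.134 (extension values are opaque and may contain NUL bytes). This is not OpenSSH code: the message numbers come from RFC 8308 and OpenSSH's PROTOCOL file, while MAX_EXT_INFO_ENTRIES is an illustrative cap, since 1.178 does not state its value.

```python
# Added example, not OpenSSH code: build and parse SSH2_MSG_EXT_INFO and the
# ping@openssh.com PING/PONG pair. Assumptions: message numbers per RFC 8308
# and PROTOCOL; MAX_EXT_INFO_ENTRIES is an illustrative bound.
import struct

SSH2_MSG_EXT_INFO = 7
SSH2_MSG_PING = 192      # "local extensions" number space
SSH2_MSG_PONG = 193
MAX_EXT_INFO_ENTRIES = 1024


class ProtocolError(ValueError):
    pass


def put_string(data: bytes) -> bytes:
    """SSH 'string' wire encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ProtocolError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ProtocolError("truncated string")
    return buf[off:off + n], off + n


def build_ext_info(exts):
    """exts: list of (name, value_bytes). Values are opaque blobs."""
    body = b"".join(put_string(n.encode("ascii")) + put_string(v) for n, v in exts)
    return bytes([SSH2_MSG_EXT_INFO]) + struct.pack(">I", len(exts)) + body


def parse_ext_info(pkt: bytes) -> dict:
    if len(pkt) < 5 or pkt[0] != SSH2_MSG_EXT_INFO:
        raise ProtocolError("not an EXT_INFO message")
    (count,) = struct.unpack_from(">I", pkt, 1)
    if count > MAX_EXT_INFO_ENTRIES:      # bound checked before any work (1.178)
        raise ProtocolError(f"too many extensions ({count})")
    exts, off = {}, 5
    for _ in range(count):
        name, off = get_string(pkt, off)
        value, off = get_string(pkt, off)
        try:
            key = name.decode("ascii")
        except UnicodeDecodeError:
            raise ProtocolError("extension name is not ASCII")
        if "\0" in key:
            raise ProtocolError("NUL in extension name")
        exts[key] = value                 # NUL inside a value is fine (1.134)
    if off != len(pkt):
        raise ProtocolError("trailing garbage after EXT_INFO")
    return exts


def is_rejected(pkt: bytes) -> bool:
    try:
        parse_ext_info(pkt)
        return False
    except ProtocolError:
        return True


def client_flags(exts: dict) -> dict:
    """What a client records: a feature counts only when the advertised
    version string is the one it expects ("0" for both today)."""
    ssa = exts.get("server-sig-algs")
    return {
        "ping": exts.get("ping@openssh.com") == b"0",
        "hostbound": exts.get("publickey-hostbound@openssh.com") == b"0",
        "server_sig_algs": ssa.decode("ascii").split(",") if ssa else [],
    }


def build_ping(data: bytes) -> bytes:
    return bytes([SSH2_MSG_PING]) + put_string(data)


def answer_ping(pkt: bytes) -> bytes:
    """Peer side: a PONG echoing the PING payload."""
    if not pkt or pkt[0] != SSH2_MSG_PING:
        raise ProtocolError("not a PING")
    data, off = get_string(pkt, 1)
    if off != len(pkt):
        raise ProtocolError("trailing garbage after PING")
    return bytes([SSH2_MSG_PONG]) + put_string(data)
```

The count check sits before the loop on purpose: the length field is attacker-controlled, and the packet-size limit only caps what the loop can read, not what a naive implementation might reserve up front based on the declared count.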
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
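The KEX state-machine rules scattered across this log, gathered into one added example of a toy server-side dispatcher: a handler is unregistered as soon as its message arrives so a repeated KEXINIT cannot force another proposal allocation (1.127), a message type already consumed in this exchange is banned outright (1.167), KEXINIT is refused before NEWKEYS (1.131), and any other message during KEX is answered with SSH2_MSG_UNIMPLEMENTED carrying the failing sequence number (1.38, 1.112). This is not OpenSSH's dispatch code; the message numbers are RFC 4253's and the ECDH handler is a stand-in for any KEX method.

```python
# Added example, not OpenSSH code: a toy server-side KEX dispatcher.
# Assumption: message numbers are RFC 4253's; the ECDH handler stands in for
# whichever KEX method was negotiated.
SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_ECDH_INIT = 30
SSH2_MSG_KEX_ECDH_REPLY = 31


class ProtocolError(Exception):
    pass


class KexDispatcher:
    """Handlers are popped when their message arrives (1.127); consumed types
    are banned for the rest of the exchange (1.167); KEXINIT is refused while
    a KEX is in flight (1.131); everything else gets UNIMPLEMENTED with the
    sequence number of the offending packet (1.38, 1.112)."""

    def __init__(self):
        self.seq = 0                      # incoming packet sequence number
        self.state = "idle"               # idle -> kex -> done -> kex (rekey) ...
        self.handlers = {SSH2_MSG_KEXINIT: self.on_kexinit}
        self.banned = set()
        self.sent = []                    # (type, payload) replies we produced
        self.proposal_allocations = 0     # what a repeated KEXINIT tries to inflate

    def on_kexinit(self, payload):
        self.proposal_allocations += 1    # parse/copy the peer's proposal
        self.state = "kex"
        self.handlers[SSH2_MSG_KEX_ECDH_INIT] = self.on_ecdh_init

    def on_ecdh_init(self, payload):
        self.sent.append((SSH2_MSG_KEX_ECDH_REPLY, b"<hostkey,Q_S,sig>"))
        self.sent.append((SSH2_MSG_NEWKEYS, b""))
        self.handlers[SSH2_MSG_NEWKEYS] = self.on_newkeys

    def on_newkeys(self, payload):
        self.state = "done"
        self.banned.clear()               # a fresh KEX (rekeying) may start now
        self.handlers[SSH2_MSG_KEXINIT] = self.on_kexinit

    def receive(self, msg_type, payload=b""):
        seq, self.seq = self.seq, self.seq + 1
        if msg_type == SSH2_MSG_KEXINIT and self.state == "kex":
            raise ProtocolError("KEXINIT before NEWKEYS")
        if msg_type in self.banned:
            raise ProtocolError(f"duplicate message type {msg_type}")
        handler = self.handlers.pop(msg_type, None)
        if handler is None:
            self.sent.append((SSH2_MSG_UNIMPLEMENTED, seq.to_bytes(4, "big")))
            return
        self.banned.add(msg_type)
        handler(payload)


def simulate(msg_types):
    """Feed message types in order; return (log, dispatcher). Stops at the
    first fatal error, as a real sshd would by closing the connection."""
    d, log = KexDispatcher(), []
    for t in msg_types:
        try:
            d.receive(t)
            log.append("ok")
        except ProtocolError as e:
            log.append(f"fatal: {e}")
            break
    return log, d


if __name__ == "__main__":
    print(simulate([SSH2_MSG_KEXINIT, SSH2_MSG_KEXINIT])[0])
    print(simulate([SSH2_MSG_KEXINIT, 50, SSH2_MSG_KEX_ECDH_INIT,
                    SSH2_MSG_NEWKEYS, SSH2_MSG_KEXINIT])[0])
```

The first run is the 1.127 report in miniature: the second KEXINIT from an unauthenticated peer never reaches the allocation. The second run shows the normal path, including an unknown message during KEX answered with UNIMPLEMENTED rather than a dropped connection, and a legitimate rekey once NEWKEYS has cleared the bans.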
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
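The algorithm-list syntax that grew across 1.109 ('+' appends to the default), 1.128 ('-' removes, with wildcards such as Ciphers=-*cbc), 1.154 ('^' prepends) and 1.138 (wildcards are expanded at config time into a fully spelled-out list, but they are not pattern-lists and support no '!' negation), as one added example. This is not OpenSSH's kex_assemble_names(): the default lists are constructed, shortened stand-ins, the supported set defaults to the default list as an assumption of this model, and Python's fnmatch is used in place of OpenSSH's match_pattern().

```python
# Added example, not OpenSSH code: expand one ssh_config/sshd_config
# algorithm-list directive. The default lists are constructed stand-ins and
# fnmatch stands in for OpenSSH's match_pattern().
import fnmatch

DEFAULT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr",
    "aes128-cbc", "3des-cbc",
]


def expand_algorithm_list(spec, defaults, supported=None):
    """Expand a directive value:
         "a,b"   replace the default
         "+a,b"  append to the default           (1.109)
         "-a,b"  remove from the default         (1.128)
         "^a,b"  prepend to the default          (1.154)
    '*' and '?' are expanded against the supported set now, so the result is
    fully spelled out (1.138). No '!' negation: a name or pattern matching
    nothing supported is an error, not silently dropped."""
    supported = list(supported) if supported is not None else list(defaults)
    op, body = (spec[0], spec[1:]) if spec[:1] in ("+", "-", "^") else ("", spec)
    patterns = [p for p in body.split(",") if p]
    if not patterns:
        raise ValueError("empty algorithm list")

    if op == "-":
        out = [d for d in defaults
               if not any(fnmatch.fnmatchcase(d, p) for p in patterns)]
    else:
        chosen = []
        for p in patterns:
            hits = [s for s in supported if fnmatch.fnmatchcase(s, p)]
            if not hits:
                raise ValueError(f"bad algorithm or pattern: {p!r}")
            chosen.extend(hits)
        out = {"+": defaults + chosen, "^": chosen + defaults, "": chosen}[op]

    seen, result = set(), []          # de-duplicate, keeping first occurrence
    for a in out:
        if a not in seen:
            seen.add(a)
            result.append(a)
    if not result:
        raise ValueError("algorithm list would be empty")
    return result


def is_invalid(spec, defaults, supported=None) -> bool:
    """True if the directive would be rejected at config-parse time."""
    try:
        expand_algorithm_list(spec, defaults, supported)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(expand_algorithm_list("^diffie-hellman-group14-sha256", DEFAULT_KEX))
    print(expand_algorithm_list("-*cbc", DEFAULT_CIPHERS))
    print(is_invalid("!3des-cbc", DEFAULT_CIPHERS))   # True: no negation syntax
```

Because expansion happens when the configuration is finalised, a typo or a pattern that matches nothing fails at startup (or in "ssh -G"/"sshd -T" output) instead of silently leaving a weaker or empty list for the KEX to negotiate from.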
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.180 |
|
21-Aug-2023 |
tobhe |
Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
feedback from sthen@ ok djm@
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at intital KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk. makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
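The negotiation rule that this entry (r1.53) and the first_kex_follows fix in r1.115 rely on, written out as an added example for this log rather than OpenSSH's own kex_choose_conf() code: RFC 4253 section 7.1 picks the first name on the client's list that the server also lists, and a guessed first KEX packet is only valid when both sides put the same kex and host key algorithm first. The offers in main() are constructed samples, not captures.

```c
#include <stdio.h>
#include <string.h>

/* Return the i-th name of a comma-separated name-list (and its length), or
 * NULL when the list has fewer than i+1 names. No copying, no allocation. */
static const char *
namelist_nth(const char *list, int i, size_t *lenp)
{
	const char *p = list, *comma;

	if (*list == '\0')
		return NULL;
	while (i-- > 0) {
		if ((comma = strchr(p, ',')) == NULL)
			return NULL;
		p = comma + 1;
	}
	comma = strchr(p, ',');
	*lenp = comma != NULL ? (size_t)(comma - p) : strlen(p);
	return p;
}

static int
namelist_contains(const char *list, const char *name, size_t len)
{
	const char *n;
	size_t l;
	int i;

	for (i = 0; (n = namelist_nth(list, i, &l)) != NULL; i++)
		if (l == len && memcmp(n, name, len) == 0)
			return 1;
	return 0;
}

/*
 * RFC 4253 section 7.1: the chosen algorithm is the first name on the
 * client's list that also appears on the server's list. Copies the winner
 * into out and returns 0, or -1 when nothing is mutually supported (fatal;
 * r1.107 logs both offers in that case so the operator can see why).
 */
int
kex_negotiate(const char *client, const char *server, char *out, size_t outsz)
{
	const char *n;
	size_t l;
	int i;

	for (i = 0; (n = namelist_nth(client, i, &l)) != NULL; i++) {
		if (l == 0 || l >= outsz)	/* empty or longer than any name we know */
			continue;
		if (namelist_contains(server, n, l)) {
			memcpy(out, n, l);
			out[l] = '\0';
			return 0;
		}
	}
	return -1;
}

static int
first_names_equal(const char *a, const char *b)
{
	const char *x, *y;
	size_t xl, yl;

	x = namelist_nth(a, 0, &xl);
	y = namelist_nth(b, 0, &yl);
	return x != NULL && y != NULL && xl == yl && memcmp(x, y, xl) == 0;
}

/*
 * first_kex_follows: a peer may send its guessed first KEX packet right
 * behind KEXINIT. The guess is only right when both sides list the same
 * kex and host key algorithm first; otherwise the receiver must discard
 * that one packet before carrying on with the real exchange.
 * Returns 1 when a guessed packet is coming and must be skipped.
 */
int
kex_guess_must_skip(int first_kex_follows, const char *client_kex,
    const char *server_kex, const char *client_hostkey,
    const char *server_hostkey)
{
	if (!first_kex_follows)
		return 0;
	return !(first_names_equal(client_kex, server_kex) &&
	    first_names_equal(client_hostkey, server_hostkey));
}

int
main(void)
{
	/* constructed sample offers, not captured from real peers */
	const char *ckex = "curve25519-sha256,diffie-hellman-group14-sha256";
	const char *skex = "diffie-hellman-group14-sha256,curve25519-sha256";
	char chosen[64];

	if (kex_negotiate(ckex, skex, chosen, sizeof(chosen)) == 0)
		printf("negotiated kex: %s\n", chosen);
	printf("skip guessed packet: %d\n",
	    kex_guess_must_skip(1, ckex, skex, "ssh-ed25519", "ssh-ed25519"));
	return 0;
}
```

Note that the client's preference order wins, which is why a server that wants to steer clients towards a stronger method has to remove the weaker one from its list rather than merely reorder it.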
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'; dispatch_range(): set handler for a range of message types; use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.179 |
|
18-Aug-2023 |
djm |
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
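An added example for r1.143, written for this log and not the project's own kex_exchange_identification(): a parser for the peer's identification string that skips lines sent before the banner, accepts a CR only when it is immediately followed by LF, and enforces the 255-byte line limit (including CRLF) from RFC 4253 section 4.2. The caps on preamble line length and line count are assumptions chosen for the example, not values from this page, and the input in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

#define IDENT_LINE_MAX 255	/* RFC 4253 4.2: identification line incl. CRLF */
#define PREAMBLE_LINE_MAX 1024	/* assumed cap on a pre-"SSH-" line (not from the RFC) */
#define PREAMBLE_LINES_MAX 256	/* assumed cap on the number of such lines */

/*
 * Parse a peer's identification string from buf[0..buflen). Lines before
 * the one starting with "SSH-" are skipped (a server may send them). A CR
 * is only accepted immediately before LF; a bare LF also ends a line. On
 * success protoversion and softwareversion are copied out and the number
 * of bytes consumed is returned; malformed or over-long input returns -1.
 */
int
parse_identification(const char *buf, size_t buflen, char *proto, size_t psz,
    char *software, size_t ssz)
{
	const char *line, *end, *p, *dash, *sp, *swend;
	size_t off = 0, i, linelen, rawlen;
	int preamble = 0;

	while (off < buflen) {
		for (i = off; i < buflen && buf[i] != '\n'; i++) {
			if (buf[i] == '\0')
				return -1;
			if (buf[i] == '\r' &&
			    (i + 1 >= buflen || buf[i + 1] != '\n'))
				return -1;	/* CR not followed by LF */
		}
		if (i == buflen)
			return -1;		/* no line terminator in buffer */
		line = buf + off;
		rawlen = i + 1 - off;		/* including the terminator */
		linelen = i - off;
		if (linelen > 0 && line[linelen - 1] == '\r')
			linelen--;
		off = i + 1;
		if (linelen < 4 || memcmp(line, "SSH-", 4) != 0) {
			if (rawlen > PREAMBLE_LINE_MAX ||
			    ++preamble > PREAMBLE_LINES_MAX)
				return -1;
			continue;
		}
		if (rawlen > IDENT_LINE_MAX)
			return -1;
		/* SSH-protoversion-softwareversion [SP comments] */
		p = line + 4;
		end = line + linelen;
		dash = memchr(p, '-', end - p);
		if (dash == NULL || dash == p || (size_t)(dash - p) >= psz)
			return -1;
		memcpy(proto, p, dash - p);
		proto[dash - p] = '\0';
		p = dash + 1;
		sp = memchr(p, ' ', end - p);
		swend = sp != NULL ? sp : end;
		if (swend == p || (size_t)(swend - p) >= ssz)
			return -1;
		memcpy(software, p, swend - p);
		software[swend - p] = '\0';
		return (int)off;
	}
	return -1;
}

int
main(void)
{
	/* constructed input, not a capture: one preamble line, then the banner */
	const char in[] = "Welcome\r\nSSH-2.0-OpenSSH_9.7 example-comment\r\n";
	char proto[16], software[64];
	int n = parse_identification(in, sizeof(in) - 1, proto,
	    sizeof(proto), software, sizeof(software));

	printf("consumed %d bytes: proto=%s software=%s\n", n, proto, software);
	return 0;
}
```

The caller still has to decide what to do with the protoversion (only "2.0" and "1.99" mean an SSH2 peer) and should log the peer address on failure, as r1.158 does by routing these errors through sshpkt_fatal().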
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
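An added example tying together r1.178 (an explicit bound on the number of EXT_INFO entries), r1.134 (the value of an unknown extension may contain NULs) and r1.121 (server-sig-algs carries a name-list): a parser for SSH2_MSG_EXT_INFO written for this log, not OpenSSH's kex_input_ext_info(). The wire format is the one in RFC 8308 (byte 7, uint32 count, then string name/value pairs); the 1024-entry bound and the message built by build_sample_ext_info() are assumptions for the example, and the trailing-bytes check follows r1.46 ("don't allow garbage after payload").

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH2_MSG_EXT_INFO 7
#define EXT_INFO_MAX_ENTRIES 1024	/* assumed bound; this page only says one exists */

struct view { const uint8_t *p; size_t len; };

static int
get_u32(struct view *b, uint32_t *v)
{
	if (b->len < 4)
		return -1;
	*v = (uint32_t)b->p[0] << 24 | (uint32_t)b->p[1] << 16 |
	    (uint32_t)b->p[2] << 8 | (uint32_t)b->p[3];
	b->p += 4;
	b->len -= 4;
	return 0;
}

/* SSH "string": uint32 length then bytes. Points into the message, no copy. */
static int
get_string(struct view *b, const uint8_t **s, size_t *slen)
{
	uint32_t l;

	if (get_u32(b, &l) == -1 || l > b->len)
		return -1;
	*s = b->p;
	*slen = l;
	b->p += l;
	b->len -= l;
	return 0;
}

/*
 * Parse SSH2_MSG_EXT_INFO: byte 7, uint32 nr-extensions, then name/value
 * string pairs. The server-sig-algs value (a name-list) is copied into
 * sigalgs; any other extension is skipped without looking at its value,
 * which may legitimately contain NULs. Returns the number of extensions,
 * or -1 on a malformed message, an oversized count or bytes left over.
 */
int
parse_ext_info(const uint8_t *msg, size_t msglen, char *sigalgs, size_t sz)
{
	struct view b = { msg, msglen };
	const uint8_t *name, *val;
	size_t namelen, vallen;
	uint32_t n, i;

	sigalgs[0] = '\0';
	if (b.len < 1 || b.p[0] != SSH2_MSG_EXT_INFO)
		return -1;
	b.p++;
	b.len--;
	if (get_u32(&b, &n) == -1 || n > EXT_INFO_MAX_ENTRIES)
		return -1;
	for (i = 0; i < n; i++) {
		if (get_string(&b, &name, &namelen) == -1 ||
		    get_string(&b, &val, &vallen) == -1)
			return -1;
		if (namelen != 15 || memcmp(name, "server-sig-algs", 15) != 0)
			continue;
		/* we interpret this one, so it must be a NUL-free list that fits */
		if (vallen >= sz || memchr(val, '\0', vallen) != NULL)
			return -1;
		memcpy(sigalgs, val, vallen);
		sigalgs[vallen] = '\0';
	}
	return b.len == 0 ? (int)n : -1;	/* no garbage after the payload */
}

static int
put_string(uint8_t *out, size_t outsz, size_t *off, const void *s, size_t slen)
{
	int i;

	if (outsz - *off < 4 + slen)
		return -1;
	for (i = 0; i < 4; i++)
		out[*off + i] = (uint8_t)(slen >> (24 - 8 * i));
	memcpy(out + *off + 4, s, slen);
	*off += 4 + slen;
	return 0;
}

/* Constructed sample (not a capture): server-sig-algs, then an unknown
 * extension whose value carries an embedded NUL. Returns the length, 0 on error. */
size_t
build_sample_ext_info(uint8_t *out, size_t outsz)
{
	static const char algs[] = "ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
	static const char odd[] = "a\0b";
	size_t off = 5;

	if (outsz < off)
		return 0;
	memset(out, 0, off);
	out[0] = SSH2_MSG_EXT_INFO;
	out[4] = 2;
	if (put_string(out, outsz, &off, "server-sig-algs", 15) == -1 ||
	    put_string(out, outsz, &off, algs, sizeof(algs) - 1) == -1 ||
	    put_string(out, outsz, &off, "x-unknown@example.com", 21) == -1 ||
	    put_string(out, outsz, &off, odd, sizeof(odd) - 1) == -1)
		return 0;
	return off;
}
```

The count check looks redundant next to the packet size limit, which is exactly the point of r1.178: the bound is now stated where the loop is, so a reader (or Coverity) does not have to reason about the transport layer to see that the loop terminates.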
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
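The three list prefixes from r1.109 ('+' append), r1.154 ('^' prepend) and r1.128 here ('-' remove), together with the r1.138 behaviour of expanding wildcards when the config is finalised so that errors surface early, as an added example: assemble_names() below is written for this log and is not OpenSSH's kex_assemble_names(). The supported and default lists are constructed samples, fnmatch(3) stands in for OpenSSH's own wildcard matcher, and, as r1.138 notes, there is no '!' negation.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 32
#define NAME_LEN 64
struct namelist { int n; char name[MAX_NAMES][NAME_LEN]; };

/* Constructed sample lists for this example, not OpenSSH's real tables. */
const char *const sample_supported = "chacha20-poly1305@openssh.com,aes128-ctr,"
    "aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes256-cbc,3des-cbc";
const char *const sample_default = "chacha20-poly1305@openssh.com,aes128-ctr,"
    "aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com";

/* Split a comma-separated list; -1 on an empty/over-long name or overflow. */
static int
namelist_split(const char *s, struct namelist *nl)
{
	const char *p = s, *comma;
	size_t len;
	for (nl->n = 0; *p != '\0'; p = comma + 1) {
		comma = strchr(p, ',');
		len = comma != NULL ? (size_t)(comma - p) : strlen(p);
		if (len == 0 || len >= NAME_LEN || nl->n >= MAX_NAMES)
			return -1;
		memcpy(nl->name[nl->n], p, len);
		nl->name[nl->n++][len] = '\0';
		if (comma == NULL)
			break;
	}
	return 0;
}

/* Append name unless already present; first-occurrence order is kept. */
static int
namelist_add(struct namelist *nl, const char *name)
{
	int i;
	for (i = 0; i < nl->n; i++)
		if (strcmp(nl->name[i], name) == 0)
			return 0;
	if (nl->n >= MAX_NAMES)
		return -1;
	strcpy(nl->name[nl->n++], name);
	return 0;
}

/* Append every universe name matching each pattern (fnmatch(3) wildcards, no
 * '!' negation). A pattern matching nothing is an unknown algorithm: error. */
static int
expand_into(const struct namelist *pats, const struct namelist *universe,
    struct namelist *r)
{
	int i, j, matched;
	for (j = 0; j < pats->n; j++) {
		for (matched = i = 0; i < universe->n; i++) {
			if (fnmatch(pats->name[j], universe->name[i], 0) != 0)
				continue;
			matched = 1;
			if (namelist_add(r, universe->name[i]) == -1)
				return -1;
		}
		if (!matched)
			return -1;
	}
	return 0;
}

/* Resolve spec against def: '+' appends, '^' prepends, '-' removes, no prefix
 * replaces; names expand against everything the build supports, so out gets
 * the fully expanded list. Returns -1 on a parse error, an unknown name,
 * truncation or an empty result: all config-time fatal, not first-connection. */
int
assemble_names(const char *supported, const char *def, const char *spec,
    char *out, size_t outsz)
{
	struct namelist u, d, s, r;
	char op = spec[0];
	size_t off = 0;
	int i, j;

	if (op == '+' || op == '^' || op == '-')
		spec++;
	if (namelist_split(supported, &u) == -1 ||
	    namelist_split(def, &d) == -1 || namelist_split(spec, &s) == -1)
		return -1;
	r.n = 0;
	if (op == '-') {		/* keep what no pattern removes */
		for (i = 0; i < d.n; i++) {
			for (j = 0; j < s.n; j++)
				if (fnmatch(s.name[j], d.name[i], 0) == 0)
					break;
			if (j == s.n && namelist_add(&r, d.name[i]) == -1)
				return -1;
		}
	} else if ((op == '+' && expand_into(&d, &u, &r) == -1) ||
	    expand_into(&s, &u, &r) == -1 ||
	    (op == '^' && expand_into(&d, &u, &r) == -1))
		return -1;
	if (r.n == 0)
		return -1;
	for (i = 0; i < r.n && off < outsz; i++)
		off += (size_t)snprintf(out + off, outsz - off, "%s%s",
		    i > 0 ? "," : "", r.name[i]);
	return off < outsz ? 0 : -1;
}
```

Running a spec such as "-*cbc" or "^aes256-gcm@openssh.com" through assemble_names() yields the same fully expanded list an "ssh -G" style dump would print; a spec that strips everything ("-*") or names an algorithm the build lacks ("+nosuch") is rejected at once instead of leaving the daemon with an empty list.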
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.178 |
|
12-Mar-2023 |
dtucker |
Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
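The three list prefixes that the log entries for revisions 1.109 ('+' appends to the default), 1.128 ('-' removes matching names) and 1.154 ('^' prepends) describe are easy to misread when auditing a config, so here is an added example that computes the effective list a value selects. This is illustrative code written for this page, not OpenSSH's kex.c; the function names (`effective_list`, `expand`, `glob_match`), the sample default list and the sample supported list are all constructed for the example, and matching supports only the '*' and '?' wildcards since these lists are not full pattern-lists.

```python
# Added example (not OpenSSH's own code): models how '+', '-' and '^'
# prefixes change an algorithm list relative to the built-in default.
# The lists below are constructed samples, not real OpenSSH defaults.

DEFAULT_CIPHERS = [  # constructed sample default (preference order)
    "chacha20-poly1305@openssh.com",
    "aes128-ctr",
    "aes256-ctr",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
    "aes128-cbc",
    "3des-cbc",
]

# Constructed sample of everything the binary supports (what a
# "ssh -Q cipher" style query would list); superset of the default.
SUPPORTED_CIPHERS = DEFAULT_CIPHERS + ["aes192-ctr", "aes256-cbc"]


def glob_match(pattern: str, name: str) -> bool:
    """Wildcard match supporting only '*' and '?'.

    Deliberately no '[...]' classes and no '!' negation: algorithm lists
    accept wildcards but are not full pattern-lists.
    """
    p = n = 0
    star_p = star_n = -1
    while n < len(name):
        if p < len(pattern) and pattern[p] in ("?", name[n]):
            p += 1
            n += 1
        elif p < len(pattern) and pattern[p] == "*":
            star_p, star_n = p, n  # remember where the '*' started
            p += 1
        elif star_p != -1:
            star_n += 1            # let the last '*' absorb one more char
            p, n = star_p + 1, star_n
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def _dedupe(names):
    """Keep the first occurrence of each name, preserving order."""
    seen, out = set(), []
    for a in names:
        if a not in seen:
            seen.add(a)
            out.append(a)
    return out


def expand(names: str, supported) -> list:
    """Expand a comma-separated list of names/wildcards against `supported`.

    Matches are emitted in the order of `supported`, so a wildcard yields a
    deterministic preference order. A name or pattern matching nothing is
    treated as a configuration error in this example.
    """
    out = []
    for pat in names.split(","):
        if not pat:
            continue
        matches = [a for a in supported if glob_match(pat, a)]
        if not matches:
            raise ValueError(f"unsupported algorithm or pattern: {pat!r}")
        out.extend(matches)
    return _dedupe(out)


def effective_list(spec: str, default, supported) -> list:
    """Return the algorithm list that a config value `spec` selects.

    '+names' appends to the default, '^names' prepends to it, '-patterns'
    removes matching entries from it; anything else replaces it outright.
    """
    if spec.startswith("+"):
        names = list(default) + expand(spec[1:], supported)
    elif spec.startswith("^"):
        names = expand(spec[1:], supported) + list(default)
    elif spec.startswith("-"):
        patterns = [p for p in spec[1:].split(",") if p]
        names = [a for a in default
                 if not any(glob_match(p, a) for p in patterns)]
    else:
        names = expand(spec, supported)
    return _dedupe(names)


if __name__ == "__main__":
    for spec in ("-*cbc", "+aes256-cbc", "^aes256-gcm@openssh.com", "aes*-ctr"):
        chosen = effective_list(spec, DEFAULT_CIPHERS, SUPPORTED_CIPHERS)
        print(f"Ciphers {spec:28s} -> {','.join(chosen)}")
```

Note the asymmetry the code makes visible: '+' and '^' expand wildcards against the full supported set and then drop duplicates, while '-' only filters what is already in the default, so `-*cbc` cannot silently re-enable anything and a '+' of a name already present is a no-op.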
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so, it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for the move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts' requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send the failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.177 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array; from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
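The KEX state-machine hardening spread across the entries for 1.167 (ban a packet type once it has been received), 1.131 (no KEXINIT before NEWKEYS), 1.127 (unregister the KEXINIT handler so a repeated KEXINIT cannot force another allocation), 1.122 (an early NEWKEYS must not reach key-switching code), 1.112 and 1.38 (UNIMPLEMENTED replies carrying the offending sequence number), 1.49 (a fresh cookie for every KEXINIT sent) and 1.30 (no channel data after rekeying starts), collected into one toy dispatcher as an added example. This is a model written for this page, not OpenSSH's code: the DH-GEX payloads are placeholders and the server simply answers the client's KEXINIT rather than racing it.

```python
"""Toy model of sshd's transport dispatcher across a DH-GEX key exchange.

Added example, not OpenSSH's code. A KEX handler is unregistered as soon as
its message has been consumed; anything unexpected in the current state is
answered with SSH2_MSG_UNIMPLEMENTED (carrying the offending sequence number)
instead of being parsed; each KEXINIT we send gets a fresh cookie; and
application data is held back while a rekey is in flight. Message numbers are
the RFC 4253 / RFC 4419 values, payload contents are placeholders.
"""
import os
import struct

SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_DH_GEX_GROUP = 31
SSH2_MSG_KEX_DH_GEX_INIT = 32
SSH2_MSG_KEX_DH_GEX_REPLY = 33
SSH2_MSG_KEX_DH_GEX_REQUEST = 34
SSH2_MSG_CHANNEL_DATA = 94
KEX_COOKIE_LEN = 16


class ServerKexDispatcher:
    def __init__(self):
        self.recv_seqnr = 0              # sequence number of the next inbound packet
        self.sent = []                   # (msg_type, payload) pairs written to the wire
        self.pending_channel_data = []   # application data queued during a rekey
        self.in_kex = False
        self.peer_proposal = None
        self.proposal_bytes_parsed = 0   # memory committed to peer KEXINIT proposals
        self.handlers = {}
        self._arm_kexinit()

    def _arm_kexinit(self):
        """KEXINIT is only acceptable while no exchange is in progress."""
        self.handlers[SSH2_MSG_KEXINIT] = self._on_kexinit

    def _send(self, msg_type, payload=b""):
        self.sent.append((msg_type, payload))

    def receive(self, msg_type, payload=b""):
        seq, self.recv_seqnr = self.recv_seqnr, self.recv_seqnr + 1
        handler = self.handlers.get(msg_type)
        if handler is None:
            # Not valid in this state: never parse it, just report which packet
            # we refused (RFC 4253 puts the sequence number in UNIMPLEMENTED).
            self._send(SSH2_MSG_UNIMPLEMENTED, struct.pack(">I", seq))
            return "unimplemented"
        return handler(payload)

    def _on_kexinit(self, payload):
        self.in_kex = True
        self.peer_proposal = payload
        self.proposal_bytes_parsed += len(payload)
        # Unregister at once: a repeated KEXINIT must not cost another allocation.
        del self.handlers[SSH2_MSG_KEXINIT]
        self._send(SSH2_MSG_KEXINIT, os.urandom(KEX_COOKIE_LEN))  # fresh cookie each time
        self.handlers[SSH2_MSG_KEX_DH_GEX_REQUEST] = self._on_gex_request
        return "kexinit"

    def _on_gex_request(self, payload):
        del self.handlers[SSH2_MSG_KEX_DH_GEX_REQUEST]   # exactly one group request
        self._send(SSH2_MSG_KEX_DH_GEX_GROUP, b"<p,g>")
        self.handlers[SSH2_MSG_KEX_DH_GEX_INIT] = self._on_gex_init
        return "gex_request"

    def _on_gex_init(self, payload):
        del self.handlers[SSH2_MSG_KEX_DH_GEX_INIT]
        self._send(SSH2_MSG_KEX_DH_GEX_REPLY, b"<hostkey,f,sig>")
        self._send(SSH2_MSG_NEWKEYS)
        # Only now does an inbound NEWKEYS make sense: there are keys to switch to.
        self.handlers[SSH2_MSG_NEWKEYS] = self._on_newkeys
        return "gex_init"

    def _on_newkeys(self, payload):
        del self.handlers[SSH2_MSG_NEWKEYS]
        self.in_kex = False
        self._arm_kexinit()                              # a rekey may start from here
        self.handlers[SSH2_MSG_CHANNEL_DATA] = lambda payload: "channel_data"
        queued, self.pending_channel_data = self.pending_channel_data, []
        for data in queued:
            self._send(SSH2_MSG_CHANNEL_DATA, data)
        return "newkeys"

    def send_channel_data(self, data):
        """Application side: never put channel data on the wire mid-KEX."""
        if self.in_kex:
            self.pending_channel_data.append(data)
            return False
        self._send(SSH2_MSG_CHANNEL_DATA, data)
        return True

    def unimplemented_seqnrs(self):
        return [struct.unpack(">I", p)[0] for t, p in self.sent
                if t == SSH2_MSG_UNIMPLEMENTED]


def run_sample_exchange():
    """Drive the dispatcher with a constructed sequence of peer messages."""
    d = ServerKexDispatcher()
    results = [
        d.receive(SSH2_MSG_KEXINIT, b"\x00" * 1024),     # seq 0: accepted
        d.receive(SSH2_MSG_KEXINIT, b"\x00" * 1024),     # seq 1: repeat, refused unparsed
        d.receive(SSH2_MSG_NEWKEYS),                     # seq 2: too early, refused
        d.receive(SSH2_MSG_KEX_DH_GEX_REQUEST, b"req"),  # seq 3: accepted
        d.receive(SSH2_MSG_KEX_DH_GEX_REQUEST, b"req"),  # seq 4: duplicate, refused
        d.receive(SSH2_MSG_KEX_DH_GEX_INIT, b"e"),       # seq 5: accepted, REPLY+NEWKEYS sent
        d.receive(SSH2_MSG_NEWKEYS),                     # seq 6: accepted, KEXINIT re-armed
    ]
    return d, results
```

run_sample_exchange() pushes a repeated KEXINIT, a premature NEWKEYS and a duplicate group request through the dispatcher; each is refused before reaching a handler, so the peer's proposal is stored exactly once and the refusal names the packet by sequence number.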
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
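The three list operators described in the entries for 1.109 ('+' appends to the defaults), 1.128 ('-' removes matching names, e.g. Ciphers=-*cbc), 1.138 (wildcards are accepted but '!' negation is not) and 1.154 ('^' places names ahead of the defaults), modelled in Python as an added example. This is not OpenSSH's code: the cipher lists are constructed for the demonstration, and the separate name-validation step the real config parser runs before assembly is left out.

```python
"""Model of the '+', '-' and '^' algorithm-list operators described in this log.

Added example, not OpenSSH's code: it reproduces the documented semantics
(append to, remove from, or prepend to the default list; '*'/'?' wildcards
allowed, '!' negation rejected) over constructed cipher lists.
"""
from fnmatch import fnmatchcase

# Constructed sample lists for the demonstration, not any release's actual defaults.
DEFAULT_CIPHERS = ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
                   "aes128-gcm@openssh.com,aes256-gcm@openssh.com")
SUPPORTED_CIPHERS = DEFAULT_CIPHERS + ",aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"


class AlgorithmListError(ValueError):
    """Empty result or unsupported syntax."""


def _split(names):
    return [n for n in names.split(",") if n]


def _cat(first, second):
    """Concatenate name lists, keeping only the first occurrence of each name."""
    out = []
    for name in first + second:
        if name not in out:
            out.append(name)
    return out


def assemble_names(configured, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Expand a configured algorithm list into the concrete names that will be used.

    configured  the config value; '' means 'use the defaults'
    default     comma-separated default list
    supported   comma-separated list of everything this build can do
    Every entry may be a wildcard; the result is de-duplicated and, within each
    expanded pattern, keeps the order of `supported`.
    """
    default_names = _split(default)
    supported_names = _split(supported)

    if not configured:
        return default_names

    if configured.startswith("-"):
        # Remove from the defaults; the patterns apply to the default list only.
        patterns = _split(configured[1:])
        result = [n for n in default_names
                  if not any(fnmatchcase(n, p) for p in patterns)]
        if not result:
            raise AlgorithmListError("removal left an empty algorithm list")
        return result

    if configured.startswith("+"):
        names = default_names + _split(configured[1:])   # append to defaults
    elif configured.startswith("^"):
        names = _split(configured[1:]) + default_names   # place ahead of defaults
    else:
        names = _split(configured)                       # explicit list replaces defaults

    result = []
    for pattern in names:
        if pattern.startswith("!"):
            # Wildcards are fine, but these are not full pattern-lists with negation.
            raise AlgorithmListError("negated pattern not supported: %r" % pattern)
        result = _cat(result, [n for n in supported_names if fnmatchcase(n, pattern)])
    if not result:
        raise AlgorithmListError("%r matched no supported algorithm" % configured)
    return result


def assemble_or_error(configured):
    """Same as assemble_names() but returns an 'error: ...' string instead of raising."""
    try:
        return assemble_names(configured)
    except AlgorithmListError as e:
        return "error: %s" % e
```

Note that a '-' list that strips every default, or an explicit list that matches nothing this build supports, yields an empty set; this model treats both as configuration errors rather than silently negotiating nothing.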
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
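The identification-string handling the entry for 1.143 describes, written out as an added example in Python; this is not OpenSSH's parser. It applies that entry's rule (a '\r' is accepted only immediately before '\n'), rejects NUL, lets a client skip pre-banner lines from a server while a server accepts none from a client, and bounds the line at the 255 bytes RFC 4253 specifies. The 1024-line cap on pre-banner lines, the accepted protocol versions and the RFC-strict exclusion of '-' from softwareversion are this example's own choices, stricter than a sscanf-based parser would be.

```python
"""Parser for the SSH identification string exchange (RFC 4253, section 4.2).

Added example, not OpenSSH's code. '\\r' is accepted only as the first half of
CRLF, NUL is never accepted, a server tolerates no pre-banner lines from a
client, and a client skips a bounded number of pre-banner lines from a server.
The line-count cap and the accepted versions are this example's choices.
"""
import re

MAX_LINE = 255                 # identification string incl. CRLF (RFC 4253)
MAX_PRE_BANNER_LINES = 1024    # non-"SSH-" server lines a client tolerates here

# SSH-protoversion-softwareversion [SP comments]; softwareversion is printable
# US-ASCII without whitespace or '-'.
_VERSION_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")


class BannerError(ValueError):
    pass


def _read_line(data, pos):
    """Return (line, new_pos) for one identification line starting at pos."""
    line = bytearray()
    while True:
        if pos >= len(data):
            raise BannerError("connection closed before end of identification line")
        c = data[pos]
        pos += 1
        if c == 0x0A:                      # LF terminates the line
            return bytes(line), pos
        if c == 0x0D:                      # CR only as the first half of CRLF
            if pos < len(data) and data[pos] == 0x0A:
                return bytes(line), pos + 1
            raise BannerError("bare CR in identification line")
        if c == 0x00:
            raise BannerError("NUL byte in identification line")
        line.append(c)
        if len(line) + 2 > MAX_LINE:       # +2 for the CRLF the limit includes
            raise BannerError("identification line too long")


def _parse_version_line(line):
    m = _VERSION_RE.match(line)
    if m is None:
        raise BannerError("malformed identification string: %r" % line[:40])
    proto, software, comments = m.groups()
    proto = proto.decode("ascii")
    if proto not in ("2.0", "1.99"):       # 1.99 is the RFC 4253 compatibility signal
        raise BannerError("unsupported protocol version %s" % proto)
    comments = comments.decode("ascii", "replace") if comments is not None else None
    return proto, software.decode("ascii"), comments


def read_identification(data, server):
    """Consume the peer's identification string from the head of `data`.

    server=True: we are the server, so the first line must be the SSH- line.
    server=False: we are the client; non-SSH- lines from the server are skipped.
    Returns (protoversion, softwareversion, comments, remaining_bytes).
    """
    pos = 0
    for _ in range(MAX_PRE_BANNER_LINES + 1):
        line, pos = _read_line(data, pos)
        if line.startswith(b"SSH-"):
            proto, software, comments = _parse_version_line(line)
            return proto, software, comments, data[pos:]
        if server:
            raise BannerError("client sent a non-SSH line first: %r" % line[:40])
        # client side: a pre-banner line from the server, skip it and keep reading
    raise BannerError("too many pre-banner lines")


def read_or_none(data, server):
    """read_identification(), returning None when the peer's banner is rejected."""
    try:
        return read_identification(data, server)
    except BannerError:
        return None
```

The bytes left over after the CRLF are returned untouched, since the first binary packet may already be sitting behind the banner in the same read.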
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
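The RSA-SHA2 negotiation described in the entries for 1.137 (the algorithm in the signature must match the one named in SSH_MSG_USERAUTH_REQUEST, including the new rsa-sha2-*-cert-v01@openssh.com names), 1.134 (EXT_INFO values may contain \0), 1.121 and 1.130 (server-sig-algs lists every supported signature algorithm) and 1.83 (strings destined for C string handling must reject embedded \0), as an added example in Python. This is not OpenSSH's code: the wire reader, the client's preference order, the certificate-name mapping and the sample messages are constructed for the demonstration.

```python
"""SSH string parsing, SSH2_MSG_EXT_INFO decoding and signature-type checks.
Added example, not OpenSSH's code. Wire formats follow RFC 4251 (string) and
RFC 8308 (EXT_INFO); the preference order, the certificate name mapping and
the sample messages are assumptions made for this demonstration."""
import struct

SSH2_MSG_EXT_INFO = 7
CERT_SUFFIX = "-cert-v01@openssh.com"
RSA_SIG_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")  # strongest first


class ParseError(ValueError):
    pass


class SshBuf:
    """Minimal reader for the SSH wire encoding."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        if n > len(self.data) - self.pos:
            raise ParseError("short read: need %d, have %d" % (n, len(self.data) - self.pos))
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def get_u8(self):
        return self._take(1)[0]

    def get_u32(self):
        return struct.unpack(">I", self._take(4))[0]

    def get_string(self):
        """string = uint32 length || bytes; binary-safe, NUL allowed."""
        return self._take(self.get_u32())

    def get_cstring(self):
        """A string that will be handled as a C string: embedded NUL is rejected."""
        v = self.get_string()
        if b"\x00" in v:
            raise ParseError("embedded NUL in string")
        return v.decode("ascii")

    def check_eom(self):
        if self.pos != len(self.data):
            raise ParseError("%d trailing bytes after payload" % (len(self.data) - self.pos))


def put_string(b):
    return struct.pack(">I", len(b)) + b


def build_ext_info(extensions):
    """Encode [(name, value), ...] as an SSH2_MSG_EXT_INFO payload."""
    out = bytes([SSH2_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        out += put_string(name) + put_string(value)
    return out


def parse_ext_info(payload):
    """Decode EXT_INFO into {name: value}: names must be NUL-free, values are
    opaque bytes and may legitimately contain NUL (e.g. nested encodings)."""
    b = SshBuf(payload)
    if b.get_u8() != SSH2_MSG_EXT_INFO:
        raise ParseError("not an EXT_INFO message")
    exts = {}
    for _ in range(b.get_u32()):
        name = b.get_cstring()
        exts[name] = b.get_string()
    b.check_eom()
    return exts


def parse_ext_info_or_none(payload):
    try:
        return parse_ext_info(payload)
    except ParseError:
        return None


def choose_rsa_sigalg(server_sig_algs):
    """Client: strongest RSA signature algorithm in the server's server-sig-algs."""
    advertised = set(server_sig_algs.decode("ascii").split(","))
    return next((a for a in RSA_SIG_PREFERENCE if a in advertised), None)


def sigalg_for_pkalg(pkalg):
    """Signature algorithm a USERAUTH_REQUEST pkalg implies; certs sign with the base algorithm."""
    return pkalg[:-len(CERT_SUFFIX)] if pkalg.endswith(CERT_SUFFIX) else pkalg


def signature_type(sig_blob):
    """Algorithm name heading a signature blob: string alg || string sig."""
    b = SshBuf(sig_blob)
    alg = b.get_cstring()
    b.get_string()
    b.check_eom()
    return alg


def userauth_signature_matches(pkalg, sig_blob):
    """Server: reject a signature whose type differs from the claimed pkalg,
    e.g. an ssh-rsa (SHA-1) signature offered under rsa-sha2-256."""
    try:
        return signature_type(sig_blob) == sigalg_for_pkalg(pkalg)
    except ParseError:
        return False
```

The distinction between get_string() and get_cstring() is the whole point of the 1.83 and 1.134 entries: extension names are looked up as C strings and must be NUL-free, while extension values are opaque and a value that is itself a string-encoded sub-structure will contain NUL length bytes.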
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying; don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey-related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.176 |
|
06-Mar-2023 |
dtucker |
Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
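The one-shot handler discipline described across revisions 1.38, 1.42, 1.112, 1.127, 1.131, 1.44 and 1.167 (unexpected types answered with UNIMPLEMENTED carrying the failing sequence number; KEXINIT and the DH-GEX messages banned once received, so an unauthenticated peer cannot repeat them to allocate again; KEXINIT re-armed only after NEWKEYS) is modelled below. This is an added illustration, not OpenSSH's kex.c: the handler table, the `allocations` counter and the reply shapes are a constructed server-side model, and only the message numbers are the standard SSH2 transport values.

```python
# Constructed server-side model of the KEX dispatch table; not OpenSSH code.
# Message numbers are the standard SSH2 transport values (RFC 4253 / 4419).
SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_DH_GEX_GROUP = 31
SSH2_MSG_KEX_DH_GEX_INIT = 32
SSH2_MSG_KEX_DH_GEX_REPLY = 33
SSH2_MSG_KEX_DH_GEX_REQUEST = 34
SSH2_MSG_CHANNEL_DATA = 94

NAMES = {3: "UNIMPLEMENTED", 20: "KEXINIT", 21: "NEWKEYS",
         31: "KEX_DH_GEX_GROUP", 32: "KEX_DH_GEX_INIT",
         33: "KEX_DH_GEX_REPLY", 34: "KEX_DH_GEX_REQUEST", 94: "CHANNEL_DATA"}

BANNED = object()  # sentinel: this type was already consumed in this KEX


class ProtocolError(Exception):
    """Where sshd would log the error and disconnect (fatal)."""


class KexDispatch:
    """Server-side model of the dispatch table for one DH-GEX exchange.

    Every KEX handler is one-shot: on receipt it replaces itself with
    BANNED, so a repeated KEXINIT or KEX_DH_GEX_REQUEST disconnects
    instead of allocating again.  Types with no handler at all get an
    UNIMPLEMENTED reply that carries the offending packet's seqnr.
    """

    def __init__(self):
        self.seqnr = 0         # sequence number of the next inbound packet
        self.allocations = 0   # stand-in for memory held by an in-progress KEX
        self.handlers = {SSH2_MSG_KEXINIT: self.on_kexinit}

    def receive(self, msg_type):
        """Dispatch one inbound packet -> (reply type, seqnr or None)."""
        seq, self.seqnr = self.seqnr, self.seqnr + 1
        handler = self.handlers.get(msg_type)
        if handler is BANNED:
            raise ProtocolError(f"duplicate {NAMES.get(msg_type, msg_type)} during KEX")
        if handler is None:
            return (SSH2_MSG_UNIMPLEMENTED, seq)   # unexpected: reply with seqnr
        return (handler(), None)

    def consume(self, msg_type):
        self.handlers[msg_type] = BANNED

    def on_kexinit(self):
        self.consume(SSH2_MSG_KEXINIT)   # no second KEXINIT before NEWKEYS
        self.allocations += 1            # parsed peer proposal
        self.handlers[SSH2_MSG_KEX_DH_GEX_REQUEST] = self.on_gex_request
        return SSH2_MSG_KEXINIT          # our own KEXINIT goes out

    def on_gex_request(self):
        self.consume(SSH2_MSG_KEX_DH_GEX_REQUEST)
        self.allocations += 1            # chosen DH group
        self.handlers[SSH2_MSG_KEX_DH_GEX_INIT] = self.on_gex_init
        return SSH2_MSG_KEX_DH_GEX_GROUP

    def on_gex_init(self):
        self.consume(SSH2_MSG_KEX_DH_GEX_INIT)
        self.handlers[SSH2_MSG_NEWKEYS] = self.on_newkeys
        return SSH2_MSG_KEX_DH_GEX_REPLY  # our NEWKEYS follows it

    def on_newkeys(self):
        # keys in use: drop the KEX state and re-arm KEXINIT for rekeying
        for t in (SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_MSG_KEX_DH_GEX_INIT,
                  SSH2_MSG_NEWKEYS):
            self.handlers.pop(t, None)
        self.allocations = 0
        self.handlers[SSH2_MSG_KEXINIT] = self.on_kexinit
        return SSH2_MSG_NEWKEYS


def run(script):
    """Feed message types to a fresh KexDispatch; one string per packet
    ("KEXINIT", "UNIMPLEMENTED(seq=1)", "DISCONNECT: ..."), stopping at
    the first disconnect."""
    sm, out = KexDispatch(), []
    for t in script:
        try:
            reply, seq = sm.receive(t)
        except ProtocolError as e:
            out.append(f"DISCONNECT: {e}")
            break
        out.append(NAMES[reply] if seq is None else f"UNIMPLEMENTED(seq={seq})")
    return out


def held_allocations(script):
    """Allocations still held after the script (a disconnect stops it)."""
    sm = KexDispatch()
    for t in script:
        try:
            sm.receive(t)
        except ProtocolError:
            break
    return sm.allocations


if __name__ == "__main__":
    full = [SSH2_MSG_KEXINIT, SSH2_MSG_KEX_DH_GEX_REQUEST,
            SSH2_MSG_KEX_DH_GEX_INIT, SSH2_MSG_NEWKEYS]
    print("normal exchange  :", run(full))
    print("repeated KEXINIT :", run([SSH2_MSG_KEXINIT] * 3),
          "held =", held_allocations([SSH2_MSG_KEXINIT] * 50))
    print("stray data in KEX:", run([SSH2_MSG_KEXINIT, SSH2_MSG_CHANNEL_DATA]))
```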
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
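The algorithm-list syntax introduced piecemeal in revisions 1.109 ('+' appends to the default), 1.128 ('-' removes, with wildcards such as `Ciphers=-*cbc`), 1.154 ('^' prepends) and 1.138 (lists are fully expanded at config finalisation, wildcards are accepted but '!' negation is not) is worked through below. This is an added model, not OpenSSH's kex_assemble_names(); `SUPPORTED_CIPHERS` and `DEFAULT_CIPHERS` are constructed sample tables, not the real lists, and treating a pattern that matches nothing as an error is this model's rule.

```python
import fnmatch

# Constructed sample tables; they stand in for the algorithm tables in
# kex.c/cipher.c and are NOT OpenSSH's real supported or default lists.
SUPPORTED_CIPHERS = (
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
)
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:6]


class AlgorithmListError(ValueError):
    """A bad list is an error when the config is finalised, not at use."""


def split_spec(spec):
    """Split a comma-separated list, rejecting empties and '!' negation:
    wildcards are allowed, but these are not full ssh pattern-lists."""
    patterns = spec.split(",")
    for pat in patterns:
        if pat == "":
            raise AlgorithmListError("empty entry in algorithm list")
        if pat.startswith("!"):
            raise AlgorithmListError(f"negation not supported: {pat!r}")
    return patterns


def expand_patterns(spec, supported):
    """Expand each pattern against the supported table, in list order,
    dropping duplicates.  A pattern matching nothing is an error (model
    rule), so typos surface at config time and dumps show real names."""
    out = []
    for pat in split_spec(spec):
        matched = [a for a in supported if fnmatch.fnmatchcase(a, pat)]
        if not matched:
            raise AlgorithmListError(f"unknown algorithm: {pat!r}")
        out.extend(a for a in matched if a not in out)
    return out


def assemble_algorithms(spec, default, supported):
    """Apply one Ciphers/MACs/KexAlgorithms-style value to the default list.

    '+list' appends to the default, '-list' removes matches from it,
    '^list' prepends to it, and a bare list replaces it outright.
    """
    if spec.startswith("+"):
        extra = expand_patterns(spec[1:], supported)
        return list(default) + [a for a in extra if a not in default]
    if spec.startswith("-"):
        patterns = split_spec(spec[1:])   # e.g. "-*cbc"; no match is not an error
        return [a for a in default
                if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    if spec.startswith("^"):
        front = expand_patterns(spec[1:], supported)
        return front + [a for a in default if a not in front]
    return expand_patterns(spec, supported)


def is_valid_spec(spec, default, supported):
    """True if the value would be accepted when the config is finalised."""
    try:
        assemble_algorithms(spec, default, supported)
    except AlgorithmListError:
        return False
    return True


if __name__ == "__main__":
    # what a config dump would show for each value, or why it was rejected
    for value in ("-*cbc", "^aes256-gcm@openssh.com", "+3des-cbc",
                  "aes*-ctr", "!aes*", "aes128-ctr,nosuch-cipher"):
        if is_valid_spec(value, SUPPORTED_CIPHERS, SUPPORTED_CIPHERS):
            algs = assemble_algorithms(value, SUPPORTED_CIPHERS, SUPPORTED_CIPHERS)
            print(f"Ciphers {value:26} -> Ciphers {','.join(algs)}")
        else:
            print(f"Ciphers {value:26} -> rejected at config finalisation")
```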
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after the message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so, it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk; makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server-side rekeying + some rekey-related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.175 |
|
28-Feb-2023 |
dtucker |
fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at intital KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.174 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
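Several entries in this log record the same hardening pattern for the KEX state machine: UNIMPLEMENTED replies carry the failing packet's sequence number (1.38), unexpected messages during KEX are answered with UNIMPLEMENTED rather than killing the connection (1.42, 1.112), the KEXINIT handler is restored after the dispatcher is reset so rekeying works (1.44), the KEXINIT handler is unregistered once the message is received so a repeat cannot allocate again (1.127), KEXINIT is refused before NEWKEYS (1.131), and received packet types are banned for the rest of the exchange (1.167). The Python model below is an added example and not OpenSSH's dispatch code: the handler names, the simplified server-side group-exchange message flow and the choice to treat a repeated KEX message as fatal (instead of answering it with UNIMPLEMENTED) are assumptions of this example; the message numbers are the standard RFC 4253 and RFC 4419 values.

```python
"""One-shot KEX dispatcher model (illustrative, not OpenSSH's dispatch code).

Server side of a diffie-hellman-group-exchange round. Every KEX handler is
retired as soon as its message arrives, a repeat of an already-seen KEX
message is fatal, and any packet without a handler is answered with
SSH2_MSG_UNIMPLEMENTED carrying that packet's sequence number.
"""
from __future__ import annotations

# Message numbers from RFC 4253 and RFC 4419.
SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_DH_GEX_GROUP = 31
SSH2_MSG_KEX_DH_GEX_INIT = 32
SSH2_MSG_KEX_DH_GEX_REPLY = 33
SSH2_MSG_KEX_DH_GEX_REQUEST = 34
SSH2_MSG_CHANNEL_DATA = 94


class ProtocolError(Exception):
    """Fatal state-machine violation: the caller should drop the connection."""


class KexDispatcher:
    def __init__(self) -> None:
        self.sent: list[tuple[int, int | None]] = []  # (type, seq carried in payload)
        self.seen: set[int] = set()  # KEX message types received in this round
        self.in_kex = False
        self.exchanges_completed = 0
        self.recv_seq = 0
        # Before the first exchange only KEXINIT is dispatchable (one-shot).
        self.handlers = {SSH2_MSG_KEXINIT: (self._kexinit, True)}

    def receive(self, msg_type: int) -> str:
        """Dispatch one inbound packet and return a label for what happened."""
        seq, self.recv_seq = self.recv_seq, self.recv_seq + 1
        if msg_type in self.seen:
            # Banned once received: a replayed KEXINIT or GEX_REQUEST must not
            # run the allocating handler a second time.
            raise ProtocolError(f"repeated KEX message type {msg_type}")
        entry = self.handlers.get(msg_type)
        if entry is None:
            # Unexpected type: tell the peer which packet was not understood.
            self.sent.append((SSH2_MSG_UNIMPLEMENTED, seq))
            return "unimplemented"
        handler, one_shot = entry
        if one_shot:
            # Retire the handler before running it.
            del self.handlers[msg_type]
            self.seen.add(msg_type)
        return handler()

    def _kexinit(self) -> str:
        self.in_kex = True
        # No application data is dispatched until NEWKEYS completes the round.
        self.handlers.pop(SSH2_MSG_CHANNEL_DATA, None)
        self.handlers[SSH2_MSG_KEX_DH_GEX_REQUEST] = (self._gex_request, True)
        self.sent.append((SSH2_MSG_KEXINIT, None))
        return "kexinit"

    def _gex_request(self) -> str:
        self.sent.append((SSH2_MSG_KEX_DH_GEX_GROUP, None))
        self.handlers[SSH2_MSG_KEX_DH_GEX_INIT] = (self._gex_init, True)
        return "gex_request"

    def _gex_init(self) -> str:
        self.sent.append((SSH2_MSG_KEX_DH_GEX_REPLY, None))
        self.sent.append((SSH2_MSG_NEWKEYS, None))
        self.handlers[SSH2_MSG_NEWKEYS] = (self._newkeys, True)
        return "gex_init"

    def _newkeys(self) -> str:
        self.in_kex = False
        self.exchanges_completed += 1
        self.seen.clear()
        # Reset for the post-KEX phase: KEXINIT is registered again so the peer
        # can start a rekey, and channel data becomes dispatchable (not one-shot).
        self.handlers = {
            SSH2_MSG_KEXINIT: (self._kexinit, True),
            SSH2_MSG_CHANNEL_DATA: (self._channel_data, False),
        }
        return "newkeys"

    def _channel_data(self) -> str:
        return "data"


def rejects(dispatcher: KexDispatcher, msg_type: int) -> bool:
    """True if delivering msg_type now is a fatal protocol error."""
    try:
        dispatcher.receive(msg_type)
    except ProtocolError:
        return True
    return False
```

The two properties worth checking against this model are that a second KEXINIT or DH_GEX_REQUEST within one round is refused without running the handler again, and that a complete round leaves KEXINIT registered so a later rekey still works.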
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
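Entry 1.154 above, together with 1.128 (removal with '-', e.g. Ciphers=-*cbc), 1.109 (appending with '+') and 1.138 (wildcards accepted, but not negation), describes how a configured algorithm list is assembled from the default. The Python below is an added example that models those rules; it is not OpenSSH's own code, and the cipher lists it uses are constructed samples rather than the defaults of any release.

```python
"""Algorithm-list assembly with the '+', '-' and '^' prefixes.

Illustrative reimplementation of the behaviour described in the log, not
OpenSSH's own code. Patterns may use '*' and '?' but not '!' negation;
'+' appends to the default, '-' filters the default, '^' prepends to it,
and a bare list replaces it.
"""
from __future__ import annotations
import re

# Constructed sample lists (not the exact defaults of any OpenSSH release).
SUPPORTED_CIPHERS = ("3des-cbc,aes128-cbc,aes256-cbc,aes128-ctr,aes256-ctr,"
                     "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
                     "chacha20-poly1305@openssh.com")
DEFAULT_CIPHERS = ("chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,"
                   "aes128-gcm@openssh.com,aes256-gcm@openssh.com")


def glob_match(pattern: str, name: str) -> bool:
    """Match one name against a pattern with '*' and '?' wildcards only."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name) is not None


def names_cat(first: list[str], second: list[str]) -> list[str]:
    """Concatenate two lists, keeping first-seen order and dropping repeats."""
    out = list(first)
    for name in second:
        if name not in out:
            out.append(name)
    return out


def assemble_names(spec: str, default: str = DEFAULT_CIPHERS,
                   supported: str = SUPPORTED_CIPHERS) -> str:
    """Return the effective comma-separated list for one config value."""
    default_l = default.split(",")
    if spec == "":
        return default
    if spec[0] == "-":
        # Removal filters the default list only; nothing is expanded against
        # the supported list here, and removing everything is an error.
        patterns = spec[1:].split(",")
        kept = [n for n in default_l
                if not any(glob_match(p, n) for p in patterns)]
        if not kept:
            raise ValueError("removal left no algorithms")
        return ",".join(kept)
    if spec[0] == "+":
        items = names_cat(default_l, spec[1:].split(","))
    elif spec[0] == "^":
        items = names_cat(spec[1:].split(","), default_l)
    else:
        items = spec.split(",")
    result: list[str] = []
    for pat in items:
        if pat.startswith("!"):
            raise ValueError(f"negated patterns are not supported: {pat}")
        # Each pattern expands against the supported list, in that list's
        # order; a pattern matching nothing contributes nothing.
        matching = [n for n in supported.split(",") if glob_match(pat, n)]
        result = names_cat(result, matching)
    if not result:
        raise ValueError(f"no supported algorithm matches {spec!r}")
    return ",".join(result)


def is_accepted(spec: str, default: str = DEFAULT_CIPHERS,
                supported: str = SUPPORTED_CIPHERS) -> bool:
    """True if the config value assembles to a non-empty list."""
    try:
        assemble_names(spec, default, supported)
    except ValueError:
        return False
    return True
```

Two points the model makes visible: '-' only ever shrinks the default, so Ciphers=-*cbc is a no-op against a default that already lacks CBC modes, while '^' both prepends and moves an algorithm that was already present to the head. On a real system, `ssh -Q cipher` prints the supported list that patterns expand against and `ssh -G host` prints the effective configuration after assembly, which is the way to confirm a '-' or '^' edit did what was intended.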
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithm lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671; "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so, it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
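The 1.70 entry above explains why xcalloc() matters: malloc(nmemb * size) silently wraps when the product overflows size_t. As an added example (not OpenSSH's xcalloc() implementation), the block below puts the unchecked idiom next to an overflow-checked zeroing allocator so the two behaviours can be compared on the same inputs; checked_calloc, mul_overflows and wrapped_size are names chosen for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if nmemb * size would wrap around size_t, else 0. */
int
mul_overflows(size_t nmemb, size_t size)
{
	return size != 0 && nmemb > SIZE_MAX / size;
}

/*
 * The unsafe idiom, kept deliberately unchecked for comparison: the
 * product wraps silently, so an untrusted element count taken from a
 * length field can yield a tiny buffer that is later indexed as if it
 * held nmemb elements.
 */
size_t
wrapped_size(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/*
 * Overflow-checked zeroing array allocator in the spirit of xcalloc():
 * refuses the request (NULL, errno = EOVERFLOW) instead of allocating a
 * wrapped, undersized block. Zero-sized requests are rounded up to one
 * byte so that NULL unambiguously means failure; a malloc failure leaves
 * errno = ENOMEM from libc.
 */
void *
checked_calloc(size_t nmemb, size_t size)
{
	size_t total;
	void *p;

	if (nmemb == 0)
		nmemb = 1;
	if (size == 0)
		size = 1;
	if (mul_overflows(nmemb, size)) {
		errno = EOVERFLOW;
		return NULL;
	}
	total = nmemb * size;	/* now known not to wrap */
	if ((p = malloc(total)) == NULL)
		return NULL;
	memset(p, 0, total);
	return p;
}
```

For nmemb = SIZE_MAX/4 + 1 and size = 8 the unchecked product is exactly 0 on both 32- and 64-bit size_t, which is the kind of result that turns a length check elsewhere into a heap overflow; the checked variant refuses it.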
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying; s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.173 |
|
07-Nov-2022 |
dtucker |
Remove some set but otherwise unused variables, spotted in -portable by clang 16's -Wunused-but-set-variable. ok djm@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.172 |
|
01-Feb-2022 |
djm |
mark const string array contents const too, i.e. static const char *array => static const char * const array; from Mike Frysinger
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
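Entries 1.154 (leading '^' prepends), 1.128 (leading '-' removes, with wildcards such as -*cbc) and 1.109 (leading '+' appends) together describe how a configured algorithm list is combined with the built-in default, and 1.138 adds that the result is expanded in full when the config is finalised. The block below is an added, self-contained C model of that list assembly written for this page; it is not OpenSSH's kex_assemble_names() and simplifies it (wildcards are honoured only for '-', and nothing is validated against a supported-algorithm table). The function and helper names are chosen for the example, and the default lists fed to it are constructed sample values.

```c
#include <string.h>

#define MAXALGS 32
#define NAMELEN 64

/* Tiny '*' and '?' wildcard matcher (written for this example). */
static int
wild_match(const char *p, const char *s)
{
	for (;; p++, s++) {
		if (*p == '\0')
			return *s == '\0';
		if (*p == '*') {
			for (p++; ; s++) {	/* try every suffix of s */
				if (wild_match(p, s))
					return 1;
				if (*s == '\0')
					return 0;
			}
		}
		if (*s == '\0' || (*p != '?' && *p != *s))
			return 0;
	}
}

/* Split a comma-separated list into names[]; empty/oversize items dropped. */
static int
split_list(const char *spec, char names[][NAMELEN], int max)
{
	const char *start = spec, *comma;
	int n = 0;
	while (n < max) {
		comma = strchr(start, ',');
		size_t l = comma ? (size_t)(comma - start) : strlen(start);
		if (l > 0 && l < NAMELEN) {
			memcpy(names[n], start, l);
			names[n][l] = '\0';
			n++;
		}
		if (comma == NULL)
			break;
		start = comma + 1;
	}
	return n;
}

/* Is name in list[]? With wild set, list entries are treated as patterns. */
static int
contains(const char *name, char list[][NAMELEN], int n, int wild)
{
	for (int i = 0; i < n; i++)
		if (wild ? wild_match(list[i], name) : strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Apply spec to the default list and write the effective comma-separated
 * list to out: a leading '+' appends, '^' prepends, '-' removes every
 * default matching one of the (wildcard) items, no prefix replaces.
 * Returns the number selected, or -1 if spec or the result is empty
 * or out is too small.
 */
int
assemble_algs(const char *defaults, const char *spec, char *out, size_t outsz)
{
	char defs[MAXALGS][NAMELEN], user[MAXALGS][NAMELEN], res[MAXALGS][NAMELEN];
	int nd, nu, nr = 0, i;
	char op = spec[0];
	if (op == '+' || op == '-' || op == '^')
		spec++;
	else
		op = '=';
	nd = split_list(defaults, defs, MAXALGS);
	nu = split_list(spec, user, MAXALGS);
	if (nu == 0)
		return -1;
	if (op == '=' || op == '^')		/* user items go first */
		for (i = 0; i < nu; i++)
			strcpy(res[nr++], user[i]);
	if (op != '=')				/* then the surviving defaults */
		for (i = 0; i < nd && nr < MAXALGS; i++)
			if (op == '-' ? !contains(defs[i], user, nu, 1) :
			    !contains(defs[i], res, nr, 0))
				strcpy(res[nr++], defs[i]);
	if (op == '+')				/* finally the appended items */
		for (i = 0; i < nu && nr < MAXALGS; i++)
			if (!contains(user[i], res, nr, 0))
				strcpy(res[nr++], user[i]);
	if (nr == 0)
		return -1;
	out[0] = '\0';
	for (i = 0; i < nr; i++) {
		if (strlen(out) + strlen(res[i]) + 2 > outsz)
			return -1;
		if (i > 0)
			strcat(out, ",");
		strcat(out, res[i]);
	}
	return nr;
}
```

Returning -1 for an empty result (for example "-*") matters: a removal that strips every default should be a configuration error surfaced at config-finalisation time, never a silently empty proposal sent in KEXINIT.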
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
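The "reasonable public DH values" check of 1.3, as an added illustration in Python rather than OpenSSH's C. Both peers should apply it to the value they receive (e from the client, f from the server) before computing the shared secret; the set-bit threshold is an assumption modelled on the check in OpenSSH's dh.c, and the test modulus is constructed, not a negotiated group.

```python
"""Sanity checks on a peer's Diffie-Hellman public value (added illustration, not OpenSSH code).

Two rules, applied before the value is used:
  * 1 < value < p-1: the values 0, 1 and p-1 force the shared secret into
    {0, 1, p-1}, i.e. something the peer chose rather than negotiated
  * at least a few bits set: with g = 2 a public value with a single set bit
    (2**k) has a trivially recoverable exponent k
"""

MIN_BITS_SET = 4  # assumption modelled on OpenSSH's dh_pub_is_valid() threshold


def dh_pub_is_valid(value: int, p: int) -> bool:
    """Return True when `value` is an acceptable public DH value modulo prime p."""
    if not 1 < value < p - 1:
        return False
    if bin(value).count("1") < MIN_BITS_SET:
        return False
    return True


def dh_shared_secret(priv: int, peer_pub: int, p: int) -> int:
    """Validate peer_pub, then compute K = peer_pub ** priv mod p."""
    if not dh_pub_is_valid(peer_pub, p):
        raise ValueError("invalid public DH value")
    return pow(peer_pub, priv, p)


# Constructed test modulus: 2**255 - 19 is prime but is not an RFC 3526 group;
# a real implementation uses the negotiated group's p and g.
P = 2**255 - 19

if __name__ == "__main__":
    print(dh_pub_is_valid(0b10110101, P))   # True: in range, 5 bits set
    print(dh_pub_is_valid(P - 1, P))        # False: out of range
    print(dh_pub_is_valid(2**200, P))       # False: single bit set
```

The range check is the one that matters for the shared secret's integrity; the bit-count check only rejects values that are obviously degenerate, and a small-subgroup value that passes both is still harmless when p is a safe prime, which is why the group files are required to contain strong primes.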
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.171 |
|
06-Jan-2022 |
djm |
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
|
#
1.170 |
|
19-Dec-2021 |
djm |
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0").
ok markus@
|
#
1.169 |
|
19-Dec-2021 |
djm |
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
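The handler-banning approach of 1.127 (unregister the KEXINIT handler once it has been received) and 1.167 (ban each KEX packet type after receipt), as an added model in Python. It is not OpenSSH's dispatch code; the handler bodies are stand-ins that only record state and the bytes a message made the server retain, so the difference between a handler that stays registered and one that is replaced after use can be measured.

```python
"""KEX dispatch table that bans a message type once it has been consumed.

Added model of the behaviour described in 1.127 and 1.167; not OpenSSH's
dispatch code. Message numbers are the RFC 4253 / RFC 4419 values. Handler
bodies only record state and the bytes of peer-supplied data retained.
"""

SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_DH_GEX_REQUEST = 34
SSH2_MSG_KEX_DH_GEX_INIT = 32


class ProtocolError(Exception):
    """A message arrived that the KEX state machine does not permit."""


class KexDispatcher:
    def __init__(self, ban_after_receipt: bool = True):
        # ban_after_receipt=False models the earlier behaviour, where the
        # handler stayed registered and a repeated message re-ran it.
        self.ban_after_receipt = ban_after_receipt
        self.handlers = {}
        self.retained = 0           # bytes of peer-supplied data currently held
        self.trace = []
        self.dispatch_set(SSH2_MSG_KEXINIT, self.on_kexinit)

    def dispatch_set(self, msg_type, handler):
        self.handlers[msg_type] = handler

    def ban(self, msg_type):
        """Replace the handler so a repeat is a protocol error, not a re-run."""
        if self.ban_after_receipt:
            self.dispatch_set(msg_type, self.reject)

    def reject(self, msg_type, payload):
        raise ProtocolError(f"message type {msg_type} already received in this KEX")

    def on_kexinit(self, msg_type, payload):
        self.ban(SSH2_MSG_KEXINIT)
        self.retained += len(payload)            # stand-in: store the peer's proposal
        self.trace.append("KEXINIT")
        self.dispatch_set(SSH2_MSG_KEX_DH_GEX_REQUEST, self.on_gex_request)

    def on_gex_request(self, msg_type, payload):
        self.ban(SSH2_MSG_KEX_DH_GEX_REQUEST)
        self.retained += len(payload)            # stand-in: the group chosen for the peer
        self.trace.append("GEX_REQUEST")
        self.dispatch_set(SSH2_MSG_KEX_DH_GEX_INIT, self.on_gex_init)

    def on_gex_init(self, msg_type, payload):
        self.ban(SSH2_MSG_KEX_DH_GEX_INIT)
        self.trace.append("GEX_INIT")
        self.dispatch_set(SSH2_MSG_NEWKEYS, self.on_newkeys)

    def on_newkeys(self, msg_type, payload):
        self.ban(SSH2_MSG_NEWKEYS)
        self.trace.append("NEWKEYS")
        self.retained = 0                        # KEX done; proposal state released

    def receive(self, msg_type, payload=b""):
        handler = self.handlers.get(msg_type)
        if handler is None:
            raise ProtocolError(f"message type {msg_type} not expected in this state")
        handler(msg_type, payload)


def retained_after_repeats(ban_after_receipt: bool, repeats: int, size: int = 1024) -> int:
    """Deliver KEXINIT `repeats` times; return bytes retained when the loop stops."""
    d = KexDispatcher(ban_after_receipt)
    for _ in range(repeats):
        try:
            d.receive(SSH2_MSG_KEXINIT, b"x" * size)
        except ProtocolError:
            break
    return d.retained


def run_happy_path() -> list:
    """One complete server-side DH-GEX exchange; returns the handler trace."""
    d = KexDispatcher()
    d.receive(SSH2_MSG_KEXINIT, b"proposal")
    d.receive(SSH2_MSG_KEX_DH_GEX_REQUEST, b"min/n/max")
    d.receive(SSH2_MSG_KEX_DH_GEX_INIT, b"e")
    d.receive(SSH2_MSG_NEWKEYS)
    return d.trace + [str(d.retained)]


def duplicate_gex_request_rejected() -> bool:
    """The memleak case from 1.167: a second GEX_REQUEST must be refused."""
    d = KexDispatcher()
    d.receive(SSH2_MSG_KEXINIT, b"proposal")
    d.receive(SSH2_MSG_KEX_DH_GEX_REQUEST, b"min/n/max")
    try:
        d.receive(SSH2_MSG_KEX_DH_GEX_REQUEST, b"min/n/max")
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print(retained_after_repeats(True, 100))    # 1024: the second KEXINIT is rejected
    print(retained_after_repeats(False, 100))   # 102400: every repeat re-ran the handler
```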
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
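The algorithm-list prefixes introduced across 1.109 ('+' append), 1.128 ('-' remove, with wildcards such as "-*cbc"), 1.154 ('^' prepend) and the wildcard rule of 1.138 (globs are accepted, pattern-list negation is not, and the result is fully expanded so config dumps show the real algorithms), as one added illustration in Python. It is not OpenSSH's kex_assemble_names(); the de-duplication and ordering choices are assumptions, and the supported and default cipher sets are constructed samples rather than OpenSSH's real lists.

```python
"""Resolve a '+', '-' or '^' algorithm-list directive against defaults and the supported set.

Added illustration of 1.109, 1.128, 1.138 and 1.154; not OpenSSH code. Ordering and
de-duplication are assumptions chosen for clarity; the sample sets are constructed.
"""
import fnmatch


def _split(spec: str) -> list:
    return [s for s in spec.split(",") if s]


def _reject_negation(patterns):
    """Algorithm lists are not full pattern-lists: a leading '!' is an error (1.138)."""
    for pat in patterns:
        if pat.startswith("!"):
            raise ValueError(f"negation is not allowed in algorithm lists: {pat!r}")


def _expand(patterns, supported):
    """Expand glob patterns against `supported`, preserving pattern order, no duplicates."""
    _reject_negation(patterns)
    out = []
    for pat in patterns:
        matches = [a for a in supported if fnmatch.fnmatchcase(a, pat)]
        if not matches:
            raise ValueError(f"unsupported algorithm or pattern: {pat!r}")
        for a in matches:
            if a not in out:
                out.append(a)
    return out


def _cat(first, second):
    """Concatenate two lists, dropping later duplicates."""
    out = list(first)
    for a in second:
        if a not in out:
            out.append(a)
    return out


def resolve_algorithm_list(spec: str, defaults, supported) -> list:
    """Return the effective, fully expanded list for a directive value.

      '+list'  append to the defaults              (1.109)
      '-list'  remove matching entries from them   (1.128)
      '^list'  place before the defaults           (1.154)
      'list'   replace the defaults entirely
    """
    if spec.startswith("+"):
        result = _cat(defaults, _expand(_split(spec[1:]), supported))
    elif spec.startswith("-"):
        remove = _split(spec[1:])
        _reject_negation(remove)
        result = [a for a in defaults
                  if not any(fnmatch.fnmatchcase(a, p) for p in remove)]
    elif spec.startswith("^"):
        result = _cat(_expand(_split(spec[1:]), supported), defaults)
    else:
        result = _expand(_split(spec), supported)
    if not result:
        raise ValueError("algorithm list is empty after resolution")
    return result


def is_valid_spec(spec: str, defaults, supported) -> bool:
    """True when the directive resolves to a non-empty list without error."""
    try:
        resolve_algorithm_list(spec, defaults, supported)
        return True
    except ValueError:
        return False


# Constructed sample sets (not OpenSSH's real lists); aes128-cbc is kept in the
# defaults so that "-*cbc" has something to remove.
SUPPORTED = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
             "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
             "aes128-cbc", "aes256-cbc", "3des-cbc"]
DEFAULTS = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
            "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-cbc"]

if __name__ == "__main__":
    print(resolve_algorithm_list("-*cbc", DEFAULTS, SUPPORTED))
    print(resolve_algorithm_list("^aes128-gcm@openssh.com,aes256-gcm@openssh.com",
                                 DEFAULTS, SUPPORTED))
```

Because resolution happens when the configuration is finalised, a typo or an unsupported name fails at config-load time rather than silently at connection time, and "ssh -G" style dumps can print the expanded result.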
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
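The pattern behind the 1.127 fix, as an added example that is not OpenSSH's dispatch code: a toy dispatch table in which the KEXINIT handler replaces itself with a protocol-error handler the moment one KEXINIT has been consumed, so a peer that repeats KEXINIT before the exchange completes cannot make the allocating handler run again. The message numbers are the real SSH2 values; the state structure, handler names and kex_reset_dispatch_demo() are this example's own.

```c
#include <stddef.h>

/* Added example, not OpenSSH code. Message numbers are the SSH2 values;
 * everything else here is this example's own construction. */
#define SSH2_MSG_KEXINIT 20
#define SSH2_MSG_NEWKEYS 21
#define DISPATCH_MAX     255

struct kex_state {
    int kexinits_processed;    /* times the (allocating) KEXINIT handler ran */
    int protocol_errors;       /* times a message was rejected */
};

typedef int (*dispatch_fn)(int type, struct kex_state *st);
static dispatch_fn dispatch[DISPATCH_MAX + 1];

static int protocol_error(int type, struct kex_state *st)
{
    (void)type;
    st->protocol_errors++;
    return -1;                 /* a real server disconnects at this point */
}

static int kexinit_handler(int type, struct kex_state *st)
{
    (void)type;
    /* This is where the peer's proposal would be parsed and stored, i.e.
     * where memory is allocated on behalf of an unauthenticated peer. */
    st->kexinits_processed++;
    /* 1.127: unregister the handler as soon as one KEXINIT has been
     * consumed, so a repeated KEXINIT cannot re-run the allocation. */
    dispatch[SSH2_MSG_KEXINIT] = protocol_error;
    return 0;
}

/* Arm the table for a fresh key exchange: everything is an error except
 * exactly one KEXINIT (the kex_reset_dispatch idea from entry 1.44). */
void kex_reset_dispatch_demo(void)
{
    int i;

    for (i = 0; i <= DISPATCH_MAX; i++)
        dispatch[i] = protocol_error;
    dispatch[SSH2_MSG_KEXINIT] = kexinit_handler;
}

int dispatch_run(int type, struct kex_state *st)
{
    if (type < 0 || type > DISPATCH_MAX)
        return -1;
    return dispatch[type](type, st);
}

/* Simulate a peer that sends `repeats` KEXINIT messages back to back.
 * Returns how many of them reached the allocating handler. */
int kexinit_flood_processed(int repeats)
{
    struct kex_state st = {0, 0};
    int i;

    kex_reset_dispatch_demo();
    for (i = 0; i < repeats; i++)
        dispatch_run(SSH2_MSG_KEXINIT, &st);
    return st.kexinits_processed;
}
```

Without the reassignment inside kexinit_handler(), the returned count would equal the number of repeats, which is exactly the per-connection allocation growth the entry describes.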
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
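The two list-editing forms from entries 1.128 ('-' removes matching items, with wildcards) and 1.109 ('+' appends to the default), as an added example that is not OpenSSH's kex_assemble_names(): a small assembler that expands a configuration value against a default list. The wildcard matcher supports only '*' and '?', with no negation, which matches the 1.138 entry's note that these lists are not full pattern-lists. DEMO_DEFAULT_CIPHERS, the function names and the refusal of an empty result are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r() */
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH code. Constructed default list for the demo. */
#define DEMO_DEFAULT_CIPHERS "aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc"

/* Minimal wildcard match: '*' matches any run, '?' one char. No '!' negation. */
static int wild_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (wild_match(pat, s))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s))
            return 0;
        pat++;
        s++;
    }
}

/* 1 if `name` matches any comma-separated pattern in `pats`. */
static int matches_any(const char *pats, const char *name)
{
    char buf[512], *save, *p;

    snprintf(buf, sizeof buf, "%s", pats);
    for (p = strtok_r(buf, ",", &save); p != NULL; p = strtok_r(NULL, ",", &save))
        if (wild_match(p, name))
            return 1;
    return 0;
}

/* Append `item` to the comma-separated list in `out`; -1 if it does not fit. */
static int append_item(char *out, size_t outlen, const char *item)
{
    size_t used = strlen(out);

    if (used > 0 && used + 1 < outlen) {
        out[used++] = ',';
        out[used] = '\0';
    }
    if (used + strlen(item) + 1 > outlen)
        return -1;
    memcpy(out + used, item, strlen(item) + 1);
    return 0;
}

/*
 * Expand a config value `spec` against the default list `def` into `out`:
 *   "+x,y"  appends x,y to the default (entry 1.109)
 *   "-pat"  removes default entries matching any pattern (entry 1.128)
 *   "x,y"   replaces the default
 * Returns 0 on success, -1 on overflow, an empty edit or an empty result.
 */
int assemble_alg_list(const char *spec, const char *def, char *out, size_t outlen)
{
    char buf[512], *save, *p;

    out[0] = '\0';
    switch (spec[0]) {
    case '+':
        if (spec[1] == '\0' || append_item(out, outlen, def) == -1)
            return -1;
        return append_item(out, outlen, spec + 1);
    case '-':
        if (spec[1] == '\0')
            return -1;
        snprintf(buf, sizeof buf, "%s", def);
        for (p = strtok_r(buf, ",", &save); p != NULL; p = strtok_r(NULL, ",", &save))
            if (!matches_any(spec + 1, p) && append_item(out, outlen, p) == -1)
                return -1;
        return out[0] == '\0' ? -1 : 0;   /* removing everything is a config error */
    default:
        return append_item(out, outlen, spec);
    }
}

/* 1 if `spec` expands against `def` to exactly `expect`, 0 on error, -1 on mismatch. */
int alg_list_is(const char *spec, const char *def, const char *expect)
{
    char out[512];

    if (assemble_alg_list(spec, def, out, sizeof out) == -1)
        return 0;
    return strcmp(out, expect) == 0 ? 1 : -1;
}
```

Rejecting a result that removed every entry is the behaviour a practitioner wants from a security option: a typo in a '-' pattern should fail configuration loading rather than silently leave the peer with nothing to negotiate.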
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
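The check described in the 1.83 entry, as an added example that is not OpenSSH's buffer_get_cstring(): decode one SSH wire "string" (uint32 big-endian length followed by that many bytes), reject a length that overruns the buffer or any embedded NUL, and tolerate exactly one NUL at the very end, as the footnote describes. The function names and the two helpers that exercise it on constructed inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH code. */

/* Decode a big-endian uint32, the SSH wire encoding of a string length. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Extract the SSH string at buf[*off] as a freshly allocated C string.
 * Returns NULL if the length runs past the buffer or if the bytes contain
 * an embedded NUL. One NUL at the very end is tolerated and dropped (the
 * 1.83 footnote). On success *off is advanced past the whole wire string.
 */
char *get_cstring(const unsigned char *buf, size_t len, size_t *off)
{
    uint32_t slen, keep;
    const unsigned char *s;
    char *ret;

    if (*off > len || len - *off < 4)
        return NULL;                          /* no room for the length field */
    slen = get_u32(buf + *off);
    if (slen > len - *off - 4)
        return NULL;                          /* declared length overruns the buffer */
    s = buf + *off + 4;
    keep = slen;
    if (keep > 0 && s[keep - 1] == '\0')
        keep--;                               /* tolerate a single trailing NUL */
    if (memchr(s, '\0', keep) != NULL)
        return NULL;                          /* embedded NUL: reject outright */
    if ((ret = malloc((size_t)keep + 1)) == NULL)
        return NULL;
    memcpy(ret, s, keep);
    ret[keep] = '\0';
    *off += 4 + (size_t)slen;                 /* consume the wire length, not the trimmed one */
    return ret;
}

/* 1 if the string at offset 0 decodes to `expect` with the cursor left at `want_off`. */
int cstring_decodes_to(const unsigned char *buf, size_t len, const char *expect, size_t want_off)
{
    size_t off = 0;
    char *s = get_cstring(buf, len, &off);
    int ok;

    if (s == NULL)
        return 0;
    ok = strcmp(s, expect) == 0 && off == want_off;
    free(s);
    return ok;
}

/* 1 if the string at offset 0 is rejected. */
int cstring_rejected(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    char *s = get_cstring(buf, len, &off);

    free(s);
    return s == NULL;
}
```

Returning the string as a proper C string is what makes the NUL check necessary: once a value goes through strlen()-style functions, anything after an interior NUL is invisible to the code that compares or logs it.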
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
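The overflow the 1.70 entry warns about, shown side by side with the check that prevents it. This is an added example, not OpenSSH's xmalloc.c: wrapped_product() is the dangerous idiom in isolation, mul_overflows() is the test a failure-checked allocator must make before multiplying, and xcalloc_demo() is the resulting wrapper. The names and the abort-on-failure policy are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not OpenSSH code. */

/* The dangerous idiom: the product is computed in size_t and silently wraps,
 * so a huge element count can turn into a tiny allocation that later code
 * indexes as if it were large. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* 1 if nmemb * size cannot be represented in a size_t. Dividing instead of
 * multiplying is what keeps the check itself from overflowing. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

static void fatal_alloc(const char *what, size_t nmemb, size_t size)
{
    fprintf(stderr, "%s: %zu * %zu: overflow or out of memory\n", what, nmemb, size);
    abort();
}

/* Failure-checked calloc: never returns NULL and never lets the product wrap.
 * Modern calloc() implementations check the product too, but the explicit
 * test keeps the rule visible and treats a zero size as a bug, not a request. */
void *xcalloc_demo(size_t nmemb, size_t size)
{
    void *p;

    if (nmemb == 0 || size == 0 || mul_overflows(nmemb, size))
        fatal_alloc("xcalloc", nmemb, size);
    if ((p = calloc(nmemb, size)) == NULL)
        fatal_alloc("xcalloc", nmemb, size);
    return p;
}
```

On a 64-bit platform, SIZE_MAX / 2 + 1 elements of 4 bytes wrap to a product of exactly 0, which malloc() will happily satisfy; the check function reports that request as an overflow before any allocator sees it.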
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
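What "reasonable" means for a peer's DH public value, as an added example that is not OpenSSH's dh.c: reject y <= 1 and y >= p-1 (those values fix the shared secret to a value the peer can predict whatever our private exponent is), and reject a value with only a single bit set. A bit-count test of that kind is what OpenSSH's dh_pub_is_valid() applies; the exact threshold used here, the 64-bit toy values and the function names are this example's own assumptions, and a real implementation runs the same checks on bignums.

```c
#include <stdint.h>

/* Added example, not OpenSSH code. 2^61 - 1 is a Mersenne prime used here
 * only as a constructed toy modulus so the checks can be exercised in 64 bits. */
#define DEMO_P 2305843009213693951ULL

static int popcount64(uint64_t x)
{
    int n = 0;

    while (x != 0) {
        x &= x - 1;      /* clear the lowest set bit */
        n++;
    }
    return n;
}

/*
 * Sanity-check a peer's DH public value y against the group modulus p.
 * Returns 1 if y may be used, 0 if it must be rejected:
 *   - y <= 1 or y >= p-1 (including y >= p) degenerate the shared secret
 *     to 0, 1 or p-1 regardless of our private exponent;
 *   - a value with at most one bit set (0, 1, a bare power of two) is
 *     something no honest implementation generates at random.
 */
int dh_pub_is_reasonable(uint64_t y, uint64_t p)
{
    if (p < 5)
        return 0;            /* not a usable modulus */
    if (y <= 1)
        return 0;
    if (y >= p - 1)
        return 0;
    if (popcount64(y) <= 1)
        return 0;
    return 1;
}
```

The range checks are the ones that matter for security; the bit-count check is a cheap heuristic that catches obviously malformed or non-random values without a full order check.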
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts' requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.168 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.167 |
|
31-Jan-2021 |
djm |
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
ok markus@
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return an RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying. s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.166 |
|
27-Jan-2021 |
djm |
fix leak: was double allocating kex->session_id buffer
|
#
1.165 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.164 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.163 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are disabled by default)
|
#
1.162 |
|
04-Dec-2020 |
djm |
fix minor memleak of kex->hostkey_alg on rekex
|
#
1.161 |
|
04-Dec-2020 |
djm |
typos: s/hex/kex/ in error messages
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a range of message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher; this unbreaks rekeying. s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk; makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher; this unbreaks rekeying.
s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey-related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.160 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
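The checks described in the entries above for SSH wire strings (no embedded NUL in a string that will be handled as a C string, trailing garbage after a payload rejected, a CR in the identification banner accepted only directly before the LF, and unknown EXT_INFO values kept binary-safe because they may legitimately contain NUL) can be shown together in one small reader. The code below is an added illustration written for this page, not OpenSSH's own code; the message bodies and the banner it parses are constructed samples, not captured traffic, and the "one trailing NUL tolerated" rule follows the footnote in the buffer_get_cstring() entry.

```python
"""Readers for the SSH wire 'string' type (uint32 big-endian length, then
that many bytes), with the NUL, end-of-message and banner CR checks.
Illustrative re-implementation, not OpenSSH's code."""
import struct


class ProtocolError(Exception):
    """Malformed input; a real transport would disconnect here."""


class Reader:
    def __init__(self, data):
        self.data = data
        self.off = 0

    def get_u32(self):
        if self.off + 4 > len(self.data):
            raise ProtocolError("truncated uint32")
        (value,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return value

    def get_string(self):
        """Binary-safe read: any byte value, NUL included, is allowed."""
        length = self.get_u32()
        if self.off + length > len(self.data):
            raise ProtocolError("string length %d runs past end of buffer" % length)
        body = self.data[self.off:self.off + length]
        self.off += length
        return body

    def get_cstring(self):
        """Read a string that will later be handled as a C string: reject
        embedded NUL bytes so nothing can hide behind a terminator. One
        trailing NUL is tolerated and stripped (per the log footnote)."""
        body = self.get_string()
        if body.endswith(b"\0"):
            body = body[:-1]
        if b"\0" in body:
            raise ProtocolError("embedded NUL in string")
        try:
            return body.decode("ascii")
        except UnicodeDecodeError:
            raise ProtocolError("non-ASCII byte in name") from None

    def check_eom(self):
        """Reject garbage after the last field of a message."""
        if self.off != len(self.data):
            raise ProtocolError("%d trailing bytes after payload"
                                % (len(self.data) - self.off))


def put_u32(value):
    return struct.pack(">I", value)


def put_string(body):
    return put_u32(len(body)) + body


def parse_ext_info(payload):
    """SSH2_MSG_EXT_INFO body: uint32 nr-extensions, then name/value pairs.
    Names are C strings; values stay binary-safe because an unknown
    extension may carry nested string encodings (hence NULs) in its value."""
    reader = Reader(payload)
    count = reader.get_u32()
    extensions = {}
    for _ in range(count):
        name = reader.get_cstring()
        extensions[name] = reader.get_string()
    reader.check_eom()
    return extensions


def parse_banner(line):
    """Split 'SSH-protoversion-softwareversion[ comments]'. The line must
    end in LF; a CR is accepted only immediately before that LF."""
    if not line.endswith(b"\n"):
        raise ProtocolError("banner not terminated by LF")
    body = line[:-1]
    if body.endswith(b"\r"):
        body = body[:-1]
    if b"\r" in body or b"\0" in body:
        raise ProtocolError("stray CR or NUL inside banner")
    if not body.startswith(b"SSH-"):
        raise ProtocolError("banner does not start with SSH-")
    proto, _, rest = body[4:].partition(b"-")
    software, _, comments = rest.partition(b" ")
    return (proto.decode("ascii"), software.decode("ascii"),
            comments.decode("ascii", "replace"))


def rejects(parser, data):
    """True if the parser refuses the input with ProtocolError."""
    try:
        parser(data)
    except ProtocolError:
        return True
    return False


# Constructed sample messages (not captured traffic) exercising each check.
SAMPLE_EXT_INFO = (put_u32(2)
                   + put_string(b"server-sig-algs") + put_string(b"ssh-ed25519,rsa-sha2-512")
                   + put_string(b"vendor-ext@example.com") + put_string(put_string(b"abc")))
SAMPLE_BAD_NAME = put_u32(1) + put_string(b"server-sig-algs\0junk") + put_string(b"x")
SAMPLE_TRAILING = SAMPLE_EXT_INFO + b"\xff"
```

Note the asymmetry: the extension name goes through get_cstring() and fails on the hidden "\0junk", while the vendor value containing a nested string (which starts with three NUL length bytes) is accepted unchanged; treating both the same way was the bug described in the entry above.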
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
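The '+' (append), '-' (remove) and '^' (prepend) modifiers described in the entries for 1.109, 1.128, 1.138 and 1.154 are easiest to understand as operations on the default list, with wildcards expanded against the table of supported names and no pattern-list negation. The block below is an added example written for this page, not OpenSSH's implementation; its supported and default cipher tables are constructed stand-ins, and the "empty result is an error" rule is the example's own choice.

```python
"""Applying the '+', '-' and '^' modifiers of ssh_config/sshd_config
algorithm lists to a default list. Illustrative re-implementation,
not OpenSSH's code."""
import fnmatch

# Constructed sample tables standing in for the real supported/default lists.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


class AlgorithmListError(ValueError):
    """Configuration error: unknown name, empty entry, negation, empty result."""


def split_patterns(spec):
    """Comma-separated entries; wildcards are allowed, '!' negation is not."""
    patterns = [p.strip() for p in spec.split(",")]
    if any(p == "" for p in patterns):
        raise AlgorithmListError("empty entry in algorithm list %r" % spec)
    for p in patterns:
        if p.startswith("!"):
            raise AlgorithmListError("negation %r is not supported" % p)
    return patterns


def expand(spec, supported):
    """Expand names and wildcards against the supported table. Wildcard
    matches keep the table's order, a literal name must be supported,
    and duplicates are dropped."""
    result = []
    for pattern in split_patterns(spec):
        if any(c in pattern for c in "*?"):
            matches = [a for a in supported if fnmatch.fnmatchcase(a, pattern)]
        elif pattern in supported:
            matches = [pattern]
        else:
            raise AlgorithmListError("unsupported algorithm %r" % pattern)
        for alg in matches:
            if alg not in result:
                result.append(alg)
    return result


def assemble(spec, default, supported):
    """Return the effective, fully expanded list for one config value
    (what a config dump such as 'ssh -G' would print)."""
    if spec.startswith("+"):          # append to the default
        extra = expand(spec[1:], supported)
        result = list(default) + [a for a in extra if a not in default]
    elif spec.startswith("^"):        # move/add to the front of the default
        head = expand(spec[1:], supported)
        result = head + [a for a in default if a not in head]
    elif spec.startswith("-"):        # remove from the default; non-matching patterns are harmless
        patterns = split_patterns(spec[1:])
        result = [a for a in default
                  if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    else:                             # a plain list replaces the default
        result = expand(spec, supported)
    if not result:
        raise AlgorithmListError("algorithm list %r leaves nothing enabled" % spec)
    return result


def is_rejected(spec, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """True if the config value is refused with AlgorithmListError."""
    try:
        assemble(spec, default, supported)
    except AlgorithmListError:
        return True
    return False
```

Expanding at configuration time, rather than at negotiation time, is what makes a typo such as "Ciphers rot13-cipher" fail on startup instead of silently offering nothing, and it is why "-*" is refused outright rather than producing a server that cannot negotiate any cipher.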
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch by Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
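Several entries above concern the algorithm agreement step of KEXINIT: the chosen algorithm for each field is the first entry in the client's list that the server also offers (1.1, 1.110), a failure should be logged together with the peer's offer (1.107, 1.108), host key algorithm names carry the ECDSA curve so matching by name also matches the curve (1.104), and a first_kex_packet_follows guess is only usable when both peers lead with the same kex and host key algorithm (1.53, 1.115). The block below is an added example written for this page, not OpenSSH's code; the two proposals are constructed samples, and the RFC 4253 constraint that the kex method's host key requirements (encryption-capable/signature-capable) be satisfied is left out for brevity.

```python
"""Algorithm agreement between two KEXINIT proposals.
Illustrative re-implementation, not OpenSSH's code."""

FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c",
          "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c")


class NegotiationError(Exception):
    pass


def namelist(value):
    """Parse a wire name-list: comma separated, no spaces, empties dropped."""
    return [n for n in value.split(",") if n]


def choose(field, client_list, server_list):
    """First entry of the client's list that the server also offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    # Both offers go into the error so the failure is diagnosable from the log.
    raise NegotiationError(
        "Unable to negotiate %s: no matching algorithm found. "
        "client offer: %s; server offer: %s"
        % (field, ",".join(client_list), ",".join(server_list)))


def negotiate(client, server, first_kex_follows=False):
    """client/server map FIELDS to name-list strings.
    Returns (chosen, guess_ok, debug_lines)."""
    chosen, debug = {}, []
    for field in FIELDS:
        c, s = namelist(client[field]), namelist(server[field])
        chosen[field] = choose(field, c, s)
        debug.append("%s: client %s / server %s -> %s"
                     % (field, ",".join(c), ",".join(s), chosen[field]))
    guess_ok = False
    if first_kex_follows:
        # The guessed first kex packet may only be used if both sides put the
        # same kex and host key algorithm first; otherwise it must be discarded.
        guess_ok = (namelist(client["kex"])[0] == namelist(server["kex"])[0]
                    and namelist(client["hostkey"])[0] == namelist(server["hostkey"])[0])
    return chosen, guess_ok, debug


def negotiation_failure(client, server):
    """The error text if negotiation fails, else None."""
    try:
        negotiate(client, server)
    except NegotiationError as e:
        return str(e)
    return None


# Constructed sample proposals (not captured traffic). Note the server's
# ECDSA host key is on nistp384 while the client asks for nistp256: the curve
# is part of the name, so they do not match and ssh-ed25519 is chosen.
CLIENT = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256",
    "hostkey": "ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512",
    "enc_c2s": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "enc_s2c": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "mac_c2s": "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
    "mac_s2c": "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
    "comp_c2s": "none,zlib@openssh.com",
    "comp_s2c": "none,zlib@openssh.com",
}
SERVER = {
    "kex": "diffie-hellman-group14-sha256,curve25519-sha256",
    "hostkey": "ecdsa-sha2-nistp384,ssh-ed25519",
    "enc_c2s": "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
    "enc_s2c": "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
    "mac_c2s": "hmac-sha2-256,hmac-sha2-256-etm@openssh.com",
    "mac_s2c": "hmac-sha2-256,hmac-sha2-256-etm@openssh.com",
    "comp_c2s": "none",
    "comp_s2c": "none",
}
```

The client's order wins in every field, which is why a server that wants to retire an algorithm must remove it from its own list rather than merely rank it last; and the guess check is deliberately stricter than "some algorithm matches", since the already-sent packet was built for the client's first choice only.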
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
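The entries for 1.127 (unregister the KEXINIT handler once a KEXINIT has been consumed, so an unauthenticated peer cannot force repeated proposal allocations), 1.131 (KEXINIT before NEWKEYS is disallowed), 1.122 (an early NEWKEYS must not reach a handler whose state does not exist yet), 1.112 and 1.38 (unexpected messages during KEX get SSH2_MSG_UNIMPLEMENTED carrying the offending sequence number) and 1.49 (a fresh cookie for every KEXINIT sent) all describe the same dispatcher state machine. The block below is an added sketch written for this page, not OpenSSH's code; its states, handler names and the choice to treat a repeated KEXINIT as a disconnect (rather than an UNIMPLEMENTED reply) are the example's own, and the message numbers are the standard SSH2 values.

```python
"""A minimal server-side dispatcher around key exchange.
Illustrative sketch, not OpenSSH's code."""
import os
import struct

SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEXDH_INIT = 30
SSH2_MSG_KEXDH_REPLY = 31
SSH2_MSG_CHANNEL_DATA = 94
KEX_COOKIE_LEN = 16


class Disconnect(Exception):
    """Fatal protocol violation: the connection is torn down."""


class ServerTransport:
    def __init__(self):
        self.handlers = {}
        self.state = "idle"        # idle -> kex -> done; rekeying goes done -> kex
        self.seqnr = 0             # sequence number of the next incoming packet
        self.sent = []             # (message type, payload) we would transmit
        self.peer_proposals = []   # every peer KEXINIT we actually parsed and kept
        self.cookies = []          # cookie of every KEXINIT we sent
        self.register(SSH2_MSG_KEXINIT, self.on_kexinit)

    def register(self, msg, handler):
        self.handlers[msg] = handler

    def unregister(self, msg):
        self.handlers.pop(msg, None)

    def send_kexinit(self):
        cookie = os.urandom(KEX_COOKIE_LEN)   # fresh randomness per KEXINIT
        self.cookies.append(cookie)
        self.sent.append((SSH2_MSG_KEXINIT, cookie))

    def on_kexinit(self, seq, payload):
        # Keep the peer's proposal (this is the allocation a repeated KEXINIT
        # would otherwise trigger again and again), then stop listening for
        # KEXINIT until this exchange has completed with NEWKEYS.
        self.peer_proposals.append(payload)
        self.unregister(SSH2_MSG_KEXINIT)
        self.state = "kex"
        self.send_kexinit()
        self.register(SSH2_MSG_KEXDH_INIT, self.on_kexdh_init)

    def on_kexdh_init(self, seq, payload):
        self.unregister(SSH2_MSG_KEXDH_INIT)
        self.sent.append((SSH2_MSG_KEXDH_REPLY, b""))
        self.sent.append((SSH2_MSG_NEWKEYS, b""))
        # Only now is there key material for an incoming NEWKEYS to activate.
        self.register(SSH2_MSG_NEWKEYS, self.on_newkeys)

    def on_newkeys(self, seq, payload):
        self.unregister(SSH2_MSG_NEWKEYS)
        self.state = "done"
        self.register(SSH2_MSG_KEXINIT, self.on_kexinit)   # rekeying allowed again

    def receive(self, msg, payload=b""):
        """Deliver one incoming packet to its handler."""
        seq = self.seqnr
        self.seqnr += 1
        handler = self.handlers.get(msg)
        if handler is not None:
            return handler(seq, payload)
        if msg == SSH2_MSG_KEXINIT and self.state == "kex":
            # The handler is deliberately absent: a second KEXINIT before
            # NEWKEYS is a violation, not something to parse and store again.
            raise Disconnect("KEXINIT received before NEWKEYS (seqnr %d)" % seq)
        # Anything else unexpected: answer UNIMPLEMENTED with its sequence
        # number so the peer can tell which packet was rejected, and carry on.
        self.sent.append((SSH2_MSG_UNIMPLEMENTED, struct.pack(">I", seq)))
        return None

    def unimplemented_seqnrs(self):
        return [struct.unpack(">I", p)[0]
                for t, p in self.sent if t == SSH2_MSG_UNIMPLEMENTED]


def disconnects(transport, msg, payload=b""):
    """True if delivering the packet tears the connection down."""
    try:
        transport.receive(msg, payload)
    except Disconnect:
        return True
    return False
```

The property worth checking is not that the second KEXINIT is rejected, but that rejecting it costs nothing: peer_proposals stays at one entry however many KEXINITs arrive before NEWKEYS, which is exactly the resource the 1.127 entry says a pre-auth peer could otherwise grow without bound.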
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/recevied host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.159 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport- layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/recevied host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'.
dispatch_range(): set handler for a range of message types.
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.158 |
|
13-Mar-2020 |
djm |
use sshpkt_fatal() for kex_exchange_identification() errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if I understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.157 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after the message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch by Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.156 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending an SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return an RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related clientup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
#
1.155 |
|
08-Oct-2019 |
dtucker |
Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt.
|
#
1.154 |
|
06-Sep-2019 |
naddy |
Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
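The \r rule from 1.143 in context: an identification-string reader along the lines of RFC 4253 section 4.2 that skips pre-banner lines, caps line length, and treats a \r not immediately followed by \n as a protocol error. This is an added example in Python, not the kex.c banner code; the sample streams and the 1024-line pre-banner cap are constructed for the illustration.

```python
MAX_LINE_LEN = 255           # RFC 4253 4.2: identification line including CR LF
MAX_PRE_BANNER_LINES = 1024  # assumed cap on lines a peer may send before "SSH-"


class BannerError(ValueError):
    """A protocol error; the real code would disconnect."""


def _read_line(stream, pos):
    """Return (line, new_pos). CR is legal only immediately before LF."""
    line = bytearray()
    while True:
        if pos >= len(stream):
            raise BannerError("connection closed before identification line")
        c = stream[pos]
        pos += 1
        if c == 0x0D:                      # '\r' must be followed by '\n'
            if pos >= len(stream) or stream[pos] != 0x0A:
                raise BannerError("\\r not followed by \\n in identification line")
            return bytes(line), pos + 1
        if c == 0x0A:                      # bare '\n': tolerated for old peers
            return bytes(line), pos
        if c == 0x00:
            raise BannerError("NUL byte in identification line")
        line.append(c)
        if len(line) > MAX_LINE_LEN - 2:   # leave room for CR LF
            raise BannerError("identification line too long")


def parse_identification(stream):
    """Parse the peer's identification string from the start of a byte stream.

    Returns proto, software, comment and the offset where the binary packet
    protocol begins. Lines before "SSH-" are skipped, as RFC 4253 requires
    of clients.
    """
    pos = 0
    for _ in range(MAX_PRE_BANNER_LINES):
        line, pos = _read_line(stream, pos)
        if not line.startswith(b"SSH-"):
            continue
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            raise BannerError("non-ASCII identification line")
        ident, _, comment = text.partition(" ")
        parts = ident.split("-", 2)        # ["SSH", protoversion, softwareversion]
        if len(parts) != 3 or not parts[2]:
            raise BannerError(f"malformed identification line {text!r}")
        proto, software = parts[1], parts[2]
        if proto not in ("2.0", "1.99"):
            raise BannerError(f"unsupported protocol version {proto}")
        return {"proto": proto, "software": software, "comment": comment, "offset": pos}
    raise BannerError("too many lines before identification line")


def rejects(stream):
    """True if parse_identification() raises BannerError on stream."""
    try:
        parse_identification(stream)
    except BannerError:
        return True
    return False


# Constructed inputs; the bytes after the CRLF in GOOD stand for the first binary packet.
GOOD = b"SSH-2.0-OpenSSH_9.7\r\n\x00\x00\x00\x0c"
WITH_PREAMBLE = b"Welcome to example-host\r\nSSH-2.0-OpenSSH_9.7 constructed-comment\r\n"
STRAY_CR = b"SSH-2.0-Open\rSSH_9.7\r\n"
```

The offset returned is where a caller would hand the stream to the packet layer; everything before it is the identification exchange and nothing in it is MACed, which is why a stray \r (or any other liberty in parsing) is worth refusing rather than tolerating.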
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
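The matching rule from 1.137, written out for both sides. This is an added Python example, not sshkey_check_sigtype() or sshd's userauth code: the signature blobs are placeholders that carry only the type string, the accepted-algorithm list is matched by exact name rather than by the option's wildcard syntax, and old_agent_sign() is a constructed stand-in for an agent that ignores the RSA-SHA2 request.

```python
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"


def put_string(data):
    return struct.pack(">I", len(data)) + data


def get_string(buf, off=0):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def sigalg_for(pk_algorithm):
    """Signature type that must appear inside the blob for a public-key
    algorithm name: certificate algorithms sign with their base type."""
    if pk_algorithm.endswith(CERT_SUFFIX):
        return pk_algorithm[:-len(CERT_SUFFIX)]
    return pk_algorithm


def key_name(pk_algorithm):
    """Canonical key type name: rsa-sha2-* are signature algorithms over an ssh-rsa key."""
    cert = pk_algorithm.endswith(CERT_SUFFIX)
    base = sigalg_for(pk_algorithm)
    if base.startswith("rsa-sha2-"):
        base = "ssh-rsa"
    return base + CERT_SUFFIX if cert else base


def sig_type(sig_blob):
    """Blob layout is: string type, string raw-signature (RFC 4253 6.6)."""
    t, _ = get_string(sig_blob)
    return t.decode("ascii")


def check_sigtype(sig_blob, pk_algorithm):
    return sig_type(sig_blob) == sigalg_for(pk_algorithm)


def server_accepts(pk_algorithm, sig_blob, accepted):
    """sshd side: the algorithm named in SSH_MSG_USERAUTH_REQUEST must be in the
    accepted list (a list of signature algorithms, so it can ban ssh-rsa while
    allowing rsa-sha2-*), and the blob's type must match that name."""
    if pk_algorithm not in accepted.split(","):
        return False, f"{pk_algorithm} not in the accepted algorithm list"
    if not check_sigtype(sig_blob, pk_algorithm):
        return False, f"signature type {sig_type(sig_blob)} does not match {pk_algorithm}"
    return True, "ok"


def client_sign(agent_sign, pk_algorithm):
    """ssh side: ask the agent for pk_algorithm; if it hands back another type,
    retry once with the canonical key type so request and signature agree."""
    blob = agent_sign(pk_algorithm)
    if check_sigtype(blob, pk_algorithm):
        return pk_algorithm, blob
    fallback = key_name(pk_algorithm)
    blob = agent_sign(fallback)
    if not check_sigtype(blob, fallback):
        raise ValueError("agent returned a signature of an unexpected type twice")
    return fallback, blob


# Constructed placeholders: the inner bytes are fixed, only the type string matters here.
def fake_sig(sig_type_name):
    return put_string(sig_type_name.encode("ascii")) + put_string(b"\x5a" * 32)


def new_agent_sign(pk_algorithm):
    """Agent that honours the requested signature algorithm."""
    return fake_sig(sigalg_for(pk_algorithm))


def old_agent_sign(pk_algorithm):
    """Agent that ignores the RSA-SHA2 flags and always signs RSA keys with SHA-1."""
    return fake_sig(sigalg_for(key_name(pk_algorithm)))


# Constructed sshd_config-style list with SHA-1 RSA deliberately left out.
ACCEPTED = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"
```

The server check closes the gap where a client could name rsa-sha2-256 in the request and still present an ssh-rsa (SHA-1) signature; the client retry keeps a well-behaved ssh usable with an agent that predates RSA-SHA2, at the cost of then offering the algorithm the server may have banned.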
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
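How the EXT_INFO rules from 1.119, 1.134, 1.142 and 1.151 look when written out: an added Python example, not OpenSSH's kex_input_ext_info()/kex_send_ext_info(), that builds and parses SSH_MSG_EXT_INFO (wire layout per RFC 8308), keeps unknown extension values opaque so NUL bytes inside them are not an error, rejects trailing bytes after the payload, and takes the server-side decision on whether to send EXT_INFO at all. The vendor extension name and all payloads are constructed.

```python
import struct

SSH2_MSG_EXT_INFO = 7


def put_string(data):
    return struct.pack(">I", len(data)) + data


def get_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_ext_info(extensions):
    """extensions: list of (name, value_bytes) pairs."""
    msg = bytes([SSH2_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        msg += put_string(name.encode("ascii")) + put_string(value)
    return msg


def parse_ext_info(msg):
    """Return {name: value}. server-sig-algs is decoded as a name-list; every
    other extension is kept as opaque bytes, NUL bytes included."""
    if len(msg) < 5 or msg[0] != SSH2_MSG_EXT_INFO:
        raise ValueError("not an EXT_INFO message")
    (count,) = struct.unpack_from(">I", msg, 1)
    off = 5
    result = {}
    for _ in range(count):
        raw_name, off = get_string(msg, off)
        value, off = get_string(msg, off)
        name = raw_name.decode("ascii")
        if name == "server-sig-algs":
            # A name-list: printable US-ASCII, comma separated, so a NUL is an
            # error here (the cstring-style read a known extension gets).
            if b"\x00" in value:
                raise ValueError("server-sig-algs contains a NUL byte")
            result[name] = value.decode("ascii").split(",")
        else:
            # Unknown extension: a value may legitimately be string-encoded
            # sub-values, which contain length prefixes with NUL bytes.
            result[name] = value
    if off != len(msg):
        raise ValueError("trailing bytes after EXT_INFO payload")
    return result


def server_sends_ext_info(peer_kex_algorithms, initial_kex):
    """Server-side decision, taken from the KEXINIT just received: send only if
    the client advertised ext-info-c, and only in the first key exchange of
    the connection; ext-info-c in a rekey KEXINIT is ignored."""
    if not initial_kex:
        return False
    return "ext-info-c" in peer_kex_algorithms.split(",")


def parse_fails(msg):
    try:
        parse_ext_info(msg)
    except ValueError:
        return True
    return False


# Constructed sample: a server-sig-algs list plus a hypothetical vendor
# extension whose value is two SSH strings, so it contains NUL bytes.
SAMPLE_EXT_INFO = build_ext_info([
    ("server-sig-algs", b"ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"),
    ("vendor-ext@example.com", put_string(b"sub1") + put_string(b"sub2")),
])
```

The split between known and unknown extensions is the practical point: validate the ones you interpret, pass the rest through untouched, and never let an unrecognised extension bring the connection down.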
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
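The three receive-side rules above (1.131: no KEXINIT before NEWKEYS; 1.127: the KEXINIT handler is one-shot; 1.112: unexpected messages during KEX get SSH2_MSG_UNIMPLEMENTED rather than a disconnect) fit in one small dispatch model. This is an added Python example, not sshd's dispatcher: message numbers are the RFC ones, the traces are constructed, the UNIMPLEMENTED reply carries the rejected packet's sequence number as RFC 4253 requires, and the optional strict flag models the later strict key exchange extension (any unexpected packet in the initial exchange is fatal) as an assumption about that extension, not something this log states.

```python
# Message numbers from RFC 4253 (transport), RFC 4252 (userauth) and RFC 5656 (ECDH).
SSH2_MSG_DISCONNECT = 1
SSH2_MSG_IGNORE = 2
SSH2_MSG_UNIMPLEMENTED = 3
SSH2_MSG_DEBUG = 4
SSH2_MSG_KEXINIT = 20
SSH2_MSG_NEWKEYS = 21
SSH2_MSG_KEX_ECDH_INIT = 30
SSH2_MSG_KEX_ECDH_REPLY = 31
SSH2_MSG_TRANSPORT_MAX = 49
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_CHANNEL_DATA = 94


class ProtocolError(Exception):
    """Fatal for the connection; the real code disconnects here."""


class KexServer:
    """Server-side dispatch model for key exchange (an illustration, not sshd's code)."""

    def __init__(self, strict=False):
        self.strict = strict        # strict KEX negotiated: unexpected packets in the initial KEX are fatal
        self.initial = True         # no key exchange completed yet
        self.in_kex = False         # KEXINIT received, peer's NEWKEYS not yet
        self.kexinit_sent = False
        self.proposals = []         # peer KEXINIT payloads we kept: bounded to one per exchange
        self.sent = []              # (type, payload) pairs written to the wire
        self.handlers = {SSH2_MSG_KEXINIT: self.input_kexinit}

    def send(self, msg_type, payload=b""):
        self.sent.append((msg_type, payload))

    def protocol_error(self, seqnr, msg_type):
        """Answer an unexpected packet with UNIMPLEMENTED carrying its seqnr."""
        if self.strict and self.initial:
            raise ProtocolError(f"strict KEX violation: unexpected type {msg_type} seq {seqnr}")
        self.send(SSH2_MSG_UNIMPLEMENTED, seqnr.to_bytes(4, "big"))

    def dispatch_run(self, seqnr, msg_type, payload=b""):
        if msg_type in (SSH2_MSG_IGNORE, SSH2_MSG_DEBUG):
            return                                      # always allowed
        if msg_type == SSH2_MSG_DISCONNECT:
            raise ProtocolError("peer disconnected")
        if self.in_kex and msg_type > SSH2_MSG_TRANSPORT_MAX:
            # RFC 4253 7.1: between KEXINIT and NEWKEYS only transport messages (1-49) may appear
            raise ProtocolError(f"type {msg_type} received during key exchange")
        handler = self.handlers.get(msg_type)
        if handler is None:
            self.protocol_error(seqnr, msg_type)
        else:
            handler(seqnr, payload)

    def send_kexinit(self):
        if not self.kexinit_sent:
            self.send(SSH2_MSG_KEXINIT, b"server-proposal")
            self.kexinit_sent = True

    def input_kexinit(self, seqnr, payload):
        if self.in_kex:
            raise ProtocolError("KEXINIT received before NEWKEYS")
        # Unregister first: a repeated KEXINIT lands in protocol_error() and is
        # never parsed or stored again, so repeats cannot make us allocate.
        self.handlers[SSH2_MSG_KEXINIT] = None
        self.in_kex = True
        self.proposals.append(payload)
        self.send_kexinit()
        self.handlers[SSH2_MSG_KEX_ECDH_INIT] = self.input_ecdh_init

    def input_ecdh_init(self, seqnr, payload):
        self.handlers[SSH2_MSG_KEX_ECDH_INIT] = None
        self.send(SSH2_MSG_KEX_ECDH_REPLY, b"hostkey,Q_S,signature")
        # Send NEWKEYS and re-arm KEXINIT for the next rekey; until the peer's
        # NEWKEYS arrives, in_kex makes a KEXINIT fatal in input_kexinit().
        self.send(SSH2_MSG_NEWKEYS)
        self.handlers[SSH2_MSG_KEXINIT] = self.input_kexinit
        self.handlers[SSH2_MSG_NEWKEYS] = self.input_newkeys

    def input_newkeys(self, seqnr, payload):
        self.handlers[SSH2_MSG_NEWKEYS] = None
        self.in_kex = False
        self.initial = False
        self.kexinit_sent = False


def run(messages, strict=False):
    """Feed (seqnr, type, payload) triples; return (server, error text or None)."""
    srv = KexServer(strict=strict)
    for seqnr, msg_type, payload in messages:
        try:
            srv.dispatch_run(seqnr, msg_type, payload)
        except ProtocolError as e:
            return srv, str(e)
    return srv, None


# Constructed traces; payloads are placeholders, only types and seqnrs matter here.
NORMAL = [(0, SSH2_MSG_KEXINIT, b"client-proposal"), (1, SSH2_MSG_KEX_ECDH_INIT, b"Q_C"),
          (2, SSH2_MSG_NEWKEYS, b"")]
REPEATED_KEXINIT = [(0, SSH2_MSG_KEXINIT, b"p1"), (1, SSH2_MSG_KEXINIT, b"p2"),
                    (2, SSH2_MSG_KEX_ECDH_INIT, b"Q_C"), (3, SSH2_MSG_NEWKEYS, b"")]
KEXINIT_BEFORE_NEWKEYS = [(0, SSH2_MSG_KEXINIT, b"p1"), (1, SSH2_MSG_KEX_ECDH_INIT, b"Q_C"),
                          (2, SSH2_MSG_KEXINIT, b"p2")]
CHANNEL_DURING_KEX = [(0, SSH2_MSG_KEXINIT, b"p1"), (1, SSH2_MSG_CHANNEL_DATA, b"x")]
REKEY = NORMAL + [(3, SSH2_MSG_KEXINIT, b"p3"), (4, SSH2_MSG_KEX_ECDH_INIT, b"Q_C2"),
                  (5, SSH2_MSG_NEWKEYS, b"")]
```

The REPEATED_KEXINIT trace is the 1.127 case: the second KEXINIT costs the server one UNIMPLEMENTED reply and no state, where before the fix each repeat was parsed and stored again by an unauthenticated peer.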
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
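The '+', '-' and '^' prefixes introduced in 1.109, 1.128 and 1.154, and the wildcard rule clarified in 1.138, can be read as one assembly procedure. The Python below is an added illustration of that procedure and is not OpenSSH's kex_assemble_names(); the cipher lists are constructed for the example, and a plain name that matches nothing is silently dropped here rather than reported as a bad spec the way the real option parser does.

```python
import re

# Constructed lists; the real values come from "ssh -Q cipher" and the
# compiled-in default in the OpenSSH tree.
SUPPORTED_CIPHERS = (
    "3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,"
    "aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"
)
DEFAULT_CIPHERS = (
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
)


def match_pattern(name, pattern):
    """Glob in the style of match_pattern(): '*' is any run, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, name) is not None


def names_cat(first, second):
    """first, then the names of second not already present (no duplicates)."""
    out = list(first)
    for name in second:
        if name and name not in out:
            out.append(name)
    return out


def assemble_names(spec, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Expand an algorithm-list directive.

    ""       -> the default list
    "+list"  -> default, then the names matching list
    "-list"  -> default minus the names matching list
    "^list"  -> names matching list,  then the default
    "list"   -> exactly the names matching list
    Entries may use '*' and '?', but this is not a pattern-list: '!' is rejected.
    """
    default = default.split(",")
    supported = supported.split(",")
    if spec == "":
        return default
    if spec[0] == "+":
        candidates = names_cat(default, spec[1:].split(","))
    elif spec[0] == "-":
        patterns = spec[1:].split(",")
        if any(p.startswith("!") for p in patterns):
            raise ValueError("negated patterns are not supported in algorithm lists")
        return [n for n in default if not any(match_pattern(n, p) for p in patterns)]
    elif spec[0] == "^":
        candidates = names_cat(spec[1:].split(","), default)
    else:
        candidates = spec.split(",")

    # Each remaining entry is a pattern: expand it against the supported set
    # (in the supported set's order), then append without duplicates, so the
    # final list is fully expanded and "ssh -G" style dumps show real names.
    result = []
    for pattern in candidates:
        if pattern.startswith("!"):
            raise ValueError("negated patterns are not supported in algorithm lists")
        matching = [n for n in supported if match_pattern(n, pattern)]
        result = names_cat(result, matching)
    if not result:
        raise ValueError(f"no supported algorithm matches {spec!r}")
    return result


def is_rejected(spec):
    try:
        assemble_names(spec)
    except ValueError:
        return True
    return False
```

Two consequences worth knowing when hardening a config: "-" only ever removes from the default (it cannot re-add something the default lacks), and a wildcard in "+" or "^" expands in the supported set's order, not in any preference order you might intend.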
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
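1.3, 1.22, 1.96 and 1.97 are all about sizing and validating the Diffie-Hellman exchange, and 1.11 about asking for a large enough group. The Python below is an added example, not dh.c or kex.c: it uses the RFC 2409 group 2 prime only to make the arithmetic concrete (that group is long obsolete for real use), a constructed cipher-parameter table, and dh_estimate() thresholds and a 256-bit exponent floor that are assumptions about the current dh.c rather than facts recorded in this log.

```python
import secrets

# Oakley group 2 (RFC 2409 6.2): the 1024-bit MODP prime behind the obsolete
# diffie-hellman-group1-sha1 method. The checks below do not depend on the group.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2

# (key_len, block_size, iv_len) in bytes; constructed from the usual cipher
# parameters, not read from the OpenSSH cipher table.
CIPHERS = {
    "3des-cbc": (24, 8, 8),
    "aes128-ctr": (16, 16, 16),
    "aes256-ctr": (32, 16, 16),
    "aes256-gcm@openssh.com": (32, 16, 12),
    "chacha20-poly1305@openssh.com": (64, 8, 0),
}


def cipher_seclen(name):
    """Effective security in bytes: 3DES is keyed with 24 bytes but is 112-bit strong (1.96)."""
    return 14 if name == "3des-cbc" else CIPHERS[name][0]


def dh_need_bytes(cipher, mac_key_len):
    """The strength the exchange has to deliver (1.97): max over every keyed quantity."""
    key_len, block_size, iv_len = CIPHERS[cipher]
    return max(cipher_seclen(cipher), block_size, iv_len, mac_key_len)


def dh_estimate(need_bits):
    """Group size to request in DH group exchange for a given strength in bits.
    Thresholds follow NIST SP 800-57 equivalences; assumed, check dh.c."""
    if need_bits <= 112:
        return 2048
    if need_bits <= 128:
        return 3072
    if need_bits <= 192:
        return 7680
    return 8192


def dh_pub_is_valid(pub, p):
    """Reject public values that collapse the shared secret or make log_g trivial (1.3)."""
    if pub <= 1:                      # 0, 1 and negatives give a secret of 0 or 1
        return False
    if pub >= p - 1:                  # p-1 gives a secret of +-1
        return False
    if bin(pub).count("1") < 4:       # e.g. a power of two with g = 2: exponent is read off directly
        return False
    return True


def private_exponent_bits(need_bits, p):
    """A 2*need-bit private exponent instead of a full-size one (1.22): square-root
    attacks (van Oorschot and Wiener) cost 2^(bits/2), so 2*need keeps the target."""
    pbits = p.bit_length()
    if need_bits <= 0 or 2 * need_bits > pbits:
        raise ValueError("group too small for the requested strength")
    need_bits = max(need_bits, 256)   # floor; an assumption about the current dh.c
    return min(2 * need_bits, pbits - 1)


def dh_gen_key(need_bits, p=GROUP1_P, g=GENERATOR):
    """Return (private, public) with a fresh exponent of the computed size."""
    bits = private_exponent_bits(need_bits, p)
    while True:
        x = secrets.randbits(bits) | (1 << (bits - 1))   # exactly `bits` bits set
        y = pow(g, x, p)
        if dh_pub_is_valid(y, p):
            return x, y


def dh_shared(need_bits, p=GROUP1_P, g=GENERATOR):
    """Full exchange between two parties; each validates the value it receives."""
    xa, ya = dh_gen_key(need_bits, p, g)
    xb, yb = dh_gen_key(need_bits, p, g)
    if not (dh_pub_is_valid(yb, p) and dh_pub_is_valid(ya, p)):
        raise ValueError("invalid public DH value")
    return pow(yb, xa, p), pow(ya, xb, p)


def group_too_small(need_bits, p=GROUP1_P):
    try:
        private_exponent_bits(need_bits, p)
    except ValueError:
        return True
    return False
```

With chacha20-poly1305 the need is 64 bytes, so a 1024-bit group cannot even hold a 2*need exponent comfortably; that is the arithmetic behind preferring the larger fixed groups or group exchange.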
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.153 |
|
06-Sep-2019 |
djm |
better error code for bad arguments; inspired by https://github.com/openssh/openssh-portable/pull/144 by Ed Maste
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise they percolate all the way up to dispatch_run_fatal() and lose all meaningful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs. Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve types (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len); ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key types and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk; makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher; this unbreaks rekeying. s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.152 |
|
05-Sep-2019 |
djm |
sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context
to help with bz#3063; ok dtucker@
|
#
1.151 |
|
05-Sep-2019 |
djm |
only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.150 |
|
21-Jan-2019 |
djm |
fix reversed arguments to kex_load_hostkey(); manifested as errors in cert-hostkey.sh regress failures.
|
#
1.149 |
|
21-Jan-2019 |
djm |
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen
from markus@ ok djm@
|
#
1.148 |
|
21-Jan-2019 |
djm |
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM
from markus@ ok djm@
|
#
1.147 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.146 |
|
21-Jan-2019 |
djm |
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods.
from markus@ ok djm@
|
#
1.145 |
|
21-Jan-2019 |
djm |
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods.
from markus@ ok djm@
|
#
1.144 |
|
21-Jan-2019 |
djm |
save the derived session id in kex_derive_keys() rather than making each kex method implementation do it.
from markus@ ok djm@
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying; s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for the move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts' requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.143 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepare for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying. s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with an SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying: don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.142 |
|
07-Dec-2018 |
djm |
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX to these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.141 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.140 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.139 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return an RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch from Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.138 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
#
1.137 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so, it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cat to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a range of message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.136 |
|
07-Feb-2018 |
jsing |
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
ok deraadt@ dtucker@
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher, this unbreaks rekeying s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok stevesk@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'. dispatch_range(): set handler for a range of message types. use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement). serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great german advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
#
1.135 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston va bz#2515
|
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/recevied host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.70 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.69 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.68 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.67 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.66 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.65 |
|
04-Nov-2005 |
djm |
branches: 1.65.2; remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.64 |
|
25-Jul-2005 |
markus |
branches: 1.64.2; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.63 |
|
17-Jul-2005 |
djm |
knf says that a 2nd level indent is four (not three or five) spaces
|
#
1.62 |
|
16-Jul-2005 |
djm |
spacing
|
#
1.61 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.60 |
|
21-Jun-2004 |
avsm |
branches: 1.60.2; 1.60.4; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.59 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.58 |
|
09-May-2004 |
djm |
don't overwrite what we are trying to compute
|
#
1.57 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.56 |
|
21-Nov-2003 |
djm |
branches: 1.56.2; unexpand and delete whitespace at EOL; ok markus@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.55 |
|
01-Apr-2003 |
markus |
branches: 1.55.2; bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; tested by ho@ and myself
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.54 |
|
16-Feb-2003 |
markus |
branches: 1.54.2; split kex into client and server code, no need to link server code into the client; ok provos@
|
#
1.53 |
|
02-Feb-2003 |
markus |
add support for key exchange guesses; based on work by avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
|
#
1.52 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.51 |
|
24-Jun-2002 |
markus |
branches: 1.51.2; cast to (void) when output from buffer_get_X is ignored
|
#
1.50 |
|
15-May-2002 |
mouring |
'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.49 |
|
26-Mar-2002 |
markus |
branches: 1.49.2; generate a new cookie for each SSH2_MSG_KEXINIT message we send out
|
#
1.48 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; it's turned off by default for now. work done by me and markus@
|
#
1.47 |
|
28-Feb-2002 |
markus |
add some const EVP_MD for openssl-0.9.7
|
#
1.46 |
|
23-Feb-2002 |
markus |
don't allow garbage after payload.
|
#
1.45 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.44 |
|
11-Feb-2002 |
markus |
restore kexinit handler if we reset the dispatcher; this unbreaks rekeying. s/kex_clear_dispatch/kex_reset_dispatch/
|
#
1.43 |
|
25-Jan-2002 |
markus |
use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@
|
#
1.42 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after successful authentication (the draft's requirement).
serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.
|
#
1.41 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.40 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.39 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.38 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.37 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.36 |
|
25-Jun-2001 |
markus |
branches: 1.36.2; update copyright for 2001
|
#
1.35 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.34 |
|
30-Apr-2001 |
markus |
allow interop with weaker key generation used by ssh-2.0.x, x < 10
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
05-Apr-2001 |
markus |
branches: 1.33.2; fix whitespace: unexpand + trailing spaces.
|
#
1.32 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.31 |
|
04-Apr-2001 |
markus |
parse full kexinit packet. make server-side more robust, too.
|
#
1.30 |
|
04-Apr-2001 |
markus |
more robust rekeying don't send channel data after rekeying is started.
|
#
1.29 |
|
04-Apr-2001 |
markus |
enable server side rekeying + some rekey related cleanup. todo: we should not send any non-KEX messages after we send KEXINIT
|
#
1.28 |
|
04-Apr-2001 |
markus |
don't send multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.27 |
|
03-Apr-2001 |
markus |
undo parts of my recent changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.26 |
|
03-Apr-2001 |
markus |
move kex to kex*.c, use dispatch_set() callbacks for kex. should make rekeying easier.
|
#
1.25 |
|
29-Mar-2001 |
markus |
prepare for rekeying: move DH code to dh.c
|
#
1.24 |
|
28-Mar-2001 |
provos |
forgot to include min and max params in hash, okay markus@
|
#
1.23 |
|
10-Mar-2001 |
markus |
add PreferredAuthentications
|
#
1.22 |
|
05-Mar-2001 |
markus |
generate a 2*need size (~300 instead of 1024/2048) random private exponent during the DH key agreement. according to Niels (the great German advisor) this is safe since /etc/primes contains strong primes only.
References: P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
#
1.21 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.20 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long
|
#
1.19 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.18 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.17 |
|
08-Jan-2001 |
markus |
missing free; thanks stevesk@pobox.com
|
#
1.16 |
|
20-Dec-2000 |
markus |
fix prototypes; from stevesk@pobox.com
|
#
1.15 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.14 |
|
15-Dec-2000 |
provos |
compute diffie-hellman in parallel between server and client. okay markus@
|
#
1.13 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.12 |
|
11-Oct-2000 |
markus |
branches: 1.12.2; new cipher framework
|
#
1.11 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.10 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.9 |
|
10-Jul-2000 |
ho |
strtok() --> strsep(). (niels@ ok)
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
08-May-2000 |
markus |
branches: 1.6.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.5 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.4 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.3 |
|
12-Apr-2000 |
markus |
check for reasonable public DH values
|
#
1.2 |
|
12-Apr-2000 |
markus |
less debugging output
|
#
1.1 |
|
03-Apr-2000 |
markus |
DSA, keyexchange, algorithm agreement for ssh2
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.134 |
|
13-Jun-2017 |
djm |
Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
|
#
1.133 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.132 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.131 |
|
15-Mar-2017 |
markus |
disallow KEXINIT before NEWKEYS; ok djm; report by vegard.nossum at oracle.com
|
#
1.130 |
|
10-Mar-2017 |
djm |
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
|
#
1.129 |
|
10-Mar-2017 |
dtucker |
Plug some mem leaks mostly on error paths. From jjelen at redhat.com via bz#2687, ok djm@
|
#
1.128 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.127 |
|
10-Oct-2016 |
markus |
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn
|
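Why the handler is disarmed, as an added example that is not OpenSSH's dispatch code and covers this fix together with 1.131 (no KEXINIT before NEWKEYS) and the re-arming that 1.44 restored for rekeying: a toy dispatch table in which a KEXINIT arriving while an exchange is still open is a protocol error instead of yet another stored proposal. PROPOSAL_BYTES, the message sequences and the function names are this example's assumptions.

```c
/*
 * Added example, not OpenSSH code: a toy message dispatch table showing
 * why the KEXINIT handler is disarmed once the message is consumed and
 * re-armed only when NEWKEYS completes the exchange. PROPOSAL_BYTES is an
 * assumed stand-in for the memory one stored proposal costs.
 */
#include <stddef.h>
#include <stdio.h>

#define MSG_KEXINIT	20
#define MSG_NEWKEYS	21
#define PROPOSAL_BYTES	(4u * 1024 * 1024)

struct conn;
typedef int (*handler_fn)(struct conn *);

struct conn {
	handler_fn dispatch[256];
	size_t bytes_held;	/* proposal memory currently allocated */
	int disarm_kexinit;	/* 1 = apply the fix; 0 = leave the handler armed */
};

/* Any message with no legitimate handler in this state is a protocol error. */
static int
proto_error(struct conn *c)
{
	(void)c;
	return -1;
}

static int on_newkeys(struct conn *c);

static int
on_kexinit(struct conn *c)
{
	c->bytes_held += PROPOSAL_BYTES;		/* store the peer's proposal */
	c->dispatch[MSG_NEWKEYS] = on_newkeys;		/* an exchange is now open */
	if (c->disarm_kexinit)
		c->dispatch[MSG_KEXINIT] = proto_error;	/* no second KEXINIT until NEWKEYS */
	return 0;
}

static int
on_newkeys(struct conn *c)
{
	c->bytes_held = 0;				/* exchange done, proposal freed */
	c->dispatch[MSG_NEWKEYS] = proto_error;
	c->dispatch[MSG_KEXINIT] = on_kexinit;		/* re-arm so rekeying still works */
	return 0;
}

/*
 * Run a sequence of message types through a fresh connection. Returns the
 * peak proposal memory held, or -1 if a message was rejected.
 */
long
run_messages(int disarm_kexinit, const unsigned char *types, size_t n)
{
	struct conn c;
	size_t i, peak = 0;

	for (i = 0; i < 256; i++)
		c.dispatch[i] = proto_error;
	c.dispatch[MSG_KEXINIT] = on_kexinit;
	c.bytes_held = 0;
	c.disarm_kexinit = disarm_kexinit;
	for (i = 0; i < n; i++) {
		if (c.dispatch[types[i]](&c) != 0)
			return -1;
		if (c.bytes_held > peak)
			peak = c.bytes_held;
	}
	return (long)peak;
}

/* Constructed traffic: an unauthenticated peer repeating KEXINIT, and a normal rekey. */
const unsigned char kexinit_flood[] = { MSG_KEXINIT, MSG_KEXINIT, MSG_KEXINIT, MSG_KEXINIT };
const unsigned char normal_rekey[] = { MSG_KEXINIT, MSG_NEWKEYS, MSG_KEXINIT, MSG_NEWKEYS };

int
main(void)
{
	printf("flood, handler left armed: peak %ld bytes\n",
	    run_messages(0, kexinit_flood, sizeof(kexinit_flood)));
	printf("flood, handler disarmed:   %ld (rejected)\n",
	    run_messages(1, kexinit_flood, sizeof(kexinit_flood)));
	printf("rekey, handler disarmed:   peak %ld bytes\n",
	    run_messages(1, normal_rekey, sizeof(normal_rekey)));
	return 0;
}
```

With the handler left armed, the peak grows by one proposal per repeated KEXINIT for as long as the peer keeps sending; with it disarmed, the second KEXINIT is rejected, while a KEXINIT that follows NEWKEYS is still accepted because the handler was put back.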
#
1.126 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.125 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.124 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.123 |
|
21-Sep-2016 |
djm |
correctly return errors from kex_send_ext_info(). Fix from Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
#
1.122 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.121 |
|
12-Sep-2016 |
djm |
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
|
#
1.120 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.119 |
|
06-Sep-2016 |
markus |
update ext_info_c every time we receive a kexinit msg; fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis & Mancha; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.118 |
|
02-May-2016 |
djm |
branches: 1.118.4; add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.117 |
|
08-Feb-2016 |
djm |
branches: 1.117.2; refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.116 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.115 |
|
13-Dec-2015 |
djm |
unbreak connections with peers that set first_kex_follows; fix from Matt Johnston via bz#2515
|
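The negotiation that 1.53 (key exchange guesses) and this fix for peers setting first_kex_follows both depend on, as an added example rather than OpenSSH's kex.c: RFC 4253 section 7.1 picks the first entry of the client's list that the server also offers, a guess is right only when both lists begin with the same name, and after a wrong guess the packet the peer already sent behind its KEXINIT must be ignored. The name-lists below are constructed and the function names are this example's.

```c
/*
 * Added example, not OpenSSH code: the RFC 4253 section 7.1 choice rule
 * for a KEX algorithm and the "guess" test behind first_kex_follows.
 * choose_kex(), guess_is_right(), must_skip_guessed_packet() and
 * negotiates_to() are this example's names.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the first name in a comma-separated name-list. */
static size_t
first_len(const char *list)
{
	return strcspn(list, ",");
}

/* 1 if name (n bytes) appears as a whole entry in list. */
static int
list_contains(const char *list, const char *name, size_t n)
{
	const char *p = list;

	for (;;) {
		size_t len = first_len(p);

		if (len == n && memcmp(p, name, n) == 0)
			return 1;
		if (p[len] == '\0')
			return 0;
		p += len + 1;
	}
}

/*
 * Pick the first entry of the client's list that the server also offers.
 * Returns a malloc'd copy, or NULL when the lists have nothing in common
 * (the "no matching algorithm" failure that aborts the connection).
 */
char *
choose_kex(const char *client, const char *server)
{
	const char *p = client;

	for (;;) {
		size_t len = first_len(p);

		if (len > 0 && list_contains(server, p, len)) {
			char *chosen = malloc(len + 1);

			if (chosen == NULL)
				return NULL;
			memcpy(chosen, p, len);
			chosen[len] = '\0';
			return chosen;
		}
		if (p[len] == '\0')
			return NULL;
		p += len + 1;
	}
}

/* The guess was right only if both lists start with the same name. */
int
guess_is_right(const char *client, const char *server)
{
	size_t cl = first_len(client), sl = first_len(server);

	return cl > 0 && cl == sl && memcmp(client, server, cl) == 0;
}

/*
 * When the peer set first_kex_follows its guessed first KEX packet is already
 * on the wire: 1 means that packet must be ignored, 0 means it is the real
 * first packet of the chosen exchange.
 */
int
must_skip_guessed_packet(int first_kex_follows, const char *client, const char *server)
{
	return first_kex_follows && !guess_is_right(client, server);
}

/* 1 if negotiation over the two lists yields exactly expect (NULL = no match). */
int
negotiates_to(const char *client, const char *server, const char *expect)
{
	char *got = choose_kex(client, server);
	int ok = (got == NULL) ? (expect == NULL) : (expect != NULL && strcmp(got, expect) == 0);

	free(got);
	return ok;
}

int
main(void)
{
	/* Constructed proposals, not captured traffic. */
	const char *client = "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1";
	const char *server = "diffie-hellman-group14-sha1,ecdh-sha2-nistp256";
	char *kex = choose_kex(client, server);

	printf("negotiated: %s\n", kex ? kex : "(none)");
	printf("skip guessed packet: %d\n", must_skip_guessed_packet(1, client, server));
	free(kex);
	return 0;
}
```

Note that the client's preference order decides the outcome, not the server's, and that a name differing only by suffix (curve25519-sha256 versus curve25519-sha256@libssh.org, cf. 1.124) is a different entry.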
#
1.114 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.113 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.112 |
|
13-Nov-2015 |
djm |
send SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during KEX; bz#2949, ok dtucker@
|
#
1.111 |
|
13-Oct-2015 |
djm |
free the correct IV length, don't assume it's always the cipher blocksize; ok dtucker@
|
#
1.110 |
|
21-Aug-2015 |
djm |
Improve printing of KEX offers and decisions
The debug output now labels the client and server offers and the negotiated options. ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.109 |
|
30-Jul-2015 |
djm |
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
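How a prefixed value edits the default list, as an added example that is not OpenSSH's option parser and also covers the '-' removal form from 1.128 (Ciphers=-*cbc): '+' appends entries missing from the default, '-' drops default entries matching a pattern, and an unprefixed value replaces the list. fnmatch(3) stands in for OpenSSH's own pattern matcher, the default cipher list is constructed, and apply_alg_spec()/spec_yields() are this example's names.

```c
/*
 * Added example, not OpenSSH code: applying a '+'/'-' prefixed algorithm
 * specification to a default list. fnmatch(3) wildcards and a fixed buffer
 * stand in for the real option parser; names are this example's own.
 */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAXLIST 512

/* Copy the next non-empty comma-separated name out of *cursor; 0 when exhausted. */
static int
next_name(const char **cursor, char *name, size_t namelen)
{
	const char *p = *cursor;
	size_t full, len;

	while (*p == ',')
		p++;
	if (*p == '\0') {
		*cursor = p;
		return 0;
	}
	full = strcspn(p, ",");
	len = full < namelen ? full : namelen - 1;
	memcpy(name, p, len);
	name[len] = '\0';
	*cursor = p + full;
	return 1;
}

/* 1 if name matches any pattern in patterns ("*cbc" matches "aes128-cbc"). */
static int
matches_any(const char *patterns, const char *name)
{
	char pat[MAXLIST];

	while (next_name(&patterns, pat, sizeof(pat)))
		if (fnmatch(pat, name, 0) == 0)
			return 1;
	return 0;
}

/* 1 if name is already an exact entry of list. */
static int
list_has(const char *list, const char *name)
{
	char cur[MAXLIST];

	while (next_name(&list, cur, sizeof(cur)))
		if (strcmp(cur, name) == 0)
			return 1;
	return 0;
}

/* Append name to the list in out; -1 if it would not fit. */
static int
append_name(char *out, size_t outlen, const char *name)
{
	size_t used = strlen(out), n = strlen(name);

	if (used + (used > 0) + n + 1 > outlen)
		return -1;
	if (used > 0)
		out[used++] = ',';
	memcpy(out + used, name, n + 1);
	return 0;
}

/*
 * Build the effective list: "+names" appends names missing from defaults,
 * "-patterns" drops defaults matching any pattern, anything else replaces
 * the defaults outright. Returns 0, or -1 if the result does not fit.
 */
int
apply_alg_spec(const char *defaults, const char *spec, char *out, size_t outlen)
{
	char name[MAXLIST];
	const char *cursor;

	out[0] = '\0';
	if (spec[0] == '+') {
		if (strlen(defaults) >= outlen)
			return -1;
		strcpy(out, defaults);
		cursor = spec + 1;
		while (next_name(&cursor, name, sizeof(name)))
			if (!list_has(out, name) && append_name(out, outlen, name) == -1)
				return -1;
	} else if (spec[0] == '-') {
		cursor = defaults;
		while (next_name(&cursor, name, sizeof(name)))
			if (!matches_any(spec + 1, name) && append_name(out, outlen, name) == -1)
				return -1;
	} else {
		if (strlen(spec) >= outlen)
			return -1;
		strcpy(out, spec);
	}
	return 0;
}

/* 1 if applying spec to defaults produces exactly expect. */
int
spec_yields(const char *defaults, const char *spec, const char *expect)
{
	char out[MAXLIST];

	return apply_alg_spec(defaults, spec, out, sizeof(out)) == 0 && strcmp(out, expect) == 0;
}

int
main(void)
{
	const char *defaults = "aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc"; /* constructed */
	const char *specs[] = { "-*cbc", "+chacha20-poly1305@openssh.com", "+aes128-ctr", "aes256-ctr" };
	char out[MAXLIST];
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		if (apply_alg_spec(defaults, specs[i], out, sizeof(out)) == 0)
			printf("Ciphers=%s -> %s\n", specs[i], out);
	return 0;
}
```

The practical difference between the forms: a '-' spec keeps tracking whatever the default becomes in later releases, whereas an unprefixed list freezes the set and silently loses any stronger default added afterwards.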
#
1.108 |
|
29-Jul-2015 |
djm |
fix bug in previous; was printing incorrect string for failed host key algorithms negotiation
|
#
1.107 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.106 |
|
17-Apr-2015 |
djm |
don't try to cleanup NULL KEX proposals in kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.105 |
|
30-Jan-2015 |
djm |
fix ssh protocol 1, spotted by miod@
|
#
1.104 |
|
26-Jan-2015 |
djm |
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration).
ok markus, "looks mechanical" deraadt@
|
#
1.103 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.102 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.101 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.100 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.99 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.98 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.97 |
|
25-Jan-2014 |
markus |
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha
|
#
1.96 |
|
25-Jan-2014 |
dtucker |
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size they do support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
|
#
1.95 |
|
12-Jan-2014 |
djm |
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
|
#
1.94 |
|
09-Jan-2014 |
djm |
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
|
#
1.93 |
|
07-Nov-2013 |
dtucker |
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
|
#
1.92 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.91 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.90 |
|
19-Apr-2013 |
djm |
remove duplicated list entry pointed out by naddy@
|
#
1.89 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.88 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.87 |
|
17-Aug-2012 |
djm |
add some comments about better handling first-KEX-follows notifications from the server. Nothing uses these right now. No binary change
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.86 |
|
22-Sep-2010 |
djm |
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
ok markus@
|
#
1.85 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.84 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.83 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
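The check this commit adds, as an added example that is not OpenSSH's buffer code: parsing an RFC 4251 string (uint32 length, then that many bytes) into a C string, rejecting any NUL except the single trailing one the commit tolerates, and refusing a length field that overruns the buffer. The wire samples are constructed; get_cstring() and the GET_* codes are this example's names.

```c
/*
 * Added example, not OpenSSH code: extracting an RFC 4251 "string"
 * (uint32 big-endian length, then bytes) as a C string while refusing
 * embedded NULs, with the one-trailing-NUL tolerance described above.
 * Wire samples are constructed; get_cstring() and GET_* are this
 * example's names.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GET_OK		 0
#define GET_TRUNCATED	-1	/* buffer shorter than the declared length */
#define GET_EMBEDDED_NUL -2	/* a NUL that is not the final byte */
#define GET_NOMEM	-3

static uint32_t
get_u32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Parse one string at the start of buf. On GET_OK, *out is a malloc'd
 * NUL-terminated copy (a tolerated trailing wire NUL is dropped) and
 * *consumed is the number of wire bytes used. On error *out is NULL.
 */
int
get_cstring(const unsigned char *buf, size_t buflen, char **out, size_t *consumed)
{
	uint32_t len;
	size_t i, slen;
	char *s;

	*out = NULL;
	*consumed = 0;
	if (buflen < 4)
		return GET_TRUNCATED;
	len = get_u32(buf);
	if (len > buflen - 4)		/* never trust the length field */
		return GET_TRUNCATED;
	slen = len;
	if (slen > 0 && buf[4 + slen - 1] == '\0')
		slen--;			/* allow exactly one NUL, at the end */
	for (i = 0; i < slen; i++)
		if (buf[4 + i] == '\0')
			return GET_EMBEDDED_NUL;
	if ((s = malloc(slen + 1)) == NULL)
		return GET_NOMEM;
	memcpy(s, buf + 4, slen);
	s[slen] = '\0';
	*out = s;
	*consumed = 4 + (size_t)len;
	return GET_OK;
}

/* Status only, for the samples below. */
int
classify(const unsigned char *buf, size_t buflen)
{
	char *s;
	size_t n;
	int r = get_cstring(buf, buflen, &s, &n);

	free(s);
	return r;
}

/* 1 if buf parses cleanly to exactly expect and consumes want_consumed bytes. */
int
extracts_to(const unsigned char *buf, size_t buflen, const char *expect, size_t want_consumed)
{
	char *s;
	size_t n;
	int ok = get_cstring(buf, buflen, &s, &n) == GET_OK &&
	    strcmp(s, expect) == 0 && n == want_consumed;

	free(s);
	return ok;
}

/* Constructed wire samples: length prefix followed by payload bytes. */
const unsigned char wire_plain[]    = { 0, 0, 0, 3, 'a', 'b', 'c' };
const unsigned char wire_trailing[] = { 0, 0, 0, 4, 'a', 'b', 'c', 0 };
const unsigned char wire_embedded[] = { 0, 0, 0, 5, 'a', 'b', 0, 'c', 'd' };
const unsigned char wire_two_nuls[] = { 0, 0, 0, 4, 'a', 'b', 0, 0 };
const unsigned char wire_short[]    = { 0, 0, 0, 16, 'a', 'b' };

int
main(void)
{
	printf("plain:    %d\n", classify(wire_plain, sizeof(wire_plain)));
	printf("trailing: %d\n", classify(wire_trailing, sizeof(wire_trailing)));
	printf("embedded: %d\n", classify(wire_embedded, sizeof(wire_embedded)));
	printf("two NULs: %d\n", classify(wire_two_nuls, sizeof(wire_two_nuls)));
	printf("short:    %d\n", classify(wire_short, sizeof(wire_short)));
	return 0;
}
```

The embedded sample is the case the commit is about: a strcmp() or strlen() on "ab" would never see the "cd" that follows the NUL, so a check on the visible part would pass while the full value differs. Two trailing NULs are rejected because only one is tolerated.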
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.82 |
|
24-Oct-2009 |
andreas |
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.81 |
|
27-May-2009 |
andreas |
Move the KEX_COOKIE_LEN define to kex.h ok markus@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.80 |
|
06-Sep-2008 |
djm |
OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our replacement anymore
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.79 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.78 |
|
30-May-2007 |
djm |
tidy: KNF, ARGSUSED and u_int
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.77 |
|
21-Jan-2007 |
stevesk |
spaces
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.76 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.75 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.74 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|