History log of /openbsd-current/usr.bin/ssh/packet.c
Revision Date Author Comments
# 1.315 31-May-2024 djm

typos


# 1.314 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_5_BASE
# 1.313 18-Dec-2023 djm

implement "strict key exchange" in ssh and sshd

This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@


Revision tags: OPENBSD_7_4_BASE
# 1.312 28-Aug-2023 djm

branches: 1.312.2;
Add keystroke timing obfuscation to the client.

This attempts to hide inter-keystroke timings by sending interactive
traffic at fixed intervals (default: every 20ms) when there is only a
small amount of data being sent. It also sends fake "chaff" keystrokes
for a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.

feedback/ok markus@


# 1.311 28-Aug-2023 djm

Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@


# 1.310 06-Apr-2023 djm

remove redundant ssh!=NULL check; we'd already dereferenced it


Revision tags: OPENBSD_7_3_BASE
# 1.309 03-Mar-2023 dtucker

branches: 1.309.4;
Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.


Revision tags: OPENBSD_7_2_BASE
# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
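
The automatic rekeying policy that this message (1.103) and the 1.109 entry earlier in the log describe, as an added example in C. It is not OpenSSH's code; the function and struct names, and the choice of 16 bytes as the boundary for a "small" block size, are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, written from scratch: the rekeying policy from the 1.103
 * and 1.109 commit messages.  Names and the "small block size" boundary
 * (below 16 bytes) are assumptions of this example, not OpenSSH's code.
 */

/* (a) rekey after 2^31 packets: the packet sequence number is 32 bits wide,
 * so after 2^32 packets it would wrap and MAC inputs would repeat. */
#define REKEY_MAX_PACKETS (UINT64_C(1) << 31)
/* (b) for small block sizes (3DES, Blowfish: 8-byte blocks) 2^(bits/4) is
 * only 2^16 blocks = 512 KiB, so 1.109 enforces 1 GB of data instead. */
#define REKEY_SMALL_BLOCK_LIMIT_BYTES (UINT64_C(1) << 30)

/*
 * Cipher blocks that may be processed in one direction before a rekey is
 * required.  block_size is the cipher block size in bytes; rekey_limit_bytes
 * is the user's RekeyLimit (0 = unset) and can only lower the limit.
 */
uint64_t
rekey_block_limit(unsigned block_size, uint64_t rekey_limit_bytes)
{
	uint64_t max_blocks;
	unsigned shift = (block_size * 8) / 4;	/* 2^(blocksize_in_bits/4) */

	if (block_size == 0)
		return 0;
	if (block_size < 16)
		max_blocks = REKEY_SMALL_BLOCK_LIMIT_BYTES / block_size;
	else if (shift >= 64)
		max_blocks = UINT64_MAX;	/* shift would overflow uint64_t */
	else
		max_blocks = UINT64_C(1) << shift;
	if (rekey_limit_bytes != 0 &&
	    rekey_limit_bytes / block_size < max_blocks)
		max_blocks = rekey_limit_bytes / block_size;
	return max_blocks;
}

/* Per-direction traffic accounting since the last NEWKEYS. */
struct rekey_state {
	uint32_t seqnr;		/* wraps mod 2^32, as on the wire */
	uint64_t packets;
	uint64_t blocks;
	uint64_t max_blocks;
	unsigned block_size;
};

void
rekey_state_init(struct rekey_state *s, unsigned block_size,
    uint64_t rekey_limit_bytes)
{
	s->seqnr = 0;
	s->packets = 0;
	s->blocks = 0;
	s->block_size = block_size;
	s->max_blocks = rekey_block_limit(block_size, rekey_limit_bytes);
}

/* Account for one packet of packet_len bytes, rounded up to whole blocks. */
void
rekey_account(struct rekey_state *s, size_t packet_len)
{
	s->seqnr++;	/* 2^32 packets would wrap this back to 0 */
	s->packets++;
	s->blocks += (packet_len + s->block_size - 1) / s->block_size;
}

/* Both limits are enabled by default: either one triggers a rekey. */
int
rekey_needed(const struct rekey_state *s)
{
	return s->packets >= REKEY_MAX_PACKETS || s->blocks >= s->max_blocks;
}

int
main(void)
{
	struct rekey_state aes, des3;

	rekey_state_init(&aes, 16, 0);		/* 128-bit block cipher */
	rekey_state_init(&des3, 8, 0);		/* 64-bit block cipher */
	printf("16-byte blocks: rekey after %llu blocks (%llu MiB)\n",
	    (unsigned long long)aes.max_blocks,
	    (unsigned long long)(aes.max_blocks * 16 >> 20));
	printf("8-byte blocks: rekey after %llu blocks (%llu MiB)\n",
	    (unsigned long long)des3.max_blocks,
	    (unsigned long long)(des3.max_blocks * 8 >> 20));
	return 0;
}
```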


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.



# 1.310 06-Apr-2023 djm

remove redundant ssh!=NULL check; we'd already dereferenced it


Revision tags: OPENBSD_7_3_BASE
# 1.309 03-Mar-2023 dtucker

branches: 1.309.4;
Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.


Revision tags: OPENBSD_7_2_BASE
# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
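An added example (not OpenSSH's own code) contrasting the memcmp(3)-style early-exit comparison with a constant-time one in the spirit of timing_safe_cmp(); the 8-byte "MAC" values are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit compare. Returns the number of bytes examined before it
 * could decide; this count, and so the running time, depends on where
 * the first mismatch sits, which is what leaks timing information. */
size_t
early_exit_cmp_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return i + 1;
	return n;
}

/* Constant-time compare: always touches all n bytes and folds every
 * difference into one accumulator, so the work done is independent of
 * the data. Returns 0 if the buffers are equal, 1 otherwise. */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/* Constructed sample values: a correct 8-byte MAC and two wrong ones,
 * differing in the first and in the last byte respectively. */
static const unsigned char mac_good[8] =
    { 0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87 };
static const unsigned char mac_bad_first[8] =
    { 0xff, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87 };
static const unsigned char mac_bad_last[8] =
    { 0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x00 };

/* Early-exit: 1 step when the first byte differs, 8 when only the last does. */
size_t steps_bad_first(void) { return early_exit_cmp_steps(mac_good, mac_bad_first, 8); }
size_t steps_bad_last(void)  { return early_exit_cmp_steps(mac_good, mac_bad_last, 8); }

/* Constant-time: 0 for a match, 1 for any mismatch, same work either way. */
int ct_good(void)      { return ct_bcmp(mac_good, mac_good, 8); }
int ct_bad_first(void) { return ct_bcmp(mac_good, mac_bad_first, 8); }
int ct_bad_last(void)  { return ct_bcmp(mac_good, mac_bad_last, 8); }

int
main(void)
{
	printf("early-exit steps: first-byte mismatch %zu, last-byte mismatch %zu\n",
	    steps_bad_first(), steps_bad_last());
	printf("ct_bcmp: good %d, bad-first %d, bad-last %d\n",
	    ct_good(), ct_bad_first(), ct_bad_last());
	return 0;
}
```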


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
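The rekeying thresholds from the 1.103 message above and the 1.109 small-blocksize refinement, applied to per-direction traffic counters, as an added example that is not OpenSSH's own code. The 16-byte boundary for what counts as a "small" block size is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* (a): rekey after 2^31 packets, half the 32-bit sequence number space. */
#define SEQNR_REKEY_PACKETS ((uint64_t)1 << 31)

/* (b): rekey after 2^(blocksize_in_bits/4) = 2^(2 * block_bytes) blocks.
 * For small block ciphers (8-byte 3DES, blowfish) that would be only
 * 2^16 blocks = 512 KiB, so a 1 GiB data limit is used instead.
 * Assumption: "small" means a block size below 16 bytes. */
uint64_t
rekey_block_limit(unsigned int block_bytes)
{
	if (block_bytes == 0 || block_bytes > 31)	/* no div-by-zero, no shift UB */
		return 0;
	if (block_bytes >= 16)
		return (uint64_t)1 << (block_bytes * 2);
	return ((uint64_t)1 << 30) / block_bytes;	/* 1 GiB expressed in blocks */
}

struct rekey_state {
	unsigned int block_bytes;	/* cipher block size in bytes */
	uint64_t packets;		/* packets since the last NEWKEYS */
	uint64_t blocks;		/* cipher blocks since the last NEWKEYS */
};

/* Account for one packet of wire_len bytes in this direction;
 * return 1 when either threshold has been reached. */
int
rekey_account(struct rekey_state *st, size_t wire_len)
{
	st->packets++;
	st->blocks += (wire_len + st->block_bytes - 1) / st->block_bytes;
	return st->packets >= SEQNR_REKEY_PACKETS ||
	    st->blocks >= rekey_block_limit(st->block_bytes);
}

/* Constructed scenario: an 8-byte block cipher sending 1024-byte packets.
 * The 1 GiB limit is reached after 1 GiB / 1024 = 1048576 packets. */
uint64_t
packets_until_rekey_8byte(void)
{
	struct rekey_state st = { 8, 0, 0 };

	while (!rekey_account(&st, 1024))
		;
	return st.packets;
}

/* Constructed scenario: a 16-byte block cipher one packet short of the
 * sequence number threshold; the next packet triggers a rekey even though
 * the block counter is nowhere near 2^32. Returns 1. */
int
seqnr_limit_hits_first(void)
{
	struct rekey_state st = { 16, SEQNR_REKEY_PACKETS - 1, 0 };

	return rekey_account(&st, 64);
}

int
main(void)
{
	printf("block limit: 16-byte cipher %llu blocks, 8-byte cipher %llu blocks\n",
	    (unsigned long long)rekey_block_limit(16),
	    (unsigned long long)rekey_block_limit(8));
	printf("8-byte cipher, 1024-byte packets: rekey after %llu packets\n",
	    (unsigned long long)packets_until_rekey_8byte());
	printf("seqnr threshold forces rekey: %d\n", seqnr_limit_hits_first());
	return 0;
}
```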


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this is still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done in a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in Sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.310 06-Apr-2023 djm

remove redundant ssh!=NULL check; we'd already dereferenced it


Revision tags: OPENBSD_7_3_BASE
# 1.309 03-Mar-2023 dtucker

branches: 1.309.4;
Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.


Revision tags: OPENBSD_7_2_BASE
# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-define cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.310 06-Apr-2023 djm

remove redundant ssh!=NULL check; we'd already dereferenced it


Revision tags: OPENBSD_7_3_BASE
# 1.309 03-Mar-2023 dtucker

Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.


Revision tags: OPENBSD_7_2_BASE
# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
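
As an added illustration of the check this commit describes (example code written for this page, not OpenSSH's buffer_get_cstring): a parser for the SSH wire-format string (uint32 big-endian length prefix followed by the bytes) that rejects embedded NUL bytes while tolerating a single trailing one, next to a naive extraction that shows what a string(3) function would see without the check. All names (get_cstring, check_sample, naive_visible_len) and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the example parser (constructed for this example). */
enum { CSTR_OK = 0, CSTR_SHORT = -1, CSTR_EMBEDDED_NUL = -2, CSTR_NOMEM = -3 };

/* Decode the big-endian uint32 length prefix of an SSH string. */
static uint32_t
get_u32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * get_cstring: extract the SSH string at *off from buf into a freshly
 * allocated NUL-terminated copy.  A single NUL at the very end of the
 * string is tolerated (and dropped); any other NUL is rejected so that
 * the C string handed to the caller covers every byte the peer sent.
 */
int
get_cstring(const unsigned char *buf, size_t buflen, size_t *off, char **out)
{
	const unsigned char *s;
	uint32_t len;
	size_t n;
	char *r;

	*out = NULL;
	if (*off > buflen || buflen - *off < 4)
		return CSTR_SHORT;
	len = get_u32(buf + *off);
	if (len > buflen - *off - 4)	/* length prefix exceeds the data present */
		return CSTR_SHORT;
	s = buf + *off + 4;
	n = len;
	if (n > 0 && s[n - 1] == '\0')	/* tolerate exactly one trailing NUL */
		n--;
	if (n > 0 && memchr(s, '\0', n) != NULL)
		return CSTR_EMBEDDED_NUL;
	if ((r = malloc(n + 1)) == NULL)
		return CSTR_NOMEM;
	memcpy(r, s, n);
	r[n] = '\0';
	*out = r;
	*off += 4 + (size_t)len;
	return CSTR_OK;
}

/*
 * naive_visible_len: what strlen() reports if the raw bytes were copied
 * out without the embedded-NUL check.  Bytes after an embedded NUL are
 * silently invisible to string(3) functions.
 */
size_t
naive_visible_len(const unsigned char *buf, size_t buflen)
{
	size_t i, len;

	if (buflen < 4)
		return 0;
	len = get_u32(buf);
	if (len > buflen - 4)
		len = buflen - 4;
	for (i = 0; i < len && buf[4 + i] != '\0'; i++)
		;
	return i;
}

/* Parse one sample; on success report the strlen() of the extracted copy. */
int
check_sample(const unsigned char *buf, size_t buflen, size_t *visible)
{
	size_t off = 0;
	char *s;
	int r = get_cstring(buf, buflen, &off, &s);

	if (r == CSTR_OK) {
		if (visible != NULL)
			*visible = strlen(s);
		free(s);
	}
	return r;
}

/* Constructed sample inputs: length prefix followed by payload bytes. */
static const unsigned char SAMPLE_PLAIN[]    = { 0, 0, 0, 4, 'u', 's', 'e', 'r' };
static const unsigned char SAMPLE_TRAILING[] = { 0, 0, 0, 5, 'u', 's', 'e', 'r', 0 };
static const unsigned char SAMPLE_EMBEDDED[] = { 0, 0, 0, 5, 'r', 'o', 0, 'o', 't' };
static const unsigned char SAMPLE_SHORT[]    = { 0, 0, 0, 9, 'u', 's', 'e', 'r' };

int
main(void)
{
	size_t vis = 0;

	printf("plain:    code %d, visible %zu\n",
	    check_sample(SAMPLE_PLAIN, sizeof(SAMPLE_PLAIN), &vis), vis);
	printf("trailing: code %d, visible %zu\n",
	    check_sample(SAMPLE_TRAILING, sizeof(SAMPLE_TRAILING), &vis), vis);
	printf("embedded: code %d (naive strlen would see %zu of 5 bytes)\n",
	    check_sample(SAMPLE_EMBEDDED, sizeof(SAMPLE_EMBEDDED), NULL),
	    naive_visible_len(SAMPLE_EMBEDDED, sizeof(SAMPLE_EMBEDDED)));
	printf("short:    code %d\n",
	    check_sample(SAMPLE_SHORT, sizeof(SAMPLE_SHORT), NULL));
	return 0;
}
```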


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
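
An added example, not OpenSSH's own timing_safe_cmp()/timingsafe_bcmp(), of the comparison this commit introduces and of the way the earlier EtM mac_check() commit (rev 1.231 above) would use it: ct_bcmp examines every byte regardless of where the first mismatch is, and mac_matches wraps it so the full tag comparison completes before any caller proceeds to decryption. The instrumented shortcircuit_bytes_examined stands in for a memcmp-style early exit to make the leaked quantity visible; all names and the sample tags are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * ct_bcmp: compare n bytes without a data-dependent early exit.  Every byte
 * is XORed into an accumulator, so the work done depends only on n, not on
 * the position of the first differing byte.  Returns 0 if equal and nonzero
 * otherwise (the bcmp(3) contract: equality only, no ordering).
 */
int
ct_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p1[i] ^ p2[i];
	return acc != 0;
}

/*
 * shortcircuit_bytes_examined: instrumented stand-in for a memcmp-style
 * comparison that stops at the first mismatch.  It returns how many bytes
 * were looked at, which is what a short-circuiting compare leaks through
 * its running time (longer matching prefix, longer runtime).
 */
size_t
shortcircuit_bytes_examined(const unsigned char *a, const unsigned char *b,
    size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return i + 1;
	return n;
}

/*
 * mac_matches: how a MAC verification uses ct_bcmp.  The computed tag is
 * compared against the received one in full; the caller only proceeds
 * (for example to decrypting the payload in an EtM mode) when this
 * returns 1.
 */
int
mac_matches(const unsigned char *computed, const unsigned char *received,
    size_t maclen)
{
	return ct_bcmp(computed, received, maclen) == 0;
}

/* Constructed 16-byte sample tags (not real MAC output). */
static const unsigned char TAG_GOOD[16] =
    { 0x5a, 0x11, 0x9c, 0x03, 0xe7, 0x42, 0xb8, 0x6d,
      0x20, 0xff, 0x31, 0xc4, 0x77, 0x08, 0xd9, 0x4e };
static const unsigned char TAG_FIRST_BAD[16] =
    { 0x00, 0x11, 0x9c, 0x03, 0xe7, 0x42, 0xb8, 0x6d,
      0x20, 0xff, 0x31, 0xc4, 0x77, 0x08, 0xd9, 0x4e };
static const unsigned char TAG_LAST_BAD[16] =
    { 0x5a, 0x11, 0x9c, 0x03, 0xe7, 0x42, 0xb8, 0x6d,
      0x20, 0xff, 0x31, 0xc4, 0x77, 0x08, 0xd9, 0x00 };

int
main(void)
{
	printf("good tag:      match=%d\n",
	    mac_matches(TAG_GOOD, TAG_GOOD, sizeof(TAG_GOOD)));
	printf("first byte bad: match=%d, short-circuit examined %zu bytes\n",
	    mac_matches(TAG_GOOD, TAG_FIRST_BAD, sizeof(TAG_GOOD)),
	    shortcircuit_bytes_examined(TAG_GOOD, TAG_FIRST_BAD, sizeof(TAG_GOOD)));
	printf("last byte bad:  match=%d, short-circuit examined %zu bytes\n",
	    mac_matches(TAG_GOOD, TAG_LAST_BAD, sizeof(TAG_GOOD)),
	    shortcircuit_bytes_examined(TAG_GOOD, TAG_LAST_BAD, sizeof(TAG_GOOD)));
	return 0;
}
```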


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.310 06-Apr-2023 djm

remove redundant ssh!=NULL check; we'd already dereferenced it


Revision tags: OPENBSD_7_3_BASE
# 1.309 03-Mar-2023 dtucker

Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.


Revision tags: OPENBSD_7_2_BASE
# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.309 03-Mar-2023 dtucker

Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.


Revision tags: OPENBSD_7_2_BASE
# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
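
The check described above, as an added example (not OpenSSH's own buffer_get_cstring() code): parse one SSH wire "string" (a 4-byte big-endian length followed by that many bytes) and reject it as a C string when it contains an embedded NUL, tolerating a single NUL in the final position as the message says. The names get_cstring(), check_first_string() and first_string_len() and the sample messages are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of extracting a string that is about to be used as a C string. */
enum cstring_status {
	CSTR_OK = 0,
	CSTR_TRUNCATED,		/* length prefix or body runs past the buffer */
	CSTR_EMBEDDED_NUL	/* a NUL byte before the end of the string */
};

/*
 * Parse the SSH string at *buf. On success, *out/*outlen describe the
 * string body (excluding a tolerated trailing NUL) and *buf/*len are
 * advanced past it. Nothing is modified on failure.
 */
enum cstring_status
get_cstring(const unsigned char **buf, size_t *len,
    const unsigned char **out, size_t *outlen)
{
	const unsigned char *p = *buf;
	uint32_t slen;
	size_t i, n;

	if (*len < 4)
		return CSTR_TRUNCATED;
	slen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	if (slen > *len - 4)		/* body must fit in what remains */
		return CSTR_TRUNCATED;
	p += 4;
	n = slen;
	/* Allow exactly one NUL, and only as the very last byte. */
	if (n > 0 && p[n - 1] == '\0')
		n--;
	for (i = 0; i < n; i++)
		if (p[i] == '\0')
			return CSTR_EMBEDDED_NUL;
	*out = p;
	*outlen = n;
	*buf = p + slen;
	*len -= 4 + slen;
	return CSTR_OK;
}

/* Status of the first string in a message (hypothetical helper). */
enum cstring_status
check_first_string(const unsigned char *msg, size_t msglen, size_t *outlen)
{
	const unsigned char *s;
	size_t n = 0;
	enum cstring_status st = get_cstring(&msg, &msglen, &s, &n);

	if (outlen != NULL)
		*outlen = n;
	return st;
}

/* Length of the first string's usable body, 0 on any failure. */
size_t
first_string_len(const unsigned char *msg, size_t msglen)
{
	size_t n = 0;

	check_first_string(msg, msglen, &n);
	return n;
}

/* Constructed sample messages (these are not real captured traffic). */
static const unsigned char sample_clean[] =
    { 0, 0, 0, 4, 'u', 's', 'e', 'r' };
static const unsigned char sample_trailing_nul[] =
    { 0, 0, 0, 5, 'u', 's', 'e', 'r', 0 };
static const unsigned char sample_embedded_nul[] =
    { 0, 0, 0, 9, 'u', 's', 'e', 'r', 0, 'e', 'v', 'i', 'l' };
static const unsigned char sample_truncated[] =
    { 0, 0, 0, 9, 'u', 's' };
```

With a string(3) function, "user\0evil" would be seen as just "user", which is why the embedded-NUL case must be rejected rather than silently shortened.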


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
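
The comparison the 1.167 message describes, as an added example that is not OpenSSH's timing_safe_cmp()/timingsafe_bcmp() code: ct_bcmp() examines every byte whether or not an earlier one already differed, so the amount of work does not depend on where the first mismatch lies, while early_exit_cmp() shows the memcmp()-style pattern it replaces. The iteration counters, the helper names and the sample tags are this example's own constructions.

```c
#include <stddef.h>

/*
 * Constant-time comparison: accumulate the XOR of every byte pair and
 * never branch on the data. Returns 0 when equal, non-zero otherwise.
 * The optional iters counter only exists to make the difference visible.
 */
int
ct_bcmp(const void *b1, const void *b2, size_t n, size_t *iters)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p1[i] ^ p2[i];
	if (iters != NULL)
		*iters = n;		/* always all n bytes */
	return acc != 0;
}

/*
 * Early-exit comparison, the behaviour memcmp() is allowed to have:
 * stops at the first differing byte, so the number of iterations (and
 * therefore the run time) reveals the length of the matching prefix.
 * Shown only for contrast; do not use it for MAC tags.
 */
int
early_exit_cmp(const void *b1, const void *b2, size_t n, size_t *iters)
{
	const unsigned char *p1 = b1, *p2 = b2;
	size_t i;

	for (i = 0; i < n; i++) {
		if (p1[i] != p2[i]) {
			if (iters != NULL)
				*iters = i + 1;
			return 1;
		}
	}
	if (iters != NULL)
		*iters = n;
	return 0;
}

/* Constructed 16-byte "tags": the expected one, one wrong in the first
 * byte and one wrong in the last byte. */
static const unsigned char tag_good[] = "0123456789abcdef";
static const unsigned char tag_bad_first[] = "X123456789abcdef";
static const unsigned char tag_bad_last[] = "0123456789abcdeX";

/* Bytes touched when checking a candidate against tag_good. */
size_t
ct_work(const unsigned char *cand)
{
	size_t it = 0;

	ct_bcmp(tag_good, cand, 16, &it);
	return it;
}

size_t
early_work(const unsigned char *cand)
{
	size_t it = 0;

	early_exit_cmp(tag_good, cand, 16, &it);
	return it;
}
```

The point of the counters: ct_work() is 16 for any candidate, whereas early_work() is 1 for a tag that is wrong in its first byte and 16 for one that is wrong only in its last byte, which is exactly the position-dependent signal a constant-time compare removes.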


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
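
The overflow the message warns about, as an added example (not OpenSSH's xcalloc()): mul_fits() is the check a calloc-style allocator needs before computing nmemb * size, checked_calloc() applies it, and naive_size() shows what a bare malloc(nmemb * size) would actually be asked for after the product wraps. Unlike an x*() wrapper that calls fatal(), checked_calloc() returns NULL so the failure is observable; the helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Returns 1 and stores nmemb * size in *total when the product fits in
 * a size_t, 0 when it would wrap. Division avoids the overflow entirely.
 */
int
mul_fits(size_t nmemb, size_t size, size_t *total)
{
	if (nmemb != 0 && size > SIZE_MAX / nmemb)
		return 0;
	if (total != NULL)
		*total = nmemb * size;
	return 1;
}

/*
 * Overflow-checked allocation. Zero-sized requests are refused (as an
 * x*() wrapper would) so a NULL result always means "nothing allocated".
 */
void *
checked_calloc(size_t nmemb, size_t size)
{
	size_t total;

	if (nmemb == 0 || size == 0)
		return NULL;
	if (!mul_fits(nmemb, size, &total))
		return NULL;		/* would have wrapped */
	return calloc(nmemb, size);
}

/* The dangerous idiom: the size malloc(nmemb * size) would receive. */
size_t
naive_size(size_t nmemb, size_t size)
{
	return nmemb * size;	/* silently wraps modulo SIZE_MAX + 1 */
}

/* Allocates and frees; 1 if checked_calloc() handed back memory. */
int
alloc_ok(size_t nmemb, size_t size)
{
	void *p = checked_calloc(nmemb, size);

	if (p == NULL)
		return 0;
	free(p);
	return 1;
}
```

With nmemb = SIZE_MAX / 2 + 1 and size = 2 the naive product is exactly 0, so the unchecked idiom would request a zero-byte allocation and then write SIZE_MAX / 2 + 1 elements into it; mul_fits() rejects that request before any allocation happens.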


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
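
The rekeying policy stated in the 1.103 message above and tightened in 1.109 (the 1GB cap for small block sizes), as an added example that is not OpenSSH's own packet.c code: rekey_block_limit() computes the 2^(blocksize_in_bits/4) block limit, which is 2^(2 * blocksize_in_bytes), and substitutes the 1GB limit below a 16-byte block size; rekey_needed() combines it with the 2^31 packet limit. The function names and the 16-byte threshold for "small" are this example's own choices.

```c
#include <stdint.h>

/* Rekey before the 32-bit sequence number can wrap. */
#define REKEY_PACKET_LIMIT ((uint64_t)1 << 31)

/*
 * Block limit for a cipher with the given block size in bytes:
 * 2^(blocksize_in_bits/4) = 2^(2 * bytes) blocks. For 8-byte blocks
 * (3DES, Blowfish) that is only 2^16 blocks = 512KB, so 1GB of data
 * is enforced instead for block sizes below 16 bytes.
 */
uint64_t
rekey_block_limit(unsigned int block_size_bytes)
{
	if (block_size_bytes == 0)
		block_size_bytes = 1;	/* treat stream ciphers as 1-byte blocks */
	if (block_size_bytes >= 32)
		return UINT64_MAX;	/* 2^64 and beyond do not fit */
	if (block_size_bytes >= 16)
		return (uint64_t)1 << (block_size_bytes * 2);
	return ((uint64_t)1 << 30) / block_size_bytes;
}

/* Bytes of traffic covered by the block limit, for comparison. */
uint64_t
rekey_byte_limit(unsigned int block_size_bytes)
{
	uint64_t blocks = rekey_block_limit(block_size_bytes);

	if (blocks == UINT64_MAX)
		return UINT64_MAX;
	return blocks * (block_size_bytes == 0 ? 1 : block_size_bytes);
}

/* Non-zero when either the packet or the block limit has been reached. */
int
rekey_needed(uint64_t packets_sent, uint64_t blocks_sent,
    unsigned int block_size_bytes)
{
	return packets_sent >= REKEY_PACKET_LIMIT ||
	    blocks_sent >= rekey_block_limit(block_size_bytes);
}
```

For a 16-byte block cipher the block limit is 2^32 blocks, or 64GB, while the 2^31 packet limit usually triggers first on interactive traffic; for 8-byte blocks the raw formula would rekey every 512KB, which is the cost the 1GB cap avoids.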


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NODELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.308 31-Aug-2022 djm

whitespace


Revision tags: OPENBSD_7_1_BASE
# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the workaround for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no file descriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
by Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*.
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NODELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.307 22-Jan-2022 djm

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the workaround for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
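The check this entry describes, as an added example written for this page (not OpenSSH's own buffer_get_cstring()): parse one SSH "string" (a big-endian uint32 length followed by that many bytes) out of a buffer and reject it if a NUL is embedded, tolerating exactly one NUL at the very end as the footnote says. The function name get_cstring and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSH code. Extract an SSH string (uint32 big-endian
 * length + bytes) and return a freshly malloc()ed, NUL-terminated copy, or
 * NULL when the input is malformed: truncated header, length running past
 * the end of the buffer, or a NUL embedded in the string. As in the footnote
 * above, a single trailing NUL is accepted and stripped. If consumed is
 * non-NULL it receives the number of input bytes the string occupied.
 */
char *
get_cstring(const void *vbuf, size_t buflen, size_t *consumed)
{
	const unsigned char *buf = vbuf;
	uint32_t len, slen;
	char *s;

	if (buflen < 4)
		return NULL;		/* no room for the length field */
	len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
	    ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
	if (len > buflen - 4)
		return NULL;		/* declared length exceeds the data */

	/* Tolerate one trailing NUL, then refuse any other NUL in the body. */
	slen = len;
	if (slen > 0 && buf[4 + slen - 1] == '\0')
		slen--;
	if (memchr(buf + 4, '\0', slen) != NULL)
		return NULL;

	if ((s = malloc((size_t)slen + 1)) == NULL)
		return NULL;
	memcpy(s, buf + 4, slen);
	s[slen] = '\0';
	if (consumed != NULL)
		*consumed = 4 + (size_t)len;
	return s;
}
```

Because the caller receives a copy whose length was verified before any string(3) function touches it, trailing bytes hidden behind an embedded NUL cannot survive into the returned string.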


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
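As an added example written for this page (not OpenSSH's timing_safe_cmp() or the libc timingsafe_bcmp(3)), the comparison below visits every byte regardless of where the first difference is, so its running time depends only on the length. It is shown beside an instrumented memcmp()-style comparator that stops at the first mismatch, which is the short-circuiting the entry refers to. The names ct_bcmp, leaky_bcmp, leaky_steps and tag_matches are constructed for the example.

```c
#include <stddef.h>

/*
 * Added example, not OpenSSH code. Constant-time comparison: returns 0 when
 * the n bytes match, nonzero otherwise. The loop never exits early and the
 * result is accumulated with OR, so the time taken does not depend on the
 * position of the first differing byte.
 */
int
ct_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= p1[i] ^ p2[i];
	return diff != 0;
}

/*
 * Short-circuiting comparator in the style of memcmp(), instrumented so that
 * *steps reports how many bytes were examined before it returned. The step
 * count is what an observer could infer from the timing of a verifier built
 * on such a comparison.
 */
int
leaky_bcmp(const void *b1, const void *b2, size_t n, size_t *steps)
{
	const unsigned char *p1 = b1, *p2 = b2;
	size_t i;

	for (i = 0; i < n; i++) {
		if (p1[i] != p2[i]) {
			*steps = i + 1;
			return 1;
		}
	}
	*steps = n;
	return 0;
}

/* Convenience wrapper: number of bytes leaky_bcmp() looked at. */
size_t
leaky_steps(const void *b1, const void *b2, size_t n)
{
	size_t steps = 0;

	(void)leaky_bcmp(b1, b2, n, &steps);
	return steps;
}

/*
 * Verify a received authentication tag against the locally computed one
 * using the constant-time comparison. Returns 1 on match, 0 otherwise.
 */
int
tag_matches(const void *expected, const void *received, size_t taglen)
{
	return ct_bcmp(expected, received, taglen) == 0;
}
```

With leaky_bcmp() a mismatch in the first byte is detected after one step and a mismatch in the last byte only after n steps; ct_bcmp() performs n steps in every case, which is the property a MAC or password-hash check wants.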


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
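The thresholds from this entry and from the 1.109 entry above (2^31 packets because the 32-bit sequence number wraps at 2^32; 2^(blocksize_in_bits/4) blocks, which is 2^(blocksize_in_bytes*2); a 1GB cap instead for small block sizes), combined with the later optional RekeyLimit in bytes and seconds, as an added example written for this page rather than OpenSSH's own code. The names rekey_max_blocks, rekey_needed and REKEY_PACKET_LIMIT are constructed; the cap on the shift amount for very large block sizes is an assumption made to keep the arithmetic defined.

```c
#include <stdint.h>

/*
 * Added example, not OpenSSH code. Block size is in bytes. A rekey_limit
 * of 0 bytes or a rekey_interval of 0 seconds means "not configured".
 */

/* Rekey after 2^31 packets: the packet sequence number wraps at 2^32. */
#define REKEY_PACKET_LIMIT	((uint64_t)1 << 31)

/*
 * Maximum number of cipher blocks that may be sent under one set of keys.
 * For block sizes of 16 bytes and up this is 2^(blocksize_in_bits/4), i.e.
 * 2^(blocksize_in_bytes*2) blocks. For 8-byte blocks (3DES, blowfish) that
 * formula is far too small to be useful, so 1GB worth of blocks is used
 * instead. A configured RekeyLimit can only tighten the result.
 */
uint64_t
rekey_max_blocks(unsigned block_size, uint64_t rekey_limit_bytes)
{
	uint64_t max_blocks, cfg;
	unsigned shift;

	if (block_size == 0)
		return 0;		/* no cipher: caller treats 0 as "no limit" */
	if (block_size >= 16) {
		shift = block_size * 2;
		if (shift > 63)		/* assumption: keep the shift defined */
			shift = 63;
		max_blocks = (uint64_t)1 << shift;
	} else
		max_blocks = ((uint64_t)1 << 30) / block_size;

	if (rekey_limit_bytes != 0) {
		cfg = rekey_limit_bytes / block_size;
		if (cfg < max_blocks)
			max_blocks = cfg;
	}
	return max_blocks;
}

/*
 * Decide whether a rekey must start now. Returns 1 when the packet count,
 * the block count or (if configured) the elapsed time has reached its limit.
 * Checking this in the main loop, not only when a packet moves, is what the
 * later time-based rekeying entry in this log addresses.
 */
int
rekey_needed(uint64_t packets, uint64_t blocks, uint64_t max_blocks,
    uint64_t elapsed_s, uint64_t rekey_interval_s)
{
	if (packets >= REKEY_PACKET_LIMIT)
		return 1;
	if (max_blocks != 0 && blocks >= max_blocks)
		return 1;
	if (rekey_interval_s != 0 && elapsed_s >= rekey_interval_s)
		return 1;
	return 0;
}
```

For a 16-byte block cipher the default works out to 2^32 blocks (64GiB of data), while for an 8-byte block cipher the formula would allow only 2^16 blocks (512KB), which is why the 1GB cap exists for that case.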


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.306 21-Jan-2022 djm

correct comment and use local variable instead of long indirection;
spotted by dtucker@


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc != NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.305 17-Jan-2022 djm

when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead
of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid
mode for inflate(). There should be no practical change in behaviour
as the compression side ensures a flush that should make all data
available to the receiver in all cases.

reported by lamm AT ibm.com via bz3372; ok markus


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
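
As an added example (not OpenSSH code) of the check revision 1.169 describes: an SSH "string" reader that rejects embedded NUL bytes, with the one-trailing-NUL allowance the footnote mentions. The function names, the sample inputs and the error texts are constructed for this example.

```python
import struct


class SshStringError(ValueError):
    """Raised when an SSH 'string' field is truncated or contains a NUL."""


def put_string(s: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def get_string(buf: bytes, offset: int = 0):
    """Decode one SSH 'string' at buf[offset:]. Returns (value, next_offset).

    This is the length-aware accessor: any byte value, NUL included, is
    legal in the result.
    """
    if len(buf) - offset < 4:
        raise SshStringError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if len(buf) - offset < n:
        raise SshStringError("string length %d exceeds buffer" % n)
    return buf[offset:offset + n], offset + n


def get_cstring(buf: bytes, offset: int = 0, allow_trailing_nul: bool = True):
    """Like get_string(), for values that will later be handled as C strings.

    An embedded NUL is rejected: a C string function would stop at it, so
    anything after it could be carried along unnoticed (e.g. into a log
    line or a comparison that only sees the prefix). As the commit says, a
    single NUL at the very end is tolerated for now; here it is stripped
    when allow_trailing_nul is True.
    """
    s, offset = get_string(buf, offset)
    if allow_trailing_nul and s.endswith(b"\x00"):
        s = s[:-1]
    if b"\x00" in s:
        raise SshStringError("string contains an embedded NUL")
    return s, offset


def is_clean(buf: bytes, allow_trailing_nul: bool = True) -> bool:
    """True if buf holds a well-formed string acceptable to get_cstring()."""
    try:
        get_cstring(buf, allow_trailing_nul=allow_trailing_nul)
        return True
    except SshStringError:
        return False


def classify(buf: bytes) -> str:
    """Driver: 'ok:<value>' or 'error:<reason>' for one encoded string."""
    try:
        s, _ = get_cstring(buf)
        return "ok:" + s.decode("ascii", "replace")
    except SshStringError as e:
        return "error:" + str(e)


if __name__ == "__main__":
    # Constructed inputs: a normal method name, one sent NUL-terminated by a
    # sloppy peer, one smuggling bytes behind a NUL, and a truncated field.
    for sample in (put_string(b"publickey"),
                   put_string(b"publickey\x00"),
                   put_string(b"root\x00junk-that-strcmp-never-sees"),
                   put_string(b"abc")[:5]):
        print(classify(sample))
```

The length-aware get_string() stays available for binary fields; get_cstring() is the accessor to use wherever the value will meet strcmp(), strlen(), a log format or anything else that stops at the first NUL.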


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@
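
An added model (not packet.c code) of the workaround in revisions 1.159 and 1.158: on a bad length or a bad MAC, a CBC receiver keeps reading until 256K bytes have been consumed and only then disconnects, so the two errors become indistinguishable to the peer. Decryption is treated as transparent, the tag function and all messages are constructed for the example, and the discard accounting counts the already-read first block once (the mistake revision 1.247 later corrected).

```python
import hashlib
import struct

PACKET_MAX_SIZE = 256 * 1024   # OpenSSH's maximum packet length (256K)
BLOCK = 16                     # CBC block size: the length field sits in block 1
MAC_LEN = 20                   # an hmac-sha1-sized tag (illustrative)

def tag(packet: bytes) -> bytes:
    # Stand-in for the keyed MAC; the key is constructed for the example.
    return hashlib.sha1(b"mac-key" + packet).digest()

def make_packet(payload: bytes) -> bytes:
    padlen = BLOCK - (5 + len(payload)) % BLOCK
    if padlen < 4:
        padlen += BLOCK
    body = bytes([padlen]) + payload + b"\x00" * padlen
    packet = struct.pack(">I", len(body)) + body
    return packet + tag(packet)

class Receiver:
    """Receive side of a CBC-mode transport, modelled on decrypted bytes
    (decryption is treated as transparent; the point is the error handling).

    With uniform_discard=False the peer is told about a bad length as soon
    as the first block is decrypted, but about a bad MAC only after the
    whole packet has been read. An attacker who splices a chosen ciphertext
    block into the stream learns, from when the error comes, whether its
    decryption looked like a valid length (CPNI-957037). With
    uniform_discard=True any error makes the receiver swallow input until
    PACKET_MAX_SIZE bytes of this packet have been read, then disconnect
    with one fixed message, so both cases look alike."""

    def __init__(self, uniform_discard: bool = True):
        self.uniform = uniform_discard
        self.buf = b""
        self.consumed = 0          # bytes read off the wire for this packet
        self.discard_left = 0
        self.packlen = None
        self.result = None         # ("deliver", payload) or ("disconnect", reason, consumed)

    def _error(self, reason: str) -> None:
        if not self.uniform:
            self.result = ("disconnect", reason, self.consumed)
        elif self.consumed >= PACKET_MAX_SIZE:
            self.result = ("disconnect", "Packet corrupt", self.consumed)
        else:
            # Bytes already read (the first block included) count once
            # towards the total; this is the accounting revision 1.247 fixed.
            self.discard_left = PACKET_MAX_SIZE - self.consumed

    def feed(self, data: bytes) -> None:
        self.buf += data
        while self.result is None:
            if self.discard_left:
                take = min(self.discard_left, len(self.buf))
                self.buf = self.buf[take:]
                self.consumed += take
                self.discard_left -= take
                if self.discard_left:
                    return                      # keep reading
                self.result = ("disconnect", "Packet corrupt", self.consumed)
                return
            if self.packlen is None:
                if len(self.buf) < BLOCK:
                    return
                (n,) = struct.unpack(">I", self.buf[:4])
                if n < 5 or n > PACKET_MAX_SIZE or (4 + n) % BLOCK:
                    self.buf = self.buf[BLOCK:]
                    self.consumed = BLOCK
                    self._error("Bad packet length")
                    continue
                self.packlen = n
            need = 4 + self.packlen + MAC_LEN
            if len(self.buf) < need:
                return
            packet, got = self.buf[:4 + self.packlen], self.buf[4 + self.packlen:need]
            self.buf = self.buf[need:]
            self.consumed = need
            if got != tag(packet):
                self._error("Corrupted MAC on input")
                continue
            padlen = packet[4]
            self.result = ("deliver", packet[5:len(packet) - padlen])

def observe(chunks, uniform_discard: bool):
    """Feed the chunks in order and return what the peer gets to see."""
    r = Receiver(uniform_discard)
    for chunk in chunks:
        r.feed(chunk)
        if r.result is not None:
            break
    return r.result
```

Run observe() with an injected first block whose decryption yields an impossible length, then with one that yields a plausible length followed by garbage: without the workaround the disconnect arrives after 16 bytes in one case and after the full packet in the other, with different messages; with it, both arrive after exactly PACKET_MAX_SIZE bytes with the same message.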


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
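
The rekeying thresholds from revisions 1.103 and 1.109, as an added example rather than OpenSSH's own code: the 2^(blocksize_in_bits/4) block limit, the 1 GB floor for small block sizes, the 2^31 packet limit, and per-direction counters that restart on new keys while the sequence number does not. MAX_PACKETS, the class and its names are constructed here; the RekeyLimit handling assumes the configured value can only lower the computed limit.

```python
MAX_PACKETS = 1 << 31   # rekey well before the 32-bit sequence number wraps at 2^32
ONE_GB = 1 << 30


def max_blocks_before_rekey(block_size: int, rekey_limit_bytes: int = 0) -> int:
    """Number of cipher blocks one direction may process under one key.

    The commit's rule is 2^(blocksize_in_bits/4) blocks, i.e. 2^(2*block_size)
    for block_size in bytes: 2^32 blocks (64 GiB) for 16-byte blocks, but only
    2^16 blocks (512 KiB) for 8-byte ciphers such as 3DES or Blowfish, which
    is why small block sizes get a flat 1 GiB limit instead. A configured
    RekeyLimit can only lower the result.
    """
    if block_size >= 16:
        limit = 1 << (block_size * 2)
    else:
        limit = ONE_GB // block_size
    if rekey_limit_bytes:
        limit = min(limit, rekey_limit_bytes // block_size)
    return limit


def rekey_bytes(block_size: int, rekey_limit_bytes: int = 0) -> int:
    """Same limit expressed in bytes."""
    return max_blocks_before_rekey(block_size, rekey_limit_bytes) * block_size


class DirectionState:
    """Counters kept per direction (one for sending, one for receiving)."""

    def __init__(self, block_size: int, rekey_limit_bytes: int = 0):
        self.block_size = block_size
        self.max_blocks = max_blocks_before_rekey(block_size, rekey_limit_bytes)
        self.seqnr = 0        # 32-bit packet sequence number, never reset
        self.packets = 0      # packets under the current key
        self.blocks = 0       # blocks under the current key

    def account(self, packet_len: int) -> None:
        """Record one packet whose encrypted length is packet_len bytes."""
        self.seqnr = (self.seqnr + 1) & 0xFFFFFFFF
        self.packets += 1
        self.blocks += packet_len // self.block_size

    def need_rekey(self) -> bool:
        return self.packets > MAX_PACKETS or self.blocks > self.max_blocks

    def new_keys(self) -> None:
        """Called when NEWKEYS takes effect: per-key counters restart, the
        sequence number continues (RFC 4253 section 6.4)."""
        self.packets = 0
        self.blocks = 0


if __name__ == "__main__":
    for bs in (8, 16, 32):
        print("block size %2d: rekey after %d bytes" % (bs, rekey_bytes(bs)))
```

The packet counter is the reason for limit (a): the sequence number is part of every MAC input and wraps at 2^32, so keys must change well before that regardless of how small the packets are.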


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@
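
An added example (not OpenSSH code) of the packet-type handling in revisions 1.175, 1.116, 1.84, 1.79 and 1.77: a small dispatcher that disconnects on out-of-range types, refuses SERVICE_REQUEST/ACCEPT while rekeying, answers unhandled types with SSH2_MSG_UNIMPLEMENTED carrying the offending packet's sequence number, logs received UNIMPLEMENTED messages, and runs an end-of-message check after every handler. The Transport and Cursor classes, the 192 cut-off for local-extension numbers and the disconnect texts are assumptions made for this example.

```python
import struct

# Message numbers from RFC 4250 section 4.1.2
SSH2_MSG_DISCONNECT, SSH2_MSG_IGNORE, SSH2_MSG_UNIMPLEMENTED = 1, 2, 3
SSH2_MSG_SERVICE_REQUEST, SSH2_MSG_SERVICE_ACCEPT = 5, 6
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_DISCONNECT_PROTOCOL_ERROR = 2
SSH2_MSG_MIN = 1
SSH2_MSG_LOCAL_MIN = 192   # 192..255 are local extensions (RFC 4251); cut-off assumed here


def put_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


class Cursor:
    """Reads the fields of one payload and remembers how far it got, so the
    dispatcher can check that the handler consumed the whole message."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> bytes:
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s

    def at_eom(self) -> bool:
        return self.pos == len(self.data)


class Transport:
    def __init__(self):
        self.recv_seqnr = 0       # sequence number of the next incoming packet
        self.rekeying = False
        self.sent = []            # outgoing payloads, kept for inspection
        self.log = []
        self.disconnected = None
        self.table = {            # function table in place of a big switch()
            SSH2_MSG_IGNORE: self.on_ignore,
            SSH2_MSG_UNIMPLEMENTED: self.on_unimplemented,
            SSH2_MSG_SERVICE_REQUEST: self.on_service_request,
        }

    # Handlers read exactly the fields their message defines.
    def on_ignore(self, c, seq):
        c.string()

    def on_unimplemented(self, c, seq):
        # The peer tells us which of our packets it could not handle.
        self.log.append("peer did not implement our packet %d" % c.u32())

    def on_service_request(self, c, seq):
        self.log.append("service request: " + c.string().decode("ascii", "replace"))

    def send(self, msg_type: int, body: bytes = b"") -> None:
        self.sent.append(bytes([msg_type]) + body)

    def disconnect(self, reason: str) -> None:
        self.disconnected = reason
        self.send(SSH2_MSG_DISCONNECT, struct.pack(">I", SSH2_DISCONNECT_PROTOCOL_ERROR)
                  + put_string(reason.encode()) + put_string(b""))

    def receive(self, payload: bytes) -> None:
        """Dispatch one decrypted and authenticated payload."""
        if self.disconnected is not None:
            return
        seq = self.recv_seqnr
        self.recv_seqnr = (self.recv_seqnr + 1) & 0xFFFFFFFF
        if not payload:
            return self.disconnect("empty packet")
        t = payload[0]
        if t < SSH2_MSG_MIN or t >= SSH2_MSG_LOCAL_MIN:
            return self.disconnect("Invalid ssh2 packet type: %d" % t)
        if self.rekeying and t in (SSH2_MSG_SERVICE_REQUEST, SSH2_MSG_SERVICE_ACCEPT):
            return self.disconnect("service request/accept during rekeying")
        handler = self.table.get(t)
        if handler is None:
            # Legal but unhandled type: reply UNIMPLEMENTED carrying the
            # sequence number of the packet we could not process.
            self.send(SSH2_MSG_UNIMPLEMENTED, struct.pack(">I", seq))
            return
        c = Cursor(payload[1:])
        try:
            handler(c, seq)
        except ValueError as e:
            return self.disconnect("malformed message %d: %s" % (t, e))
        if not c.at_eom():
            self.disconnect("Packet integrity error: %d trailing bytes in message %d"
                            % (len(c.data) - c.pos, t))
```

The sequence number is captured before the handler runs so the UNIMPLEMENTED reply names the packet the peer actually sent, and the end-of-message check is done by the dispatcher rather than by each handler, so a handler that forgets it cannot silently accept trailing bytes.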


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
convert all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.304 01-Jan-2022 jsg

spelling
ok dtucker@


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
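
The stricter \r handling from revision 1.278, as an added example (not the OpenSSH banner exchange): an identification-string reader that accepts a CR only immediately before LF, lets a client skip pre-banner lines but a server refuse them, and rejects oversize or malformed lines. The 16-line pre-banner cap, the error strings and the function names are assumptions for this example.

```python
MAX_BANNER_LINE = 255        # RFC 4253 4.2: identification string incl. CR LF
MAX_PREBANNER_LINES = 16     # assumed cap on lines a client skips before "SSH-"


class BannerError(ValueError):
    pass


def read_banner_line(data: bytes, start: int = 0):
    """Consume one line from data[start:] and return (line, next_offset).

    LF ends a line. CR is accepted only when the very next byte is LF; a
    CR anywhere else is a protocol error rather than an ordinary character.
    """
    line = bytearray()
    i = start
    while True:
        if i >= len(data):
            raise BannerError("truncated banner")
        c = data[i]
        i += 1
        if c == 0x0D:
            if i >= len(data) or data[i] != 0x0A:
                raise BannerError("banner line contains a CR not followed by LF")
            i += 1
            break
        if c == 0x0A:
            break
        line.append(c)
        if len(line) > MAX_BANNER_LINE:
            raise BannerError("banner line too long")
    return bytes(line), i


def parse_identification(data: bytes, is_client: bool):
    """Parse the peer's identification string.

    Returns (protoversion, softwareversion, comments, offset) where offset is
    where the binary packet protocol starts. A client skips lines that do not
    begin with "SSH-" (RFC 4253 allows a server to send such lines first);
    a server accepts none from a client.
    """
    off = 0
    for _ in range(MAX_PREBANNER_LINES + 1):
        line, off = read_banner_line(data, off)
        if line.startswith(b"SSH-"):
            break
        if not is_client:
            raise BannerError("banner line does not start with SSH-")
    else:
        raise BannerError("too many pre-banner lines")
    ident, _, comments = line.partition(b" ")
    if any(b < 0x21 or b > 0x7E for b in ident):
        raise BannerError("identification string contains non-printable bytes")
    parts = ident.split(b"-", 2)          # "SSH" "-" protoversion "-" softwareversion
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise BannerError("malformed identification string")
    return parts[1].decode(), parts[2].decode(), comments.decode("ascii", "replace"), off


def supports_ssh2(protoversion: str) -> bool:
    # "1.99" is what a server speaking both 1.x and 2.0 announces (RFC 4253 5.1).
    return protoversion in ("2.0", "1.99")


def banner_ok(data: bytes, is_client: bool) -> bool:
    try:
        proto = parse_identification(data, is_client)[0]
    except BannerError:
        return False
    return supports_ssh2(proto)
```

The returned offset matters as much as the parsed fields: everything after the terminating LF belongs to the binary packet layer, so a reader that treated a stray CR as line data or as a terminator would disagree with the peer about where the first packet begins.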


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
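The EtM packet layout from rev 1.178 (MAC over seqnr, the unencrypted packet length and the ciphertext) and the rev 1.231 ordering (MAC computed and checked in one pass before any decryption), as an added example that is not OpenSSH code. HMAC-SHA256 stands in for the hmac-*-etm MAC and a SHA-256 counter keystream stands in for the transport cipher so the block runs with only the standard library; all function names are assumptions.

```python
"""Encrypt-then-MAC SSH packet framing with the MAC verified before decryption.

Constructed example, not OpenSSH code.  Assumptions: HMAC-SHA256 as the
EtM MAC, a SHA-256 counter keystream as the cipher, 8-byte block size.
"""
import hashlib
import hmac
import struct

MAC_LEN = 32                   # HMAC-SHA256 output length
BLOCK = 8                      # cipher block size used for padding
PACKET_MAX_SIZE = 256 * 1024   # bound applied to the cleartext length field

DECRYPT_CALLS = 0              # lets a caller confirm nothing was decrypted on MAC failure


class MacError(Exception):
    """Received MAC does not verify."""


def _keystream(key: bytes, seqnr: int, n: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || seqnr || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">II", seqnr, counter)).digest()
        counter += 1
    return bytes(out[:n])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _etm_mac(mac_key: bytes, seqnr: int, length_field: bytes, ciphertext: bytes) -> bytes:
    # EtM: MAC covers seqnr || packet_length (sent in the clear) || ciphertext
    msg = struct.pack(">I", seqnr) + length_field + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def etm_send(enc_key: bytes, mac_key: bytes, seqnr: int, payload: bytes) -> bytes:
    """Build one EtM packet: packet_length (clear) || ciphertext || MAC."""
    # padding_length byte + payload + padding is a multiple of BLOCK, padding >= 4
    padlen = BLOCK - ((1 + len(payload)) % BLOCK)
    if padlen < 4:
        padlen += BLOCK
    padding = bytes(padlen)  # a real implementation uses random padding (rev 1.54)
    plaintext = bytes([padlen]) + payload + padding
    length_field = struct.pack(">I", len(plaintext))
    ciphertext = _xor(plaintext, _keystream(enc_key, seqnr, len(plaintext)))
    return length_field + ciphertext + _etm_mac(mac_key, seqnr, length_field, ciphertext)


def _decrypt(enc_key: bytes, seqnr: int, ciphertext: bytes) -> bytes:
    global DECRYPT_CALLS
    DECRYPT_CALLS += 1
    return _xor(ciphertext, _keystream(enc_key, seqnr, len(ciphertext)))


def decrypt_calls() -> int:
    return DECRYPT_CALLS


def etm_receive(enc_key: bytes, mac_key: bytes, seqnr: int, wire: bytes) -> bytes:
    """Parse one EtM packet, checking the MAC before decrypting anything."""
    if len(wire) < 4 + BLOCK + MAC_LEN:
        raise ValueError("short packet")
    length_field = wire[:4]
    (packet_length,) = struct.unpack(">I", length_field)
    # the length is unauthenticated until the MAC passes, so bound it first
    if packet_length < BLOCK or packet_length > PACKET_MAX_SIZE or packet_length % BLOCK:
        raise ValueError("bad packet length %d" % packet_length)
    if len(wire) != 4 + packet_length + MAC_LEN:
        raise ValueError("truncated packet")
    ciphertext = wire[4:4 + packet_length]
    received_mac = wire[4 + packet_length:]
    # mac_check(): compute and compare in one pass, constant time, before decryption
    expected = _etm_mac(mac_key, seqnr, length_field, ciphertext)
    if not hmac.compare_digest(expected, received_mac):
        raise MacError("Corrupted MAC on input")
    plaintext = _decrypt(enc_key, seqnr, ciphertext)
    padlen = plaintext[0]
    if padlen < 4 or padlen + 1 > packet_length:
        raise ValueError("bad padding length")
    return plaintext[1:packet_length - padlen]
```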


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
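The automatic rekeying rules from rev 1.103 (2^31 packets so the 32-bit sequence number never wraps; 2^(blocksize_in_bits/4) blocks), the rev 1.109 1GB cap for small block sizes, the RekeyLimit volume and time arguments (revs 1.184/1.185) and counting the packet about to be sent (rev 1.228), as an added example that is not OpenSSH code. The KeyState structure and the function names are assumptions.

```python
"""Rekey triggers for an SSH transport, assembled from this log's commit messages.

Constructed example, not OpenSSH code; KeyState and the function names are
assumptions.  Block sizes are in bytes, times are monotonic seconds.
"""
from dataclasses import dataclass


def max_blocks_for_cipher(block_size: int, rekey_limit_bytes: int = 0) -> int:
    """Blocks that may pass under one key before a rekey is required.

    block_size is 16 for AES and 8 for 3DES/blowfish; rekey_limit_bytes is
    the optional RekeyLimit volume argument (0 means unset).
    """
    if block_size >= 16:
        # 2^(blocksize_in_bits/4): 2^32 blocks for a 128-bit block cipher
        limit = 1 << (block_size * 8 // 4)
    else:
        # 2^16 blocks (512KB) is too expensive for 8-byte blocks,
        # so rev 1.109 enforces a 1GB limit instead
        limit = (1 << 30) // block_size
    if rekey_limit_bytes:
        # RekeyLimit may only tighten the cipher-specific bound
        limit = min(limit, rekey_limit_bytes // block_size)
    return limit


@dataclass
class KeyState:
    """Per-direction counters reset at each NEWKEYS."""
    block_size: int
    max_blocks: int
    blocks: int = 0
    packets: int = 0

    def account(self, nbytes: int) -> None:
        """Charge one packet of nbytes to this direction."""
        self.blocks += (nbytes + self.block_size - 1) // self.block_size
        self.packets += 1


def need_rekeying(send: KeyState, recv: KeyState, outbound_len: int = 0,
                  rekey_time: float = 0, rekey_interval: float = 0,
                  now: float = 0):
    """Return why a rekey is due ("blocks", "packets", "time") or None.

    outbound_len is the size of the packet about to be sent; it is counted
    before it leaves so the limit is not overshot (rev 1.228).
    """
    pending = (outbound_len + send.block_size - 1) // send.block_size
    # (b) cipher-specific block limit, checked in both directions
    if send.blocks + pending > send.max_blocks or recv.blocks > recv.max_blocks:
        return "blocks"
    # (a) 2^31 packets: the packet sequence number wraps at 2^32
    if send.packets > (1 << 31) or recv.packets > (1 << 31):
        return "packets"
    # RekeyLimit time argument: rekey once the interval has elapsed
    if rekey_interval and rekey_time + rekey_interval <= now:
        return "time"
    return None
```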


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.303 25-Nov-2021 djm

debug("func: ...") -> debug_f("...")


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 "fix kex mem-leak in ssh_packet_close" at markus' request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
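
The "\r only immediately before \n" rule from the commit above, as an added example in Python (this is not OpenSSH's code; OpenSSH implements the banner exchange in C in kex.c). It reads an identification exchange from a byte string, skips any pre-banner lines a server may send before "SSH-", and rejects a bare \r, a NUL, or an over-long line. The names MAX_IDENT_LINE, MAX_PRE_BANNER_LINES, BannerError, read_identification and identification_or_none are this example's own, and the two limits are assumptions (RFC 4253 caps the line at 255 bytes including CRLF; the pre-banner cap is arbitrary).

```python
# Added example (not OpenSSH code): parse the SSH identification line with
# the '\r' rule described in the commit. The MAX_* limits are assumptions.
from typing import Optional, Tuple

MAX_IDENT_LINE = 255          # assumed: RFC 4253 caps the line at 255 bytes incl. CRLF
MAX_PRE_BANNER_LINES = 1024   # assumed cap on server lines sent before "SSH-"


class BannerError(Exception):
    """Raised for any malformed identification exchange."""


def read_identification(data: bytes) -> Tuple[str, bytes]:
    """Return (identification line, unread remainder) from a raw byte stream.

    Lines not starting with "SSH-" are skipped (RFC 4253 lets a server send
    them first). A '\r' is accepted only when the very next byte is '\n';
    a bare '\r' anywhere else, a NUL, or an over-long line is an error.
    """
    pos = 0
    lines_seen = 0
    while lines_seen < MAX_PRE_BANNER_LINES:
        line = bytearray()
        while True:
            if pos >= len(data):
                raise BannerError("stream ended before identification line")
            c = data[pos]
            pos += 1
            if c == 0x0D:                                   # '\r'
                if pos >= len(data) or data[pos] != 0x0A:   # must be followed by '\n'
                    raise BannerError("bare \\r in identification line")
                pos += 1
                break
            if c == 0x0A:                                   # a bare '\n' terminator is accepted
                break
            if c == 0x00:
                raise BannerError("NUL in identification line")
            line.append(c)
            if len(line) > MAX_IDENT_LINE:
                raise BannerError("identification line too long")
        lines_seen += 1
        if line.startswith(b"SSH-"):
            try:
                return line.decode("ascii"), data[pos:]
            except UnicodeDecodeError:
                raise BannerError("non-ASCII identification line") from None
        # anything else is a pre-banner line: ignore it and keep reading
    raise BannerError("too many lines before identification line")


def identification_or_none(data: bytes) -> Optional[str]:
    """Convenience wrapper: the parsed line, or None if the exchange is malformed."""
    try:
        return read_identification(data)[0]
    except BannerError:
        return None
```

The remainder returned by read_identification is whatever followed the line terminator; in a real transport that is the start of the first binary packet, so it must not be consumed as banner text.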


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth compression has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
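
The EtM packet layout described in this commit (MAC over the encrypted message including the cleartext packet length) and the receive ordering from revision 1.231 (check the MAC before decrypting), as one added Python example. It is not OpenSSH's code: the "cipher" is a stand-in keystream built from HMAC-SHA256 in counter mode so the example runs with the standard library only, the MAC is HMAC-SHA256, and BLOCK, MAX_PACKET, seal and Receiver are this example's own names and assumptions. Receiver.decrypt_calls counts how often unauthenticated ciphertext reached the cipher, which is exactly what the 1.231 reordering drives to zero.

```python
# Added example (not OpenSSH code): an encrypt-then-MAC receive path that
# checks the MAC before decrypting, beside the older decrypt-then-check
# ordering. The "cipher" is a toy keystream from HMAC-SHA256 in counter
# mode, used only so the example runs without a crypto library.
import hashlib
import hmac
import os
import struct
from typing import Optional

BLOCK = 8                 # assumed cipher block size used for padding
MAC_LEN = 32              # HMAC-SHA256 output size
MAX_PACKET = 256 * 1024   # assumed upper bound on packet_length


def _keystream(key: bytes, seqnr: int, n: int) -> bytes:
    """Toy stream-cipher keystream (NOT a real cipher): HMAC-SHA256 over a counter."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">II", seqnr, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def etm_mac(mac_key: bytes, seqnr: int, length_field: bytes, ciphertext: bytes) -> bytes:
    """EtM MAC: over the sequence number, the cleartext length field and the ciphertext."""
    msg = struct.pack(">I", seqnr) + length_field + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, seqnr: int, payload: bytes) -> bytes:
    """Build one EtM packet: packet_length || E(padding_length || payload || padding) || MAC."""
    padlen = BLOCK - ((1 + len(payload)) % BLOCK)
    if padlen < 4:                      # SSH requires at least 4 bytes of padding
        padlen += BLOCK
    body = bytes([padlen]) + payload + os.urandom(padlen)
    length_field = struct.pack(">I", len(body))   # sent in the clear under EtM
    ciphertext = _xor(body, _keystream(enc_key, seqnr, len(body)))
    return length_field + ciphertext + etm_mac(mac_key, seqnr, length_field, ciphertext)


class Receiver:
    """mac_first=True is the ordering revision 1.231 introduces; False is the old one."""

    def __init__(self, enc_key: bytes, mac_key: bytes, mac_first: bool = True):
        self.enc_key, self.mac_key, self.mac_first = enc_key, mac_key, mac_first
        self.decrypt_calls = 0          # how often unauthenticated data reached the cipher

    def _decrypt(self, seqnr: int, ciphertext: bytes) -> bytes:
        self.decrypt_calls += 1
        return _xor(ciphertext, _keystream(self.enc_key, seqnr, len(ciphertext)))

    def open(self, seqnr: int, wire: bytes) -> Optional[bytes]:
        """Return the payload, or None if the packet is malformed or fails the MAC."""
        if len(wire) < 4:
            return None
        length_field = wire[:4]
        (n,) = struct.unpack(">I", length_field)
        if n < 5 or n > MAX_PACKET or n % BLOCK != 0:
            return None
        ciphertext, tag = wire[4:4 + n], wire[4 + n:4 + n + MAC_LEN]
        if len(ciphertext) != n or len(tag) != MAC_LEN:
            return None
        expected = etm_mac(self.mac_key, seqnr, length_field, ciphertext)
        if self.mac_first:
            if not hmac.compare_digest(tag, expected):
                return None             # rejected without ever touching the cipher
            body = self._decrypt(seqnr, ciphertext)
        else:                           # older ordering: decrypt, then check
            body = self._decrypt(seqnr, ciphertext)
            if not hmac.compare_digest(tag, expected):
                return None
        padlen = body[0]
        if padlen < 4 or padlen >= len(body):
            return None
        return body[1:len(body) - padlen]
```

Because the length field is authenticated but not encrypted, the receiver can size its read from the cleartext length, verify the MAC over everything it received, and only then decrypt; a forged or bit-flipped packet never reaches the decryption step in the mac_first path.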


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
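
The embedded-NUL problem this commit addresses, as an added Python example (not OpenSSH's code; the names put_string, get_string, get_cstring, c_view and cstring_or_none are this example's own). An SSH "string" is a uint32 length followed by that many bytes, so a length-aware decoder returns the whole field, while any C string(3) function stops at the first NUL and sees a different value. get_cstring rejects that disagreement, tolerating a single NUL only as the final byte, as the footnote above describes.

```python
# Added example (not OpenSSH code): length-prefixed "string" decoding with
# the embedded-NUL check described in the commit. Names are this example's own.
import struct
from typing import Optional, Tuple


class ParseError(Exception):
    pass


def put_string(s: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(s)) + s


def get_string(buf: bytes, pos: int = 0) -> Tuple[bytes, int]:
    """Raw, length-aware decode: returns (bytes, new position). NULs pass through."""
    if len(buf) - pos < 4:
        raise ParseError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if len(buf) - pos < n:
        raise ParseError("string length exceeds buffer")
    return buf[pos:pos + n], pos + n


def get_cstring(buf: bytes, pos: int = 0) -> Tuple[bytes, int]:
    """Decode a string destined for C string handling: no embedded NUL allowed.

    As in the commit's footnote, one NUL is tolerated only as the final byte,
    and it is stripped so the caller sees the same value a C function would.
    """
    raw, pos = get_string(buf, pos)
    body = raw[:-1] if raw.endswith(b"\0") else raw
    if b"\0" in body:
        raise ParseError("embedded NUL in string")
    return body, pos


def c_view(raw: bytes) -> bytes:
    """What strcmp()/strlen() would see: everything before the first NUL."""
    i = raw.find(b"\0")
    return raw if i < 0 else raw[:i]


def cstring_or_none(buf: bytes) -> Optional[bytes]:
    """Convenience wrapper: the decoded string, or None if it would be rejected."""
    try:
        return get_cstring(buf)[0]
    except ParseError:
        return None
```

The constructed packet in the test encodes a user name of "alice" followed by a NUL and trailing bytes: get_string hands back all of it, c_view shows only "alice", and get_cstring refuses the field rather than letting two parts of a program disagree about its contents.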


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
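
The short-circuit leak this commit closes, as an added Python example (not OpenSSH's code; timingsafe_bcmp in OpenBSD is a C library routine, and memcmp_like, recover_secret and the Oracle alias are this example's own names). Both compare functions report how many bytes they examined, standing in for the elapsed time an attacker would measure; recover_secret then plays that attacker, recovering a value byte by byte against the short-circuiting compare and failing against the constant-time one.

```python
# Added example (not OpenSSH code): a short-circuiting compare next to a
# constant-time one, each instrumented to report how many bytes it touched,
# plus a byte-at-a-time recovery that only works against the leaky one.
from typing import Callable, Optional, Tuple

Oracle = Callable[[bytes, bytes], Tuple[bool, int]]


def memcmp_like(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Stops at the first differing byte: returns (equal, bytes examined)."""
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return len(a) == len(b), examined


def timingsafe_bcmp(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Touches every byte and accumulates differences with OR: (equal, bytes examined).

    Lengths are compared up front; for a MAC the length is fixed by the
    algorithm and therefore not secret.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined


def recover_secret(secret: bytes, compare: Oracle) -> Optional[bytes]:
    """Model an attacker who observes how far compare(secret, guess) ran.

    Each position is brute-forced by finding the candidate byte that makes
    the compare walk one byte further. Returns the secret if the oracle
    leaks, or None at the first position where no candidate stands out.
    """
    known = b""
    n = len(secret)
    for i in range(n):
        found = None
        for v in range(256):
            guess = known + bytes([v]) + b"\0" * (n - i - 1)
            equal, examined = compare(secret, guess)
            if equal or examined > i + 1:   # the compare got past position i
                found = v
                break
        if found is None:
            return None
        known += bytes([found])
    return known
```

Against memcmp_like the work is 256 guesses per byte; against timingsafe_bcmp every wrong guess looks identical, so the attacker is back to guessing the whole value at once.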


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.302 13-Nov-2021 deraadt

replace select() with ppoll(), including converting timeval's to timespec's
to make things easier.
back and forth and ok; djm


Revision tags: OPENBSD_7_0_BASE
# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.301 16-Jul-2021 djm

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@


Revision tags: OPENBSD_6_9_BASE
# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
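An added example, not OpenSSH's code, of the stricter banner handling described in this message: a scanner for the identification exchange that accepts "\r" only as the byte immediately before "\n" and treats it as a protocol error anywhere else. The 255-byte line limit is RFC 4253's; the enum names and the helper functions are this example's own.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not code from packet.c.  Scan the identification
 * ("banner") exchange with the rule from the commit message: a '\r' is
 * accepted only directly before '\n'.  Lines may be at most 255 bytes
 * including the line terminator (RFC 4253 section 4.2).
 */
#define BANNER_MAX_LINE 255

enum banner_result {
	BANNER_NEED_MORE,	/* no complete line yet, read again */
	BANNER_BAD,		/* malformed line: disconnect */
	BANNER_SKIP,		/* a non-"SSH-" line before the version line */
	BANNER_VERSION		/* the "SSH-..." line, copied to out */
};

/*
 * Examine the first line in buf[0..buflen).  On BANNER_SKIP or
 * BANNER_VERSION, *consumed is the number of bytes to discard and out
 * holds the line without its terminator.
 */
enum banner_result
banner_scan_line(const unsigned char *buf, size_t buflen, size_t *consumed,
    char *out, size_t outlen)
{
	const unsigned char *nl;
	size_t linelen, body, i;

	*consumed = 0;
	nl = memchr(buf, '\n', buflen);
	if (nl == NULL)
		return buflen > BANNER_MAX_LINE ? BANNER_BAD : BANNER_NEED_MORE;
	linelen = (size_t)(nl - buf) + 1;	/* including the '\n' */
	if (linelen > BANNER_MAX_LINE)
		return BANNER_BAD;
	body = linelen - 1;
	if (body > 0 && buf[body - 1] == '\r')
		body--;				/* CR directly before LF: fine */
	for (i = 0; i < body; i++) {
		/* Any other CR, or a NUL, is not acceptable in a banner. */
		if (buf[i] == '\r' || buf[i] == '\0')
			return BANNER_BAD;
	}
	if (body >= outlen)
		return BANNER_BAD;
	memcpy(out, buf, body);
	out[body] = '\0';
	*consumed = linelen;
	return strncmp(out, "SSH-", 4) == 0 ? BANNER_VERSION : BANNER_SKIP;
}

/*
 * Client-side view: a server may send informational lines before its
 * "SSH-" line, so skip those until the version line, an error, or the
 * end of the data received so far.
 */
enum banner_result
banner_get_version(const unsigned char *buf, size_t buflen, char *out,
    size_t outlen)
{
	size_t used = 0, n;
	enum banner_result r;

	for (;;) {
		r = banner_scan_line(buf + used, buflen - used, &n, out, outlen);
		if (r != BANNER_SKIP)
			return r;
		used += n;
	}
}
```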


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
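An added example, not OpenSSH's buffer code, of the check this message describes: a buffer_get_cstring()-style parser for an SSH wire string (uint32 big-endian length, then bytes) that rejects an embedded NUL, tolerating only a single trailing one, so the result is safe to hand to string(3) functions. The result codes, the try_cstring() helper and the sample payloads are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for this example (not OpenSSH's ssherr.h values). */
#define CSTR_OK            0
#define CSTR_TRUNCATED    -1	/* length field or body runs past the buffer */
#define CSTR_EMBEDDED_NUL -2	/* '\0' inside the string body */
#define CSTR_NOMEM        -3

/*
 * Parse one SSH "string" starting at buf[*off] and return it as a freshly
 * allocated C string.  A plain get_string() would return any bytes at all,
 * so "alice\0xyz" would later look like "alice" to strcmp() while the
 * extra bytes went unnoticed.  Here a NUL anywhere but the last byte is
 * rejected; one trailing '\0' is tolerated (as the message says) and
 * simply becomes the terminator.
 */
int
get_cstring(const unsigned char *buf, size_t len, size_t *off, char **outp)
{
	size_t p = *off;
	uint32_t slen;
	char *s;

	*outp = NULL;
	if (p > len || len - p < 4)
		return CSTR_TRUNCATED;
	slen = ((uint32_t)buf[p] << 24) | ((uint32_t)buf[p + 1] << 16) |
	    ((uint32_t)buf[p + 2] << 8) | (uint32_t)buf[p + 3];
	p += 4;
	if (slen > len - p)
		return CSTR_TRUNCATED;	/* also catches 0xffffffff lengths */
	/* Look for a NUL anywhere but the last byte of the body. */
	if (slen > 0 && memchr(buf + p, '\0', slen - 1) != NULL)
		return CSTR_EMBEDDED_NUL;
	if ((s = malloc((size_t)slen + 1)) == NULL)
		return CSTR_NOMEM;
	memcpy(s, buf + p, slen);
	s[slen] = '\0';
	*off = p + slen;
	*outp = s;
	return CSTR_OK;
}

/* Parse one string from buf, copy it into out, and return the result code. */
int
try_cstring(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
	size_t off = 0;
	char *s;
	int r = get_cstring(buf, len, &off, &s);

	if (r == CSTR_OK) {
		snprintf(out, outlen, "%s", s);
		free(s);
	}
	return r;
}

/* Constructed sample payloads, not captured traffic. */
static const unsigned char sample_plain[]    = {0,0,0,5,'h','e','l','l','o'};
static const unsigned char sample_trailnul[] = {0,0,0,6,'h','e','l','l','o',0};
static const unsigned char sample_embedded[] = {0,0,0,9,'a','l','i','c','e',0,'x','y','z'};
static const unsigned char sample_short[]    = {0,0,0,9,'h','i'};
static const unsigned char sample_huge[]     = {0xff,0xff,0xff,0xff,'x'};

int
main(void)
{
	char s[32];

	printf("plain:    %d \"%s\"\n", try_cstring(sample_plain, sizeof sample_plain, s, sizeof s), s);
	printf("embedded: %d\n", try_cstring(sample_embedded, sizeof sample_embedded, s, sizeof s));
	printf("huge:     %d\n", try_cstring(sample_huge, sizeof sample_huge, s, sizeof s));
	return 0;
}
```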


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
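An added example, not OpenSSH's code, modelling the rekeying thresholds from this message and from revision 1.109 above (the 2^31 packet limit, the 2^(blocksize_in_bits/4) block limit, and the 1GB cap for small block sizes), with the RekeyLimit byte and time parts from 1.184/1.185 layered on top. The struct, function names and the simulation helper are this example's own; the requirement that `now` come from a monotonic clock follows 1.187 and 1.267.

```c
#include <stdint.h>

/*
 * Added example, not code from packet.c.  Thresholds:
 *  (a) rekey after 2^31 packets, before the 32-bit sequence number wraps;
 *  (b) rekey after 2^(blocksize_in_bits/4) = 2^(2*block_size_in_bytes)
 *      blocks: 2^32 blocks (64 GiB) for AES, but only 2^16 blocks
 *      (512 KiB) for 8-byte ciphers such as 3DES, so for small block
 *      sizes a 1 GiB data limit is used instead;
 *  (c) a configured RekeyLimit (bytes and optional seconds) lowers the
 *      threshold further.
 */
#define REKEY_MAX_PACKETS       ((uint64_t)1 << 31)
#define REKEY_SMALL_BLOCK_BYTES ((uint64_t)1 << 30)	/* 1 GiB */

struct rekey_state {
	uint32_t block_size;	/* cipher block size in bytes, >= 1 */
	uint64_t max_blocks;	/* computed threshold in blocks */
	uint64_t blocks;	/* blocks processed since the last NEWKEYS */
	uint64_t packets;	/* packets processed since the last NEWKEYS */
	uint32_t rekey_interval;/* RekeyLimit time part in seconds, 0 = none */
	int64_t  rekey_time;	/* monotonic time of the last NEWKEYS */
};

/* Threshold (b), with the 1 GiB rule for small block sizes. */
uint64_t
rekey_max_blocks(uint32_t block_size)
{
	if (block_size >= 32)	/* shift would overflow; no such cipher here */
		return UINT64_MAX;
	if (block_size >= 16)
		return (uint64_t)1 << (block_size * 2);
	return REKEY_SMALL_BLOCK_BYTES / block_size;
}

/* Reset the counters after NEWKEYS and apply the configured RekeyLimit. */
void
rekey_newkeys(struct rekey_state *st, uint32_t block_size,
    uint64_t rekey_limit_bytes, uint32_t rekey_interval, int64_t now)
{
	st->block_size = block_size;
	st->max_blocks = rekey_max_blocks(block_size);
	if (rekey_limit_bytes != 0 &&
	    rekey_limit_bytes / block_size < st->max_blocks)
		st->max_blocks = rekey_limit_bytes / block_size;
	st->blocks = 0;
	st->packets = 0;
	st->rekey_interval = rekey_interval;
	st->rekey_time = now;
}

/* Account for one packet of len bytes on the wire. */
void
rekey_account(struct rekey_state *st, uint32_t len)
{
	st->blocks += (len + st->block_size - 1) / st->block_size;
	st->packets++;
}

/*
 * Decide whether to rekey now.  `now` must come from a monotonic clock so
 * that a wall-clock step can neither suppress nor force a rekey; the
 * interval is widened to int64 for the comparison.
 */
int
rekey_needed(const struct rekey_state *st, int64_t now)
{
	if (st->packets >= REKEY_MAX_PACKETS)
		return 1;
	if (st->blocks >= st->max_blocks)
		return 1;
	if (st->rekey_interval != 0 &&
	    now - st->rekey_time >= (int64_t)st->rekey_interval)
		return 1;
	return 0;
}

/*
 * Simulate sending fixed-size packets; return the packet count at which
 * the data threshold fired, or 0 if max_packets went by first.
 */
uint64_t
packets_until_rekey(uint32_t block_size, uint64_t rekey_limit_bytes,
    uint32_t pkt_len, uint64_t max_packets)
{
	struct rekey_state st;
	uint64_t n;

	rekey_newkeys(&st, block_size, rekey_limit_bytes, 0, 0);
	for (n = 1; n <= max_packets; n++) {
		rekey_account(&st, pkt_len);
		if (rekey_needed(&st, 0))
			return n;
	}
	return 0;
}
```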


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.300 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

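Revision 1.278 tightens the identification-string exchange so that a carriage return is accepted only when it directly precedes a newline. The parser below is an added Python illustration of that rule, not the banner code in OpenSSH's packet.c; the 255-byte line limit comes from RFC 4253, while the cap on pre-banner lines, the NUL rejection, the accepted protocol versions and the client/server asymmetry are this example's own assumptions.

```python
"""Strict parsing of the SSH-* identification banner.

Added illustration in Python, not OpenSSH code.  The rule it enforces
is the one from the log entry: '\r' is accepted only immediately
before '\n'.  Line limits and pre-banner handling are assumptions.
"""
MAX_LINE = 255          # RFC 4253 s.4.2: at most 255 bytes incl. CR LF
MAX_PRE_LINES = 1024    # assumption: non-SSH lines a client tolerates


class BannerError(ValueError):
    """Raised for any malformed identification string."""


def _read_line(data: bytes, pos: int) -> tuple:
    """Return (line_without_terminator, new_pos).

    The terminator is LF, optionally preceded by exactly one CR.
    A CR anywhere else, a NUL byte, an over-long line or running out
    of data before the terminator is an error.
    """
    line = bytearray()
    i = pos
    while i < len(data):
        c = data[i]
        i += 1
        if c == 0x0A:                               # '\n' ends the line
            return bytes(line), i
        if c == 0x0D:                               # '\r' only before '\n'
            if i < len(data) and data[i] == 0x0A:
                return bytes(line), i + 1
            raise BannerError("bare CR in banner")
        if c == 0x00:
            raise BannerError("NUL in banner")
        line.append(c)
        if len(line) > MAX_LINE:
            raise BannerError("banner line too long")
    raise BannerError("banner truncated")


def parse_banner(data: bytes, is_client: bool = True) -> tuple:
    """Return (version_line, bytes_consumed) for the peer's banner.

    A client may see arbitrary lines before the SSH- line and skips
    them (assumption: up to MAX_PRE_LINES); a server expects the
    SSH- line first.
    """
    pos = 0
    for _ in range(MAX_PRE_LINES + 1):
        line, pos = _read_line(data, pos)
        if line.startswith(b"SSH-"):
            # SSH-protoversion-softwareversion [SP comments]
            ident = line.split(b" ", 1)[0]
            proto = ident[4:].split(b"-", 1)[0]
            if proto not in (b"1.99", b"2.0"):
                raise BannerError("unsupported protocol version %r" % proto)
            return line, pos
        if not is_client:
            raise BannerError("server expects SSH- line first")
    raise BannerError("too many lines before SSH- banner")
```

The byte count returned alongside the version line is what a caller needs to hand the remainder of the buffer to the binary packet layer, since the first KEXINIT may already follow the banner in the same read.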

Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots of help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.299 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no file descriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.298 27-Nov-2020 djm

Set the specified TOS/DSCP for interactive use prior to TCP connect.
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.

ok dtucker@


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
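
The stricter '\r' handling that rev 1.278 describes, as an added worked example (my own code, not the OpenSSH banner-exchange code): a scanner for one line of the identification-string exchange that accepts LF or CRLF, rejects any '\r' not directly followed by '\n', asks for more input when it cannot decide yet, and caps the line at 255 bytes (the RFC 4253 limit, an assumption here). The BANNER_* names, the 255-byte bound and the sample inputs are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption (RFC 4253 4.2): an identification line is at most 255 bytes
 * including the terminating CRLF. */
#define BANNER_MAX 255

enum banner_result {
	BANNER_OK = 0,		/* a complete, well-formed line was consumed */
	BANNER_INCOMPLETE,	/* no terminator yet: caller must read more */
	BANNER_BAD_CR,		/* '\r' that is not immediately before '\n' */
	BANNER_TOO_LONG		/* BANNER_MAX bytes seen without a terminator */
};

/*
 * Scan buf[0..len) for one identification line. On BANNER_OK, *linelen
 * is the number of bytes consumed (terminator included) and *textlen the
 * length of the line with its LF or CRLF stripped. A '\r' anywhere other
 * than directly before '\n' is rejected, which is the strictness rev 1.278
 * describes.
 */
enum banner_result
banner_scan_line(const unsigned char *buf, size_t len,
    size_t *linelen, size_t *textlen)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (i >= BANNER_MAX)
			return BANNER_TOO_LONG;
		if (buf[i] == '\n') {
			*linelen = i + 1;
			*textlen = i;
			return BANNER_OK;
		}
		if (buf[i] == '\r') {
			if (i + 1 >= len)
				return BANNER_INCOMPLETE; /* need the next byte */
			if (buf[i + 1] != '\n')
				return BANNER_BAD_CR;
			*linelen = i + 2;
			*textlen = i;
			return BANNER_OK;
		}
	}
	return BANNER_INCOMPLETE;
}

/* 1 if the scanned text is an SSH-2.0 identification string, else 0
 * (a server may send other lines first, which a client must skip). */
int
banner_is_ssh2_ident(const unsigned char *text, size_t textlen)
{
	static const char prefix[] = "SSH-2.0-";
	size_t plen = sizeof(prefix) - 1;

	return textlen >= plen && memcmp(text, prefix, plen) == 0;
}

int
main(void)
{
	/* constructed sample inputs */
	const char *samples[] = {
		"SSH-2.0-OpenSSH_9.7\r\n",	/* CRLF: accepted */
		"SSH-2.0-OpenSSH_9.7\n",	/* bare LF: accepted */
		"SSH-2.0-a\rb\n",		/* stray CR: rejected */
		"SSH-2.0-partial",		/* no terminator yet */
	};
	size_t i, linelen = 0, textlen = 0;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum banner_result r = banner_scan_line(
		    (const unsigned char *)samples[i], strlen(samples[i]),
		    &linelen, &textlen);
		printf("sample %zu: result=%d\n", i, (int)r);
	}
	return 0;
}
```

The INCOMPLETE result for a trailing '\r' matters in practice: a byte-at-a-time reader must not classify the line until the byte after the '\r' has arrived, otherwise a legitimate CRLF split across two reads would be rejected.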


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@
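
As an added worked example of the SSH2 binary packet framing that revs 1.25, 1.28 and 1.233 concern (my own code, not OpenSSH's ssh_packet_send2_wrapped() or its receive path): the outgoing padding computation with an optional extra_pad rounding and the "would not fit in one byte" check that rev 1.233 is about, and the incoming validation of the packet_length and padding_length fields that must happen before anything else in the packet is trusted. PKT_MAX_SIZE (256 KiB), PKT_MIN_PADDING, the 8..64 byte block-size range and the requirement that extra_pad be a multiple of the block size are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions: a 256 KiB ceiling on a packet and the RFC 4253 minimum of
 * four padding bytes. */
#define PKT_MAX_SIZE	(256 * 1024)
#define PKT_MIN_PADDING	4

/*
 * Outgoing side. For a payload of 'len' bytes, return the padding_length
 * that makes 4 (packet_length) + 1 (padding_length) + len + padding a
 * multiple of block_size with at least PKT_MIN_PADDING bytes of padding.
 * If 'extra_pad' is non-zero the total is further rounded up to a
 * multiple of it (hides the true length of short messages); it must be a
 * multiple of block_size so alignment survives. Returns the padding
 * length, or -1 when it would not fit the one-byte padding_length field
 * (the overflow class rev 1.233 guards against) or the input is invalid.
 */
int
ssh2_compute_padding(size_t len, size_t block_size, size_t extra_pad)
{
	size_t padlen, total, rounded;

	if (block_size < 8 || block_size > 64 || len > PKT_MAX_SIZE)
		return -1;
	if (extra_pad > PKT_MAX_SIZE || extra_pad % block_size != 0)
		return -1;

	padlen = block_size - ((len + 5) % block_size);
	if (padlen < PKT_MIN_PADDING)
		padlen += block_size;
	total = len + 5 + padlen;	/* block aligned by construction */

	if (extra_pad != 0) {
		rounded = ((total + extra_pad - 1) / extra_pad) * extra_pad;
		if (rounded < total)	/* size_t wrap guard; unreachable under the bounds above */
			return -1;
		padlen += rounded - total;
	}
	if (padlen > 255)		/* padding_length is a single byte */
		return -1;
	return (int)padlen;
}

/*
 * Incoming side. Validate the packet_length and padding_length fields
 * taken from the first decrypted block before the rest of the packet is
 * trusted. Returns the payload length, or -1 if the header is malformed:
 * out of range, not block aligned, too little padding, or padding that
 * leaves no room for the message-type byte.
 */
long
ssh2_validate_header(uint32_t packet_length, uint8_t padding_length,
    size_t block_size)
{
	if (block_size < 8 || block_size > 64)
		return -1;
	if (packet_length < 1 + PKT_MIN_PADDING || packet_length > PKT_MAX_SIZE)
		return -1;
	/* the MAC-less packet, length field included, must be block aligned */
	if ((packet_length + 4) % block_size != 0)
		return -1;
	if (padding_length < PKT_MIN_PADDING)
		return -1;
	/* payload = packet_length - padding_length - 1, and it needs >= 1 byte */
	if ((uint32_t)padding_length + 2 > packet_length)
		return -1;
	return (long)(packet_length - padding_length - 1);
}

/* Consistency check: frame a payload, then validate the header that would
 * go on the wire. Returns the payload length recovered, or -1. */
long
ssh2_roundtrip(size_t len, size_t block_size)
{
	int padlen = ssh2_compute_padding(len, block_size, 0);

	if (padlen < 0)
		return -1;
	return ssh2_validate_header((uint32_t)(len + 1 + (size_t)padlen),
	    (uint8_t)padlen, block_size);
}

int
main(void)
{
	printf("padding for 12-byte payload, 16-byte blocks: %d\n",
	    ssh2_compute_padding(12, 16, 0));
	printf("same with extra_pad=64: %d\n", ssh2_compute_padding(12, 16, 64));
	printf("header (28, 15) -> payload %ld\n", ssh2_validate_header(28, 15, 16));
	printf("header (28, 27) -> %ld (rejected)\n", ssh2_validate_header(28, 27, 16));
	return 0;
}
```

The payload length that ssh2_validate_header() returns is also the figure a message parser should compare against the bytes it actually consumed; leftover bytes after the last field are the "illegal extra data" that rev 1.28 checks for.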


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
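
The comparison rev 1.167 describes, as an added example (my own code, not OpenBSD's timingsafe_bcmp(3) or OpenSSH's timing_safe_cmp()): a comparison that visits every byte and OR-accumulates the differences, so its running time does not depend on where the first mismatch is, plus a MAC-tag check built on it. The names ct_bcmp and mac_tag_matches and the sample tags are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constant-time comparison in the spirit of timingsafe_bcmp(3): returns
 * 0 when the n bytes at a and b are identical and non-zero otherwise.
 * Every byte is visited and the differences are OR-accumulated, so the
 * time taken does not depend on where (or whether) the inputs differ,
 * unlike memcmp(3), which returns at the first mismatch. The volatile
 * qualifier discourages the compiler from short-circuiting the loop.
 */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const volatile unsigned char *pa = a;
	const volatile unsigned char *pb = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/*
 * Check a received MAC tag against the locally computed one. Returns 1
 * on match, 0 otherwise. The length check does not depend on secret
 * data, so an early return there is fine; the byte comparison is not.
 */
int
mac_tag_matches(const unsigned char *computed, size_t computed_len,
    const unsigned char *received, size_t received_len)
{
	if (computed_len != received_len)
		return 0;
	return ct_bcmp(computed, received, computed_len) == 0;
}

int
main(void)
{
	/* constructed tags; a real implementation compares HMAC output */
	const unsigned char expected[8] = {1, 2, 3, 4, 5, 6, 7, 8};
	const unsigned char altered[8]  = {1, 2, 3, 4, 5, 6, 7, 9};

	printf("genuine: %d\n", mac_tag_matches(expected, 8, expected, 8));
	printf("altered: %d\n", mac_tag_matches(expected, 8, altered, 8));
	return 0;
}
```

Where a platform provides timingsafe_bcmp(3) or an equivalent, prefer it over a hand-written loop; the value of the example is in showing why a memcmp() return value must never decide whether a MAC is accepted.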


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.297 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots of help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
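
The embedded-NUL check described above, as an added example that is not OpenSSH's own code: get_cstring() and the sample wire-format fields are constructed here, and a single trailing NUL is tolerated exactly as the footnote says.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: extract an SSH wire-format string
 * (big-endian uint32 length, then that many bytes) from a buffer and
 * reject embedded NULs, tolerating only a NUL as the very last byte.
 */

enum {
	GET_OK = 0,
	GET_TRUNCATED = -1,	/* length field or body runs past the buffer */
	GET_EMBEDDED_NUL = -2,	/* a NUL that is not the final byte */
	GET_NOMEM = -3
};

/*
 * Read the string at *offp. On GET_OK, *outp holds a freshly malloc'd
 * NUL-terminated copy (without a tolerated trailing NUL) and *offp is
 * advanced past the whole field. On error nothing is changed.
 */
int get_cstring(const unsigned char *buf, size_t buflen, size_t *offp,
    char **outp)
{
	size_t off = *offp, i, copylen;
	uint32_t len;
	const unsigned char *p;
	char *out;

	if (off > buflen || buflen - off < 4)
		return GET_TRUNCATED;
	len = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
	    ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
	off += 4;
	if (buflen - off < len)
		return GET_TRUNCATED;
	p = buf + off;

	/* A NUL anywhere before the last byte would silently cut the value
	 * short once it reaches a string(3) function, hiding what follows. */
	for (i = 0; i + 1 < len; i++) {
		if (p[i] == '\0')
			return GET_EMBEDDED_NUL;
	}
	copylen = len;
	if (copylen > 0 && p[copylen - 1] == '\0')
		copylen--;	/* the tolerated trailing NUL is dropped */

	if ((out = malloc(copylen + 1)) == NULL)
		return GET_NOMEM;
	memcpy(out, p, copylen);
	out[copylen] = '\0';
	*outp = out;
	*offp = off + len;	/* advance past the field as sent */
	return GET_OK;
}

/* Constructed sample fields (not captured traffic). */
static const unsigned char sample_plain[] = {
	0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e' };
static const unsigned char sample_trailing_nul[] = {
	0, 0, 0, 6, 'a', 'l', 'i', 'c', 'e', 0 };
static const unsigned char sample_embedded_nul[] = {
	0, 0, 0, 9, 'a', 'l', 'i', 'c', 'e', 0, 'x', 'y', 'z' };
static const unsigned char sample_truncated[] = {
	0, 0, 0, 9, 'a', 'l', 'i' };
```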


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
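
The short-circuit leak that timing_safe_cmp() addresses, as an added example that is not OpenSSH's own code: a memcmp()-style compare beside a constant-time one, each reporting how many bytes it examined; the tag bytes and function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: the number of bytes a short-circuiting
 * compare touches depends on where the guess first diverges from the
 * secret, which is the timing signal a constant-time compare removes.
 */

#define TAG_LEN 20

/* Constructed sample "expected MAC"; not a real key or tag. */
static const unsigned char expected_tag[TAG_LEN] = {
	0x3a, 0x91, 0x5f, 0x07, 0xc2, 0x88, 0x1e, 0x64, 0xd0, 0x2b,
	0x77, 0x4c, 0xa9, 0x13, 0xf6, 0x50, 0x0d, 0xbe, 0x29, 0x8f
};

/* memcmp()-style: returns at the first differing byte, so the work done
 * (and the time taken) reveals the position of the first mismatch. */
int shortcircuit_bcmp(const unsigned char *a, const unsigned char *b,
    size_t n, size_t *examined)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (a[i] != b[i]) {
			*examined = i + 1;
			return 1;
		}
	}
	*examined = n;
	return 0;
}

/* Constant-time: always visits all n bytes and folds every difference
 * into one accumulator with OR, so the work is independent of where the
 * inputs differ. Returns 0 only if all bytes match. */
int constant_time_bcmp(const unsigned char *a, const unsigned char *b,
    size_t n, size_t *examined)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= a[i] ^ b[i];
	*examined = n;
	return diff != 0;
}

/* Build a guess equal to expected_tag except at byte mismatch_at;
 * mismatch_at >= TAG_LEN yields a fully correct guess. */
static void make_guess(unsigned char *guess, size_t mismatch_at)
{
	memcpy(guess, expected_tag, TAG_LEN);
	if (mismatch_at < TAG_LEN)
		guess[mismatch_at] ^= 0xff;
}

/* Bytes the short-circuiting compare examines for a given mismatch. */
size_t shortcircuit_work(size_t mismatch_at)
{
	unsigned char guess[TAG_LEN];
	size_t examined;

	make_guess(guess, mismatch_at);
	(void)shortcircuit_bcmp(expected_tag, guess, TAG_LEN, &examined);
	return examined;
}

/* Bytes the constant-time compare examines for the same guess. */
size_t constant_time_work(size_t mismatch_at)
{
	unsigned char guess[TAG_LEN];
	size_t examined;

	make_guess(guess, mismatch_at);
	(void)constant_time_bcmp(expected_tag, guess, TAG_LEN, &examined);
	return examined;
}

/* Verify a received tag the safe way: 1 if it matches, 0 otherwise. */
int verify_tag(const unsigned char *tag, size_t len)
{
	size_t examined;

	if (len != TAG_LEN)
		return 0;
	return constant_time_bcmp(expected_tag, tag, TAG_LEN, &examined) == 0;
}
```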


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED, to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
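
The automatic rekeying thresholds from this entry together with the 1GB cap for small block sizes from 1.109, as an added example that is not OpenSSH's own code; it assumes "small" means under 16 bytes (the AES block size), 1GB means 2^30 bytes, and that a configured RekeyLimit in bytes can only lower the automatic limit.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not OpenSSH code: per-direction rekey accounting using
 * the (a) packet-count and (b) block-count limits described in the log.
 * Assumptions: "small blocksize" is < 16 bytes, 1GB is 2^30 bytes, and
 * a RekeyLimit given in bytes only ever lowers the automatic threshold.
 */

/* (a): rekey after 2^31 packets, well before the 32-bit seqnr wraps. */
#define REKEY_PACKET_LIMIT	((uint64_t)1 << 31)

/*
 * (b): 2^(blocksize_in_bits/4) = 2^(2 * blocksize_in_bytes) blocks. For
 * block sizes under 16 bytes that is tiny (an 8-byte cipher would rekey
 * every 2^16 blocks), so 1GB of data is used instead. Returns 0 for an
 * unusable block size.
 */
uint64_t rekey_block_limit(size_t block_size)
{
	if (block_size == 0 || block_size > 31)
		return 0;	/* 2 * 32 would overflow the 64-bit shift */
	if (block_size >= 16)
		return (uint64_t)1 << (2 * block_size);
	return ((uint64_t)1 << 30) / block_size;
}

struct rekey_state {
	size_t block_size;	/* cipher block size in bytes */
	uint64_t packets;	/* packets handled under the current keys */
	uint64_t blocks;	/* cipher blocks handled under the current keys */
	uint64_t max_blocks;	/* threshold for (b), after RekeyLimit */
	int rekey_ok;		/* 0: peer is known not to rekey properly */
};

/* Reset the counters after a key exchange and compute the thresholds.
 * rekey_limit_bytes == 0 means no RekeyLimit was configured. */
void rekey_state_init(struct rekey_state *st, size_t block_size,
    uint64_t rekey_limit_bytes, int rekey_ok)
{
	uint64_t limit;

	st->block_size = block_size;
	st->packets = 0;
	st->blocks = 0;
	st->rekey_ok = rekey_ok;
	st->max_blocks = rekey_block_limit(block_size);
	if (rekey_limit_bytes != 0 && block_size != 0) {
		limit = rekey_limit_bytes / block_size;
		if (limit < st->max_blocks)
			st->max_blocks = limit;
	}
}

/* Account for one packet of packet_bytes on the wire (rounded up to
 * whole blocks). Returns 1 when a rekey is now due, 0 otherwise. */
int rekey_account(struct rekey_state *st, size_t packet_bytes)
{
	st->packets++;
	if (st->block_size != 0)
		st->blocks += (packet_bytes + st->block_size - 1) / st->block_size;
	if (!st->rekey_ok)
		return 0;	/* limits disabled for this peer */
	return st->packets >= REKEY_PACKET_LIMIT || st->blocks >= st->max_blocks;
}

/* Feed fixed-size packets until a rekey is due; returns how many it took,
 * or 0 if none became due within max_iter packets. */
uint64_t packets_until_rekey(struct rekey_state *st, size_t packet_bytes,
    uint64_t max_iter)
{
	uint64_t n;

	for (n = 1; n <= max_iter; n++) {
		if (rekey_account(st, packet_bytes))
			return n;
	}
	return 0;
}
```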


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.296 05-Jul-2020 djm

some language improvements; ok markus


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
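The check that rev 1.169 describes, as an added illustration (not OpenSSH's buffer_get_cstring() itself): an SSH string is a 4-byte big-endian length followed by that many bytes, and the cstring variant rejects embedded NULs while tolerating the single trailing one the footnote mentions. Names and the exception type are my own.

```python
"""SSH 'string' extraction with the embedded-NUL check of rev 1.169.
Added example, not OpenSSH code."""
import struct


class BufferError(Exception):
    """Raised where the real buffer code would fatal()/return an error."""


def get_string(buf: bytes, off: int = 0):
    """Raw SSH string: uint32 big-endian length, then that many bytes.
    Returns (value, next_offset); NULs are allowed anywhere."""
    if off + 4 > len(buf):
        raise BufferError("buffer too short for length field")
    n = struct.unpack(">I", buf[off:off + 4])[0]
    # Check against what remains, so a huge length cannot overflow the math.
    if n > len(buf) - off - 4:
        raise BufferError("string length %d exceeds buffer" % n)
    return buf[off + 4:off + 4 + n], off + 4 + n


def get_cstring(buf: bytes, off: int = 0):
    """Like get_string(), for values later handed to str*(3) functions.
    A single trailing NUL is tolerated and stripped (the concession in the
    rev 1.169 footnote); any other NUL is rejected instead of silently
    truncating the string at the first NUL."""
    s, off = get_string(buf, off)
    if s.endswith(b"\0"):
        s = s[:-1]
    if b"\0" in s:
        raise BufferError("string contains \\0")
    return s, off
```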


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
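The receive-side ordering of revs 1.231 (check the MAC before decrypting), 1.178 (EtM: MAC over the encrypted data including the cleartext length field) and 1.167 (constant-time comparison), as one added example that is not OpenSSH code. Assumptions: HMAC-SHA256 stands in for the EtM MAC algorithms, and a toy SHA-256 counter-mode keystream (constructed here, not a real SSH cipher) stands in for AES-CTR so the block runs with the standard library only.

```python
"""Encrypt-then-MAC receive path in the order rev 1.231 adopted.
Added illustration, not OpenSSH code."""
import hashlib
import hmac
import os
import struct

BLOCK = 16               # block size of the stand-in cipher, bytes
MACLEN = 32              # HMAC-SHA256 output length
PACKET_MAX = 256 * 1024  # constructed upper bound on the cleartext length


class PacketError(Exception):
    """Raised where OpenSSH would disconnect: every failure is fatal."""


def _keystream(key: bytes, nbytes: int) -> bytes:
    # Toy counter-mode keystream (SHA-256 of key||counter); stands in for
    # AES-CTR purely so the example needs no crypto library.
    out = b""
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:nbytes]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac(mac_key: bytes, seqnr: int, length_field: bytes, ct: bytes) -> bytes:
    # EtM (rev 1.178): MAC over seqnr || cleartext length || ciphertext.
    return hmac.new(mac_key, struct.pack(">I", seqnr) + length_field + ct,
                    hashlib.sha256).digest()


def seal_etm(enc_key: bytes, mac_key: bytes, seqnr: int, payload: bytes) -> bytes:
    """Sender: length (clear) || E(padlen || payload || padding) || MAC."""
    padlen = BLOCK - ((1 + len(payload)) % BLOCK)
    if padlen < 4:                      # SSH requires at least 4 padding bytes
        padlen += BLOCK
    body = bytes([padlen]) + payload + os.urandom(padlen)
    ct = _xor(body, _keystream(enc_key, len(body)))
    length_field = struct.pack(">I", len(body))
    return length_field + ct + _mac(mac_key, seqnr, length_field, ct)


def open_etm(enc_key: bytes, mac_key: bytes, seqnr: int, wire: bytes) -> bytes:
    """Receiver, post-1.231 order: bound the cleartext length, verify the
    MAC in constant time, and only then decrypt and parse the padding."""
    if len(wire) < 4 + BLOCK + MACLEN:
        raise PacketError("short packet")
    length_field = wire[:4]
    length = struct.unpack(">I", length_field)[0]
    # The length is unauthenticated until the MAC passes: bound and align
    # it before using it to slice anything.
    if length < BLOCK or length > PACKET_MAX or length % BLOCK:
        raise PacketError("Bad packet length %d" % length)
    if len(wire) != 4 + length + MACLEN:
        raise PacketError("truncated packet")
    ct = wire[4:4 + length]
    tag = wire[4 + length:]
    # compare_digest does not stop at the first differing byte, the property
    # timingsafe_bcmp() provides in OpenSSH (rev 1.167).
    if not hmac.compare_digest(_mac(mac_key, seqnr, length_field, ct), tag):
        raise PacketError("Corrupted MAC on input")
    # Only a packet with a valid MAC reaches the cipher and padding parser.
    body = _xor(ct, _keystream(enc_key, length))
    padlen = body[0]
    if padlen < 4 or padlen + 1 > length:
        raise PacketError("Invalid packet padding %d" % padlen)
    return body[1:length - padlen]
```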


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
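The automatic rekey triggers of rev 1.103, the 1GB floor of rev 1.109 for small block sizes, the RekeyLimit volume option, and the "count the packet about to be sent" accounting of rev 1.228, as one added example that is not the packet.c implementation. The block-limit arithmetic is my reading of those log entries; class and function names are my own.

```python
"""Automatic rekey accounting per the rev 1.103/1.109/1.228 log entries.
Added illustration, not OpenSSH code."""

PACKET_COUNT_LIMIT = 1 << 31   # (a): rekey before the 32-bit seqnr wraps at 2^32
ONE_GB = 1 << 30


def rekey_max_blocks(block_size: int) -> int:
    """(b): 2^(blocksize_in_bits/4) blocks, i.e. 2^(2 * block_size_bytes).
    For 8-byte blocks (3DES, Blowfish) that is only 2^16 blocks = 512 KB,
    so rev 1.109 enforces a 1 GB limit for small block sizes instead."""
    if block_size >= 16:
        return 1 << (2 * block_size)
    return ONE_GB // block_size


class RekeyState:
    """Per-direction counters for one set of keys."""

    def __init__(self, block_size: int, rekey_limit_bytes: int = 0):
        self.block_size = block_size
        self.max_blocks = rekey_max_blocks(block_size)
        # RekeyLimit (client option in rev 1.103, sshd in rev 1.185) may only
        # lower the automatic limit; 0 means "not set".
        if rekey_limit_bytes:
            self.max_blocks = min(self.max_blocks, rekey_limit_bytes // block_size)
        self.blocks = 0
        self.packets = 0

    def account(self, packet_len: int) -> None:
        """Record one packet actually sent or received."""
        self.blocks += -(-packet_len // self.block_size)   # whole blocks, rounded up
        self.packets += 1

    def needs_rekey(self, pending_len: int = 0) -> bool:
        """True when either trigger fires.  Rev 1.228: the packet about to be
        sent (pending_len bytes) counts too, so limits are applied before it
        goes out under the old keys rather than after."""
        pending_blocks = -(-pending_len // self.block_size)
        pending_packets = 1 if pending_len else 0
        return (self.packets + pending_packets >= PACKET_COUNT_LIMIT
                or self.blocks + pending_blocks > self.max_blocks)
```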


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.295 01-Jul-2020 markus

free kex in ssh_packet_close; ok djm semarie


# 1.294 26-Jun-2020 semarie

backout 1.293 "fix kex mem-leak in ssh_packet_close" at markus' request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots of help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
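An added example covering the limits described in this commit and in revision 1.109 above (illustrative code, not OpenSSH's packet.c): the per-direction rekey threshold is 2^(blocksize_in_bytes*2) blocks, i.e. 2^(blocksize_in_bits/4), replaced by a 1GB byte cap for ciphers with blocks smaller than 16 bytes, optionally lowered by a RekeyLimit byte count, and independently a 2^31 packet limit that keeps the 32-bit sequence number from wrapping. The struct, function names and the shift guard for oversized blocks are assumptions made for this example.

```c
#include <stdint.h>

/* Rekey after this many packets: the SSH2 sequence number is 32 bits, so
 * stopping at 2^31 keeps well clear of the wrap at 2^32. */
#define MAX_PACKETS		((uint64_t)1 << 31)

/* Byte cap used instead of 2^(blocksize*2) blocks for small-block ciphers. */
#define SMALL_BLOCK_BYTES	((uint64_t)1 << 30)	/* 1 GB */

struct rekey_counters {
	uint64_t packets;	/* packets sent under the current key */
	uint64_t blocks;	/* cipher blocks sent under the current key */
	uint64_t max_blocks;	/* threshold fixed when the key was installed */
	unsigned int block_size;/* cipher block size in bytes */
};

/*
 * Block threshold for one direction. rekey_limit_bytes models the RekeyLimit
 * option (0 = unset); it can only lower the computed default.
 */
uint64_t
rekey_max_blocks(unsigned int block_size, uint64_t rekey_limit_bytes)
{
	uint64_t max_blocks;

	if (block_size == 0)
		return 0;
	if (block_size * 2 >= 64)
		max_blocks = UINT64_MAX;	/* shift guard added for this example */
	else if (block_size >= 16)
		max_blocks = (uint64_t)1 << (block_size * 2);	/* 2^(bits/4) */
	else
		max_blocks = SMALL_BLOCK_BYTES / block_size;	/* 1 GB cap */
	if (rekey_limit_bytes != 0 && rekey_limit_bytes / block_size < max_blocks)
		max_blocks = rekey_limit_bytes / block_size;
	return max_blocks;
}

/* Reset counters for a freshly installed key (after NEWKEYS). */
void
rekey_init(struct rekey_counters *c, unsigned int block_size,
    uint64_t rekey_limit_bytes)
{
	c->packets = 0;
	c->blocks = 0;
	c->block_size = block_size;
	c->max_blocks = rekey_max_blocks(block_size, rekey_limit_bytes);
}

/*
 * Account for one packet whose encrypted on-wire length (length field,
 * padding length, payload and padding; MAC excluded) is packet_len, which the
 * protocol pads to a multiple of the block size. Returns 1 if rekeying is due.
 */
int
rekey_account(struct rekey_counters *c, uint32_t packet_len)
{
	c->packets++;
	c->blocks += packet_len / c->block_size;
	return c->packets > MAX_PACKETS || c->blocks > c->max_blocks;
}

/*
 * Simulation: how many packets of on-wire length packet_len fit under a new
 * key before rekeying is due? Returns 0 if `cap` packets went out without
 * reaching a limit.
 */
uint64_t
packets_until_rekey(unsigned int block_size, uint64_t rekey_limit_bytes,
    uint32_t packet_len, uint64_t cap)
{
	struct rekey_counters c;
	uint64_t n;

	rekey_init(&c, block_size, rekey_limit_bytes);
	for (n = 1; n <= cap; n++)
		if (rekey_account(&c, packet_len))
			return n;
	return 0;
}

/* Is rekeying due after one more block-sized packet from the given state? */
int
rekey_due_at(uint64_t packets, uint64_t blocks, unsigned int block_size)
{
	struct rekey_counters c;

	rekey_init(&c, block_size, 0);
	c.packets = packets;
	c.blocks = blocks;
	return rekey_account(&c, block_size);
}
```

For a 16-byte block cipher the default works out to 2^32 blocks (64GB); for an 8-byte one the raw formula would give only 2^16 blocks (512KB), which is why the 1GB cap exists. Thresholds are computed once per key installation, so a RekeyLimit change takes effect at the next rekey rather than immediately.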


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.294 26-Jun-2020 semarie

backout 1.293 fix kex mem-leak in ssh_packet_close at markus request

the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
calling ssh_packet_clear_keys())


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
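The check described in the entry above, as an added example that is not OpenSSH's buffer code: a small reader for SSH wire strings (big-endian uint32 length plus bytes) that rejects embedded NULs while tolerating the single trailing one. The names `rbuf`, `rbuf_get_cstring` and `cstring_matches` and the status codes are chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read cursor over a received SSH packet body (constructed for this example). */
struct rbuf {
	const unsigned char *data;
	size_t len;
	size_t off;
};

/* Status codes chosen for this example; not OpenSSH's ssherr values. */
enum {
	BUF_OK = 0,
	BUF_ERR_TRUNCATED = -1,    /* length prefix or body runs past the buffer */
	BUF_ERR_EMBEDDED_NUL = -2, /* a \0 inside the string body */
	BUF_ERR_NOMEM = -3
};

/* SSH "string" lengths are big-endian uint32 (RFC 4251). */
static int rbuf_get_u32(struct rbuf *b, uint32_t *out)
{
	const unsigned char *p = b->data + b->off;

	if (b->len - b->off < 4)
		return BUF_ERR_TRUNCATED;
	*out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	b->off += 4;
	return BUF_OK;
}

/*
 * Extract an SSH string as a malloc'd, NUL-terminated C string.
 * Any \0 inside the body is rejected, so the result is safe to hand to
 * string(3) functions.  As the log entry describes, one trailing \0 is
 * tolerated (and dropped) for interoperability.  Caller frees *outp.
 */
int rbuf_get_cstring(struct rbuf *b, char **outp, size_t *lenp)
{
	uint32_t wire_len;
	size_t len;
	const unsigned char *p;
	char *s;
	int r;

	*outp = NULL;
	if ((r = rbuf_get_u32(b, &wire_len)) != BUF_OK)
		return r;
	if (wire_len > b->len - b->off)
		return BUF_ERR_TRUNCATED;   /* never read past the packet */
	p = b->data + b->off;
	len = wire_len;
	if (len > 0 && p[len - 1] == '\0')
		len--;                      /* single trailing NUL: tolerated */
	if (memchr(p, '\0', len) != NULL)
		return BUF_ERR_EMBEDDED_NUL;
	if ((s = malloc(len + 1)) == NULL)
		return BUF_ERR_NOMEM;
	memcpy(s, p, len);
	s[len] = '\0';
	b->off += wire_len;             /* consume the full wire length */
	*outp = s;
	if (lenp != NULL)
		*lenp = len;
	return BUF_OK;
}

/*
 * Helper used by main(): decodes one wire string and returns 0 if it equals
 * `expect`, 1 if it decodes to something else, or the negative error code
 * if the string is rejected.
 */
int cstring_matches(const unsigned char *wire, size_t wirelen, const char *expect)
{
	struct rbuf b = { wire, wirelen, 0 };
	char *s;
	int r;

	if ((r = rbuf_get_cstring(&b, &s, NULL)) != BUF_OK)
		return r;
	r = strcmp(s, expect) == 0 ? 0 : 1;
	free(s);
	return r;
}

int main(void)
{
	/* Constructed wire samples: uint32 length followed by the bytes. */
	static const unsigned char good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
	static const unsigned char trailing[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
	static const unsigned char embedded[] = { 0, 0, 0, 6, 'h', 'e', 'l', 0, 'l', 'o' };
	static const unsigned char truncated[] = { 0, 0, 0, 64, 'x', 'y', 'z' };

	printf("good: %d\n", cstring_matches(good, sizeof(good), "hello"));
	printf("trailing NUL: %d\n", cstring_matches(trailing, sizeof(trailing), "hello"));
	printf("embedded NUL: %d\n", cstring_matches(embedded, sizeof(embedded), "hello"));
	printf("truncated: %d\n", cstring_matches(truncated, sizeof(truncated), "xyz"));
	return 0;
}
```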


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
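The comparison described in the entry above, as an added example rather than OpenSSH's own implementation: the early-exit pattern beside a constant-time version that inspects every byte. Function names are chosen here.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Early-exit comparison, the memcmp() pattern the log entry refers to:
 * it returns at the first mismatching byte, so the time taken reveals how
 * many leading bytes of a guessed MAC were correct.
 */
int leaky_cmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	size_t i;

	for (i = 0; i < n; i++)
		if (p1[i] != p2[i])
			return 1;
	return 0;
}

/*
 * Constant-time comparison: every byte is examined and the differences are
 * OR-ed together, so the running time depends only on n, never on where
 * (or whether) the inputs differ.  Returns 0 for equal, non-zero otherwise.
 * volatile keeps the compiler from turning the loop back into an early exit.
 */
int timingsafe_bcmp(const void *b1, const void *b2, size_t n)
{
	const volatile unsigned char *p1 = b1, *p2 = b2;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= p1[i] ^ p2[i];
	return diff != 0;
}

int main(void)
{
	/* Constructed sample MACs: the second differs only in its last byte. */
	const unsigned char expected[20] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };
	unsigned char received[20] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };

	printf("equal: %d\n", timingsafe_bcmp(expected, received, sizeof(expected)));
	received[19] ^= 0x80;
	printf("last byte differs: %d\n",
	    timingsafe_bcmp(expected, received, sizeof(expected)));
	return 0;
}
```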


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
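The rekeying triggers described in the entry above and in 1.109 (the 1GB floor for small block sizes), together with the RekeyLimit byte cap from 1.185/1.184, as an added example that is not OpenSSH's packet.c: `rekey_max_blocks` derives the block budget for one set of keys and `rekey_needed` applies the packet and block limits per direction. Names and the `struct rekey_counters` layout are chosen here.

```c
#include <stdint.h>
#include <stdio.h>

/* Rekey after 2^31 packets: the 32-bit packet sequence number wraps at 2^32. */
#define REKEY_MAX_PACKETS ((uint64_t)1 << 31)

/* Per-direction traffic counters since the last key exchange. */
struct rekey_counters {
	uint64_t packets;	/* packets sent or received */
	uint64_t blocks;	/* cipher blocks sent or received */
};

/*
 * Number of cipher blocks allowed under one set of keys.
 * block_size is the cipher block size in bytes; rekey_limit_bytes is an
 * optional RekeyLimit-style byte cap (0 = none).
 */
uint64_t rekey_max_blocks(unsigned int block_size, uint64_t rekey_limit_bytes)
{
	uint64_t max_blocks;

	if (block_size == 0)
		return 0;			/* no block structure: no block limit */
	if (block_size >= 32)
		max_blocks = UINT64_MAX;	/* 2^(block_size*2) would overflow */
	else if (block_size >= 16)
		max_blocks = (uint64_t)1 << (block_size * 2); /* 2^(bits/4) blocks */
	else
		max_blocks = ((uint64_t)1 << 30) / block_size; /* 1GB floor for 3DES etc. */
	if (rekey_limit_bytes != 0 && rekey_limit_bytes / block_size < max_blocks)
		max_blocks = rekey_limit_bytes / block_size;	/* RekeyLimit only lowers it */
	return max_blocks;
}

/* Returns 1 when either direction has crossed its packet or block limit. */
int rekey_needed(const struct rekey_counters *out, uint64_t max_blocks_out,
    const struct rekey_counters *in, uint64_t max_blocks_in)
{
	if (out->packets > REKEY_MAX_PACKETS || in->packets > REKEY_MAX_PACKETS)
		return 1;
	if (max_blocks_out != 0 && out->blocks > max_blocks_out)
		return 1;
	if (max_blocks_in != 0 && in->blocks > max_blocks_in)
		return 1;
	return 0;
}

int main(void)
{
	/* Constructed sample: a 16-byte block cipher outbound with no RekeyLimit,
	 * an 8-byte block cipher inbound with a 64 MiB RekeyLimit. */
	uint64_t max_out = rekey_max_blocks(16, 0);
	uint64_t max_in = rekey_max_blocks(8, (uint64_t)64 << 20);
	struct rekey_counters out = { 1000, max_out + 1 };
	struct rekey_counters in = { 1000, 10 };

	printf("16-byte blocks: %llu blocks; 8-byte blocks w/ 64M limit: %llu blocks\n",
	    (unsigned long long)max_out, (unsigned long long)max_in);
	printf("rekey needed: %d\n", rekey_needed(&out, max_out, &in, max_in));
	return 0;
}
```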


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't sent multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NODELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.293 24-Jun-2020 markus

fix kex mem-leak in ssh_packet_close; ok djm


# 1.292 24-Jun-2020 markus

fix ssh -O proxy w/mux which got broken by no longer
making ssh->kex optional in packet.c revision 1.278
ok djm@


Revision tags: OPENBSD_6_7_BASE
# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
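
The check the commit above describes, as an added example that is not OpenSSH's own buffer code: parse one length-prefixed SSH string, reject any embedded NUL, and tolerate only a single trailing one. The function name, signature and the sample wire bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Read one SSH "string" (uint32 big-endian length followed by that many
 * bytes) starting at buf[*off] and return it as a NUL-terminated C string,
 * advancing *off past it. Returns NULL if the buffer is too short or if
 * the string carries an embedded NUL. Mirroring the footnote above, a
 * single NUL as the very last byte is tolerated and dropped.
 * (Added example; the function and its signature are not OpenSSH's.)
 */
char *
get_cstring(const uint8_t *buf, size_t len, size_t *off, size_t *outlen)
{
	uint32_t slen;
	const uint8_t *p;
	size_t n;
	char *s;

	if (*off > len || len - *off < 4)
		return NULL;
	slen = (uint32_t)buf[*off] << 24 | (uint32_t)buf[*off + 1] << 16 |
	    (uint32_t)buf[*off + 2] << 8 | (uint32_t)buf[*off + 3];
	if (slen > len - *off - 4)
		return NULL;			/* length runs past the buffer */
	p = buf + *off + 4;
	n = slen;
	if (n > 0 && p[n - 1] == '\0')
		n--;				/* the one tolerated trailing NUL */
	if (memchr(p, '\0', n) != NULL)
		return NULL;			/* embedded NUL: reject */
	if ((s = malloc(n + 1)) == NULL)
		return NULL;
	memcpy(s, p, n);
	s[n] = '\0';
	*off += 4 + slen;
	if (outlen != NULL)
		*outlen = n;
	return s;
}

/* Constructed sample wire data for this example, not captured traffic. */
const uint8_t sample_plain[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t sample_trailing_nul[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
/* "user\0xxxx": a string(3) function would see only "user" and miss the rest */
const uint8_t sample_embedded_nul[] = { 0, 0, 0, 9, 'u', 's', 'e', 'r', 0, 'x', 'x', 'x', 'x' };
const uint8_t sample_truncated[] = { 0, 0, 0, 9, 'u', 's', 'e' };

/*
 * Returns 1 when get_cstring() accepts the sample and yields exactly
 * `expect` (consuming the whole buffer), or rejects it when expect is
 * NULL; returns 0 otherwise.
 */
int
check_sample(const uint8_t *buf, size_t len, const char *expect)
{
	size_t off = 0, n = 0;
	char *s = get_cstring(buf, len, &off, &n);
	int ok;

	if (s == NULL)
		return expect == NULL;
	ok = expect != NULL && strcmp(s, expect) == 0 &&
	    n == strlen(expect) && off == len;
	free(s);
	return ok;
}
```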


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
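
An added example of the comparison the commit above introduces, written in the spirit of timingsafe_bcmp(3) (the name adopted in 1.168) but not that libc code: every byte is visited regardless of where the first mismatch is, beside a counter that shows how a short-circuiting memcmp()-style loop does data-dependent work. Function names are this example's own.

```c
#include <stddef.h>

/*
 * Constant-time memory comparison. All n bytes are examined and the
 * differences are OR-ed together, so the running time does not depend on
 * the position of the first mismatch. Returns 0 when equal, nonzero
 * otherwise. (Added reimplementation, not OpenBSD's timingsafe_bcmp.)
 */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/*
 * What a short-circuiting comparison such as memcmp() is allowed to do:
 * stop at the first differing byte. Returning the number of bytes it
 * examined makes the data-dependent work (and hence the timing leak the
 * commit is about) visible without needing a clock.
 */
size_t
shortcircuit_bytes_examined(const unsigned char *a, const unsigned char *b,
    size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return i + 1;
	return n;
}
```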


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
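
The two automatic rekey triggers from the message above, together with the 1GB small-blocksize rule from 1.109, worked through as an added example (not OpenSSH's own code): trigger (a) is 2^31 packets, trigger (b) is 2^(blocksize_in_bits/4) = 2^(blocksize_bytes*2) blocks, and for small-block ciphers (b) is replaced by 1GB of data, since 2^16 blocks of 8 bytes would be only 512KB. Treating "small" as a block size under 16 bytes, and the way a user RekeyLimit in bytes is combined with the cipher limit, are this example's assumptions, as are the function names.

```c
#include <stdint.h>

/* (a) rekey before the 32-bit packet sequence number can wrap */
#define REKEY_PACKET_LIMIT	((uint64_t)1 << 31)
/* 1.109: 1GB of data for small-block ciphers instead of 2^(blocksize*2) blocks */
#define REKEY_SMALL_BLOCK_BYTES	((uint64_t)1 << 30)
/* assumption for this example: block sizes below this use the 1GB rule */
#define REKEY_SMALL_BLOCK_MAX	16

/* Maximum number of cipher blocks before an automatic rekey is due (b). */
uint64_t
rekey_max_blocks(unsigned int blocksize)
{
	if (blocksize == 0)
		return 0;
	if (blocksize < REKEY_SMALL_BLOCK_MAX)
		return REKEY_SMALL_BLOCK_BYTES / blocksize;	/* e.g. 2^27 for 8-byte blocks */
	if (blocksize * 2 >= 64)
		return UINT64_MAX;	/* 2^(b*2) would not fit; no SSH cipher is this large */
	return (uint64_t)1 << (blocksize * 2);	/* 2^32 blocks for 16-byte blocks */
}

/*
 * Combine the cipher-derived limit with a user RekeyLimit given in bytes
 * (0 = none). The user setting can only lower the limit, never raise it
 * past the cipher's maximum.
 */
uint64_t
rekey_effective_blocks(unsigned int blocksize, uint64_t rekey_limit_bytes)
{
	uint64_t max = rekey_max_blocks(blocksize), user;

	if (rekey_limit_bytes == 0 || blocksize == 0)
		return max;
	user = rekey_limit_bytes / blocksize;
	return user < max ? user : max;
}

/* 1 if either trigger has fired for the given counters, else 0. */
int
rekey_needed(uint64_t packets, uint64_t blocks, unsigned int blocksize,
    uint64_t rekey_limit_bytes)
{
	if (packets >= REKEY_PACKET_LIMIT)
		return 1;
	if (blocks >= rekey_effective_blocks(blocksize, rekey_limit_bytes))
		return 1;
	return 0;
}
```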


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.291 06-Mar-2020 markus

consistently check packet_timeout_ms against 0; ok djm


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
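The check described in revision 1.169, as an added example that is not OpenSSH code: an SSH wire `string` reader with and without the embedded-NUL rejection, plus what a C string function would see of a crafted value. Function names, the ProtocolError type and the sample inputs are this example's own.

```python
"""SSH wire 'string' parsing with and without the embedded-NUL check.

Added example, not OpenSSH code: models buffer_get_string() (raw read)
beside the buffer_get_cstring() that packet.c 1.169 introduced. Both read
the RFC 4251 'string' encoding (uint32 big-endian length, then that many
bytes). Function names and the ProtocolError type are this example's own.
"""
import struct


class ProtocolError(Exception):
    pass


def get_string(buf: bytes, off: int = 0):
    """Raw read: returns (value, new_offset). Checks bounds only."""
    if off + 4 > len(buf):
        raise ProtocolError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ProtocolError("truncated string body")
    return buf[off:off + n], off + n


def get_cstring(buf: bytes, off: int = 0):
    """Like get_string(), but the value must be usable as a C string:
    no embedded NULs. One trailing NUL is tolerated and stripped, which is
    the concession the commit message makes to buggy peers."""
    s, off = get_string(buf, off)
    if s.endswith(b"\x00"):
        s = s[:-1]
    if b"\x00" in s:
        raise ProtocolError("string contains embedded NUL")
    return s, off


def put_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def as_c_string(s: bytes) -> bytes:
    """What a str*(3) consumer sees: everything before the first NUL."""
    i = s.find(b"\x00")
    return s if i < 0 else s[:i]


def read_outcome(reader, buf: bytes):
    """Apply a reader and report either the value or the rejection reason."""
    try:
        return reader(buf)[0]
    except ProtocolError as e:
        return str(e)


# Constructed samples: SNEAKY is what the commit warns about, a value that
# looks like "alice" to strcmp() but carries hidden extra bytes that any
# length-aware consumer (logging, auditing, a later memcpy) would keep.
HONEST = put_string(b"alice")
SNEAKY = put_string(b"alice\x00hidden")
TRAILING = put_string(b"alice\x00")
TRUNCATED = b"\x00\x00\x00\x10abc"   # claims 16 bytes, supplies 3


def demo():
    return {
        "honest": read_outcome(get_cstring, HONEST),
        "trailing_nul": read_outcome(get_cstring, TRAILING),
        "sneaky_raw_as_seen_by_c": as_c_string(read_outcome(get_string, SNEAKY)),
        "sneaky_raw_full": read_outcome(get_string, SNEAKY),
        "sneaky_cstring": read_outcome(get_cstring, SNEAKY),
        "truncated": read_outcome(get_cstring, TRUNCATED),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26s} {v!r}")
```

The mismatch the commit is closing is visible in the two "sneaky" results: the raw reader returns the full 12 bytes, a C string function stops at "alice", and the cstring reader refuses the value outright instead of letting the two views disagree.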


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
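The leak that revision 1.167 closes (the function was renamed to timingsafe_bcmp() in 1.168), as an added example that is not OpenSSH code: a short-circuiting compare beside a constant-time one, each instrumented to report how much work it did. The sample MAC values are constructed for the demonstration.

```python
"""Short-circuiting memcmp() versus a constant-time compare.

Added example, not OpenSSH code: models the comparison that packet.c 1.167
introduced (renamed to timingsafe_bcmp() in 1.168). Both functions here
also return how many bytes they examined, which is the quantity a remote
attacker observes as response time when a MAC check leaks it.
"""


def memcmp_like(a: bytes, b: bytes):
    """Short-circuits like memcmp(): returns (equal, bytes_examined)."""
    n = 0
    for x, y in zip(a, b):
        n += 1
        if x != y:
            return False, n
    return len(a) == len(b), n


def timingsafe_bcmp(a: bytes, b: bytes):
    """Constant-time: ORs the XOR of every byte pair and decides at the end,
    so the work done never depends on where (or whether) the inputs differ.
    Returns (equal, bytes_examined). Lengths are public in the MAC-check
    use case, so a length mismatch may return early."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    n = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        n += 1
    return diff == 0, n


# Constructed sample: a 20-byte "received MAC" and guesses that are wrong at
# different offsets. Guessing byte by byte is exactly how a timing oracle
# against memcmp() is exploited.
GOOD_MAC = bytes(range(20))
CANDIDATES = [
    b"\xff" + GOOD_MAC[1:],                      # wrong at offset 0
    GOOD_MAC[:10] + b"\xff" + GOOD_MAC[11:],     # wrong at offset 10
    GOOD_MAC[:19] + b"\xff",                     # wrong at offset 19
    GOOD_MAC,                                    # correct
]


def work_profile(cmp, candidates=CANDIDATES):
    """Bytes examined per candidate; a profile that varies with the
    position of the first wrong byte is a timing leak."""
    return [cmp(GOOD_MAC, c)[1] for c in candidates]


if __name__ == "__main__":
    print("memcmp_like      :", work_profile(memcmp_like))
    print("timingsafe_bcmp  :", work_profile(timingsafe_bcmp))
```

The structure is the point, not the language: a Python interpreter does not give real constant-time guarantees, so production Python code should call hmac.compare_digest(), and C code should use the libc timingsafe_bcmp(3) or CRYPTO_memcmp() rather than a hand-rolled loop the compiler may optimise back into a short-circuit.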


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
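The rekeying policy that revisions 1.103, 1.109 and 1.184 describe, as an added example that is not OpenSSH code: per-direction packet and block counters with the cipher-derived block budget, the 1 GB cap for small-block ciphers, and the RekeyLimit byte and time overrides. The class and field names are this example's own; the thresholds are the ones stated in the log entries and in RFC 4344 section 3.2.

```python
"""Automatic rekeying thresholds as this log describes them.

Added example, not OpenSSH code. It encodes the policy from revisions
1.103 (rekey after 2^31 packets, before the 32-bit sequence number wraps,
and after 2^(L/4) blocks for an L-bit cipher block), 1.109 (a 1 GB cap
instead for small-block ciphers such as 3DES; RFC 4344 section 3.2) and
1.184 (RekeyLimit's optional time argument). Counters are kept per
direction; the class and field names are this example's own.
"""
from dataclasses import dataclass

MAX_PACKETS = 1 << 31          # half the 32-bit sequence-number space


def default_max_blocks(block_size_bytes: int) -> int:
    """Block budget before rekeying for a cipher with the given block size."""
    if block_size_bytes >= 16:
        return 1 << (block_size_bytes * 2)      # 2^(L/4) with L in bits
    return (1 << 30) // block_size_bytes        # 1 GB of traffic, in blocks


@dataclass
class Direction:
    block_size: int                 # cipher block size in bytes (1 for stream ciphers)
    packets: int = 0
    blocks: int = 0
    rekey_limit_bytes: int = 0      # RekeyLimit first argument; 0 = cipher default
    rekey_time: int = 0             # RekeyLimit second argument in seconds; 0 = never

    def max_blocks(self) -> int:
        limit = default_max_blocks(self.block_size)
        if self.rekey_limit_bytes:
            # A user limit can only tighten the cipher-derived default.
            limit = min(limit, self.rekey_limit_bytes // self.block_size)
        return limit

    def record(self, packet_len: int) -> None:
        """Account one packet of packet_len bytes (length, payload, padding)."""
        self.packets += 1
        self.blocks += (packet_len + self.block_size - 1) // self.block_size

    def needs_rekey(self, seconds_since_kex: int = 0) -> bool:
        return bool(self.packets >= MAX_PACKETS
                    or self.blocks >= self.max_blocks()
                    or (self.rekey_time and seconds_since_kex >= self.rekey_time))


def blocks_until_rekey(d: Direction) -> int:
    return max(0, d.max_blocks() - d.blocks)


def simulate(block_size: int, packet_lens) -> Direction:
    """Constructed traffic: account each packet length on a fresh direction."""
    d = Direction(block_size=block_size)
    for n in packet_lens:
        d.record(n)
    return d


if __name__ == "__main__":
    for bs in (8, 16):
        print(f"block size {bs:2d}: rekey after {default_max_blocks(bs)} blocks "
              f"({default_max_blocks(bs) * bs >> 30} GiB)")
```

Two consequences worth noticing: for a 16-byte block cipher the default budget is 2^32 blocks (64 GiB), far above anything a RekeyLimit of "1G" allows, so the user setting wins; for 3DES the cipher-derived 2^16 blocks would be only 512 KiB, which is why 1.109 replaced it with the 1 GB cap.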


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NODELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.290 30-Jan-2020 djm

have sshpkt_fatal() save/restore errno before we potentially
call strerror() (via ssh_err()); ok dtucker


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified log message for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
replace all use of randomstate with OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.289 23-Jan-2020 dtucker

Fix typo in comment.


# 1.288 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the workaround for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
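
Added example (not OpenSSH's code): a parser for one SSH wire "string" (uint32 big-endian length, then bytes) that applies the policy described above: the result is copied out as a C string, any \0 before the last byte is rejected, and a single trailing \0 is tolerated and stripped. The length is checked against the bytes actually remaining so an attacker-supplied length cannot overflow the offset arithmetic. Function names, result codes and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* result codes (constructed for this example) */
enum {
	SSHSTR_OK = 0,
	SSHSTR_TRUNCATED = -1,    /* length field or body runs past the buffer */
	SSHSTR_EMBEDDED_NUL = -2, /* a \0 that is not the final byte */
	SSHSTR_TOO_LONG = -3      /* does not fit the caller's C string buffer */
};

/*
 * Parse one SSH wire string starting at *off and copy it out as a
 * NUL-terminated C string. A single \0 as the very last byte is tolerated
 * and dropped; any other \0 is rejected so that string(3) functions on the
 * result see exactly the bytes the length field described. On success *off
 * is advanced past the wire string. Precondition: *off <= buflen.
 */
int get_cstring(const unsigned char *buf, size_t buflen, size_t *off,
    char *out, size_t outlen)
{
	const unsigned char *s;
	uint32_t wire_len;
	size_t str_len, i;

	if (buflen - *off < 4)
		return SSHSTR_TRUNCATED;
	wire_len = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	/* compare against what remains, never compute *off + 4 + wire_len */
	if (wire_len > buflen - *off - 4)
		return SSHSTR_TRUNCATED;
	s = buf + *off + 4;
	str_len = wire_len;
	for (i = 0; i < str_len; i++) {
		if (s[i] != '\0')
			continue;
		if (i == str_len - 1) {
			str_len--;	/* drop the tolerated trailing NUL */
			break;
		}
		return SSHSTR_EMBEDDED_NUL;
	}
	if (str_len >= outlen)
		return SSHSTR_TOO_LONG;
	memcpy(out, s, str_len);
	out[str_len] = '\0';
	*off += 4 + (size_t)wire_len;
	return SSHSTR_OK;
}

/* Constructed sample wire strings for demonstration */
static const unsigned char sample_plain[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char sample_trailing_nul[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
static const unsigned char sample_embedded_nul[] = { 0, 0, 0, 8, 'h', 'e', 'l', 0, 'l', 'o', '!', '!' };
static const unsigned char sample_short[] = { 0, 0, 0, 16, 'h', 'i' };
static const unsigned char sample_huge[] = { 0xff, 0xff, 0xff, 0xff };

int main(void)
{
	char out[64];
	size_t off = 0;
	int r;

	r = get_cstring(sample_plain, sizeof(sample_plain), &off, out, sizeof(out));
	printf("plain: rc=%d str=\"%s\" consumed=%zu\n", r, out, off);
	off = 0;
	r = get_cstring(sample_embedded_nul, sizeof(sample_embedded_nul), &off, out, sizeof(out));
	printf("embedded NUL: rc=%d (expect %d)\n", r, SSHSTR_EMBEDDED_NUL);
	off = 0;
	r = get_cstring(sample_huge, sizeof(sample_huge), &off, out, sizeof(out));
	printf("0xffffffff length: rc=%d (expect %d)\n", r, SSHSTR_TRUNCATED);
	return 0;
}
```

The trailing-NUL tolerance mirrors the caveat in the message above; a stricter deployment would treat i == str_len - 1 like any other embedded \0.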


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
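
Added example (not OpenSSH's code): a constant-time compare in the style of timingsafe_bcmp(3), next to the short-circuiting loop it replaces, so the difference the message above describes is visible. The early-exit version reports how many bytes it examined, which is the quantity a remote attacker can estimate from response timing; the constant-time version always visits every byte. Names and the sample tags are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constant-time comparison. Every byte is visited regardless of where the
 * first mismatch is, so the number of matching leading bytes is not
 * reflected in the running time. Returns 0 if identical, non-zero otherwise.
 */
int ct_bcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *p = a, *q = b;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= p[i] ^ q[i];
	return diff != 0;
}

/*
 * For contrast: a memcmp()-style loop that bails out at the first differing
 * byte. Returns how many bytes it examined before stopping, i.e. the value
 * that leaks through timing.
 */
size_t short_circuit_steps(const void *a, const void *b, size_t n)
{
	const unsigned char *p = a, *q = b;
	size_t i;

	for (i = 0; i < n; i++)
		if (p[i] != q[i])
			return i + 1;
	return n;
}

/* Check a received MAC tag against the locally computed one. */
int mac_tag_ok(const unsigned char *expected, const unsigned char *received,
    size_t taglen)
{
	return ct_bcmp(expected, received, taglen) == 0;
}

int main(void)
{
	/* constructed sample tags: 14 matching bytes, then a mismatch */
	const unsigned char good[] = "0123456789abcdef";
	const unsigned char bad[]  = "0123456789abcdXX";

	printf("short-circuit compare examined %zu of 16 bytes\n",
	    short_circuit_steps(good, bad, 16));
	printf("constant-time verdict: %s\n",
	    mac_tag_ok(good, bad, 16) ? "match" : "mismatch");
	return 0;
}
```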


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
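The thresholds in this entry and in the 1.109 entry above ("2^(blocksize*2) is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes") can be worked through in a few lines. The following is an added example written for this page, not code from OpenSSH; the block-size cut-off of 16 bytes used to decide which rule applies, and the counter bookkeeping, are assumptions made here for illustration.

```python
import dataclasses

# rev 1.103: rekey after 2^31 packets, because the 32-bit packet sequence
# number wraps after 2^32 and a wrapped seqnr reuses MAC/IV inputs.
PACKET_LIMIT = 1 << 31

# rev 1.109: cap on the amount of data sent under one key for ciphers with
# small blocks (8-byte 3DES, Blowfish), since 2^(blocksize_in_bits/4) blocks
# would be only 2^16 blocks = 512 KiB for them.
ONE_GB = 1 << 30

# assumption for this example: block sizes below this use the 1 GB rule
SMALL_BLOCK_CUTOFF = 16


def rekey_block_limit(block_size_bytes: int) -> int:
    """Number of cipher blocks after which to rekey (rev 1.103 + 1.109).

    blocksize_in_bits / 4 == block_size_bytes * 2, so the draft-newmodes
    rule is 2 ** (block_size_bytes * 2) blocks.
    """
    if block_size_bytes <= 0:
        raise ValueError("block size must be positive")
    if block_size_bytes >= SMALL_BLOCK_CUTOFF:
        return 1 << (block_size_bytes * 2)
    return ONE_GB // block_size_bytes


def rekey_byte_limit(block_size_bytes: int) -> int:
    """Same limit expressed in bytes, which is what a RekeyLimit option states."""
    return rekey_block_limit(block_size_bytes) * block_size_bytes


@dataclasses.dataclass
class DirectionState:
    """Per-direction counters, reset when NEWKEYS takes effect (constructed)."""
    block_size: int
    blocks: int = 0
    packets: int = 0

    def account(self, packet_len_bytes: int) -> None:
        """Record one packet; the caller has already padded it to a block multiple."""
        if packet_len_bytes % self.block_size:
            raise ValueError("packet length is not a multiple of the block size")
        self.blocks += packet_len_bytes // self.block_size
        self.packets += 1

    def needs_rekey(self) -> bool:
        # Both rules are enabled by default; whichever trips first wins.
        return (self.packets >= PACKET_LIMIT or
                self.blocks >= rekey_block_limit(self.block_size))

    def reset(self) -> None:
        """Called after a successful rekey: counters start again under the new key."""
        self.blocks = 0
        self.packets = 0


def summarize(block_size_bytes: int) -> dict:
    """Human-readable view of the limits for one cipher block size."""
    return {
        "block_size": block_size_bytes,
        "blocks": rekey_block_limit(block_size_bytes),
        "bytes": rekey_byte_limit(block_size_bytes),
        "packets": PACKET_LIMIT,
    }


if __name__ == "__main__":
    for bs in (8, 16):
        print(summarize(bs))
```

For an 8-byte block cipher the rule yields 1 GiB per key, for a 16-byte one 2^32 blocks (64 GiB); in both cases the 2^31 packet rule still applies independently, which matters for interactive sessions that send many tiny packets.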


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.287 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
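The "\r only immediately before \n" rule from this entry is easy to get wrong in a byte-at-a-time banner reader. The following is an added example written for this page, not OpenSSH's kex.c; the line-length bound, the rejection of NUL bytes and the client/server asymmetry (a client tolerates lines before the version string, a server does not) are assumptions made here rather than details taken from the log.

```python
# Assumed bound on one identification line (constructed for this example).
MAX_LINE = 255

ACCEPTED_PROTO = (b"2.0", b"1.99")


class BannerError(ValueError):
    pass


def read_banner_line(stream: bytes, start: int = 0):
    """Consume one CR/LF- or LF-terminated line starting at `start`.

    Returns (line_without_terminator, next_offset).  A '\r' is accepted only
    when the very next byte is '\n'; any other '\r', a NUL, an over-long line
    or EOF before the terminator is rejected.
    """
    line = bytearray()
    i = start
    while i < len(stream):
        c = stream[i]
        i += 1
        if c == 0x0D:                      # '\r'
            if i < len(stream) and stream[i] == 0x0A:
                return bytes(line), i + 1
            raise BannerError("bare \\r in identification line")
        if c == 0x0A:                      # '\n'
            return bytes(line), i
        if c == 0x00:
            raise BannerError("NUL byte in identification line")
        line.append(c)
        if len(line) > MAX_LINE:
            raise BannerError("identification line too long")
    raise BannerError("EOF before end of identification line")


def parse_version_string(line: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion [comments]' (RFC 4253 4.2)."""
    if not line.startswith(b"SSH-"):
        raise BannerError("not an SSH identification string")
    rest = line[4:]
    proto, sep, tail = rest.partition(b"-")
    if not sep or not tail:
        raise BannerError("malformed identification string")
    if proto not in ACCEPTED_PROTO:
        raise BannerError("unsupported protocol version %r" % proto)
    software, _, comments = tail.partition(b" ")
    return {"proto": proto, "software": software, "comments": comments}


def exchange_identification(stream: bytes, we_are_server: bool):
    """Return (parsed_version, offset_of_first_binary_packet_byte).

    Assumption for this example: only the client skips non-SSH lines that a
    server may emit before its banner; a server requires the client's very
    first line to be the version string.
    """
    pos = 0
    while True:
        line, pos = read_banner_line(stream, pos)
        if line.startswith(b"SSH-"):
            return parse_version_string(line), pos
        if we_are_server:
            raise BannerError("client did not start with an SSH version string")
        # client side: tolerate the extra line and keep reading


if __name__ == "__main__":
    # constructed sample: a greeting line followed by the banner and payload
    sample = b"Welcome\r\nSSH-2.0-ExampleServer_1.0 comment\r\n\x00\x00\x00"
    print(exchange_identification(sample, we_are_server=False))
```

Reading one byte at a time and stopping exactly at the terminator is what makes the offset returned here trustworthy: everything after it is the start of the binary packet protocol and must not be consumed by the banner reader.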


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
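The ordering this entry fixes, and the encrypt-then-MAC packet layout introduced in the 1.178 entry further down this page, can be shown end to end with the standard library. The following is an added example written for this page, not OpenSSH's packet.c: HMAC-SHA-256 stands in for the negotiated MAC, and since the standard library has no AES, a SHA-256 counter-mode keystream stands in for the cipher; the 16-byte block size, the packet-length sanity bound and the `Stats` counter used to prove that a tampered packet never reaches the decryption step are assumptions made here.

```python
import hashlib
import hmac
import struct

BLOCK = 16                 # assumed cipher block size
MAC_LEN = 32               # HMAC-SHA-256
MAX_PACKET = 256 * 1024    # assumed sanity bound on the cleartext length field


class MACError(Exception):
    """Raised when the MAC over the received bytes does not verify."""


class Stats:
    """Counts decryption calls so a test can show when decryption happened."""
    decrypt_calls = 0


def _keystream_xor(key: bytes, seqnr: int, data: bytes) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode keyed by seqnr).
    # It only plays the role of the encrypt/decrypt step; it is NOT an SSH cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">QQ", seqnr, off // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _decrypt(key: bytes, seqnr: int, data: bytes) -> bytes:
    Stats.decrypt_calls += 1
    return _keystream_xor(key, seqnr, data)


def _mac(mac_key: bytes, seqnr: int, length_field: bytes, ciphertext: bytes) -> bytes:
    # EtM: MAC(seqnr || packet_length || encrypted body); the length is in the clear.
    return hmac.new(mac_key, struct.pack(">I", seqnr) + length_field + ciphertext,
                    hashlib.sha256).digest()


def build_etm_packet(enc_key: bytes, mac_key: bytes, seqnr: int, payload: bytes) -> bytes:
    """Sender side: cleartext length || E(padlen || payload || padding) || MAC."""
    padlen = BLOCK - ((1 + len(payload)) % BLOCK)
    if padlen < 4:                         # SSH requires at least 4 bytes of padding
        padlen += BLOCK
    body = bytes([padlen]) + payload + bytes(padlen)   # zero padding for determinism
    length_field = struct.pack(">I", len(body))
    ciphertext = _keystream_xor(enc_key, seqnr, body)
    return length_field + ciphertext + _mac(mac_key, seqnr, length_field, ciphertext)


def read_etm_packet(enc_key: bytes, mac_key: bytes, seqnr: int, wire: bytes) -> bytes:
    """Receiver side: check the MAC over the ciphertext first, decrypt only after."""
    if len(wire) < 4:
        raise ValueError("short packet")
    length_field = wire[:4]
    length = struct.unpack(">I", length_field)[0]
    # Bound the cleartext length before trusting it for any allocation or read.
    if length < BLOCK or length > MAX_PACKET or length % BLOCK:
        raise ValueError("bad packet length %d" % length)
    ciphertext = wire[4:4 + length]
    tag = wire[4 + length:4 + length + MAC_LEN]
    if len(ciphertext) != length or len(tag) != MAC_LEN:
        raise ValueError("short packet")
    # mac_check() equivalent: compute and compare in one constant-time step,
    # and do it BEFORE the payload is decrypted.
    if not hmac.compare_digest(_mac(mac_key, seqnr, length_field, ciphertext), tag):
        raise MACError("corrupted MAC on input")
    body = _decrypt(enc_key, seqnr, ciphertext)
    padlen = body[0]
    if padlen < 4 or padlen >= length:
        raise ValueError("bad padding length")
    return body[1:length - padlen]


def tamper_demo(enc_key: bytes, mac_key: bytes) -> dict:
    """Flip one ciphertext bit and report whether decryption was ever reached."""
    seqnr = 7
    pkt = build_etm_packet(enc_key, mac_key, seqnr, b"hello")
    good = read_etm_packet(enc_key, mac_key, seqnr, pkt)
    before = Stats.decrypt_calls
    bad = pkt[:5] + bytes([pkt[5] ^ 0x01]) + pkt[6:]     # first ciphertext byte
    try:
        read_etm_packet(enc_key, mac_key, seqnr, bad)
        rejected = False
    except MACError:
        rejected = True
    return {"payload": good, "rejected": rejected,
            "decrypted_tampered": Stats.decrypt_calls != before}


if __name__ == "__main__":
    print(tamper_demo(b"e" * 32, b"m" * 32))
```

With MAC-then-encrypt the receiver has to decrypt at least the first block to learn the length before it can verify anything, which is the window the side-channel concern lives in; with the EtM layout above the length is authenticated in the clear and the decryption step is simply never reached for a forged packet.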


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
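
The check described in this entry, as an added C illustration rather than OpenSSH's own buffer_get_cstring(): an SSH "string" is a big-endian uint32 length followed by that many bytes, and a copy that is later handed to a string(3) function must not contain a NUL before its end, or the rest of the data is silently invisible. The function names (get_cstring, parse_ok, consumed_bytes) and the sample wire strings are constructed for this example; the single tolerated trailing NUL mirrors the leniency the entry describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse one SSH "string" (uint32 big-endian length + bytes) starting at
 * buf[*off].  On success return a malloc'd NUL-terminated copy that is
 * guaranteed to contain no embedded NUL and advance *off past it.
 * A single NUL at the very end of the wire string is tolerated and
 * dropped.  Return NULL on a truncated length field, truncated body,
 * embedded NUL, or allocation failure.
 */
char *
get_cstring(const unsigned char *buf, size_t buflen, size_t *off)
{
	size_t o = *off, wire_len, len;
	const unsigned char *p;
	char *s;

	if (o > buflen || buflen - o < 4)
		return NULL;		/* no room for the length field */
	wire_len = ((size_t)buf[o] << 24) | ((size_t)buf[o + 1] << 16) |
	    ((size_t)buf[o + 2] << 8) | (size_t)buf[o + 3];
	o += 4;
	if (buflen - o < wire_len)
		return NULL;		/* body truncated */
	p = buf + o;
	len = wire_len;
	if (len > 0 && p[len - 1] == '\0')
		len--;			/* tolerate exactly one trailing NUL */
	if (memchr(p, '\0', len) != NULL)
		return NULL;		/* embedded NUL: reject the string */
	if ((s = malloc(len + 1)) == NULL)
		return NULL;
	memcpy(s, p, len);
	s[len] = '\0';
	*off = o + wire_len;
	return s;
}

/* Constructed sample wire strings (uint32 length + bytes). */
static const unsigned char SAMPLE_PLAIN[]    = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char SAMPLE_TRAILNUL[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
static const unsigned char SAMPLE_EMBEDNUL[] = { 0, 0, 0, 5, 'h', 'e', 0, 'l', 'o' };
static const unsigned char SAMPLE_SHORT[]    = { 0, 0, 0, 16, 'a', 'b', 'c' };

/*
 * Returns 1 when parsing buf yields exactly `expect`, or when expect is
 * NULL and the parser rejects the input; 0 otherwise.
 */
int
parse_ok(const unsigned char *buf, size_t buflen, const char *expect)
{
	size_t off = 0;
	char *s = get_cstring(buf, buflen, &off);
	int ok;

	if (s == NULL)
		return expect == NULL;
	ok = expect != NULL && strcmp(s, expect) == 0;
	free(s);
	return ok;
}

/* Number of bytes get_cstring() consumed from buf, 0 if it rejected it. */
size_t
consumed_bytes(const unsigned char *buf, size_t buflen)
{
	size_t off = 0;
	char *s = get_cstring(buf, buflen, &off);

	free(s);
	return s == NULL ? 0 : off;
}
```

Note that the trailing-NUL case still consumes all six wire bytes, so the parser stays in sync with the sender even though the returned C string is five characters long.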


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
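
An added C illustration of the leak this entry closes, not code from OpenSSH: a compare that exits at the first differing byte does an amount of work that depends on where the mismatch is, so its running time tells an observer how many leading bytes of a guess were right. The constant-time version touches every byte and only inspects the accumulated difference at the end, which is the property timingsafe_bcmp(3) gives. naive_bcmp, ct_bcmp, steps_for and mac_matches are names chosen for this example, and the six-byte "MAC" values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Early-exit compare as one would naively write it.  *steps reports how
 * many bytes were examined, which is exactly what leaks through timing.
 * Returns 0 for equal buffers, non-zero otherwise (bcmp semantics).
 */
int
naive_bcmp(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
	size_t i;

	*steps = 0;
	for (i = 0; i < n; i++) {
		(*steps)++;
		if (a[i] != b[i])
			return 1;	/* data-dependent early exit */
	}
	return 0;
}

/*
 * Constant-time compare: OR together the XOR of every byte pair, never
 * branching on the data, and decide only at the end.
 */
int
ct_bcmp(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
	unsigned char diff = 0;
	size_t i;

	*steps = 0;
	for (i = 0; i < n; i++) {
		(*steps)++;
		diff |= a[i] ^ b[i];
	}
	return diff != 0;
}

/* Bytes examined by either compare for the given inputs. */
size_t
steps_for(int constant_time, const char *a, const char *b, size_t n)
{
	size_t s;

	if (constant_time)
		ct_bcmp((const unsigned char *)a, (const unsigned char *)b, n, &s);
	else
		naive_bcmp((const unsigned char *)a, (const unsigned char *)b, n, &s);
	return s;
}

/* How a received MAC should be checked: constant time, equality only. */
int
mac_matches(const char *expected, const char *received, size_t n)
{
	size_t ignored;

	return ct_bcmp((const unsigned char *)expected,
	    (const unsigned char *)received, n, &ignored) == 0;
}

int
main(void)
{
	/* constructed sample: a 6-byte "MAC" and two wrong guesses */
	const char mac[] = "abcdef", early[] = "Xbcdef", late[] = "abcdeX";

	printf("naive, mismatch at byte 0: %zu bytes examined\n",
	    steps_for(0, mac, early, 6));
	printf("naive, mismatch at byte 5: %zu bytes examined\n",
	    steps_for(0, mac, late, 6));
	printf("constant-time, either case: %zu bytes examined\n",
	    steps_for(1, mac, early, 6));
	return 0;
}
```

The step counts make the point without a stopwatch: the naive compare examines one byte for the first guess and six for the second, while the constant-time compare examines six in both cases. A compiler may still be tempted to optimise a loop like ct_bcmp(), which is why libc implementations such as timingsafe_bcmp(3) are preferable to rolling your own in production.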


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
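
The two rekeying thresholds from the 1.103 entry above (2^31 packets, 2^(blocksize_in_bits/4) blocks) together with the 1 GB cap for small block sizes from the 1.109 entry, as an added C reconstruction for the reader; this is not OpenSSH's packet.c, whose logic has changed since these commits. The names rekey_block_limit, effective_block_limit, should_rekey and the two macros are chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Two independent rekey triggers:
 *   (a) packet count: rekey after 2^31 packets, well before the 32-bit
 *       sequence number wraps at 2^32;
 *   (b) data volume: rekey after 2^(blocksize_in_bits/4) cipher blocks,
 *       i.e. 2^32 blocks for a 128-bit block cipher such as AES, but at
 *       most 1 GB of data for 64-bit block ciphers (3DES, Blowfish),
 *       where the formula would give only 2^16 blocks.
 * A configured RekeyLimit (bytes, 0 = unset) can only lower limit (b).
 */
#define REKEY_PACKET_LIMIT	((uint64_t)1 << 31)
#define SMALL_BLOCK_BYTE_CAP	((uint64_t)1 << 30)	/* 1 GB */

/* Maximum cipher blocks before rekeying for a block size given in bytes. */
uint64_t
rekey_block_limit(unsigned block_size_bytes)
{
	unsigned shift;

	if (block_size_bytes == 0)
		return 0;			/* invalid cipher: rekey at once */
	if (block_size_bytes >= 16) {
		shift = (block_size_bytes * 8) / 4;	/* 2^(bits/4) blocks */
		if (shift > 63)
			shift = 63;		/* keep the shift defined */
		return (uint64_t)1 << shift;
	}
	/* small block sizes: 1 GB worth of blocks */
	return SMALL_BLOCK_BYTE_CAP / block_size_bytes;
}

/* Apply an optional RekeyLimit in bytes on top of the cipher-derived limit. */
uint64_t
effective_block_limit(unsigned block_size_bytes, uint64_t rekey_limit_bytes)
{
	uint64_t limit = rekey_block_limit(block_size_bytes);
	uint64_t cfg_blocks;

	if (rekey_limit_bytes != 0 && block_size_bytes != 0) {
		cfg_blocks = rekey_limit_bytes / block_size_bytes;
		if (cfg_blocks < limit)
			limit = cfg_blocks;
	}
	return limit;
}

/* Returns 1 when either trigger says it is time to rekey. */
int
should_rekey(uint64_t packets, uint64_t blocks, unsigned block_size_bytes,
    uint64_t rekey_limit_bytes)
{
	if (packets >= REKEY_PACKET_LIMIT)
		return 1;
	return blocks >= effective_block_limit(block_size_bytes, rekey_limit_bytes);
}

int
main(void)
{
	printf("AES (16-byte blocks): %llu blocks\n",
	    (unsigned long long)rekey_block_limit(16));
	printf("3DES (8-byte blocks): %llu blocks\n",
	    (unsigned long long)rekey_block_limit(8));
	printf("AES with RekeyLimit=1M: %llu blocks\n",
	    (unsigned long long)effective_block_limit(16, (uint64_t)1 << 20));
	return 0;
}
```

For AES the volume limit is 2^32 blocks, i.e. 64 GB of traffic, while for an 8-byte block cipher the 1 GB cap yields 2^27 blocks instead of the 2^16 the formula alone would give.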


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.286 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots of help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NODELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in Sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.285 07-Jun-2019 dtucker

Typo and spelling fixes in comments and error messages. Patch from
knweiss at gmail.com via -portable.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
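
The check described in this entry, as an added example that is not OpenSSH's buffer_get_cstring(): it parses an SSH string (uint32 big-endian length followed by the bytes) from a received buffer, rejects embedded NULs, and tolerates exactly one trailing NUL as the entry says. The `cbuf` type and the `cbuf_get_cstring()`/`cstring_check()` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the hypothetical cbuf_get_cstring() below. */
enum {
	CSTR_OK = 0,
	CSTR_TRUNCATED = -1,    /* buffer ends before the declared length */
	CSTR_EMBEDDED_NUL = -2, /* a NUL byte inside the string body */
	CSTR_NOMEM = -3
};

/* Minimal read cursor over a received byte buffer (hypothetical type). */
struct cbuf {
	const uint8_t *data;
	size_t len;
	size_t off;
};

/*
 * Extract the next SSH string as a NUL-terminated C string. Embedded NULs
 * are rejected so that a later string(3) call cannot silently see a shorter
 * value than the peer actually sent. Exactly one NUL is tolerated as the
 * final byte and is stripped. On success *out is malloc'd (caller frees);
 * on failure nothing is consumed from the buffer.
 */
int
cbuf_get_cstring(struct cbuf *b, char **out, size_t *outlen)
{
	const uint8_t *p;
	uint32_t slen;
	size_t i, body;
	char *s;

	*out = NULL;
	if (outlen != NULL)
		*outlen = 0;
	if (b->len - b->off < 4)
		return CSTR_TRUNCATED;
	p = b->data + b->off;
	slen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	if (b->len - b->off - 4 < slen)
		return CSTR_TRUNCATED;
	p += 4;
	body = slen;
	if (body > 0 && p[body - 1] == '\0')
		body--;		/* single trailing NUL: tolerated and dropped */
	for (i = 0; i < body; i++)
		if (p[i] == '\0')
			return CSTR_EMBEDDED_NUL;
	if ((s = malloc(body + 1)) == NULL)
		return CSTR_NOMEM;
	memcpy(s, p, body);
	s[body] = '\0';
	b->off += 4 + (size_t)slen;
	*out = s;
	if (outlen != NULL)
		*outlen = body;
	return CSTR_OK;
}

/*
 * Parse exactly one string from a constructed buffer and compare it with
 * expect. Returns the parser status, or -100 when parsing succeeded but the
 * result (or the number of bytes consumed) differs from what was expected.
 */
int
cstring_check(const uint8_t *data, size_t len, const char *expect)
{
	struct cbuf b = { data, len, 0 };
	char *s;
	size_t slen;
	int r;

	r = cbuf_get_cstring(&b, &s, &slen);
	if (r != CSTR_OK)
		return r;
	if (slen != strlen(expect) || memcmp(s, expect, slen) != 0 ||
	    b.off != len)
		r = -100;
	free(s);
	return r;
}

int
main(void)
{
	/* constructed wire samples: 4-byte length, then the bytes */
	printf("plain:        %d\n", cstring_check((const uint8_t *)
	    "\x00\x00\x00\x05hello", 9, "hello"));
	printf("embedded NUL: %d\n", cstring_check((const uint8_t *)
	    "\x00\x00\x00\x06hel\x00lo", 10, "hel"));
	printf("trailing NUL: %d\n", cstring_check((const uint8_t *)
	    "\x00\x00\x00\x06hello\x00", 10, "hello"));
	return 0;
}
```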


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
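The thresholds in this entry and in the 1.109 entry above, as an added Python model written for this page (not OpenSSH's packet.c): rekey before the 32-bit sequence number wraps, after 2^(blocksize_in_bits/4) blocks, with the 1 GB floor for small block sizes, plus the optional RekeyLimit byte cap. The 16-byte cut-off for "small" block sizes, and the class and function names, are assumptions made for the illustration.

```python
# Added model of the automatic-rekeying thresholds described in the
# 1.103 and 1.109 log entries. Not OpenSSH code; names are illustrative.
#
#   (a) rekey after 2^31 packets, because the 32-bit packet sequence
#       number wraps after 2^32 packets;
#   (b) rekey after 2^(blocksize_in_bits/4) cipher blocks, except that
#       for small-block ciphers (3DES, Blowfish: 8-byte blocks) that bound
#       is only 2^16 blocks = 512 KiB, so a 1 GiB limit is enforced instead.
#
# Assumption: "small" means a block size below 16 bytes.

PACKET_LIMIT = 1 << 31       # (a): half of the 2^32 sequence-number space
SMALL_BLOCK_CUTOFF = 16      # assumption made for this example
ONE_GIB = 1 << 30


def max_blocks_for(block_size: int) -> int:
    """Number of cipher blocks one key may process before a rekey is forced."""
    if block_size <= 0:
        raise ValueError("block size must be positive")
    if block_size < SMALL_BLOCK_CUTOFF:
        return ONE_GIB // block_size          # 1 GiB floor for 8-byte ciphers
    return 1 << (block_size * 8 // 4)         # 2^(blocksize_in_bits/4)


class KeyUsage:
    """Per-direction counters for one set of keys (what NEWKEYS resets)."""

    def __init__(self, block_size: int, rekey_limit_bytes: int = 0):
        self.block_size = block_size
        self.max_blocks = max_blocks_for(block_size)
        # RekeyLimit from ssh_config; 0 means the option is not set
        self.rekey_limit_bytes = rekey_limit_bytes
        self.packets = 0
        self.blocks = 0

    def account(self, packet_len: int) -> None:
        """Record one packet. Padding makes the length a multiple of the
        block size on the wire, so round up here for odd test inputs."""
        self.packets += 1
        self.blocks += (packet_len + self.block_size - 1) // self.block_size

    def bytes_used(self) -> int:
        return self.blocks * self.block_size

    def needs_rekey(self) -> bool:
        """True once any of the three limits is reached."""
        if self.packets >= PACKET_LIMIT:
            return True
        if self.blocks >= self.max_blocks:
            return True
        if self.rekey_limit_bytes and self.bytes_used() >= self.rekey_limit_bytes:
            return True
        return False

    def newkeys(self) -> None:
        """Called when the new keys take effect after a completed exchange."""
        self.packets = 0
        self.blocks = 0


def packets_until_rekey(block_size: int, packet_len: int, rekey_limit_bytes: int = 0) -> int:
    """Simulate a stream of equal-size packets and return how many are sent
    under one key before needs_rekey() first fires."""
    usage = KeyUsage(block_size, rekey_limit_bytes)
    sent = 0
    while not usage.needs_rekey():
        usage.account(packet_len)
        sent += 1
    return sent


if __name__ == "__main__":
    for name, bs in (("3des-cbc", 8), ("aes128-cbc", 16)):
        limit = max_blocks_for(bs)
        print(f"{name}: rekey after {limit} blocks = {limit * bs / 2**30:.0f} GiB")
    # constructed example: 4 KiB packets with RekeyLimit 1M (ssh -o RekeyLimit=1M)
    print("packets before rekey with RekeyLimit=1M:", packets_until_rekey(8, 4096, 1 << 20))
```

Running it shows why 1.109 was needed: without the floor, an 8-byte-block cipher would renegotiate every 512 KiB, while a 16-byte block gives 64 GiB between forced rekeys.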


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.284 18-Apr-2019 dtucker

Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.
Patch from yumkam at gmail.com, ok deraadt.


Revision tags: OPENBSD_6_5_BASE
# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the workaround for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth compression has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
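The receive-side ordering this entry describes, as an added Python model written for this page (not OpenSSH code): the MAC is computed over the sequence number, the cleartext length field and the ciphertext (the EtM layout from the 1.178 entry), checked in one pass with a constant-time compare, and only then is anything decrypted. The old ordering is kept alongside so the difference is observable. The Cipher class is a stand-in keystream (SHA-256 in counter mode) so the example runs without OpenSSL; it is not an SSH cipher, padding is omitted, and all names are illustrative.

```python
# Added model of the Encrypt-then-MAC receive path from the 1.231 entry
# (EtM packet layout per the 1.178 entry). Not OpenSSH code.

import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag


class Cipher:
    """Placeholder transport cipher (SHA-256 counter-mode keystream, XORed).
    decrypt_calls records whether the decryption step was reached for a
    packet, which is the property the reordering in 1.231 is about."""

    def __init__(self, key: bytes):
        self.key = key
        self.decrypt_calls = 0

    def _keystream(self, seqnr: int, n: int) -> bytes:
        out = bytearray()
        block = 0
        while len(out) < n:
            out += hashlib.sha256(self.key + struct.pack(">II", seqnr, block)).digest()
            block += 1
        return bytes(out[:n])

    def encrypt(self, seqnr: int, data: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(seqnr, len(data))))

    def decrypt(self, seqnr: int, data: bytes) -> bytes:
        self.decrypt_calls += 1
        return self.encrypt(seqnr, data)   # XOR stream: same operation


def mac_compute(mac_key: bytes, seqnr: int, length_field: bytes, ciphertext: bytes) -> bytes:
    """EtM: MAC over seqnr || packet_length || encrypted payload."""
    msg = struct.pack(">I", seqnr) + length_field + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def mac_check(mac_key: bytes, seqnr: int, length_field: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Compute and compare in one step; compare_digest does not stop at the
    first differing byte (the role timingsafe_bcmp plays in packet.c)."""
    return hmac.compare_digest(mac_compute(mac_key, seqnr, length_field, ciphertext), tag)


def etm_seal(cipher: Cipher, mac_key: bytes, seqnr: int, payload: bytes) -> bytes:
    """Sender side: length in the clear, payload encrypted, tag appended."""
    ct = cipher.encrypt(seqnr, payload)
    length_field = struct.pack(">I", len(ct))
    return length_field + ct + mac_compute(mac_key, seqnr, length_field, ct)


def _split(wire: bytes):
    if len(wire) < 4 + MAC_LEN:
        raise ValueError("packet too short")
    length_field = wire[:4]
    (length,) = struct.unpack(">I", length_field)
    if length != len(wire) - 4 - MAC_LEN:
        raise ValueError("bad packet length")
    return length_field, wire[4:4 + length], wire[4 + length:]


def etm_open(cipher: Cipher, mac_key: bytes, seqnr: int, wire: bytes) -> bytes:
    """Receiver side after 1.231: verify first, decrypt only authenticated data."""
    length_field, ct, tag = _split(wire)
    if not mac_check(mac_key, seqnr, length_field, ct, tag):
        raise ValueError("Corrupted MAC on input")
    return cipher.decrypt(seqnr, ct)


def etm_open_old_order(cipher: Cipher, mac_key: bytes, seqnr: int, wire: bytes) -> bytes:
    """The ordering 1.231 replaced: MAC computed, payload decrypted, MAC
    checked last, so the cipher runs over unauthenticated input."""
    length_field, ct, tag = _split(wire)
    expected = mac_compute(mac_key, seqnr, length_field, ct)
    plaintext = cipher.decrypt(seqnr, ct)
    if not hmac.compare_digest(expected, tag):
        raise ValueError("Corrupted MAC on input")
    return plaintext


def flip_byte(wire: bytes, index: int) -> bytes:
    """Constructed tampering: flip one bit of the packet on the wire."""
    out = bytearray(wire)
    out[index] ^= 0x80
    return bytes(out)


def open_result(opener, cipher: Cipher, mac_key: bytes, seqnr: int, wire: bytes):
    """Run an opener and report (plaintext_or_None, decrypt_calls)."""
    try:
        pt = opener(cipher, mac_key, seqnr, wire)
    except ValueError:
        pt = None
    return pt, cipher.decrypt_calls


if __name__ == "__main__":
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32      # constructed keys
    wire = etm_seal(Cipher(enc_key), mac_key, 5, b"SSH_MSG_IGNORE payload")
    forged = flip_byte(wire, 6)                        # inside the ciphertext
    print("new order:", open_result(etm_open, Cipher(enc_key), mac_key, 5, forged))
    print("old order:", open_result(etm_open_old_order, Cipher(enc_key), mac_key, 5, forged))
```

On a forged packet the new order reports the MAC failure with decrypt_calls still 0; the old order reports the same failure only after the cipher has processed attacker-chosen bytes. A packet replayed under the wrong sequence number fails the same way, since seqnr is under the MAC.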


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
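An added example (not OpenSSH's buffer_get_cstring(), not code from this page) showing the check the 1.169 entry describes: an SSH "string" (big-endian uint32 length followed by that many bytes, per RFC 4251) is pulled out of a buffer and rejected if it contains a NUL anywhere except as a single final byte, which is tolerated for the interoperability reason the entry gives. The function and return-code names (get_cstring, CSTR_*) and the sample inputs are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes; names are this example's own, not OpenSSH identifiers. */
enum { CSTR_OK = 0, CSTR_TRUNCATED = -1, CSTR_EMBEDDED_NUL = -2, CSTR_NOMEM = -3 };

/*
 * Parse one length-prefixed string starting at buf[*off] and return it as a
 * freshly malloc'd C string in *out. Policy as in the 1.169 log entry: a NUL
 * inside the string is an error, but exactly one NUL at the very end is
 * tolerated (and dropped from the returned C string).
 */
static int
get_cstring(const unsigned char *buf, size_t len, size_t *off, char **out)
{
	uint32_t slen;
	size_t i, n, start;
	char *s;

	*out = NULL;
	if (*off > len || len - *off < 4)
		return CSTR_TRUNCATED;
	slen = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	start = *off + 4;
	/* The declared length must fit inside what is actually buffered. */
	if (slen > len - start)
		return CSTR_TRUNCATED;
	/* Tolerate exactly one trailing NUL; any earlier NUL is rejected. */
	n = slen;
	if (n > 0 && buf[start + n - 1] == '\0')
		n--;
	for (i = 0; i < n; i++)
		if (buf[start + i] == '\0')
			return CSTR_EMBEDDED_NUL;
	if ((s = malloc(n + 1)) == NULL)
		return CSTR_NOMEM;
	memcpy(s, buf + start, n);
	s[n] = '\0';
	*out = s;
	*off = start + slen;	/* consume the whole field, trailing NUL included */
	return CSTR_OK;
}

/* Self-check helper: parse buf and compare against the expected outcome. */
static int
check(const unsigned char *buf, size_t len, int want_rc, const char *want)
{
	size_t off = 0;
	char *s = NULL;
	int rc = get_cstring(buf, len, &off, &s);
	int ok = rc == want_rc &&
	    (want == NULL ? s == NULL : (s != NULL && strcmp(s, want) == 0));

	free(s);
	return ok;
}

/* Constructed sample inputs (not captured traffic). */
static const unsigned char sample_plain[]    = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char sample_trailnul[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
static const unsigned char sample_embedded[] = { 0, 0, 0, 5, 'h', 'e', 0, 'l', 'o' };
static const unsigned char sample_short[]    = { 0, 0, 0, 16, 'a', 'b', 'c' };

int
main(void)
{
	printf("plain:     %s\n", check(sample_plain, sizeof(sample_plain), CSTR_OK, "hello") ? "ok" : "FAIL");
	printf("trail NUL: %s\n", check(sample_trailnul, sizeof(sample_trailnul), CSTR_OK, "hello") ? "ok" : "FAIL");
	printf("embedded:  %s\n", check(sample_embedded, sizeof(sample_embedded), CSTR_EMBEDDED_NUL, NULL) ? "ok" : "FAIL");
	printf("short:     %s\n", check(sample_short, sizeof(sample_short), CSTR_TRUNCATED, NULL) ? "ok" : "FAIL");
	return 0;
}
```

The order of checks matters: the length field is validated against the buffered data before any byte of the payload is read, so a hostile length cannot walk the parser off the end of the buffer, and the NUL scan runs on the raw bytes before anything is handed to a string(3) function.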


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
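An added example (not the OpenBSD timingsafe_bcmp(3) source, not code from this page) of the compare the 1.167 entry describes: every byte is visited and the differences are OR-accumulated, so the running time does not depend on where the first mismatch sits. A memcmp()-style loop is shown beside it, instrumented by counting bytes inspected rather than timing, to make the leak concrete. Names (ct_bcmp, shortcircuit_bytes_inspected, mac_tags_match) are this example's own.

```c
#include <stddef.h>
#include <string.h>

/*
 * Constant-time comparison of n bytes. Returns 0 when equal, non-zero
 * otherwise, and (like timingsafe_bcmp) gives no ordering information.
 * There is deliberately no early exit in the loop.
 */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *p = a, *q = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p[i] ^ q[i];
	return acc != 0;
}

/*
 * The behaviour the entry warns about: a short-circuiting compare stops at
 * the first differing byte, so the number of bytes it inspects (and hence
 * its run time) encodes the length of the matching prefix.
 */
size_t
shortcircuit_bytes_inspected(const unsigned char *a, const unsigned char *b,
    size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (a[i] != b[i])
			return i + 1;
	return n;
}

/*
 * Typical sensitive use: checking a received MAC tag against the locally
 * computed one. Tag lengths are not secret, so an ordinary length check
 * first is fine; only the tag bytes need the constant-time path.
 */
int
mac_tags_match(const unsigned char *computed, size_t clen,
    const unsigned char *received, size_t rlen)
{
	if (clen != rlen)
		return 0;
	return ct_bcmp(computed, received, clen) == 0;
}
```

The OR-accumulate pattern is the one libc implementations of timingsafe_bcmp use; it is not a substitute for verifying, on a given compiler and target, that the generated code really has no data-dependent branch.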


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
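An added example (not OpenSSH code, not from this page) that writes out the rekeying thresholds from the 1.103 and 1.109 entries as a small policy so the numbers can be checked: 2^31 packets because the sequence number wraps at 2^32, 2^(L/4) blocks for an L-bit block cipher (2^(blocksize*2) with blocksize in bytes), and the 1 GB floor that 1.109 imposes for small block sizes because 2^16 blocks of an 8-byte cipher is only 512 KiB. Names (max_blocks_for, need_rekey, the two constants) are this example's own, and the 1 GB figure is read as 2^30 bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* 1.103 (a): rekey after 2^31 packets, since the packet seqnr wraps at 2^32. */
#define REKEY_PACKET_LIMIT	((uint64_t)1 << 31)
/* 1.109: byte limit used instead of the block rule for small block sizes. */
#define SMALL_BLOCK_BYTE_LIMIT	((uint64_t)1 << 30)

/*
 * 1.103 (b): for an L-bit block, rekey after 2^(L/4) blocks, i.e.
 * 2^(block_bytes*2) blocks. For 16-byte AES that is 2^32 blocks; for an
 * 8-byte cipher it would be 2^16 blocks, so the 1 GB floor applies instead.
 */
uint64_t
max_blocks_for(unsigned int block_bytes)
{
	if (block_bytes == 0)
		return 0;			/* invalid cipher: rekey at once */
	if (block_bytes >= 16) {
		if (block_bytes * 2 >= 64)	/* avoid an undefined shift */
			return UINT64_MAX;
		return (uint64_t)1 << (block_bytes * 2);
	}
	return SMALL_BLOCK_BYTE_LIMIT / block_bytes;
}

/* 1 when either the packet limit or the block limit has been reached. */
int
need_rekey(uint64_t packets_sent, uint64_t blocks_sent, unsigned int block_bytes)
{
	return packets_sent >= REKEY_PACKET_LIMIT ||
	    blocks_sent >= max_blocks_for(block_bytes);
}

int
main(void)
{
	unsigned int sizes[] = { 8, 16 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		uint64_t blocks = max_blocks_for(sizes[i]);
		printf("block size %2u bytes: rekey after %llu blocks (%llu bytes)\n",
		    sizes[i], (unsigned long long)blocks,
		    (unsigned long long)(blocks * sizes[i]));
	}
	return 0;
}
```

Both counters are compared with >= rather than == so that a rekey is still triggered if a burst of packets pushes a counter past the limit between checks.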


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NODELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.283 01-Mar-2019 djm

in ssh_set_newkeys(), mention the direction that we're keying in debug
messages. Previously it would be difficult to tell which direction
it was talking about


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
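The two EtM entries above (1.178, which defines the MAC over the encrypted message including the packet length, and 1.231, which moves the MAC check ahead of decryption) together describe one receive path. The block below is an added example, not code from OpenSSH's packet.c: the packet layout, the names etm_seal/etm_open/etm_tamper_result and the keys are all constructed for illustration, and a toy XOR "cipher" and a toy keyed checksum stand in for the real cipher and HMAC so that the block is self-contained.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN 4
#define MAX_PAYLOAD 64

enum { PKT_OK = 0, PKT_ERR_MAC_INVALID = -1, PKT_ERR_BAD_LEN = -2,
    PKT_ERR_SELFTEST = -99 };

/* Receive-side cipher invocations: shows that a packet failing the MAC check
 * is never decrypted. */
static unsigned decrypt_calls;

/* Toy keyed checksum (FNV-1a over key||data||key), a stand-in for HMAC used
 * only to keep the example short. Not a real MAC. */
static void toy_mac(const uint8_t *key, size_t klen, const uint8_t *data,
    size_t dlen, uint8_t tag[TAG_LEN])
{
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    for (i = 0; i < dlen; i++) { h ^= data[i]; h *= 16777619u; }
    for (i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    tag[0] = h >> 24; tag[1] = h >> 16; tag[2] = h >> 8; tag[3] = h;
}

/* Toy cipher: XOR with a repeating key. Also a stand-in, not a real cipher. */
static void toy_xor(const uint8_t *key, size_t klen, uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] ^= key[i % klen];
}

/* Tag comparison without a data-dependent early exit (cf. timingsafe_bcmp). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    size_t i;
    for (i = 0; i < n; i++)
        d |= a[i] ^ b[i];
    return d == 0;
}

/* Sender: length (clear, big-endian) || E(payload) || MAC(length || E(payload)). */
size_t etm_seal(const uint8_t *ekey, size_t eklen, const uint8_t *mkey,
    size_t mklen, const uint8_t *payload, size_t plen, uint8_t *out, size_t outlen)
{
    if (plen > MAX_PAYLOAD || outlen < 4 + plen + TAG_LEN)
        return 0;
    out[0] = plen >> 24; out[1] = plen >> 16; out[2] = plen >> 8; out[3] = plen;
    memcpy(out + 4, payload, plen);
    toy_xor(ekey, eklen, out + 4, plen);
    toy_mac(mkey, mklen, out, 4 + plen, out + 4 + plen);
    return 4 + plen + TAG_LEN;
}

/* Receiver: the mac_check() step runs over the still-encrypted bytes and must
 * pass before the cipher is applied to the payload. */
int etm_open(const uint8_t *ekey, size_t eklen, const uint8_t *mkey,
    size_t mklen, const uint8_t *pkt, size_t pktlen, uint8_t *payload, size_t *plen)
{
    uint8_t expect[TAG_LEN];
    size_t len;
    if (pktlen < 4 + TAG_LEN)
        return PKT_ERR_BAD_LEN;
    /* Under EtM the length field is not encrypted, so it is readable here. */
    len = ((size_t)pkt[0] << 24) | ((size_t)pkt[1] << 16) |
        ((size_t)pkt[2] << 8) | pkt[3];
    if (len > MAX_PAYLOAD || pktlen != 4 + len + TAG_LEN)
        return PKT_ERR_BAD_LEN;
    toy_mac(mkey, mklen, pkt, 4 + len, expect);
    if (!ct_equal(expect, pkt + 4 + len, TAG_LEN))
        return PKT_ERR_MAC_INVALID;     /* decrypt_calls untouched */
    memcpy(payload, pkt + 4, len);
    toy_xor(ekey, eklen, payload, len);
    decrypt_calls++;
    *plen = len;
    return PKT_OK;
}

unsigned etm_decrypt_calls(void) { return decrypt_calls; }

/* Constructed run: seal "hello", open it intact, then flip one ciphertext
 * byte and return etm_open()'s verdict on the tampered copy. */
int etm_tamper_result(void)
{
    static const uint8_t ek[] = "example-enc-key", mk[] = "example-mac-key";
    uint8_t pkt[4 + MAX_PAYLOAD + TAG_LEN], out[MAX_PAYLOAD];
    size_t n, outlen = 0;
    n = etm_seal(ek, sizeof ek - 1, mk, sizeof mk - 1,
        (const uint8_t *)"hello", 5, pkt, sizeof pkt);
    if (n == 0 || etm_open(ek, sizeof ek - 1, mk, sizeof mk - 1, pkt, n,
        out, &outlen) != PKT_OK || outlen != 5 || memcmp(out, "hello", 5) != 0)
        return PKT_ERR_SELFTEST;
    pkt[4] ^= 0x01;                     /* corrupt the first ciphertext byte */
    return etm_open(ek, sizeof ek - 1, mk, sizeof mk - 1, pkt, n, out, &outlen);
}
```

Because the tag covers the length field and the ciphertext exactly as they arrived, a modified packet is rejected before etm_open() ever runs the cipher: after etm_tamper_result() the counter returned by etm_decrypt_calls() still reflects only the intact open. Checking the tag first is what removes the decryption step from the reach of an unauthenticated peer, which is the point of the 1.231 reordering.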


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
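The entry above describes the check buffer_get_cstring() adds: a length-prefixed string must not carry an embedded NUL, because a string(3) function would silently stop at it. The block below is an added example, not OpenSSH's buffer code: get_cstring(), the CSTR_* codes, the CSTRING_MAX cap and the sample buffers are all constructed for illustration, and it keeps the concession the footnote describes (one trailing NUL is tolerated and stripped).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for the reader below (the example's own, not ssherr.h values). */
enum { CSTR_TRUNCATED = -1, CSTR_TOO_LONG = -2, CSTR_EMBEDDED_NUL = -3,
    CSTR_NO_ROOM = -4 };

#define CSTRING_MAX 256   /* size cap chosen for the example */

/*
 * Read an SSH "string" (uint32 big-endian length, then bytes) at *off and
 * copy it NUL-terminated into out. An embedded NUL is rejected, so the
 * C-string view (strlen) can never be shorter than the wire length. A single
 * trailing NUL is tolerated and stripped. Returns the string length or a
 * negative CSTR_* code; *off advances only on success.
 */
int get_cstring(const uint8_t *buf, size_t buflen, size_t *off,
    char *out, size_t outlen)
{
    const uint8_t *p;
    size_t len, wirelen;

    if (*off > buflen || buflen - *off < 4)
        return CSTR_TRUNCATED;
    p = buf + *off;
    wirelen = ((size_t)p[0] << 24) | ((size_t)p[1] << 16) |
        ((size_t)p[2] << 8) | p[3];
    if (wirelen > CSTRING_MAX)
        return CSTR_TOO_LONG;
    if (buflen - *off - 4 < wirelen)
        return CSTR_TRUNCATED;
    p += 4;
    len = wirelen;
    if (len > 0 && p[len - 1] == '\0')
        len--;                              /* one trailing NUL allowed */
    if (memchr(p, '\0', len) != NULL)
        return CSTR_EMBEDDED_NUL;           /* would be hidden by string(3) */
    if (outlen < len + 1)
        return CSTR_NO_ROOM;
    memcpy(out, p, len);
    out[len] = '\0';
    *off += 4 + wirelen;
    return (int)len;
}

/* Constructed wire samples (not captured traffic). */
const uint8_t sample_plain[]     = { 0, 0, 0, 3, 'a', 'b', 'c' };
const uint8_t sample_trailing[]  = { 0, 0, 0, 4, 'a', 'b', 'c', 0 };
const uint8_t sample_embedded[]  = { 0, 0, 0, 3, 'a', 0, 'c' };
const uint8_t sample_truncated[] = { 0, 0, 0, 9, 'a' };

/* Parse one sample from offset 0 and return get_cstring()'s result. */
int parse_sample(const uint8_t *buf, size_t buflen)
{
    char out[CSTRING_MAX + 1];
    size_t off = 0;

    return get_cstring(buf, buflen, &off, out, sizeof out);
}
```

sample_embedded is the case the entry is about: a plain length-prefixed read would accept the three bytes, but any later strlen() or strcmp() on the result would see only "a", with the trailing "c" unnoticed. The reader rejects it outright instead.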


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
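The entry above explains why a short-circuiting memcmp() is the wrong tool for comparing MAC tags: the amount of work it does reveals where the first differing byte sits. The block below is an added example, not OpenSSH's or libc's timingsafe_bcmp(): it puts a memcmp-style compare beside a constant-time one and counts the bytes each examines, with that count standing in for elapsed time. leaky_cmp, ct_bcmp and the tag_* arrays are constructed names and values.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Byte-wise compare with memcmp()-style early exit. The number of bytes
 * examined, reported through *steps, depends on where the inputs first
 * differ, which is the timing leak.
 */
int leaky_cmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *p = a, *q = b;
    size_t i;

    for (i = 0; i < n; i++) {
        if (p[i] != q[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/*
 * Compare in the manner of timingsafe_bcmp(3): visit every byte, OR the
 * differences together and decide only at the end. There is no
 * data-dependent branch or early exit, so *steps is always n.
 * Returns 0 when equal, nonzero otherwise.
 */
int ct_bcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *p = a, *q = b;
    uint8_t acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= p[i] ^ q[i];
    *steps = n;
    return acc != 0;
}

#define TAG_LEN 16

/* Constructed 16-byte tags: the expected value, one differing in the first
 * byte and one differing only in the last byte. */
static const uint8_t tag_good[TAG_LEN] =
    { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t tag_first_off[TAG_LEN] =
    { 0x00, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t tag_last_off[TAG_LEN] =
    { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0xff };

/* Bytes examined by each routine for the two mismatch positions. */
size_t leaky_steps_first(void)
{
    size_t s;
    leaky_cmp(tag_good, tag_first_off, TAG_LEN, &s);
    return s;
}

size_t leaky_steps_last(void)
{
    size_t s;
    leaky_cmp(tag_good, tag_last_off, TAG_LEN, &s);
    return s;
}

size_t ct_steps_first(void)
{
    size_t s;
    ct_bcmp(tag_good, tag_first_off, TAG_LEN, &s);
    return s;
}

size_t ct_steps_last(void)
{
    size_t s;
    ct_bcmp(tag_good, tag_last_off, TAG_LEN, &s);
    return s;
}
```

For leaky_cmp() the count is 1 when the first byte differs and 16 when only the last byte differs; for ct_bcmp() it is 16 in both cases, and for equal inputs too. The step count is only a model of the leak: a real measurement would also have to contend with compiler optimisation and cache effects, which is why the system's timingsafe_bcmp(3) should be used rather than a hand-rolled loop in production code.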


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc != NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
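The rekeying limits in the 1.103 entry above, the 1 GB floor for small block sizes added in 1.109, and the later RekeyLimit work (1.184 and 1.185 add a time argument; 1.224 lifts the byte limit) together define when a side must initiate a new key exchange. The block below is an added example, not OpenSSH's packet.c: rekey_max_blocks(), rekey_due(), rekey_check() and struct rekey_state are constructed names, and the counters passed in are made up for the worked cases.

```c
#include <stdint.h>

/* (a) Packet limit: the 32-bit sequence number wraps after 2^32 packets, so
 * rekeying is forced at half that. */
#define REKEY_PACKET_LIMIT ((uint64_t)1 << 31)

/*
 * (b) Block limit: 2^(blocksize_in_bits/4) = 2^(2 * blocksize_bytes) blocks,
 * i.e. 2^32 blocks for a 16-byte block cipher. For an 8-byte block (3DES,
 * Blowfish) the same formula gives only 2^16 blocks (512 KiB), which is the
 * case the 1.109 entry calls too expensive; a flat 1 GiB of data is used
 * instead. A configured RekeyLimit (bytes, 0 = none) can only lower the result.
 */
uint64_t rekey_max_blocks(unsigned block_bytes, uint64_t rekey_limit_bytes)
{
    uint64_t max_blocks;

    if (block_bytes == 0)
        return 0;
    if (block_bytes >= 32)                  /* 2^(2*32) would not fit 64 bits */
        max_blocks = UINT64_MAX;
    else if (block_bytes >= 16)
        max_blocks = (uint64_t)1 << (2 * block_bytes);
    else
        max_blocks = ((uint64_t)1 << 30) / block_bytes;
    if (rekey_limit_bytes != 0 && rekey_limit_bytes / block_bytes < max_blocks)
        max_blocks = rekey_limit_bytes / block_bytes;
    return max_blocks;
}

enum { REKEY_NONE = 0, REKEY_PACKETS, REKEY_BLOCKS, REKEY_TIME };

struct rekey_state {
    uint64_t packets;       /* packets sent under the current keys */
    uint64_t blocks;        /* cipher blocks sent under the current keys */
    uint64_t max_blocks;    /* from rekey_max_blocks() */
    uint64_t interval;      /* seconds, 0 = off (RekeyLimit's second argument) */
    uint64_t last_rekey;    /* monotonic clock reading at the last NEWKEYS */
};

/* Returns which limit, if any, has been reached; checked in the order above. */
int rekey_due(const struct rekey_state *s, uint64_t now)
{
    if (s->packets >= REKEY_PACKET_LIMIT)
        return REKEY_PACKETS;
    if (s->max_blocks != 0 && s->blocks >= s->max_blocks)
        return REKEY_BLOCKS;
    if (s->interval != 0 && now - s->last_rekey >= s->interval)
        return REKEY_TIME;
    return REKEY_NONE;
}

/* Convenience wrapper: build a state from plain numbers and evaluate it. */
int rekey_check(uint64_t packets, uint64_t blocks, unsigned block_bytes,
    uint64_t rekey_limit_bytes, uint64_t interval, uint64_t last_rekey,
    uint64_t now)
{
    struct rekey_state s;

    s.packets = packets;
    s.blocks = blocks;
    s.max_blocks = rekey_max_blocks(block_bytes, rekey_limit_bytes);
    s.interval = interval;
    s.last_rekey = last_rekey;
    return rekey_due(&s, now);
}
```

With a 16-byte block and no RekeyLimit the block budget is 2^32 blocks (64 GiB); with an 8-byte block it is 2^30 / 8 = 2^27 blocks, the 1 GiB floor rather than the 2^16 the generic formula would give. A RekeyLimit of 1M on AES lowers the budget to 65536 blocks. The time check uses a monotonic reading, as the 1.187 entry later requires, so a wall-clock step cannot trigger or suppress a rekey.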


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.282 21-Jan-2019 djm

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# 1.281 21-Jan-2019 djm

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# 1.280 19-Jan-2019 djm

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
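
The parsing rule described above (a wire "string" is a uint32 big-endian length followed by that many bytes; any NUL inside the body is refused, but a single trailing NUL is tolerated for now), written out as an added example. This is illustration code, not OpenSSH's buffer_get_cstring(); the status codes, function names and the constructed sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for this example (not OpenSSH's ssherr.h values). */
enum {
    CSTR_OK = 0,
    CSTR_TRUNCATED = -1,     /* length prefix claims more bytes than are present */
    CSTR_EMBEDDED_NUL = -2   /* NUL byte inside the string body */
};

/*
 * Parse one SSH wire "string" (uint32 big-endian length, then that many
 * bytes) from buf[0..buflen). On success *body/*bodylen describe the
 * string and *consumed is the number of input bytes used.
 *
 * Policy from the commit message: a NUL anywhere in the body is rejected,
 * except that exactly one NUL as the final byte is tolerated and dropped
 * from the reported length.
 */
int get_cstring(const unsigned char *buf, size_t buflen,
                const unsigned char **body, size_t *bodylen, size_t *consumed)
{
    uint32_t len;
    size_t n, i;

    if (buflen < 4)
        return CSTR_TRUNCATED;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    /* buflen >= 4 here, so the subtraction cannot wrap. */
    if (len > buflen - 4)
        return CSTR_TRUNCATED;

    n = len;
    if (n > 0 && buf[4 + n - 1] == '\0')
        n--;                           /* tolerate a single trailing NUL */
    for (i = 0; i < n; i++)
        if (buf[4 + i] == '\0')
            return CSTR_EMBEDDED_NUL;  /* anything else is refused */

    *body = buf + 4;
    *bodylen = n;
    *consumed = 4 + (size_t)len;       /* wire length, trailing NUL included */
    return CSTR_OK;
}

/* Verdict-only wrappers: body length / bytes consumed on success, status (<0) otherwise. */
long cstring_body_len(const unsigned char *buf, size_t buflen)
{
    const unsigned char *body;
    size_t n, used;
    int r = get_cstring(buf, buflen, &body, &n, &used);

    return r == CSTR_OK ? (long)n : (long)r;
}

long cstring_consumed(const unsigned char *buf, size_t buflen)
{
    const unsigned char *body;
    size_t n, used;
    int r = get_cstring(buf, buflen, &body, &n, &used);

    return r == CSTR_OK ? (long)used : (long)r;
}

/* Constructed sample inputs; none are captured from a real connection. */
static const unsigned char SAMPLE_PLAIN[]    = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char SAMPLE_TRAILNUL[] = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
static const unsigned char SAMPLE_INNERNUL[] = { 0, 0, 0, 8, 'h', 'e', 0, 'r', 'm', '-', 'r', 'f' };
static const unsigned char SAMPLE_SHORT[]    = { 0, 0, 0, 9, 'h', 'e' };
static const unsigned char SAMPLE_HUGE[]     = { 0xff, 0xff, 0xff, 0xff, 'x' };

int main(void)
{
    printf("plain:        %ld\n", cstring_body_len(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN));
    printf("trailing NUL: %ld (consumed %ld)\n",
           cstring_body_len(SAMPLE_TRAILNUL, sizeof SAMPLE_TRAILNUL),
           cstring_consumed(SAMPLE_TRAILNUL, sizeof SAMPLE_TRAILNUL));
    printf("inner NUL:    %ld\n", cstring_body_len(SAMPLE_INNERNUL, sizeof SAMPLE_INNERNUL));
    printf("short:        %ld\n", cstring_body_len(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("huge length:  %ld\n", cstring_body_len(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    /* Why the check matters: a string(3) function stops at the embedded NUL
     * and never sees the six bytes that follow it. */
    printf("strlen() of the inner-NUL body: %zu\n",
           strlen((const char *)SAMPLE_INNERNUL + 4));
    return 0;
}
```

The length check is done against the remaining buffer before any indexing, so an absurd prefix such as 0xffffffff is rejected as truncated rather than turned into an out-of-bounds read; the trailing-NUL concession is applied before the scan so that a body ending in two NULs is still refused.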


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
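
An added example of the comparison described above, alongside a model of the short-circuit behaviour it replaces. This is illustration code, not OpenSSH's timing_safe_cmp()/timingsafe_bcmp(); the function names and the sample tags are this example's own, and it is the pattern the later EtM mac_check() ordering also relies on.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constant-time comparison in the spirit of timingsafe_bcmp(3): every byte
 * is examined whether or not an earlier one already differed, so the running
 * time is independent of where (or whether) the buffers diverge.
 * Returns 0 when equal, nonzero otherwise; unlike memcmp() it says nothing
 * about ordering, which is all a MAC or key check needs.
 */
int ct_bcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];   /* accumulate differences, never break early */
    return acc != 0;
}

/*
 * Model of the leak in a short-circuiting compare: returns how many bytes a
 * memcmp()-style loop inspects before it can answer. The count, and hence the
 * time, grows with the length of the matching prefix, which lets an attacker
 * who controls one operand confirm a guessed tag one byte at a time.
 */
size_t shortcircuit_bytes_examined(const unsigned char *a,
                                   const unsigned char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Verify a received MAC tag against the locally computed one. */
int mac_tag_ok(const unsigned char *expected, const unsigned char *received,
               size_t taglen)
{
    return ct_bcmp(expected, received, taglen) == 0;
}

int main(void)
{
    /* Constructed sample tags, not values from any real session. */
    const unsigned char good[4]      = { 0xde, 0xad, 0xbe, 0xef };
    const unsigned char bad_last[4]  = { 0xde, 0xad, 0xbe, 0xee };
    const unsigned char bad_first[4] = { 0x00, 0xad, 0xbe, 0xef };

    printf("good tag accepted: %d\n", mac_tag_ok(good, good, 4));
    printf("bad tag accepted:  %d\n", mac_tag_ok(good, bad_last, 4));
    printf("short-circuit compare examines %zu bytes for a late mismatch, "
           "%zu for an early one\n",
           shortcircuit_bytes_examined(good, bad_last, 4),
           shortcircuit_bytes_examined(good, bad_first, 4));
    return 0;
}
```

The accumulator loop has no data-dependent branch; the only branch is on the final aggregate, which reveals equal/not-equal and nothing about the position of the first difference.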


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
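
An added example of the overflow the commit message calls dangerous, next to the check a failure-checked allocator needs. This is illustration code, not OpenSSH's xcalloc(); the function names are this example's own, and it returns NULL on overflow where the real helper would call fatal().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 1 if nmemb * size would wrap around size_t, 0 otherwise. */
int alloc_size_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* The dangerous idiom: the product is computed in size_t and silently wraps,
 * so malloc(nmemb * size) can hand back a buffer far smaller than intended. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/*
 * Allocate nmemb zeroed objects of size bytes, refusing when the total cannot
 * be represented. NULL here means "overflow or out of memory"; a fatal()-style
 * wrapper would abort instead of returning.
 */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (alloc_size_overflows(nmemb, size)) {
        fprintf(stderr, "checked_calloc: %zu * %zu overflows size_t\n",
                nmemb, size);
        return NULL;
    }
    return calloc(nmemb, size);
}

/* Try an allocation and report whether it succeeded (frees it again). */
int checked_calloc_succeeds(size_t nmemb, size_t size)
{
    void *p = checked_calloc(nmemb, size);

    free(p);
    return p != NULL;
}

int main(void)
{
    size_t n = SIZE_MAX / 2 + 1;   /* 2^(bits-1): doubling it wraps to 0 */

    printf("%zu * 2 as size_t = %zu\n", n, wrapped_product(n, 2));
    printf("overflow detected: %d\n", alloc_size_overflows(n, 2));
    printf("10 * 16 allocation ok: %d\n", checked_calloc_succeeds(10, 16));
    return 0;
}
```

The division-based test avoids computing the product at all, so it is correct for every width of size_t; a naive `nmemb * size < nmemb` test is not.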


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
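
The rekeying limits stated in this message and in 1.109 above (2^31 packets because the sequence number wraps at 2^32; 2^(L/4) blocks for a block size of L bits; a 1 GB cap for small block sizes), carried through as an added example. This is illustration code, not OpenSSH's packet.c; it assumes "small" means a block shorter than 16 bytes, and treats a RekeyLimit-style byte setting as something that can only lower the computed limit. Both assumptions are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* (a) rekey after 2^31 packets: the 32-bit packet sequence number wraps at 2^32. */
#define REKEY_PACKET_LIMIT ((uint64_t)1 << 31)

/* 1.109: use 1 GB of data for small block sizes instead of 2^(L/4) blocks,
 * which for 8-byte blocks would be only 2^16 blocks = 512 KB between rekeys. */
#define SMALL_BLOCK_DATA_CAP ((uint64_t)1 << 30)
/* Assumption for this example: "small" is anything under 16 bytes. */
#define SMALL_BLOCK_THRESHOLD 16

/*
 * (b) 2^(L/4) blocks with L the block size in bits, i.e. 2^(2 * bytes).
 * Returns the number of cipher blocks after which keys must be replaced.
 * user_limit_bytes is a volume setting (0 = none) and can only lower the limit.
 */
uint64_t rekey_block_limit(unsigned block_size_bytes, uint64_t user_limit_bytes)
{
    uint64_t blocks;

    if (block_size_bytes == 0)
        return 0;                       /* not a block cipher; nothing to compute */
    if (block_size_bytes * 2 >= 64)
        blocks = UINT64_MAX;            /* shift would overflow; effectively unlimited */
    else
        blocks = (uint64_t)1 << (block_size_bytes * 2);
    if (block_size_bytes < SMALL_BLOCK_THRESHOLD)
        blocks = SMALL_BLOCK_DATA_CAP / block_size_bytes;   /* 1.109 replacement */
    if (user_limit_bytes != 0) {
        uint64_t user_blocks = user_limit_bytes / block_size_bytes;
        if (user_blocks < blocks)
            blocks = user_blocks;
    }
    return blocks;
}

/* The same limit in bytes, for comparison with traffic counters. */
uint64_t rekey_byte_limit(unsigned block_size_bytes, uint64_t user_limit_bytes)
{
    uint64_t blocks = rekey_block_limit(block_size_bytes, user_limit_bytes);

    if (block_size_bytes == 0)
        return 0;
    if (blocks == UINT64_MAX || blocks > UINT64_MAX / block_size_bytes)
        return UINT64_MAX;
    return blocks * block_size_bytes;
}

/* Whether either trigger has fired for the current key set. */
int rekey_due(uint64_t packets, uint64_t blocks, uint64_t block_limit)
{
    return packets >= REKEY_PACKET_LIMIT || blocks >= block_limit;
}

int main(void)
{
    /* 8-byte block (3DES, Blowfish) and 16-byte block (AES) with no user limit. */
    printf("8-byte block:  %llu blocks, %llu bytes\n",
           (unsigned long long)rekey_block_limit(8, 0),
           (unsigned long long)rekey_byte_limit(8, 0));
    printf("16-byte block: %llu blocks, %llu bytes\n",
           (unsigned long long)rekey_block_limit(16, 0),
           (unsigned long long)rekey_byte_limit(16, 0));
    printf("16-byte block, 1 MiB user limit: %llu blocks\n",
           (unsigned long long)rekey_block_limit(16, (uint64_t)1 << 20));
    return 0;
}
```

For AES the formula gives 2^32 blocks, i.e. 64 GiB, before a forced rekey; for an 8-byte cipher the formula alone would give 512 KB, and the 1 GB cap is what makes such ciphers usable at all.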


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.279 04-Jan-2019 djm

fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
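The ordering change described in 1.231, as an added illustration in C (not the OpenSSH code). The cipher (an XOR keystream) and the MAC (a keyed FNV-1a) are toy stand-ins that exist only so the control flow runs stand-alone; the decrypt_calls counter in the context struct is likewise an artifact of the example, there so a test can observe whether unverified ciphertext was ever passed to the cipher. The packet layout is the EtM one, with the MAC computed over the clear length field and the ciphertext:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN 8
enum { ETM_OK = 0, ETM_BAD_MAC = -1, ETM_MALFORMED = -2 };

/* Toy keys plus a counter of cipher invocations; the counter is only
 * here so a test can see whether unverified ciphertext was decrypted. */
typedef struct {
	uint8_t enc_key[16];
	uint8_t mac_key[16];
	unsigned decrypt_calls;
} etm_ctx;

/* Toy keyed hash standing in for HMAC.  Every step is a bijection on the
 * 64-bit state, so any changed input byte changes the tag. */
static void
toy_mac(const uint8_t key[16], const uint8_t *d, size_t n, uint8_t out[MAC_LEN])
{
	uint64_t h = 0xcbf29ce484222325ULL;
	size_t i;
	for (i = 0; i < 16; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
	for (i = 0; i < n; i++) { h ^= d[i]; h *= 0x100000001b3ULL; }
	for (i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Toy stream cipher standing in for the negotiated cipher; XOR inverts itself. */
static void
toy_xor(const uint8_t key[16], uint8_t *buf, size_t n)
{
	for (size_t i = 0; i < n; i++) buf[i] ^= key[i % 16];
}

/* Constant-time tag comparison: 0 if equal, nonzero otherwise. */
static int
ct_bcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
	uint8_t r = 0;
	for (size_t i = 0; i < n; i++) r |= a[i] ^ b[i];
	return r != 0;
}

/* Sender: uint32 length (clear) || ciphertext || MAC(length || ciphertext). */
size_t
etm_build(const etm_ctx *c, const uint8_t *payload, uint32_t len, uint8_t *out, size_t outlen)
{
	if (outlen < 4 + (size_t)len + MAC_LEN) return 0;
	for (int i = 0; i < 4; i++) out[i] = (uint8_t)(len >> (24 - 8 * i));
	memcpy(out + 4, payload, len);
	toy_xor(c->enc_key, out + 4, len);
	toy_mac(c->mac_key, out, 4 + len, out + 4 + len);
	return 4 + len + MAC_LEN;
}

/* Receiver: check the clear length field against what actually arrived. */
static int
parse_header(const uint8_t *pkt, size_t pktlen, size_t plainlen, uint32_t *len)
{
	if (pktlen < 4 + MAC_LEN) return ETM_MALFORMED;
	*len = (uint32_t)pkt[0] << 24 | (uint32_t)pkt[1] << 16 | (uint32_t)pkt[2] << 8 | pkt[3];
	if (*len > plainlen || pktlen != 4 + (size_t)*len + MAC_LEN) return ETM_MALFORMED;
	return ETM_OK;
}

/* Pre-1.231 ordering: compute the MAC, decrypt, and only then compare. */
int
etm_receive_old(etm_ctx *c, const uint8_t *pkt, size_t pktlen, uint8_t *plain, size_t plainlen)
{
	uint8_t mac[MAC_LEN];
	uint32_t len;
	int r;
	if ((r = parse_header(pkt, pktlen, plainlen, &len)) != ETM_OK) return r;
	toy_mac(c->mac_key, pkt, 4 + len, mac);
	memcpy(plain, pkt + 4, len);
	toy_xor(c->enc_key, plain, len);	/* cipher runs over unverified bytes */
	c->decrypt_calls++;
	return ct_bcmp(mac, pkt + 4 + len, MAC_LEN) ? ETM_BAD_MAC : ETM_OK;
}

/* 1.231 ordering: mac_check() computes and compares the MAC in one pass ... */
static int
mac_check(const etm_ctx *c, const uint8_t *d, size_t n, const uint8_t *tag)
{
	uint8_t mac[MAC_LEN];
	toy_mac(c->mac_key, d, n, mac);
	return ct_bcmp(mac, tag, MAC_LEN) ? ETM_BAD_MAC : ETM_OK;
}

/* ... and the ciphertext is only decrypted once the tag has verified. */
int
etm_receive_new(etm_ctx *c, const uint8_t *pkt, size_t pktlen, uint8_t *plain, size_t plainlen)
{
	uint32_t len;
	int r;
	if ((r = parse_header(pkt, pktlen, plainlen, &len)) != ETM_OK) return r;
	if ((r = mac_check(c, pkt, 4 + len, pkt + 4 + len)) != ETM_OK) return r;
	memcpy(plain, pkt + 4, len);
	toy_xor(c->enc_key, plain, len);
	c->decrypt_calls++;
	return ETM_OK;
}
```

On a packet with a corrupted ciphertext byte, etm_receive_old still runs the cipher before it reports ETM_BAD_MAC, while etm_receive_new rejects the packet without the cipher ever seeing attacker-controlled bytes; that is the side channel the commit closes off.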


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots of help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
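The check that 1.169 describes, as an added illustration in C rather than the buffer_get_cstring() implementation itself: parse one SSH "string" (a 4-byte big-endian length followed by that many bytes), refuse any NUL that is not the very last byte, and tolerate exactly one trailing NUL as the footnote allows. The error codes and the function name are this example's own:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * A C caller that hands the extracted string to a string(3) function sees
 * only the bytes up to the first NUL, so anything after an embedded NUL
 * would be ignored without anyone noticing.  This parser rejects embedded
 * NULs but tolerates a single NUL as the final byte (and strips it).
 */
enum {
	CSTR_OK = 0,
	CSTR_SHORT = -1,		/* length prefix runs past the buffer */
	CSTR_EMBEDDED_NUL = -2,		/* NUL somewhere before the final byte */
	CSTR_NOMEM = -3
};

/* On success *out is a malloc'd NUL-terminated copy and *consumed the
 * number of input bytes used (4 + declared length). */
int
get_cstring(const uint8_t *buf, size_t buflen, char **out, size_t *consumed)
{
	const uint8_t *p;
	uint32_t len;
	size_t slen, i;
	char *s;

	if (buflen < 4)
		return CSTR_SHORT;
	len = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
	    (uint32_t)buf[2] << 8 | buf[3];
	if (len > buflen - 4)		/* written this way so it cannot overflow */
		return CSTR_SHORT;
	p = buf + 4;
	slen = len;
	if (slen > 0 && p[slen - 1] == '\0')
		slen--;			/* the one tolerated trailing NUL */
	for (i = 0; i < slen; i++)
		if (p[i] == '\0')
			return CSTR_EMBEDDED_NUL;
	if ((s = malloc(slen + 1)) == NULL)
		return CSTR_NOMEM;
	memcpy(s, p, slen);
	s[slen] = '\0';
	*out = s;
	*consumed = 4 + (size_t)len;
	return CSTR_OK;
}
```

The sample inputs in the test below are constructed: a plain string, one with the tolerated trailing NUL, one with an embedded NUL, one with two trailing NULs (the second is embedded from the parser's point of view), and two whose length field exceeds what was received.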


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
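
The overflow the message warns about, as an added example written for this page (not OpenSSH's xcalloc(), which fatal()s on failure; this version returns NULL so it can be exercised): naive_alloc_size() shows the wrapped product that malloc(nmemb * size) would receive, mul_would_overflow() is the check, and checked_calloc() refuses zero-sized and overflowing requests before calling calloc(). The function names and the sample request in main() are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * The dangerous idiom: the byte count is computed in size_t arithmetic,
 * which wraps silently, so a huge element count can turn into a tiny
 * allocation that later code then overruns. Returned here for inspection
 * rather than passed to malloc().
 */
size_t
naive_alloc_size(size_t nmemb, size_t size)
{
	return nmemb * size;	/* wraps on overflow */
}

/* 1 if nmemb * size is not representable as a size_t. */
int
mul_would_overflow(size_t nmemb, size_t size)
{
	return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/*
 * Failure-checked calloc in the spirit of the commit: refuses zero-sized
 * and overflowing requests instead of letting them through, and reports
 * allocation failure to the caller with NULL.
 */
void *
checked_calloc(size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0)
		return NULL;		/* a zero-sized object is a caller bug here */
	if (mul_would_overflow(nmemb, size))
		return NULL;		/* would wrap: refuse rather than under-allocate */
	return calloc(nmemb, size);	/* calloc() also zero-fills the memory */
}

/* Allocate via checked_calloc() and confirm every byte is zero. Returns 1
 * on success, 0 if the allocation was refused or not zeroed. */
int
checked_calloc_is_zeroed(size_t nmemb, size_t size)
{
	unsigned char *p = checked_calloc(nmemb, size);
	size_t i, total = nmemb * size;	/* safe: checked_calloc() validated it */
	int zeroed = 1;

	if (p == NULL)
		return 0;
	for (i = 0; i < total; i++)
		if (p[i] != 0)
			zeroed = 0;
	free(p);
	return zeroed;
}

int
main(void)
{
	/* Constructed overflowing request: (SIZE_MAX/2 + 2) * 2 wraps to 2. */
	size_t huge = SIZE_MAX / 2 + 2;

	printf("naive byte count for %zu x 2: %zu\n", huge, naive_alloc_size(huge, 2));
	printf("overflow detected: %d\n", mul_would_overflow(huge, 2));
	printf("checked_calloc refused: %d\n", checked_calloc(huge, 2) == NULL);
	printf("16 x 4 zeroed: %d\n", checked_calloc_is_zeroed(16, 4));
	return 0;
}
```

With the wrapped product, malloc() would hand back a 2-byte buffer for what the caller believes is an array of 2^63+1 elements; the division-based check catches this without itself overflowing.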


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
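
The two block-based thresholds in this log, the 2^(blocksize_in_bits/4) rule above and the 1GB floor for small blocksizes from 1.109, and the 2^31 packet limit, as an added example written for this page (not OpenSSH's packet.c): newmodes_limit_blocks() is the draft rule alone, rekey_limit_blocks() applies the floor, and rekey_due() combines both counters. The 16-byte cut-off for "small" blocksizes and all function names are assumptions made here, not taken from the log.

```c
#include <stdint.h>
#include <stdio.h>

/* Thresholds from the log entries; the cut-off is an assumption for this
 * example. */
#define ASSUMED_SMALL_BLOCK_LIMIT 16	/* blocks narrower than this get the 1GB floor */
#define ONE_GB ((uint64_t)1 << 30)
#define PACKET_LIMIT ((uint64_t)1 << 31)	/* rekey before the 32-bit seqnr wraps */

/* The draft-newmodes rule alone: 2^(blocksize_in_bits/4) = 2^(blocksize*2)
 * blocks for a blocksize given in bytes. */
uint64_t
newmodes_limit_blocks(unsigned int block_size)
{
	unsigned int shift = block_size * 2;

	if (shift >= 64)
		return UINT64_MAX;	/* would overflow; effectively unlimited */
	return (uint64_t)1 << shift;
}

/* With the 1.109 floor: small blocks get 1GB worth of blocks instead of
 * the tiny count the rule alone would give (2^16 blocks for 8-byte ones). */
uint64_t
rekey_limit_blocks(unsigned int block_size)
{
	if (block_size == 0)
		return 0;		/* no cipher block: caller error */
	if (block_size < ASSUMED_SMALL_BLOCK_LIMIT)
		return ONE_GB / block_size;
	return newmodes_limit_blocks(block_size);
}

/* 1 if either counter has reached its limit and a rekey is due. */
int
rekey_due(uint64_t blocks_sent, uint64_t packets_sent, unsigned int block_size)
{
	return packets_sent >= PACKET_LIMIT ||
	    blocks_sent >= rekey_limit_blocks(block_size);
}

int
main(void)
{
	unsigned int sizes[] = { 8, 16 };	/* 3DES/blowfish vs AES block sizes */
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("block %2u: rule alone %llu blocks, enforced %llu blocks (%llu bytes)\n",
		    sizes[i],
		    (unsigned long long)newmodes_limit_blocks(sizes[i]),
		    (unsigned long long)rekey_limit_blocks(sizes[i]),
		    (unsigned long long)(rekey_limit_blocks(sizes[i]) * sizes[i]));
	printf("rekey after 2^31 packets: %d\n", rekey_due(0, PACKET_LIMIT, 16));
	return 0;
}
```

For 8-byte blocks the rule alone allows only 2^16 blocks (512KB) before rekeying, which is the cost 1.109 objects to; the floor raises that to 2^27 blocks, exactly 1GB, while 16-byte blocks keep the rule's 2^32 blocks.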


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.278 27-Dec-2018 djm

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@


Revision tags: OPENBSD_6_4_BASE
# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepare for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.277 16-Jul-2018 djm

memleaks; found by valgrind


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all used of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.276 09-Jul-2018 markus

client: switch to sshbuf API; ok djm@


# 1.275 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.274 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.273 06-Jul-2018 sf

Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.272 06-Jul-2018 sf

Remove unused ssh_packet_start_compression()

ok markus@


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
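
The receive-side ordering 1.231 describes, shown as an added example that is not OpenSSH's code: the MAC is verified over the clear packet length and the ciphertext (the EtM layout from 1.178) and compared in constant time (the timingsafe_bcmp() contract from 1.167) before any decryption runs. The keyed tag and the cipher are deliberately trivial stand-ins assumed here so the file builds without a crypto library; they are not the algorithms OpenSSH uses, and etm_send, etm_recv, ct_bcmp, toy_mac and toy_xor are names chosen for this example rather than functions in packet.c.

```c
#include <stdint.h>
#include <string.h>

#define MAC_LEN    8
#define MAX_PACKET (256 * 1024)

/* timingsafe_bcmp(3) contract: 0 when equal, non-zero otherwise, and every
 * byte is visited instead of stopping at the first mismatch like memcmp(). */
static int ct_bcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *p = a, *q = b;
	unsigned char r = 0;
	size_t i;
	for (i = 0; i < n; i++)
		r |= p[i] ^ q[i];
	return r != 0;
}

/* Stand-in keyed tag (assumption: FNV-1a over seqnr, key and data). NOT a
 * real MAC; it only lets the ordering logic below run without a crypto lib. */
static void toy_mac(const uint8_t key[16], uint32_t seqnr,
    const uint8_t *data, size_t len, uint8_t tag[MAC_LEN])
{
	uint64_t h = 0xcbf29ce484222325ULL ^ seqnr;
	size_t i;
	for (i = 0; i < 16; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
	for (i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
	for (i = 0; i < MAC_LEN; i++)
		tag[i] = (uint8_t)(h >> (8 * i));
}

/* Stand-in cipher (assumption: repeating-key XOR); encrypt == decrypt. */
static void toy_xor(const uint8_t key[16], uint8_t *buf, size_t len)
{
	size_t i;
	for (i = 0; i < len; i++)
		buf[i] ^= key[i % 16];
}

/* Sender for an *-etm MAC: clear length || E(payload) || MAC, where the MAC
 * covers seqnr, the clear length and the ciphertext. */
static size_t etm_send(const uint8_t key[16], uint32_t seqnr,
    const uint8_t *payload, uint32_t plen, uint8_t *wire)
{
	wire[0] = (uint8_t)(plen >> 24); wire[1] = (uint8_t)(plen >> 16);
	wire[2] = (uint8_t)(plen >> 8);  wire[3] = (uint8_t)plen;
	memcpy(wire + 4, payload, plen);
	toy_xor(key, wire + 4, plen);
	toy_mac(key, seqnr, wire, 4 + plen, wire + 4 + plen);
	return 4 + plen + MAC_LEN;
}

/* Receiver in the order mac_check() enforces: check the clear length, verify
 * the MAC over length+ciphertext, and only then decrypt. *decrypted records
 * whether the cipher ran at all, so a forgery can be shown never to reach it. */
static int etm_recv(const uint8_t key[16], uint32_t seqnr, const uint8_t *wire,
    size_t wirelen, uint8_t *out, uint32_t *outlen, int *decrypted)
{
	uint8_t tag[MAC_LEN];
	uint32_t plen;
	*decrypted = 0;
	if (wirelen < 4 + MAC_LEN)
		return -1;
	plen = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
	    ((uint32_t)wire[2] << 8) | (uint32_t)wire[3];
	if (plen > MAX_PACKET || (size_t)plen + 4 + MAC_LEN != wirelen)
		return -1;		/* bad length: disconnect */
	toy_mac(key, seqnr, wire, 4 + plen, tag);
	if (ct_bcmp(tag, wire + 4 + plen, MAC_LEN) != 0)
		return -2;		/* bad MAC: reject before any decryption */
	memcpy(out, wire + 4, plen);
	toy_xor(key, out, plen);	/* decrypt only after the MAC passed */
	*decrypted = 1;
	*outlen = plen;
	return 0;
}

static const uint8_t demo_key[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t demo_payload[] = "ssh-userauth";	/* constructed sample */

/* tamper == 0: an honest packet round-trips; returns 1 on success.
 * tamper == 1: one ciphertext bit is flipped; returns 1 if the receiver
 * answered -2 and the decryption step never ran. */
static int demo(int tamper)
{
	uint8_t wire[64], out[64];
	uint32_t outlen = 0;
	int dec, r;
	size_t n = etm_send(demo_key, 3, demo_payload, sizeof(demo_payload), wire);
	if (tamper)
		wire[6] ^= 0x01;
	r = etm_recv(demo_key, 3, wire, n, out, &outlen, &dec);
	if (tamper)
		return r == -2 && dec == 0;
	return r == 0 && dec == 1 && outlen == sizeof(demo_payload) &&
	    memcmp(out, demo_payload, outlen) == 0;
}
```

demo(0) returns 1 for the honest round trip. demo(1) flips one ciphertext bit and returns 1 only because etm_recv() came back with -2 while the decrypted flag was still 0, which is the property 1.231 is after: a forged packet never reaches the cipher, so the decryption step cannot serve as an oracle. A main() that calls both is all that is needed to run it stand-alone.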


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
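
What buffer_get_cstring() guards against, as an added example that is not OpenSSH's code: a length-prefixed SSH string accessor with bounds checks next to a cstring accessor that refuses embedded NULs and, on request, tolerates the single trailing NUL mentioned in the footnote above. The struct rbuf cursor, the function names and the sample fields are constructed for this example and are not the Buffer or sshbuf API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read cursor over a received buffer (assumption: stand-in for Buffer/sshbuf). */
struct rbuf {
	const uint8_t *data;
	size_t len, off;
};

static int get_u32(struct rbuf *b, uint32_t *v)
{
	const uint8_t *p = b->data + b->off;
	if (b->len - b->off < 4)
		return -1;
	*v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	b->off += 4;
	return 0;
}

/* SSH "string" (RFC 4251): uint32 length, then that many bytes. Returns a
 * pointer into the buffer once the declared length is known to be present;
 * the cursor is left untouched on failure. */
static int get_string_ptr(struct rbuf *b, const uint8_t **s, size_t *slen)
{
	size_t save = b->off;
	uint32_t n;
	if (get_u32(b, &n) != 0)
		return -1;
	if (n > b->len - b->off) {	/* claims more bytes than we hold */
		b->off = save;
		return -1;
	}
	*s = b->data + b->off;
	*slen = n;
	b->off += n;
	return 0;
}

/* For fields that will meet string(3) functions: refuse any embedded NUL so
 * "root\0evil" cannot compare equal to "root" while carrying extra bytes.
 * With allow_trailing_nul, one NUL as the final byte is tolerated and dropped
 * (the concession in the footnote above). Returns a malloc'd C string, or
 * NULL with the cursor unchanged. */
static char *get_cstring(struct rbuf *b, int allow_trailing_nul)
{
	size_t save = b->off, n, eff;
	const uint8_t *s;
	char *r;
	if (get_string_ptr(b, &s, &n) != 0)
		return NULL;
	eff = (allow_trailing_nul && n > 0 && s[n - 1] == '\0') ? n - 1 : n;
	if (memchr(s, '\0', eff) != NULL || (r = malloc(eff + 1)) == NULL) {
		b->off = save;		/* embedded NUL (or no memory): reject */
		return NULL;
	}
	memcpy(r, s, eff);
	r[eff] = '\0';
	return r;
}

/* Constructed fields: "root\0evil" (length 9), "root\0" (length 5), and one
 * that declares 100 bytes but carries 2. */
static const uint8_t demo_hostile[] = { 0, 0, 0, 9, 'r', 'o', 'o', 't', 0, 'e', 'v', 'i', 'l' };
static const uint8_t demo_trailing[] = { 0, 0, 0, 5, 'r', 'o', 'o', 't', 0 };
static const uint8_t demo_short[] = { 0, 0, 0, 100, 'h', 'i' };

/* Raw accessor: returns the string length it reports, or -1 if refused. */
static long demo_raw(const uint8_t *field, size_t fieldlen)
{
	struct rbuf b = { field, fieldlen, 0 };
	const uint8_t *s;
	size_t n;
	if (get_string_ptr(&b, &s, &n) != 0)
		return b.off == 0 ? -1 : -2;	/* -2 would mean a cursor leak */
	return (long)n;
}

/* cstring accessor: returns 1 if the outcome is `expect`, where NULL means
 * "rejected, cursor reset" and a string means "accepted as exactly this". */
static int demo_cstring(const uint8_t *field, size_t fieldlen, int allow, const char *expect)
{
	struct rbuf b = { field, fieldlen, 0 };
	char *s = get_cstring(&b, allow);
	int ok;
	if (expect == NULL)
		ok = (s == NULL && b.off == 0);
	else
		ok = (s != NULL && strcmp(s, expect) == 0 && b.off == fieldlen);
	free(s);
	return ok;
}

int main(void)
{
	printf("raw=%ld rejected=%d trailing_ok=%d\n",
	    demo_raw(demo_hostile, sizeof(demo_hostile)),
	    demo_cstring(demo_hostile, sizeof(demo_hostile), 1, NULL),
	    demo_cstring(demo_trailing, sizeof(demo_trailing), 1, "root"));
	return 0;
}
```

The raw accessor hands back all nine bytes of "root\0evil", so anything that later runs strcmp() on it sees only "root"; the cstring accessor rejects the same field and resets the cursor, so the caller can disconnect instead of continuing with a half-consumed packet. With the trailing-NUL tolerance switched off, "root\0" is rejected as well.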


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@
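
The framing rules behind the padding check in 1.158 and the SSH2 packet format introduced in 1.25, as an added example that is not OpenSSH's code: build an RFC 4253 binary packet from a payload and parse one back, reporting the packet_length and padding_length faults that packet.c answers with a disconnect. frame_packet, parse_packet, the PKT_* codes and the deterministic demo_rnd padding source are names and assumptions made for this example; the CBC-specific 256K read-ahead from 1.159 is not modelled.

```c
#include <stdint.h>
#include <string.h>

#define MIN_PADDING 4
#define MAX_PACKET  (256 * 1024)
enum { PKT_OK = 0, PKT_SHORT = -1, PKT_BAD_LENGTH = -2, PKT_BAD_ALIGN = -3, PKT_BAD_PADDING = -4 };

/* RFC 4253 section 6 framing: uint32 packet_length | byte padding_length |
 * payload | random padding. packet_length counts everything after itself,
 * the whole packet is a multiple of the block size (at least 8) and there
 * are at least 4 padding bytes. Returns the framed size, 0 if it won't fit. */
static size_t frame_packet(const uint8_t *payload, size_t plen, size_t block,
    uint8_t *out, size_t outcap, uint32_t (*rnd)(void))
{
	size_t padlen, total, i;
	uint32_t packet_length;
	if (block < 8)
		block = 8;
	padlen = block - ((4 + 1 + plen) % block);
	if (padlen < MIN_PADDING)
		padlen += block;
	total = 4 + 1 + plen + padlen;
	if (plen > MAX_PACKET || padlen > 255 || total > outcap)
		return 0;
	packet_length = (uint32_t)(1 + plen + padlen);
	out[0] = (uint8_t)(packet_length >> 24); out[1] = (uint8_t)(packet_length >> 16);
	out[2] = (uint8_t)(packet_length >> 8);  out[3] = (uint8_t)packet_length;
	out[4] = (uint8_t)padlen;
	memcpy(out + 5, payload, plen);
	for (i = 0; i < padlen; i++)
		out[5 + plen + i] = (uint8_t)rnd();	/* padding bytes come from rnd() */
	return total;
}

/* Parse one decrypted packet. Each failure is a case packet.c answers with
 * packet_disconnect(): packet_length out of range or not block-aligned,
 * padding_length below 4 or bigger than the packet can hold. */
static int parse_packet(const uint8_t *in, size_t inlen, size_t block,
    const uint8_t **payload, size_t *plen)
{
	uint32_t packet_length;
	if (block < 8)
		block = 8;
	if (inlen < 5)
		return PKT_SHORT;
	packet_length = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
	    ((uint32_t)in[2] << 8) | (uint32_t)in[3];
	if (packet_length < 1 + MIN_PADDING || packet_length > MAX_PACKET)
		return PKT_BAD_LENGTH;
	if ((4 + (size_t)packet_length) % block != 0)
		return PKT_BAD_ALIGN;
	if (4 + (size_t)packet_length != inlen)
		return PKT_SHORT;
	if (in[4] < MIN_PADDING || (size_t)in[4] + 1 > packet_length)
		return PKT_BAD_PADDING;
	*payload = in + 5;
	*plen = packet_length - 1 - in[4];
	return PKT_OK;
}

/* Deterministic padding source (assumption: test stand-in for arc4random()). */
static uint32_t demo_rnd(void)
{
	static uint32_t s = 12345;
	s = s * 1103515245u + 12345u;
	return s >> 16;
}

static const uint8_t demo_payload[5] = { 'h', 'e', 'l', 'l', 'o' };	/* constructed */

/* Frame "hello" for 16-byte blocks (4+1+5 = 10 bytes, so 6 padding bytes make
 * a 16-byte packet), optionally corrupt one field, and return the parser's
 * verdict. corrupt 0: intact; 1: padding_length := 2 (below the minimum);
 * 2: packet_length := 13 (no longer block-aligned). */
static int demo_parse(int corrupt)
{
	uint8_t pkt[32];
	const uint8_t *p;
	size_t n, plen;
	int r;
	n = frame_packet(demo_payload, sizeof(demo_payload), 16, pkt, sizeof(pkt), demo_rnd);
	if (n != 16 || pkt[4] != 6)
		return -100;			/* framing itself went wrong */
	if (corrupt == 1)
		pkt[4] = 2;
	else if (corrupt == 2)
		pkt[3] = 13;
	r = parse_packet(pkt, n, 16, &p, &plen);
	if (r == PKT_OK && (plen != 5 || memcmp(p, demo_payload, 5) != 0))
		return -101;			/* parsed, but payload mismatch */
	return r;
}
```

demo_parse(0) yields PKT_OK with the original five payload bytes, demo_parse(1) yields PKT_BAD_PADDING and demo_parse(2) yields PKT_BAD_ALIGN; each non-zero verdict is a point where the real code would disconnect rather than keep reading, which is what 1.158 extends to padding errors. A main() that calls demo_parse() for 0, 1 and 2 is all that is needed to run it stand-alone.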


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.271 01-Jun-2018 djm

make ssh_remote_ipaddr() capable of being called after the ssh->state
has been torn down; bz#2773


# 1.270 25-May-2018 dtucker

If select() fails in ssh_packet_read_seqnr go directly to the error path
instead of trying to read from the socket on the way out, which resets
errno and causes the true error to be misreported. ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch from
Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
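
An added example of the check described in 1.169, not OpenSSH's own code: get_cstring_checked() is a hypothetical stand-in for buffer_get_cstring() that parses one SSH wire string (uint32 big-endian length, then that many bytes), rejects embedded NULs and, as the footnote says, still tolerates a single trailing NUL. The wire strings in main() are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH code.  get_cstring_checked() is a hypothetical
 * stand-in for buffer_get_cstring(): it pulls one SSH "string" out of a byte
 * buffer and refuses to hand back anything a string(3) function would
 * silently truncate at the first NUL.
 */
enum {
	GS_OK = 0,
	GS_TRUNCATED = -1,	/* length field runs past the end of the buffer */
	GS_EMBEDDED_NUL = -2,	/* a NUL inside the string */
	GS_TOO_LONG = -3	/* does not fit the caller's buffer */
};

int
get_cstring_checked(const unsigned char *buf, size_t buflen, size_t *off,
    char *out, size_t outsz)
{
	const unsigned char *s;
	uint32_t len;
	size_t i, n;

	if (*off > buflen || buflen - *off < 4)
		return GS_TRUNCATED;
	len = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	if (len > buflen - *off - 4)	/* never trust the peer's length */
		return GS_TRUNCATED;
	s = buf + *off + 4;
	n = len;
	/* As the commit describes: tolerate exactly one NUL at the very end. */
	if (n > 0 && s[n - 1] == '\0')
		n--;
	for (i = 0; i < n; i++)
		if (s[i] == '\0')
			return GS_EMBEDDED_NUL;
	if (n >= outsz)
		return GS_TOO_LONG;
	memcpy(out, s, n);
	out[n] = '\0';
	*off += 4 + len;	/* consume the whole wire string, trailing NUL included */
	return GS_OK;
}

int
main(void)
{
	/* constructed wire string "root\0x": strcmp() would only ever see "root" */
	const unsigned char wire[] = { 0, 0, 0, 6, 'r', 'o', 'o', 't', 0, 'x' };
	char name[16];
	size_t off = 0;

	printf("result: %d\n",
	    get_cstring_checked(wire, sizeof wire, &off, name, sizeof name));
	return 0;
}
```

The length check comes before any byte of the string is read, so a peer cannot make the parser walk off the end of the buffer; the embedded-NUL check comes before the copy, so the caller never sees a string whose tail is hidden behind a NUL.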


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
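
The constant-time comparison introduced in 1.167 (renamed timingsafe_bcmp() in 1.168), shown here as an added example that is not OpenSSH's code: leaky_bcmp() and ct_bcmp() are hypothetical names, and both report how many bytes they examined so the leak the commit closes is visible. The inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not OpenSSH code: a constant-time comparison in the spirit
 * of timingsafe_bcmp(3), next to an instrumented memcmp()-style comparison.
 * Both report how many bytes they examined; for the short-circuiting version
 * that count is exactly what a remote attacker measuring latency learns.
 */

/* memcmp()-style: stops at the first differing byte. */
int
leaky_bcmp(const void *a, const void *b, size_t n, size_t *examined)
{
	const unsigned char *p = a, *q = b;
	size_t i;

	for (i = 0; i < n; i++) {
		if (p[i] != q[i]) {
			*examined = i + 1;	/* leaks the index of the first mismatch */
			return 1;
		}
	}
	*examined = n;
	return 0;
}

/*
 * Constant-time: every byte is read and the XOR differences are folded with
 * OR, so neither the loop count nor the branch pattern depends on the data.
 * volatile discourages the compiler from re-introducing an early exit.
 * Returns 0 if equal, nonzero otherwise (never a sign, unlike memcmp()).
 */
int
ct_bcmp(const void *a, const void *b, size_t n, size_t *examined)
{
	const volatile unsigned char *p = a, *q = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p[i] ^ q[i];
	*examined = n;
	return acc != 0;
}

int
main(void)
{
	/* constructed inputs: a good tag and two forgeries differing early/late */
	const char good[] = "ABCDEFGH", early[] = "XBCDEFGH", late[] = "ABCDEFGX";
	size_t ex;

	leaky_bcmp(good, early, 8, &ex);
	printf("leaky, early mismatch: examined %zu bytes\n", ex);
	leaky_bcmp(good, late, 8, &ex);
	printf("leaky, late mismatch:  examined %zu bytes\n", ex);
	ct_bcmp(good, early, 8, &ex);
	printf("constant-time:         examined %zu bytes\n", ex);
	return 0;
}
```

With a MAC tag as the second argument, the leaky version lets a peer brute-force the tag one byte at a time by watching which guesses take slightly longer; the constant-time version gives every guess the same cost.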


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
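
The two automatic rekey triggers from this message, together with the 1 GB cap that 1.109 later adds for small block sizes, as an added example that is not OpenSSH's code: rekey_state, rekey_max_blocks() and rekey_account() are hypothetical names. A user-supplied RekeyLimit in bytes, when given, only ever lowers the cipher's default.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSH code: (a) rekey after 2^31 packets, half the
 * 32-bit sequence number space, and (b) rekey after 2^(blocksize_in_bits/4)
 * cipher blocks, with the 1 GB cap from 1.109 for ciphers with blocks smaller
 * than 16 bytes.  All names are hypothetical.
 */
#define REKEY_PACKET_LIMIT	((uint64_t)1 << 31)

struct rekey_state {
	unsigned	block_size;	/* cipher block size in bytes */
	uint64_t	packets;	/* packets sent since the last NEWKEYS */
	uint64_t	blocks;		/* cipher blocks sent since the last NEWKEYS */
	uint64_t	max_blocks;	/* rekey once blocks reaches this */
};

/*
 * (b): 2^(block_bits/4) == 2^(block_size*2) blocks.  For a 64-bit block
 * cipher that is only 2^16 * 8 = 512 KB of traffic, so small blocks get a
 * flat 1 GB instead.
 */
uint64_t
rekey_max_blocks(unsigned block_size)
{
	if (block_size >= 16) {
		if (block_size * 2 >= 64)	/* avoid an undefined shift */
			return UINT64_MAX;
		return (uint64_t)1 << (block_size * 2);
	}
	return ((uint64_t)1 << 30) / block_size;
}

/* user_limit_bytes == 0 means "use the cipher default" */
void
rekey_state_init(struct rekey_state *st, unsigned block_size,
    uint64_t user_limit_bytes)
{
	st->block_size = block_size;
	st->packets = st->blocks = 0;
	st->max_blocks = rekey_max_blocks(block_size);
	if (user_limit_bytes != 0) {
		uint64_t user_blocks = user_limit_bytes / block_size;
		if (user_blocks < st->max_blocks)
			st->max_blocks = user_blocks;
	}
}

/* Account for a packet of len bytes about to go out; nonzero = start KEX. */
int
rekey_account(struct rekey_state *st, size_t len)
{
	st->packets++;
	st->blocks += (len + st->block_size - 1) / st->block_size;	/* round up */
	return st->packets >= REKEY_PACKET_LIMIT || st->blocks >= st->max_blocks;
}

int
main(void)
{
	struct rekey_state st;

	rekey_state_init(&st, 8, 0);
	printf("64-bit block cipher:  rekey after %llu blocks (%llu MB)\n",
	    (unsigned long long)st.max_blocks,
	    (unsigned long long)(st.max_blocks * 8 >> 20));
	rekey_state_init(&st, 16, 0);
	printf("128-bit block cipher: rekey after %llu blocks (%llu GB)\n",
	    (unsigned long long)st.max_blocks,
	    (unsigned long long)(st.max_blocks * 16 >> 30));
	return 0;
}
```

Both counters are reset when the new keys take effect; the packet counter must trip well before the sequence number wraps, because a wrapped sequence number under the same key is what the MAC relies on never happening.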


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.269 18-Dec-2017 djm

pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth
unprivileged child processes; ok markus@


# 1.268 10-Dec-2017 dtucker

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 1.267 25-Nov-2017 dtucker

Add monotime_ts and monotime_tv that return monotonic timespec and
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@


# 1.266 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.265 13-Oct-2017 djm

log debug messages sent to peer; ok deraadt markus


Revision tags: OPENBSD_6_2_BASE
# 1.264 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.263 23-Jul-2017 djm

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@


# 1.262 24-Jun-2017 djm

don't pass pointer to struct sshcipher between privsep processes,
just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker


# 1.261 09-Jun-2017 dtucker

Add comments referring to the relevant RFC sections for rekeying
behaviour.


# 1.260 06-Jun-2017 dtucker

Fix compression output stats broken in rev 1.201. Patch originally by
Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@


# 1.259 01-Jun-2017 djm

some warnings spotted by clang; ok markus@


# 1.258 31-May-2017 deraadt

These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio


# 1.257 31-May-2017 markus

clear session keys from memory; ok djm@


# 1.256 08-May-2017 djm

helps if I commit the correct version of the file. fix missing
return statement.


# 1.255 08-May-2017 djm

I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@


# 1.254 07-May-2017 djm

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@


# 1.253 03-May-2017 naddy

remove miscellaneous SSH1 leftovers; ok markus@


# 1.252 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.251 30-Apr-2017 djm

remove the (in)famous SSHv1 CRC compensation attack detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus


# 1.250 30-Apr-2017 djm

remove SSHv1 support from packet and buffer APIs

ok markus@


# 1.249 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


# 1.248 30-Apr-2017 djm

unifdef WITH_SSH1
ok markus@


Revision tags: OPENBSD_6_1_BASE
# 1.247 11-Mar-2017 markus

Don't count the initial block twice when computing how many bytes
to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL


# 1.246 28-Feb-2017 djm

small memleak: free fd_set on connection timeout (though we are heading to
exit anyway). From Tom Rix in bz#2683


# 1.245 03-Feb-2017 djm

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 1.244 03-Feb-2017 dtucker

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@


# 1.243 11-Oct-2016 djm

Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@


# 1.242 30-Sep-2016 markus

ssh proxy mux mode (-O proxy; idea from Simon Tatham):
- mux client speaks the ssh-packet protocol directly over unix-domain socket.
- mux server acts as a proxy, translates channel IDs and relays to the server.
- no filedescriptor passing necessary.
- combined with unix-domain forwarding it's even possible to run mux client
and server on different machines.
feedback & ok djm@


# 1.241 28-Sep-2016 djm

put back some pre-auth zlib bits that I shouldn't have removed -
they are still used by the client. Spotted by naddy@


# 1.240 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.239 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.238 19-Sep-2016 markus

move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@


# 1.237 12-Sep-2016 deraadt

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 1.236 06-Sep-2016 markus

ssh_set_newkeys: print correct block counters on rekeying; ok djm@


# 1.235 03-Aug-2016 djm

small refactor of cipher.c: make ciphercontext opaque to callers
feedback and ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.234 18-Jul-2016 markus

Reduce timing attack against obsolete CBC modes by always computing
the MAC over a fixed size of data.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. ok djm@


# 1.233 18-Jul-2016 djm

Add some unsigned overflow checks for extra_pad. None of these
are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@


# 1.232 15-Jul-2016 dtucker

Reduce the syslog level of some relatively common protocol events
from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@


# 1.231 08-Jul-2016 djm

Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
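
An added example (not OpenSSH's code) covering both the EtM packet layout from 1.178 and the check ordering from this commit: the MAC is computed over the sequence number, the cleartext length and the ciphertext, and the receiver verifies it before any decryption happens. toy_crypt() and toy_mac() are deliberately non-cryptographic FNV-based stand-ins for the real cipher and HMAC so that the framing and the ordering can run stand-alone; every name here is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenSSH code: the EtM framing from 1.178 (cleartext
 * length; MAC over seqnr || length || ciphertext) and the receive ordering
 * from 1.231 (verify the MAC, only then decrypt).  toy_crypt()/toy_mac() are
 * NOT cryptographic, just FNV-based stand-ins so the framing and the check
 * order run stand-alone.  All names are hypothetical. */
#define BLOCK_SIZE 8
#define MAC_LEN 8
#define FNV_INIT 14695981039346656037ULL
unsigned g_decrypt_calls;	/* how often the "cipher" ran on received data */

static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		h = (h ^ p[i]) * 1099511628211ULL;
	return h;
}
static void put_u32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* toy stream cipher: XOR each byte with a (key, seqnr, offset) keystream byte */
static void toy_crypt(const uint8_t key[16], uint32_t seqnr, uint8_t *buf, size_t n)
{
	uint8_t in[8];
	for (size_t i = 0; i < n; i++) {
		put_u32(in, seqnr);
		put_u32(in + 4, (uint32_t)i);
		buf[i] ^= (uint8_t)fnv1a(fnv1a(FNV_INIT, key, 16), in, 8);
	}
}
/* toy MAC over seqnr || data; writes 8 big-endian tag bytes */
static void toy_mac(const uint8_t key[16], uint32_t seqnr, const uint8_t *p,
    size_t n, uint8_t tag[MAC_LEN])
{
	uint8_t sq[4];
	put_u32(sq, seqnr);
	uint64_t h = fnv1a(fnv1a(fnv1a(fnv1a(FNV_INIT, key, 16), sq, 4), p, n), key, 16);
	for (int i = 0; i < MAC_LEN; i++)
		tag[i] = (uint8_t)(h >> (56 - 8 * i));
}

/* Sender: uint32 packet_length (clear) || E(padlen || payload || pad) || MAC */
int etm_seal(const uint8_t ekey[16], const uint8_t mkey[16], uint32_t seqnr,
    const uint8_t *payload, size_t plen, uint8_t *out, size_t outsz, size_t *outlen)
{
	size_t pad = BLOCK_SIZE - (1 + plen) % BLOCK_SIZE;
	if (pad < 4)	/* the protocol requires at least four padding bytes */
		pad += BLOCK_SIZE;
	uint32_t packet_length = (uint32_t)(1 + plen + pad);
	if (4 + packet_length + MAC_LEN > outsz)
		return -1;
	put_u32(out, packet_length);
	out[4] = (uint8_t)pad;
	memcpy(out + 5, payload, plen);
	memset(out + 5 + plen, 0x5a, pad);	/* real code uses random padding */
	toy_crypt(ekey, seqnr, out + 4, packet_length);	/* the length stays clear */
	toy_mac(mkey, seqnr, out, 4 + packet_length, out + 4 + packet_length);
	*outlen = 4 + packet_length + MAC_LEN;
	return 0;
}

/* Receiver: 0 ok, -1 malformed, -2 bad MAC (the cipher never runs), -3 bad pad.
 * payload is used as scratch and must hold packet_length bytes. */
int etm_open(const uint8_t ekey[16], const uint8_t mkey[16], uint32_t seqnr,
    const uint8_t *in, size_t inlen, uint8_t *payload, size_t paysz, size_t *plen)
{
	uint8_t expect[MAC_LEN], diff = 0;
	if (inlen < 4 + MAC_LEN)
		return -1;
	uint32_t packet_length = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
	    ((uint32_t)in[2] << 8) | in[3];
	if (packet_length < 5 || packet_length % BLOCK_SIZE != 0 ||
	    packet_length > inlen - 4 - MAC_LEN || packet_length > paysz)
		return -1;
	/* 1. MAC first (constant-time compare) over clear length + ciphertext */
	toy_mac(mkey, seqnr, in, 4 + packet_length, expect);
	for (size_t i = 0; i < MAC_LEN; i++)
		diff |= expect[i] ^ in[4 + packet_length + i];
	if (diff != 0)
		return -2;
	/* 2. only authenticated bytes ever reach the decryption step */
	memcpy(payload, in + 4, packet_length);
	g_decrypt_calls++;
	toy_crypt(ekey, seqnr, payload, packet_length);
	size_t pad = payload[0];
	if (pad < 4 || pad + 1 > packet_length)
		return -3;
	*plen = packet_length - 1 - pad;
	memmove(payload, payload + 1, *plen);
	return 0;
}
```

g_decrypt_calls stays unchanged when a forged packet, or a replay under a different sequence number, is rejected: that is the property this commit restores for EtM, since a peer that can observe whether decryption was attempted learns nothing from a packet whose MAC fails.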


# 1.230 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.229 17-Feb-2016 djm

rekey refactor broke SSH1; spotted by Tom G. Christensen


# 1.228 08-Feb-2016 djm

refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing so it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
from Aleksander Adamowski in bz#2521; ok markus@


# 1.227 04-Feb-2016 djm

printf argument casts to avoid warnings on strict compilers


# 1.226 29-Jan-2016 djm

include packet type of non-data packets in debug3 output;
ok markus dtucker


# 1.225 29-Jan-2016 dtucker

Revert "account for packets buffered but not yet processed" change as it
breaks for very small RekeyLimit values due to continuous rekeying. ok djm@


# 1.224 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.223 29-Jan-2016 dtucker

Account for packets buffered but not yet processed when computing whether or
not it is time to perform rekeying. bz#2521, based loosely on a patch from
olo at fb.com, ok djm@


# 1.222 14-Jan-2016 markus

remove roaming support; ok djm@


# 1.221 11-Dec-2015 mmcc

Remove NULL-checks before sshbuf_free().

ok djm@


# 1.220 11-Dec-2015 djm

include remote port number in a few more messages; makes tying log
messages together into a session a bit easier; bz#2503 ok dtucker@


# 1.219 10-Dec-2015 mmcc

Remove NULL-checks before free().

ok dtucker@


# 1.218 04-Dec-2015 markus

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@


# 1.217 08-Nov-2015 djm

fix OOB read in packet code caused by missing return statement
found by Ben Hawkes; ok markus@ deraadt@


# 1.216 21-Oct-2015 gsoares

fix memory leak in error path
ok djm@


# 1.215 21-Sep-2015 djm

fix possible hang on closed output; bz#2469 reported by Tomas Kuthan
ok markus@


# 1.214 20-Aug-2015 deraadt

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert


Revision tags: OPENBSD_5_8_BASE
# 1.213 29-Jul-2015 djm

include the peer's offer when logging a failure to negotiate a
mutual set of algorithms (kex, pubkey, ciphers, etc.)
ok markus@


# 1.212 01-May-2015 djm

refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better
report error conditions. Teach sshpkt_fatal() about ECONNRESET.

Improves error messages on TCP connection resets. bz#2257

ok dtucker@


# 1.211 27-Apr-2015 djm

fix compilation with OPENSSL=no; ok dtucker@


# 1.210 24-Mar-2015 markus

don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@


# 1.209 11-Mar-2015 jsg

add back the changes from rev 1.206, djm reverted this by mistake in
rev 1.207


Revision tags: OPENBSD_5_7_BASE
# 1.208 13-Feb-2015 markus

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@


# 1.207 11-Feb-2015 djm

Some packet error messages show the address of the peer, but might be
generated after the socket to the peer has suffered a TCP reset. In
these cases, getpeername() won't work so cache the address earlier.

spotted in the wild via deraadt@ and tedu@


# 1.206 09-Feb-2015 jsg

fix some leaks in error paths
ok markus@


# 1.205 30-Jan-2015 djm

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@


# 1.204 28-Jan-2015 djm

avoid fatal() calls in packet code
makes ssh-keyscan more reliable against server failures
ok dtucker@ markus@


# 1.203 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.202 19-Jan-2015 markus

add experimental api for packet layer; ok djm@


# 1.201 19-Jan-2015 markus

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@


# 1.200 13-Jan-2015 markus

adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies
ok djm@


# 1.199 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


Revision tags: OPENBSD_5_6_BASE
# 1.198 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.197 24-Jun-2014 djm

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.


# 1.196 03-May-2014 markus

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@


# 1.195 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


# 1.194 28-Apr-2014 djm

buffer_get_string_ptr's return should be const to remind
callers that futzing with it will futz with the actual buffer
contents


# 1.193 01-Apr-2014 djm

demote a debug3 to PACKET_DEBUG; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.192 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


# 1.191 06-Dec-2013 markus

new private key format, bcrypt as KDF by default; details in PROTOCOL.key;
feedback and lots help from djm; ok djm@


# 1.190 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.189 08-Nov-2013 djm

use calloc for all structure allocations; from markus@


Revision tags: OPENBSD_5_4_BASE
# 1.188 12-Jul-2013 djm

branches: 1.188.2;
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@


# 1.187 01-Jun-2013 dtucker

Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.


# 1.186 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.185 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


# 1.184 16-May-2013 dtucker

Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm


# 1.183 19-Apr-2013 djm

add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@


# 1.182 11-Apr-2013 djm

quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@


Revision tags: OPENBSD_5_3_BASE
# 1.181 10-Feb-2013 djm

branches: 1.181.2;
record "Received disconnect" messages at ERROR rather than INFO priority,
since they are abnormal and result in a non-zero ssh exit status; patch
from Iain Morgan in bz#2057; ok dtucker@


# 1.180 08-Jan-2013 markus

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@


# 1.179 12-Dec-2012 markus

reset incoming_packet buffer for each new packet in EtM-case, too;
this happens if packets are parsed only partially (e.g. ignore
messages sent when su/sudo turn off echo); noted by sthen/millert


# 1.178 11-Dec-2012 markus

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@


# 1.177 17-Sep-2012 markus

clear old keys on rekeying; ok djm


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.176 25-Jan-2012 markus

packet_read_poll() is not used anymore.


# 1.175 25-Jan-2012 markus

do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
ok dtucker@, djm@


# 1.174 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.173 06-May-2011 djm

set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.172 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.171 05-Nov-2010 djm

whitespace KNF


# 1.170 31-Aug-2010 djm

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@


# 1.169 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
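An added C example of the check this commit describes: an SSH wire string (uint32 big-endian length, then bytes) is extracted into a NUL-terminated C string and rejected if it carries an embedded NUL, with one trailing NUL tolerated as the footnote explains. This is not OpenSSH's buffer_get_cstring(); the names get_cstring, get_cstring_status, parsed_length, the CSTR_* codes and the SAMPLE_* buffers are this example's own, and the buffers are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Result codes of this example's parser (hypothetical; not ssherr.h). */
enum { CSTR_OK = 0, CSTR_SHORT = -1, CSTR_EMBEDDED_NUL = -2, CSTR_NOMEM = -3 };

/*
 * Parse one SSH "string" from buf. On success *out receives a freshly
 * allocated C string and *consumed the number of wire bytes used.
 * A payload with an embedded NUL is refused, because a later strlen()
 * or strcmp() would silently ignore everything after it.
 */
int get_cstring(const unsigned char *buf, size_t buflen,
                char **out, size_t *consumed)
{
    uint32_t len;
    size_t i, payload;
    char *s;

    *out = NULL;
    if (buflen < 4)
        return CSTR_SHORT;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > buflen - 4)
        return CSTR_SHORT;              /* length claims more than present */

    payload = len;
    if (len > 0 && buf[4 + len - 1] == '\0')
        payload = len - 1;              /* tolerate a single trailing NUL */
    for (i = 0; i < payload; i++)
        if (buf[4 + i] == '\0')
            return CSTR_EMBEDDED_NUL;   /* would truncate in string(3) use */

    if ((s = malloc(payload + 1)) == NULL)
        return CSTR_NOMEM;
    memcpy(s, buf + 4, payload);
    s[payload] = '\0';
    *out = s;
    *consumed = 4 + (size_t)len;
    return CSTR_OK;
}

/* Status code only, for a constructed buffer. */
int get_cstring_status(const unsigned char *buf, size_t buflen)
{
    char *s = NULL;
    size_t used = 0;
    int r = get_cstring(buf, buflen, &s, &used);
    free(s);
    return r;
}

/* Length of the extracted C string, or -1 if extraction was refused. */
int parsed_length(const unsigned char *buf, size_t buflen)
{
    char *s = NULL;
    size_t used = 0;
    int n;
    if (get_cstring(buf, buflen, &s, &used) != CSTR_OK)
        return -1;
    n = (int)strlen(s);
    free(s);
    return n;
}

/* Constructed sample wire strings (not real traffic). */
static const unsigned char SAMPLE_OK[]    = { 0,0,0,4, 'u','s','e','r' };
static const unsigned char SAMPLE_NUL[]   = { 0,0,0,9, 'u','s','e','r', 0, 'r','o','o','t' };
static const unsigned char SAMPLE_TRAIL[] = { 0,0,0,5, 'u','s','e','r', 0 };
static const unsigned char SAMPLE_SHORT[] = { 0,0,0,9, 'u','s','e','r' };
```

SAMPLE_NUL is the case the commit warns about: a naive extractor would hand "user" to string(3) functions while the remaining bytes ride along unnoticed.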


Revision tags: OPENBSD_4_8_BASE
# 1.168 13-Jul-2010 djm

s/timing_safe_cmp/timingsafe_bcmp/g


# 1.167 13-Jul-2010 djm

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
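An added C example of the constant-time comparison this commit introduces, shown beside the short-circuiting form it replaces so the difference is visible. It is not OpenSSH's timingsafe_bcmp(); the names ct_bcmp, leaky_bcmp, leaky_bcmp_steps and mac_tag_matches are this example's own, and the step counter is instrumentation for illustration only.

```c
#include <stddef.h>

/*
 * Constant-time memory comparison: every byte is visited regardless of
 * where the first difference lies, so running time does not reveal the
 * length of a matching prefix. Returns 0 when equal, non-zero otherwise.
 */
int ct_bcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];   /* OR-accumulate differences; never branch */
    return acc != 0;
}

/*
 * memcmp()-style comparison that returns at the first differing byte.
 * 'steps' (hypothetical instrumentation) records how many bytes were
 * examined, which is exactly what a timing side channel would expose.
 */
int leaky_bcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;

    for (i = 0; i < n; i++) {
        if (steps != NULL)
            *steps = i + 1;
        if (pa[i] != pb[i])
            return 1;
    }
    return 0;
}

/* Number of bytes leaky_bcmp() looked at before deciding. */
size_t leaky_bcmp_steps(const void *a, const void *b, size_t n)
{
    size_t steps = 0;
    (void)leaky_bcmp(a, b, n, &steps);
    return steps;
}

/* How a packet receiver should verify a MAC tag: constant time, equal or not. */
int mac_tag_matches(const unsigned char *expected,
                    const unsigned char *received, size_t len)
{
    return ct_bcmp(expected, received, len) == 0;
}
```

The accumulator pattern matters more than the loop shape: any early `return` inside the loop, or a `&&` chain across bytes, reintroduces the data-dependent timing the commit set out to remove.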


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
# 1.166 27-Jun-2009 andreas

packet_backup_state() and packet_restore_state() will be used to
temporarily save the current state when resuming a suspended connection.
ok markus@


# 1.165 12-Jun-2009 andreas

Move some more statics into session_state
ok markus@ djm@


# 1.164 12-Jun-2009 andreas

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@


# 1.163 28-May-2009 andreas

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@


# 1.162 27-May-2009 andreas

Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@


# 1.161 25-May-2009 andreas

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@


Revision tags: OPENBSD_4_5_BASE
# 1.160 13-Feb-2009 markus

check for enc !=NULL in packet_start_discard


# 1.159 26-Jan-2009 markus

Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny


# 1.158 21-Nov-2008 markus

packet_disconnect() on padding error, too. should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.157 10-Jul-2008 markus

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@


# 1.156 04-Jul-2008 djm

handle EINTR in packet_write_poll(); ok dtucker@


# 1.155 13-Jun-2008 deraadt

compile on older gcc; no decl after code


# 1.154 12-Jun-2008 dtucker

Make keepalive timeouts apply while waiting for a packet, particularly during
key renegotiation (bz #1363). With djm and Matt Day, ok djm@


# 1.153 19-May-2008 djm

unbreak protocol keepalive timeouts bz#1465; ok dtucker@


# 1.152 08-May-2008 markus

avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.151 22-Feb-2008 dtucker

Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@


# 1.150 23-Jan-2008 dtucker

Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
elsewhere).


# 1.149 28-Dec-2007 dtucker

Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
bz #1307, ok djm@.


Revision tags: OPENBSD_4_2_BASE
# 1.148 07-Jun-2007 pvalchev

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@


# 1.147 05-Jun-2007 djm

Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5

patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)


# 1.146 31-May-2007 djm

gc unreachable code; spotted by Tavis Ormandy


Revision tags: OPENBSD_4_1_BASE
# 1.145 19-Sep-2006 markus

client NULL deref on protocol error; Tavis Ormandy, Google Security Team


Revision tags: OPENBSD_4_0_BASE
# 1.144 16-Sep-2006 djm

branches: 1.144.2;
limit maximum work performed by the CRC compensation attack detector,
problem reported by Tavis Ormandy, Google Security Team;
ok markus@ deraadt@


# 1.143 05-Aug-2006 dtucker

Typo in comment


# 1.142 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.141 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.140 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.139 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.138 25-Jul-2006 stevesk

move #include <sys/time.h> out of includes.h


# 1.137 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.136 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.135 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.134 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.133 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.132 05-Jul-2006 stevesk

move #include <netinet/in.h> out of includes.h; ok deraadt@


# 1.131 30-Mar-2006 djm

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@


# 1.130 25-Mar-2006 deraadt

remove (char *) casts to a function that accepts void * for the arg


# 1.129 25-Mar-2006 deraadt

needed casts (always will be needed)


# 1.128 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.127 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.126 22-Mar-2006 djm

remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
prompted by NetBSD Coverity report via elad AT netbsd.org;
feedback markus@ "nuke it" deraadt@


# 1.125 20-Mar-2006 deraadt

spacing


# 1.124 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.123 19-Mar-2006 deraadt

RCSID() can die


# 1.122 13-Mar-2006 dtucker

Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
poor performance and protocol stalls under some network conditions (mindrot
bugs #556 and #981). Patch originally from markus@, ok djm@


Revision tags: OPENBSD_3_9_BASE
# 1.121 08-Feb-2006 stevesk

branches: 1.121.2;
move #include <netinet/in_systm.h> and <netinet/ip.h> out of
includes.h; ok markus@


# 1.120 30-Oct-2005 djm

no need to escape single quotes in comments, no binary change


Revision tags: OPENBSD_3_8_BASE
# 1.119 28-Jul-2005 markus

branches: 1.119.2;
missing packet_init_compression(); from solar


# 1.118 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.117 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


Revision tags: OPENBSD_3_7_BASE
# 1.116 20-Oct-2004 markus

branches: 1.116.2;
disconnect for invalid (out of range) message types.


Revision tags: OPENBSD_3_6_BASE
# 1.115 21-Jun-2004 avsm

branches: 1.115.2;
make ssh -Wshadow clean, no functional changes
markus@ ok


# 1.114 14-Jun-2004 djm

set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@


# 1.113 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


Revision tags: OPENBSD_3_5_BASE
# 1.112 23-Sep-2003 markus

branches: 1.112.2;
replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


# 1.111 19-Sep-2003 markus

do not call packet_close on fatal; ok deraadt


# 1.110 19-Sep-2003 markus

buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471


Revision tags: OPENBSD_3_4_BASE
# 1.109 10-Jul-2003 markus

branches: 1.109.2;
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.


# 1.108 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.107 10-Jun-2003 deraadt

mostly ansi cleanup; pval ok


# 1.106 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


# 1.105 02-Apr-2003 markus

reapply rekeying change, tested by henning@, ok djm@


# 1.104 01-Apr-2003 markus

backout rekeying changes (for 3.6.1)


# 1.103 01-Apr-2003 markus

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
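An added C example of the rekeying thresholds described in this commit and in rev 1.109 above (the 1GB floor for small block sizes). It is not OpenSSH's code: rekey_max_blocks, rekey_blocks_with_limit and need_rekey are this example's own names, block sizes are in bytes, and the 16-byte cutoff below which the 1GB floor applies is this example's assumption.

```c
#include <stdint.h>

/* (a) the per-direction sequence number wraps after 2^32 packets;
 * rekey at half that, as the commit states. */
#define REKEY_PACKET_LIMIT ((uint64_t)1 << 31)

/*
 * (b) cipher-derived block limit: 2^(block_bits/4) = 2^(2 * block_size).
 * For AES (16 bytes) that is 2^32 blocks; for 3DES/blowfish (8 bytes) it
 * would be only 2^16 blocks (512 KiB), so rev 1.109 enforces a 1 GiB
 * floor for small block sizes instead.
 */
uint64_t rekey_max_blocks(uint32_t block_size)
{
    if (block_size >= 32)
        return UINT64_MAX;                 /* 2^64 would overflow; treat as unbounded */
    if (block_size >= 16)
        return (uint64_t)1 << (2 * block_size);
    return ((uint64_t)1 << 30) / block_size; /* 1 GiB expressed in blocks */
}

/*
 * A user-configured RekeyLimit (bytes; 0 = not set) can only lower the
 * cipher-derived limit, never raise it above what the cipher allows.
 */
uint64_t rekey_blocks_with_limit(uint32_t block_size, uint64_t rekey_limit_bytes)
{
    uint64_t max = rekey_max_blocks(block_size);
    if (rekey_limit_bytes != 0) {
        uint64_t lim = rekey_limit_bytes / block_size;
        if (lim < max)
            max = lim;
    }
    return max;
}

/*
 * Decision the packet layer makes from its per-direction counters:
 * rekey when either the packet count or the block count crosses its limit.
 */
int need_rekey(uint32_t block_size, uint64_t rekey_limit_bytes,
               uint64_t packets, uint64_t blocks)
{
    return packets > REKEY_PACKET_LIMIT ||
           blocks > rekey_blocks_with_limit(block_size, rekey_limit_bytes);
}
```

Keeping the counters per direction, as the commit messages imply, matters because a busy download direction must trigger rekeying even when the upload direction is nearly idle.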


Revision tags: OPENBSD_3_3_BASE
# 1.102 10-Dec-2002 markus

branches: 1.102.2;
static


# 1.101 10-Dec-2002 markus

move tos handling to packet_set_tos; ok provos/henning/deraadt


# 1.100 21-Nov-2002 markus

debug->debug2, unify debug messages


# 1.99 04-Nov-2002 markus

log before send disconnect; ok djm@


# 1.98 23-Oct-2002 markus

use %u for u_int


Revision tags: OPENBSD_3_2_BASE
# 1.97 04-Jul-2002 deraadt

branches: 1.97.2;
blah blah minor nothing as i read and re-read and re-read...


# 1.96 23-Jun-2002 deraadt

packet_get_int() returns unsigned for reason & seqnr


# 1.95 19-Jun-2002 markus

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this still depends on EVP
implementation details and is broken).


# 1.94 04-Jun-2002 markus

remove __FUNCTION__


Revision tags: OPENBSD_3_1_BASE
# 1.93 24-Mar-2002 markus

branches: 1.93.2;
debug->debug3 for extra padding


# 1.92 19-Mar-2002 markus

KNF whitespace


# 1.91 18-Mar-2002 markus

export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep


# 1.90 27-Feb-2002 stevesk

remove unneeded casts in [gs]etsockopt(); ok markus@


# 1.89 24-Feb-2002 markus

make 'cp' unsigned and merge with 'ucp'; ok stevesk@


# 1.88 14-Feb-2002 markus

hide some more implementation details of cipher.[ch] and prepares for move
to EVP, ok deraadt@


# 1.87 24-Jan-2002 stevesk

need misc.h for set_nodelay()


# 1.86 24-Jan-2002 stevesk

add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning).
no nagle changes just yet; ok djm@ markus@


# 1.85 18-Jan-2002 stevesk

unneeded cast cleanup; ok markus@


# 1.84 11-Jan-2002 markus

handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@


# 1.83 29-Dec-2001 stevesk

remove unneeded casts and some char->u_char cleanup; ok markus@


# 1.82 28-Dec-2001 markus

packet_read* no longer return the packet length, since it's not used.


# 1.81 28-Dec-2001 markus

buffer_get_bignum: int -> void


# 1.80 28-Dec-2001 markus

packet_get_bignum* no longer returns a size


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 27-Dec-2001 markus

get rid of packet_integrity_check, use packet_done() instead.


# 1.77 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.76 19-Dec-2001 stevesk

change the buffer/packet interface to use void* vs. char*; ok markus@


# 1.75 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.74 05-Dec-2001 deraadt

minor KNF


# 1.73 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.72 10-Nov-2001 markus

remove extra debug()


# 1.71 07-Nov-2001 markus

pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.


Revision tags: OPENBSD_3_0_BASE
# 1.70 27-Sep-2001 markus

branches: 1.70.2;
missing called=1; chombier@mac.com


# 1.69 25-Jun-2001 markus

update copyright for 2001


# 1.68 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.67 20-Jun-2001 markus

move from channel_stop_listening to channel_free_all,
call channel_free_all before calling waitpid() in serverloop.
fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE


# 1.66 12-Jun-2001 markus

do not log() packet_set_maxsize


# 1.65 07-Jun-2001 markus

use xxx_put_cstring()


# 1.64 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.63 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.62 28-May-2001 markus

remove some lines, simplify.


Revision tags: OPENBSD_2_9_BASE
# 1.61 05-Apr-2001 markus

branches: 1.61.2;
fix whitespace: unexpand + trailing spaces.


# 1.60 05-Apr-2001 markus

reset compress state per direction when rekeying.


# 1.59 04-Apr-2001 markus

clear+free keys,iv for rekeying.
+ fix DH mem leaks. ok niels@


# 1.58 04-Apr-2001 markus

don't send multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.


# 1.57 03-Apr-2001 markus

undo parts of my recent changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).

add some infrastructure for re-keying.


# 1.56 03-Mar-2001 millert

Dynamically allocate fd_set; deraadt@ OK


# 1.55 01-Mar-2001 deraadt

KNF


# 1.54 28-Feb-2001 markus

use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message
use random content in ignore messages.


# 1.53 28-Feb-2001 markus

in ssh protocol v2 use ignore messages for padding (instead of trailing \0).


# 1.52 27-Feb-2001 markus

fix random padding


# 1.51 12-Feb-2001 deraadt

deal with EAGAIN/EINTR selects which were skipped


# 1.50 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.49 08-Feb-2001 itojun

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecast to int -> u_long


# 1.48 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.47 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.46 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.45 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.44 13-Jan-2001 markus

reorder, typo


# 1.43 13-Jan-2001 markus

split out keepalive from packet_interactive (from dale@accentre.com)
set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.


# 1.42 09-Jan-2001 markus

allow TCP_NDELAY for ipv6; from netbsd via itojun@


# 1.41 02-Jan-2001 markus

log remote ip on disconnect; PR 1600, from jcs@rt.fm


# 1.40 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.39 06-Dec-2000 markus

disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0


Revision tags: OPENBSD_2_8_BASE
# 1.38 12-Oct-2000 markus

branches: 1.38.2;
remove unused


# 1.37 11-Oct-2000 markus

new cipher framework


# 1.36 03-Oct-2000 markus

hmac->mac


# 1.35 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.34 19-Aug-2000 deraadt

rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca


# 1.33 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.32 04-May-2000 markus

branches: 1.32.2;
clear padding in ssh2


# 1.31 01-May-2000 markus

less debug, rm unused


# 1.30 30-Apr-2000 markus

send debug messages in SSH2 format


# 1.29 14-Apr-2000 markus

whitespace cleanup


# 1.28 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.27 12-Apr-2000 markus

#include <ssl/foo.h> -> <openssh/foo.h>


# 1.26 04-Apr-2000 markus

remove unused argument, split cipher_mask()


# 1.25 03-Apr-2000 markus

ssh2 packet format


# 1.24 03-Apr-2000 markus

channel layer support for ssh2


# 1.23 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.22 05-Feb-2000 markus

missing xfree()


# 1.21 22-Jan-2000 deraadt

getsockname() requires initialized tolen; andy@guildsoftware.com


# 1.20 20-Jan-2000 markus

use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE


# 1.19 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.18 15-Dec-1999 markus

"Connection closed by x.x.x.x": fatal() -> log()


# 1.17 02-Dec-1999 markus

set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()


# 1.16 24-Nov-1999 markus

KNF, final part 3


# 1.15 24-Nov-1999 deraadt

much more KNF


# 1.14 23-Nov-1999 markus

KNF part 1


# 1.13 22-Nov-1999 markus

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE


# 1.12 19-Nov-1999 markus

SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
[hope this time my ISP stays alive during commit]


# 1.11 15-Nov-1999 markus

remove support for cipher RC4


# 1.10 02-Nov-1999 markus

replace assert() with error, fatal or packet_disconnect


Revision tags: OPENBSD_2_6_BASE
# 1.9 05-Oct-1999 dugsong

crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@


# 1.8 03-Oct-1999 deraadt

use SHUT_* symbols


# 1.7 01-Oct-1999 deraadt

s/long/int/


# 1.6 30-Sep-1999 deraadt

"ssh is a very large program" -- anonymous


# 1.5 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.4 30-Sep-1999 deraadt

cull more ancient garbage from pre-POSIX days


# 1.3 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.2 28-Sep-1999 provos

convert all uses of gmp to SSL bignum
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.