#
1.315 |
|
31-May-2024 |
djm |
typos
|
#
1.314 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.313 |
|
18-Dec-2023 |
djm |
implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.312 |
|
28-Aug-2023 |
djm |
branches: 1.312.2; Add keystroke timing obfuscation to the client.
This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword/
feedback/ok markus@
|
#
1.311 |
|
28-Aug-2023 |
djm |
Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.310 |
|
06-Apr-2023 |
djm |
remove redundant ssh!=NULL check; we'd already dereferenced it
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.309 |
|
03-Mar-2023 |
dtucker |
branches: 1.309.4; Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.314 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.313 |
|
18-Dec-2023 |
djm |
implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.312 |
|
28-Aug-2023 |
djm |
branches: 1.312.2; Add keystroke timing obfuscation to the client.
This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword/
feedback/ok markus@
|
#
1.311 |
|
28-Aug-2023 |
djm |
Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.310 |
|
06-Apr-2023 |
djm |
remove redundant ssh!=NULL check; we'd already dereferenced it
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.309 |
|
03-Mar-2023 |
dtucker |
branches: 1.309.4; Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.313 |
|
18-Dec-2023 |
djm |
implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.312 |
|
28-Aug-2023 |
djm |
branches: 1.312.2; Add keystroke timing obfuscation to the client.
This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword/
feedback/ok markus@
|
#
1.311 |
|
28-Aug-2023 |
djm |
Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.310 |
|
06-Apr-2023 |
djm |
remove redundant ssh!=NULL check; we'd already dereferenced it
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.309 |
|
03-Mar-2023 |
dtucker |
branches: 1.309.4; Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.312 |
|
28-Aug-2023 |
djm |
Add keystroke timing obfuscation to the client.
This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword/
feedback/ok markus@
|
#
1.311 |
|
28-Aug-2023 |
djm |
Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
ok markus@
|
#
1.310 |
|
06-Apr-2023 |
djm |
remove redundant ssh!=NULL check; we'd already dereferenced it
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.309 |
|
03-Mar-2023 |
dtucker |
Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.310 |
|
06-Apr-2023 |
djm |
remove redundant ssh!=NULL check; we'd already dereferenced it
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.309 |
|
03-Mar-2023 |
dtucker |
Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.309 |
|
03-Mar-2023 |
dtucker |
Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.308 |
|
31-Aug-2022 |
djm |
whitespace
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.307 |
|
22-Jan-2022 |
djm |
add a ssh_packet_process_read() function that reads from a fd directly into the transport input buffer.
Use this in the client and server mainloops to avoid unnecessary copying. It also lets us use a more greedy read size without penalty.
Yields a 2-3% performance gain on cipher-speed.sh (in a fairly unscientific test tbf)
feedback dtucker@ ok markus@
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.306 |
|
21-Jan-2022 |
djm |
correct comment and use local variable instead of long indirection; spotted by dtucker@
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.305 |
|
17-Jan-2022 |
djm |
when decompressing zlib compressed packets, use Z_SYNC_FLUSH instead of Z_PARTIAL_FLUSH as the latter is not actually specified as a valid mode for inflate(). There should be no practical change in behaviour as the compression side ensures a flush that should make all data available to the receiver in all cases.
repoted by lamm AT ibm.com via bz3372; ok markus
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.304 |
|
01-Jan-2022 |
jsg |
spelling ok dtucker@
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.303 |
|
25-Nov-2021 |
djm |
debug("func: ...") -> debug_f("...")
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.302 |
|
13-Nov-2021 |
deraadt |
replace select() with ppoll(), including converting timeval's to timespec's to make things easier. back and forth and ok; djm
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.301 |
|
16-Jul-2021 |
djm |
Explicitly check for and start time-based rekeying in the client and server mainloops.
Previously the rekey timeout could expire but rekeying would not start until a packet was sent or received. This could cause us to spin in select() on the rekey timeout if the connection was quiet.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.300 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.299 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.298 |
|
27-Nov-2020 |
djm |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.297 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.296 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.295 |
|
01-Jul-2020 |
markus |
free kex in ssh_packet_close; ok djm semarie
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.294 |
|
26-Jun-2020 |
semarie |
backout 1.293 fix kex mem-leak in ssh_packet_close at markus request
the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after calling ssh_packet_clear_keys())
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.293 |
|
24-Jun-2020 |
markus |
fix kex mem-leak in ssh_packet_close; ok djm
|
#
1.292 |
|
24-Jun-2020 |
markus |
fix ssh -O proxy w/mux which got broken by no longer making ssh->kex optional in packet.c revision 1.278 ok djm@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.291 |
|
06-Mar-2020 |
markus |
consistently check packet_timeout_ms against 0; ok djm
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.290 |
|
30-Jan-2020 |
djm |
have sshpkt_fatal() save/restore errno before we potentially call strerror() (via ssh_err()); ok dtucker
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.289 |
|
23-Jan-2020 |
dtucker |
Fix typo in comment.
|
#
1.288 |
|
23-Jan-2020 |
dtucker |
Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.287 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.286 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.285 |
|
07-Jun-2019 |
dtucker |
Typo and spelling fixes in comments and error messages. Patch from knweiss at gmail.com via -portable.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.284 |
|
18-Apr-2019 |
dtucker |
Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.283 |
|
01-Mar-2019 |
djm |
in ssh_set_newkeys(), mention the direction that we're keying in debug messages. Previously it would be difficult to tell which direction it was talking about
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.282 |
|
21-Jan-2019 |
djm |
pass values used in KEX hash computation as sshbuf rather than pointer+len
suggested by me; implemented by markus@ ok me
|
#
1.281 |
|
21-Jan-2019 |
djm |
Make sshpkt_get_bignum2() allocate the bignum it is parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
|
#
1.280 |
|
19-Jan-2019 |
djm |
allow sshpkt_fatal() to take a varargs format; we'll use this to give packet-related fatal error messages more context (esp. the remote endpoint) ok markus@
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.279 |
|
04-Jan-2019 |
djm |
fix memory leak of ciphercontext when rekeying; bz#2942 Patch from Markus Schmidt; ok markus@
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.278 |
|
27-Dec-2018 |
djm |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.277 |
|
16-Jul-2018 |
djm |
memleaks; found by valgrind
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.276 |
|
09-Jul-2018 |
markus |
client: switch to sshbuf API; ok djm@
|
#
1.275 |
|
09-Jul-2018 |
sf |
Revert previous two commits
It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.274 |
|
06-Jul-2018 |
sf |
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
|
#
1.273 |
|
06-Jul-2018 |
sf |
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
ok markus@
|
#
1.272 |
|
06-Jul-2018 |
sf |
Remove unused ssh_packet_start_compression()
ok markus@
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.271 |
|
01-Jun-2018 |
djm |
make ssh_remote_ipaddr() capable of being called after the ssh->state has been torn down; bz#2773
|
#
1.270 |
|
25-May-2018 |
dtucker |
If select() fails in ssh_packet_read_seqnr go directly to the error path instead of trying to read from the socket on the way out, which resets errno and causes the true error to be misreported. ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.269 |
|
18-Dec-2017 |
djm |
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth to post-auth unpriviledged child processes; ok markus@
|
#
1.268 |
|
10-Dec-2017 |
dtucker |
Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
|
#
1.267 |
|
25-Nov-2017 |
dtucker |
Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
|
#
1.266 |
|
25-Oct-2017 |
djm |
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4)
ok markus@
|
#
1.265 |
|
13-Oct-2017 |
djm |
log debug messages sent to peer; ok deraadt markus
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.264 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.263 |
|
23-Jul-2017 |
djm |
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@
|
#
1.262 |
|
24-Jun-2017 |
djm |
don't pass pointer to struct sshcipher between privsep processes, just redo the lookup in each using the already-passed cipher name. bz#2704 based on patch from Brooks Davis; ok markus dtucker
|
#
1.261 |
|
09-Jun-2017 |
dtucker |
Add comments referring to the relevant RFC sections for rekeying behaviour.
|
#
1.260 |
|
06-Jun-2017 |
dtucker |
Fix compression output stats broken in rev 1.201. Patch originally by Russell Coker via Debian bug #797964 and Christoph Biedl. ok djm@
|
#
1.259 |
|
01-Jun-2017 |
djm |
some warnings spotted by clang; ok markus@
|
#
1.258 |
|
31-May-2017 |
deraadt |
These shutdown() SHUT_RDWR are not needed before close() ok djm markus claudio
|
#
1.257 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.256 |
|
08-May-2017 |
djm |
helps if I commit the correct version of the file. fix missing return statement.
|
#
1.255 |
|
08-May-2017 |
djm |
I was too aggressive with the scalpel in the last commit; unbreak sshd, spotted quickly by naddy@
|
#
1.254 |
|
07-May-2017 |
djm |
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
|
#
1.253 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
#
1.252 |
|
30-Apr-2017 |
djm |
obliterate ssh1.h and some dead code that used it
ok markus@
|
#
1.251 |
|
30-Apr-2017 |
djm |
remove the (in)famous SSHv1 CRC compensation attack detector.
Despite your cameo in The Matrix movies, you will not be missed.
ok markus
|
#
1.250 |
|
30-Apr-2017 |
djm |
remove SSHv1 support from packet and buffer APIs
ok markus@
|
#
1.249 |
|
30-Apr-2017 |
djm |
remove compat20/compat13/compat15 variables
ok markus@
|
#
1.248 |
|
30-Apr-2017 |
djm |
unifdef WITH_SSH1 ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.247 |
|
11-Mar-2017 |
markus |
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
|
#
1.246 |
|
28-Feb-2017 |
djm |
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683
|
#
1.245 |
|
03-Feb-2017 |
djm |
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@
|
#
1.244 |
|
03-Feb-2017 |
dtucker |
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
some early guidance deraadt@, ok djm@
|
#
1.243 |
|
11-Oct-2016 |
djm |
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@
|
#
1.242 |
|
30-Sep-2016 |
markus |
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@
|
#
1.241 |
|
28-Sep-2016 |
djm |
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
|
#
1.240 |
|
28-Sep-2016 |
djm |
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
|
#
1.239 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.238 |
|
19-Sep-2016 |
markus |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
|
#
1.237 |
|
12-Sep-2016 |
deraadt |
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
|
#
1.236 |
|
06-Sep-2016 |
markus |
ssh_set_newkeys: print correct block counters on rekeying; ok djm@
|
#
1.235 |
|
03-Aug-2016 |
djm |
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.234 |
|
18-Jul-2016 |
markus |
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
#
1.233 |
|
18-Jul-2016 |
djm |
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
|
#
1.232 |
|
15-Jul-2016 |
dtucker |
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
|
#
1.231 |
|
08-Jul-2016 |
djm |
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@
|
#
1.230 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.229 |
|
17-Feb-2016 |
djm |
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
#
1.228 |
|
08-Feb-2016 |
djm |
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
|
#
1.227 |
|
04-Feb-2016 |
djm |
printf argument casts to avoid warnings on strict compilers
|
#
1.226 |
|
29-Jan-2016 |
djm |
include packet type of non-data packets in debug3 output; ok markus dtucker
|
#
1.225 |
|
29-Jan-2016 |
dtucker |
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
|
#
1.224 |
|
29-Jan-2016 |
dtucker |
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
#
1.223 |
|
29-Jan-2016 |
dtucker |
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
|
#
1.222 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.221 |
|
11-Dec-2015 |
mmcc |
Remove NULL-checks before sshbuf_free().
ok djm@
|
#
1.220 |
|
11-Dec-2015 |
djm |
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
#
1.219 |
|
10-Dec-2015 |
mmcc |
Remove NULL-checks before free().
ok dtucker@
|
#
1.218 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.217 |
|
08-Nov-2015 |
djm |
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@
|
#
1.216 |
|
21-Oct-2015 |
gsoares |
fix memory leak in error path ok djm@
|
#
1.215 |
|
21-Sep-2015 |
djm |
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@
|
#
1.214 |
|
20-Aug-2015 |
deraadt |
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.213 |
|
29-Jul-2015 |
djm |
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
#
1.212 |
|
01-May-2015 |
djm |
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
#
1.211 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.210 |
|
24-Mar-2015 |
markus |
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
|
#
1.209 |
|
11-Mar-2015 |
jsg |
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.208 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.207 |
|
11-Feb-2015 |
djm |
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
#
1.206 |
|
09-Feb-2015 |
jsg |
fix some leaks in error paths ok markus@
|
#
1.205 |
|
30-Jan-2015 |
djm |
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
|
#
1.204 |
|
28-Jan-2015 |
djm |
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
|
#
1.203 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.202 |
|
19-Jan-2015 |
markus |
add experimental api for packet layer; ok djm@
|
#
1.201 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.200 |
|
13-Jan-2015 |
markus |
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
|
#
1.199 |
|
24-Oct-2014 |
lteo |
Remove unnecessary include: netinet/in_systm.h is not needed by these programs.
ok deraadt@ millert@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.198 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.197 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.196 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.195 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.194 |
|
28-Apr-2014 |
djm |
buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
|
#
1.193 |
|
01-Apr-2014 |
djm |
demote a debug3 to PACKET_DEBUG; ok markus@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.192 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.191 |
|
06-Dec-2013 |
markus |
new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
|
#
1.190 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.189 |
|
08-Nov-2013 |
djm |
use calloc for all structure allocations; from markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.188 |
|
12-Jul-2013 |
djm |
branches: 1.188.2; fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
|
#
1.187 |
|
01-Jun-2013 |
dtucker |
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@.
|
#
1.186 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.185 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.184 |
|
16-May-2013 |
dtucker |
Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
|
#
1.183 |
|
19-Apr-2013 |
djm |
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
|
#
1.182 |
|
11-Apr-2013 |
djm |
quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.181 |
|
10-Feb-2013 |
djm |
branches: 1.181.2; record "Received disconnect" messages at ERROR rather than INFO priority, since they are abnormal and result in a non-zero ssh exit status; patch from Iain Morgan in bz#2057; ok dtucker@
|
#
1.180 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.179 |
|
12-Dec-2012 |
markus |
reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only parially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert
|
#
1.178 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.177 |
|
17-Sep-2012 |
markus |
clear old keys on rekeing; ok djm
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.176 |
|
25-Jan-2012 |
markus |
packet_read_poll() is not used anymore.
|
#
1.175 |
|
25-Jan-2012 |
markus |
do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying; ok dtucker@, djm@
|
#
1.174 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.173 |
|
06-May-2011 |
djm |
set traffic class for IPv6 traffic as we do for IPv4 TOS; patch from lionel AT mamane.lu via Colin Watson in bz#1855; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.172 |
|
13-Nov-2010 |
djm |
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
#
1.171 |
|
05-Nov-2010 |
djm |
whitespace KNF
|
#
1.170 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
#
1.169 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.168 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.167 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.166 |
|
27-Jun-2009 |
andreas |
packet_bacup_state() and packet_restore_state() will be used to temporarily save the current state ren resuming a suspended connection. ok markus@
|
#
1.165 |
|
12-Jun-2009 |
andreas |
Move some more statics into session_state ok markus@ djm@
|
#
1.164 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.163 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.162 |
|
27-May-2009 |
andreas |
Add packet_put_int64() and packet_get_int64(), part of a larger change from Martin Forssen. ok markus@
|
#
1.161 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.160 |
|
13-Feb-2009 |
markus |
check for enc !=NULL in packet_start_discard
|
#
1.159 |
|
26-Jan-2009 |
markus |
Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
|
#
1.158 |
|
21-Nov-2008 |
markus |
packet_disconnect() on padding error, too. should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 ok djm@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.157 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.156 |
|
04-Jul-2008 |
djm |
handle EINTR in packet_write_poll()l ok dtucker@
|
#
1.155 |
|
13-Jun-2008 |
deraadt |
compile on older gcc; no decl after code
|
#
1.154 |
|
12-Jun-2008 |
dtucker |
Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
|
#
1.153 |
|
19-May-2008 |
djm |
unbreak protocol keepalive timeouts bz#1465; ok dtucker@
|
#
1.152 |
|
08-May-2008 |
markus |
avoid extra malloc/copy/free when receiving data over the net; ~10% speedup for localhost-scp; ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.151 |
|
22-Feb-2008 |
dtucker |
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the keepalive timer (bz #1307). ok markus@
|
#
1.150 |
|
23-Jan-2008 |
dtucker |
Revert the change for bz #1307 as it causes connection aborts if an IGNORE packet arrives while we're waiting in packet_read_expect (and possibly elsewhere).
|
#
1.149 |
|
28-Dec-2007 |
dtucker |
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the ServerAlive and ClientAlive timers. Prevents dropping a connection when these are enabled but the peer does not support our keepalives. bz #1307, ok djm@.
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.148 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
#
1.147 |
|
05-Jun-2007 |
djm |
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
|
#
1.146 |
|
31-May-2007 |
djm |
gc unreachable code; spotted by Tavis Ormandy
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.145 |
|
19-Sep-2006 |
markus |
client NULL deref on protocol error; Tavis Ormandy, Google Security Team
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.144 |
|
16-Sep-2006 |
djm |
branches: 1.144.2; limit maximum work performed by the CRC compensation attack detector, problem reported by Tavis Ormandy, Google Security Team; ok markus@ deraadt@
|
#
1.143 |
|
05-Aug-2006 |
dtucker |
Typo in comment
|
#
1.142 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.141 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.140 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.139 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.138 |
|
25-Jul-2006 |
stevesk |
move #include <sys/time.h> out of includes.h
|
#
1.137 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.136 |
|
17-Jul-2006 |
stevesk |
move #include <unistd.h> out of includes.h
|
#
1.135 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.134 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.133 |
|
08-Jul-2006 |
stevesk |
move #include <sys/socket.h> out of includes.h
|
#
1.132 |
|
05-Jul-2006 |
stevesk |
move #include <netinet/in.h> out of includes.h; ok deraadt@
|
#
1.131 |
|
30-Mar-2006 |
djm |
replace {GET,PUT}_XXBIT macros with functionally similar functions, silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@
|
#
1.130 |
|
25-Mar-2006 |
deraadt |
remove (char *) casts to a function that accepts void * for the arg
|
#
1.129 |
|
25-Mar-2006 |
deraadt |
needed casts (always will be needed)
|
#
1.128 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.127 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.126 |
|
22-Mar-2006 |
djm |
remove IV support from the CRC attack detector, OpenSSH has never used it - it only applied to IDEA-CFB, which we don't support. prompted by NetBSD Coverity report via elad AT netbsd.org; feedback markus@ "nuke it" deraadt@
|
#
1.125 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.124 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.123 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.122 |
|
13-Mar-2006 |
dtucker |
Set TCP_NODELAY for all connections not just "interactive" ones. Fixes poor performance and protocol stalls under some network conditions (mindrot bugs #556 and #981). Patch originally from markus@, ok djm@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.121 |
|
08-Feb-2006 |
stevesk |
branches: 1.121.2; move #include <netinet/in_systm.h> and <netinet/ip.h> out of includes.h; ok markus@
|
#
1.120 |
|
30-Oct-2005 |
djm |
no need to escape single quotes in comments, no binary change
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.119 |
|
28-Jul-2005 |
markus |
branches: 1.119.2; missing packet_init_compression(); from solar
|
#
1.118 |
|
25-Jul-2005 |
markus |
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.117 |
|
17-Jun-2005 |
djm |
make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.116 |
|
20-Oct-2004 |
markus |
branches: 1.116.2; disconnect for invalid (out of range) message types.
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.115 |
|
21-Jun-2004 |
avsm |
branches: 1.115.2; make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.114 |
|
14-Jun-2004 |
djm |
set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
|
#
1.113 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.112 |
|
23-Sep-2003 |
markus |
branches: 1.112.2; replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
#
1.111 |
|
19-Sep-2003 |
markus |
do not call packet_close on fatal; ok deraadt
|
#
1.110 |
|
19-Sep-2003 |
markus |
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.109 |
|
10-Jul-2003 |
markus |
branches: 1.109.2; the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
|
#
1.108 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.107 |
|
10-Jun-2003 |
deraadt |
mostly ansi cleanup; pval ok
|
#
1.106 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.105 |
|
02-Apr-2003 |
markus |
reapply rekeying chage, tested by henning@, ok djm@
|
#
1.104 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.103 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_ (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt) (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly. * client option 'RekeyLimit' * do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.102 |
|
10-Dec-2002 |
markus |
branches: 1.102.2; static
|
#
1.101 |
|
10-Dec-2002 |
markus |
move tos handling to packet_set_tos; ok provos/henning/deraadt
|
#
1.100 |
|
21-Nov-2002 |
markus |
debug->debug2, unify debug messages
|
#
1.99 |
|
04-Nov-2002 |
markus |
log before send disconnect; ok djm@
|
#
1.98 |
|
23-Oct-2002 |
markus |
use %u for u_int
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.97 |
|
04-Jul-2002 |
deraadt |
branches: 1.97.2; blah blah minor nothing as i read and re-read and re-read...
|
#
1.96 |
|
23-Jun-2002 |
deraadt |
packet_get_int() returns unsigned for reason & seqnr
|
#
1.95 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this is still depends on EVP implementation details and is broken).
|
#
1.94 |
|
04-Jun-2002 |
markus |
remove __FUNCTION__
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.93 |
|
24-Mar-2002 |
markus |
branches: 1.93.2; debug->debug3 for extra padding
|
#
1.92 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.91 |
|
18-Mar-2002 |
markus |
export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
|
#
1.90 |
|
27-Feb-2002 |
stevesk |
remove unneeded casts in [gs]etsockopt(); ok markus@
|
#
1.89 |
|
24-Feb-2002 |
markus |
make 'cp' unsigned and merge with 'ucp'; ok stevesk@
|
#
1.88 |
|
14-Feb-2002 |
markus |
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
|
#
1.87 |
|
24-Jan-2002 |
stevesk |
need misc.h for set_nodelay()
|
#
1.86 |
|
24-Jan-2002 |
stevesk |
add set_nodelay() to set TCP_NODELAY on a socket (prep for nagle tuning). no nagle changes just yet; ok djm@ markus@
|
#
1.85 |
|
18-Jan-2002 |
stevesk |
unneeded cast cleanup; ok markus@
|
#
1.84 |
|
11-Jan-2002 |
markus |
handle received SSH2_MSG_UNIMPLEMENTED messages; ok djm@
|
#
1.83 |
|
29-Dec-2001 |
stevesk |
remove unneeded casts and some char->u_char cleanup; ok markus@
|
#
1.82 |
|
28-Dec-2001 |
markus |
packet_read* no longer return the packet length, since it's not used.
|
#
1.81 |
|
28-Dec-2001 |
markus |
buffer_get_bignum: int -> void
|
#
1.80 |
|
28-Dec-2001 |
markus |
packet_get_bignum* no longer returns a size
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
27-Dec-2001 |
markus |
get rid of packet_integrity_check, use packet_done() instead.
|
#
1.77 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.76 |
|
19-Dec-2001 |
stevesk |
change the buffer/packet interface to use void* vs. char*; ok markus@
|
#
1.75 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.74 |
|
05-Dec-2001 |
deraadt |
minor KNF
|
#
1.73 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.72 |
|
10-Nov-2001 |
markus |
remove extra debug()
|
#
1.71 |
|
07-Nov-2001 |
markus |
pad using the padding field from the ssh2 packet instead of sending extra ignore messages. tested against several other ssh servers.
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.70 |
|
27-Sep-2001 |
markus |
branches: 1.70.2; missing called=1; chombier@mac.com
|
#
1.69 |
|
25-Jun-2001 |
markus |
update copyright for 2001
|
#
1.68 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.67 |
|
20-Jun-2001 |
markus |
move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE
|
#
1.66 |
|
12-Jun-2001 |
markus |
do not log() packet_set_maxsize
|
#
1.65 |
|
07-Jun-2001 |
markus |
use xxx_put_cstring()
|
#
1.64 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.63 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.62 |
|
28-May-2001 |
markus |
remove some lines, simplify.
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.61 |
|
05-Apr-2001 |
markus |
branches: 1.61.2; fix whitespace: unexpand + trailing spaces.
|
#
1.60 |
|
05-Apr-2001 |
markus |
reset compress state per direction when rekeying.
|
#
1.59 |
|
04-Apr-2001 |
markus |
clear+free keys,iv for rekeying. + fix DH mem leaks. ok niels@
|
#
1.58 |
|
04-Apr-2001 |
markus |
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
|
#
1.57 |
|
03-Apr-2001 |
markus |
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
#
1.56 |
|
03-Mar-2001 |
millert |
Dynamically allocate fd_set; deraadt@ OK
|
#
1.55 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.54 |
|
28-Feb-2001 |
markus |
use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message use random content in ignore messages.
|
#
1.53 |
|
28-Feb-2001 |
markus |
in ssh protocol v2 use ignore messages for padding (instead of trailing \0).
|
#
1.52 |
|
27-Feb-2001 |
markus |
fix random padding
|
#
1.51 |
|
12-Feb-2001 |
deraadt |
deal with EAGAIN/EINTR selects which were skipped
|
#
1.50 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.49 |
|
08-Feb-2001 |
itojun |
sync with netbsd tree changes. - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
|
#
1.48 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.47 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.46 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.45 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.44 |
|
13-Jan-2001 |
markus |
reorder, typo
|
#
1.43 |
|
13-Jan-2001 |
markus |
split out keepalive from packet_interactive (from dale@accentre.com) set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too.
|
#
1.42 |
|
09-Jan-2001 |
markus |
allow TCP_NDELAY for ipv6; from netbsd via itojun@
|
#
1.41 |
|
02-Jan-2001 |
markus |
log remote ip on disconnect; PR 1600, from jcs@rt.fm
|
#
1.40 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.39 |
|
06-Dec-2000 |
markus |
disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.38 |
|
12-Oct-2000 |
markus |
branches: 1.38.2; remove unused
|
#
1.37 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.36 |
|
03-Oct-2000 |
markus |
hmac->mac
|
#
1.35 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.34 |
|
19-Aug-2000 |
deraadt |
rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; oneill@cs.sfu.ca
|
#
1.33 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.32 |
|
04-May-2000 |
markus |
branches: 1.32.2; clear padding in ssh2
|
#
1.31 |
|
01-May-2000 |
markus |
less debug, rm unused
|
#
1.30 |
|
30-Apr-2000 |
markus |
send debug messages in SSH2 format
|
#
1.29 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.28 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.27 |
|
12-Apr-2000 |
markus |
#include <ssl/foo.h> -> <openssh/foo.h>
|
#
1.26 |
|
04-Apr-2000 |
markus |
remove unused argument, split cipher_mask()
|
#
1.25 |
|
03-Apr-2000 |
markus |
ssh2 packet format
|
#
1.24 |
|
03-Apr-2000 |
markus |
channel layer support for ssh2
|
#
1.23 |
|
28-Mar-2000 |
markus |
replace big switch() with function tables (prepare for ssh2)
|
#
1.22 |
|
05-Feb-2000 |
markus |
missing xfree()
|
#
1.21 |
|
22-Jan-2000 |
deraadt |
getsockname() requires initialized tolen; andy@guildsoftware.com
|
#
1.20 |
|
20-Jan-2000 |
markus |
use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
#
1.19 |
|
04-Jan-2000 |
markus |
ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and fujiwara@rcac.tdi.co.jp)
|
#
1.18 |
|
15-Dec-1999 |
markus |
"Connection closed by x.x.x.x": fatal() -> log()
|
#
1.17 |
|
02-Dec-1999 |
markus |
set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
|
#
1.16 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.15 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.14 |
|
23-Nov-1999 |
markus |
KNF part 1
|
#
1.13 |
|
22-Nov-1999 |
markus |
syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE
|
#
1.12 |
|
19-Nov-1999 |
markus |
SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit]
|
#
1.11 |
|
15-Nov-1999 |
markus |
remove support for cipher RC4
|
#
1.10 |
|
02-Nov-1999 |
markus |
replace assert() with error, fatal or packet_disconnect
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.9 |
|
05-Oct-1999 |
dugsong |
crc32 compensation attack fix from CORE-SDI. "it's not crypto..." -- deraadt@
|
#
1.8 |
|
03-Oct-1999 |
deraadt |
use SHUT_* symbols
|
#
1.7 |
|
01-Oct-1999 |
deraadt |
s/long/int/
|
#
1.6 |
|
30-Sep-1999 |
deraadt |
"ssh is a very large program" -- anonymous
|
#
1.5 |
|
30-Sep-1999 |
deraadt |
do not bother with dinosaur pacification
|
#
1.4 |
|
30-Sep-1999 |
deraadt |
cull more ancient garbage from pre-POSIX days
|
#
1.3 |
|
29-Sep-1999 |
dugsong |
update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages
|
#
1.2 |
|
28-Sep-1999 |
provos |
convert all uses of gmp to SSL bignum convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|