- djm@cvs.openbsd.org 2011/08/02 01:22:11
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt Patch from mdb AT juniper.net; feedback and ok markus@
This commit is contained in:
parent
adb467fb69
commit
20bd4535c0
|
@ -17,6 +17,11 @@
|
|||
[gss-serv.c]
|
||||
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
|
||||
report Adam Zabrock; ok djm@, deraadt@
|
||||
- djm@cvs.openbsd.org 2011/08/02 01:22:11
|
||||
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
|
||||
Add new SHA256 and SHA512 based HMAC modes from
|
||||
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
|
||||
Patch from mdb AT juniper.net; feedback and ok markus@
|
||||
|
||||
20110624
|
||||
- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
|
||||
|
|
6
mac.c
6
mac.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: mac.c,v 1.15 2008/06/13 00:51:47 dtucker Exp $ */
|
||||
/* $OpenBSD: mac.c,v 1.16 2011/08/02 01:22:11 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -57,6 +57,10 @@ struct {
|
|||
} macs[] = {
|
||||
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
|
||||
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 },
|
||||
{ "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 },
|
||||
{ "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 },
|
||||
{ "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 },
|
||||
{ "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 },
|
||||
{ "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 },
|
||||
{ "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 },
|
||||
{ "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
|
||||
|
|
15
myproposal.h
15
myproposal.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: myproposal.h,v 1.27 2010/09/01 22:42:13 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
|
@ -76,9 +76,18 @@
|
|||
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
|
||||
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
|
||||
#define KEX_DEFAULT_MAC \
|
||||
"hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
|
||||
"hmac-md5," \
|
||||
"hmac-sha1," \
|
||||
"umac-64@openssh.com," \
|
||||
"hmac-sha2-256," \
|
||||
"hmac-sha2-256-96," \
|
||||
"hmac-sha2-512," \
|
||||
"hmac-sha2-512-96," \
|
||||
"hmac-ripemd160," \
|
||||
"hmac-ripemd160@openssh.com," \
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
"hmac-sha1-96," \
|
||||
"hmac-md5-96"
|
||||
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
|
||||
|
|
8
ssh.1
8
ssh.1
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.319 2011/05/07 23:20:25 jmc Exp $
|
||||
.Dd $Mdocdate: May 7 2011 $
|
||||
.\" $OpenBSD: ssh.1,v 1.320 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -667,7 +667,9 @@ Both protocols support similar authentication methods,
|
|||
but protocol 2 is the default since
|
||||
it provides additional mechanisms for confidentiality
|
||||
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
|
||||
and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
|
||||
and integrity (hmac-md5, hmac-sha1,
|
||||
hmac-sha2-256, hmac-sha2-512,
|
||||
umac-64, hmac-ripemd160).
|
||||
Protocol 1 lacks a strong mechanism for ensuring the
|
||||
integrity of the connection.
|
||||
.Pp
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.152 2011/06/04 00:10:26 djm Exp $
|
||||
.Dd $Mdocdate: June 4 2011 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.153 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -793,7 +793,9 @@ Multiple algorithms must be comma-separated.
|
|||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
hmac-md5,hmac-sha1,umac-64@openssh.com,
|
||||
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
|
||||
hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
|
||||
hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,
|
||||
hmac-sha2-512-96
|
||||
.Ed
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
This option can be used if the home directory is shared across machines.
|
||||
|
|
7
sshd.8
7
sshd.8
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.262 2011/05/23 07:10:21 jmc Exp $
|
||||
.Dd $Mdocdate: May 23 2011 $
|
||||
.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -314,7 +314,8 @@ The client selects the encryption algorithm
|
|||
to use from those offered by the server.
|
||||
Additionally, session integrity is provided
|
||||
through a cryptographic message authentication code
|
||||
(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
|
||||
(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160,
|
||||
hmac-sha2-256 or hmac-sha2-512).
|
||||
.Pp
|
||||
Finally, the server and the client enter an authentication dialog.
|
||||
The client tries to authenticate itself using
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $
|
||||
.Dd $Mdocdate: June 22 2011 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $
|
||||
.Dd $Mdocdate: August 2 2011 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -655,7 +655,9 @@ Multiple algorithms must be comma-separated.
|
|||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
hmac-md5,hmac-sha1,umac-64@openssh.com,
|
||||
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
|
||||
hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
|
||||
hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
|
||||
hmac-sha2-512-96
|
||||
.Ed
|
||||
.It Cm Match
|
||||
Introduces a conditional block.
|
||||
|
|
Loading…
Reference in New Issue