Commit Graph

165 Commits

Author SHA1 Message Date
djm@openbsd.org 70edd73edc upstream: fix reversed arguments to kex_load_hostkey(); manifested as
errors in cert-hostkey.sh regress failures.

OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
2019-01-21 23:13:53 +11:00
djm@openbsd.org aaca72d6f1 upstream: rename kex->kem_client_pub -> kex->client_pub now that
KEM has been renamed to kexgen

from markus@ ok djm@

OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
2019-01-21 23:13:03 +11:00
djm@openbsd.org 4b83e2a2cc upstream: remove kex_derive_keys_bn wrapper; no unused since the
DH-like KEX methods have moved to KEM

from markus@ ok djm@

OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
2019-01-21 23:13:03 +11:00
djm@openbsd.org dfd591618c upstream: Add support for a PQC KEX/KEM:
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
2019-01-21 22:07:02 +11:00
djm@openbsd.org b1b2ff4ed5 upstream: factor out kex_verify_hostkey() - again, duplicated
almost exactly across client and server for several KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
2019-01-21 21:47:28 +11:00
djm@openbsd.org bb39bafb6d upstream: factor out kex_load_hostkey() - this is duplicated in
both the client and server implementations for most KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
2019-01-21 21:47:28 +11:00
djm@openbsd.org 5ae3f6d314 upstream: save the derived session id in kex_derive_keys() rather
than making each kex method implementation do it.

from markus@ ok djm@

OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
2019-01-21 21:47:28 +11:00
djm@openbsd.org 0a843d9a0e upstream: move client/server SSH-* banners to buffers under
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
2018-12-27 14:38:22 +11:00
djm@openbsd.org a6a0788cbb upstream: only consider the ext-info-c extension during the initial
KEX. It shouldn't be sent in subsequent ones, but if it is present we should
ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@

OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
2018-12-27 14:30:17 +11:00
sf@openbsd.org 168b46f405 upstream: Revert previous two commits
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
 Rename COMP_DELAYED to COMP_ZLIB

 Only delayed compression is supported nowadays.

 ok markus@

date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
 Remove leftovers from pre-authentication compression

 Support for this has been removed in 2016.
 COMP_DELAYED will be renamed in a later commit.

 ok markus@

OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
2018-07-10 15:13:41 +10:00
sf@openbsd.org ab39267fa1 upstream: Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.

ok markus@

OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
2018-07-10 15:13:40 +10:00
sf@openbsd.org 95db395d2e upstream: Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@

OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
2018-07-10 15:13:40 +10:00
djm@openbsd.org 312d2f2861 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04 23:51:52 +10:00
djm@openbsd.org 4ba0d54794 upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03 23:26:36 +10:00
jsing@openbsd.org 7cd31632e3 upstream commit
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2018-02-08 09:26:27 +11:00
djm@openbsd.org 14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
djm@openbsd.org c948030d54 upstream commit
Do not require that unknown EXT_INFO extension values not
contain \0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@

Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c
2017-06-13 22:15:08 +10:00
markus@openbsd.org 2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
djm@openbsd.org 56912dea6e upstream commit
unifdef WITH_SSH1 ok markus@

Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-05-01 09:37:40 +10:00
Darren Tucker f2742a481f Remove SHA256 EVP wrapper implementation.
All supported versions of OpenSSL should now have SHA256 so remove our
EVP wrapper implementaion.  ok djm@
2017-03-29 10:50:31 +11:00
markus@openbsd.org 2adbe1e63b upstream commit
disallow KEXINIT before NEWKEYS; ok djm; report by
vegard.nossum at oracle.com

Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
2017-03-17 17:12:44 +11:00
djm@openbsd.org 183ba55aaa upstream commit
fix regression in 7.4 server-sig-algs, where we were
accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@

Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
2017-03-10 15:35:39 +11:00
dtucker@openbsd.org 5a06b9e019 upstream commit
Plug some mem leaks mostly on error paths.  From jjelen
at redhat.com via bz#2687, ok djm@

Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
2017-03-10 15:35:38 +11:00
djm@openbsd.org 68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
markus@openbsd.org ec165c392c upstream commit
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn

Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
2016-10-13 18:55:25 +11:00
djm@openbsd.org b7689155f3 upstream commit
put back some pre-auth zlib bits that I shouldn't have
removed - they are still used by the client. Spotted by naddy@

Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
2016-09-29 08:18:39 +10:00
djm@openbsd.org 4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
djm@openbsd.org 0493766d56 upstream commit
support plain curve25519-sha256 KEX algorithm now that it
is approaching standardisation (same algorithm is currently supported as
curve25519-sha256@libssh.org)

Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2
2016-09-24 05:39:37 +10:00
djm@openbsd.org 1622649b7a upstream commit
correctly return errors from kex_send_ext_info(). Fix from
Sami Farin via https://github.com/openssh/openssh-portable/pull/50

Upstream-ID: c85999af28aaecbf92cfa2283381df81e839b42c
2016-09-22 05:59:35 +10:00
markus@openbsd.org 28652bca29 upstream commit
move inbound NEWKEYS handling to kex layer; otherwise
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
with & ok djm@

Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
2016-09-21 11:03:55 +10:00
djm@openbsd.org 130f5df4fa upstream commit
list all supported signature algorithms in the
server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@

Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
2016-09-13 09:33:24 +10:00
deraadt@openbsd.org 9136ec134c upstream commit
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker

Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12 13:46:29 +10:00
markus@openbsd.org e5e8d9114a upstream commit
update ext_info_c every time we receive a kexinit msg;
fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis &
Mancha; ok djm@

Upstream-ID: 2ceaa1076e19dbd3542254b4fb8e42d608f28856
2016-09-12 13:39:30 +10:00
Damien Miller bd5f2b78b6 missing openssl/dh.h 2016-07-15 20:02:27 +10:00
djm@openbsd.org 0e8eeec8e7 upstream commit
add support for additional fixed DH groups from
 draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-05-02 20:39:32 +10:00
djm@openbsd.org 19bcf2ea2d upstream commit
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@

Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
2016-02-08 21:58:32 +11:00
markus@openbsd.org a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
djm@openbsd.org 271df8185d upstream commit
unbreak connections with peers that set
 first_kex_follows; fix from Matt Johnston va bz#2515

Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
2015-12-18 14:50:49 +11:00
mmcc@openbsd.org d59ce08811 upstream commit
Remove NULL-checks before free().

ok dtucker@

Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
2015-12-11 13:23:14 +11:00
markus@openbsd.org 76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
djm@openbsd.org d87063d9ba upstream commit
send SSH2_MSG_UNIMPLEMENTED replies to unexpected
 messages during KEX; bz#2949, ok dtucker@

Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786
2015-11-16 11:31:38 +11:00
djm@openbsd.org 179c353f56 upstream commit
free the correct IV length, don't assume it's always the
 cipher blocksize; ok dtucker@

Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298
2015-10-14 03:22:09 +11:00
djm@openbsd.org 9690b78b78 upstream commit
Improve printing of KEX offers and decisions

The debug output now labels the client and server offers and the
negotiated options. ok markus@

Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb
2015-08-22 11:17:08 +10:00
djm@openbsd.org f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
djm@openbsd.org 5cefe76910 upstream commit
fix bug in previous; was printing incorrect string for
 failed host key algorithms negotiation

Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
2015-07-29 19:35:43 +10:00
djm@openbsd.org f319912b0d upstream commit
include the peer's offer when logging a failure to
 negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@

Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
2015-07-29 19:35:42 +10:00
djm@openbsd.org 44a8e7ce6f upstream commit
don't try to cleanup NULL KEX proposals in
 kex_prop_free(); found by Jukka Taimisto and Markus Hietava
2015-04-29 18:14:20 +10:00
Damien Miller 4df590cf8d make unit tests work for !OPENSSH_HAS_ECC 2015-03-11 10:02:39 +11:00
djm@openbsd.org 25f5f78d8b upstream commit
fix ssh protocol 1, spotted by miod@
2015-01-30 12:16:33 +11:00
djm@openbsd.org 5104db7cbd upstream commit
correctly match ECDSA subtype (== curve) for
 offered/recevied host keys. Fixes connection-killing host key mismatches when
 a server offers multiple ECDSA keys with different curve type (an extremely
 unlikely configuration).

ok markus, "looks mechanical" deraadt@
2015-01-27 00:00:57 +11:00