Commit Graph

291 Commits

Author SHA1 Message Date
djm@openbsd.org ad60b1179c upstream: allow sshpkt_fatal() to take a varargs format; we'll
use this to give packet-related fatal error messages more context (esp. the
remote endpoint) ok markus@

OpenBSD-Commit-ID: de57211f9543426b515a8a10a4f481666b2b2a50
2019-01-20 09:02:20 +11:00
djm@openbsd.org 8a8183474c upstream: fix memory leak of ciphercontext when rekeying; bz#2942
Patch from Markus Schmidt; ok markus@

OpenBSD-Commit-ID: 7877f1b82e249986f1ef98d0ae76ce987d332bdd
2019-01-04 14:29:37 +11:00
djm@openbsd.org 0a843d9a0e upstream: move client/server SSH-* banners to buffers under
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
2018-12-27 14:38:22 +11:00
Darren Tucker c77bc73c91 Explicitly include openssl before zlib.
Some versions of OpenSSL have "free_func" in their headers, which zlib
typedefs.  Including openssl after zlib (eg via sshkey.h) results in
"syntax error before `free_func'", which this fixes.
2018-07-20 13:48:51 +10:00
djm@openbsd.org de2997a4cf upstream: memleaks; found by valgrind
OpenBSD-Commit-ID: 6c3ba22be53e753c899545f771e8399fc93cd844
2018-07-16 13:12:20 +10:00
markus@openbsd.org cecee2d607 upstream: client: switch to sshbuf API; ok djm@
OpenBSD-Commit-ID: 60cb0356114acc7625ab85105f6f6a7cd44a8d05
2018-07-10 15:14:26 +10:00
sf@openbsd.org 168b46f405 upstream: Revert previous two commits
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
 Rename COMP_DELAYED to COMP_ZLIB

 Only delayed compression is supported nowadays.

 ok markus@

date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
 Remove leftovers from pre-authentication compression

 Support for this has been removed in 2016.
 COMP_DELAYED will be renamed in a later commit.

 ok markus@

OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
2018-07-10 15:13:41 +10:00
sf@openbsd.org ab39267fa1 upstream: Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.

ok markus@

OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
2018-07-10 15:13:40 +10:00
sf@openbsd.org 95db395d2e upstream: Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@

OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
2018-07-10 15:13:40 +10:00
sf@openbsd.org f28a4d5cd2 upstream: Remove unused ssh_packet_start_compression()
ok markus@

OpenBSD-Commit-ID: 9d34cf2f59aca5422021ae2857190578187dc2b4
2018-07-10 15:13:40 +10:00
djm@openbsd.org 854ae209f9 upstream: make ssh_remote_ipaddr() capable of being called after
the ssh->state has been torn down; bz#2773

OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb
2018-06-01 14:20:12 +10:00
dtucker@openbsd.org 1da5934b86 upstream: If select() fails in ssh_packet_read_seqnr go directly to
the error path instead of trying to read from the socket on the way out,
which resets errno and causes the true error to be misreported.  ok djm@

OpenBSD-Commit-ID: 2614edaadbd05a957aa977728aa7a030af7c6f0a
2018-05-25 14:27:50 +10:00
Damien Miller 10479cc2a4 Many typo fixes from Karsten Weiss
Spotted using https://github.com/lucasdemarchi/codespell
2018-04-10 10:19:02 +10:00
djm@openbsd.org 349ecd4da3 upstream commit
pass kex->hostkey_alg and kex->hostkey_nid from pre-auth
to post-auth unpriviledged child processes; ok markus@

OpenBSD-Commit-ID: 4a35bc7af0a5f8a232d1361f79f4ebc376137302
2017-12-19 15:21:37 +11:00
dtucker@openbsd.org 48c23a39a8 upstream commit
Put remote client info back into the ClientAlive
connection termination message.  Based in part on diff from  lars.nooden at
gmail, ok djm

OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0
2017-12-12 10:32:04 +11:00
dtucker@openbsd.org@openbsd.org 5db6fbf143 upstream commit
Add monotime_ts and monotime_tv that return monotonic
timespec and timeval respectively.  Replace calls to gettimeofday() in packet
timing with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6 at
huawei.com. "I like" markus@

OpenBSD-Commit-ID: 74d684264814ff806f197948b87aa732cb1b0b8a
2017-11-28 12:01:49 +11:00
djm@openbsd.org 35eb33fb95 upstream commit
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
2017-10-25 12:26:13 +11:00
djm@openbsd.org eb80e26a15 upstream commit
log debug messages sent to peer; ok deraadt markus

Upstream-ID: 3b4fdc0a06ea5083f61d96e20043000f477103d9
2017-10-20 12:01:03 +11:00
djm@openbsd.org dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org 51676ec614 upstream commit
Allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default; ok dtucker@

Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
2017-07-24 14:48:47 +10:00
djm@openbsd.org 33f86265d7 upstream commit
don't pass pointer to struct sshcipher between privsep
processes, just redo the lookup in each using the already-passed cipher name.
bz#2704 based on patch from Brooks Davis; ok markus dtucker

Upstream-ID: 2eab434c09bdf549dafd7da3e32a0d2d540adbe0
2017-06-24 16:56:11 +10:00
dtucker@openbsd.org ad0531614c upstream commit
Add comments referring to the relevant RFC sections for
rekeying behaviour.

Upstream-ID: 6fc8e82485757a27633f9175ad00468f49a07d40
2017-06-10 16:39:09 +10:00
dtucker@openbsd.org 550c053168 upstream commit
Fix compression output stats broken in rev 1.201.  Patch
originally by Russell Coker via Debian bug #797964 and Christoph Biedl.  ok
djm@

Upstream-ID: 83a1903b95ec2e4ed100703debb4b4a313b01016
2017-06-07 11:31:15 +10:00
djm@openbsd.org 2d75d74272 upstream commit
some warnings spotted by clang; ok markus@

Upstream-ID: 24381d68ca249c5cee4388ceb0f383fa5b43991b
2017-06-01 16:24:31 +10:00
deraadt@openbsd.org dc5dc45662 upstream commit
These shutdown() SHUT_RDWR are not needed before close()
ok djm markus claudio

Upstream-ID: 36f13ae4ba10f5618cb9347933101eb4a98dbcb5
2017-06-01 14:54:46 +10:00
markus@openbsd.org 1e0cdf8efb upstream commit
clear session keys from memory; ok djm@

Upstream-ID: ecd178819868975affd5fd6637458b7c712b6a0f
2017-06-01 14:54:46 +10:00
djm@openbsd.org 2e58a69508 upstream commit
helps if I commit the correct version of the file. fix
missing return statement.

Upstream-ID: c86394a3beeb1ec6611e659bfa830254f325546c
2017-05-08 16:09:20 +10:00
djm@openbsd.org 7461a5bc57 upstream commit
I was too aggressive with the scalpel in the last commit;
unbreak sshd, spotted quickly by naddy@

Upstream-ID: fb7e75d2b2c7e6ca57dee00ca645e322dd49adbf
2017-05-08 10:23:17 +10:00
djm@openbsd.org acaf34fd82 upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08 09:21:00 +10:00
naddy@openbsd.org 768405fddf upstream commit
remove miscellaneous SSH1 leftovers; ok markus@

Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
2017-05-08 09:18:27 +10:00
djm@openbsd.org 930e8d2827 upstream commit
obliterate ssh1.h and some dead code that used it

ok markus@

Upstream-ID: 1ca9159a9fb95618f9d51e069ac8e1131a087343
2017-05-01 10:05:06 +10:00
djm@openbsd.org dfa641f758 upstream commit
remove the (in)famous SSHv1 CRC compensation attack
detector.

Despite your cameo in The Matrix movies, you will not be missed.

ok markus

Upstream-ID: 44261fce51a56d93cdb2af7b6e184be629f667e0
2017-05-01 10:05:04 +10:00
djm@openbsd.org 3d6d09f2e9 upstream commit
remove SSHv1 support from packet and buffer APIs

ok markus@

Upstream-ID: bfc290053d40b806ecac46317d300677d80e1dc9
2017-05-01 10:05:02 +10:00
djm@openbsd.org 97f4d3083b upstream commit
remove compat20/compat13/compat15 variables

ok markus@

Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
2017-05-01 09:42:37 +10:00
djm@openbsd.org 56912dea6e upstream commit
unifdef WITH_SSH1 ok markus@

Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-05-01 09:37:40 +10:00
markus@openbsd.org 0fb1a617a0 upstream commit
Don't count the initial block twice when computing how
many bytes to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL

Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
2017-03-12 10:50:19 +11:00
djm@openbsd.org d7abb771bd upstream commit
small memleak: free fd_set on connection timeout (though
we are heading to exit anyway). From Tom Rix in bz#2683

Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
2017-02-28 17:10:41 +11:00
djm@openbsd.org 07edd7e953 upstream commit
add ssh_packet_set_log_preamble() to allow inclusion of a
preamble string in disconnect messages; ok markus@

Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
2017-02-04 10:08:15 +11:00
dtucker@openbsd.org c998bf0afa upstream commit
Make ssh_packet_set_rekey_limits take u32 for the number of
seconds until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned comparison
warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@

Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
2017-02-03 14:34:25 +11:00
djm@openbsd.org 39af7b444d upstream commit
Add a per-packet input hook that is called with the
decrypted packet contents. This will be used for fuzzing; ok markus@

Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
2016-10-13 18:55:25 +11:00
markus@openbsd.org 8d05784785 upstream commit
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
server acts as a proxy, translates channel IDs and relays to the server. - no
filedescriptor passing necessary. - combined with unix-domain forwarding it's
even possible to run mux client   and server on different machines. feedback
& ok djm@

Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2016-10-01 02:45:10 +10:00
djm@openbsd.org b7689155f3 upstream commit
put back some pre-auth zlib bits that I shouldn't have
removed - they are still used by the client. Spotted by naddy@

Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
2016-09-29 08:18:39 +10:00
djm@openbsd.org 4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
djm@openbsd.org 0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
markus@openbsd.org 28652bca29 upstream commit
move inbound NEWKEYS handling to kex layer; otherwise
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
with & ok djm@

Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
2016-09-21 11:03:55 +10:00
deraadt@openbsd.org 9136ec134c upstream commit
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker

Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12 13:46:29 +10:00
markus@openbsd.org 06ce56b05d upstream commit
ssh_set_newkeys: print correct block counters on
rekeying; ok djm@

Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e
2016-09-12 13:39:30 +10:00
djm@openbsd.org 4706c1d8c1 upstream commit
small refactor of cipher.c: make ciphercontext opaque to
callers feedback and ok markus@

Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
2016-08-09 09:06:52 +10:00
markus@openbsd.org b98a2a8348 upstream commit
Reduce timing attack against obsolete CBC modes by always
computing the MAC over a fixed size of data. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@

Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
2016-07-22 13:36:40 +10:00
djm@openbsd.org eb999a4590 upstream commit
Add some unsigned overflow checks for extra_pad. None of
these are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@

Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
2016-07-18 16:11:46 +10:00