Commit Graph

190 Commits

Author SHA1 Message Date
dtucker@openbsd.org 747691604d
upstream: Remove some set but otherwise unused variables, spotted
in -portable by clang 16's -Wunused-but-set-variable.  ok djm@

OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
2022-11-07 22:22:15 +11:00
djm@openbsd.org 541667fe6d upstream: mark const string array contents const too, i.e. static
const char *array => static const char * const array from Mike Frysinger

OpenBSD-Commit-ID: a664e31ea6a795d7c81153274a5f47b22bdc9bc1
2022-02-02 10:38:59 +11:00
djm@openbsd.org 0fa3368322 upstream: Fix signature algorithm selection logic for
UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2
for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in initial
KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@

OpenBSD-Commit-ID: c17ba0c3236340d2c6a248158ebed042ac6a8029
2022-01-07 09:21:38 +11:00
djm@openbsd.org 3e16365a79 upstream: EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@

OpenBSD-Commit-ID: 4cdb2ca5017ec1ed7a9d33bda95c1d6a97b583b0
2021-12-20 09:28:07 +11:00
djm@openbsd.org b42c61d684 upstream: Record session ID, host key and sig at intital KEX
These will be used later for agent session ID / hostkey binding

ok markus@

OpenBSD-Commit-ID: a9af29e33772b18e3e867c6fa8ab35e1694a81fe
2021-12-20 09:24:42 +11:00
djm@openbsd.org 31d8d231eb upstream: highly polished whitespace, mostly fixing spaces-for-tab
and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
2021-04-03 17:23:02 +11:00
djm@openbsd.org 3dd0c64e08 upstream: more strictly enforce KEX state-machine by banning packet
types once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via
oss-fuzz #30078).

ok markus@

OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
2021-02-01 09:57:28 +11:00
djm@openbsd.org d983e1732b upstream: fix leak: was double allocating kex->session_id buffer
OpenBSD-Commit-ID: 3765f4cc3ae1df874dba9102a3588ba7b48b8183
2021-01-28 10:50:56 +11:00
djm@openbsd.org 39be3dc209 upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t
and use that instead of global variables containing copies of it. feedback/ok
markus@

OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
2021-01-27 21:10:57 +11:00
djm@openbsd.org 4ca6a1fac3 upstream: remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@

OpenBSD-Commit-ID: 7c4f200e112dae6bcf99f5bae1a5629288378a06
2021-01-27 20:28:25 +11:00
Darren Tucker 48d0d7a4dd Disable sntrup761 if compiler doesn't support VLAs.
The sntrup761 code sourced from supercop uses variable length
arrays.  Although widely supported, they are not part of the ANSI
C89 spec so if the compiler does not support VLAs, disable the
sntrup761x25519-sha512@openssh.com KEX method by replacing the kex
functions with no-op ones similar to what we do in kexecdh.c.

This should allow OpenSSH to build with a plain C89 compiler again.
Spotted by tim@, ok djm@.
2021-01-26 14:48:07 +11:00
djm@openbsd.org 2c71cec020 upstream: Update/replace the experimental post-quantim hybrid key
exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
2020-12-29 12:38:53 +11:00
djm@openbsd.org 553b90feed upstream: fix minor memleak of kex->hostkey_alg on rekex
OpenBSD-Commit-ID: 2c3969c74966d4ccdfeff5e5f0df0791919aef50
2020-12-04 13:43:01 +11:00
djm@openbsd.org ac0364b85e upstream: typos: s/hex/kex/ in error messages
OpenBSD-Commit-ID: 43a026c9571dd779ec148de1829cf5a6b6651905
2020-12-04 13:43:01 +11:00
djm@openbsd.org 816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org 6d755706a0 upstream: some language improvements; ok markus
OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
2020-07-15 15:07:42 +10:00
djm@openbsd.org 5becbec023 upstream: use sshpkt_fatal() for kex_exchange_identification()
errors. This ensures that the logged errors are consistent with other
transport- layer errors and that the relevant IP addresses are logged. bz3129
ok dtucker@

OpenBSD-Commit-ID: 2c22891f0b9e1a6cd46771cedbb26ac96ec2e6ab
2020-03-14 19:39:30 +11:00
jsg@openbsd.org d5ba1c0327 upstream: change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
2020-02-28 12:26:28 +11:00
dtucker@openbsd.org 7f8e66fea8 upstream: Make zlib optional. This adds a "ZLIB" build time option
that allows building without zlib compression and associated options.  With
feedback from markus@, ok djm@

OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
2020-01-23 21:53:54 +11:00
Darren Tucker 6fc7e1c6fe Wrap poll.h includes in HAVE_POLL_H. 2019-10-28 16:27:53 +11:00
dtucker@openbsd.org c2cc25480b upstream: Correct type for end-of-list sentinel; fixes initializer
warnings on some platforms.  ok deraadt.

OpenBSD-Commit-ID: a990dbc2dac25bdfa07e79321349c73fd991efa2
2019-10-09 11:11:41 +11:00
naddy@openbsd.org 91a2135f32 upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-08 14:49:04 +10:00
djm@openbsd.org 00865c2969 upstream: better error code for bad arguments; inspired by
OpenBSD-Commit-ID: dfc263b6041de7f0ed921a1de0b81ddebfab1e0a
2019-09-06 12:01:45 +10:00
djm@openbsd.org 76f09bd959 upstream: sprinkle in some explicit errors here, otherwise the
percolate all the way up to dispatch_run_fatal() and lose all meaninful
context

to help with bz#3063; ok dtucker@

OpenBSD-Commit-ID: 5b2da83bb1c4a3471444b7910b2120ae36438a0a
2019-09-05 20:07:12 +10:00
djm@openbsd.org 0ea332497b upstream: only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
OpenBSD-Commit-ID: 00f5c6062f6863769f5447c6346f78c05d2e4a63
2019-09-05 20:07:12 +10:00
djm@openbsd.org 70edd73edc upstream: fix reversed arguments to kex_load_hostkey(); manifested as
errors in cert-hostkey.sh regress failures.

OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
2019-01-21 23:13:53 +11:00
djm@openbsd.org aaca72d6f1 upstream: rename kex->kem_client_pub -> kex->client_pub now that
KEM has been renamed to kexgen

from markus@ ok djm@

OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
2019-01-21 23:13:03 +11:00
djm@openbsd.org 4b83e2a2cc upstream: remove kex_derive_keys_bn wrapper; no unused since the
DH-like KEX methods have moved to KEM

from markus@ ok djm@

OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
2019-01-21 23:13:03 +11:00
djm@openbsd.org dfd591618c upstream: Add support for a PQC KEX/KEM:
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
2019-01-21 22:07:02 +11:00
djm@openbsd.org b1b2ff4ed5 upstream: factor out kex_verify_hostkey() - again, duplicated
almost exactly across client and server for several KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
2019-01-21 21:47:28 +11:00
djm@openbsd.org bb39bafb6d upstream: factor out kex_load_hostkey() - this is duplicated in
both the client and server implementations for most KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
2019-01-21 21:47:28 +11:00
djm@openbsd.org 5ae3f6d314 upstream: save the derived session id in kex_derive_keys() rather
than making each kex method implementation do it.

from markus@ ok djm@

OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
2019-01-21 21:47:28 +11:00
djm@openbsd.org 0a843d9a0e upstream: move client/server SSH-* banners to buffers under
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
2018-12-27 14:38:22 +11:00
djm@openbsd.org a6a0788cbb upstream: only consider the ext-info-c extension during the initial
KEX. It shouldn't be sent in subsequent ones, but if it is present we should
ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@

OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
2018-12-27 14:30:17 +11:00
sf@openbsd.org 168b46f405 upstream: Revert previous two commits
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
 Rename COMP_DELAYED to COMP_ZLIB

 Only delayed compression is supported nowadays.

 ok markus@

date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
 Remove leftovers from pre-authentication compression

 Support for this has been removed in 2016.
 COMP_DELAYED will be renamed in a later commit.

 ok markus@

OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
2018-07-10 15:13:41 +10:00
sf@openbsd.org ab39267fa1 upstream: Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.

ok markus@

OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
2018-07-10 15:13:40 +10:00
sf@openbsd.org 95db395d2e upstream: Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@

OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
2018-07-10 15:13:40 +10:00
djm@openbsd.org 312d2f2861 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04 23:51:52 +10:00
djm@openbsd.org 4ba0d54794 upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03 23:26:36 +10:00
jsing@openbsd.org 7cd31632e3 upstream commit
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2018-02-08 09:26:27 +11:00
djm@openbsd.org 14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
djm@openbsd.org c948030d54 upstream commit
Do not require that unknown EXT_INFO extension values not
contain \0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.

Reported by Denis Bider; ok markus@

Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c
2017-06-13 22:15:08 +10:00
markus@openbsd.org 2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
djm@openbsd.org 56912dea6e upstream commit
unifdef WITH_SSH1 ok markus@

Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-05-01 09:37:40 +10:00
Darren Tucker f2742a481f Remove SHA256 EVP wrapper implementation.
All supported versions of OpenSSL should now have SHA256 so remove our
EVP wrapper implementaion.  ok djm@
2017-03-29 10:50:31 +11:00
markus@openbsd.org 2adbe1e63b upstream commit
disallow KEXINIT before NEWKEYS; ok djm; report by
vegard.nossum at oracle.com

Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
2017-03-17 17:12:44 +11:00
djm@openbsd.org 183ba55aaa upstream commit
fix regression in 7.4 server-sig-algs, where we were
accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@

Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
2017-03-10 15:35:39 +11:00
dtucker@openbsd.org 5a06b9e019 upstream commit
Plug some mem leaks mostly on error paths.  From jjelen
at redhat.com via bz#2687, ok djm@

Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
2017-03-10 15:35:38 +11:00
djm@openbsd.org 68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
markus@openbsd.org ec165c392c upstream commit
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn

Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
2016-10-13 18:55:25 +11:00