I can't find a reliable way to detect the features the ML-KEM code
requires in configure. Give up for now and use VLA support (that we
can detect) as a proxy for "old compiler" and turn off ML-KEM if
it isn't supported.
The ML-KEM implementation we uses need the compiler to support
C99-style named struct initialisers (e.g foo = {.bar = 1}). We
still support (barely) building OpenSSH with older compilers, so
add a configure test for this.
compile-time flag now than an IANA codepoint has been assigned for the
algorithm.
Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
ok markus@
OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
the string rather than the first. This makes it possible to use usernames
that contain '@' characters.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Prompted by Max Zettlmeißl; feedback/ok millert@
OpenBSD-Commit-ID: 0b16eec246cda15469ebdcf3b1e2479810e394c5
shortnames (e.g "rsa") in user-interface code and require full SSH protocol
names (e.g. "ssh-rsa") everywhere else.
Prompted by bz3725; ok markus@
OpenBSD-Commit-ID: b3d8de9dac37992eab78adbf84fab2fe0d84b187
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
ok markus@ deraadt@
OpenBSD-Commit-ID: 02a8730a570b63fa8acd9913ec66353735dea42c
This fixes an issue where the SSH_CONNECTION_ABANDON event is not
audited because cleanup_exit overrides the regular _exit too soon and
as a result, failed auth attempts are not logged correctly.
The problem was introduced in 81c1099d22
where the code from upstream was merged before the audit_event call when
it should have been merged right before the _exit call in order to honor
the comment that just mentions an override of the exit value.
compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relative early in OpenSSH lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow. This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts it's memory) in a dangerous place, and a new option
("zlib@openssh.com") was added begins compression after authentication (aka
delayed-compression). That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com") ok djm markus
OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72
we can make the algorithm available without the @openssh.com suffix too. ok
markus@ deraadt@
OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
Now that the rekey test has been optimized it's fast enough to not be in
its own valgrind test, so move it into valgrind-2, which is currently
the quickest of the others, bringing all of them to roughly the same
runtime of ~1.1 hours.
Also verify that the Cipher or MAC we intended to use is actually the one
selected during the test.
OpenBSD-Regress-ID: ff43fed30552afe23d1364526fe8cf88cbfafe1d
Except where we're explicitly testing a different kex, use
curve25519-sha256 since it's faster than the default and supported even
when configured without OpenSSL. Add a check to ensure that the kex we
intended to test is the one we actually tested. Speeds test up by ~5%.
OpenBSD-Regress-ID: 3b27fcc2ae953cb08fd82a0d3155c498b226d6e0
up tests by about 10% in the common case, hopefully more when instrumented
with something like valgrind.
OpenBSD-Regress-ID: 7bf9292b4803357efcf0baf7cfbdc8521f212da1
Used unless overridden by a command-line flag, which simplifies some of
the ssh command lines.
OpenBSD-Regress-ID: e7cffa57027088e10336e412b34113969f88cb87
All of the rekey tests use it (otherwise the encrypted byte counts would
not match) so this lets us simplify the command lines.
OpenBSD-Regress-ID: dab7ce10f4cf6c68827eb8658141272aab3ea262
curve25519-sha256@libssh.org is the pre-standardization name for the same
thing, so remove it as a duplicate. Speeds up test by a tiny amount.
OpenBSD-Regress-ID: 5a5ee5fa1595a6e140b1cc16040bedf5996a5715
ssh uses the same parsing code, now has "-G" to dump its config and is
slightly faster to start up. This speeds up the test slightly (~5%) in the
common case but should help more during instrumented tests, eg under
valgrind, where startup costs are magnified.
OpenBSD-Regress-ID: 07c3acaf4c728e641033071f4441afc88141b0d0
than a constant (this makes no difference in practice because the length is
always the same); reported by martin AT nmkd.net
OpenBSD-Commit-ID: 4aecce232c2fe9b16e9217ff6bcb3c848d853e7e
allocated using mmap(3) with MAP_CONCEAL set. This prevents exposure of the
key material in coredumps, etc (this is in addition to other measures we take
in this area).
ok deraadt@
OpenBSD-Commit-ID: cbbae59f337a00c9858d6358bc65f74e62261369
clarify that rsa-sha2-512 is the default signature scheme when RSA is in use.
Based on GHPR505 from SebastianRzk
OpenBSD-Commit-ID: 1d90df71636a04601685d2a10a8233bcc8d4f4c5
Bump the year to 2024, but also reflect the fact that hands.com Ltd. has
been wound up in the UK, and its assets (including this copyright) have
now reverted to its owner, Philip Hands.
SSH-Copy-ID-Upstream: 0e4c4d072747a6568b11a790c29dd1b4ce663d7f
The man pages (ssh, sftp & ssh-copy-id) all list -i before the port
setting, so make the output match that order, which also seems more
natural with the port being next to the server.
SSH-Copy-ID-Upstream: 34d5d614172c78f9a42249466c4b81975b8883a1
