Commit Graph

86 Commits

Author SHA1 Message Date
djm@openbsd.org
21b6b5a06c upstream: add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default
KEXAlgorithms list (after the ECDH methods but before the prime-group DH
ones).

ok markus@

OpenBSD-Commit-ID: 22b77e27a04e497a10e22f138107579652854210
2021-11-10 17:32:18 +11:00
djm@openbsd.org
2344750250 upstream: After years of forewarning, disable the RSA/SHA-1
signature algorithm by default. It is feasible to create colliding SHA1
hashes, so we need to deprecate its use.

RSA/SHA-256/512 remains available and will be transparently selected
instead of RSA/SHA1 for most SSH servers released in the last five+
years. There is no need to regenerate RSA keys.

The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
PubkeyAcceptedAlgorithms directives on the client and server.

ok dtucker deraadt

OpenBSD-Commit-ID: 189bcc4789c7254e09e23734bdd5def8354ff1d5
2021-08-30 09:58:15 +10:00
djm@openbsd.org
12ae8f95e2 upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@

OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-10-03 14:34:06 +10:00
djm@openbsd.org
c3368a5d5e upstream: remove ssh-rsa (SHA1) from the list of allowed CA
signature algorithms ok markus

OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
2020-01-25 11:27:29 +11:00
dtucker@openbsd.org
c4b3a12895 upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any).  ok djm@

OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
2020-01-23 14:40:15 +11:00
tedu@openbsd.org
6c30c9adbe upstream: remove diffie-hellman-group14-sha1 from default kex to
see what happens. general mostly ok

OpenBSD-Commit-ID: 216b7b8462d2ef5f4531f26cb2cb839b2153dad9
2020-01-22 17:17:51 +11:00
djm@openbsd.org
57634bfc57 upstream: sort sk-* methods behind their plain key methods cousins
for now

OpenBSD-Commit-ID: c97e22c2b28c0d12ee389b8b4ef5f2ada7908828
2019-12-20 14:23:54 +11:00
djm@openbsd.org
56584cce75 upstream: allow security keys to act as host keys as well as user
keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@

OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-12-16 14:19:41 +11:00
djm@openbsd.org
75f7f22a43 upstream: add security key types to list of keys allowed to act as
CAs; spotted by Ron Frederick

OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
2019-12-11 19:11:07 +11:00
Damien Miller
478f4f98e4 remove all EC algs from proposals, no just sk ones
ok dtucker@
2019-11-19 08:52:24 +11:00
Damien Miller
6a7ef310da filter PUBKEY_DEFAULT_PK_ALG for ECC algorithms
Remove ECC algorithms from the PUBKEY_DEFAULT_PK_ALG list when
compiling without ECC support in libcrypto.
2019-11-18 22:23:05 +11:00
markus@openbsd.org
2c55744a56 upstream: enable ed25519 support; ok djm
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-13 08:54:09 +11:00
djm@openbsd.org
45f17a159a upstream: remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
OpenBSD-Commit-ID: 95a7cafad2a4665d57cabacc28031fabc0bea9fc
2019-11-01 13:33:44 +11:00
djm@openbsd.org
01a0670f69 upstream: Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@

OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
2019-11-01 09:46:09 +11:00
Darren Tucker
850ec1773d Wrap OpenSSL bits in WITH_OPENSSL. 2019-10-28 16:27:53 +11:00
Darren Tucker
1ac98be872 Use the correct macro for SSH_ALLOWED_CA_SIGALGS. 2019-05-17 12:42:17 +10:00
Darren Tucker
633703babf Conditionalize ECDH methods in CA algos.
When building against an OpenSSL configured without ECC, don't include
those algos in CASignatureAlgorithms.  ok djm@
2019-05-17 10:50:29 +10:00
djm@openbsd.org
9b61130fbd upstream: openssh-7.9 accidentally reused the server's algorithm lists
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical
between the client and server, but the error accidentially disabled the
diffie-hellman-group-exchange-sha1 KEX method.

This fixes the client code to use the correct method list, but
because nobody complained, it also disables the
diffie-hellman-group-exchange-sha1 KEX method.

Reported by nuxi AT vault24.org via bz#2697; ok dtucker

OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
2019-02-24 10:51:46 +11:00
djm@openbsd.org
4cc259bac6 upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of
signature algorithms that are allowed for CA signatures. Notably excludes
ssh-dsa.

ok markus@

OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
2018-09-12 16:49:21 +10:00
djm@openbsd.org
4ba0d54794 upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03 23:26:36 +10:00
djm@openbsd.org
70c1218fc4 upstream commit
Don't offer CBC ciphers by default in the client. ok
markus@

Upstream-ID: 94c9ce8d0d1a085052e11c7f3307950fdc0901ef
2017-05-08 09:21:11 +10:00
djm@openbsd.org
0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
djm@openbsd.org
0493766d56 upstream commit
support plain curve25519-sha256 KEX algorithm now that it
is approaching standardisation (same algorithm is currently supported as
curve25519-sha256@libssh.org)

Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2
2016-09-24 05:39:37 +10:00
djm@openbsd.org
da95318dbe upstream commit
remove 3des-cbc from the client's default proposal;
64-bit block ciphers are not safe in 2016 and we don't want to wait until
attacks like sweet32 are extended to SSH.

As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may
cause problems connecting to older devices using the defaults, but
it's highly likely that such devices already need explicit
configuration for KEX and hostkeys anyway.

ok deraadt, markus, dtucker

Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
2016-09-12 13:39:30 +10:00
djm@openbsd.org
0e8eeec8e7 upstream commit
add support for additional fixed DH groups from
 draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-05-02 20:39:32 +10:00
djm@openbsd.org
714e367226 upstream commit
turn off more old crypto in the client: hmac-md5, ripemd,
 truncated HMACs, RC4, blowfish. ok markus@ dtucker@

Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
2016-02-09 16:32:07 +11:00
markus@openbsd.org
3da893fdec upstream commit
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed
 by naddy@

Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
2015-12-07 12:39:20 +11:00
markus@openbsd.org
76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
bdfd29f60b upstream commit
turn off 1024 bit diffie-hellman-group1-sha1 key
 exchange method (already off in server, this turns it off in the client by
 default too) ok dtucker@

Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
2015-07-15 15:35:31 +10:00
djm@openbsd.org
c28fc62d78 upstream commit
delete support for legacy v00 certificates; "sure"
 markus@ dtucker@

Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
2015-07-15 15:35:09 +10:00
Damien Miller
599f01142a fix merge botch that left ",," in KEX algs 2015-05-29 18:03:15 +10:00
dtucker@openbsd.org
3ecde664c9 upstream commit
Reorder client proposal to prefer
 diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1.  ok djm@

Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
2015-05-28 13:53:14 +10:00
jsg@openbsd.org
39bfbf7caa upstream commit
Add back a backslash removed in rev 1.42 so
 KEX_SERVER_ENCRYPT will include aes again.

ok deraadt@
2015-04-29 18:14:21 +10:00
djm@openbsd.org
a22b9ef212 upstream commit
promote chacha20-poly1305@openssh.com to be the default
 cipher; ok markus
2015-03-27 12:00:43 +11:00
Damien Miller
2f3d1e7fb2 - (djm) [myproposal.h] Make curve25519 KEX dependent on
HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
2014-08-19 11:14:36 +10:00
Damien Miller
6262d760e0 - tedu@cvs.openbsd.org 2014/07/11 13:54:34
[myproposal.h]
     by popular demand, add back hamc-sha1 to server proposal for better compat
     with many clients still in use. ok deraadt
2014-07-17 09:52:07 +10:00
Darren Tucker
d7af0cc5bf - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
the proposal if the version of OpenSSL we're using doesn't support ECC.
2014-06-11 07:37:25 +10:00
Damien Miller
294c58a007 - naddy@cvs.openbsd.org 2014/04/30 19:07:48
[mac.c myproposal.h umac.c]
     UMAC can use our local fallback implementation of AES when OpenSSL isn't
     available.  Glue code straight from Ted Krovetz's original umac.c.
     ok markus@
2014-05-15 14:35:03 +10:00
Damien Miller
1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00
Damien Miller
9235a030ad Three commits in one (since they touch the same heavily-diverged file
repeatedly):

   - markus@cvs.openbsd.org 2014/03/25 09:40:03
     [myproposal.h]
     trimm default proposals.

     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
     (arcfour), and the broken modes (CBC) from the default configuration
     (the patch only changes the default, all the modes are still available
     for the config files).

     ok djm@, reminded by tedu@ & naddy@ and discussed with many
   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
     [myproposal.h]
     The current sharing of myproposal[] between both client and server code
     makes the previous diff highly unpallatable.  We want to go in that
     direction for the server, but not for the client.  Sigh.
     Brought up by naddy.
   - markus@cvs.openbsd.org 2014/03/27 23:01:27
     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 13:17:20 +10:00
Damien Miller
5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller
0fde8acdad - djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
     cipher "chacha20-poly1305@openssh.com" that combines Daniel
     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
     authenticated encryption mode.

     Inspired by and similar to Adam Langley's proposal for TLS:
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
     but differs in layout used for the MAC calculation and the use of a
     second ChaCha20 instance to separately encrypt packet lengths.
     Details are in the PROTOCOL.chacha20poly1305 file.

     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
     ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Darren Tucker
37bcef51b3 - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
   latter actually works before using it.  Fedora (at least) has NID_secp521r1
   that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
2013-11-09 18:39:25 +11:00
Darren Tucker
d94240b2f6 - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256. 2013-11-08 21:10:04 +11:00
Damien Miller
1e1242604e - markus@cvs.openbsd.org 2013/11/02 21:59:15
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     use curve25519 for default key exchange (curve25519-sha256@libssh.org);
     initial patch from Aris Adamantiadis; ok djm@
2013-11-04 08:26:52 +11:00
Darren Tucker
b8ae92d08b - (dtucker) [myproposal.h] Make the conditional algorithm support consistent
and add some comments so it's clear what goes where.
2013-06-11 12:10:02 +10:00
Darren Tucker
97b62f41ad - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
the required OpenSSL support.  Patch from naddy at freebsd.
2013-06-11 11:47:24 +10:00
Darren Tucker
2ea9eb77a7 - (dtucker) Enable sha256 kex methods based on the presence of the necessary
functions, not from the openssl version.
2013-06-05 15:04:00 +10:00
Damien Miller
1d75abfe23 - markus@cvs.openbsd.org 2013/01/08 18:49:04
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
     [myproposal.h packet.c ssh_config.5 sshd_config.5]
     support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
     ok and feedback djm@
2013-01-09 16:12:19 +11:00