Commit Graph

105 Commits

Author SHA1 Message Date
djm@openbsd.org 7bdfc20516
upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.
DSA remains unconverted as it will be removed within six months.

Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).

ok tb@

OpenBSD-Commit-ID: d098744e89f1dc7e5952a6817bef234eced648b5
2024-08-15 12:07:59 +10:00
jsg@openbsd.org dcd79fa141
upstream: remove prototypes with no matching function; ok djm@
OpenBSD-Commit-ID: 6d9065dadea5f14a01bece0dbfe2fba1be31c693
2024-05-22 14:21:13 +10:00
djm@openbsd.org 03e3de416e
upstream: Start the process of splitting sshd into separate
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
2024-05-17 14:41:35 +10:00
djm@openbsd.org 1edb00c58f
upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@

OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
2023-12-19 01:51:11 +11:00
djm@openbsd.org 7603ba7126
upstream: Add keystroke timing obfuscation to the client.
This attempts to hide inter-keystroke timings by sending interactive
traffic at fixed intervals (default: every 20ms) when there is only a
small amount of data being sent. It also sends fake "chaff" keystrokes
for a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword/

feedback/ok markus@

OpenBSD-Commit-ID: 02231ddd4f442212820976068c34a36e3c1b15be
2023-08-28 13:34:10 +10:00
djm@openbsd.org b30d32159d upstream: add a ssh_packet_process_read() function that reads from
a fd directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@

OpenBSD-Commit-ID: df4112125bf79d8e38e79a77113e1b373078e632
2022-01-25 12:18:35 +11:00
djm@openbsd.org 073f45c236 upstream: Explicitly check for and start time-based rekeying in the
client and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@

OpenBSD-Commit-ID: 4356cf50d7900f3df0a8f2117d9e07c91b9ff987
2021-07-16 19:21:04 +10:00
markus@openbsd.org 714e1cbca1 upstream: sshpkt_fatal() does not return; ok djm
OpenBSD-Commit-ID: 7dfe847e28bd78208eb227b37f29f4a2a0929929
2020-03-13 13:13:30 +11:00
djm@openbsd.org 670104b923 upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
2019-09-06 17:54:21 +10:00
djm@openbsd.org 71e67fff94 upstream: pass values used in KEX hash computation as sshbuf
rather than pointer+len

suggested by me; implemented by markus@ ok me

OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
2019-01-21 23:13:03 +11:00
djm@openbsd.org 7be8572b32 upstream: Make sshpkt_get_bignum2() allocate the bignum it is
parsing rather than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@

OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
2019-01-21 21:47:28 +11:00
djm@openbsd.org ad60b1179c upstream: allow sshpkt_fatal() to take a varargs format; we'll
use this to give packet-related fatal error messages more context (esp. the
remote endpoint) ok markus@

OpenBSD-Commit-ID: de57211f9543426b515a8a10a4f481666b2b2a50
2019-01-20 09:02:20 +11:00
djm@openbsd.org 0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
markus@openbsd.org 89dd615b8b upstream: ttymodes: switch to sshbuf API; ok djm@
OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429
2018-07-10 15:19:12 +10:00
sf@openbsd.org f28a4d5cd2 upstream: Remove unused ssh_packet_start_compression()
ok markus@

OpenBSD-Commit-ID: 9d34cf2f59aca5422021ae2857190578187dc2b4
2018-07-10 15:13:40 +10:00
dtucker@openbsd.org 48c23a39a8 upstream commit
Put remote client info back into the ClientAlive
connection termination message.  Based in part on diff from  lars.nooden at
gmail, ok djm

OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0
2017-12-12 10:32:04 +11:00
djm@openbsd.org 35eb33fb95 upstream commit
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
2017-10-25 12:26:13 +11:00
djm@openbsd.org dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
markus@openbsd.org 1e0cdf8efb upstream commit
clear session keys from memory; ok djm@

Upstream-ID: ecd178819868975affd5fd6637458b7c712b6a0f
2017-06-01 14:54:46 +10:00
markus@openbsd.org 5f4082d886 upstream commit
sshd: pass struct ssh to auth functions; ok djm@

Upstream-ID: b00a80c3460884ebcdd14ef550154c761aebe488
2017-05-31 10:49:50 +10:00
naddy@openbsd.org 768405fddf upstream commit
remove miscellaneous SSH1 leftovers; ok markus@

Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
2017-05-08 09:18:27 +10:00
djm@openbsd.org 3d6d09f2e9 upstream commit
remove SSHv1 support from packet and buffer APIs

ok markus@

Upstream-ID: bfc290053d40b806ecac46317d300677d80e1dc9
2017-05-01 10:05:02 +10:00
djm@openbsd.org 97f4d3083b upstream commit
remove compat20/compat13/compat15 variables

ok markus@

Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
2017-05-01 09:42:37 +10:00
djm@openbsd.org 07edd7e953 upstream commit
add ssh_packet_set_log_preamble() to allow inclusion of a
preamble string in disconnect messages; ok markus@

Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
2017-02-04 10:08:15 +11:00
dtucker@openbsd.org c998bf0afa upstream commit
Make ssh_packet_set_rekey_limits take u32 for the number of
seconds until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned comparison
warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@

Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
2017-02-03 14:34:25 +11:00
djm@openbsd.org 39af7b444d upstream commit
Add a per-packet input hook that is called with the
decrypted packet contents. This will be used for fuzzing; ok markus@

Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
2016-10-13 18:55:25 +11:00
markus@openbsd.org 8d05784785 upstream commit
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
server acts as a proxy, translates channel IDs and relays to the server. - no
filedescriptor passing necessary. - combined with unix-domain forwarding it's
even possible to run mux client   and server on different machines. feedback
& ok djm@

Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2016-10-01 02:45:10 +10:00
djm@openbsd.org 0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
djm@openbsd.org 95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
djm@openbsd.org 19bcf2ea2d upstream commit
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@

Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
2016-02-08 21:58:32 +11:00
dtucker@openbsd.org 921ff00b0a upstream commit
Allow RekeyLimits in excess of 4G up to 2**63 bits
 (limited by the return type of scan_scaled).  Part of bz#2521, ok djm.

Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2016-01-30 11:19:13 +11:00
markus@openbsd.org a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
djm@openbsd.org a4b9e0f4e4 upstream commit
include remote port number in a few more messages; makes
 tying log messages together into a session a bit easier; bz#2503 ok dtucker@

Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
2015-12-18 14:50:10 +11:00
Tim Rice 910209203d cleaner way fix dispatch.h portion of commit
a88dd1da11
(some systems have sig_atomic_t in signal.h, some in sys/signal.h)
Sounds good to me djm@
2015-02-23 22:06:56 -08:00
Damien Miller 62f678dd51 nother sys/queue.h -> sys-queue.h fix
spotted by Tom Christensen
2015-02-24 09:02:54 +11:00
Damien Miller 773dda25e8 repair --without-openssl; broken in refactor 2015-02-18 22:29:32 +11:00
djm@openbsd.org 4509b5d4a4 upstream commit
avoid more fatal/exit in the packet.c paths that
 ssh-keyscan uses; feedback and "looks good" markus@
2015-01-30 12:18:59 +11:00
djm@openbsd.org fae7bbe544 upstream commit
avoid fatal() calls in packet code makes ssh-keyscan more
 reliable against server failures ok dtucker@ markus@
2015-01-29 09:08:07 +11:00
markus@openbsd.org f582f0e917 upstream commit
add experimental api for packet layer; ok djm@
2015-01-20 09:23:46 +11:00
markus@openbsd.org 3fdc88a0de upstream commit
move dispatch to struct ssh; ok djm@
2015-01-20 09:14:16 +11:00
markus@openbsd.org 091c302829 upstream commit
update packet.c & isolate, introduce struct ssh a) switch
 packet.c to buffer api and isolate per-connection info into struct ssh b)
 (de)serialization of the state is moved from monitor to packet.c c) the old
 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
 integrated into packet.c with and ok djm@
2015-01-20 09:13:01 +11:00
Damien Miller c31a0cd5b3 - markus@cvs.openbsd.org 2014/05/03 17:20:34
[monitor.c packet.c packet.h]
     unbreak compression, by re-init-ing the compression code in the
     post-auth child. the new buffer code is more strict, and requires
     buffer_init() while the old code was happy after a bzero();
     originally from djm@
2014-05-15 14:37:39 +10:00
Damien Miller 633de33b19 - djm@cvs.openbsd.org 2014/04/28 03:09:18
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
     [ssh-keygen.c]
     buffer_get_string_ptr's return should be const to remind
     callers that futzing with it will futz with the actual buffer
     contents
2014-05-15 13:48:26 +10:00
Damien Miller ce98654674 - djm@cvs.openbsd.org 2013/07/12 00:19:59
[auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
     [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
     fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
2013-07-18 16:12:44 +10:00
Darren Tucker c53c2af173 - dtucker@cvs.openbsd.org 2013/05/16 02:00:34
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
     ssh_config.5 packet.h]
     Add an optional second argument to RekeyLimit in the client to allow
     rekeying based on elapsed time in addition to amount of traffic.
     with djm@ jmc@, ok djm
2013-05-16 20:28:16 +10:00
Damien Miller 72de982def - markus@cvs.openbsd.org 2012/01/25 19:40:09
[packet.c packet.h]
     packet_read_poll() is not used anymore.
2012-02-11 08:19:21 +11:00
Damien Miller d2ac5d74b4 - djm@cvs.openbsd.org 2011/05/06 21:14:05
[packet.c packet.h]
     set traffic class for IPv6 traffic as we do for IPv4 TOS;
     patch from lionel AT mamane.lu via Colin Watson in bz#1855;
     ok markus@
2011-05-15 08:43:13 +10:00
Damien Miller 0dac6fb6b2 - djm@cvs.openbsd.org 2010/11/13 23:27:51
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
     [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
     allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
     hardcoding lowdelay/throughput.

     bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
Darren Tucker 8ccb7392e7 - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs
for missing headers and compiler warnings.
2010-09-10 12:28:24 +10:00
Damien Miller eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00