Commit Graph

198 Commits

Author SHA1 Message Date
Damien Miller
bcd00abd84 - markus@cvs.openbsd.org 2013/12/06 13:34:54
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
     [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
     default; details in PROTOCOL.key; feedback and lots help from djm;
     ok djm@
2013-12-07 10:41:55 +11:00
Damien Miller
0fde8acdad - djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
     cipher "chacha20-poly1305@openssh.com" that combines Daniel
     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
     authenticated encryption mode.

     Inspired by and similar to Adam Langley's proposal for TLS:
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
     but differs in layout used for the MAC calculation and the use of a
     second ChaCha20 instance to separately encrypt packet lengths.
     Details are in the PROTOCOL.chacha20poly1305 file.

     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
     ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Damien Miller
6c81fee693 - djm@cvs.openbsd.org 2013/11/08 00:39:15
[auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
     [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
     [sftp-client.c sftp-glob.c]
     use calloc for all structure allocations; from markus@
2013-11-08 12:19:55 +11:00
Damien Miller
ce98654674 - djm@cvs.openbsd.org 2013/07/12 00:19:59
[auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
     [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
     fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
2013-07-18 16:12:44 +10:00
Darren Tucker
b759c9c2ef - dtucker@cvs.openbsd.org 2013/06/01 13:15:52
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
     channels.c sandbox-systrace.c]
     Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
     keepalives and rekeying will work properly over clock steps.  Suggested by
     markus@, "looks good" djm@.
2013-06-02 07:46:16 +10:00
Darren Tucker
a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Darren Tucker
5f96f3b4be - dtucker@cvs.openbsd.org 2013/05/16 04:09:14
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
     sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
     rekeying based on traffic volume or time.  ok djm@, help & ok jmc@ for the man
     page.
2013-05-16 20:29:28 +10:00
Darren Tucker
c53c2af173 - dtucker@cvs.openbsd.org 2013/05/16 02:00:34
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
     ssh_config.5 packet.h]
     Add an optional second argument to RekeyLimit in the client to allow
     rekeying based on elapsed time in addition to amount of traffic.
     with djm@ jmc@, ok djm
2013-05-16 20:28:16 +10:00
Damien Miller
ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller
d5edefd27a - djm@cvs.openbsd.org 2013/04/11 02:27:50
[packet.c]
     quiet disconnect notifications on the server from error() back to logit()
     if it is a normal client closure; bz#2057 ok+feedback dtucker@
2013-04-23 15:21:39 +10:00
Damien Miller
894926ebd8 - djm@cvs.openbsd.org 2013/02/10 23:35:24
[packet.c]
     record "Received disconnect" messages at ERROR rather than INFO priority,
     since they are abnormal and result in a non-zero ssh exit status; patch
     from Iain Morgan in bz#2057; ok dtucker@
2013-02-12 11:03:58 +11:00
Damien Miller
1d75abfe23 - markus@cvs.openbsd.org 2013/01/08 18:49:04
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
     [myproposal.h packet.c ssh_config.5 sshd_config.5]
     support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
     ok and feedback djm@
2013-01-09 16:12:19 +11:00
Damien Miller
8c05da3326 - markus@cvs.openbsd.org 2012/12/12 16:45:52
[packet.c]
     reset incoming_packet buffer for each new packet in EtM-case, too;
     this happens if packets are parsed only parially (e.g. ignore
     messages sent when su/sudo turn off echo); noted by sthen/millert
2012-12-13 07:18:59 +11:00
Damien Miller
af43a7ac2d - markus@cvs.openbsd.org 2012/12/11 22:31:18
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
     [packet.c ssh_config.5 sshd_config.5]
     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
     that change the packet format and compute the MAC over the encrypted
     message (including the packet size) instead of the plaintext data;
     these EtM modes are considered more secure and used by default.
     feedback and ok djm@
2012-12-12 10:46:31 +11:00
Darren Tucker
302889a1b0 - markus@cvs.openbsd.org 2012/09/17 13:04:11
[packet.c]
     clear old keys on rekeing; ok djm
2012-10-05 10:42:53 +10:00
Damien Miller
54c38d24c6 - (djm) [packet.c] bz#1963: Fix IPQoS not being set on non-mapped v4-in-v6
addressed connections. ok dtucker@
2012-03-09 10:28:07 +11:00
Damien Miller
72de982def - markus@cvs.openbsd.org 2012/01/25 19:40:09
[packet.c packet.h]
     packet_read_poll() is not used anymore.
2012-02-11 08:19:21 +11:00
Damien Miller
1de2cfe9a9 - markus@cvs.openbsd.org 2012/01/25 19:26:43
[packet.c]
     do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying;
     ok dtucker@, djm@
2012-02-11 08:18:43 +11:00
Damien Miller
8ed4de8f1d - djm@cvs.openbsd.org 2011/12/07 05:44:38
[auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
     fix some harmless and/or unreachable int overflows;
     reported Xi Wang, ok markus@
2011-12-19 10:52:50 +11:00
Damien Miller
23f425b48b - (djm) [packet.c] unbreak portability #endif 2011-05-15 08:58:15 +10:00
Damien Miller
d2ac5d74b4 - djm@cvs.openbsd.org 2011/05/06 21:14:05
[packet.c packet.h]
     set traffic class for IPv6 traffic as we do for IPv4 TOS;
     patch from lionel AT mamane.lu via Colin Watson in bz#1855;
     ok markus@
2011-05-15 08:43:13 +10:00
Darren Tucker
4b6cbf7aab - (dtucker) [packet.c] Remove redundant local declaration of "int tos". 2010-11-24 10:46:37 +11:00
Damien Miller
0dac6fb6b2 - djm@cvs.openbsd.org 2010/11/13 23:27:51
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
     [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
     allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
     hardcoding lowdelay/throughput.

     bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
Damien Miller
7a221a1591 - djm@cvs.openbsd.org 2010/11/05 02:46:47
[packet.c]
     whitespace KNF
2010-11-20 15:14:29 +11:00
Damien Miller
6af914a15c - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
   [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
   platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 11:39:26 +10:00
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
da108ece68 - djm@cvs.openbsd.org 2010/08/31 09:58:37
[auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c]
     [packet.h ssh-dss.c ssh-rsa.c]
     Add buffer_get_cstring() and related functions that verify that the
     string extracted from the buffer contains no embedded \0 characters*
     This prevents random (possibly malicious) crap from being appended to
     strings where it would not be noticed if the string is used with
     a string(3) function.

     Use the new API in a few sensitive places.

     * actually, we allow a single one at the end of the string for now because
     we don't know how many deployed implementations get this wrong, but don't
     count on this to remain indefinitely.
2010-08-31 22:36:39 +10:00
Damien Miller
ea1651c98e - djm@cvs.openbsd.org 2010/07/13 23:13:16
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c]
     [ssh-rsa.c]
     s/timing_safe_cmp/timingsafe_bcmp/g
2010-07-16 13:58:37 +10:00
Damien Miller
8a0268f1b3 - djm@cvs.openbsd.org 2010/07/13 11:52:06
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
     [packet.c ssh-rsa.c]
     implement a timing_safe_cmp() function to compare memory without leaking
     timing information by short-circuiting like memcmp() and use it for
     some of the more sensitive comparisons (though nothing high-value was
     readily attackable anyway); "looks ok" markus@
2010-07-16 13:57:51 +10:00
Damien Miller
ea43742e77 pull in 5.3 release changes from branch:
20090926
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
         [contrib/suse/openssh.spec] Update for release
 - (djm) [README] update relnotes URL
 - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
 - (djm) Release 5.3p1
2009-10-02 11:49:03 +10:00
Darren Tucker
e841eb0654 - andreas@cvs.openbsd.org 2009/06/27 09:29:06
[packet.h packet.c]
     packet_bacup_state() and packet_restore_state() will be used to
     temporarily save the current state ren resuming a suspended connection.
     ok markus@
2009-07-06 07:11:13 +10:00
Darren Tucker
7b935c79f4 - andreas@cvs.openbsd.org 2009/06/12 20:58:32
[packet.c]
     Move some more statics into session_state
     ok markus@ djm@
2009-06-21 18:59:36 +10:00
Darren Tucker
b422afa41f - andreas@cvs.openbsd.org 2009/06/12 20:43:22
[monitor.c packet.c]
     Fix warnings found by chl@ and djm@ and change roaming_atomicio's
     return type to match atomicio's
     Diff from djm@, ok markus@
2009-06-21 18:58:46 +10:00
Darren Tucker
c5564e1c4c - andreas@cvs.openbsd.org 2009/05/28 16:50:16
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
     monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
     Keep track of number of bytes read and written. Needed for upcoming
     changes. Most code from Martin Forssen, maf at appgate dot com.
     ok markus@
     Also, applied appropriate changes to Makefile.in
2009-06-21 18:53:53 +10:00
Darren Tucker
761c38918a - andreas@cvs.openbsd.org 2009/05/27 06:38:16
[sshconnect.h sshconnect.c]
     Un-static ssh_exchange_identification(), part of a larger change from
     Martin Forssen and needed for upcoming changes.
     ok markus@
2009-06-21 18:16:26 +10:00
Darren Tucker
f7288d77e4 - andreas@cvs.openbsd.org 2009/05/27 06:31:25
[canohost.h canohost.c]
     Add clear_cached_addr(), needed for upcoming changes allowing the peer
     address to change.
     ok markus@
2009-06-21 18:12:20 +10:00
Damien Miller
61433bec80 - markus@cvs.openbsd.org 2009/02/13 11:50:21
[packet.c]
     check for enc !=NULL in packet_start_discard
2009-02-14 16:35:01 +11:00
Damien Miller
13ae44ce58 - markus@cvs.openbsd.org 2009/01/26 09:58:15
[cipher.c cipher.h packet.c]
     Work around the CPNI-957037 Plaintext Recovery Attack by always
     reading 256K of data on packet size or HMAC errors (in CBC mode only).
     Help, feedback and ok djm@
     Feedback from Martin Albrecht and Paterson Kenny
2009-01-28 16:38:41 +11:00
Darren Tucker
99d11a3ed2 - markus@cvs.openbsd.org 2008/11/21 15:47:38
[packet.c]
     packet_disconnect() on padding error, too.  should reduce the success
     probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
     ok djm@
2008-12-01 21:40:48 +11:00
Damien Miller
b61f3fc31f - markus@cvs.openbsd.org 2008/07/10 18:08:11
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c]
     sync v1 and v2 traffic accounting; add it to sshd, too;
     ok djm@, dtucker@
2008-07-11 17:36:48 +10:00
Damien Miller
d874fa517b - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/07/04 23:08:25
     [packet.c]
     handle EINTR in packet_write_poll()l ok dtucker@
2008-07-05 09:40:56 +10:00
Damien Miller
d8968adb5f - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h]
[packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c]
   [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on
   some platforms (HP nonstop) it is a distinct errno;
   bz#1467 reported by sconeu AT yahoo.com; ok dtucker@
2008-07-04 23:10:49 +10:00
Darren Tucker
99bb7619d4 - deraadt@cvs.openbsd.org 2008/06/13 09:44:36
[packet.c]
     compile on older gcc; no decl after code
2008-06-13 22:02:50 +10:00
Darren Tucker
3fc464efdc - dtucker@cvs.openbsd.org 2008/06/12 20:38:28
[sshd.c sshconnect.c packet.h misc.c misc.h packet.c]
     Make keepalive timeouts apply while waiting for a packet, particularly
     during key renegotiation (bz #1363).  With djm and Matt Day, ok djm@
2008-06-13 06:42:45 +10:00
Darren Tucker
136e56f689 - djm@cvs.openbsd.org 2008/05/19 06:14:02
[packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@
2008-06-08 12:49:30 +10:00
Damien Miller
db255cad05 - markus@cvs.openbsd.org 2008/05/08 06:59:01
[bufaux.c buffer.h channels.c packet.c packet.h]
     avoid extra malloc/copy/free when receiving data over the net;
     ~10% speedup for localhost-scp; ok djm@
2008-05-19 14:59:37 +10:00
Damien Miller
58226f6068 - dtucker@cvs.openbsd.org 2008/02/22 20:44:02
[clientloop.c packet.c packet.h serverloop.c]
     Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
     keepalive timer (bz #1307).  ok markus@
2008-03-07 18:33:30 +11:00
Damien Miller
5ed3d575f9 - dtucker@cvs.openbsd.org 2008/01/23 01:56:54
[clientloop.c packet.c serverloop.c]
     Revert the change for bz #1307 as it causes connection aborts if an IGNORE
     packet arrives while we're waiting in packet_read_expect (and possibly
     elsewhere).
2008-02-10 22:27:47 +11:00
Darren Tucker
d6725f04e2 - dtucker@cvs.openbsd.org 2007/12/28 15:32:24
[clientloop.c serverloop.c packet.c]
     Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
     ServerAlive and ClientAlive timers.  Prevents dropping a connection
     when these are enabled but the peer does not support our keepalives.
     bz #1307, ok djm@.
2007-12-29 02:45:07 +11:00
Damien Miller
e45796f7b4 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
     must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
     compared to hmac-md5. Represents a different approach to message
     authentication to that of HMAC that may be beneficial if HMAC based on
     one of its underlying hash algorithms is found to be vulnerable to a
     new attack.  http://www.ietf.org/rfc/rfc4418.txt
     in conjunction with and OK djm@
2007-06-11 14:01:42 +10:00