| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES CTR mode. Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have CTR, so this is no longer needed. ok djm@
|
| |
|
|
|
|
|
| |
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES GCM mode. Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have GCM, so this is no longer needed. ok djm@
|
| | |
|
| |
|
|
|
|
| |
and bad indentation on continuation lines. Prompted by GHPR#185
OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
|
| |
|
|
|
|
|
|
|
|
|
| |
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc which was
standardized in RFC4253 (2006), has been deprecated and disabled by default
since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
This will reduce the amount of work the cipher/kex regression tests need
to do by a little bit. ok markus@ djm@
OpenBSD-Commit-ID: fb460acc18290a998fd70910b19c29b4e4f199ad
|
| |
|
|
|
|
| |
part of a larger diff at a2k20
OpenBSD-Commit-ID: a4609b7263284f95c9417ef60ed7cdbb7bf52cfd
|
| |
|
|
| |
OpenBSD-Commit-ID: 166ea64f6d84f7bac5636dbd38968592cb5eb924
|
| |
|
|
|
|
|
|
|
|
| |
While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.
ok deraadt@ djm@
OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
|
| |
|
|
|
|
|
| |
that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@
OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
|
| |
|
|
| |
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
|
| |
|
|
| |
Polyfill missing API with replacement functions extracted from LibreSSL
|
| |
|
|
|
|
| |
OpenSSH; feedback and ok tb@ jsing@ markus@
OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
|
| |
|
|
| |
Patch from hongxu.jia at windriver.com, ok djm@
|
| |
|
|
|
|
|
|
|
| |
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@
OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
|
| |
|
|
| |
OpenBSD-Commit-ID: 674edd214d0a7332dd4623c9cf8117301b012890
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.
ok deraadt@ dtucker@
OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
|
| |
|
|
|
|
|
| |
avoid unused variable warnings for !WITH_OPENSSL; patch from
Marcus Folkesson
OpenBSD-Commit-ID: c01d27a3f907acdc3dd4ea48170fac3ba236d229
|
| |
|
|
|
|
|
| |
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
|
| |
|
|
|
|
|
| |
another tentacle: cipher_set_key_string() was only ever
used for SSHv1
Upstream-ID: 7fd31eb6c48946f7e7cc12af0699fe8eb637e94a
|
| |
|
|
|
|
|
| |
fixup setting ciphercontext->plaintext (lost in SSHv1 purge),
though it isn't really used for much anymore.
Upstream-ID: 859b8bce84ff4865b32097db5430349d04b9b747
|
| |
|
|
|
|
| |
remove SSHv1 ciphers; ok markus@
Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
|
| |
|
|
|
|
| |
unifdef WITH_SSH1 ok markus@
Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
|
| |
|
|
| |
ok dtucker@
|
| |
|
|
|
|
|
| |
small refactor of cipher.c: make ciphercontext opaque to
callers feedback and ok markus@
Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
|
| |
|
|
| |
bz#2466 ok dtucker@
|
| |
|
|
|
|
|
|
| |
Remove NULL-checks before free().
ok dtucker@
Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
|
| |
|
|
|
| |
make non-OpenSSL aes-ctr work on sshd w/ privsep; ok
markus@
|
| |
|
|
| |
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
[sshconnect2.c sshd.c sshkey.c sshkey.h
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.
NB. This commit also removes portable OpenSSH support for OpenSSL
<0.9.8e.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
[kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
[roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
[ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm
|
| |
|
|
|
|
| |
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
|
| |
|
|
|
|
|
|
|
|
|
| |
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c]
convert memset of potentially-private data to explicit_bzero()
|
| |
|
|
|
| |
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
replace openssl MD5 with our ssh_digest_*; ok djm@
|
| |
|
|
|
|
|
|
|
|
| |
[cipher.c cipher.h kex.c kex.h kexgexc.c]
Add a special case for the DH group size for 3des-cbc, which has an
effective strength much lower than the key size. This causes problems
with some cryptlib implementations, which don't support group sizes larger
than 4k but also don't use the largest group size it does support as
specified in the RFC. Based on a patch from Petr Lautrbach at Redhat,
reduced by me with input from Markus. ok djm@ markus@
|
| |
|
|
|
|
|
| |
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
[ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
default; details in PROTOCOL.key; feedback and lots help from djm;
ok djm@
|
| |
|
|
|
|
|
|
| |
[cipher.c]
correct bzero of chacha20+poly1305 key context. bz#2177 from
Loganaden Velvindron @ AfriNIC
Also make it a memset for consistency with the rest of cipher.c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
|
| |
|
|
|
|
| |
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@
|
| |
|
|
|
|
|
|
| |
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
[key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@
|
| |
|
|
|
|
| |
[Makefile.in acss.c acss.h cipher-acss.c cipher.c]
[openbsd-compat/openssl-compat.h]
remove ACSS, now that it is gone from libcrypto too
|
| |
|
|
|
| |
[cipher.c]
improve error message for integrity failure in AES-GCM modes; ok markus@
|
| |
|
|
|
| |
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
cipher compat code to openssl-compat.h
|
| |
|
|
|
|
|
| |
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
[myproposal.h packet.c ssh_config.5 sshd_config.5]
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@
|
| | |
|
| |
|
|
| |
compat code for older OpenSSL
|
| |
|
|
|
|
|
|
|
|
| |
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
[packet.c ssh_config.5 sshd_config.5]
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@
|
| |
|
|
|
|
|
|
| |
[cipher.c cipher.h packet.c]
Work around the CPNI-957037 Plaintext Recovery Attack by always
reading 256K of data on packet size or HMAC errors (in CBC mode only).
Help, feedback and ok djm@
Feedback from Martin Albrecht and Paterson Kenny
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
|
