path: root/kex.c
Each entry lists: commit message, author, age, files changed, lines (-removed/+added)
* upstream: Limit number of entries in SSH2_MSG_EXT_INFO
  dtucker@openbsd.org, 2023-03-12, 1 file, -1/+6
  request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
  OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09
* upstream: Delete obsolete /* ARGSUSED */ lint comments.
  guenther@openbsd.org, 2023-03-08, 1 file, -3/+1
  ok miod@ millert@
  OpenBSD-Commit-ID: 7be168a570264d59e96a7d2d22e927d45fee0e4c
* upstream: Refactor creation of KEX proposal.
  dtucker@openbsd.org, 2023-03-06, 1 file, -1/+58
  This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
  OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b
* upstream: fatal out if allocating banner string fails to avoid
  dtucker@openbsd.org, 2023-03-01, 1 file, -2/+2
  potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
  OpenBSD-Commit-ID: 74e8d228ac00552e96e9e968dfcccf8dd1f46ad5
* upstream: Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code
  dtucker@openbsd.org, 2023-02-17, 1 file, -5/+1
  to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
  OpenBSD-Commit-ID: 6330935fbe23dd00be79891505e06d1ffdac7cda
* upstream: Remove some set but otherwise unused variables, spotted
  dtucker@openbsd.org, 2022-11-07, 1 file, -3/+3
  in -portable by clang 16's -Wunused-but-set-variable. ok djm@
  OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
* upstream: mark const string array contents const too, i.e. static
  djm@openbsd.org, 2022-02-02, 1 file, -2/+2
  const char *array => static const char * const array from Mike Frysinger
  OpenBSD-Commit-ID: a664e31ea6a795d7c81153274a5f47b22bdc9bc1
* upstream: Fix signature algorithm selection logic for
  djm@openbsd.org, 2022-01-07, 1 file, -1/+23
  UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 Mostly by Dmitry Belyavskiy with some tweaks by me. ok markus@
  OpenBSD-Commit-ID: c17ba0c3236340d2c6a248158ebed042ac6a8029
* upstream: EXT_INFO negotiation of hostbound pubkey auth
  djm@openbsd.org, 2021-12-20, 1 file, -2/+20
  the EXT_INFO packet gets a new publickey-hostbound@openssh.com to advertise the hostbound public key method. Client side support to parse this feature flag and set the kex->flags indicator if the expected version is offered (currently "0"). ok markus@
  OpenBSD-Commit-ID: 4cdb2ca5017ec1ed7a9d33bda95c1d6a97b583b0
* upstream: Record session ID, host key and sig at initial KEX
  djm@openbsd.org, 2021-12-20, 1 file, -1/+3
  These will be used later for agent session ID / hostkey binding ok markus@
  OpenBSD-Commit-ID: a9af29e33772b18e3e867c6fa8ab35e1694a81fe
* upstream: highly polished whitespace, mostly fixing spaces-for-tab
  djm@openbsd.org, 2021-04-03, 1 file, -2/+2
  and bad indentation on continuation lines. Prompted by GHPR#185
  OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
* upstream: more strictly enforce KEX state-machine by banning packet
  djm@openbsd.org, 2021-02-01, 1 file, -2/+2
  types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078). ok markus@
  OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
* upstream: fix leak: was double allocating kex->session_id buffer
  djm@openbsd.org, 2021-01-28, 1 file, -4/+6
  OpenBSD-Commit-ID: 3765f4cc3ae1df874dba9102a3588ba7b48b8183
* upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t
  djm@openbsd.org, 2021-01-27, 1 file, -10/+12
  and use that instead of global variables containing copies of it. feedback/ok markus@
  OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
* upstream: remove global variable used to stash compat flags and use the
  djm@openbsd.org, 2021-01-27, 1 file, -2/+2
  purpose-built ssh->compat variable instead; feedback/ok markus@
  OpenBSD-Commit-ID: 7c4f200e112dae6bcf99f5bae1a5629288378a06
* Disable sntrup761 if compiler doesn't support VLAs.
  Darren Tucker, 2021-01-26, 1 file, -0/+2
  The sntrup761 code sourced from supercop uses variable length arrays. Although widely supported, they are not part of the ANSI C89 spec so if the compiler does not support VLAs, disable the sntrup761x25519-sha512@openssh.com KEX method by replacing the kex functions with no-op ones similar to what we do in kexecdh.c. This should allow OpenSSH to build with a plain C89 compiler again. Spotted by tim@, ok djm@.
* upstream: Update/replace the experimental post-quantum hybrid key
  djm@openbsd.org, 2020-12-29, 1 file, -2/+2
  exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note that both the updated method and the one that it replaced are disabled by default)
  OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
* upstream: fix minor memleak of kex->hostkey_alg on rekex
  djm@openbsd.org, 2020-12-04, 1 file, -1/+2
  OpenBSD-Commit-ID: 2c3969c74966d4ccdfeff5e5f0df0791919aef50
* upstream: typos: s/hex/kex/ in error messages
  djm@openbsd.org, 2020-12-04, 1 file, -3/+3
  OpenBSD-Commit-ID: 43a026c9571dd779ec148de1829cf5a6b6651905
* upstream: use the new variant log macros instead of prepending
  djm@openbsd.org, 2020-10-18, 1 file, -53/+47
  __func__ and appending ssh_err(r) manually; ok markus@
  OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: some language improvements; ok markus
  djm@openbsd.org, 2020-07-15, 1 file, -3/+3
  OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
* upstream: use sshpkt_fatal() for kex_exchange_identification()
  djm@openbsd.org, 2020-03-14, 1 file, -3/+11
  errors. This ensures that the logged errors are consistent with other transport-layer errors and that the relevant IP addresses are logged. bz3129 ok dtucker@
  OpenBSD-Commit-ID: 2c22891f0b9e1a6cd46771cedbb26ac96ec2e6ab
* upstream: change explicit_bzero();free() to freezero()
  jsg@openbsd.org, 2020-02-28, 1 file, -3/+2
  While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary. ok deraadt@ djm@
  OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
* upstream: Make zlib optional. This adds a "ZLIB" build time option
  dtucker@openbsd.org, 2020-01-23, 1 file, -2/+5
  that allows building without zlib compression and associated options. With feedback from markus@, ok djm@
  OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
* Wrap poll.h includes in HAVE_POLL_H.
  Darren Tucker, 2019-10-28, 1 file, -0/+2
* upstream: Correct type for end-of-list sentinel; fixes initializer
  dtucker@openbsd.org, 2019-10-09, 1 file, -2/+2
  warnings on some platforms. ok deraadt.
  OpenBSD-Commit-ID: a990dbc2dac25bdfa07e79321349c73fd991efa2
* upstream: Allow prepending a list of algorithms to the default set
  naddy@openbsd.org, 2019-09-08, 1 file, -3/+12
  by starting the list with the '^' character, e.g.
    HostKeyAlgorithms ^ssh-ed25519
    Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
  ok djm@ dtucker@
  OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
* upstream: better error code for bad arguments; inspired by
  djm@openbsd.org, 2019-09-06, 1 file, -2/+5
  OpenBSD-Commit-ID: dfc263b6041de7f0ed921a1de0b81ddebfab1e0a
* upstream: sprinkle in some explicit errors here, otherwise they
  djm@openbsd.org, 2019-09-05, 1 file, -20/+60
  percolate all the way up to dispatch_run_fatal() and lose all meaningful context to help with bz#3063; ok dtucker@
  OpenBSD-Commit-ID: 5b2da83bb1c4a3471444b7910b2120ae36438a0a
* upstream: only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
  djm@openbsd.org, 2019-09-05, 1 file, -3/+4
  OpenBSD-Commit-ID: 00f5c6062f6863769f5447c6346f78c05d2e4a63
* upstream: fix reversed arguments to kex_load_hostkey(); manifested as
  djm@openbsd.org, 2019-01-21, 1 file, -2/+2
  errors in cert-hostkey.sh regress failures.
  OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
* upstream: rename kex->kem_client_pub -> kex->client_pub now that
  djm@openbsd.org, 2019-01-21, 1 file, -2/+2
  KEM has been renamed to kexgen from markus@ ok djm@
  OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
* upstream: remove kex_derive_keys_bn wrapper; now unused since the
  djm@openbsd.org, 2019-01-21, 1 file, -18/+1
  DH-like KEX methods have moved to KEM from markus@ ok djm@
  OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
* upstream: Add support for a PQC KEX/KEM:
  djm@openbsd.org, 2019-01-21, 1 file, -2/+5
  sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@
  OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
* upstream: factor out kex_verify_hostkey() - again, duplicated
  djm@openbsd.org, 2019-01-21, 1 file, -1/+17
  almost exactly across client and server for several KEX methods. from markus@ ok djm@
  OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
* upstream: factor out kex_load_hostkey() - this is duplicated in
  djm@openbsd.org, 2019-01-21, 1 file, -1/+19
  both the client and server implementations for most KEX methods. from markus@ ok djm@
  OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
* upstream: save the derived session id in kex_derive_keys() rather
  djm@openbsd.org, 2019-01-21, 1 file, -1/+9
  than making each kex method implementation do it. from markus@ ok djm@
  OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
* upstream: move client/server SSH-* banners to buffers under
  djm@openbsd.org, 2018-12-27, 1 file, -27/+267
  ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server. Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn). Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
  OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
* upstream: only consider the ext-info-c extension during the initial
  djm@openbsd.org, 2018-12-27, 1 file, -2/+4
  KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients. Reported by Jakub Jelen via bz2929; ok dtucker@
  OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
* upstream: Revert previous two commits
  sf@openbsd.org, 2018-07-10, 1 file, -1/+3
  It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
    date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
    Rename COMP_DELAYED to COMP_ZLIB
    Only delayed compression is supported nowadays. ok markus@
    date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
    Remove leftovers from pre-authentication compression
    Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@
  OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
* upstream: Rename COMP_DELAYED to COMP_ZLIB
  sf@openbsd.org, 2018-07-10, 1 file, -2/+2
  Only delayed compression is supported nowadays. ok markus@
  OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
* upstream: Remove leftovers from pre-authentication compression
  sf@openbsd.org, 2018-07-10, 1 file, -3/+1
  Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@
  OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
* upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
  djm@openbsd.org, 2018-07-04, 1 file, -17/+78
  signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@
  OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
* upstream: Improve strictness and control over RSA-SHA2 signature
  djm@openbsd.org, 2018-07-03, 1 file, -12/+5
  In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@
  OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
* upstream commit
  jsing@openbsd.org, 2018-02-08, 1 file, -5/+3
  Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards. Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github. ok deraadt@ dtucker@
  OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
* upstream commit
  djm@openbsd.org, 2018-01-23, 1 file, -6/+2
  Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations. ok markus@
  OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
* upstream commit
  djm@openbsd.org, 2017-06-13, 1 file, -5/+13
  Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value. Reported by Denis Bider; ok markus@
  Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c
* upstream commit
  markus@openbsd.org, 2017-05-31, 1 file, -10/+6
  protocol handlers all get struct ssh passed; ok djm@
  Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
* upstream commit
  djm@openbsd.org, 2017-05-01, 1 file, -42/+1
  unifdef WITH_SSH1 ok markus@
  Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
* Remove SHA256 EVP wrapper implementation.
  Darren Tucker, 2017-03-29, 1 file, -8/+0
  All supported versions of OpenSSL should now have SHA256 so remove our EVP wrapper implementation. ok djm@