path: root/kex.h
Commit message (author, date, files changed, lines -removed/+added)
* upstream: Add experimental support for hybrid post-quantum key exchange (djm@openbsd.org, 2024-09-02, 1 file, -1/+10)
  ML-KEM768 with ECDH/X25519 from the Internet-draft: https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
  This is based on previous patches from markus@ but adapted to use the final FIPS203 standard ML-KEM using a formally-verified implementation from libcrux.
  Note this key exchange method is still a draft and thus subject to change. It is therefore disabled by default; set MLKEM=yes to build it. We're making it available now to make it easy for other SSH implementations to test against it.
  ok markus@ deraadt@
  OpenBSD-Commit-ID: 02a8730a570b63fa8acd9913ec66353735dea42c
* upstream: As defined in the RFC, the SSH protocol has negotiable (deraadt@openbsd.org, 2024-08-27, 1 file, -3/+1)
  compression support (which is requested as the name "zlib"). Compression starts very early in the session.
  Relatively early in OpenSSH lifetime, privsep was added to sshd, and this required a shared-memory hack so the two processes could see what was going on in the dataflow. This shared-memory hack was soon recognized as a tremendous complexity risk, because it put libz (which very much trusts its memory) in a dangerous place, and a new option ("zlib@openssh.com") was added that begins compression after authentication (aka delayed-compression). That change also permitted removal of the shared-memory hack.
  Despite removal from the server, the old "zlib" support remained in the client, to allow negotiation with non-OpenSSH daemons which lack the delayed-compression option.
  This commit deletes support for the older "zlib" option in the client. It reduces our featureset in a small way, and encourages other servers to move to a better design. The SSH protocol is different enough that compressed-key-material attacks like BEAST are unlikely, but who wants to take the chance?
  We encourage other ssh servers who care about optional compression support to add delayed-zlib support. (Some already do "zlib@openssh.com")
  ok djm markus
  OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72
* upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned, so (djm@openbsd.org, 2024-08-23, 1 file, -2/+3)
  we can make the algorithm available without the @openssh.com suffix too.
  ok markus@ deraadt@
  OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
* upstream: Start the process of splitting sshd into separate (djm@openbsd.org, 2024-05-17, 1 file, -2/+7)
  binaries. This step splits sshd into a listener and a session binary. More splits are planned.
  After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
  This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
  feedback/ok markus@ deraadt@
  NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
  OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
* upstream: whitespace (djm@openbsd.org, 2024-02-19, 1 file, -5/+5)
  OpenBSD-Commit-ID: b24680bc755b621ea801ff8edf6f0f02b68edae1
* upstream: add "ext-info-in-auth@openssh.com" extension (djm@openbsd.org, 2023-12-18, 1 file, -1/+6)
  This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to.
  This lets sshd update the acceptable signature algorithms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated.
  Full details in the PROTOCOL file
  OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
* upstream: implement "strict key exchange" in ssh and sshd (djm@openbsd.org, 2023-12-18, 1 file, -1/+2)
  This adds a protocol extension to improve the integrity of the SSH transport protocol, particularly in and around the initial key exchange (KEX) phase.
  Full details of the extension are in the PROTOCOL file.
  with markus@
  OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
* upstream: Introduce a transport-level ping facility (djm@openbsd.org, 2023-08-28, 1 file, -1/+2)
  This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".
  ok markus@
  OpenBSD-Commit-ID: b6b3c4cb2084c62f85a8dc67cf74954015eb547f
* upstream: Refactor creation of KEX proposal. (dtucker@openbsd.org, 2023-03-06, 1 file, -1/+4)
  This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions.
  With & ok djm@.
  OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b
* upstream: Fix signature algorithm selection logic for (djm@openbsd.org, 2022-01-06, 1 file, -1/+3)
  UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
  Mostly by Dmitry Belyavskiy with some tweaks by me.
  ok markus@
  OpenBSD-Commit-ID: c17ba0c3236340d2c6a248158ebed042ac6a8029
* upstream: client side of host-bound pubkey authentication (djm@openbsd.org, 2021-12-19, 1 file, -3/+5)
  Add kex->flags member to enable the publickey-hostbound-v00@openssh.com authentication method.
  Use the new hostbound method in client if the kex->flags flag was set, and include the initial KEX hostkey in the userauth request.
  Note: nothing in kex.c actually sets the new flag yet
  ok markus@
  OpenBSD-Commit-ID: 5a6fce8c6c8a77a80ee1526dc467d91036a5910d
* upstream: Record session ID, host key and sig at initial KEX (djm@openbsd.org, 2021-12-19, 1 file, -1/+4)
  These will be used later for agent session ID / hostkey binding
  ok markus@
  OpenBSD-Commit-ID: a9af29e33772b18e3e867c6fa8ab35e1694a81fe
* upstream: more strictly enforce KEX state-machine by banning packet (djm@openbsd.org, 2021-01-31, 1 file, -1/+2)
  types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).
  ok markus@
  OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
* upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t (djm@openbsd.org, 2021-01-27, 1 file, -3/+2)
  and use that instead of global variables containing copies of it.
  feedback/ok markus@
  OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
* upstream: Update/replace the experimental post-quantum hybrid key (djm@openbsd.org, 2020-12-29, 1 file, -7/+7)
  exchange method based on Streamlined NTRU Prime (coupled with X25519).
  The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
  The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
  Thanks to Daniel J Bernstein for guidance on algorithm selection.
  Patch from Tobias Heider; feedback & ok markus@ and myself
  (note that both the updated method and the one that it replaced are disabled by default)
  OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
* upstream: revert kex->flags cert hostkey downgrade back to a plain (djm@openbsd.org, 2020-10-07, 1 file, -5/+3)
  key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less plumbing.
  ok markus@
  OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
* upstream: record when the host key checking code downgrades a (djm@openbsd.org, 2020-10-03, 1 file, -3/+5)
  certificate host key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresponding CA key configured in known_hosts;
  feedback and ok markus@
  OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
* remove duplicate #includes (Damien Miller, 2019-10-02, 1 file, -12/+3)
  Prompted by Jakub Jelen
* upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@ (djm@openbsd.org, 2019-09-06, 1 file, -1/+13)
  OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
* upstream: remove leakmalloc reference; we used this early when (djm@openbsd.org, 2019-09-06, 1 file, -5/+1)
  refactoring but not since
  OpenBSD-Commit-ID: bb28ebda8f7c490b87b37954044a6cdd43a7eb2c
* upstream: pass most arguments to the KEX hash functions as sshbuf (djm@openbsd.org, 2019-01-23, 1 file, -2/+2)
  rather than pointer+length; ok markus@
  OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7
* upstream: rename kex->kem_client_pub -> kex->client_pub now that (djm@openbsd.org, 2019-01-21, 1 file, -15/+4)
  KEM has been renamed to kexgen
  from markus@ ok djm@
  OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
* upstream: pass values used in KEX hash computation as sshbuf (djm@openbsd.org, 2019-01-21, 1 file, -11/+11)
  rather than pointer+len
  suggested by me; implemented by markus@ ok me
  OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
* upstream: remove kex_derive_keys_bn wrapper; now unused since the (djm@openbsd.org, 2019-01-21, 1 file, -2/+1)
  DH-like KEX methods have moved to KEM
  from markus@ ok djm@
  OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
* upstream: use KEM API for vanilla ECDH (djm@openbsd.org, 2019-01-21, 1 file, -6/+6)
  from markus@ ok djm@
  OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
* upstream: use KEM API for vanilla DH KEX (djm@openbsd.org, 2019-01-21, 1 file, -4/+6)
  from markus@ ok djm@
  OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
* upstream: use KEM API for vanilla c25519 KEX (djm@openbsd.org, 2019-01-21, 1 file, -1/+6)
  OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
* upstream: Add support for a PQC KEX/KEM: (djm@openbsd.org, 2019-01-21, 1 file, -4/+21)
  sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
  introduce KEM API; a simplified framework for DH-ish KEX methods.
  from markus@ feedback & ok djm@
  OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
* upstream: factor out kex_verify_hostkey() - again, duplicated (djm@openbsd.org, 2019-01-21, 1 file, -1/+2)
  almost exactly across client and server for several KEX methods.
  from markus@ ok djm@
  OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
* upstream: factor out kex_load_hostkey() - this is duplicated in (djm@openbsd.org, 2019-01-21, 1 file, -1/+2)
  both the client and server implementations for most KEX methods.
  from markus@ ok djm@
  OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
* upstream: factor out kex_dh_compute_key() - it's shared between (djm@openbsd.org, 2019-01-21, 1 file, -3/+4)
  plain DH KEX and DH GEX in both the client and server implementations
  from markus@ ok djm@
  OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
* upstream: factor out DH keygen; it's identical between the client (djm@openbsd.org, 2019-01-21, 1 file, -1/+2)
  and the server
  from markus@ ok djm@
  OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
* upstream: remove last references to active_state (djm@openbsd.org, 2019-01-19, 1 file, -3/+3)
  with & ok markus@
  OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
* upstream: move client/server SSH-* banners to buffers under (djm@openbsd.org, 2018-12-27, 1 file, -8/+12)
  ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
  Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
  Inspired by a patch from Markus Schmidt.
  (lots of) feedback and ok markus@
  OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
* upstream: only consider the ext-info-c extension during the initial (djm@openbsd.org, 2018-12-27, 1 file, -1/+2)
  KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for these buggy clients.
  Reported by Jakub Jelen via bz2929; ok dtucker@
  OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
* repair !WITH_OPENSSL build (Damien Miller, 2018-07-13, 1 file, -0/+2)
* upstream: remove legacy key emulation layer; ok djm@ (markus@openbsd.org, 2018-07-12, 1 file, -2/+1)
  OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
* upstream: re-remove some pre-auth compression bits (sf@openbsd.org, 2018-07-11, 1 file, -1/+2)
  This time, make sure to not remove things that are necessary for pre-auth compression on the client. Add a comment that pre-auth compression is still supported in the client.
  ok markus@
  OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784
* upstream: remove legacy buffer API emulation layer; ok djm@ (markus@openbsd.org, 2018-07-10, 1 file, -2/+1)
  OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9
* upstream: Revert previous two commits (sf@openbsd.org, 2018-07-10, 1 file, -1/+2)
  It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits:
  date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
  Rename COMP_DELAYED to COMP_ZLIB
  Only delayed compression is supported nowadays.
  ok markus@
  date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
  Remove leftovers from pre-authentication compression
  Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
  ok markus@
  OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
* upstream: Rename COMP_DELAYED to COMP_ZLIB (sf@openbsd.org, 2018-07-10, 1 file, -2/+2)
  Only delayed compression is supported nowadays.
  ok markus@
  OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
* upstream: Remove leftovers from pre-authentication compression (sf@openbsd.org, 2018-07-10, 1 file, -3/+2)
  Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit.
  ok markus@
  OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
* upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA (djm@openbsd.org, 2018-07-04, 1 file, -2/+2)
  signature work - returns ability to add/remove/specify algorithms by wildcard.
  Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
  Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
  (lots of) feedback, ok markus@
  OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
* upstream: Improve strictness and control over RSA-SHA2 signature (djm@openbsd.org, 2018-07-03, 1 file, -2/+2)
  In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
  In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
  Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
  Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
  feedback and ok markus@
  OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
* upstream commit (markus@openbsd.org, 2017-05-31, 1 file, -3/+3)
  protocol handlers all get struct ssh passed; ok djm@
  Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
* upstream commit (naddy@openbsd.org, 2017-05-08, 1 file, -4/+1)
  remove miscellaneous SSH1 leftovers; ok markus@
  Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
* upstream commit (djm@openbsd.org, 2016-09-29, 1 file, -2/+3)
  put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
  Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
* upstream commit (djm@openbsd.org, 2016-09-28, 1 file, -3/+2)
  restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
  remove a few server-side pre-auth compression bits that escaped
  adjust wording of Compression directive in sshd_config(5)
  pointed out by naddy@ ok markus@
  Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
* upstream commit (djm@openbsd.org, 2016-09-23, 1 file, -12/+13)
  missing bit from previous commit
  Upstream-ID: 438d5ed6338b28b46e822eb13eee448aca31df37
* upstream commit (djm@openbsd.org, 2016-05-02, 1 file, -3/+9)
  add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
  diffie-hellman-group14-sha256 (2K group)
  diffie-hellman-group16-sha512 (4K group)
  diffie-hellman-group18-sha512 (8K group)
  based on patch from Mark D. Baushke and Darren Tucker
  ok markus@
  Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f