diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | mac.c | 6 | ||||
| -rw-r--r-- | myproposal.h | 15 | ||||
| -rw-r--r-- | ssh.1 | 8 | ||||
| -rw-r--r-- | ssh_config.5 | 8 | ||||
| -rw-r--r-- | sshd.8 | 7 | ||||
| -rw-r--r-- | sshd_config.5 | 8 |
7 files changed, 41 insertions, 16 deletions
| @@ -17,6 +17,11 @@ | |||
| 17 | [gss-serv.c] | 17 | [gss-serv.c] |
| 18 | prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); | 18 | prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); |
| 19 | report Adam Zabrock; ok djm@, deraadt@ | 19 | report Adam Zabrock; ok djm@, deraadt@ |
| 20 | - djm@cvs.openbsd.org 2011/08/02 01:22:11 | ||
| 21 | [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] | ||
| 22 | Add new SHA256 and SHA512 based HMAC modes from | ||
| 23 | http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt | ||
| 24 | Patch from mdb AT juniper.net; feedback and ok markus@ | ||
| 20 | 25 | ||
| 21 | 20110624 | 26 | 20110624 |
| 22 | - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for | 27 | - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: mac.c,v 1.15 2008/06/13 00:51:47 dtucker Exp $ */ | 1 | /* $OpenBSD: mac.c,v 1.16 2011/08/02 01:22:11 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -57,6 +57,10 @@ struct { | |||
| 57 | } macs[] = { | 57 | } macs[] = { |
| 58 | { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, | 58 | { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, |
| 59 | { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, | 59 | { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, |
| 60 | { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, | ||
| 61 | { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, | ||
| 62 | { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, | ||
| 63 | { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, | ||
| 60 | { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, | 64 | { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, |
| 61 | { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, | 65 | { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, |
| 62 | { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, | 66 | { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, |
diff --git a/myproposal.h b/myproposal.h index 2c43607a7..aeb5201dc 100644 --- a/myproposal.h +++ b/myproposal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: myproposal.h,v 1.27 2010/09/01 22:42:13 djm Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| @@ -76,9 +76,18 @@ | |||
| 76 | "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ | 76 | "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ |
| 77 | "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" | 77 | "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" |
| 78 | #define KEX_DEFAULT_MAC \ | 78 | #define KEX_DEFAULT_MAC \ |
| 79 | "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \ | 79 | "hmac-md5," \ |
| 80 | "hmac-sha1," \ | ||
| 81 | "umac-64@openssh.com," \ | ||
| 82 | "hmac-sha2-256," \ | ||
| 83 | "hmac-sha2-256-96," \ | ||
| 84 | "hmac-sha2-512," \ | ||
| 85 | "hmac-sha2-512-96," \ | ||
| 86 | "hmac-ripemd160," \ | ||
| 80 | "hmac-ripemd160@openssh.com," \ | 87 | "hmac-ripemd160@openssh.com," \ |
| 81 | "hmac-sha1-96,hmac-md5-96" | 88 | "hmac-sha1-96," \ |
| 89 | "hmac-md5-96" | ||
| 90 | |||
| 82 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" | 91 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" |
| 83 | #define KEX_DEFAULT_LANG "" | 92 | #define KEX_DEFAULT_LANG "" |
| 84 | 93 | ||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh.1,v 1.319 2011/05/07 23:20:25 jmc Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.320 2011/08/02 01:22:11 djm Exp $ |
| 37 | .Dd $Mdocdate: May 7 2011 $ | 37 | .Dd $Mdocdate: August 2 2011 $ |
| 38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -667,7 +667,9 @@ Both protocols support similar authentication methods, | |||
| 667 | but protocol 2 is the default since | 667 | but protocol 2 is the default since |
| 668 | it provides additional mechanisms for confidentiality | 668 | it provides additional mechanisms for confidentiality |
| 669 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) | 669 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) |
| 670 | and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). | 670 | and integrity (hmac-md5, hmac-sha1, |
| 671 | hmac-sha2-256, hmac-sha2-512, | ||
| 672 | umac-64, hmac-ripemd160). | ||
| 671 | Protocol 1 lacks a strong mechanism for ensuring the | 673 | Protocol 1 lacks a strong mechanism for ensuring the |
| 672 | integrity of the connection. | 674 | integrity of the connection. |
| 673 | .Pp | 675 | .Pp |
diff --git a/ssh_config.5 b/ssh_config.5 index 694ff814e..a782d6f41 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.152 2011/06/04 00:10:26 djm Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.153 2011/08/02 01:22:11 djm Exp $ |
| 37 | .Dd $Mdocdate: June 4 2011 $ | 37 | .Dd $Mdocdate: August 2 2011 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -793,7 +793,9 @@ Multiple algorithms must be comma-separated. | |||
| 793 | The default is: | 793 | The default is: |
| 794 | .Bd -literal -offset indent | 794 | .Bd -literal -offset indent |
| 795 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 795 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
| 796 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | 796 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96, |
| 797 | hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512, | ||
| 798 | hmac-sha2-512-96 | ||
| 797 | .Ed | 799 | .Ed |
| 798 | .It Cm NoHostAuthenticationForLocalhost | 800 | .It Cm NoHostAuthenticationForLocalhost |
| 799 | This option can be used if the home directory is shared across machines. | 801 | This option can be used if the home directory is shared across machines. |
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd.8,v 1.262 2011/05/23 07:10:21 jmc Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $ |
| 37 | .Dd $Mdocdate: May 23 2011 $ | 37 | .Dd $Mdocdate: August 2 2011 $ |
| 38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -314,7 +314,8 @@ The client selects the encryption algorithm | |||
| 314 | to use from those offered by the server. | 314 | to use from those offered by the server. |
| 315 | Additionally, session integrity is provided | 315 | Additionally, session integrity is provided |
| 316 | through a cryptographic message authentication code | 316 | through a cryptographic message authentication code |
| 317 | (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160). | 317 | (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, |
| 318 | hmac-sha2-256 or hmac-sha2-512). | ||
| 318 | .Pp | 319 | .Pp |
| 319 | Finally, the server and the client enter an authentication dialog. | 320 | Finally, the server and the client enter an authentication dialog. |
| 320 | The client tries to authenticate itself using | 321 | The client tries to authenticate itself using |
diff --git a/sshd_config.5 b/sshd_config.5 index f78452c85..a6c378792 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $ |
| 37 | .Dd $Mdocdate: June 22 2011 $ | 37 | .Dd $Mdocdate: August 2 2011 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -655,7 +655,9 @@ Multiple algorithms must be comma-separated. | |||
| 655 | The default is: | 655 | The default is: |
| 656 | .Bd -literal -offset indent | 656 | .Bd -literal -offset indent |
| 657 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 657 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
| 658 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | 658 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96, |
| 659 | hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, | ||
| 660 | hmac-sha2-512-96 | ||
| 659 | .Ed | 661 | .Ed |
| 660 | .It Cm Match | 662 | .It Cm Match |
| 661 | Introduces a conditional block. | 663 | Introduces a conditional block. |