summaryrefslogtreecommitdiff
path: root/cipher.c
AgeCommit message (Collapse)Author
2018-02-26upstream: Add experimental support for PQC XMSS keys (Extendedmarkus@openbsd.org
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-13upstream: remove space before tabdjm@openbsd.org
OpenBSD-Commit-ID: 674edd214d0a7332dd4623c9cf8117301b012890
2018-02-08upstream commitjsing@openbsd.org
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards. Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github. ok deraadt@ dtucker@ OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2017-11-03upstream commitdjm@openbsd.org@openbsd.org
avoid unused variable warnings for !WITH_OPENSSL; patch from Marcus Folkesson OpenBSD-Commit-ID: c01d27a3f907acdc3dd4ea48170fac3ba236d229
2017-05-08upstream commitdjm@openbsd.org
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@ Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08upstream commitdjm@openbsd.org
another tentacle: cipher_set_key_string() was only ever used for SSHv1 Upstream-ID: 7fd31eb6c48946f7e7cc12af0699fe8eb637e94a
2017-05-01upstream commitdjm@openbsd.org
fixup setting ciphercontext->plaintext (lost in SSHv1 purge), though it isn't really used for much anymore. Upstream-ID: 859b8bce84ff4865b32097db5430349d04b9b747
2017-05-01upstream commitdjm@openbsd.org
remove SSHv1 ciphers; ok markus@ Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-05-01upstream commitdjm@openbsd.org
unifdef WITH_SSH1 ok markus@ Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2016-10-28Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSLDamien Miller
ok dtucker@
2016-08-09upstream commitdjm@openbsd.org
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@ Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
2016-07-15disable ciphers not supported by OpenSSLDamien Miller
bz#2466 ok dtucker@
2015-12-11upstream commitmmcc@openbsd.org
Remove NULL-checks before free(). ok dtucker@ Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
2015-01-14upstream commitdjm@openbsd.org
make non-OpenSSL aes-ctr work on sshd w/ privsep; ok markus@
2014-07-21- (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bitsDarren Tucker
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
2014-07-02 - djm@cvs.openbsd.org 2014/06/24 01:13:21Damien Miller
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c [sshconnect2.c sshd.c sshkey.c sshkey.h [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
2014-05-27 - (djm) [cipher.c] Fix merge botch.Damien Miller
2014-05-15 - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-02-24 - djm@cvs.openbsd.org 2014/02/07 06:55:54Damien Miller
[cipher.c mac.c] remove some logging that makes ssh debugging output very verbose; ok markus
2014-02-04 - djm@cvs.openbsd.org 2014/02/02 03:44:32Damien Miller
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c] convert memset of potentially-private data to explicit_bzero()
2014-02-04 - markus@cvs.openbsd.org 2014/01/27 19:18:54Damien Miller
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c] replace openssl MD5 with our ssh_digest_*; ok djm@
2014-01-26 - dtucker@cvs.openbsd.org 2014/01/25 10:12:50Damien Miller
[cipher.c cipher.h kex.c kex.h kexgexc.c] Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:34:54Damien Miller
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
2013-12-05 - djm@cvs.openbsd.org 2013/12/02 03:13:14Damien Miller
[cipher.c] correct bzero of chacha20+poly1305 key context. bz#2177 from Loganaden Velvindron @ AfriNIC Also make it a memset for consistency with the rest of cipher.c
2013-11-21 - djm@cvs.openbsd.org 2013/11/21 00:45:44Damien Miller
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
2013-11-08 - dtucker@cvs.openbsd.org 2013/11/07 11:58:27Damien Miller
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
2013-06-02 - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
2013-04-23 - djm@cvs.openbsd.org 2013/04/19 01:06:50Damien Miller
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
2013-02-12 - djm@cvs.openbsd.org 2013/01/26 06:11:05Damien Miller
[Makefile.in acss.c acss.h cipher-acss.c cipher.c] [openbsd-compat/openssl-compat.h] remove ACSS, now that it is gone from libcrypto too
2013-01-12 - djm@cvs.openbsd.org 2013/01/12 11:22:04Damien Miller
[cipher.c] improve error message for integrity failure in AES-GCM modes; ok markus@
2013-01-09 - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]Damien Miller
Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little cipher compat code to openssl-compat.h
2013-01-09 - markus@cvs.openbsd.org 2013/01/08 18:49:04Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
2012-12-13 - (djm) [cipher.c] Fix missing prototype for compat codeDamien Miller
2012-12-13 - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain ourDamien Miller
compat code for older OpenSSL
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:31:18Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
2009-01-28 - markus@cvs.openbsd.org 2009/01/26 09:58:15Damien Miller
[cipher.c cipher.h packet.c] Work around the CPNI-957037 Plaintext Recovery Attack by always reading 256K of data on packet size or HMAC errors (in CBC mode only). Help, feedback and ok djm@ Feedback from Martin Albrecht and Paterson Kenny
2006-08-05 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42Damien Miller
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-07-24 - stevesk@cvs.openbsd.org 2006/07/22 20:48:23Damien Miller
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c] [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c] [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c] [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c] [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c] [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c] [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c] [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c] [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c] [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c] move #include <string.h> out of includes.h
2006-03-26 - djm@cvs.openbsd.org 2006/03/25 13:17:03Damien Miller
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c] [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c] [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c] [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c] [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c] [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c] [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c] [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c] [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c] [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c] [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c] [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] [uidswap.c uuencode.c xmalloc.c] Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
2006-03-26 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18Damien Miller
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c] [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c] [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c] [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c] [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c] [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c] [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c] [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c] [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c] [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c] [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c] [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c] [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c] [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c] [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c] RCSID() can die
2005-12-19 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.acDarren Tucker
openbsd-compat/openssl-compat.h] Check for and work around broken AES ciphers >128bit on (some) Solaris 10 systems. ok djm@
2005-07-17 - djm@cvs.openbsd.org 2005/07/16 01:35:24Damien Miller
[auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c] [sshconnect.c] spacing
2005-06-17 - (dtucker) [cipher.c openbsd-compat/openbsd-compat.hDarren Tucker
openbsd-compat/openssl-compat.c] only include openssl compat stuff where it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by and ok tim@ ---------------------------------------------------------------------- automatically CVS: CVS: Committing in . CVS: CVS: Modified Files: ----------------------------------------------------------------------
2005-06-17 - djm@cvs.openbsd.org 2005/06/17 02:44:33Damien Miller
[auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c] [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c] [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c] [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c] [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c] make this -Wsign-compare clean; ok avsm@ markus@ NB. auth1.c changes not committed yet (conflicts with uncommitted sync) NB2. more work may be needed to make portable Wsign-compare clean
2005-06-16 - dtucker@cvs.openbsd.org 2005/06/09 13:43:49Damien Miller
[cipher.c] Correctly initialize end of array sentinel; ok djm@ (Id sync only, change already in portable)
2005-06-09 - (dtucker) [cipher.c openbsd-compat/Makefile.inDarren Tucker
openbsd-compat/openbsd-compat.{c,h} openbsd-compat/openssl-compat.h] Move compatibility code for supporting older OpenSSL versions to the compat layer. Suggested by and "no objection" djm@
2005-05-26 - djm@cvs.openbsd.org 2005/05/23 23:32:46Damien Miller
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
2005-01-24 - djm@cvs.openbsd.org 2005/01/23 10:18:12Darren Tucker
[cipher.c] config option "Ciphers" should be case-sensitive; ok dtucker@
2005-01-20 - djm@cvs.openbsd.org 2004/12/22 02:13:19Darren Tucker
[cipher-ctr.c cipher.c] remove fallback AES support for old OpenSSL, as OpenBSD has had it for many years now; ok deraadt@ (Id sync only: Portable will continue to support older OpenSSLs)
2004-08-12 - markus@cvs.openbsd.org 2004/07/28 09:40:29Darren Tucker
[auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c sshconnect1.c] more s/illegal/invalid/