summaryrefslogtreecommitdiff
path: root/packet.c
AgeCommit message (Collapse)Author
2017-08-22Fix incoming compression statisticsRussell Coker
Bug-Debian: https://bugs.debian.org/797964 Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html Last-Update: 2017-06-06 Patch-Name: fix-incoming-compression-statistics.patch
2017-03-12upstream commitmarkus@openbsd.org
Don't count the initial block twice when computing how many bytes to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
2017-02-28upstream commitdjm@openbsd.org
small memleak: free fd_set on connection timeout (though we are heading to exit anyway). From Tom Rix in bz#2683 Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
2017-02-04upstream commitdjm@openbsd.org
add ssh_packet_set_log_preamble() to allow inclusion of a preamble string in disconnect messages; ok markus@ Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
2017-02-03upstream commitdtucker@openbsd.org
Make ssh_packet_set_rekey_limits take u32 for the number of seconds until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning. rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway). some early guidance deraadt@, ok djm@ Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
2016-10-13upstream commitdjm@openbsd.org
Add a per-packet input hook that is called with the decrypted packet contents. This will be used for fuzzing; ok markus@ Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
2016-10-01upstream commitmarkus@openbsd.org
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@ Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2016-09-29upstream commitdjm@openbsd.org
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@ Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
2016-09-29upstream commitdjm@openbsd.org
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only. remove a few server-side pre-auth compression bits that escaped adjust wording of Compression directive in sshd_config(5) pointed out by naddy@ ok markus@ Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29upstream commitdjm@openbsd.org
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-21upstream commitmarkus@openbsd.org
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@ Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
2016-09-12upstream commitderaadt@openbsd.org
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12upstream commitmarkus@openbsd.org
ssh_set_newkeys: print correct block counters on rekeying; ok djm@ Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e
2016-08-09upstream commitdjm@openbsd.org
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@ Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
2016-07-22upstream commitmarkus@openbsd.org
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@ Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
2016-07-18upstream commitdjm@openbsd.org
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@ Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
2016-07-15upstream commitdtucker@openbsd.org
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@ Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
2016-07-08upstream commitdjm@openbsd.org
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms. Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified. This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@ Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b
2016-03-08upstream commitdjm@openbsd.org
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@ Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-02-18upstream commitdjm@openbsd.org
rekey refactor broke SSH1; spotted by Tom G. Christensen Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
2016-02-08upstream commitdjm@openbsd.org
refactor activation of rekeying This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves. Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@ Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
2016-02-05upstream commitdjm@openbsd.org
printf argument casts to avoid warnings on strict compilers Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
2016-01-30upstream commitdjm@openbsd.org
include packet type of non-data packets in debug3 output; ok markus dtucker Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
2016-01-30upstream commitdtucker@openbsd.org
Revert "account for packets buffered but not yet processed" change as it breaks for very small RekeyLimit values due to continuous rekeying. ok djm@ Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
2016-01-30upstream commitdtucker@openbsd.org
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm. Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2016-01-30upstream commitdtucker@openbsd.org
Account for packets buffered but not yet processed when computing whether or not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@ Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
2016-01-27upstream commitmarkus@openbsd.org
remove roaming support; ok djm@ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2015-12-18upstream commitmmcc@openbsd.org
Remove NULL-checks before sshbuf_free(). ok djm@ Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
2015-12-18upstream commitdjm@openbsd.org
include remote port number in a few more messages; makes tying log messages together into a session a bit easier; bz#2503 ok dtucker@ Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
2015-12-11upstream commitmmcc@openbsd.org
Remove NULL-checks before free(). ok dtucker@ Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
2015-12-07upstream commitmarkus@openbsd.org
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@ Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-11-09upstream commitdjm@openbsd.org
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@ Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
2015-10-25upstream commitgsoares@openbsd.org
fix memory leak in error path ok djm@ Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35
2015-09-21upstream commitdjm@openbsd.org
fix possible hang on closed output; bz#2469 reported by Tomas Kuthan ok markus@ Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3
2015-08-21upstream commitderaadt@openbsd.org
Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope ok krw millert Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
2015-07-29upstream commitdjm@openbsd.org
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@ Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
2015-05-10upstream commitdjm@openbsd.org
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better report error conditions. Teach sshpkt_fatal() about ECONNRESET. Improves error messages on TCP connection resets. bz#2257 ok dtucker@
2015-04-29upstream commitdjm@openbsd.org
fix compilation with OPENSSL=no; ok dtucker@
2015-03-27upstream commitmarkus@openbsd.org
don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@
2015-03-23upstream commitjsg@openbsd.org
add back the changes from rev 1.206, djm reverted this by mistake in rev 1.207
2015-02-18repair --without-openssl; broken in refactorDamien Miller
2015-02-17upstream commitmarkus@openbsd.org
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
2015-02-11upstream commitdjm@openbsd.org
Some packet error messages show the address of the peer, but might be generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier. spotted in the wild via deraadt@ and tedu@
2015-02-11upstream commitjsg@openbsd.org
fix some leaks in error paths ok markus@
2015-01-30upstream commitdjm@openbsd.org
avoid more fatal/exit in the packet.c paths that ssh-keyscan uses; feedback and "looks good" markus@
2015-01-29upstream commitdjm@openbsd.org
avoid fatal() calls in packet code makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
2015-01-26upstream commitderaadt@openbsd.org
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
2015-01-20upstream commitmarkus@openbsd.org
add experimental api for packet layer; ok djm@
2015-01-20upstream commitmarkus@openbsd.org
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
2015-01-15support --without-openssl at configure timeDamien Miller
Disables and removes dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on system with native arc4random or /dev/urandom. Considered highly experimental for now.