| Age | Commit message (Collapse) | Author |
|---|
|
Don't count the initial block twice when computing how
many bytes to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
|
|
small memleak: free fd_set on connection timeout (though
we are heading to exit anyway). From Tom Rix in bz#2683
Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
|
|
add ssh_packet_set_log_preamble() to allow inclusion of a
preamble string in disconnect messages; ok markus@
Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
|
|
Make ssh_packet_set_rekey_limits take u32 for the number of
seconds until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned comparison
warning.
rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).
some early guidance deraadt@, ok djm@
Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
|
|
Add a per-packet input hook that is called with the
decrypted packet contents. This will be used for fuzzing; ok markus@
Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
|
|
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
server acts as a proxy, translates channel IDs and relays to the server. - no
filedescriptor passing necessary. - combined with unix-domain forwarding it's
even possible to run mux client and server on different machines. feedback
& ok djm@
Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
|
|
put back some pre-auth zlib bits that I shouldn't have
removed - they are still used by the client. Spotted by naddy@
Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
|
|
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
|
|
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd
for >10 years.
Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
|
|
move inbound NEWKEYS handling to kex layer; otherwise
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
with & ok djm@
Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
|
|
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker
Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
|
|
ssh_set_newkeys: print correct block counters on
rekeying; ok djm@
Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e
|
|
small refactor of cipher.c: make ciphercontext opaque to
callers feedback and ok markus@
Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
|
|
Reduce timing attack against obsolete CBC modes by always
computing the MAC over a fixed size of data. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
|
|
Add some unsigned overflow checks for extra_pad. None of
these are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@
Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
|
|
Reduce the syslog level of some relatively common protocol
events from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@
Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
|
|
Improve crypto ordering for Encrypt-then-MAC (EtM) mode
MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.
This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b
|
|
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
|
|
rekey refactor broke SSH1; spotted by Tom G. Christensen
Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
|
|
refactor activation of rekeying
This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.
Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@
Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
|
|
printf argument casts to avoid warnings on strict
compilers
Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
|
|
include packet type of non-data packets in debug3 output;
ok markus dtucker
Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
|
|
Revert "account for packets buffered but not yet
processed" change as it breaks for very small RekeyLimit values due to
continuous rekeying. ok djm@
Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
|
|
Allow RekeyLimits in excess of 4G up to 2**63 bits
(limited by the return type of scan_scaled). Part of bz#2521, ok djm.
Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
|
|
Account for packets buffered but not yet processed when
computing whether or not it is time to perform rekeying. bz#2521, based
loosely on a patch from olo at fb.com, ok djm@
Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
|
|
remove roaming support; ok djm@
Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
|
|
Remove NULL-checks before sshbuf_free().
ok djm@
Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
|
|
include remote port number in a few more messages; makes
tying log messages together into a session a bit easier; bz#2503 ok dtucker@
Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
|
|
Remove NULL-checks before free().
ok dtucker@
Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
|
|
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
|
|
fix OOB read in packet code caused by missing return
statement found by Ben Hawkes; ok markus@ deraadt@
Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
|
|
fix memory leak in error path ok djm@
Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35
|
|
fix possible hang on closed output; bz#2469 reported by Tomas
Kuthan ok markus@
Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3
|
|
Do not cast result of malloc/calloc/realloc* if stdlib.h
is in scope ok krw millert
Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
|
|
include the peer's offer when logging a failure to
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
|
|
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal()
to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
Improves error messages on TCP connection resets. bz#2257
ok dtucker@
|
|
fix compilation with OPENSSL=no; ok dtucker@
|
|
don't leak 'setp' on error; noted by Nicholas Lemonias;
ok djm@
|
|
add back the changes from rev 1.206, djm reverted this by
mistake in rev 1.207
|
|
|
|
make rekey_limit for sshd w/privsep work; ok djm@
dtucker@
|
|
Some packet error messages show the address of the peer,
but might be generated after the socket to the peer has suffered a TCP reset.
In these cases, getpeername() won't work so cache the address earlier.
spotted in the wild via deraadt@ and tedu@
|
|
fix some leaks in error paths ok markus@
|
|
avoid more fatal/exit in the packet.c paths that
ssh-keyscan uses; feedback and "looks good" markus@
|
|
avoid fatal() calls in packet code makes ssh-keyscan more
reliable against server failures ok dtucker@ markus@
|
|
Reduce use of <sys/param.h> and transition to <limits.h>
throughout. ok djm markus
|
|
add experimental api for packet layer; ok djm@
|
|
update packet.c & isolate, introduce struct ssh a) switch
packet.c to buffer api and isolate per-connection info into struct ssh b)
(de)serialization of the state is moved from monitor to packet.c c) the old
packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
integrated into packet.c with and ok djm@
|
|
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
|
|
adapt mac.c to ssherr.h return codes (de-fatal) and
simplify dependencies ok djm@
|
