Commit Graph

133 Commits

Author SHA1 Message Date
djm@openbsd.org
f68312eb59
upstream: Add experimental support for hybrid post-quantum key exchange
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03

This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.

Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.

ok markus@ deraadt@

OpenBSD-Commit-ID: 02a8730a570b63fa8acd9913ec66353735dea42c
2024-09-02 22:32:44 +10:00
deraadt@openbsd.org
10ccf611ab
upstream: As defined in the RFC, the SSH protocol has negotiable
compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relative early in OpenSSH lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow.  This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts it's memory) in a dangerous place, and a new option
("zlib@openssh.com") was added begins compression after authentication (aka
delayed-compression).  That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com") ok djm markus

OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72
2024-08-27 09:05:43 +10:00
djm@openbsd.org
aee5487825
upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned, so
we can make the algorithm available without the @openssh.com suffix too. ok
markus@ deraadt@

OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
2024-08-23 09:27:35 +10:00
djm@openbsd.org
03e3de416e
upstream: Start the process of splitting sshd into separate
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
2024-05-17 14:41:35 +10:00
djm@openbsd.org
4dbc5a363f
upstream: whitespace
OpenBSD-Commit-ID: b24680bc755b621ea801ff8edf6f0f02b68edae1
2024-02-19 18:40:09 +11:00
djm@openbsd.org
a7ed931cae
upstream: add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.

This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.

Full details in the PROTOCOL file

OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
2023-12-19 01:51:46 +11:00
djm@openbsd.org
1edb00c58f
upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@

OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
2023-12-19 01:51:11 +11:00
djm@openbsd.org
dce6d80d2e
upstream: Introduce a transport-level ping facility
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@

OpenBSD-Commit-ID: b6b3c4cb2084c62f85a8dc67cf74954015eb547f
2023-08-28 13:34:01 +10:00
dtucker@openbsd.org
9641753e0f
upstream: Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs.  Remove unused compat functions.
With & ok djm@.

OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b
2023-03-06 23:31:52 +11:00
djm@openbsd.org
0fa3368322 upstream: Fix signature algorithm selection logic for
UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2
for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in initial
KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@

OpenBSD-Commit-ID: c17ba0c3236340d2c6a248158ebed042ac6a8029
2022-01-07 09:21:38 +11:00
djm@openbsd.org
94ae0c6f0e upstream: client side of host-bound pubkey authentication
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.

Use the new hostbound method in client if the kex->flags flag was set,
and include the inital KEX hostkey in the userauth request.

Note: nothing in kex.c actually sets the new flag yet

ok markus@

OpenBSD-Commit-ID: 5a6fce8c6c8a77a80ee1526dc467d91036a5910d
2021-12-20 09:28:07 +11:00
djm@openbsd.org
b42c61d684 upstream: Record session ID, host key and sig at intital KEX
These will be used later for agent session ID / hostkey binding

ok markus@

OpenBSD-Commit-ID: a9af29e33772b18e3e867c6fa8ab35e1694a81fe
2021-12-20 09:24:42 +11:00
djm@openbsd.org
3dd0c64e08 upstream: more strictly enforce KEX state-machine by banning packet
types once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via
oss-fuzz #30078).

ok markus@

OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
2021-02-01 09:57:28 +11:00
djm@openbsd.org
39be3dc209 upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t
and use that instead of global variables containing copies of it. feedback/ok
markus@

OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
2021-01-27 21:10:57 +11:00
djm@openbsd.org
2c71cec020 upstream: Update/replace the experimental post-quantim hybrid key
exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
2020-12-29 12:38:53 +11:00
djm@openbsd.org
aa623142e4 upstream: revert kex->flags cert hostkey downgrade back to a plain
key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.

ok markus@

OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
2020-10-07 13:34:11 +11:00
djm@openbsd.org
13cee44ef9 upstream: record when the host key checking code downgrades a
certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@

OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
2020-10-03 18:31:49 +10:00
Damien Miller
edd1d3a626 remove duplicate #includes
Prompted by Jakub Jelen
2019-10-02 10:54:28 +10:00
djm@openbsd.org
670104b923 upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
2019-09-06 17:54:21 +10:00
djm@openbsd.org
d05aaaaadc upstream: remove leakmalloc reference; we used this early when
refactoring but not since

OpenBSD-Commit-ID: bb28ebda8f7c490b87b37954044a6cdd43a7eb2c
2019-09-06 16:06:22 +10:00
djm@openbsd.org
bb956eaa94 upstream: pass most arguments to the KEX hash functions as sshbuf
rather than pointer+length; ok markus@

OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7
2019-01-23 13:02:02 +11:00
djm@openbsd.org
aaca72d6f1 upstream: rename kex->kem_client_pub -> kex->client_pub now that
KEM has been renamed to kexgen

from markus@ ok djm@

OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
2019-01-21 23:13:03 +11:00
djm@openbsd.org
71e67fff94 upstream: pass values used in KEX hash computation as sshbuf
rather than pointer+len

suggested by me; implemented by markus@ ok me

OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
2019-01-21 23:13:03 +11:00
djm@openbsd.org
4b83e2a2cc upstream: remove kex_derive_keys_bn wrapper; no unused since the
DH-like KEX methods have moved to KEM

from markus@ ok djm@

OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
2019-01-21 23:13:03 +11:00
djm@openbsd.org
92dda34e37 upstream: use KEM API for vanilla ECDH
from markus@ ok djm@

OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
2019-01-21 23:13:02 +11:00
djm@openbsd.org
9c9c97e14f upstream: use KEM API for vanilla DH KEX
from markus@ ok djm@

OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
2019-01-21 22:08:47 +11:00
djm@openbsd.org
2f6a9ddbbf upstream: use KEM API for vanilla c25519 KEX
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
2019-01-21 22:08:04 +11:00
djm@openbsd.org
dfd591618c upstream: Add support for a PQC KEX/KEM:
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
2019-01-21 22:07:02 +11:00
djm@openbsd.org
b1b2ff4ed5 upstream: factor out kex_verify_hostkey() - again, duplicated
almost exactly across client and server for several KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
2019-01-21 21:47:28 +11:00
djm@openbsd.org
bb39bafb6d upstream: factor out kex_load_hostkey() - this is duplicated in
both the client and server implementations for most KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
2019-01-21 21:47:28 +11:00
djm@openbsd.org
dec5e9d338 upstream: factor out kex_dh_compute_key() - it's shared between
plain DH KEX and DH GEX in both the client and server implementations

from markus@ ok djm@

OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
2019-01-21 21:47:28 +11:00
djm@openbsd.org
e93bd98eab upstream: factor out DH keygen; it's identical between the client
and the server

from markus@ ok djm@

OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
2019-01-21 21:47:28 +11:00
djm@openbsd.org
04c091fc19 upstream: remove last references to active_state
with & ok markus@

OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
2019-01-20 09:45:18 +11:00
djm@openbsd.org
0a843d9a0e upstream: move client/server SSH-* banners to buffers under
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
2018-12-27 14:38:22 +11:00
djm@openbsd.org
a6a0788cbb upstream: only consider the ext-info-c extension during the initial
KEX. It shouldn't be sent in subsequent ones, but if it is present we should
ignore it.

This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@

OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
2018-12-27 14:30:17 +11:00
Damien Miller
eef1447ddb repair !WITH_OPENSSL build 2018-07-13 11:41:33 +10:00
markus@openbsd.org
5467fbcb09 upstream: remove legacy key emulation layer; ok djm@
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
2018-07-12 13:18:25 +10:00
sf@openbsd.org
984bacfaac upstream: re-remove some pre-auth compression bits
This time, make sure to not remove things that are necessary for
pre-auth compression on the client. Add a comment that pre-auth
compression is still supported in the client.

ok markus@

OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784
2018-07-11 09:52:08 +10:00
markus@openbsd.org
cb30cd4704 upstream: remove legacy buffer API emulation layer; ok djm@
OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9
2018-07-10 16:44:17 +10:00
sf@openbsd.org
168b46f405 upstream: Revert previous two commits
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
 Rename COMP_DELAYED to COMP_ZLIB

 Only delayed compression is supported nowadays.

 ok markus@

date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
 Remove leftovers from pre-authentication compression

 Support for this has been removed in 2016.
 COMP_DELAYED will be renamed in a later commit.

 ok markus@

OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
2018-07-10 15:13:41 +10:00
sf@openbsd.org
ab39267fa1 upstream: Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.

ok markus@

OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
2018-07-10 15:13:40 +10:00
sf@openbsd.org
95db395d2e upstream: Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@

OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
2018-07-10 15:13:40 +10:00
djm@openbsd.org
312d2f2861 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04 23:51:52 +10:00
djm@openbsd.org
4ba0d54794 upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03 23:26:36 +10:00
markus@openbsd.org
2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
naddy@openbsd.org
768405fddf upstream commit
remove miscellaneous SSH1 leftovers; ok markus@

Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
2017-05-08 09:18:27 +10:00
djm@openbsd.org
b7689155f3 upstream commit
put back some pre-auth zlib bits that I shouldn't have
removed - they are still used by the client. Spotted by naddy@

Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
2016-09-29 08:18:39 +10:00
djm@openbsd.org
4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
djm@openbsd.org
b97739dc21 upstream commit
missing bit from previous commit

Upstream-ID: 438d5ed6338b28b46e822eb13eee448aca31df37
2016-09-24 05:39:37 +10:00
djm@openbsd.org
0e8eeec8e7 upstream commit
add support for additional fixed DH groups from
 draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-05-02 20:39:32 +10:00