upstream: Add experimental support for hybrid post-quantum key exchange
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
Antonio Larrosa [Fri, 23 Aug 2024 10:21:06 +0000 (12:21 +0200)]
Don't skip audit before exitting cleanup_exit
This fixes an issue where the SSH_CONNECTION_ABANDON event is not
audited because cleanup_exit overrides the regular _exit too soon and
as a result, failed auth attempts are not logged correctly.
The problem was introduced in 81c1099d22b81ebfd20a334ce986c4f753b0db29
where the code from upstream was merged before the audit_event call when
it should have been merged right before the _exit call in order to honor
the comment that just mentions an override of the exit value.
upstream: As defined in the RFC, the SSH protocol has negotiable
compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relative early in OpenSSH lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow. This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts it's memory) in a dangerous place, and a new option
("zlib@openssh.com") was added begins compression after authentication (aka
delayed-compression). That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com") ok djm markus
Darren Tucker [Thu, 22 Aug 2024 10:36:12 +0000 (20:36 +1000)]
Move rekey test into valgrind-2.
Now that the rekey test has been optimized it's fast enough to not be in
its own valgrind test, so move it into valgrind-2, which is currently
the quickest of the others, bringing all of them to roughly the same
runtime of ~1.1 hours.
upstream: Use curve25519-sha256 kex where possible.
Except where we're explicitly testing a different kex, use
curve25519-sha256 since it's faster than the default and supported even
when configured without OpenSSL. Add a check to ensure that the kex we
intended to test is the one we actually tested. Speeds test up by ~5%.
upstream: Unnest rekey param parsing test and use ssh not sshd.
ssh uses the same parsing code, now has "-G" to dump its config and is
slightly faster to start up. This speeds up the test slightly (~5%) in the
common case but should help more during instrumented tests, eg under
valgrind, where startup costs are magnified.
djm@openbsd.org [Tue, 20 Aug 2024 03:48:30 +0000 (03:48 +0000)]
upstream: place shielded keys (i.e. keys at rest in RAM) into memory
allocated using mmap(3) with MAP_CONCEAL set. This prevents exposure of the
key material in coredumps, etc (this is in addition to other measures we take
in this area).
Philip Hands [Thu, 8 Aug 2024 11:01:47 +0000 (13:01 +0200)]
update copyright notices
Bump the year to 2024, but also reflect the fact that hands.com Ltd. has
been wound up in the UK, and its assets (including this copyright) have
now reverted to its owner, Philip Hands.
Philip Hands [Wed, 31 Jul 2024 21:28:36 +0000 (23:28 +0200)]
put the -i before -[pP] (matching man pages)
The man pages (ssh, sftp & ssh-copy-id) all list -i before the port
setting, so make the output match that order, which also seems more
natural with the port being next to the server.
- Previously no identity file is shown in "ssh" command output on the line "Now try logging into the..."
- This commit makes sure whenever "ssh-copy-id" with "-i" is invoked, it also reflects in "ssh" command
djm@openbsd.org [Thu, 15 Aug 2024 00:51:51 +0000 (00:51 +0000)]
upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.
DSA remains unconverted as it will be removed within six months.
Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).
The first argument should be the amount, the second argument should be the
element size. Fixing this also silences some gcc compiler warnings for
portable.
Spotted with Benny Baumann (BenBE at geshi dot org).
Multiple sshbuf structs can be linked through a parent/child relationship.
Make sure that a single sshbuf cannot be its own parent. If this would ever
happen, it would result in reference counting issues.
This is a cheap way of testing this with very little overhead. It does not
detect A->B->A linkages though for performance reason and the fact that it
takes a programming error for this to occur anyway.
Authored with Benny Baumann (BenBE at geshi dot org).
If a mux started with ControlPersist then later has a forwarding added using
mux proxy connection and the forwarding was used, then when the mux proxy
session terminates, the mux master process will send a channel close to the
server with a bad channel ID and crash the connection.
This was caused by my stupidly reusing c->remote_id for mux channel
associations when I should have just added another member to struct channel.
Samuel Thibault [Tue, 26 Mar 2024 21:15:08 +0000 (22:15 +0100)]
Fix detection of setres*id on GNU/Hurd
Like Linux, proper _SOURCE macros need to be set to get declarations of
various standard functions, notably setres*id. Now that Debian is using
-Werror=implicit-function-declaration this is really required. While at
it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses
the same glibc.
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
upstream: Instead of using possibly complex ssh_signal(), write all
the parts of the grace_alarm_handler() using the exact things allowed by the
signal-safe rules. This is a good rule of thumb: Handlers should be written
to either set a global volatile sig_atomic_t inspected from outside, and/or
directly perform only safe operations listed in our sigaction(2) manual page.
ok djm markus
upstream: Work around dbclient cipher/mac query bug.
Unlike earlier versions, recent Dropbear (at least v2024.85) requires
a host arg when querying supported ciphers and macs via "-c/-m
help". Earlier versions accept but do not require it, so always
provide it. If these queries fail, skip the test with a warning.
if querying for them fails since on some versions of Dropbear (at least
v2024.85) "-m help" doesn't seem to work. Enable all supported pubkey
algorithms in the server.
Darren Tucker [Wed, 19 Jun 2024 10:20:24 +0000 (20:20 +1000)]
Restart sshd after installing it for testing.
When installing an sshd built without OpenSSL the mismatch between
the running sshd and newly installed sshd-session will cause the
remainder of the test to fail.
projects / thirdparty / openssh-portable.git / log
