upstream: update the Streamlined NTRU Prime code from the "ref"
implementation in SUPERCOP 20201130 to the "compact" implementation in
SUPERCOP 20240808. The new version is substantially faster. Thanks to Daniel
J Bernstein for pointing out the new implementation (and of course for
writing it).
Damien Miller [Mon, 9 Sep 2024 07:30:38 +0000 (17:30 +1000)]
declare defeat trying to detect C89 compilers
I can't find a reliable way to detect the features the ML-KEM code
requires in configure. Give up for now and use VLA support (that we
can detect) as a proxy for "old compiler" and turn off ML-KEM if
it isn't supported.
Damien Miller [Mon, 9 Sep 2024 06:06:21 +0000 (16:06 +1000)]
test for compiler feature needed for ML-KEM
The ML-KEM implementation we uses need the compiler to support
C99-style named struct initialisers (e.g foo = {.bar = 1}). We
still support (barely) building OpenSSH with older compilers, so
add a configure test for this.
upstream: make parsing user@host consistently look for the last '@' in
the string rather than the first. This makes it possible to use usernames
that contain '@' characters.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
upstream: Add experimental support for hybrid post-quantum key exchange
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
Antonio Larrosa [Fri, 23 Aug 2024 10:21:06 +0000 (12:21 +0200)]
Don't skip audit before exitting cleanup_exit
This fixes an issue where the SSH_CONNECTION_ABANDON event is not
audited because cleanup_exit overrides the regular _exit too soon and
as a result, failed auth attempts are not logged correctly.
The problem was introduced in 81c1099d22b81ebfd20a334ce986c4f753b0db29
where the code from upstream was merged before the audit_event call when
it should have been merged right before the _exit call in order to honor
the comment that just mentions an override of the exit value.
upstream: As defined in the RFC, the SSH protocol has negotiable
compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relative early in OpenSSH lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow. This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts it's memory) in a dangerous place, and a new option
("zlib@openssh.com") was added begins compression after authentication (aka
delayed-compression). That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com") ok djm markus
Darren Tucker [Thu, 22 Aug 2024 10:36:12 +0000 (20:36 +1000)]
Move rekey test into valgrind-2.
Now that the rekey test has been optimized it's fast enough to not be in
its own valgrind test, so move it into valgrind-2, which is currently
the quickest of the others, bringing all of them to roughly the same
runtime of ~1.1 hours.
upstream: Use curve25519-sha256 kex where possible.
Except where we're explicitly testing a different kex, use
curve25519-sha256 since it's faster than the default and supported even
when configured without OpenSSL. Add a check to ensure that the kex we
intended to test is the one we actually tested. Speeds test up by ~5%.
upstream: Unnest rekey param parsing test and use ssh not sshd.
ssh uses the same parsing code, now has "-G" to dump its config and is
slightly faster to start up. This speeds up the test slightly (~5%) in the
common case but should help more during instrumented tests, eg under
valgrind, where startup costs are magnified.
djm@openbsd.org [Tue, 20 Aug 2024 03:48:30 +0000 (03:48 +0000)]
upstream: place shielded keys (i.e. keys at rest in RAM) into memory
allocated using mmap(3) with MAP_CONCEAL set. This prevents exposure of the
key material in coredumps, etc (this is in addition to other measures we take
in this area).
Philip Hands [Thu, 8 Aug 2024 11:01:47 +0000 (13:01 +0200)]
update copyright notices
Bump the year to 2024, but also reflect the fact that hands.com Ltd. has
been wound up in the UK, and its assets (including this copyright) have
now reverted to its owner, Philip Hands.
Philip Hands [Wed, 31 Jul 2024 21:28:36 +0000 (23:28 +0200)]
put the -i before -[pP] (matching man pages)
The man pages (ssh, sftp & ssh-copy-id) all list -i before the port
setting, so make the output match that order, which also seems more
natural with the port being next to the server.
- Previously no identity file is shown in "ssh" command output on the line "Now try logging into the..."
- This commit makes sure whenever "ssh-copy-id" with "-i" is invoked, it also reflects in "ssh" command
djm@openbsd.org [Thu, 15 Aug 2024 00:51:51 +0000 (00:51 +0000)]
upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.
DSA remains unconverted as it will be removed within six months.
Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).
The first argument should be the amount, the second argument should be the
element size. Fixing this also silences some gcc compiler warnings for
portable.
Spotted with Benny Baumann (BenBE at geshi dot org).
Multiple sshbuf structs can be linked through a parent/child relationship.
Make sure that a single sshbuf cannot be its own parent. If this would ever
happen, it would result in reference counting issues.
This is a cheap way of testing this with very little overhead. It does not
detect A->B->A linkages though for performance reason and the fact that it
takes a programming error for this to occur anyway.
Authored with Benny Baumann (BenBE at geshi dot org).
If a mux started with ControlPersist then later has a forwarding added using
mux proxy connection and the forwarding was used, then when the mux proxy
session terminates, the mux master process will send a channel close to the
server with a bad channel ID and crash the connection.
This was caused by my stupidly reusing c->remote_id for mux channel
associations when I should have just added another member to struct channel.
projects / thirdparty / openssh-portable.git / log
