path: root/usr.bin/ssh/packet.c
Commit message | Author | Age | Files | Lines
...
* remove SSHv1 support from packet and buffer APIs | djm | 2017-04-30 | 1 | -148/+1
  ok markus@
* remove compat20/compat13/compat15 variables | djm | 2017-04-30 | 1 | -289/+106
  ok markus@
* unifdef WITH_SSH1 | djm | 2017-04-30 | 1 | -42/+1
  ok markus@
* Don't count the initial block twice when computing how many bytes | markus | 2017-03-11 | 1 | -3/+3
  to discard for the work around for the attacks against CBC-mode. ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
* small memleak: free fd_set on connection timeout (though we are heading to | djm | 2017-02-28 | 1 | -3/+5
  exit anyway). From Tom Rix in bz#2683
* add ssh_packet_set_log_preamble() to allow inclusion of a preamble | djm | 2017-02-03 | 1 | -17/+45
  string in disconnect messages; ok markus@
* Make ssh_packet_set_rekey_limits take u32 for the number of seconds | dtucker | 2017-02-03 | 1 | -5/+5
  until rekeying (negative values are rejected at config parse time). This allows the removal of some casts and a signed vs unsigned comparison warning.
  rekey_time is cast to int64 for the comparison which is a no-op on OpenBSD, but should also do the right thing in -portable on anything still using 32bit time_t (until the system time actually wraps, anyway).
  some early guidance deraadt@, ok djm@
* Add a per-packet input hook that is called with the decrypted packet | djm | 2016-10-11 | 1 | -1/+16
  contents. This will be used for fuzzing; ok markus@
* ssh proxy mux mode (-O proxy; idea from Simon Tatham): | markus | 2016-09-30 | 1 | -2/+91
  - mux client speaks the ssh-packet protocol directly over unix-domain socket.
  - mux server acts as a proxy, translates channel IDs and relays to the server.
  - no filedescriptor passing necessary.
  - combined with unix-domain forwarding it's even possible to run mux client and server on different machines.
  feedback & ok djm@
* put back some pre-auth zlib bits that I shouldn't have removed - | djm | 2016-09-28 | 1 | -3/+4
  they are still used by the client. Spotted by naddy@
* restore pre-auth compression support in the client -- the previous | djm | 2016-09-28 | 1 | -4/+3
  commit was intended to remove it from the server only.
  remove a few server-side pre-auth compression bits that escaped
  adjust wording of Compression directive in sshd_config(5)
  pointed out by naddy@ ok markus@
* Remove support for pre-authentication compression. Doing compression | djm | 2016-09-28 | 1 | -98/+6
  early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
  Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
  Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
  NB. pre-auth authentication has been disabled by default in sshd for >10 years.
* move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes | markus | 2016-09-19 | 1 | -4/+2
  NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
* Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions | deraadt | 2016-09-12 | 1 | -5/+4
  rather than pulling <sys/param.h> and unknown namespace pollution.
  ok djm markus dtucker
* ssh_set_newkeys: print correct block counters on rekeying; ok djm@ | markus | 2016-09-06 | 1 | -10/+13
* small refactor of cipher.c: make ciphercontext opaque to callers | djm | 2016-08-03 | 1 | -45/+43
  feedback and ok markus@
* Reduce timing attack against obsolete CBC modes by always computing | markus | 2016-07-18 | 1 | -14/+23
  the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
* Add some unsigned overflow checks for extra_pad. None of these | djm | 2016-07-18 | 1 | -5/+15
  are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@
* Reduce the syslog level of some relatively common protocol events | dtucker | 2016-07-15 | 1 | -13/+8
  from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@
* Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms. | djm | 2016-07-08 | 1 | -18/+17
  Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified.
  This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption.
  Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht.
  feedback and ok markus@
* refactor canohost.c: move functions that cache results closer to the | djm | 2016-03-07 | 1 | -4/+33
  places that use them (authn and session code). After this, no state is cached in canohost.c
  feedback and ok markus@
* rekey refactor broke SSH1; spotted by Tom G. Christensen | djm | 2016-02-17 | 1 | -3/+3
* refactor activation of rekeying | djm | 2016-02-08 | 1 | -39/+115
  This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves.
  Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
* printf argument casts to avoid warnings on strict compilers | djm | 2016-02-04 | 1 | -4/+6
* include packet type of non-data packets in debug3 output; | djm | 2016-01-29 | 1 | -2/+19
  ok markus dtucker
* Revert "account for packets buffered but not yet processed" change as it | dtucker | 2016-01-29 | 1 | -8/+3
  breaks for very small RekeyLimit values due to continuous rekeying. ok djm@
* Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return | dtucker | 2016-01-29 | 1 | -8/+11
  type of scan_scaled). Part of bz#2521, ok djm.
* Account for packets buffered but not yet processed when computing whether or | dtucker | 2016-01-29 | 1 | -3/+8
  not it is time to perform rekeying. bz#2521, based loosely on a patch from olo at fb.com, ok djm@
* remove roaming support; ok djm@ | markus | 2016-01-14 | 1 | -77/+7
* Remove NULL-checks before sshbuf_free(). | mmcc | 2015-12-11 | 1 | -9/+5
  ok djm@
* include remote port number in a few more messages; makes tying log | djm | 2015-12-11 | 1 | -22/+44
  messages together into a session a bit easier; bz#2503 ok dtucker@
* Remove NULL-checks before free(). | mmcc | 2015-12-10 | 1 | -9/+5
  ok dtucker@
* implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) | markus | 2015-12-04 | 1 | -2/+3
  based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
* fix OOB read in packet code caused by missing return statement | djm | 2015-11-08 | 1 | -1/+2
  found by Ben Hawkes; ok markus@ deraadt@
* fix memory leak in error path | gsoares | 2015-10-21 | 1 | -2/+4
  ok djm@
* fix possible hang on closed output; bz#2469 reported by Tomas Kuthan | djm | 2015-09-21 | 1 | -2/+3
  ok markus@
* Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope | deraadt | 2015-08-20 | 1 | -3/+3
  ok krw millert
* include the peer's offer when logging a failure to negotiate a | djm | 2015-07-29 | 1 | -1/+12
  mutual set of algorithms (kex, pubkey, ciphers, etc.)
  ok markus@
* refactor ssh_dispatch_run_fatal() to use sshpkt_fatal() to better | djm | 2015-05-01 | 1 | -3/+13
  report error conditions. Teach sshpkt_fatal() about ECONNRESET.
  Improves error messages on TCP connection resets. bz#2257
  ok dtucker@
* fix compilation with OPENSSL=no; ok dtucker@ | djm | 2015-04-27 | 1 | -3/+13
* don't leak 'setp' on error; noted by Nicholas Lemonias; ok djm@ | markus | 2015-03-24 | 1 | -10/+13
* add back the changes from rev 1.206, djm reverted this by mistake in | jsg | 2015-03-11 | 1 | -2/+5
  rev 1.207
* make rekey_limit for sshd w/privsep work; ok djm@ dtucker@ | markus | 2015-02-13 | 1 | -7/+11
* Some packet error messages show the address of the peer, but might be | djm | 2015-02-11 | 1 | -5/+7
  generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier.
  spotted in the wild via deraadt@ and tedu@
* fix some leaks in error paths | jsg | 2015-02-09 | 1 | -2/+5
  ok markus@
* avoid more fatal/exit in the packet.c paths that ssh-keyscan | djm | 2015-01-30 | 1 | -77/+143
  uses; feedback and "looks good" markus@
* avoid fatal() calls in packet code | djm | 2015-01-28 | 1 | -18/+15
  makes ssh-keyscan more reliable against server failures
  ok dtucker@ markus@
* Reduce use of <sys/param.h> and transition to <limits.h> throughout. | deraadt | 2015-01-20 | 1 | -3/+3
  ok djm markus
* add experimental api for packet layer; ok djm@ | markus | 2015-01-19 | 1 | -1/+3
* update packet.c & isolate, introduce struct ssh | markus | 2015-01-19 | 1 | -979/+1692
  a) switch packet.c to buffer api and isolate per-connection info into struct ssh
  b) (de)serialization of the state is moved from monitor to packet.c
  c) the old packet.c API is implemented in opacket.[ch]
  d) compress.c/h is removed and integrated into packet.c
  with and ok djm@