History log of /openbsd/usr.bin/ssh/packet.h (Results 1 – 25 of 99)
Revision Date Author Comments
# 5411e769 15-Aug-2024 djm <djm@openbsd.org>

Convert RSA and ECDSA keys to the libcrypto EVP_PKEY API. DSA remains
unconverted as it will be removed within six months.

Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).

ok tb@


# 5a862d4e 17-May-2024 jsg <jsg@openbsd.org>

remove prototypes with no matching function; ok djm@


# 71f11376 17-May-2024 djm <djm@openbsd.org>

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After these changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


# 622b8b35 18-Dec-2023 djm <djm@openbsd.org>

implement "strict key exchange" in ssh and sshd

This adds a protocol extension to improve the integrity of the SSH
transport protocol, particularly in and around the initial key exchange
(KEX) phase.

Full details of the extension are in the PROTOCOL file.

with markus@


# 1d1d6304 28-Aug-2023 djm <djm@openbsd.org>

Add keystroke timing obfuscation to the client.

This attempts to hide inter-keystroke timings by sending interactive
traffic at fixed intervals (default: every 20ms) when there is only a
small amount of data being sent. It also sends fake "chaff" keystrokes
for a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.

feedback/ok markus@

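The scheduling rule the commit above describes, as an added example in C that is not OpenSSH's code: real keystrokes leave the client only on fixed 20 ms timer ticks, and after a real send the timer keeps firing with chaff sends for a random number of further ticks, so an observer cannot see when typing stopped. The function and type names, the xorshift PRNG standing in for the client's cryptographic RNG, the chaff bounds and the keystroke times in main() are all assumptions of this example; packet sizes and the transport are ignored.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of keystroke timing obfuscation (illustration, not OpenSSH code). */
#define OBF_INTERVAL_MS 20u   /* the 20 ms default named in the commit */

struct sched_event {
    uint32_t send_ms;   /* when a packet leaves the client */
    int chaff;          /* 1 = fake keystroke, 0 = carries real input */
};

/* Deterministic xorshift so the example reproduces. A real client must draw
 * chaff run lengths from a cryptographic RNG (assumption for this example). */
static uint32_t toy_rand(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* keys: ascending arrival times (ms) of real keystrokes.
 * chaff_min..chaff_max: chaff ticks sent after each real send.
 * Writes the send schedule to out[] and returns its length; returns 0 if
 * out[] is too small or the chaff bounds are inverted. */
size_t obfuscate_schedule(const uint32_t *keys, size_t nkeys,
                          uint32_t chaff_min, uint32_t chaff_max,
                          uint32_t *rng, struct sched_event *out, size_t outmax)
{
    size_t n = 0, ki = 0;
    uint32_t tick = 0, chaff_left = 0;
    int timer_running = 0;

    if (chaff_max < chaff_min)
        return 0;
    while (ki < nkeys || chaff_left > 0) {
        if (!timer_running) {
            /* A keystroke arriving while the timer is idle starts it; the
             * first tick is the next interval boundary at or after it. */
            tick = (keys[ki] + OBF_INTERVAL_MS - 1) / OBF_INTERVAL_MS * OBF_INTERVAL_MS;
            timer_running = 1;
        }
        /* Everything typed by this tick goes out in a single send. */
        int have_real = 0;
        while (ki < nkeys && keys[ki] <= tick) {
            have_real = 1;
            ki++;
        }
        if (have_real) {
            if (n >= outmax) return 0;
            out[n].send_ms = tick; out[n].chaff = 0; n++;
            /* real input just went out: start a fresh random chaff run */
            chaff_left = chaff_min + toy_rand(rng) % (chaff_max - chaff_min + 1);
        } else if (chaff_left > 0) {
            if (n >= outmax) return 0;
            out[n].send_ms = tick; out[n].chaff = 1; n++;
            chaff_left--;
        } else {
            timer_running = 0;   /* idle: stop the timer until the next keystroke */
            continue;
        }
        tick += OBF_INTERVAL_MS;
    }
    return n;
}

/* What an on-path observer sees: every inter-send gap is a non-zero
 * multiple of the interval, however the user actually typed. */
int schedule_is_quantized(const struct sched_event *ev, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        uint32_t gap = ev[i].send_ms - ev[i - 1].send_ms;
        if (gap == 0 || gap % OBF_INTERVAL_MS != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed sample: a burst of typing, then a long pause, then one key */
    const uint32_t keys[] = { 3, 5, 47, 100, 500 };
    struct sched_event ev[64];
    uint32_t rng = 0x9e3779b9u;
    size_t n = obfuscate_schedule(keys, 5, 2, 2, &rng, ev, 64);
    for (size_t i = 0; i < n; i++)
        printf("%4u ms  %s\n", ev[i].send_ms, ev[i].chaff ? "chaff" : "real");
    return schedule_is_quantized(ev, n) ? 0 : 1;
}
```

With a fixed chaff run of two ticks the 5 keystrokes in main() become 10 sends: the keystrokes at 3 ms and 5 ms merge into the 20 ms tick, the pause between 100 ms and 500 ms is covered by two chaff sends and then silence, and every gap is a multiple of 20 ms. Making chaff_min and chaff_max differ is what hides the end of a typing burst; the example pins them equal only so the output is reproducible.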

# c3c0dfb3 22-Jan-2022 djm <djm@openbsd.org>

add a ssh_packet_process_read() function that reads from a fd
directly into the transport input buffer.

Use this in the client and server mainloops to avoid unnecessary
copying. It also lets us use a more greedy read size without penalty.

Yields a 2-3% performance gain on cipher-speed.sh (in a fairly
unscientific test tbf)

feedback dtucker@ ok markus@

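The reserve/read/commit pattern that lets read(2) land directly in the transport input buffer, as an added C example that is not OpenSSH's sshbuf or ssh_packet_process_read() code. The struct inbuf API and the INBUF_MAX cap are assumptions of the example; inbuf_read_copy() shows the temporary-buffer approach the commit replaced, for contrast. The cap is the part a practitioner should not drop: an input buffer the peer can fill has to be bounded before the read size is made greedy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Illustration, not OpenSSH's sshbuf: a growable input buffer that read(2)
 * fills in place. INBUF_MAX is an assumed cap for the example. */
#define INBUF_MAX (256u * 1024u)

struct inbuf {
    unsigned char *d;
    size_t len;      /* bytes committed (readable) */
    size_t alloc;    /* bytes allocated */
};

/* Make room for `want` more bytes and return the pointer read(2) should
 * fill. NULL if that would exceed INBUF_MAX or allocation fails. */
unsigned char *inbuf_reserve(struct inbuf *b, size_t want)
{
    if (want > INBUF_MAX - b->len)
        return NULL;                       /* peer cannot grow us past the cap */
    if (b->alloc - b->len < want) {
        size_t na = b->alloc ? b->alloc : 4096;
        while (na - b->len < want)
            na *= 2;
        if (na > INBUF_MAX)
            na = INBUF_MAX;                /* still >= len + want, checked above */
        unsigned char *nd = realloc(b->d, na);
        if (nd == NULL)
            return NULL;
        b->d = nd;
        b->alloc = na;
    }
    return b->d + b->len;
}

/* Read straight into reserved space; only bytes that actually arrived are
 * committed. Returns read(2)'s result, or -1/ENOMEM if the buffer is full. */
ssize_t inbuf_read_fd(struct inbuf *b, int fd, size_t want)
{
    unsigned char *p = inbuf_reserve(b, want);
    if (p == NULL) {
        errno = ENOMEM;
        return -1;
    }
    ssize_t r = read(fd, p, want);
    if (r > 0)
        b->len += (size_t)r;
    return r;
}

/* The approach the commit replaced: read into a temporary, then copy.
 * One extra memcpy per read, the read size is bounded by the temporary, and
 * bytes already read are lost if the buffer turns out to be full. */
ssize_t inbuf_read_copy(struct inbuf *b, int fd, size_t want)
{
    unsigned char tmp[8192];
    if (want > sizeof tmp)
        want = sizeof tmp;
    ssize_t r = read(fd, tmp, want);
    if (r > 0) {
        unsigned char *p = inbuf_reserve(b, (size_t)r);
        if (p == NULL) {
            errno = ENOMEM;
            return -1;
        }
        memcpy(p, tmp, (size_t)r);
        b->len += (size_t)r;
    }
    return r;
}

/* Drop `n` bytes from the front once a packet has been parsed out. */
void inbuf_consume(struct inbuf *b, size_t n)
{
    if (n > b->len)
        n = b->len;
    memmove(b->d, b->d + n, b->len - n);
    b->len -= n;
}

void inbuf_free(struct inbuf *b)
{
    free(b->d);
    b->d = NULL;
    b->len = b->alloc = 0;
}

int main(void)
{
    int fds[2];
    struct inbuf b = { NULL, 0, 0 };
    const char *banner = "SSH-2.0-example\r\n";   /* constructed peer bytes */
    if (pipe(fds) != 0 || write(fds[1], banner, strlen(banner)) < 0)
        return 1;
    ssize_t r = inbuf_read_fd(&b, fds[0], 32 * 1024);   /* greedy size, no copy penalty */
    printf("read %zd bytes, %zu buffered\n", r, b.len);
    inbuf_free(&b);
    return 0;
}
```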

# 76eecf5e 16-Jul-2021 djm <djm@openbsd.org>

Explicitly check for and start time-based rekeying in the client
and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@

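The select() spin the commit above describes, and the explicit mainloop check that removes it, modelled as an added C example that is not OpenSSH's mainloop. struct conn, mainloop_pass() and the one-hour rekey interval are assumptions of the example; start_rekey() only sets a flag where the real ssh/sshd would send KEXINIT.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustration, not OpenSSH code: time-based rekey bookkeeping for a mainloop. */
struct conn {
    uint32_t rekey_interval;   /* seconds between time-based rekeys; 0 disables */
    uint64_t last_rekey;       /* time the last key exchange completed */
    int kex_in_progress;
};

int rekey_due(const struct conn *c, uint64_t now)
{
    return c->rekey_interval != 0 && !c->kex_in_progress &&
        now - c->last_rekey >= c->rekey_interval;
}

/* Timeout (seconds) to hand to select(): time left to the rekey deadline,
 * 0 when it has already passed, -1 to block with no time-based wakeup. */
int64_t rekey_select_timeout(const struct conn *c, uint64_t now)
{
    if (c->rekey_interval == 0 || c->kex_in_progress)
        return -1;
    uint64_t deadline = c->last_rekey + c->rekey_interval;
    return now >= deadline ? 0 : (int64_t)(deadline - now);
}

/* Stand-in for sending KEXINIT. */
static void start_rekey(struct conn *c)
{
    c->kex_in_progress = 1;
}

void rekey_complete(struct conn *c, uint64_t now)
{
    c->kex_in_progress = 0;
    c->last_rekey = now;
}

/* One pass of a quiet mainloop (nothing to send or receive).
 * explicit_check = 1 models the commit: the loop itself notices the expired
 * timer and starts rekeying. explicit_check = 0 models the old behaviour,
 * where rekeying only began inside packet send/receive, which never runs
 * while the connection is quiet. Returns the timeout passed to select(). */
int64_t mainloop_pass(struct conn *c, uint64_t now, int explicit_check)
{
    if (explicit_check && rekey_due(c, now))
        start_rekey(c);
    return rekey_select_timeout(c, now);
}

/* How many consecutive select() calls a quiet connection makes with a zero
 * timeout once the deadline has passed. Old behaviour: every call, the spin
 * the commit describes. New behaviour: none. */
int count_zero_timeout_passes(int explicit_check, int max_passes)
{
    struct conn c = { 3600, 1000, 0 };   /* constructed: rekey every hour */
    uint64_t now = 1000 + 3600;          /* deadline just reached, link idle */
    int zeros = 0;
    for (int i = 0; i < max_passes; i++) {
        if (mainloop_pass(&c, now, explicit_check) != 0)
            break;
        zeros++;   /* select() returned at once; the clock barely moved */
    }
    return zeros;
}

int main(void)
{
    printf("old mainloop: %d zero-timeout passes of 100\n",
        count_zero_timeout_passes(0, 100));
    printf("new mainloop: %d zero-timeout passes of 100\n",
        count_zero_timeout_passes(1, 100));
    return 0;
}
```

The check belongs in the loop rather than only in the packet paths because the timeout handed to select() is derived from the same deadline: once it expires on an idle link, nothing but the loop itself can act on it.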

# 6a67d380 06-Mar-2020 markus <markus@openbsd.org>

sshpkt_fatal() does not return; ok djm


# 1f96526f 06-Sep-2019 djm <djm@openbsd.org>

fixes for !WITH_OPENSSL compilation; ok dtucker@


# b115be19 21-Jan-2019 djm <djm@openbsd.org>

pass values used in KEX hash computation as sshbuf rather than
pointer+len

suggested by me; implemented by markus@ ok me


# f37f3ee2 21-Jan-2019 djm <djm@openbsd.org>

Make sshpkt_get_bignum2() allocate the bignum it is parsing rather
than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@


# ca2a3e00 19-Jan-2019 djm <djm@openbsd.org>

allow sshpkt_fatal() to take a varargs format; we'll use this to give
packet-related fatal error messages more context (esp. the remote endpoint)
ok markus@


# 8904d296 19-Jan-2019 djm <djm@openbsd.org>

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 89e51244 09-Jul-2018 markus <markus@openbsd.org>

ttymodes: switch to sshbuf API; ok djm@


# e260cbad 06-Jul-2018 sf <sf@openbsd.org>

Remove unused ssh_packet_start_compression()

ok markus@


# 85740555 10-Dec-2017 dtucker <dtucker@openbsd.org>

Put remote client info back into the ClientAlive connection termination
message. Based in part on diff from lars.nooden at gmail, ok djm


# 4548edcd 25-Oct-2017 djm <djm@openbsd.org>

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 7b28dfb0 12-Sep-2017 djm <djm@openbsd.org>

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 22085753 31-May-2017 markus <markus@openbsd.org>

clear session keys from memory; ok djm@


# bd5af9a5 30-May-2017 markus <markus@openbsd.org>

sshd: pass struct ssh to auth functions; ok djm@


# d6d98383 03-May-2017 naddy <naddy@openbsd.org>

remove miscellaneous SSH1 leftovers; ok markus@


# b2a4bdcc 30-Apr-2017 djm <djm@openbsd.org>

remove SSHv1 support from packet and buffer APIs

ok markus@


# f1cc710a 30-Apr-2017 djm <djm@openbsd.org>

remove compat20/compat13/compat15 variables

ok markus@


# 06d32e90 03-Feb-2017 djm <djm@openbsd.org>

add ssh_packet_set_log_preamble() to allow inclusion of a preamble
string in disconnect messages; ok markus@


# 447aea76 03-Feb-2017 dtucker <dtucker@openbsd.org>

Make ssh_packet_set_rekey_limits take u32 for the number of seconds
until rekeying (negative values are rejected at config parse time).
This allows the removal of some casts and a signed vs unsigned
comparison warning.

rekey_time is cast to int64 for the comparison which is a no-op
on OpenBSD, but should also do the right thing in -portable on
anything still using 32bit time_t (until the system time actually
wraps, anyway).

some early guidance deraadt@, ok djm@

