#
559366d6 |
| 18-Oct-2024 |
djm <djm@openbsd.org> |
in _ssh_order_hostkeyalgs() consider ECDSA curve type when arranging the hostkey algorithms. AFAIK this code is unused in OpenSSH, but I guess others are using it
based on GHPR387 from Pawel Jakub Dawidek
|
#
4e5f03cb |
| 09-Sep-2024 |
djm <djm@openbsd.org> |
pull post-quantum ML-KEM/x25519 key exchange out from compile-time flag now that an IANA codepoint has been assigned for the algorithm.
Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
ok markus@
|
#
9dc26a4e |
| 02-Sep-2024 |
djm <djm@openbsd.org> |
Add experimental support for hybrid post-quantum key exchange ML-KEM768 with ECDH/X25519 from the Internet-draft: https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the final FIPS203 standard ML-KEM using a formally-verified implementation from libcrux.
Note this key exchange method is still a draft and thus subject to change. It is therefore disabled by default; set MLKEM=yes to build it. We're making it available now to make it easy for other SSH implementations to test against it.
ok markus@ deraadt@
|
#
71f11376 |
| 17-May-2024 |
djm <djm@openbsd.org> |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
#
29ae6bbd |
| 09-Jan-2024 |
djm <djm@openbsd.org> |
adapt ssh_api.c code for kex-strict
from markus@ ok me
|
#
74cb32ae |
| 03-Apr-2021 |
djm <djm@openbsd.org> |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
94a54550 |
| 27-Jan-2021 |
djm <djm@openbsd.org> |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
e9d14800 |
| 27-Jan-2021 |
djm <djm@openbsd.org> |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
3e284e19 |
| 29-Dec-2020 |
djm <djm@openbsd.org> |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
ee048ab9 |
| 04-Dec-2020 |
djm <djm@openbsd.org> |
make ssh_free(NULL) a no-op
|
#
48e6b99d |
| 18-Oct-2020 |
djm <djm@openbsd.org> |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1f63d3c4 |
| 27-Aug-2020 |
djm <djm@openbsd.org> |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
35e6b843 |
| 01-Jul-2020 |
markus <markus@openbsd.org> |
free kex in ssh_packet_close; ok djm semarie
|
#
e3a62e69 |
| 31-Oct-2019 |
djm <djm@openbsd.org> |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
#
33d1bf81 |
| 13-Sep-2019 |
dtucker <dtucker@openbsd.org> |
Plug mem leaks on error paths, based in part on github pr#120 from David Carlier. ok djm@.
|
#
1f96526f |
| 06-Sep-2019 |
djm <djm@openbsd.org> |
fixes for !WITH_OPENSSL compilation; ok dtucker@
|
#
d04a6061 |
| 06-Sep-2019 |
djm <djm@openbsd.org> |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
39957e0d |
| 21-Jan-2019 |
djm <djm@openbsd.org> |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
32573a67 |
| 21-Jan-2019 |
djm <djm@openbsd.org> |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
c9e07d34 |
| 21-Jan-2019 |
djm <djm@openbsd.org> |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
f3ab853d |
| 21-Jan-2019 |
djm <djm@openbsd.org> |
use KEM API for vanilla c25519 KEX
|
#
b869f5f7 |
| 21-Jan-2019 |
djm <djm@openbsd.org> |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
8d3ff63d |
| 19-Jan-2019 |
djm <djm@openbsd.org> |
remove last references to active_state
with & ok markus@
|
#
01cfcf25 |
| 27-Dec-2018 |
djm <djm@openbsd.org> |
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server.
Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
|
#
f1cc710a |
| 30-Apr-2017 |
djm <djm@openbsd.org> |
remove compat20/compat13/compat15 variables
ok markus@
|