Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssh/dist Import 8.0:



details:   https://anonhg.NetBSD.org/src/rev/f25d3a4e51cd
branches:  trunk
changeset: 450616:f25d3a4e51cd
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Apr 20 17:13:53 2019 +0000

description:
Import 8.0:

Security
========

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request,

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * scp(1): Relating to the above changes to scp(1); the scp protocol
   relies on the remote shell for wildcard expansion, so there is no
   infallible way for the client's wildcard matching to perfectly
   reflect the server's. If there is a difference between client and
   server wildcard expansion, the client may refuse files from the
   server. For this reason, we have provided a new "-T" flag to scp
   that disables these client-side checks at the risk of
   reintroducing the attack described above.

 * sshd(8): Remove support for obsolete "host/port" syntax. Slash-
   separated host/port was added in 2001 as an alternative to
   host:port syntax for the benefit of IPv6 users. These days there
   are establised standards for this like [::1]:22 and the slash
   syntax is easily mistaken for CIDR notation, which OpenSSH
   supports for some things. Remove the slash notation from
   ListenAddress and PermitOpen; bz#2335

Changes since OpenSSH 7.9
=========================

This release is focused on new features and internal refactoring.

New Features
------------

 * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
   PKCS#11 tokens.

 * ssh(1), sshd(8): Add experimental quantum-computing resistant
   key exchange method, based on a combination of Streamlined NTRU
   Prime 4591^761 and X25519.

 * ssh-keygen(1): Increase the default RSA key size to 3072 bits,
   following NIST Special Publication 800-57's guidance for a
   128-bit equivalent symmetric security level.

 * ssh(1): Allow "PKCS11Provider=none" to override later instances of
   the PKCS11Provider directive in ssh_config; bz#2974

 * sshd(8): Add a log message for situations where a connection is
   dropped for attempting to run a command but a sshd_config
   ForceCommand=internal-sftp restriction is in effect; bz#2960

 * ssh(1): When prompting whether to record a new host key, accept
   the key fingerprint as a synonym for "yes". This allows the user
   to paste a fingerprint obtained out of band at the prompt and
   have the client do the comparison for you.

 * ssh-keygen(1): When signing multiple certificates on a single
   command-line invocation, allow automatically incrementing the
   certificate serial number.

 * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
   the scp and sftp command-lines.

 * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
   command-line flags to increase the verbosity of output; pass
   verbose flags though to subprocesses, such as ssh-pkcs11-helper
   started from ssh-agent.

 * ssh-add(1): Add a "-T" option to allowing testing whether keys in
   an agent are usable by performing a signature and a verification.

 * sftp-server(8): Add a "lsetstat%openssh.com@localhost" protocol extension
   that replicates the functionality of the existing SSH2_FXP_SETSTAT
   operation but does not follow symlinks. bz#2067

 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
   they do not follow symlinks.

 * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
   the connection 4-tuple available to PAM modules that wish to use
   it in decision-making. bz#2741

 * sshd(8): Add a ssh_config "Match final" predicate Matches in same
   pass as "Match canonical" but doesn't require hostname
   canonicalisation be enabled. bz#2906

 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch
   commands; bz#2926

 * ssh-keygen(1): When printing certificate contents using
   "ssh-keygen -Lf /path/certificate", include the algorithm that
   the CA used to sign the cert.

Bugfixes
--------

 * sshd(8): Fix authentication failures when sshd_config contains
   "AuthenticationMethods any" inside a Match block that overrides
   a more restrictive default.

 * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
   is enabled.

 * sshd(8): Fix two race conditions related to SIGHUP daemon restart.
   Remnant file descriptors in recently-forked child processes could
   block the parent sshd's attempt to listen(2) to the configured
   addresses. Also, the restarting parent sshd could exit before any
   child processes that were awaiting their re-execution state had
   completed reading it, leaving them in a fallback path.

 * ssh(1): Fix stdout potentially being redirected to /dev/null when
   ProxyCommand=- was in use.

 * sshd(8): Avoid sending SIGPIPE to child processes if they attempt
   to write to stderr after their parent processes have exited;
   bz#2071

 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
   and ConnectionAttempts directives - connection attempts after the
   first were ignoring the requested timeout; bz#2918

 * ssh-keyscan(1): Return a non-zero exit status if no keys were
   found; bz#2903

 * scp(1): Sanitize scp filenames to allow UTF-8 characters without
   terminal control sequences;  bz#2434

 * sshd(8): Fix confusion between ClientAliveInterval and time-based
   RekeyLimit that could cause connections to be incorrectly closed.
   bz#2757

 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
   handling at initial token login. The attempt to read the PIN
   could be skipped in some cases, particularly on devices with
   integrated PIN readers. This would lead to an inability to
   retrieve keys from these tokens. bz#2652

 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
   CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
   C_SignInit operation. bz#2638

 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that
   local configuration does not apply to jump hosts.

 * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
   public keys, not private.

 * ssh(1), sshd(8): be more strict in processing protocol banners,
   allowing \r characters only immediately before \n.

 * Various: fix a number of memory leaks, including bz#2942 and
   bz#2938

 * scp(1), sftp(1): fix calculation of initial bandwidth limits.
   Account for bytes written before the timer starts and adjust the
   schedule on which recalculations are performed. Avoids an initial
   burst of traffic and yields more accurate bandwidth limits;
   bz#2927

 * sshd(8): Only consider the ext-info-c extension during the initial
   key eschange. It shouldn't be sent in subsequent ones, but if it
   is present we should ignore it. This prevents sshd from sending a
   SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929

 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
   authorized_keys) and -R (remove host from authorized_keys) options
   may accept either a bare hostname or a [hostname]:port combo.
   bz#2935

 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936

 * sshd(8): Silence error messages when sshd fails to load some of
   the default host keys. Failure to load an explicitly-configured
   hostkey is still an error, and failure to load any host key is
   still fatal. pr/103

 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
   started with ControlPersist; prevents random ProxyCommand output
   from interfering with session output.

 * ssh(1): The ssh client was keeping a redundant ssh-agent socket
   (leftover from authentication) around for the life of the
   connection; bz#2912

 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
   PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
   were specified, then authentication would always fail for RSA keys
   as the monitor checks only the base key (not the signature
   algorithm) type against *AcceptedKeyTypes. bz#2746

 * ssh(1): Request correct signature types from ssh-agent when
   certificate keys and RSA-SHA2 signatures are in use.

Portability
-----------

 * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for
   token creation if it supports MsV1_0 S4U Logon.

 * sshd(8): On Cygwin, use custom user/group matching code that
   respects the OS' behaviour of case-insensitive matching.

 * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies
   the user environment if it's enabled; bz#2937

 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision
   with Microsoft's OpenSSH port.

 * Allow building against OpenSSL -dev (3.x)

 * Fix a number of build problems against version configurations and
   versions of OpenSSL. Including bz#2931 and bz#2921

 * Improve warnings in cygwin service setup. bz#2922

 * Remove hardcoded service name in cygwin setup. bz#2922

diffstat:

 crypto/external/bsd/openssh/dist/PROTOCOL.krl             |    16 +-
 crypto/external/bsd/openssh/dist/kexgen.c                 |   331 +++
 crypto/external/bsd/openssh/dist/kexsntrup4591761x25519.c |   217 ++
 crypto/external/bsd/openssh/dist/sntrup4591761.c          |  1081 +++++++++++++
 crypto/external/bsd/openssh/dist/sntrup4591761.sh         |    57 +
 5 files changed, 1695 insertions(+), 7 deletions(-)

diffs (truncated from 1745 to 300 lines):

diff -r 6875e86de116 -r f25d3a4e51cd crypto/external/bsd/openssh/dist/PROTOCOL.krl
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.krl     Sat Apr 20 11:28:53 2019 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.krl     Sat Apr 20 17:13:53 2019 +0000
@@ -36,6 +36,7 @@
 #define KRL_SECTION_EXPLICIT_KEY               2
 #define KRL_SECTION_FINGERPRINT_SHA1           3
 #define KRL_SECTION_SIGNATURE                  4
+#define KRL_SECTION_FINGERPRINT_SHA256         5
 
 2. Certificate section
 
@@ -127,18 +128,19 @@
 
 This section may appear multiple times.
 
-4. SHA1 fingerprint sections
+4. SHA1/SHA256 fingerprint sections
 
-These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke
-plain keys (i.e. not certificates) by listing their SHA1 hashes:
+These sections, identified as KRL_SECTION_FINGERPRINT_SHA1 and
+KRL_SECTION_FINGERPRINT_SHA256, revoke plain keys (i.e. not
+certificates) by listing their hashes:
 
        string  public_key_hash[0]
        ....
 
 This section must contain at least one "public_key_hash". The hash blob
-is obtained by taking the SHA1 hash of the public key blob. Hashes in
-this section must appear in numeric order, treating each hash as a big-
-endian integer.
+is obtained by taking the SHA1 or SHA256 hash of the public key blob.
+Hashes in this section must appear in numeric order, treating each hash
+as a big-endian integer.
 
 This section may appear multiple times.
 
@@ -166,4 +168,4 @@
 signatures. Signature sections are optional for KRLs distributed by
 trusted means.
 
-$OpenBSD: PROTOCOL.krl,v 1.4 2018/04/10 00:10:49 djm Exp $
+$OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $
diff -r 6875e86de116 -r f25d3a4e51cd crypto/external/bsd/openssh/dist/kexgen.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/external/bsd/openssh/dist/kexgen.c Sat Apr 20 17:13:53 2019 +0000
@@ -0,0 +1,331 @@
+/* $OpenBSD: kexgen.c,v 1.2 2019/01/23 00:30:41 djm Exp $ */
+/*
+ * Copyright (c) 2019 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+
+#include "sshkey.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "ssh2.h"
+#include "sshbuf.h"
+#include "digest.h"
+#include "ssherr.h"
+
+static int input_kex_gen_init(int, u_int32_t, struct ssh *);
+static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
+
+static int
+kex_gen_hash(
+    int hash_alg,
+    const struct sshbuf *client_version,
+    const struct sshbuf *server_version,
+    const struct sshbuf *client_kexinit,
+    const struct sshbuf *server_kexinit,
+    const struct sshbuf *server_host_key_blob,
+    const struct sshbuf *client_pub,
+    const struct sshbuf *server_pub,
+    const struct sshbuf *shared_secret,
+    u_char *hash, size_t *hashlen)
+{
+       struct sshbuf *b;
+       int r;
+
+       if (*hashlen < ssh_digest_bytes(hash_alg))
+               return SSH_ERR_INVALID_ARGUMENT;
+       if ((b = sshbuf_new()) == NULL)
+               return SSH_ERR_ALLOC_FAIL;
+       if ((r = sshbuf_put_stringb(b, client_version)) != 0 ||
+           (r = sshbuf_put_stringb(b, server_version)) != 0 ||
+           /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+           (r = sshbuf_put_u32(b, sshbuf_len(client_kexinit) + 1)) != 0 ||
+           (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
+           (r = sshbuf_putb(b, client_kexinit)) != 0 ||
+           (r = sshbuf_put_u32(b, sshbuf_len(server_kexinit) + 1)) != 0 ||
+           (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
+           (r = sshbuf_putb(b, server_kexinit)) != 0 ||
+           (r = sshbuf_put_stringb(b, server_host_key_blob)) != 0 ||
+           (r = sshbuf_put_stringb(b, client_pub)) != 0 ||
+           (r = sshbuf_put_stringb(b, server_pub)) != 0 ||
+           (r = sshbuf_putb(b, shared_secret)) != 0) {
+               sshbuf_free(b);
+               return r;
+       }
+#ifdef DEBUG_KEX
+       sshbuf_dump(b, stderr);
+#endif
+       if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
+               sshbuf_free(b);
+               return SSH_ERR_LIBCRYPTO_ERROR;
+       }
+       sshbuf_free(b);
+       *hashlen = ssh_digest_bytes(hash_alg);
+#ifdef DEBUG_KEX
+       dump_digest("hash", hash, *hashlen);
+#endif
+       return 0;
+}
+
+int
+kex_gen_client(struct ssh *ssh)
+{
+       struct kex *kex = ssh->kex;
+       int r;
+
+       switch (kex->kex_type) {
+       case KEX_DH_GRP1_SHA1:
+       case KEX_DH_GRP14_SHA1:
+       case KEX_DH_GRP14_SHA256:
+       case KEX_DH_GRP16_SHA512:
+       case KEX_DH_GRP18_SHA512:
+               r = kex_dh_keypair(kex);
+               break;
+       case KEX_ECDH_SHA2:
+               r = kex_ecdh_keypair(kex);
+               break;
+       case KEX_C25519_SHA256:
+               r = kex_c25519_keypair(kex);
+               break;
+       case KEX_KEM_SNTRUP4591761X25519_SHA512:
+               r = kex_kem_sntrup4591761x25519_keypair(kex);
+               break;
+       default:
+               r = SSH_ERR_INVALID_ARGUMENT;
+               break;
+       }
+       if (r != 0)
+               return r;
+       if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 ||
+           (r = sshpkt_put_stringb(ssh, kex->client_pub)) != 0 ||
+           (r = sshpkt_send(ssh)) != 0)
+               return r;
+       debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
+       ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_gen_reply);
+       return 0;
+}
+
+static int
+input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
+{
+       struct kex *kex = ssh->kex;
+       struct sshkey *server_host_key = NULL;
+       struct sshbuf *shared_secret = NULL;
+       struct sshbuf *server_blob = NULL;
+       struct sshbuf *tmp = NULL, *server_host_key_blob = NULL;
+       u_char *signature = NULL;
+       u_char hash[SSH_DIGEST_MAX_LENGTH];
+       size_t slen, hashlen;
+       int r;
+
+       /* hostkey */
+       if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+               goto out;
+       /* sshkey_fromb() consumes its buffer, so make a copy */
+       if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) {
+               r = SSH_ERR_ALLOC_FAIL;
+               goto out;
+       }
+       if ((r = sshkey_fromb(tmp, &server_host_key)) != 0)
+               goto out;
+       if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
+               goto out;
+
+       /* Q_S, server public key */
+       /* signed H */
+       if ((r = sshpkt_getb_froms(ssh, &server_blob)) != 0 ||
+           (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
+           (r = sshpkt_get_end(ssh)) != 0)
+               goto out;
+
+       /* compute shared secret */
+       switch (kex->kex_type) {
+       case KEX_DH_GRP1_SHA1:
+       case KEX_DH_GRP14_SHA1:
+       case KEX_DH_GRP14_SHA256:
+       case KEX_DH_GRP16_SHA512:
+       case KEX_DH_GRP18_SHA512:
+               r = kex_dh_dec(kex, server_blob, &shared_secret);
+               break;
+       case KEX_ECDH_SHA2:
+               r = kex_ecdh_dec(kex, server_blob, &shared_secret);
+               break;
+       case KEX_C25519_SHA256:
+               r = kex_c25519_dec(kex, server_blob, &shared_secret);
+               break;
+       case KEX_KEM_SNTRUP4591761X25519_SHA512:
+               r = kex_kem_sntrup4591761x25519_dec(kex, server_blob,
+                   &shared_secret);
+               break;
+       default:
+               r = SSH_ERR_INVALID_ARGUMENT;
+               break;
+       }
+       if (r !=0 )
+               goto out;
+
+       /* calc and verify H */
+       hashlen = sizeof(hash);
+       if ((r = kex_gen_hash(
+           kex->hash_alg,
+           kex->client_version,
+           kex->server_version,
+           kex->my,
+           kex->peer,
+           server_host_key_blob,
+           kex->client_pub,
+           server_blob,
+           shared_secret,
+           hash, &hashlen)) != 0)
+               goto out;
+
+       if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
+           kex->hostkey_alg, ssh->compat)) != 0)
+               goto out;
+
+       if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
+               r = kex_send_newkeys(ssh);
+out:
+       explicit_bzero(hash, sizeof(hash));
+       explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
+       explicit_bzero(kex->sntrup4591761_client_key,
+           sizeof(kex->sntrup4591761_client_key));
+       sshbuf_free(server_host_key_blob);
+       free(signature);
+       sshbuf_free(tmp);
+       sshkey_free(server_host_key);
+       sshbuf_free(server_blob);
+       sshbuf_free(shared_secret);
+       sshbuf_free(kex->client_pub);
+       kex->client_pub = NULL;
+       return r;
+}
+
+int
+kex_gen_server(struct ssh *ssh)
+{
+       debug("expecting SSH2_MSG_KEX_ECDH_INIT");
+       ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_gen_init);
+       return 0;
+}
+
+static int
+input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
+{
+       struct kex *kex = ssh->kex;
+       struct sshkey *server_host_private, *server_host_public;
+       struct sshbuf *shared_secret = NULL;
+       struct sshbuf *server_pubkey = NULL;
+       struct sshbuf *client_pubkey = NULL;
+       struct sshbuf *server_host_key_blob = NULL;
+       u_char *signature = NULL, hash[SSH_DIGEST_MAX_LENGTH];
+       size_t slen, hashlen;
+       int r;
+
+       if ((r = kex_load_hostkey(ssh, &server_host_private,
+           &server_host_public)) != 0)
+               goto out;
+



Home | Main Index | Thread Index | Old Index