File: bcrypt_pbkdf.c
Notes:
blf_enc() takes a number of 64-bit blocks to encrypt, but using
sizeof(uint64_t) in the calculation triggers a warning with
clang 10 because the actual data type is uint32_t. Pass
BCRYPT_BLOCKS / 2 for the number of blocks like libc bcrypt(3)
does.
Ref: 04a2240bd8Fixes#562
Credit:
Viktor Szakats
file: ssh_client_fuzzer.cc
notes: the session needs blocking mode turned on to avoid EAGAIN being returned from libssh2_session_handshake()
credit:
Will Cosgrove, reviewed by Michael Buckley
* kex.c: kex_agree_instr() improve string reading
file: kex.c
notes: if haystack isn't null terminated we should use memchr() not strchar(). We should also make sure we don't walk off the end of the buffer.
credit:
Will Cosgrove, reviewed by Michael Buckley
File: kex.c
Notes:
Moved the macro LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY outside of the LIBSSH2_ECDSA since it's also now used by the ED25519 code.
Sha 256, 384 and 512 need to be defined for all backends now even if they aren't used directly. I believe this is already the case, but just a heads up.
Credit:
Stefan-Ghinea
The old function would set the least significant bits in
the most significant byte instead of the most significant bits.
The old function would also zero pad too much bits in the
most significant byte. This lead to a reduction of key space
in the most significant byte according to the following listing:
- 8 bits reduced to 0 bits => eg. 2048 bits to 2040 bits DH key
- 7 bits reduced to 1 bits => eg. 2047 bits to 2041 bits DH key
- 6 bits reduced to 2 bits => eg. 2046 bits to 2042 bits DH key
- 5 bits reduced to 3 bits => eg. 2045 bits to 2043 bits DH key
No change would occur for the case of 4 significant bits.
For 1 to 3 significant bits in the most significant byte
the DH key would actually be expanded instead of reduced:
- 3 bits expanded to 5 bits => eg. 2043 bits to 2045 bits DH key
- 2 bits expanded to 6 bits => eg. 2042 bits to 2046 bits DH key
- 1 bits expanded to 7 bits => eg. 2041 bits to 2047 bits DH key
There is no case of 0 significant bits in the most significant byte
since this would be a case of 8 significant bits in the next byte.
At the moment only the following case applies due to a fixed
DH key size value currently being used in libssh2:
The DH group_order is fixed to 256 (bytes) which leads to a
2047 bits DH key size by calculating (256 * 8) - 1.
This means the DH keyspace was previously reduced from 2047 bits
to 2041 bits (while the top and bottom bits are always set), so the
keyspace is actually always reduced from 2045 bits to 2039 bits.
All of this is only relevant for Windows versions supporting the
WinCNG backend (Vista or newer) before Windows 10 version 1903.
Closes#521
Files: kex.c
Notes:
Added key exchange group16-sha512 and group18-sha512. As a result did the following:
Abstracted diffie_hellman_sha256() to diffie_hellman_sha_algo() which is now algorithm agnostic and takes the algorithm as a parameter since we needed sha512 support. Unfortunately it required some helper functions but they are simple.
Deleted diffie_hellman_sha1()
Deleted diffie_hellman_sha1 specific macro
Cleaned up some formatting
Defined sha384 in os400 and wincng backends
Defined LIBSSH2_DH_MAX_MODULUS_BITS to abort the connection if we receive too large of p from the server doing sha1 key exchange.
Reorder the default key exchange list to match OpenSSH and improve security
Credit:
Will Cosgrove
File:
Makefile.am
Notes:
No longer conditionally include OpenSSL specific test files, they aren't run if we're not building against OpenSSL 1.1.x anyway.
Credit:
Daniel Stenberg
Files:
.travis.yml, configure.ac, ossfuzz
Notes:
This adds support for an OSS-Fuzz fuzzing target in ssh2_client_fuzzer,
which is a cut down example of ssh2.c. Future enhancements can improve
coverage.
Credit:
Max Dymond
Files:
mbedtls.c, mbedtls.h, .travis.yml
Notes:
This PR adds support for ECDSA for both key exchange and host key algorithms.
The following elliptic curves are supported:
256-bit curve defined by FIPS 186-4 and SEC1
384-bit curve defined by FIPS 186-4 and SEC1
521-bit curve defined by FIPS 186-4 and SEC1
Credit:
Sebastián Katzer
File: openssl.c, openssl.h, crypto.h, kex.c
Notes:
This cleans up a few things in the curve25519 implementation:
- There is no need to create X509_PUBKEYs or PKCS8_PRIV_KEY_INFOs to
extract key material. EVP_PKEY_get_raw_private_key and
EVP_PKEY_get_raw_public_key work fine.
- libssh2_x25519_ctx was never used (and occasionally mis-typedefed to
libssh2_ed25519_ctx). Remove it. The _libssh2_curve25519_new and
_libssh2_curve25519_gen_k interfaces use the bytes. Note, if it needs
to be added back, there is no need to roundtrip through
EVP_PKEY_new_raw_private_key. EVP_PKEY_keygen already generated an
EVP_PKEY.
- Add some missing error checks.
Credit:
David Benjamin
File: transport.c
Notes:
This is to fix#102, instead of continuing to attempt to read a disconnected socket, it will now error out.
Credit:
TDi-jonesds
Avoid the use of RtlGetVersion or similar Win32 functions,
since these depend on version information from manifests.
This commit makes the WinCNG backend first try to use the
new DH algorithm API with the raw secret derivation feature.
In case this feature is not available the WinCNG backend
will fallback to the classic approach of using RSA-encrypt
to perform the required modular exponentiation of BigNums.
The feature availability test is done during the first handshake
and the result is stored in the crypto backends global state.
Follow up to #397Closes#484
Notes:
The buildconf script is currently required, because we need to copy a
header around, because it is used both from the library and the examples
sources.
However, having a custom 'buildconf'-like script is not needed if we can
ensure that the header exists by the time it is needed. For that, we can
just append the src/ directory to the headers search path for the
examples.
And then it means we no longer need to generate the same header twice,
so we remove the second one from configure.ac.
Now, we can just call "autoreconf -fi" to generate the autotools files,
instead of relying on the canned sequence in "buildconf", since
autoreconf has now long known what to do at the correct moment (future
versions of autotools, automake, autopoint, autoheader etc... may
require an other ordering, or other intermediate steps, etc...).
Eventually, get rid of buildconf now it is no longer needed. In fact, we
really keep it for legacy, but have it just call autoreconf (and print a
nice user-friendly warning). Don't include it in the release tarballs,
though.
Update doc, gitignore, and travis-CI jobs accordingly.
Credit:
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Sam Voss <sam.voss@rockwellcollins.com>
File: libssh2.h
Notes:
Update the min, preferred and max DH group values based on RFC 8270.
Credit:
Will Cosgrove, noted from email list by Mitchell Holland
